author | CoprDistGit <infra@openeuler.org> | 2023-10-30 11:56:48 +0000 |
---|---|---|
committer | CoprDistGit <infra@openeuler.org> | 2023-10-30 11:56:48 +0000 |
commit | 1dae37b163e1e08e719ac06fa86b3414b4ddfb2b (patch) | |
tree | d6c29b92e733448b00701f46c85d08ecc4a5fbbb | |
parent | 8a55803b9ffda4b5bd4f5bbb9767a617620266ae (diff) |
automatic import of edk2openeuler22.03_LTS
38 files changed, 5613 insertions, 0 deletions
@@ -0,0 +1,3 @@
+/brotli.tar.gz
+/edk2-stable202011.tar.gz
+/openssl-1.1.1f.tar.gz
diff --git a/0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch b/0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch
new file mode 100644
index 0000000..8b41381
--- /dev/null
+++ b/0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch
@@ -0,0 +1,244 @@
+From 83761337ec91fbd459c55d7d956fcc25df3bfa50 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:50 +0200
+Subject: [PATCH 18/27] NetworkPkg/IScsiDxe: wrap IScsiCHAP source files to 80
+ characters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Working with overlong lines is difficult for me; rewrap the CHAP-related
+source files in IScsiDxe to 80 characters width. No functional changes.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-2-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 90 +++++++++++++++++++++++++--------
+ NetworkPkg/IScsiDxe/IScsiCHAP.h | 3 +-
+ 2 files changed, 71 insertions(+), 22 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index 355c6f129f..cbbc56ae5b 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -1,5 +1,6 @@
+ /** @file
+- This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration.
++ This file is for Challenge-Handshake Authentication Protocol (CHAP)
++ Configuration.
+
+ Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+@@ -18,9 +19,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ @param[in] ChallengeLength The length of iSCSI CHAP challenge message.
+ @param[out] ChapResponse The calculation of the expected hash value.
+
+- @retval EFI_SUCCESS The expected hash value was calculatedly successfully.
+- @retval EFI_PROTOCOL_ERROR The length of the secret should be at least the
+- length of the hash value for the hashing algorithm chosen.
++ @retval EFI_SUCCESS The expected hash value was calculatedly
++ successfully.
++ @retval EFI_PROTOCOL_ERROR The length of the secret should be at least
++ the length of the hash value for the hashing
++ algorithm chosen.
+ @retval EFI_PROTOCOL_ERROR MD5 hash operation fail.
+ @retval EFI_OUT_OF_RESOURCES Fail to allocate resource to complete MD5.
+
+@@ -94,8 +97,10 @@ Exit:
+ @param[in] AuthData iSCSI CHAP authentication data.
+ @param[in] TargetResponse The response from target.
+
+- @retval EFI_SUCCESS The response from target passed authentication.
+- @retval EFI_SECURITY_VIOLATION The response from target was not expected value.
++ @retval EFI_SUCCESS The response from target passed
++ authentication.
++ @retval EFI_SECURITY_VIOLATION The response from target was not expected
++ value.
+ @retval Others Other errors as indicated.
+
+ **/
+@@ -193,7 +198,10 @@ IScsiCHAPOnRspReceived (
+ //
+ // The first Login Response.
+ //
+- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG);
++ Value = IScsiGetValueByKeyFromList (
++ KeyValueList,
++ ISCSI_KEY_TARGET_PORTAL_GROUP_TAG
++ );
+ if (Value == NULL) {
+ goto ON_EXIT;
+ }
+@@ -205,13 +213,17 @@ IScsiCHAPOnRspReceived (
+
+ Session->TargetPortalGroupTag = (UINT16) Result;
+
+- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD);
++ Value = IScsiGetValueByKeyFromList (
++ KeyValueList,
++ ISCSI_KEY_AUTH_METHOD
++ );
+ if (Value == NULL) {
+ goto ON_EXIT;
+ }
+ //
+- // Initiator mandates CHAP authentication but target replies without "CHAP", or
+- // initiator suggets "None" but target replies with some kind of auth method.
++ // Initiator mandates CHAP authentication but target replies without
++ // "CHAP", or initiator suggets "None" but target replies with some kind of
++ // auth method.
+ //
+ if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) {
+ if (AsciiStrCmp (Value, ISCSI_KEY_VALUE_NONE) != 0) {
+@@ -236,7 +248,10 @@ IScsiCHAPOnRspReceived (
+ //
+ // The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>
+ //
+- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM);
++ Value = IScsiGetValueByKeyFromList (
++ KeyValueList,
++ ISCSI_KEY_CHAP_ALGORITHM
++ );
+ if (Value == NULL) {
+ goto ON_EXIT;
+ }
+@@ -249,12 +264,18 @@ IScsiCHAPOnRspReceived (
+ goto ON_EXIT;
+ }
+
+- Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER);
++ Identifier = IScsiGetValueByKeyFromList (
++ KeyValueList,
++ ISCSI_KEY_CHAP_IDENTIFIER
++ );
+ if (Identifier == NULL) {
+ goto ON_EXIT;
+ }
+
+- Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE);
++ Challenge = IScsiGetValueByKeyFromList (
++ KeyValueList,
++ ISCSI_KEY_CHAP_CHALLENGE
++ );
+ if (Challenge == NULL) {
+ goto ON_EXIT;
+ }
+@@ -269,7 +290,11 @@ IScsiCHAPOnRspReceived (
+
+ AuthData->InIdentifier = (UINT32) Result;
+ AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;
+- IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge);
++ IScsiHexToBin (
++ (UINT8 *) AuthData->InChallenge,
++ &AuthData->InChallengeLength,
++ Challenge
++ );
+ Status = IScsiCHAPCalculateResponse (
+ AuthData->InIdentifier,
+ AuthData->AuthConfig->CHAPSecret,
+@@ -303,7 +328,10 @@ IScsiCHAPOnRspReceived (
+ goto ON_EXIT;
+ }
+
+- Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE);
++ Response = IScsiGetValueByKeyFromList (
++ KeyValueList,
++ ISCSI_KEY_CHAP_RESPONSE
++ );
+ if (Response == NULL) {
+ goto ON_EXIT;
+ }
+@@ -341,7 +369,8 @@ ON_EXIT:
+ @param[in, out] Pdu The PDU to send out.
+
+ @retval EFI_SUCCESS All check passed and the phase-related CHAP
+- authentication info is filled into the iSCSI PDU.
++ authentication info is filled into the iSCSI
++ PDU.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
+ @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
+
+@@ -392,7 +421,11 @@ IScsiCHAPToSendReq (
+ // It's the initial Login Request. Fill in the key=value pairs mandatory
+ // for the initial Login Request.
+ //
+- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, mPrivate->InitiatorName);
++ IScsiAddKeyValuePair (
++ Pdu,
++ ISCSI_KEY_INITIATOR_NAME,
++ mPrivate->InitiatorName
++ );
+ IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");
+ IScsiAddKeyValuePair (
+ Pdu,
+@@ -413,7 +446,8 @@ IScsiCHAPToSendReq (
+
+ case ISCSI_CHAP_STEP_ONE:
+ //
+- // First step, send the Login Request with CHAP_A=<A1,A2...> key-value pair.
++ // First step, send the Login Request with CHAP_A=<A1,A2...> key-value
++ // pair.
+ //
+ AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5);
+ IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr);
+@@ -429,11 +463,20 @@ IScsiCHAPToSendReq (
+ //
+ // CHAP_N=<N>
+ //
+- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig->CHAPName);
++ IScsiAddKeyValuePair (
++ Pdu,
++ ISCSI_KEY_CHAP_NAME,
++ (CHAR8 *) &AuthData->AuthConfig->CHAPName
++ );
+ //
+ // CHAP_R=<R>
+ //
+- IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen);
++ IScsiBinToHex (
++ (UINT8 *) AuthData->CHAPResponse,
++ ISCSI_CHAP_RSP_LEN,
++ Response,
++ &RspLen
++ );
+ IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
+
+ if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
+@@ -448,7 +491,12 @@ IScsiCHAPToSendReq (
+ //
+ IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
+ AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;
+- IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen);
++ IScsiBinToHex (
++ (UINT8 *) AuthData->OutChallenge,
++ ISCSI_CHAP_RSP_LEN,
++ Challenge,
++ &ChallengeLen
++ );
+ IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
+
+ Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+index 140bba0dcd..5e59fb678b 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+@@ -88,7 +88,8 @@ IScsiCHAPOnRspReceived (
+ @param[in, out] Pdu The PDU to send out.
+
+ @retval EFI_SUCCESS All check passed and the phase-related CHAP
+- authentication info is filled into the iSCSI PDU.
++ authentication info is filled into the iSCSI
++ PDU.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
+ @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
+
+--
+2.27.0
+
diff --git a/0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch b/0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch
new file mode 100644
index 0000000..7ddeeaa
--- /dev/null
+++ b/0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch
@@ -0,0 +1,64 @@
+From 29cab43bb7912a12efa5a78dac15394aee866e4c Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:51 +0200
+Subject: [PATCH 19/27] NetworkPkg/IScsiDxe: simplify
+ "ISCSI_CHAP_AUTH_DATA.InChallenge" size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The ISCSI_CHAP_AUTH_MAX_LEN macro is defined with value 1024.
+
+The usage of this macro currently involves a semantic (not functional)
+bug, which we're going to fix in a subsequent patch, eliminating
+ISCSI_CHAP_AUTH_MAX_LEN altogether.
+
+For now, remove the macro's usage from all
+"ISCSI_CHAP_AUTH_DATA.InChallenge" contexts. This is doable without
+duplicating open-coded constants.
+
+No changes in functionality.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-3-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 2 +-
+ NetworkPkg/IScsiDxe/IScsiCHAP.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index cbbc56ae5b..df3c2eb120 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -289,7 +289,7 @@ IScsiCHAPOnRspReceived (
+ }
+
+ AuthData->InIdentifier = (UINT32) Result;
+- AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;
++ AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
+ IScsiHexToBin (
+ (UINT8 *) AuthData->InChallenge,
+ &AuthData->InChallengeLength,
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+index 5e59fb678b..1fc1d96ea3 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+@@ -49,7 +49,7 @@ typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA {
+ typedef struct _ISCSI_CHAP_AUTH_DATA {
+ ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig;
+ UINT32 InIdentifier;
+- UINT8 InChallenge[ISCSI_CHAP_AUTH_MAX_LEN];
++ UINT8 InChallenge[1024];
+ UINT32 InChallengeLength;
+ //
+ // Calculated CHAP Response (CHAP_R) value.
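Review bot: `UINT8 InChallenge[1024];` swaps the named constant for a bare literal, and nothing next to the field says what the 1024 bounds. Because the IScsiCHAP.c hunk of the same patch now takes the capacity handed to IScsiHexToBin() from `sizeof (AuthData->InChallenge)`, this declaration becomes the one place that limits how much of the target-supplied CHAP_C is decoded. A comment above the field would record that, for example `// Capacity for the decoded CHAP_C received from the target; callers pass sizeof (InChallenge).` The struct definition continues outside the hunk.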
+--
+2.27.0
+
diff --git a/0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch b/0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch
new file mode 100644
index 0000000..82ee449
--- /dev/null
+++ b/0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch
@@ -0,0 +1,95 @@
+From 95616b866187b00355042953efa5c198df07250f Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:52 +0200
+Subject: [PATCH 20/27] NetworkPkg/IScsiDxe: clean up
+ "ISCSI_CHAP_AUTH_DATA.OutChallengeLength"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The "ISCSI_CHAP_AUTH_DATA.OutChallenge" field is declared as a UINT8 array
+with ISCSI_CHAP_AUTH_MAX_LEN (1024) elements. However, when the challenge
+is generated and formatted, only ISCSI_CHAP_RSP_LEN (16) octets are used
+in the array.
+
+Change the array size to ISCSI_CHAP_RSP_LEN, and remove the (now unused)
+ISCSI_CHAP_AUTH_MAX_LEN macro.
+
+Remove the "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" field, which is
+superfluous too.
+
+Most importantly, explain in a new comment *why* tying the challenge size
+to the digest size (ISCSI_CHAP_RSP_LEN) has always made sense. (See also
+Linux kernel commit 19f5f88ed779, "scsi: target: iscsi: tie the challenge
+length to the hash digest size", 2019-11-06.) For sure, the motivation
+that the new comment now explains has always been there, and has always
+been the same, for IScsiDxe; it's just that now we spell it out too.
+
+No change in peer-visible behavior.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-4-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 3 +--
+ NetworkPkg/IScsiDxe/IScsiCHAP.h | 9 ++++++---
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index df3c2eb120..9e192ce292 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -122,7 +122,7 @@ IScsiCHAPAuthTarget (
+ AuthData->AuthConfig->ReverseCHAPSecret,
+ SecretSize,
+ AuthData->OutChallenge,
+- AuthData->OutChallengeLength,
++ ISCSI_CHAP_RSP_LEN, // ChallengeLength
+ VerifyRsp
+ );
+
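Review bot: The challenge length passed here is the bare macro `ISCSI_CHAP_RSP_LEN`, and the same macro is repeated at the IScsiGenRandom() and IScsiBinToHex() calls in the next hunk, while the buffer itself is declared separately in IScsiCHAP.h. Deriving the length from the array, as the previous patch in this series does for InChallenge, would keep the hashed length and the buffer size from drifting apart if the declaration changes: `sizeof (AuthData->OutChallenge), // ChallengeLength`, with a cast if the parameter type needs one. The IScsiCHAPAuthTarget() body continues outside the hunk.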
+@@ -490,7 +490,6 @@ IScsiCHAPToSendReq (
+ // CHAP_C=<C>
+ //
+ IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
+- AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;
+ IScsiBinToHex (
+ (UINT8 *) AuthData->OutChallenge,
+ ISCSI_CHAP_RSP_LEN,
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+index 1fc1d96ea3..35d5d6ec29 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+@@ -19,7 +19,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ #define ISCSI_CHAP_ALGORITHM_MD5 5
+
+-#define ISCSI_CHAP_AUTH_MAX_LEN 1024
+ ///
+ /// MD5_HASHSIZE
+ ///
+@@ -59,9 +58,13 @@ typedef struct _ISCSI_CHAP_AUTH_DATA {
+ //
+ // Auth-data to be sent out for mutual authentication.
+ //
++ // While the challenge size is technically independent of the hashing
++ // algorithm, it is good practice to avoid hashing *fewer bytes* than the
++ // digest size. In other words, it's good practice to feed *at least as many
++ // bytes* to the hashing algorithm as the hashing algorithm will output.
++ //
+ UINT32 OutIdentifier;
+- UINT8 OutChallenge[ISCSI_CHAP_AUTH_MAX_LEN];
+- UINT32 OutChallengeLength;
++ UINT8 OutChallenge[ISCSI_CHAP_RSP_LEN];
+ } ISCSI_CHAP_AUTH_DATA;
+
+ /**
+--
+2.27.0
+
diff --git a/0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch b/0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch
new file mode 100644
index 0000000..2be51c1
--- /dev/null
+++ b/0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch
@@ -0,0 +1,94 @@
+From e8f28b09e63dfdbb4169969a43c65f86c44b035a Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:53 +0200
+Subject: [PATCH 21/27] NetworkPkg/IScsiDxe: clean up library class
+ dependencies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sort the library class dependencies in the #include directives and in the
+INF file. Remove the DpcLib class from the #include directives -- it is
+not listed in the INF file, and IScsiDxe doesn't call either DpcLib API
+(QueueDpc(), DispatchDpc()). No functional changes.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-5-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiDxe.inf | 6 +++---
+ NetworkPkg/IScsiDxe/IScsiImpl.h | 17 ++++++++---------
+ 2 files changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf
+index 0ffb340ce0..543c408302 100644
+--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf
++++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf
+@@ -65,6 +65,7 @@
+ NetworkPkg/NetworkPkg.dec
+
+ [LibraryClasses]
++ BaseCryptLib
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+@@ -72,14 +73,13 @@
+ HiiLib
+ MemoryAllocationLib
+ NetLib
+- TcpIoLib
+ PrintLib
++ TcpIoLib
+ UefiBootServicesTableLib
+ UefiDriverEntryPoint
++ UefiHiiServicesLib
+ UefiLib
+ UefiRuntimeServicesTableLib
+- UefiHiiServicesLib
+- BaseCryptLib
+
+ [Protocols]
+ gEfiAcpiTableProtocolGuid ## SOMETIMES_CONSUMES ## SystemTable
+diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h
+index 387ab9765e..d895c7feb9 100644
+--- a/NetworkPkg/IScsiDxe/IScsiImpl.h
++++ b/NetworkPkg/IScsiDxe/IScsiImpl.h
+@@ -35,21 +35,20 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include <Protocol/AdapterInformation.h>
+ #include <Protocol/NetworkInterfaceIdentifier.h>
+
+-#include <Library/HiiLib.h>
+-#include <Library/UefiHiiServicesLib.h>
+-#include <Library/DevicePathLib.h>
+-#include <Library/DebugLib.h>
++#include <Library/BaseCryptLib.h>
+ #include <Library/BaseLib.h>
+ #include <Library/BaseMemoryLib.h>
++#include <Library/DebugLib.h>
++#include <Library/DevicePathLib.h>
++#include <Library/HiiLib.h>
+ #include <Library/MemoryAllocationLib.h>
++#include <Library/NetLib.h>
+ #include <Library/PrintLib.h>
++#include <Library/TcpIoLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+-#include <Library/UefiRuntimeServicesTableLib.h>
++#include <Library/UefiHiiServicesLib.h>
+ #include <Library/UefiLib.h>
+-#include <Library/DpcLib.h>
+-#include <Library/NetLib.h>
+-#include <Library/TcpIoLib.h>
+-#include <Library/BaseCryptLib.h>
++#include <Library/UefiRuntimeServicesTableLib.h>
+
+ #include <Guid/MdeModuleHii.h>
+ #include <Guid/EventGroup.h>
+--
+2.27.0
+
diff --git a/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch b/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch
new file mode 100644
index 0000000..f1eddbe
--- /dev/null
+++ b/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch
@@ -0,0 +1,147 @@ +From cf01b2dc8fc3ff9cf49fb891af5703dc03e3193e Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek <lersek@redhat.com> +Date: Tue, 8 Jun 2021 14:12:54 +0200 +Subject: [PATCH 22/27] NetworkPkg/IScsiDxe: fix potential integer overflow in + IScsiBinToHex() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Considering IScsiBinToHex(): + +> if (((*HexLength) - 3) < BinLength * 2) { +> *HexLength = BinLength * 2 + 3; +> } + +the following subexpressions are problematic: + + (*HexLength) - 3 + BinLength * 2 + BinLength * 2 + 3 + +The first one may wrap under zero, the latter two may wrap over +MAX_UINT32. + +Rewrite the calculation using SafeIntLib. + +While at it, change the type of the "Index" variable from UINTN to UINT32. +The largest "Index"-based value that we calculate is + + Index * 2 + 2 (with (Index == BinLength)) + +Because the patch makes + + BinLength * 2 + 3 + +safe to calculate in UINT32, using UINT32 for + + Index * 2 + 2 (with (Index == BinLength)) + +is safe too. Consistently using UINT32 improves readability. + +This patch is best reviewed with "git show -W". + +The integer overflows that this patch fixes are theoretical; a subsequent +patch in the series will audit the IScsiBinToHex() call sites, and show +that none of them can fail. 
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-6-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiDxe.inf | 1 +
+ NetworkPkg/IScsiDxe/IScsiImpl.h | 1 +
+ NetworkPkg/IScsiDxe/IScsiMisc.c | 19 +++++++++++++++----
+ NetworkPkg/IScsiDxe/IScsiMisc.h | 1 +
+ 4 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf
+index 543c408302..1dde56d00c 100644
+--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf
++++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf
+@@ -74,6 +74,7 @@
+ MemoryAllocationLib
+ NetLib
+ PrintLib
++ SafeIntLib
+ TcpIoLib
+ UefiBootServicesTableLib
+ UefiDriverEntryPoint
+diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h
+index d895c7feb9..ac3a25730e 100644
+--- a/NetworkPkg/IScsiDxe/IScsiImpl.h
++++ b/NetworkPkg/IScsiDxe/IScsiImpl.h
+@@ -44,6 +44,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/NetLib.h>
+ #include <Library/PrintLib.h>
++#include <Library/SafeIntLib.h>
+ #include <Library/TcpIoLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+ #include <Library/UefiHiiServicesLib.h>
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
+index b8fef3ff6f..42988e15cb 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
+@@ -316,6 +316,7 @@ IScsiMacAddrToStr (
+ @retval EFI_SUCCESS The binary data is converted to the hexadecimal string
+ and the length of the string is updated.
+ @retval EFI_BUFFER_TOO_SMALL The string is too small.
++ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding.
+ @retval EFI_INVALID_PARAMETER The IP string is malformatted.
+
+ **/
+@@ -327,18 +328,28 @@ IScsiBinToHex (
+ IN OUT UINT32 *HexLength
+ )
+ {
+- UINTN Index;
++ UINT32 HexLengthMin;
++ UINT32 HexLengthProvided;
++ UINT32 Index;
+
+ if ((HexStr == NULL) || (BinBuffer == NULL) || (BinLength == 0)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+- if (((*HexLength) - 3) < BinLength * 2) {
+- *HexLength = BinLength * 2 + 3;
++ //
++ // Safely calculate: HexLengthMin := BinLength * 2 + 3.
++ //
++ if (RETURN_ERROR (SafeUint32Mult (BinLength, 2, &HexLengthMin)) ||
++ RETURN_ERROR (SafeUint32Add (HexLengthMin, 3, &HexLengthMin))) {
++ return EFI_BAD_BUFFER_SIZE;
++ }
++
++ HexLengthProvided = *HexLength;
++ *HexLength = HexLengthMin;
++ if (HexLengthProvided < HexLengthMin) {
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+- *HexLength = BinLength * 2 + 3;
+ //
+ // Prefix for Hex String.
+ //
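Review bot: HexLength is dereferenced at `HexLengthProvided = *HexLength;` but is not covered by the NULL check at the top of IScsiBinToHex(); adding `|| (HexLength == NULL)` to that condition would make the guard cover every pointer argument. The header comment in the previous hunk still describes EFI_INVALID_PARAMETER as "The IP string is malformatted", which does not match that check; `@retval EFI_INVALID_PARAMETER HexStr or BinBuffer is NULL, or BinLength is 0.` would fit the code, and the IScsiMisc.h copy carries the same text. The EFI_BUFFER_TOO_SMALL entry could also state that *HexLength is set to the required size, since the new code stores HexLengthMin before returning. The function body continues outside the hunk.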
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
+index 46c725aab3..231413993b 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
+@@ -150,6 +150,7 @@ IScsiAsciiStrToIp (
+ @retval EFI_SUCCESS The binary data is converted to the hexadecimal string
+ and the length of the string is updated.
+ @retval EFI_BUFFER_TOO_SMALL The string is too small.
++ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding.
+ @retval EFI_INVALID_PARAMETER The IP string is malformatted.
+
+ **/
+--
+2.27.0
+
diff --git a/0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch b/0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch
new file mode 100644
index 0000000..82c659e
--- /dev/null
+++ b/0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch
@@ -0,0 +1,88 @@
+From d90fff40cb2502b627370a77f5608c8a178c3f78 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:55 +0200
+Subject: [PATCH 23/27] NetworkPkg/IScsiDxe: assert that IScsiBinToHex() always
+ succeeds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+IScsiBinToHex() is called for encoding:
+
+- the answer to the target's challenge; that is, CHAP_R;
+
+- the challenge for the target, in case mutual authentication is enabled;
+ that is, CHAP_C.
+
+The initiator controls the size of both blobs, the sizes of their hex
+encodings are correctly calculated in "RspLen" and "ChallengeLen".
+Therefore the IScsiBinToHex() calls never fail; assert that.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-7-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index 9e192ce292..dbe3c8ef46 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -391,6 +391,7 @@ IScsiCHAPToSendReq (
+ UINT32 RspLen;
+ CHAR8 *Challenge;
+ UINT32 ChallengeLen;
++ EFI_STATUS BinToHexStatus;
+
+ ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);
+
+@@ -471,12 +472,13 @@ IScsiCHAPToSendReq (
+ //
+ // CHAP_R=<R>
+ //
+- IScsiBinToHex (
+- (UINT8 *) AuthData->CHAPResponse,
+- ISCSI_CHAP_RSP_LEN,
+- Response,
+- &RspLen
+- );
++ BinToHexStatus = IScsiBinToHex (
++ (UINT8 *) AuthData->CHAPResponse,
++ ISCSI_CHAP_RSP_LEN,
++ Response,
++ &RspLen
++ );
++ ASSERT_EFI_ERROR (BinToHexStatus);
+ IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
+
+ if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
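Review bot: The IScsiBinToHex() status is checked only through `ASSERT_EFI_ERROR (BinToHexStatus)`, here for CHAP_R and again in the CHAP_C hunk that follows, so in a build where assertions are compiled out a failure would go unnoticed and Response or Challenge would be added to the PDU as it stands. The commit message argues that neither call can fail because the initiator controls both sizes; a short comment above each assert would keep that reasoning next to the code, for example `// RspLen covers the hex form of ISCSI_CHAP_RSP_LEN octets, so this cannot fail.` The RspLen and ChallengeLen computations lie outside these hunks, so that sizing is taken from the commit message and is not verified here.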
+@@ -490,12 +492,13 @@ IScsiCHAPToSendReq (
+ // CHAP_C=<C>
+ //
+ IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
+- IScsiBinToHex (
+- (UINT8 *) AuthData->OutChallenge,
+- ISCSI_CHAP_RSP_LEN,
+- Challenge,
+- &ChallengeLen
+- );
++ BinToHexStatus = IScsiBinToHex (
++ (UINT8 *) AuthData->OutChallenge,
++ ISCSI_CHAP_RSP_LEN,
++ Challenge,
++ &ChallengeLen
++ );
++ ASSERT_EFI_ERROR (BinToHexStatus);
+ IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
+
+ Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
+--
+2.27.0
+
diff --git a/0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch b/0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch
new file mode 100644
index 0000000..2a3f310
--- /dev/null
+++ b/0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch
@@ -0,0 +1,86 @@
+From dc469f137110fe79704b8b92c552972c739bb915 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:56 +0200
+Subject: [PATCH 24/27] NetworkPkg/IScsiDxe: reformat IScsiHexToBin() leading
+ comment block
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We'll need further return values for IScsiHexToBin() in a subsequent
+patch; make room for them in the leading comment block of the function.
+While at it, rewrap the comment block to 80 characters width.
+
+No functional changes.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-8-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiMisc.c | 16 ++++++++--------
+ NetworkPkg/IScsiDxe/IScsiMisc.h | 16 ++++++++--------
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
+index 42988e15cb..014700e87a 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
+@@ -370,14 +370,14 @@ IScsiBinToHex (
+ /**
+ Convert the hexadecimal string into a binary encoded buffer.
+
+- @param[in, out] BinBuffer The binary buffer.
+- @param[in, out] BinLength Length of the binary buffer.
+- @param[in] HexStr The hexadecimal string.
+-
+- @retval EFI_SUCCESS The hexadecimal string is converted into a binary
+- encoded buffer.
+- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.
+-
++ @param[in, out] BinBuffer The binary buffer.
++ @param[in, out] BinLength Length of the binary buffer.
++ @param[in] HexStr The hexadecimal string.
++
++ @retval EFI_SUCCESS The hexadecimal string is converted into a
++ binary encoded buffer.
++ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
++ converted data.
+ **/
+ EFI_STATUS
+ IScsiHexToBin (
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
+index 231413993b..28cf408cd5 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
+@@ -165,14 +165,14 @@ IScsiBinToHex (
+ /**
+ Convert the hexadecimal string into a binary encoded buffer.
+
+- @param[in, out] BinBuffer The binary buffer.
+- @param[in, out] BinLength Length of the binary buffer.
+- @param[in] HexStr The hexadecimal string.
+-
+- @retval EFI_SUCCESS The hexadecimal string is converted into a binary
+- encoded buffer.
+- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.
+-
++ @param[in, out] BinBuffer The binary buffer.
++ @param[in, out] BinLength Length of the binary buffer.
++ @param[in] HexStr The hexadecimal string.
++
++ @retval EFI_SUCCESS The hexadecimal string is converted into a
++ binary encoded buffer.
++ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
++ converted data.
+ **/
+ EFI_STATUS
+ IScsiHexToBin (
+-- 
+2.27.0
+
diff --git a/0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch b/0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch
new file mode 100644
index 0000000..0996638
--- /dev/null
+++ b/0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch
@@ -0,0 +1,97 @@
+From 47b76780b487dbfde4efb6843b16064c4a97e94d Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:57 +0200
+Subject: [PATCH 25/27] NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The IScsiHexToBin() function has the following parser issues:
+
+(1) If the *subject sequence* in "HexStr" is empty, the function returns
+ EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should
+ be rejected.
+
+(2) The function mis-handles a "HexStr" that ends with a stray nibble. For
+ example, if "HexStr" is "0xABC", the function decodes it to the bytes
+ {0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns
+ EFI_SUCCESS. Such inputs should be rejected.
+
+(3) If an invalid hex char is found in "HexStr", the function treats it as
+ end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be
+ rejected.
+
+All of the above cases are remotely triggerable, as shown in a subsequent
+patch, which adds error checking to the IScsiHexToBin() call sites. While
+the initiator is not immediately compromised, incorrectly parsing CHAP_R
+from the target, in case of mutual authentication, is not great.
+
+Extend the interface contract of IScsiHexToBin() with
+EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement
+the new checks.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-9-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiMisc.c | 12 ++++++++++--
+ NetworkPkg/IScsiDxe/IScsiMisc.h | 1 +
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
+index 014700e87a..f0f4992b07 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
+@@ -376,6 +376,7 @@ IScsiBinToHex (
+
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
+ binary encoded buffer.
++ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
+ converted data.
+ **/
+@@ -402,14 +403,21 @@ IScsiHexToBin (
+
+ Length = AsciiStrLen (HexStr);
+
++ //
++ // Reject an empty hex string; reject a stray nibble.
++ //
++ if (Length == 0 || Length % 2 != 0) {
++ return EFI_INVALID_PARAMETER;
++ }
++
+ for (Index = 0; Index < Length; Index ++) {
+ TemStr[0] = HexStr[Index];
+ Digit = (UINT8) AsciiStrHexToUint64 (TemStr);
+ if (Digit == 0 && TemStr[0] != '0') {
+ //
+- // Invalid Lun Char.
++ // Invalid Hex Char.
+ //
+- break;
++ return EFI_INVALID_PARAMETER;
+ }
+ if ((Index & 1) == 0) {
+ BinBuffer [Index/2] = Digit;
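Review bot: The loop stores decoded bytes into BinBuffer before the whole string is known to be valid, so the new `return EFI_INVALID_PARAMETER;` inside the loop can leave BinBuffer partly overwritten while BinLength is untouched. The function's comment block should state this, for example `On EFI_INVALID_PARAMETER the contents of BinBuffer are indeterminate and must not be used.` A caller that keeps the buffer around needs that sentence to know it cannot fall back to the previous contents. The body of IScsiHexToBin starts before this hunk and continues after it.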
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
+index 28cf408cd5..404a482e57 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
+@@ -171,6 +171,7 @@ IScsiBinToHex (
+
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
+ binary encoded buffer.
++ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
+ converted data.
+ **/
+-- 
+2.27.0
+
diff --git a/0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch b/0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch
new file mode 100644
index 0000000..6c2861e
--- /dev/null
+++ b/0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch
@@ -0,0 +1,106 @@
+From 54e90edaed0d7c15230902ac4d74f4304bad2ebd Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:58 +0200
+Subject: [PATCH 26/27] NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer
+ overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return
+condition, but never actually checks whether the decoded buffer fits into
+the caller-provided room (i.e., the input value of "BinLength"), and
+EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can
+overflow "BinBuffer".
+
+This is remotely exploitable, as shown in a subsequent patch, which adds
+error checking to the IScsiHexToBin() call sites. This issue allows the
+target to compromise the initiator.
+
+Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent
+EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow,
+plus actually catch the buffer overflow.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-10-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiMisc.c | 20 +++++++++++++++++---
+ NetworkPkg/IScsiDxe/IScsiMisc.h | 3 +++
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
+index f0f4992b07..4069547867 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
+@@ -377,6 +377,9 @@ IScsiBinToHex (
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
+ binary encoded buffer.
+ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
++ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding:
++ the decoded size cannot be expressed in
++ BinLength on output.
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
+ converted data.
+ **/
+@@ -387,6 +390,8 @@ IScsiHexToBin (
+ IN CHAR8 *HexStr
+ )
+ {
++ UINTN BinLengthMin;
++ UINT32 BinLengthProvided;
+ UINTN Index;
+ UINTN Length;
+ UINT8 Digit;
+@@ -409,6 +414,18 @@ IScsiHexToBin (
+ if (Length == 0 || Length % 2 != 0) {
+ return EFI_INVALID_PARAMETER;
+ }
++ //
++ // Check if the caller provides enough room for the decoded blob.
++ //
++ BinLengthMin = Length / 2;
++ if (BinLengthMin > MAX_UINT32) {
++ return EFI_BAD_BUFFER_SIZE;
++ }
++ BinLengthProvided = *BinLength;
++ *BinLength = (UINT32)BinLengthMin;
++ if (BinLengthProvided < BinLengthMin) {
++ return EFI_BUFFER_TOO_SMALL;
++ }
+
+ for (Index = 0; Index < Length; Index ++) {
+ TemStr[0] = HexStr[Index];
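Review bot: `*BinLength = (UINT32)BinLengthMin;` runs before the `EFI_BUFFER_TOO_SMALL` return, so on that error the caller's length variable holds the required size, which is larger than the buffer it passed in. The `@retval EFI_BUFFER_TOO_SMALL` entry in the function comment (IScsiMisc.c and its copy in IScsiMisc.h) does not say so; it could end with `BinLength is set to the required size on output.` A caller that reuses the length after a failed call could otherwise index past its buffer. The body of IScsiHexToBin starts before this hunk and continues after it.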
+@@ -425,9 +442,6 @@ IScsiHexToBin (
+ BinBuffer [Index/2] = (UINT8) ((BinBuffer [Index/2] << 4) + Digit);
+ }
+ }
+-
+- *BinLength = (UINT32) ((Index + 1)/2);
+-
+ return EFI_SUCCESS;
+ }
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
+index 404a482e57..fddef4f466 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
+@@ -172,6 +172,9 @@ IScsiBinToHex (
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
+ binary encoded buffer.
+ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
++ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding:
++ the decoded size cannot be expressed in
++ BinLength on output.
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
+ converted data.
+ **/
+-- 
+2.27.0
+
diff --git a/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
new file mode 100644
index 0000000..426abb9
--- /dev/null
+++ b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
@@ -0,0 +1,84 @@
+From b8649cf2a3e673a4a8cb6c255e394b354b771550 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:59 +0200
+Subject: [PATCH 27/27] NetworkPkg/IScsiDxe: check IScsiHexToBin() return
+ values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+IScsiDxe (that is, the initiator) receives two hex-encoded strings from
+the iSCSI target:
+
+- CHAP_C, where the target challenges the initiator,
+
+- CHAP_R, where the target answers the challenge from the initiator (in
+ case the initiator wants mutual authentication).
+
+Accordingly, we have two IScsiHexToBin() call sites:
+
+- At the CHAP_C decoding site, check whether the decoding succeeds. The
+ decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes,
+ which is a permissible restriction on the target, per
+ <https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges
+ from the target are acceptable.
+
+- At the CHAP_R decoding site, enforce that the decoding both succeed, and
+ provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest
+ calculated by the target, therefore it must be of fixed size. We may
+ only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-11-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index dbe3c8ef46..7e930c0d1e 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived (
+
+ AuthData->InIdentifier = (UINT32) Result;
+ AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
+- IScsiHexToBin (
+- (UINT8 *) AuthData->InChallenge,
+- &AuthData->InChallengeLength,
+- Challenge
+- );
++ Status = IScsiHexToBin (
++ (UINT8 *) AuthData->InChallenge,
++ &AuthData->InChallengeLength,
++ Challenge
++ );
++ if (EFI_ERROR (Status)) {
++ Status = EFI_PROTOCOL_ERROR;
++ goto ON_EXIT;
++ }
+ Status = IScsiCHAPCalculateResponse (
+ AuthData->InIdentifier,
+ AuthData->AuthConfig->CHAPSecret,
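Review bot: The new error branch leaves `AuthData->InChallengeLength` as IScsiHexToBin() set it, and with the preceding patch in this series that is the required size when the call fails with EFI_BUFFER_TOO_SMALL, i.e. more than `sizeof (AuthData->InChallenge)`. Adding `AuthData->InChallengeLength = 0;` before `goto ON_EXIT;` keeps the stored length consistent with the buffer. Whether anything reads the length after ON_EXIT cannot be seen here, because IScsiCHAPOnRspReceived starts before the hunk and continues after it.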
+@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived (
+ }
+
+ RspLen = ISCSI_CHAP_RSP_LEN;
+- IScsiHexToBin (TargetRsp, &RspLen, Response);
++ Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
++ if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {
++ Status = EFI_PROTOCOL_ERROR;
++ goto ON_EXIT;
++ }
+
+ //
+ // Check the CHAP Name and Response replied by Target.
+-- 
+2.27.0
+
diff --git a/0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch b/0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch
new file mode 100644
index 0000000..0917f11
--- /dev/null
+++ b/0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch
@@ -0,0 +1,982 @@
+From 306307df0e228c73f6ad38ef231db75c4a3478d1 Mon Sep 17 00:00:00 2001
+From: Dandan Bi <dandan.bi@intel.com>
+Date: Mon, 28 Jun 2021 19:50:22 +0800
+Subject: [PATCH] MdeModulePkg/FPDT: Lock boot performance table address
+ variable at EndOfDxe
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2957
+
+1. Allocate performance data table at EndOfDxe and then lock the varible
+ which store the table address at EndOfDxe.
+
+2. Enlarge PCD gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize
+ from 0x20000 to 0x30000 in order to hold the Delta performance data
+ between EndOfDxe and ReadyToBoot.
+
+3. SMM performance data is collected by DXE modules through SMM communication
+ at ReadyToBoot before.
+ Now to do SMM communication twice, one for allocating the performance
+ size at EndOfDxe, another is at ReadyToBoot to get SMM performance data.
+
+4. Make SmmCorePerformanceLib rather than FirmwarePerformanceSmm to communicate
+ with DxeCorePerformanceLib for SMM performance data and size.
+
+Cc: Liming Gao <gaoliming@byosoft.com.cn>
+Cc: Hao A Wu <hao.a.wu@intel.com>
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Signed-off-by: Dandan Bi <dandan.bi@intel.com>
+Reviewed-by: Hao A Wu <hao.a.wu@intel.com>
+Signed-off-by: Jinhua Cao <caojinhua1@huawei.com>
+---
+ .../DxeCorePerformanceLib.c | 132 +++++++++++----
+ .../DxeCorePerformanceLib.inf | 3 +-
+ .../SmmCorePerformanceLib.c | 142 ++++++++++++----
+ .../SmmCorePerformanceLib.inf | 5 +-
+ MdeModulePkg/MdeModulePkg.dec | 4 +-
+ .../FirmwarePerformanceDxe.c | 90 +++++++++--
+ .../FirmwarePerformanceDxe.inf | 6 +-
+ .../FirmwarePerformanceSmm.c | 151 +-----------------
+ .../FirmwarePerformanceSmm.inf | 4 +-
+ 9 files changed, 302 insertions(+), 235 deletions(-)
+
+diff --git a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c
+index f500e20b32..bcefac6b6c 100644
+--- a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c
++++ b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c
+@@ -10,7 +10,7 @@
+ This library is mainly used by DxeCore to start performance logging to ensure that
+ Performance Protocol is installed at the very beginning of DXE phase.
+
+-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved.<BR>
+ (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+@@ -64,7 +64,7 @@ UINT32 mLoadImageCount = 0;
+ UINT32 mPerformanceLength = 0;
+ UINT32 mMaxPerformanceLength = 0;
+ UINT32 mBootRecordSize = 0;
+-UINT32 mBootRecordMaxSize = 0;
++UINTN mBootRecordMaxSize = 0;
+ UINT32 mCachedLength = 0;
+
+ BOOLEAN mFpdtBufferIsReported = FALSE;
+@@ -205,25 +205,26 @@ IsKnownID (
+ }
+
+ /**
+- Allocate buffer for Boot Performance table.
++ This internal function dumps all the SMM performance data and size.
+
+- @return Status code.
++ @param SmmPerfData Smm Performance data. The buffer contain the SMM perf data is allocated by this function and caller needs to free it.
++ @param SmmPerfDataSize Smm Performance data size.
++ @param SkipGetPerfData Skip to get performance data, just get the size.
+
+ **/
+-EFI_STATUS
+-AllocateBootPerformanceTable (
++VOID
++InternalGetSmmPerfData (
++ OUT VOID **SmmPerfData,
++ OUT UINTN *SmmPerfDataSize,
++ IN BOOLEAN SkipGetPerfData
+ )
+ {
+ EFI_STATUS Status;
+- UINTN Size;
+ UINT8 *SmmBootRecordCommBuffer;
+ EFI_SMM_COMMUNICATE_HEADER *SmmCommBufferHeader;
+ SMM_BOOT_RECORD_COMMUNICATE *SmmCommData;
+ UINTN CommSize;
+- UINTN BootPerformanceDataSize;
+- UINT8 *BootPerformanceData;
+ EFI_SMM_COMMUNICATION_PROTOCOL *Communication;
+- FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable;
+ EDKII_PI_SMM_COMMUNICATION_REGION_TABLE *SmmCommRegionTable;
+ EFI_MEMORY_DESCRIPTOR *SmmCommMemRegion;
+ UINTN Index;
+@@ -237,7 +238,6 @@ AllocateBootPerformanceTable (
+ SmmBootRecordCommBuffer = NULL;
+ SmmCommData = NULL;
+ SmmBootRecordData = NULL;
+- SmmBootRecordDataSize = 0;
+ ReservedMemSize = 0;
+ Status = gBS->LocateProtocol (&gEfiSmmCommunicationProtocolGuid, NULL, (VOID **) &Communication);
+ if (!EFI_ERROR (Status)) {
+@@ -284,6 +284,10 @@ AllocateBootPerformanceTable (
+ Status = Communication->Communicate (Communication, SmmBootRecordCommBuffer, &CommSize);
+
+ if (!EFI_ERROR (Status) && !EFI_ERROR (SmmCommData->ReturnStatus) && SmmCommData->BootRecordSize != 0) {
++ if (SkipGetPerfData) {
++ *SmmPerfDataSize = SmmCommData->BootRecordSize;
++ return;
++ }
+ //
+ // Get all boot records
+ //
+@@ -305,19 +309,45 @@ AllocateBootPerformanceTable (
+ }
+ SmmCommData->BootRecordOffset = SmmCommData->BootRecordOffset + SmmCommData->BootRecordSize;
+ }
++ *SmmPerfData = SmmBootRecordData;
++ *SmmPerfDataSize = SmmBootRecordDataSize;
+ }
+ }
+ }
+ }
++}
++
++/**
++ Allocate buffer for Boot Performance table.
++
++ @return Status code.
++
++**/
++EFI_STATUS
++AllocateBootPerformanceTable (
++ VOID
++ )
++{
++ EFI_STATUS Status;
++ UINTN Size;
++ UINTN BootPerformanceDataSize;
++ UINT8 *BootPerformanceData;
++ FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable;
++ UINTN SmmBootRecordDataSize;
++
++ SmmBootRecordDataSize = 0;
++
++ //
++ // Get SMM performance data size at the point of EndOfDxe in order to allocate the boot performance table.
++ // Will Get all the data at ReadyToBoot.
++ //
++ InternalGetSmmPerfData (NULL, &SmmBootRecordDataSize, TRUE);
+
+ //
+ // Prepare memory for Boot Performance table.
+ // Boot Performance table includes BasicBoot record, and one or more appended Boot Records.
+ //
+- BootPerformanceDataSize = sizeof (BOOT_PERFORMANCE_TABLE) + mPerformanceLength + PcdGet32 (PcdExtFpdtBootRecordPadSize);
+- if (SmmCommData != NULL && SmmBootRecordData != NULL) {
+- BootPerformanceDataSize += SmmBootRecordDataSize;
+- }
++ BootPerformanceDataSize = sizeof (BOOT_PERFORMANCE_TABLE) + mPerformanceLength + SmmBootRecordDataSize + PcdGet32 (PcdExtFpdtBootRecordPadSize);
+
+ //
+ // Try to allocate the same runtime buffer as last time boot.
+@@ -358,9 +388,6 @@ AllocateBootPerformanceTable (
+ DEBUG ((DEBUG_INFO, "DxeCorePerformanceLib: ACPI Boot Performance Table address = 0x%x\n", mAcpiBootPerformanceTable));
+
+ if (mAcpiBootPerformanceTable == NULL) {
+- if (SmmCommData != NULL && SmmBootRecordData != NULL) {
+- FreePool (SmmBootRecordData);
+- }
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+@@ -385,19 +412,10 @@ AllocateBootPerformanceTable (
+ mPerformanceLength = 0;
+ mMaxPerformanceLength = 0;
+ }
+- if (SmmCommData != NULL && SmmBootRecordData != NULL) {
+- //
+- // Fill Boot records from SMM drivers.
+- //
+- CopyMem (BootPerformanceData, SmmBootRecordData, SmmBootRecordDataSize);
+- FreePool (SmmBootRecordData);
+- mAcpiBootPerformanceTable->Header.Length = (UINT32) (mAcpiBootPerformanceTable->Header.Length + SmmBootRecordDataSize);
+- BootPerformanceData = BootPerformanceData + SmmBootRecordDataSize;
+- }
+
+ mBootRecordBuffer = (UINT8 *) mAcpiBootPerformanceTable;
+ mBootRecordSize = mAcpiBootPerformanceTable->Header.Length;
+- mBootRecordMaxSize = mBootRecordSize + PcdGet32 (PcdExtFpdtBootRecordPadSize);
++ mBootRecordMaxSize = BootPerformanceDataSize;
+
+ return EFI_SUCCESS;
+ }
+@@ -1336,6 +1354,47 @@ ReportFpdtRecordBuffer (
+ }
+ }
+
++/**
++ Update Boot Performance table.
++
++ @param Event The event of notify protocol.
++ @param Context Notify event context.
++
++**/
++VOID
++EFIAPI
++UpdateBootPerformanceTable (
++ IN EFI_EVENT Event,
++ IN VOID *Context
++ )
++{
++ VOID *SmmBootRecordData;
++ UINTN SmmBootRecordDataSize;
++ UINTN AppendSize;
++ UINT8 *FirmwarePerformanceTablePtr;
++
++ //
++ // Get SMM performance data.
++ //
++ SmmBootRecordData = NULL;
++ InternalGetSmmPerfData (&SmmBootRecordData, &SmmBootRecordDataSize, FALSE);
++
++ FirmwarePerformanceTablePtr = (UINT8 *) mAcpiBootPerformanceTable + mAcpiBootPerformanceTable->Header.Length;
++
++ if (mAcpiBootPerformanceTable->Header.Length + SmmBootRecordDataSize > mBootRecordMaxSize) {
++ DEBUG ((DEBUG_INFO, "DxeCorePerformanceLib: No enough space to save all SMM boot performance data\n"));
++ AppendSize = mBootRecordMaxSize - mAcpiBootPerformanceTable->Header.Length;
++ } else {
++ AppendSize = SmmBootRecordDataSize;
++ }
++ if (SmmBootRecordData != NULL) {
++ CopyMem (FirmwarePerformanceTablePtr, SmmBootRecordData, AppendSize);
++ mAcpiBootPerformanceTable->Header.Length += (UINT32) AppendSize;
++ mBootRecordSize += (UINT32) AppendSize;
++ FreePool (SmmBootRecordData);
++ }
++}
++
+ /**
+ The constructor function initializes Performance infrastructure for DXE phase.
+
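Review bot: UpdateBootPerformanceTable() reads `SmmBootRecordDataSize` without initialising it and dereferences `mAcpiBootPerformanceTable` without a NULL check. In the lines shown, InternalGetSmmPerfData() assigns its size output only on the success path, and AllocateBootPerformanceTable() returns EFI_OUT_OF_RESOURCES with the table pointer still NULL, so both cases look reachable at ReadyToBoot. The `mBootRecordMaxSize - mAcpiBootPerformanceTable->Header.Length` subtraction would also wrap if the length ever exceeded the maximum and hand CopyMem() a huge size; that invariant is maintained outside this hunk, so an explicit guard is cheap. Initialise the size, return early when there is nothing to append, and reject a missing or over-full table before AppendSize is computed.

```c
  SmmBootRecordData     = NULL;
  SmmBootRecordDataSize = 0;
  InternalGetSmmPerfData (&SmmBootRecordData, &SmmBootRecordDataSize, FALSE);
  if (SmmBootRecordData == NULL) {
    return;
  }

  if (mAcpiBootPerformanceTable == NULL ||
      mAcpiBootPerformanceTable->Header.Length > mBootRecordMaxSize) {
    FreePool (SmmBootRecordData);
    return;
  }

  // … unchanged: FirmwarePerformanceTablePtr, AppendSize computation, CopyMem, length updates, FreePool …
```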
+@@ -1358,6 +1417,7 @@ DxeCorePerformanceLibConstructor (
+ {
+ EFI_STATUS Status;
+ EFI_HANDLE Handle;
++ EFI_EVENT EndOfDxeEvent;
+ EFI_EVENT ReadyToBootEvent;
+ PERFORMANCE_PROPERTY *PerformanceProperty;
+
+@@ -1386,13 +1446,25 @@ DxeCorePerformanceLibConstructor (
+ ASSERT_EFI_ERROR (Status);
+
+ //
+- // Register ReadyToBoot event to report StatusCode data
++ // Register EndOfDxe event to allocate the boot performance table and report the table address through status code.
+ //
+ Status = gBS->CreateEventEx (
+ EVT_NOTIFY_SIGNAL,
+- TPL_CALLBACK,
++ TPL_NOTIFY,
+ ReportFpdtRecordBuffer,
+ NULL,
++ &gEfiEndOfDxeEventGroupGuid,
++ &EndOfDxeEvent
++ );
++
++ //
++ // Register ReadyToBoot event to update the boot performance table for SMM performance data.
++ //
++ Status = gBS->CreateEventEx (
++ EVT_NOTIFY_SIGNAL,
++ TPL_CALLBACK,
++ UpdateBootPerformanceTable,
++ NULL,
+ &gEfiEventReadyToBootGuid,
+ &ReadyToBootEvent
+ );
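Review bot: The `Status` returned by the first `CreateEventEx` call (the EndOfDxe registration of ReportFpdtRecordBuffer) is overwritten by the ReadyToBoot registration without being checked. If the EndOfDxe registration fails, the callback that, per the added comment, allocates the boot performance table never runs, and nothing reports it. Add `ASSERT_EFI_ERROR (Status);` directly after the first call, matching the check the constructor already makes on the line before this block. The constructor starts before the hunk and continues after it.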
+diff --git a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf
+index 1c1dcc60a6..599d4dea66 100644
+--- a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf
++++ b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf
+@@ -9,7 +9,7 @@
+ # This library is mainly used by DxeCore to start performance logging to ensure that
+ # Performance and PerformanceEx Protocol are installed at the very beginning of DXE phase.
+ #
+-# Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
++# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved.<BR>
+ # (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+@@ -67,6 +67,7 @@
+ gZeroGuid ## SOMETIMES_CONSUMES ## GUID
+ gEfiFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # StatusCode Data
+ gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_CONSUMES ## HOB # StatusCode Data
++ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event
+ gEfiEventReadyToBootGuid ## CONSUMES ## Event
+ gEdkiiPiSmmCommunicationRegionTableGuid ## SOMETIMES_CONSUMES ## SystemTable
+ gEdkiiPerformanceMeasurementProtocolGuid ## PRODUCES ## UNDEFINED # Install protocol
+diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
+index b4f22c14ae..d80f37e520 100644
+--- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
++++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
+@@ -16,7 +16,7 @@
+
+ SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive untrusted input and do basic validation.
+
+-Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ **/
+@@ -48,6 +48,7 @@ CHAR8 *mPlatformLanguage = NULL;
+ SPIN_LOCK mSmmFpdtLock;
+ PERFORMANCE_PROPERTY mPerformanceProperty;
+ UINT32 mCachedLength = 0;
++UINT32 mBootRecordSize = 0;
+
+ //
+ // Interfaces for SMM PerformanceMeasurement Protocol.
+@@ -776,41 +777,116 @@ InsertFpdtRecord (
+ }
+
+ /**
+- SmmReadyToBoot protocol notification event handler.
++ Communication service SMI Handler entry.
+
+- @param Protocol Points to the protocol's unique identifier
+- @param Interface Points to the interface instance
+- @param Handle The handle on which the interface was installed
++ This SMI handler provides services for report MM boot records.
+
+- @retval EFI_SUCCESS SmmReadyToBootCallback runs successfully
++ Caution: This function may receive untrusted input.
++ Communicate buffer and buffer size are external input, so this function will do basic validation.
++
++ @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
++ @param[in] RegisterContext Points to an optional handler context which was specified when the
++ handler was registered.
++ @param[in, out] CommBuffer A pointer to a collection of data in memory that will
++ be conveyed from a non-MM environment into an MM environment.
++ @param[in, out] CommBufferSize The size of the CommBuffer.
++
++ @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers
++ should still be called.
++ @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should
++ still be called.
++ @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still
++ be called.
++ @retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.
+
+ **/
+ EFI_STATUS
+ EFIAPI
+-SmmReportFpdtRecordData (
+- IN CONST EFI_GUID *Protocol,
+- IN VOID *Interface,
+- IN EFI_HANDLE Handle
++FpdtSmiHandler (
++ IN EFI_HANDLE DispatchHandle,
++ IN CONST VOID *RegisterContext,
++ IN OUT VOID *CommBuffer,
++ IN OUT UINTN *CommBufferSize
+ )
+ {
+- UINT64 SmmBPDTddr;
+-
+- if (!mFpdtDataIsReported && mSmmBootPerformanceTable != NULL) {
+- SmmBPDTddr = (UINT64)(UINTN)mSmmBootPerformanceTable;
+- REPORT_STATUS_CODE_EX (
+- EFI_PROGRESS_CODE,
+- EFI_SOFTWARE_SMM_DRIVER,
+- 0,
+- NULL,
+- &gEdkiiFpdtExtendedFirmwarePerformanceGuid,
+- &SmmBPDTddr,
+- sizeof (UINT64)
++ EFI_STATUS Status;
++ SMM_BOOT_RECORD_COMMUNICATE *SmmCommData;
++ UINTN BootRecordOffset;
++ UINTN BootRecordSize;
++ VOID *BootRecordData;
++ UINTN TempCommBufferSize;
++ UINT8 *BootRecordBuffer;
++
++ //
++ // If input is invalid, stop processing this SMI
++ //
++ if (CommBuffer == NULL || CommBufferSize == NULL) {
++ return EFI_SUCCESS;
++ }
++
++ TempCommBufferSize = *CommBufferSize;
++
++ if(TempCommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) {
++ return EFI_SUCCESS;
++ }
++
++ if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
++ DEBUG ((DEBUG_ERROR, "FpdtSmiHandler: MM communication data buffer in MMRAM or overflow!\n"));
++ return EFI_SUCCESS;
++ }
++
++ SmmCommData = (SMM_BOOT_RECORD_COMMUNICATE*)CommBuffer;
++
++ Status = EFI_SUCCESS;
++
++ switch (SmmCommData->Function) {
++ case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_SIZE :
++ if (mSmmBootPerformanceTable != NULL) {
++ mBootRecordSize = mSmmBootPerformanceTable->Header.Length - sizeof (SMM_BOOT_PERFORMANCE_TABLE);
++ }
++ SmmCommData->BootRecordSize = mBootRecordSize;
++ break;
++
++ case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA :
++ Status = EFI_UNSUPPORTED;
++ break;
++
++ case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET :
++ BootRecordOffset = SmmCommData->BootRecordOffset;
++ BootRecordData = SmmCommData->BootRecordData;
++ BootRecordSize = SmmCommData->BootRecordSize;
++ if (BootRecordData == NULL || BootRecordOffset >= mBootRecordSize) {
++ Status = EFI_INVALID_PARAMETER;
++ break;
++ }
++
++ //
++ // Sanity check
++ //
++ if (BootRecordSize > mBootRecordSize - BootRecordOffset) {
++ BootRecordSize = mBootRecordSize - BootRecordOffset;
++ }
++ SmmCommData->BootRecordSize = BootRecordSize;
++ if (!SmmIsBufferOutsideSmmValid ((UINTN)BootRecordData, BootRecordSize)) {
++ DEBUG ((DEBUG_ERROR, "FpdtSmiHandler: MM Data buffer in MMRAM or overflow!\n"));
++ Status = EFI_ACCESS_DENIED;
++ break;
++ }
++ BootRecordBuffer = ((UINT8 *) (mSmmBootPerformanceTable)) + sizeof (SMM_BOOT_PERFORMANCE_TABLE);
++ CopyMem (
++ (UINT8*)BootRecordData,
++ BootRecordBuffer + BootRecordOffset,
++ BootRecordSize
+ );
+- //
+- // Set FPDT report state to TRUE.
+- //
+- mFpdtDataIsReported = TRUE;
++ mFpdtDataIsReported = TRUE;
++ break;
++
++ default:
++ Status = EFI_UNSUPPORTED;
+ }
++
++ SmmCommData->ReturnStatus = Status;
++
+ return EFI_SUCCESS;
+ }
+
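Review bot: FpdtSmiHandler() copies `BootRecordOffset`, `BootRecordData` and `BootRecordSize` out of the communicate buffer before validating them, which is what keeps the checks sound if the non-MM side rewrites the buffer while the handler runs, but no comment records that intent. A comment above the three assignments would protect the property against later edits, for example `// Snapshot the fields: CommBuffer lies outside MMRAM and may change after validation; use only the local copies below.` `SmmCommData->Function` is read directly in the `switch`, which is safe as long as it stays a single read, and the same comment would warn against adding a second one. As a style point, `if(TempCommBufferSize <` lacks the space after `if` that the rest of the hunk uses.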
+@@ -830,8 +906,8 @@ InitializeSmmCorePerformanceLib (
+ )
+ {
+ EFI_HANDLE Handle;
++ EFI_HANDLE SmiHandle;
+ EFI_STATUS Status;
+- VOID *SmmReadyToBootRegistration;
+ PERFORMANCE_PROPERTY *PerformanceProperty;
+
+ //
+@@ -851,11 +927,13 @@ InitializeSmmCorePerformanceLib (
+ );
+ ASSERT_EFI_ERROR (Status);
+
+- Status = gSmst->SmmRegisterProtocolNotify (
+- &gEdkiiSmmReadyToBootProtocolGuid,
+- SmmReportFpdtRecordData,
+- &SmmReadyToBootRegistration
+- );
++ //
++ // Register SMI handler.
++ //
++ SmiHandle = NULL;
++ Status = gSmst->SmiHandlerRegister (FpdtSmiHandler, &gEfiFirmwarePerformanceGuid, &SmiHandle);
++ ASSERT_EFI_ERROR (Status);
++
+ Status = EfiGetSystemConfigurationTable (&gPerformanceProtocolGuid, (VOID **) &PerformanceProperty);
+ if (EFI_ERROR (Status)) {
+ //
+diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf
+index 6b013b8557..9eecc4b58c 100644
+--- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf
++++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf
+@@ -8,7 +8,7 @@
+ # This library is mainly used by SMM Core to start performance logging to ensure that
+ # SMM Performance and PerformanceEx Protocol are installed at the very beginning of SMM phase.
+ #
+-# Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
++# Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.<BR>
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+ ##
+@@ -58,14 +58,13 @@
+
+ [Protocols]
+ gEfiSmmBase2ProtocolGuid ## CONSUMES
+- gEdkiiSmmReadyToBootProtocolGuid ## NOTIFY
+
+ [Guids]
+ ## PRODUCES ## SystemTable
+ gPerformanceProtocolGuid
+- gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # StatusCode Data
+ gZeroGuid ## SOMETIMES_CONSUMES ## GUID
+ gEdkiiSmmPerformanceMeasurementProtocolGuid ## PRODUCES ## UNDEFINED # Install protocol
++ gEfiFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # SmiHandlerRegister
+
+ [Pcd]
+ gEfiMdePkgTokenSpaceGuid.PcdPerformanceLibraryPropertyMask ## CONSUMES
+diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
+index 5d9e2b8d3d..b139f1668c 100644
+--- a/MdeModulePkg/MdeModulePkg.dec
++++ b/MdeModulePkg/MdeModulePkg.dec
+@@ -1822,9 +1822,9 @@
+ gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosEntryPointProvideMethod|0x3|UINT32|0x00010069
+
+ ## This PCD specifies the additional pad size in FPDT Basic Boot Performance Table for
+- # the extension FPDT boot records received after ReadyToBoot and before ExitBootService.
++ # the extension FPDT boot records received after EndOfDxe and before ExitBootService.
+ # @Prompt Pad size for extension FPDT boot records.
+- gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize|0x20000|UINT32|0x0001005F
++ gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize|0x30000|UINT32|0x0001005F
+
+ ## Indicates if ConIn device are connected on demand.<BR><BR>
+ # TRUE - ConIn device are not connected during BDS and ReadKeyStroke/ReadKeyStrokeEx produced
+diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c
+index 61a7704b37..68755554ad 100644
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c
+@@ -5,7 +5,7 @@
+ for Firmware Basic Boot Performance Record and other boot performance records,
+ and install FPDT to ACPI table.
+
+- Copyright (c) 2011 - 2019, Intel Corporation. All rights reserved.<BR>
++ Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ **/
+@@ -16,6 +16,7 @@
+ #include <Protocol/AcpiTable.h>
+ #include <Protocol/LockBox.h>
+ #include <Protocol/Variable.h>
++#include <Protocol/VariablePolicy.h>
+
+ #include <Guid/Acpi.h>
+ #include <Guid/FirmwarePerformance.h>
+@@ -32,6 +33,8 @@
+ #include <Library/HobLib.h>
+ #include <Library/LockBoxLib.h>
+ #include <Library/UefiLib.h>
++#include <Library/VariablePolicyHelperLib.h>
++#include <Library/PerformanceLib.h>
+
+ #define SMM_BOOT_RECORD_COMM_SIZE (OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + sizeof(SMM_BOOT_RECORD_COMMUNICATE))
+
+@@ -278,11 +281,12 @@ InstallFirmwarePerformanceDataTable (
+ VOID
+ )
+ {
+- EFI_STATUS Status;
+- EFI_ACPI_TABLE_PROTOCOL *AcpiTableProtocol;
+- UINTN BootPerformanceDataSize;
+- FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable;
+- UINTN Size;
++ EFI_STATUS Status;
++ EFI_ACPI_TABLE_PROTOCOL *AcpiTableProtocol;
++ UINTN BootPerformanceDataSize;
++ FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable;
++ UINTN Size;
++ EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicyProtocol;
+
+ //
+ // Get AcpiTable Protocol.
+@@ -292,6 +296,14 @@ InstallFirmwarePerformanceDataTable (
+ return Status;
+ }
+
++ //
++ // Get VariablePolicy Protocol.
++ //
++ Status = gBS->LocateProtocol(&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicyProtocol);
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
++
+ if (mReceivedAcpiBootPerformanceTable != NULL) {
+ mAcpiBootPerformanceTable = mReceivedAcpiBootPerformanceTable;
+ mAcpiBootPerformanceTable->BasicBoot.ResetEnd = mBootPerformanceTableTemplate.BasicBoot.ResetEnd;
+@@ -369,6 +381,24 @@ InstallFirmwarePerformanceDataTable (
+ &PerformanceVariable
+ );
+
++ //
++ // Lock the variable which stores the Performance Table pointers.
++ //
++ Status = RegisterBasicVariablePolicy (
++ VariablePolicyProtocol,
++ &gEfiFirmwarePerformanceGuid,
++ EFI_FIRMWARE_PERFORMANCE_VARIABLE_NAME,
++ VARIABLE_POLICY_NO_MIN_SIZE,
++ VARIABLE_POLICY_NO_MAX_SIZE,
++ VARIABLE_POLICY_NO_MUST_ATTR,
++ VARIABLE_POLICY_NO_CANT_ATTR,
++ VARIABLE_POLICY_TYPE_LOCK_NOW
++ );
++ if (EFI_ERROR(Status)) {
++ DEBUG((DEBUG_ERROR, "[FirmwarePerformanceDxe] Error when lock variable %s, Status = %r\n", EFI_FIRMWARE_PERFORMANCE_VARIABLE_NAME, Status));
++ ASSERT_EFI_ERROR(Status);
++ }
++
+ //
+ // Publish Firmware Performance Data Table.
+ //
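Review bot: When `RegisterBasicVariablePolicy` fails, the added block only logs and asserts, so a release build (where `ASSERT_EFI_ERROR` is typically compiled out) falls through and publishes the FPDT while the variable holding the performance-table pointers stays writable. Since locking that variable is the purpose of the added code, the failure path should be an explicit decision: either `return Status;` after the log, or a comment stating that publishing without the lock is accepted. The status of the variable write that ends on the hunk's first context line is not visible here; if it is unchecked, the lock may also be registered for a variable that was never written. Minor style: `EFI_ERROR(Status)`, `DEBUG((` and `ASSERT_EFI_ERROR(Status)` lack the space before the parenthesis used elsewhere in this file. The function body starts and ends outside the hunk.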
+@@ -501,18 +531,12 @@ FpdtStatusCodeListenerDxe (
+ DEBUG ((EFI_D_INFO, "FPDT: Boot Performance - OsLoaderStartImageStart = %ld\n", mAcpiBootPerformanceTable->BasicBoot.OsLoaderStartImageStart));
+ DEBUG ((EFI_D_INFO, "FPDT: Boot Performance - ExitBootServicesEntry = 0\n"));
+ DEBUG ((EFI_D_INFO, "FPDT: Boot Performance - ExitBootServicesExit = 0\n"));
+- } else if (Value == (EFI_SOFTWARE_DXE_BS_DRIVER | EFI_SW_DXE_BS_PC_READY_TO_BOOT_EVENT)) {
+- if (mAcpiBootPerformanceTable == NULL) {
+- //
+- // ACPI Firmware Performance Data Table not installed yet, install it now.
+- //
+- InstallFirmwarePerformanceDataTable ();
+- }
+ } else if (Data != NULL && CompareGuid (&Data->Type, &gEdkiiFpdtExtendedFirmwarePerformanceGuid)) {
+ //
+ // Get the Boot performance table and then install it to ACPI table.
+ //
+ CopyMem (&mReceivedAcpiBootPerformanceTable, Data + 1, Data->Size);
++ InstallFirmwarePerformanceDataTable ();
+ } else if (Data != NULL && CompareGuid (&Data->Type, &gEfiFirmwarePerformanceGuid)) {
+ DEBUG ((DEBUG_ERROR, "FpdtStatusCodeListenerDxe: Performance data reported through gEfiFirmwarePerformanceGuid will not be collected by FirmwarePerformanceDataTableDxe\n"));
+ Status = EFI_UNSUPPORTED;
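Review bot: The new `InstallFirmwarePerformanceDataTable ();` call acts on `mReceivedAcpiBootPerformanceTable` right after the `CopyMem` above it, which copies `Data->Size` bytes into that pointer variable without comparing the two sizes. Wrapping the copy and the install in `if (Data->Size == sizeof (mReceivedAcpiBootPerformanceTable)) {` and setting `Status = EFI_INVALID_PARAMETER;` otherwise would keep a malformed status-code record from writing past the variable or installing a partial pointer. The call's return status is also dropped, and the `mAcpiBootPerformanceTable == NULL` check that the removed ReadyToBoot branch had is gone, so a second record with this GUID would presumably run the install path again; confirm that is intended. The listener body starts and ends outside the hunk.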
+@@ -526,6 +550,32 @@ FpdtStatusCodeListenerDxe (
+ return Status;
+ }
+
++/**
++ Notify function for event EndOfDxe.
++
++ This is used to install ACPI Firmware Performance Data Table for basic boot records.
++
++ @param[in] Event The Event that is being processed.
++ @param[in] Context The Event Context.
++
++**/
++VOID
++EFIAPI
++FpdtEndOfDxeEventNotify (
++ IN EFI_EVENT Event,
++ IN VOID *Context
++ )
++{
++ //
++ // When performance is enabled, the FPDT will be installed when DxeCorePerformanceLib report the data to FimwarePerformanceDxe.
++ // This is used to install the FPDT for the basic boot recods when performance infrastructure is not enabled.
++ //
++ if ((PcdGet8(PcdPerformanceLibraryPropertyMask) & PERFORMANCE_LIBRARY_PROPERTY_MEASUREMENT_ENABLED) != 0) {
++ return;
++ }
++ ASSERT (mReceivedAcpiBootPerformanceTable == NULL);
++ InstallFirmwarePerformanceDataTable ();
++}
+
+ /**
+ Notify function for event EVT_SIGNAL_EXIT_BOOT_SERVICES. This is used to record
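Review bot: `FpdtEndOfDxeEventNotify` discards the status returned by `InstallFirmwarePerformanceDataTable ()`, so when performance measurement is disabled a failed install (for example the new VariablePolicy lookup failing) leaves no FPDT and no trace. Capture it and log on error, e.g. `Status = InstallFirmwarePerformanceDataTable ();` followed by `if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "FPDT: install at EndOfDxe failed - %r\n", Status)); }`. The `ASSERT (mReceivedAcpiBootPerformanceTable == NULL)` is the only guard against a record having arrived earlier, and it disappears in release builds. The comment has two typos, `FimwarePerformanceDxe` and `recods`.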
+@@ -596,6 +646,7 @@ FirmwarePerformanceDxeEntryPoint (
+ FIRMWARE_SEC_PERFORMANCE *Performance;
+ VOID *Registration;
+ UINT64 OemTableId;
++ EFI_EVENT EndOfDxeEvent;
+
+ CopyMem (
+ mFirmwarePerformanceTableTemplate.Header.OemId,
+@@ -620,6 +671,19 @@ FirmwarePerformanceDxeEntryPoint (
+ Status = mRscHandlerProtocol->Register (FpdtStatusCodeListenerDxe, TPL_HIGH_LEVEL);
+ ASSERT_EFI_ERROR (Status);
+
++ //
++ // Register the notify function to install FPDT at EndOfDxe.
++ //
++ Status = gBS->CreateEventEx (
++ EVT_NOTIFY_SIGNAL,
++ TPL_NOTIFY,
++ FpdtEndOfDxeEventNotify,
++ NULL,
++ &gEfiEndOfDxeEventGroupGuid,
++ &EndOfDxeEvent
++ );
++ ASSERT_EFI_ERROR (Status);
++
+ //
+ // Register the notify function to update FPDT on ExitBootServices Event.
+ //
+diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf
+index 1debb0193e..0411a22e66 100644
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf
+@@ -5,7 +5,7 @@
+ # for Firmware Basic Boot Performance Record and other boot performance records,
+ # and install FPDT to ACPI table.
+ #
+-# Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
++# Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.<BR>
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+ ##
+@@ -46,12 +46,14 @@
+ HobLib
+ LockBoxLib
+ UefiLib
++ VariablePolicyHelperLib
+
+ [Protocols]
+ gEfiAcpiTableProtocolGuid ## CONSUMES
+ gEfiRscHandlerProtocolGuid ## CONSUMES
+ gEfiVariableArchProtocolGuid ## CONSUMES
+ gEfiLockBoxProtocolGuid ## CONSUMES
++ gEdkiiVariablePolicyProtocolGuid ## CONSUMES
+
+ [Guids]
+ gEfiEventExitBootServicesGuid ## CONSUMES ## Event
+@@ -63,6 +65,7 @@
+ gEfiFirmwarePerformanceGuid
+ gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_CONSUMES ## UNDEFINED # StatusCode Data
+ gFirmwarePerformanceS3PointerGuid ## PRODUCES ## UNDEFINED # SaveLockBox
++ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event
+
+ [Pcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdProgressCodeOsLoaderLoad ## CONSUMES
+@@ -72,6 +75,7 @@
+ gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemRevision ## CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorId ## CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorRevision ## CONSUMES
++ gEfiMdePkgTokenSpaceGuid.PcdPerformanceLibraryPropertyMask ## CONSUMES
+
+ [FeaturePcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwarePerformanceDataTableS3Support ## CONSUMES
+diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
+index d6c6e7693e..dbd9fe1842 100644
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
+@@ -11,7 +11,7 @@
+
+ FpdtSmiHandler() will receive untrusted input and do basic validation.
+
+- Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
++ Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ **/
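Review bot: The file header kept as context in this hunk still says `FpdtSmiHandler() will receive untrusted input and do basic validation.`, but this patch deletes `FpdtSmiHandler` and its `SmiHandlerRegister` call further down. The sentence should be removed or reworded so the header does not advertise an SMI entry point that no longer exists; someone auditing the driver's SMM-facing interfaces would otherwise go looking for it. The earlier header lines are outside the hunk, so check whether they mention the handler as well.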
+@@ -29,21 +29,12 @@
+ #include <Library/LockBoxLib.h>
+ #include <Library/PcdLib.h>
+ #include <Library/BaseMemoryLib.h>
+-#include <Library/MemoryAllocationLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+-#include <Library/SynchronizationLib.h>
+ #include <Library/SmmMemLib.h>
+
+-SMM_BOOT_PERFORMANCE_TABLE *mSmmBootPerformanceTable = NULL;
+-
+ EFI_SMM_RSC_HANDLER_PROTOCOL *mRscHandlerProtocol = NULL;
+ UINT64 mSuspendStartTime = 0;
+ BOOLEAN mS3SuspendLockBoxSaved = FALSE;
+-UINT32 mBootRecordSize = 0;
+-UINT8 *mBootRecordBuffer = NULL;
+-
+-SPIN_LOCK mSmmFpdtLock;
+-BOOLEAN mSmramIsOutOfResource = FALSE;
+
+ /**
+ Report status code listener for SMM. This is used to record the performance
+@@ -85,21 +76,6 @@ FpdtStatusCodeListenerSmm (
+ return EFI_UNSUPPORTED;
+ }
+
+- //
+- // Collect one or more Boot records in boot time
+- //
+- if (Data != NULL && CompareGuid (&Data->Type, &gEdkiiFpdtExtendedFirmwarePerformanceGuid)) {
+- AcquireSpinLock (&mSmmFpdtLock);
+- //
+- // Get the boot performance data.
+- //
+- CopyMem (&mSmmBootPerformanceTable, Data + 1, Data->Size);
+- mBootRecordBuffer = ((UINT8 *) (mSmmBootPerformanceTable)) + sizeof (SMM_BOOT_PERFORMANCE_TABLE);
+-
+- ReleaseSpinLock (&mSmmFpdtLock);
+- return EFI_SUCCESS;
+- }
+-
+ if (Data != NULL && CompareGuid (&Data->Type, &gEfiFirmwarePerformanceGuid)) {
+ DEBUG ((DEBUG_ERROR, "FpdtStatusCodeListenerSmm: Performance data reported through gEfiFirmwarePerformanceGuid will not be collected by FirmwarePerformanceDataTableSmm\n"));
+ return EFI_UNSUPPORTED;
+@@ -154,118 +130,6 @@ FpdtStatusCodeListenerSmm (
+ return EFI_SUCCESS;
+ }
+
+-/**
+- Communication service SMI Handler entry.
+-
+- This SMI handler provides services for report SMM boot records.
+-
+- Caution: This function may receive untrusted input.
+- Communicate buffer and buffer size are external input, so this function will do basic validation.
+-
+- @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
+- @param[in] RegisterContext Points to an optional handler context which was specified when the
+- handler was registered.
+- @param[in, out] CommBuffer A pointer to a collection of data in memory that will
+- be conveyed from a non-SMM environment into an SMM environment.
+- @param[in, out] CommBufferSize The size of the CommBuffer.
+-
+- @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers
+- should still be called.
+- @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should
+- still be called.
+- @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still
+- be called.
+- @retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.
+-
+-**/
+-EFI_STATUS
+-EFIAPI
+-FpdtSmiHandler (
+- IN EFI_HANDLE DispatchHandle,
+- IN CONST VOID *RegisterContext,
+- IN OUT VOID *CommBuffer,
+- IN OUT UINTN *CommBufferSize
+- )
+-{
+- EFI_STATUS Status;
+- SMM_BOOT_RECORD_COMMUNICATE *SmmCommData;
+- UINTN BootRecordOffset;
+- UINTN BootRecordSize;
+- VOID *BootRecordData;
+- UINTN TempCommBufferSize;
+-
+- //
+- // If input is invalid, stop processing this SMI
+- //
+- if (CommBuffer == NULL || CommBufferSize == NULL) {
+- return EFI_SUCCESS;
+- }
+-
+- TempCommBufferSize = *CommBufferSize;
+-
+- if(TempCommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) {
+- return EFI_SUCCESS;
+- }
+-
+- if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
+- DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM communication data buffer in SMRAM or overflow!\n"));
+- return EFI_SUCCESS;
+- }
+-
+- SmmCommData = (SMM_BOOT_RECORD_COMMUNICATE*)CommBuffer;
+-
+- Status = EFI_SUCCESS;
+-
+- switch (SmmCommData->Function) {
+- case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_SIZE :
+- if (mSmmBootPerformanceTable != NULL) {
+- mBootRecordSize = mSmmBootPerformanceTable->Header.Length - sizeof (SMM_BOOT_PERFORMANCE_TABLE);
+- }
+- SmmCommData->BootRecordSize = mBootRecordSize;
+- break;
+-
+- case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA :
+- Status = EFI_UNSUPPORTED;
+- break;
+-
+- case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET :
+- BootRecordOffset = SmmCommData->BootRecordOffset;
+- BootRecordData = SmmCommData->BootRecordData;
+- BootRecordSize = SmmCommData->BootRecordSize;
+- if (BootRecordData == NULL || BootRecordOffset >= mBootRecordSize) {
+- Status = EFI_INVALID_PARAMETER;
+- break;
+- }
+-
+- //
+- // Sanity check
+- //
+- if (BootRecordSize > mBootRecordSize - BootRecordOffset) {
+- BootRecordSize = mBootRecordSize - BootRecordOffset;
+- }
+- SmmCommData->BootRecordSize = BootRecordSize;
+- if (!SmmIsBufferOutsideSmmValid ((UINTN)BootRecordData, BootRecordSize)) {
+- DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM Data buffer in SMRAM or overflow!\n"));
+- Status = EFI_ACCESS_DENIED;
+- break;
+- }
+-
+- CopyMem (
+- (UINT8*)BootRecordData,
+- mBootRecordBuffer + BootRecordOffset,
+- BootRecordSize
+- );
+- break;
+-
+- default:
+- Status = EFI_UNSUPPORTED;
+- }
+-
+- SmmCommData->ReturnStatus = Status;
+-
+- return EFI_SUCCESS;
+-}
+-
+ /**
+ The module Entry Point of the Firmware Performance Data Table SMM driver.
+
+@@ -284,12 +148,6 @@ FirmwarePerformanceSmmEntryPoint (
+ )
+ {
+ EFI_STATUS Status;
+- EFI_HANDLE Handle;
+-
+- //
+- // Initialize spin lock
+- //
+- InitializeSpinLock (&mSmmFpdtLock);
+
+ //
+ // Get SMM Report Status Code Handler Protocol.
+@@ -307,12 +165,5 @@ FirmwarePerformanceSmmEntryPoint (
+ Status = mRscHandlerProtocol->Register (FpdtStatusCodeListenerSmm);
+ ASSERT_EFI_ERROR (Status);
+
+- //
+- // Register SMI handler.
+- //
+- Handle = NULL;
+- Status = gSmst->SmiHandlerRegister (FpdtSmiHandler, &gEfiFirmwarePerformanceGuid, &Handle);
+- ASSERT_EFI_ERROR (Status);
+-
+ return Status;
+ }
+diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf
+index 618cbd56ca..6be57553f0 100644
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf
+@@ -4,7 +4,7 @@
+ # This module registers report status code listener to collect performance data
+ # for SMM boot performance records and S3 Suspend Performance Record.
+ #
+-# Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
++# Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.<BR>
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+ ##
+@@ -51,10 +51,8 @@
+
+ [Guids]
+ ## SOMETIMES_PRODUCES ## UNDEFINED # SaveLockBox
+- ## PRODUCES ## UNDEFINED # SmiHandlerRegister
+ ## SOMETIMES_CONSUMES ## UNDEFINED # StatusCode Data
+ gEfiFirmwarePerformanceGuid
+- gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # StatusCode Data
+
+ [Pcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdProgressCodeS3SuspendStart ## CONSUMES
+-- +2.27.0 + diff --git a/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch b/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch new file mode 100644 index 0000000..0fce38a --- /dev/null +++ b/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch @@ -0,0 +1,378 @@ +From 6642e762e1cedae30a08e28c456de2372bda7766 Mon Sep 17 00:00:00 2001 +From: Stefan Berger <stefanb@linux.vnet.ibm.com> +Date: Mon, 13 Sep 2021 22:20:57 +0800 +Subject: [PATCH 1/8] SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c + from edk2-platforms + +Import PeiDxeTpmPlatformHierarchyLib from edk2-platforms without any +modifications. + +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> +--- + .../Include/Library/TpmPlatformHierarchyLib.h | 27 ++ + .../PeiDxeTpmPlatformHierarchyLib.c | 266 ++++++++++++++++++ + .../PeiDxeTpmPlatformHierarchyLib.inf | 45 +++ + 3 files changed, 338 insertions(+) + create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h + create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c + create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf + +diff --git a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h +new file mode 100644 +index 0000000000..a872fa09dc +--- /dev/null ++++ b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h +@@ -0,0 +1,27 @@ ++/** @file
++ TPM Platform Hierarchy configuration library.
++
++ This library provides functions for customizing the TPM's Platform Hierarchy
++ Authorization Value (platformAuth) and Platform Hierarchy Authorization
++ Policy (platformPolicy) can be defined through this function.
++
++Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
++Copyright (c) Microsoft Corporation.<BR>
++SPDX-License-Identifier: BSD-2-Clause-Patent
++
++**/
++
++#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
++#define _TPM_PLATFORM_HIERARCHY_LIB_H_
++
++/**
++ This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
++
++**/
++VOID
++EFIAPI
++ConfigureTpmPlatformHierarchy (
++ VOID
++ );
++
++#endif
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+new file mode 100644
+index 0000000000..9812ab99ab
+--- /dev/null
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+@@ -0,0 +1,266 @@
++/** @file
++ TPM Platform Hierarchy configuration library.
++
++ This library provides functions for customizing the TPM's Platform Hierarchy
++ Authorization Value (platformAuth) and Platform Hierarchy Authorization
++ Policy (platformPolicy) can be defined through this function.
++
++ Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
++ Copyright (c) Microsoft Corporation.<BR>
++ SPDX-License-Identifier: BSD-2-Clause-Patent
++
++ @par Specification Reference:
++ https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
++**/
++
++#include <Uefi.h>
++
++#include <Library/BaseMemoryLib.h>
++#include <Library/DebugLib.h>
++#include <Library/MemoryAllocationLib.h>
++#include <Library/PcdLib.h>
++#include <Library/RngLib.h>
++#include <Library/Tpm2CommandLib.h>
++#include <Library/Tpm2DeviceLib.h>
++
++//
++// The authorization value may be no larger than the digest produced by the hash
++// algorithm used for context integrity.
++//
++#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
++
++UINT16 mAuthSize;
++
++/**
++ Generate high-quality entropy source through RDRAND.
++
++ @param[in] Length Size of the buffer, in bytes, to fill with.
++ @param[out] Entropy Pointer to the buffer to store the entropy data.
++
++ @retval EFI_SUCCESS Entropy generation succeeded.
++ @retval EFI_NOT_READY Failed to request random data.
++
++**/
++EFI_STATUS
++EFIAPI
++RdRandGenerateEntropy (
++ IN UINTN Length,
++ OUT UINT8 *Entropy
++ )
++{
++ EFI_STATUS Status;
++ UINTN BlockCount;
++ UINT64 Seed[2];
++ UINT8 *Ptr;
++
++ Status = EFI_NOT_READY;
++ BlockCount = Length / 64;
++ Ptr = (UINT8 *)Entropy;
++
++ //
++ // Generate high-quality seed for DRBG Entropy
++ //
++ while (BlockCount > 0) {
++ Status = GetRandomNumber128 (Seed);
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
++ CopyMem (Ptr, Seed, 64);
++
++ BlockCount--;
++ Ptr = Ptr + 64;
++ }
++
++ //
++ // Populate the remained data as request.
++ //
++ Status = GetRandomNumber128 (Seed);
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
++ CopyMem (Ptr, Seed, (Length % 64));
++
++ return Status;
++}
++
++/**
++ This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value
++ and limits an authValue to being no larger than the largest digest produced by a TPM.
++
++ @param[out] AuthSize Tpm2 Auth size
++
++ @retval EFI_SUCCESS Auth size returned.
++ @retval EFI_DEVICE_ERROR Can not return platform auth due to device error.
++
++**/
++EFI_STATUS
++EFIAPI
++GetAuthSize (
++ OUT UINT16 *AuthSize
++ )
++{
++ EFI_STATUS Status;
++ TPML_PCR_SELECTION Pcrs;
++ UINTN Index;
++ UINT16 DigestSize;
++
++ Status = EFI_SUCCESS;
++
++ while (mAuthSize == 0) {
++
++ mAuthSize = SHA1_DIGEST_SIZE;
++ ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
++ Status = Tpm2GetCapabilityPcrs (&Pcrs);
++
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
++ break;
++ }
++
++ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
++
++ for (Index = 0; Index < Pcrs.count; Index++) {
++ DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
++
++ switch (Pcrs.pcrSelections[Index].hash) {
++ case TPM_ALG_SHA1:
++ DigestSize = SHA1_DIGEST_SIZE;
++ break;
++ case TPM_ALG_SHA256:
++ DigestSize = SHA256_DIGEST_SIZE;
++ break;
++ case TPM_ALG_SHA384:
++ DigestSize = SHA384_DIGEST_SIZE;
++ break;
++ case TPM_ALG_SHA512:
++ DigestSize = SHA512_DIGEST_SIZE;
++ break;
++ case TPM_ALG_SM3_256:
++ DigestSize = SM3_256_DIGEST_SIZE;
++ break;
++ default:
++ DigestSize = SHA1_DIGEST_SIZE;
++ break;
++ }
++
++ if (DigestSize > mAuthSize) {
++ mAuthSize = DigestSize;
++ }
++ }
++ break;
++ }
++
++ *AuthSize = mAuthSize;
++ return Status;
++}
++
++/**
++ Set PlatformAuth to random value.
++**/
++VOID
++RandomizePlatformAuth (
++ VOID
++ )
++{
++ EFI_STATUS Status;
++ UINT16 AuthSize;
++ UINT8 *Rand;
++ UINTN RandSize;
++ TPM2B_AUTH NewPlatformAuth;
++
++ //
++ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
++ //
++
++ GetAuthSize (&AuthSize);
++
++ ZeroMem (NewPlatformAuth.buffer, AuthSize);
++ NewPlatformAuth.size = AuthSize;
++
++ //
++ // Allocate one buffer to store random data.
++ //
++ RandSize = MAX_NEW_AUTHORIZATION_SIZE;
++ Rand = AllocatePool (RandSize);
++
++ RdRandGenerateEntropy (RandSize, Rand);
++ CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
++
++ FreePool (Rand);
++
++ //
++ // Send Tpm2HierarchyChangeAuth command with the new Auth value
++ //
++ Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
++ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
++ ZeroMem (NewPlatformAuth.buffer, AuthSize);
++ ZeroMem (Rand, RandSize);
++}
++
++/**
++ Disable the TPM platform hierarchy.
++
++ @retval EFI_SUCCESS The TPM was disabled successfully.
++ @retval Others An error occurred attempting to disable the TPM platform hierarchy.
++
++**/
++EFI_STATUS
++DisableTpmPlatformHierarchy (
++ VOID
++ )
++{
++ EFI_STATUS Status;
++
++ // Make sure that we have use of the TPM.
++ Status = Tpm2RequestUseTpm ();
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
++ ASSERT_EFI_ERROR (Status);
++ return Status;
++ }
++
++ // Let's do what we can to shut down the hierarchies.
++
++ // Disable the PH NV.
++ // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM parts have
++ // been known to store the EK cert in the PH NV. If we disable it, the
++ // EK cert will be unreadable.
++
++ // Disable the PH.
++ Status = Tpm2HierarchyControl (
++ TPM_RH_PLATFORM, // AuthHandle
++ NULL, // AuthSession
++ TPM_RH_PLATFORM, // Hierarchy
++ NO // State
++ );
++ DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH = %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
++ ASSERT_EFI_ERROR (Status);
++ }
++
++ return Status;
++}
++
++/**
++ This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
++ and Platform Hierarchy Authorization Policy (platformPolicy)
++
++**/
++VOID
++EFIAPI
++ConfigureTpmPlatformHierarchy (
++ )
++{
++ if (PcdGetBool (PcdRandomizePlatformHierarchy)) {
++ //
++ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
++ //
++ RandomizePlatformAuth ();
++ } else {
++ //
++ // Disable the hierarchy entirely (do not randomize it)
++ //
++ DisableTpmPlatformHierarchy ();
++ }
++}
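Review bot: `RandomizePlatformAuth` ignores the results of `GetAuthSize`, `AllocatePool` and `RdRandGenerateEntropy`, so if the RNG call fails the function still sends `Tpm2HierarchyChangeAuth` with whatever bytes happen to be in the buffer, and the platform hierarchy ends up protected by a non-random value. Check the status before using the bytes, e.g. `Status = RdRandGenerateEntropy (RandSize, Rand);` then `if (EFI_ERROR (Status)) { FreePool (Rand); return; }`, and decide whether that path should fall back to `DisableTpmPlatformHierarchy ()`. The follow-up patch on this page rewrites this function (hunk `@@ -174,19 +170,13 @@`) and fixes the 64-byte copies from the 16-byte `Seed` and the use of `Rand` after `FreePool`, but it keeps the call unchecked and also drops the `ZeroMem` of `NewPlatformAuth.buffer`, so there a failure would leave uninitialised stack bytes as the auth value. `ConfigureTpmPlatformHierarchy` likewise drops the status from `DisableTpmPlatformHierarchy ()`.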
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+new file mode 100644
+index 0000000000..b7a7fb0a08
+--- /dev/null
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+@@ -0,0 +1,45 @@
++### @file
++#
++# TPM Platform Hierarchy configuration library.
++#
++# This library provides functions for customizing the TPM's Platform Hierarchy
++# Authorization Value (platformAuth) and Platform Hierarchy Authorization
++# Policy (platformPolicy) can be defined through this function.
++#
++# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
++# Copyright (c) Microsoft Corporation.<BR>
++#
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++#
++###
++
++[Defines]
++ INF_VERSION = 0x00010005
++ BASE_NAME = PeiDxeTpmPlatformHierarchyLib
++ FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
++ MODULE_TYPE = PEIM
++ VERSION_STRING = 1.0
++ LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
++
++[LibraryClasses]
++ BaseLib
++ BaseMemoryLib
++ DebugLib
++ MemoryAllocationLib
++ PcdLib
++ RngLib
++ Tpm2CommandLib
++ Tpm2DeviceLib
++
++[Packages]
++ MdePkg/MdePkg.dec
++ MdeModulePkg/MdeModulePkg.dec
++ SecurityPkg/SecurityPkg.dec
++ CryptoPkg/CryptoPkg.dec
++ MinPlatformPkg/MinPlatformPkg.dec
++
++[Sources]
++ PeiDxeTpmPlatformHierarchyLib.c
++
++[Pcd]
++ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
+-- +2.27.0 + diff --git a/0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch b/0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch new file mode 100644 index 0000000..e250097 --- /dev/null +++ b/0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch @@ -0,0 +1,121 @@ +From da8e34ff10bff3bff14c0bc5ee1f2e3f3d72428f Mon Sep 17 00:00:00 2001 +From: Stefan Berger <stefanb@linux.vnet.ibm.com> +Date: Mon, 13 Sep 2021 22:20:58 +0800 +Subject: [PATCH 2/8] SecurityPkg/TPM: Fix bugs in imported + PeiDxeTpmPlatformHierarchyLib + +Fix some bugs in the original PeiDxeTpmPlatformHierarchyLib.c. + +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> +Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> +--- + .../PeiDxeTpmPlatformHierarchyLib.c | 23 +++++-------------- + .../PeiDxeTpmPlatformHierarchyLib.inf | 5 ++-- + 2 files changed, 8 insertions(+), 20 deletions(-) + +diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +index 9812ab99ab..d82a0ae1bd 100644 +--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +@@ -18,7 +18,6 @@ + #include <Library/BaseMemoryLib.h>
+ #include <Library/DebugLib.h>
+ #include <Library/MemoryAllocationLib.h>
+-#include <Library/PcdLib.h>
+ #include <Library/RngLib.h>
+ #include <Library/Tpm2CommandLib.h>
+ #include <Library/Tpm2DeviceLib.h>
+@@ -27,7 +26,6 @@
+ // The authorization value may be no larger than the digest produced by the hash
+ // algorithm used for context integrity.
+ //
+-#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
+
+ UINT16 mAuthSize;
+
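Review bot: Removing `MAX_NEW_AUTHORIZATION_SIZE` leaves the comment above it (`The authorization value may be no larger than the digest ...`) describing nothing but a blank line before `mAuthSize`. Either delete the comment together with the macro or attach a statement to what remains; from the code visible on this page the limit is now applied in `GetAuthSize`, which picks the largest digest size among the reported PCR banks. Something like `// mAuthSize caches the largest digest size reported by the TPM; 0 means not yet queried.` above `UINT16 mAuthSize;` would document the variable that is left.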
+@@ -54,7 +52,7 @@ RdRandGenerateEntropy (
+ UINT8 *Ptr;
+
+ Status = EFI_NOT_READY;
+- BlockCount = Length / 64;
++ BlockCount = Length / sizeof(Seed);
+ Ptr = (UINT8 *)Entropy;
+
+ //
+@@ -65,10 +63,10 @@ RdRandGenerateEntropy (
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+- CopyMem (Ptr, Seed, 64);
++ CopyMem (Ptr, Seed, sizeof(Seed));
+
+ BlockCount--;
+- Ptr = Ptr + 64;
++ Ptr = Ptr + sizeof(Seed);
+ }
+
+ //
+@@ -78,7 +76,7 @@ RdRandGenerateEntropy (
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+- CopyMem (Ptr, Seed, (Length % 64));
++ CopyMem (Ptr, Seed, (Length % sizeof(Seed)));
+
+ return Status;
+ }
+@@ -164,8 +162,6 @@ RandomizePlatformAuth (
+ {
+ EFI_STATUS Status;
+ UINT16 AuthSize;
+- UINT8 *Rand;
+- UINTN RandSize;
+ TPM2B_AUTH NewPlatformAuth;
+
+ //
+@@ -174,19 +170,13 @@ RandomizePlatformAuth (
+
+ GetAuthSize (&AuthSize);
+
+- ZeroMem (NewPlatformAuth.buffer, AuthSize);
+ NewPlatformAuth.size = AuthSize;
+
+ //
+- // Allocate one buffer to store random data.
++ // Create the random bytes in the destination buffer
+ //
+- RandSize = MAX_NEW_AUTHORIZATION_SIZE;
+- Rand = AllocatePool (RandSize);
+-
+- RdRandGenerateEntropy (RandSize, Rand);
+- CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
+
+- FreePool (Rand);
++ RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer);
+
+ //
+ // Send Tpm2HierarchyChangeAuth command with the new Auth value
+@@ -194,7 +184,6 @@ RandomizePlatformAuth (
+ Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
+ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
+ ZeroMem (NewPlatformAuth.buffer, AuthSize);
+- ZeroMem (Rand, RandSize);
+ }
+
+ /**
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+index b7a7fb0a08..7bf666794f 100644
+--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+@@ -1,6 +1,5 @@
+-### @file
+-#
+-# TPM Platform Hierarchy configuration library.
++## @file
++# TPM Platform Hierarchy configuration library.
+ #
+ # This library provides functions for customizing the TPM's Platform Hierarchy
+ # Authorization Value (platformAuth) and Platform Hierarchy Authorization
+-- +2.27.0 + diff --git a/0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch b/0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch new file mode 100644 index 0000000..480ab1d --- /dev/null +++ b/0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch @@ -0,0 +1,161 @@ +From 4f998a6c11ca05dc19bafe54ecd43ed74bd2cb3c Mon Sep 17 00:00:00 2001 +From: Stefan Berger <stefanb@linux.vnet.ibm.com> +Date: Mon, 13 Sep 2021 22:20:59 +0800 +Subject: [PATCH 3/8] SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from + edk2-platforms + +Import Tcg2PlatformDxe from edk2-platforms without any modifications. + +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> +Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> +--- + .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 85 +++++++++++++++++++ + .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 44 ++++++++++ + 2 files changed, 129 insertions(+) + create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c + create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf + +diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c +new file mode 100644 +index 0000000000..150cf748ff +--- /dev/null ++++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c +@@ -0,0 +1,85 @@ ++/** @file
++ Platform specific TPM2 component for configuring the Platform Hierarchy.
++
++ Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>
++ SPDX-License-Identifier: BSD-2-Clause-Patent
++
++**/
++
++#include <PiDxe.h>
++
++#include <Library/DebugLib.h>
++#include <Library/UefiBootServicesTableLib.h>
++#include <Library/UefiLib.h>
++#include <Library/TpmPlatformHierarchyLib.h>
++#include <Protocol/DxeSmmReadyToLock.h>
++
++/**
++ This callback function will run at the SmmReadyToLock event.
++
++ Configuration of the TPM's Platform Hierarchy Authorization Value (platformAuth)
++ and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function.
++
++ @param Event Pointer to this event
++ @param Context Event hanlder private data
++ **/
++VOID
++EFIAPI
++SmmReadyToLockEventCallBack (
++ IN EFI_EVENT Event,
++ IN VOID *Context
++ )
++{
++ EFI_STATUS Status;
++ VOID *Interface;
++
++ //
++ // Try to locate it because EfiCreateProtocolNotifyEvent will trigger it once when registration.
++ // Just return if it is not found.
++ //
++ Status = gBS->LocateProtocol (
++ &gEfiDxeSmmReadyToLockProtocolGuid,
++ NULL,
++ &Interface
++ );
++ if (EFI_ERROR (Status)) {
++ return ;
++ }
++
++ ConfigureTpmPlatformHierarchy ();
++
++ gBS->CloseEvent (Event);
++}
++
++/**
++ The driver's entry point. Will register a function for callback during SmmReadyToLock event to
++ configure the TPM's platform authorization.
++
++ @param[in] ImageHandle The firmware allocated handle for the EFI image.
++ @param[in] SystemTable A pointer to the EFI System Table.
++
++ @retval EFI_SUCCESS The entry point is executed successfully.
++ @retval other Some error occurs when executing this entry point.
++**/
++EFI_STATUS
++EFIAPI
++Tcg2PlatformDxeEntryPoint (
++ IN EFI_HANDLE ImageHandle,
++ IN EFI_SYSTEM_TABLE *SystemTable
++ )
++{
++ VOID *Registration;
++ EFI_EVENT Event;
++
++ Event = EfiCreateProtocolNotifyEvent (
++ &gEfiDxeSmmReadyToLockProtocolGuid,
++ TPL_CALLBACK,
++ SmmReadyToLockEventCallBack,
++ NULL,
++ &Registration
++ );
++
++ ASSERT (Event != NULL);
++
++ return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+new file mode 100644
+index 0000000000..af29c1cd98
+--- /dev/null
++++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+@@ -0,0 +1,44 @@
++### @file
++# Platform specific TPM2 component.
++#
++# Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>
++#
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++#
++###
++
++[Defines]
++ INF_VERSION = 0x00010017
++ BASE_NAME = Tcg2PlatformDxe
++ FILE_GUID = 5CAB08D5-AD8F-4d8b-B828-D17A8D9FE977
++ VERSION_STRING = 1.0
++ MODULE_TYPE = DXE_DRIVER
++ ENTRY_POINT = Tcg2PlatformDxeEntryPoint
++#
++# The following information is for reference only and not required by the build tools.
++#
++# VALID_ARCHITECTURES = IA32 X64 IPF
++#
++
++[LibraryClasses]
++ BaseLib
++ UefiBootServicesTableLib
++ UefiDriverEntryPoint
++ DebugLib
++ UefiLib
++ TpmPlatformHierarchyLib
++
++[Packages]
++ MdePkg/MdePkg.dec
++ MdeModulePkg/MdeModulePkg.dec
++ MinPlatformPkg/MinPlatformPkg.dec
++ SecurityPkg/SecurityPkg.dec
++
++[Sources]
++ Tcg2PlatformDxe.c
++
++[Protocols]
++ gEfiDxeSmmReadyToLockProtocolGuid ## SOMETIMES_CONSUMES ## NOTIFY
++
++[Depex]
++ gEfiTcg2ProtocolGuid
+--
+2.27.0
+
diff --git a/0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch b/0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch
new file mode 100644
index 0000000..b6bcac8
--- /dev/null
+++ b/0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch
@@ -0,0 +1,63 @@
+From edaa95dc147509a6c84225d70476c7dd9179cb57 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:21:00 +0800
+Subject: [PATCH 4/8] SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable and fix
+ style issues
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h | 4 ++--
+ .../PeiDxeTpmPlatformHierarchyLib.c | 2 +-
+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 3 +--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
+index a872fa09dc..8d61a4867b 100644
+--- a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
++++ b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
+@@ -11,8 +11,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
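Review bot: In `Tcg2PlatformDxeEntryPoint` the only reaction to a failed `EfiCreateProtocolNotifyEvent` is `ASSERT (Event != NULL)`, which disappears in builds without asserts; the driver then returns `EFI_SUCCESS` with no callback registered, so `ConfigureTpmPlatformHierarchy ()` never runs and nothing records that the platform hierarchy was left unconfigured. I would add a real check after the call, `if (Event == NULL) { return EFI_OUT_OF_RESOURCES; }`, ideally with a `DEBUG_ERROR` message, so the failure is visible instead of silent. In `SmmReadyToLockEventCallBack` the return value of `gBS->CloseEvent (Event)` is dropped, and the `@param Context` line reads "hanlder".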
+ **/
+
+-#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
+-#define _TPM_PLATFORM_HIERARCHY_LIB_H_
++#ifndef TPM_PLATFORM_HIERARCHY_LIB_H_
++#define TPM_PLATFORM_HIERARCHY_LIB_H_
+
+ /**
+ This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+index d82a0ae1bd..0bb04a20fc 100644
+--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+@@ -233,7 +233,7 @@ DisableTpmPlatformHierarchy (
+ 
+ /**
+ This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
+- and Platform Hierarchy Authorization Policy (platformPolicy)
++ and Platform Hierarchy Authorization Policy (platformPolicy).
+
+ **/
+ VOID
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+index af29c1cd98..635302fe6f 100644
+--- a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
++++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+@@ -1,4 +1,4 @@
+-### @file
++## @file
+ # Platform specific TPM2 component.
+ #
+ # Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>
+@@ -31,7 +31,6 @@
+ [Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+- MinPlatformPkg/MinPlatformPkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+ [Sources]
+--
+2.27.0
+
diff --git a/0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch b/0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch
new file mode 100644
index 0000000..6b096da
--- /dev/null
+++ b/0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch
@@ -0,0 +1,53 @@
+From 0282acbc3dee92ee04f1a212ca3f4c77e8b97207 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:21:01 +0800
+Subject: [PATCH 5/8] SecurityPkg: Introduce new PCD
+ PcdRandomizePlatformHierarchy
+
+Introduce the new PCD
+gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy.
+We need it for TpmPlatformHierarchyLib.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ .../PeiDxeTpmPlatformHierarchyLib.inf | 3 +--
+ SecurityPkg/SecurityPkg.dec | 6 ++++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+index 7bf666794f..efe560e7ff 100644
+--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+@@ -35,10 +35,9 @@
+ MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ CryptoPkg/CryptoPkg.dec
+- MinPlatformPkg/MinPlatformPkg.dec
+
+ [Sources]
+ PeiDxeTpmPlatformHierarchyLib.c
+
+ [Pcd]
+- gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
++ gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
+diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
+index 5335cc5397..276ea6e2dd 100644
+--- a/SecurityPkg/SecurityPkg.dec
++++ b/SecurityPkg/SecurityPkg.dec
+@@ -291,6 +291,12 @@
+ # @Prompt Physical presence of the platform operator.
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmPhysicalPresence|TRUE|BOOLEAN|0x00010001
+
++ ## Indicates whether the TPM2 platform hierarchy will be disabled by using
++ # a random password or by disabling the hierarchy
++ # TRUE - A random password will be used
++ # FALSE - The hierarchy will be disabled
++ gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy|TRUE|BOOLEAN|0x00010024
++
+ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+ ## Indicates whether TPM physical presence is locked during platform initialization.
+ # Once it is locked, it can not be unlocked for TPM life time.<BR><BR>
+--
+2.27.0
+
diff --git a/0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch b/0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch
new file mode 100644
index 0000000..38acd0e
--- /dev/null
+++ b/0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch
@@ -0,0 +1,191 @@
+From ede5db34ee1e35c16cf016b974046b1c499c19a6 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:21:03 +0800
+Subject: [PATCH 6/8] SecurityPkg/Tcg: Import Tcg2PlatformPei from
+ edk2-platforms
+
+Import Tcg2PlatformPei from edk2-platforms without any modifications.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 107 ++++++++++++++++++
+ .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 52 +++++++++
+ 2 files changed, 159 insertions(+)
+ create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
+ create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
+new file mode 100644
+index 0000000000..66ec75ad0e
+--- /dev/null
++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
+@@ -0,0 +1,107 @@
++/** @file
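Review bot: The comment added for `PcdRandomizePlatformHierarchy` in SecurityPkg.dec calls the hierarchy "disabled" in both cases, yet its own TRUE/FALSE lines distinguish a random password from actually disabling it, and TRUE is the declared default; I would reword the first line to `## Selects how the TPM2 platform hierarchy is locked down: random platformAuth or hierarchy disabled`. The neighbouring `PcdTpmPhysicalPresence` entry carries an `# @Prompt` line and the new entry has none. The section header the PCD lands under is outside the hunk, so the PCD types it is allowed to take cannot be confirmed from here.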
++
++Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
++Copyright (c) Microsoft Corporation.<BR>
++SPDX-License-Identifier: BSD-2-Clause-Patent
++
++**/
++
++#include <PiPei.h>
++#include <Library/PeiServicesLib.h>
++#include <Library/DebugLib.h>
++#include <Library/BaseMemoryLib.h>
++#include <Library/MemoryAllocationLib.h>
++#include <Library/HobLib.h>
++#include <Library/Tpm2CommandLib.h>
++#include <Library/Tpm2DeviceLib.h>
++#include <Library/TpmPlatformHierarchyLib.h>
++#include <Library/RngLib.h>
++
++#include <Ppi/EndOfPeiPhase.h>
++
++#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
++
++/**
++ This function handles PlatformInit task at the end of PEI
++
++ @param[in] PeiServices Pointer to PEI Services Table.
++ @param[in] NotifyDesc Pointer to the descriptor for the Notification event that
++ caused this function to execute.
++ @param[in] Ppi Pointer to the PPI data associated with this function.
++
++ @retval EFI_SUCCESS The function completes successfully
++ @retval others
++**/
++EFI_STATUS
++EFIAPI
++PlatformInitEndOfPei (
++ IN CONST EFI_PEI_SERVICES **PeiServices,
++ IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor,
++ IN VOID *Ppi
++ )
++{
++ VOID *TcgEventLog;
++
++ //
++ // Try to get TcgEventLog in S3 to see if S3 error is reported.
++ //
++ TcgEventLog = GetFirstGuidHob(&gTcgEventEntryHobGuid);
++ if (TcgEventLog == NULL) {
++ TcgEventLog = GetFirstGuidHob(&gTcgEvent2EntryHobGuid);
++ }
++
++ if (TcgEventLog == NULL) {
++ //
++ // no S3 error reported
++ //
++ return EFI_SUCCESS;
++ }
++
++ //
++ // If there is S3 error on TPM_SU_STATE and success on TPM_SU_CLEAR,
++ // configure the TPM Platform Hierarchy.
++ //
++ ConfigureTpmPlatformHierarchy ();
++
++ return EFI_SUCCESS;
++}
++
++static EFI_PEI_NOTIFY_DESCRIPTOR mEndOfPeiNotifyList = {
++ (EFI_PEI_PPI_DESCRIPTOR_NOTIFY_CALLBACK | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST),
++ &gEfiEndOfPeiSignalPpiGuid,
++ (EFI_PEIM_NOTIFY_ENTRY_POINT)PlatformInitEndOfPei
++};
++
++/**
++ Main entry
++
++ @param[in] FileHandle Handle of the file being invoked.
++ @param[in] PeiServices Pointer to PEI Services table.
++
++ @retval EFI_SUCCESS Install function successfully.
++
++**/
++EFI_STATUS
++EFIAPI
++Tcg2PlatformPeiEntryPoint (
++ IN EFI_PEI_FILE_HANDLE FileHandle,
++ IN CONST EFI_PEI_SERVICES **PeiServices
++ )
++{
++ EFI_STATUS Status;
++ EFI_BOOT_MODE BootMode;
++
++ Status = PeiServicesGetBootMode (&BootMode);
++ ASSERT_EFI_ERROR(Status);
++
++ if (BootMode != BOOT_ON_S3_RESUME) {
++ return EFI_SUCCESS;
++ }
++
++ //
++ // Performing PlatformInitEndOfPei after EndOfPei PPI produced
++ //
++ Status = PeiServicesNotifyPpi (&mEndOfPeiNotifyList);
++
++ return Status;
++}
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+new file mode 100644
+index 0000000000..579f09b940
+--- /dev/null
++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+@@ -0,0 +1,52 @@
++### @file
++#
++# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
++#
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++#
++###
++
++[Defines]
++ INF_VERSION = 0x00010017
++ BASE_NAME = Tcg2PlatformPei
++ FILE_GUID = 47727552-A54B-4A84-8CC1-BFF23E239636
++ VERSION_STRING = 1.0
++ MODULE_TYPE = PEIM
++ ENTRY_POINT = Tcg2PlatformPeiEntryPoint
++
++#
++# The following information is for reference only and not required by the build tools.
++#
++# VALID_ARCHITECTURES = IA32 X64 IPF EBC
++#
++
++[LibraryClasses]
++ PcdLib
++ BaseMemoryLib
++ MemoryAllocationLib
++ PeiServicesLib
++ PeimEntryPoint
++ DebugLib
++ Tpm2DeviceLib
++ Tpm2CommandLib
++ TpmPlatformHierarchyLib
++ RngLib
++
++[Packages]
++ MdePkg/MdePkg.dec
++ SecurityPkg/SecurityPkg.dec
++ MinPlatformPkg/MinPlatformPkg.dec
++
++[Sources]
++ Tcg2PlatformPei.c
++
++[Guids]
++ gTcgEventEntryHobGuid
++ gTcgEvent2EntryHobGuid
++
++[Ppis]
++ gEfiEndOfPeiSignalPpiGuid
++
++[Depex]
++ gEfiTpmDeviceSelectedGuid
++
+--
+2.27.0
+
diff --git a/0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch b/0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch
new file mode 100644
index 0000000..3a51c88
--- /dev/null
+++ b/0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch
@@ -0,0 +1,63 @@
+From 5134d284aafd4816e265b5c551ee32d6eb43bbc8 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:21:04 +0800
+Subject: [PATCH 7/8] SecurityPkg/Tcg: Make Tcg2PlatformPei buildable and fix
+ style issues
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 11 ++++++-----
+ SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 4 ++--
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
+index 66ec75ad0e..21d2c1433d 100644
+--- a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
+@@ -1,4 +1,5 @@
+ /** @file
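Review bot: `Tcg2PlatformPeiEntryPoint` checks `PeiServicesGetBootMode` only with `ASSERT_EFI_ERROR(Status)`, so in a build without asserts a failed call leaves `BootMode` uninitialised and the `BootMode != BOOT_ON_S3_RESUME` test decides on an indeterminate value whether the end-of-PEI notification is registered at all. I would replace the assert with `if (EFI_ERROR (Status)) { return Status; }` so the failure is reported rather than silently skipping the hierarchy configuration. `MAX_NEW_AUTHORIZATION_SIZE` is defined but not used in this file, and the comment above `ConfigureTpmPlatformHierarchy ()` in `PlatformInitEndOfPei` describes a TPM_SU_STATE/TPM_SU_CLEAR outcome while the code only tests whether one of the two HOBs exists.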
++ Configure TPM 2 platform hierarchy on TPM state resume failure on S3 resume
+
+ Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) Microsoft Corporation.<BR>
+@@ -24,12 +25,12 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ /**
+ This function handles PlatformInit task at the end of PEI
+
+- @param[in] PeiServices Pointer to PEI Services Table.
+- @param[in] NotifyDesc Pointer to the descriptor for the Notification event that
+- caused this function to execute.
+- @param[in] Ppi Pointer to the PPI data associated with this function.
++ @param[in] PeiServices Pointer to PEI Services Table.
++ @param[in] NotifyDescriptor Pointer to the descriptor for the Notification event that
++ caused this function to execute.
++ @param[in] Ppi Pointer to the PPI data associated with this function.
+
+- @retval EFI_SUCCESS The function completes successfully
++ @retval EFI_SUCCESS The function completes successfully
+ @retval others
+ **/
+ EFI_STATUS
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+index 579f09b940..6f57de025b 100644
+--- a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+@@ -1,4 +1,5 @@
+-### @file
++## @file
++# Configure TPM 2 platform hierarchy on TPM state resume failure on S3 resume
+ #
+ # Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
+ #
+@@ -35,7 +36,6 @@
+ [Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+- MinPlatformPkg/MinPlatformPkg.dec
+
+ [Sources]
+ Tcg2PlatformPei.c
+--
+2.27.0
+
diff --git a/0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch b/0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch
new file mode 100644
index 0000000..beb2c1f
--- /dev/null
+++ b/0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch
@@ -0,0 +1,68 @@
+From e031b8396ba1ad059f7c1dc6e28e9fc4ca6aaae9 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:21:06 +0800
+Subject: [PATCH 8/8] SecurityPkg: Add references to header and inf files to
+ SecurityPkg
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ SecurityPkg/SecurityPkg.dec | 4 ++++
+ SecurityPkg/SecurityPkg.dsc | 12 ++++++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
+index 276ea6e2dd..beffd08772 100644
+--- a/SecurityPkg/SecurityPkg.dec
++++ b/SecurityPkg/SecurityPkg.dec
+@@ -68,6 +68,10 @@
+ #
+ Tcg2PhysicalPresenceLib|Include/Library/Tcg2PhysicalPresenceLib.h
+
++ ## @libraryclass Handle TPM 2.0 platform hierarchy configuration
++ #
++ TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h
++
+ ## @libraryclass Provides interfaces about TCG storage generic command.
+ #
+ TcgStorageCoreLib|Include/Library/TcgStorageCoreLib.h
+diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
+index a2eeadda7a..8d5371295a 100644
+--- a/SecurityPkg/SecurityPkg.dsc
++++ b/SecurityPkg/SecurityPkg.dsc
+@@ -211,6 +211,8 @@
+ 
+ SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
+
++ SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++
+ #
+ # TCG Storage.
+ #
+@@ -272,6 +274,11 @@
+ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+ }
+
++ SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
++ <LibraryClasses>
++ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++ }
++
+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+ <LibraryClasses>
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+@@ -288,6 +295,11 @@
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+ }
+
++ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
++ <LibraryClasses>
++ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++ }
++
+ #
+ # Hash2
+ #
+--
+2.27.0
+
diff --git a/0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch b/0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch
new file mode 100644
index 0000000..a4db4de
--- /dev/null
+++ b/0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch
@@ -0,0 +1,50 @@
+From 85a19a714c4b4702edc59db0a3419f48fffe2b0a Mon Sep 17 00:00:00 2001
+From: Jinhua Cao <caojinhua1@huawei.com>
+Date: Thu, 17 Feb 2022 17:38:41 +0800
+Subject: [PATCH] OvmfPkg: VirtioNetDxe: Extend the RxBufferSize to avoid data
+ truncation
+
+1822 net card needs at least 1536 bytes for DMA, even we never negotiate
+VIRTIO_NET_F_MRG_RXBUF. The original max size of packet is 15144 which would
+cause data trucation. Now we extend the RxBufSize to 9014(Jumbo Frame type)
+so that we can avoid it.
+
+Signed-off-by: Jinhua Cao <caojinhua1@huawei.com>
+---
+ OvmfPkg/Include/IndustryStandard/Virtio095Net.h | 7 +++++++
+ OvmfPkg/VirtioNetDxe/SnpInitialize.c | 3 ++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/Include/IndustryStandard/Virtio095Net.h b/OvmfPkg/Include/IndustryStandard/Virtio095Net.h
+index 9c0ed5ed24..28f5cc0899 100644
+--- a/OvmfPkg/Include/IndustryStandard/Virtio095Net.h
++++ b/OvmfPkg/Include/IndustryStandard/Virtio095Net.h
+@@ -88,4 +88,11 @@ typedef struct {
+ #define VIRTIO_NET_S_LINK_UP BIT0
+ #define VIRTIO_NET_S_ANNOUNCE BIT1
+
++//
++// 1822 net card needs at least 1536 bytes for DMA, even we never negotiate
++// VIRTIO_NET_F_MRG_RXBUF. The original max size of packet is 15144 which would
++// cause data trucation. Now we extend the RxBufSize to 9014(Jumbo Frame type)
++// so that we can avoid it.
++#define VIRTIO_RXBUF_JUMBO_PADDING 7500
++
+ #endif // _VIRTIO_0_9_5_NET_H_
+diff --git a/OvmfPkg/VirtioNetDxe/SnpInitialize.c b/OvmfPkg/VirtioNetDxe/SnpInitialize.c
+index bb3b552d68..6febfea3bb 100644
+--- a/OvmfPkg/VirtioNetDxe/SnpInitialize.c
++++ b/OvmfPkg/VirtioNetDxe/SnpInitialize.c
+@@ -337,7 +337,8 @@ VirtioNetInitRx (
+ // and Ethernet payload).
+ //
+ RxBufSize = VirtioNetReqSize +
+- (Dev->Snm.MediaHeaderSize + Dev->Snm.MaxPacketSize);
++ (Dev->Snm.MediaHeaderSize + Dev->Snm.MaxPacketSize) +
++ VIRTIO_RXBUF_JUMBO_PADDING;
+
+ //
+ // Limit the number of pending RX packets if the queue is big. The division
+--
+2.27.0
+
diff --git a/0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch b/0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
new file mode 100644
index 0000000..082e057
--- /dev/null
+++ b/0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
@@ -0,0 +1,191 @@
+From f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac Mon Sep 17 00:00:00 2001
+From: Guomin Jiang <guomin.jiang@intel.com>
+Date: Wed, 13 Jan 2021 18:08:09 +0800
+Subject: [PATCH] UefiCpuPkg: Move MigrateGdt from DiscoverMemory to
+ TempRamDone. (CVE-2019-11098)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1614
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3160
+
+The GDT still in flash with commit 60b12e69fb1c8c7180fdda92f008248b9ec83db1
+after TempRamDone
+
+So move the action to TempRamDone event to avoid reading GDT from flash.
+
+Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
+Cc: Eric Dong <eric.dong@intel.com>
+Cc: Ray Ni <ray.ni@intel.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Rahul Kumar <rahul1.kumar@intel.com>
+Cc: Debkumar De <debkumar.de@intel.com>
+Cc: Harry Han <harry.han@intel.com>
+Cc: Catharine West <catharine.west@intel.com>
+Reviewed-by: Ray Ni <ray.ni@intel.com>
+---
+ UefiCpuPkg/CpuMpPei/CpuMpPei.c | 37 --------------------------
+ UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 1 -
+ UefiCpuPkg/CpuMpPei/CpuPaging.c | 8 ------
+ UefiCpuPkg/SecCore/SecCore.inf | 1 +
+ UefiCpuPkg/SecCore/SecMain.c | 45 ++++++++++++++++++++++++++++++++
+ 5 files changed, 46 insertions(+), 46 deletions(-)
+
+diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.c b/UefiCpuPkg/CpuMpPei/CpuMpPei.c
+index 40729a09b9..3c1bad6470 100644
+--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.c
++++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.c
+@@ -429,43 +429,6 @@ GetGdtr (
+ AsmReadGdtr ((IA32_DESCRIPTOR *)Buffer);
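Review bot: The comment added above `VIRTIO_RXBUF_JUMBO_PADDING` gives the original maximum packet size as 15144, which does not fit the arithmetic it describes (9014 minus the 7500 padding is 1514), and it does not say that the constant is added to every RX buffer in `VirtioNetInitRx`; something like `// Extra bytes per RX buffer so a 9014-byte jumbo frame fits even without VIRTIO_NET_F_MRG_RXBUF` would be accurate. The padding is a workaround for one device but sits in the generic Virtio 0.9.5 header and is applied unconditionally, so every virtio-net instance pays for it. The rest of `VirtioNetInitRx` is outside the hunk, so it should be confirmed that the buffer allocation and the descriptor lengths further down both derive from the same `RxBufSize`; a descriptor length larger than the mapped buffer would let the device write past it.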
+ }
+
+-/**
+- Migrates the Global Descriptor Table (GDT) to permanent memory.
+-
+- @retval EFI_SUCCESS The GDT was migrated successfully.
+- @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to lack of available memory.
+-
+-**/
+-EFI_STATUS
+-MigrateGdt (
+- VOID
+- )
+-{
+- EFI_STATUS Status;
+- UINTN GdtBufferSize;
+- IA32_DESCRIPTOR Gdtr;
+- VOID *GdtBuffer;
+-
+- AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr);
+- GdtBufferSize = sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1;
+-
+- Status = PeiServicesAllocatePool (
+- GdtBufferSize,
+- &GdtBuffer
+- );
+- ASSERT (GdtBuffer != NULL);
+- if (EFI_ERROR (Status)) {
+- return EFI_OUT_OF_RESOURCES;
+- }
+-
+- GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTOR));
+- CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1);
+- Gdtr.Base = (UINTN) GdtBuffer;
+- AsmWriteGdtr (&Gdtr);
+-
+- return EFI_SUCCESS;
+-}
+-
+ /**
+ Initializes CPU exceptions handlers for the sake of stack switch requirement.
+
+diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+index ba829d816e..7444bdb968 100644
+--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
++++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+@@ -67,7 +67,6 @@
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList ## SOMETIMES_CONSUMES
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize ## SOMETIMES_CONSUMES
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize ## SOMETIMES_CONSUMES
+- gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes ## CONSUMES
+
+ [Depex]
+ TRUE
+diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c
+index 50ad4277af..3e261d6657 100644
+--- a/UefiCpuPkg/CpuMpPei/CpuPaging.c
++++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c
+@@ -605,17 +605,9 @@ MemoryDiscoveredPpiNotifyCallback (
+ {
+ EFI_STATUS Status;
+ BOOLEAN InitStackGuard;
+- BOOLEAN InterruptState;
+ EDKII_MIGRATED_FV_INFO *MigratedFvInfo;
+ EFI_PEI_HOB_POINTERS Hob;
+
+- if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
+- InterruptState = SaveAndDisableInterrupts ();
+- Status = MigrateGdt ();
+- ASSERT_EFI_ERROR (Status);
+- SetInterruptState (InterruptState);
+- }
+-
+ //
+ // Paging must be setup first. Otherwise the exception TSS setup during MP
+ // initialization later will not contain paging information and then fail
+diff --git a/UefiCpuPkg/SecCore/SecCore.inf b/UefiCpuPkg/SecCore/SecCore.inf
+index 545781d6b4..ded83beb52 100644
+--- a/UefiCpuPkg/SecCore/SecCore.inf
++++ b/UefiCpuPkg/SecCore/SecCore.inf
+@@ -77,6 +77,7 @@
+ 
+ [Pcd]
+ gUefiCpuPkgTokenSpaceGuid.PcdPeiTemporaryRamStackSize ## CONSUMES
++ gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes ## CONSUMES
+
+ [UserExtensions.TianoCore."ExtraFiles"]
+ SecCoreExtra.uni
+diff --git a/UefiCpuPkg/SecCore/SecMain.c b/UefiCpuPkg/SecCore/SecMain.c
+index 155be49a60..2416c4ce56 100644
+--- a/UefiCpuPkg/SecCore/SecMain.c
++++ b/UefiCpuPkg/SecCore/SecMain.c
+@@ -35,6 +35,43 @@ EFI_PEI_PPI_DESCRIPTOR mPeiSecPlatformInformationPpi[] = {
+ }
+ };
+
++/**
++ Migrates the Global Descriptor Table (GDT) to permanent memory.
++
++ @retval EFI_SUCCESS The GDT was migrated successfully.
++ @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to lack of available memory.
++
++**/
++EFI_STATUS
++MigrateGdt (
++ VOID
++ )
++{
++ EFI_STATUS Status;
++ UINTN GdtBufferSize;
++ IA32_DESCRIPTOR Gdtr;
++ VOID *GdtBuffer;
++
++ AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr);
++ GdtBufferSize = sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1;
++
++ Status = PeiServicesAllocatePool (
++ GdtBufferSize,
++ &GdtBuffer
++ );
++ ASSERT (GdtBuffer != NULL);
++ if (EFI_ERROR (Status)) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++
++ GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTOR));
++ CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1);
++ Gdtr.Base = (UINTN) GdtBuffer;
++ AsmWriteGdtr (&Gdtr);
++
++ return EFI_SUCCESS;
++}
++
+ //
+ // These are IDT entries pointing to 10:FFFFFFE4h.
+ //
+@@ -409,6 +446,14 @@ SecTemporaryRamDone (
+ //
+ State = SaveAndDisableInterrupts ();
+
++ //
++ // Migrate GDT before NEM near down
++ //
++ if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
++ Status = MigrateGdt ();
++ ASSERT_EFI_ERROR (Status);
++ }
++
+ //
+ // Disable Temporary RAM after Stack and Heap have been migrated at this point.
+ //
+--
+2.27.0
+
diff --git a/0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch b/0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch
new file mode 100644
index 0000000..00641ee
--- /dev/null
+++ b/0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch
@@ -0,0 +1,208 @@
+From cab1f02565d3b29081dd21afb074f35fdb4e1fd6 Mon Sep 17 00:00:00 2001
+From: Miki Demeter <miki.demeter@intel.com>
+Date: Thu, 27 Oct 2022 16:20:54 -0700
+Subject: [PATCH] MdeModulePkg/PiSmmCore:SmmEntryPoint underflow(CVE-2021-38578)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3387
+
+Added use of SafeIntLib to validate values are not causing overflows or
+underflows in user controlled values when calculating buffer sizes.
+
+Signed-off-by: Miki Demeter <miki.demeter@intel.com>
+Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Liming Gao <gaoliming@byosoft.com.cn>
+Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+---
+ MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 41 ++++++++++++++++++-----
+ MdeModulePkg/Core/PiSmmCore/PiSmmCore.h | 1 +
+ MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf | 1 +
+ MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 31 +++++++++++++----
+ MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf | 1 +
+ 5 files changed, 60 insertions(+), 15 deletions(-)
+
+diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+index 9e5c6cbe33..875c7c0258 100644
+--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+@@ -609,6 +609,7 @@ SmmEndOfS3ResumeHandler (
+ @param[in] Size2 Size of Buff2
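Review bot: In the `SecTemporaryRamDone` hunk a failed `MigrateGdt ()` is caught only by `ASSERT_EFI_ERROR (Status)`; with asserts compiled out, execution goes on to disable temporary RAM with the GDT still where it was, which is the condition this change is meant to remove. I would stop instead of continuing, e.g. `if (EFI_ERROR (Status)) { CpuDeadLoop (); }`. Inside `MigrateGdt`, `ASSERT (GdtBuffer != NULL)` runs before the `EFI_ERROR (Status)` test and reads `GdtBuffer`, which has no initial value if `PeiServicesAllocatePool` fails; initialise it to `NULL` or move the assert below the status check. The body of `SecTemporaryRamDone` continues outside the hunk.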
+
+ @retval TRUE Buffers overlap in memory.
++ @retval TRUE Math error. Prevents potential math over and underflows.
+ @retval FALSE Buffer doesn't overlap.
+
+ **/
+@@ -620,11 +621,24 @@ InternalIsBufferOverlapped (
+ IN UINTN Size2
+ )
+ {
++ UINTN End1;
++ UINTN End2;
++ BOOLEAN IsOverUnderflow1;
++ BOOLEAN IsOverUnderflow2;
++
++ // Check for over or underflow
++ IsOverUnderflow1 = EFI_ERROR (SafeUintnAdd ((UINTN)Buff1, Size1, &End1));
++ IsOverUnderflow2 = EFI_ERROR (SafeUintnAdd ((UINTN)Buff2, Size2, &End2));
++
++ if (IsOverUnderflow1 || IsOverUnderflow2) {
++ return TRUE;
++ }
++
+ //
+ // If buff1's end is less than the start of buff2, then it's ok.
+ // Also, if buff1's start is beyond buff2's end, then it's ok.
+ //
+- if (((Buff1 + Size1) <= Buff2) || (Buff1 >= (Buff2 + Size2))) {
++ if ((End1 <= (UINTN)Buff2) || ((UINTN)Buff1 >= End2)) {
+ return FALSE;
+ }
+
+@@ -651,6 +665,7 @@ SmmEntryPoint (
+ EFI_SMM_COMMUNICATE_HEADER *CommunicateHeader;
+ BOOLEAN InLegacyBoot;
+ BOOLEAN IsOverlapped;
++ BOOLEAN IsOverUnderflow;
+ VOID *CommunicationBuffer;
+ UINTN BufferSize;
+
+@@ -699,23 +714,31 @@ SmmEntryPoint (
+ (UINT8 *) gSmmCorePrivate,
+ sizeof (*gSmmCorePrivate)
+ );
+- if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) || IsOverlapped) {
++ //
++ // Check for over or underflows
++ //
++ IsOverUnderflow = EFI_ERROR (SafeUintnSub (BufferSize, OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data), &BufferSize));
++
++ if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) ||
++ IsOverlapped || IsOverUnderflow)
++ {
+ //
+ // If CommunicationBuffer is not in valid address scope,
+ // or there is overlap between gSmmCorePrivate and CommunicationBuffer,
++ // or there is over or underflow,
+ // return EFI_INVALID_PARAMETER
+ //
+ gSmmCorePrivate->CommunicationBuffer = NULL;
+ gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED;
+ } else {
+ CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommunicationBuffer;
+- BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
+- Status = SmiManage (
+- &CommunicateHeader->HeaderGuid,
+- NULL,
+- CommunicateHeader->Data,
+- &BufferSize
+- );
++ // BufferSize was updated by the SafeUintnSub() call above.
++ Status = SmiManage (
++ &CommunicateHeader->HeaderGuid,
++ NULL,
++ CommunicateHeader->Data,
++ &BufferSize
++ );
+ //
+ // Update CommunicationBuffer, BufferSize and ReturnStatus
+ // Communicate service finished, reset the pointer to CommBuffer to NULL
+diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h
+index 71422b9dfc..b8a490a8c3 100644
+--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h
++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h
+@@ -54,6 +54,7 @@
+ #include <Library/PerformanceLib.h>
+ #include <Library/HobLib.h>
+ #include <Library/SmmMemLib.h>
++#include <Library/SafeIntLib.h>
+
+ #include "PiSmmCorePrivateData.h"
+ #include "HeapGuard.h"
+diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf
+index c8bfae3860..3df44b38f1 100644
+--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf
++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf
+@@ -60,6 +60,7 @@
+ PerformanceLib
+ HobLib
+ SmmMemLib
++ SafeIntLib
+
+ [Protocols]
+ gEfiDxeSmmReadyToLockProtocolGuid ## UNDEFINED # SmiHandlerRegister
+diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
+index 4f00cebaf5..fbba868fd0 100644
+--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
+@@ -34,8 +34,8 @@
+ #include <Library/UefiRuntimeLib.h>
+ #include <Library/PcdLib.h>
+ #include <Library/ReportStatusCodeLib.h>
+-
+ #include "PiSmmCorePrivateData.h"
++#include <Library/SafeIntLib.h>
+
+ #define SMRAM_CAPABILITIES (EFI_MEMORY_WB | EFI_MEMORY_UC)
+
+@@ -1354,6 +1354,7 @@ SmmSplitSmramEntry (
+ @param[in] ReservedRangeToCompare Pointer to EFI_SMM_RESERVED_SMRAM_REGION to compare.
+
+ @retval TRUE There is overlap.
++ @retval TRUE Math error.
+ @retval FALSE There is no overlap.
+
+ **/
+@@ -1353,11 +1354,29 @@ SmmIsSmramOverlap (
+ IN EFI_SMM_RESERVED_SMRAM_REGION *ReservedRangeToCompare
+ )
+ {
+- UINT64 RangeToCompareEnd;
+- UINT64 ReservedRangeToCompareEnd;
+-
+- RangeToCompareEnd = RangeToCompare->CpuStart + RangeToCompare->PhysicalSize;
+- ReservedRangeToCompareEnd = ReservedRangeToCompare->SmramReservedStart + ReservedRangeToCompare->SmramReservedSize;
++ UINT64 RangeToCompareEnd;
++ UINT64 ReservedRangeToCompareEnd;
++ BOOLEAN IsOverUnderflow1;
++ BOOLEAN IsOverUnderflow2;
++
++ // Check for over or underflow.
++ IsOverUnderflow1 = EFI_ERROR (
++ SafeUint64Add (
++ (UINT64)RangeToCompare->CpuStart,
++ RangeToCompare->PhysicalSize,
++ &RangeToCompareEnd
++ )
++ );
++ IsOverUnderflow2 = EFI_ERROR (
++ SafeUint64Add (
++ (UINT64)ReservedRangeToCompare->SmramReservedStart,
++ ReservedRangeToCompare->SmramReservedSize,
++ &ReservedRangeToCompareEnd
++ )
++ );
++ if (IsOverUnderflow1 || IsOverUnderflow2) {
++ return TRUE;
++ }
+
+ if ((RangeToCompare->CpuStart >= ReservedRangeToCompare->SmramReservedStart) &&
+ (RangeToCompare->CpuStart < ReservedRangeToCompareEnd)) {
+diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
+index 6109d6b544..ddeb39cee2 100644
+--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
+@@ -46,6 +46,7 @@
+ DxeServicesLib
+ PcdLib
+ ReportStatusCodeLib
++ SafeIntLib
+
+ [Protocols]
+ gEfiSmmBase2ProtocolGuid ## PRODUCES
+--
+2.27.0
+
diff --git a/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch b/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
new file mode 100644
index 0000000..99ddb6f
--- /dev/null
+++ b/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
@@ -0,0 +1,43 @@
+From a114dc3c9af48a8f8ed22e738944a9c3e830a088 Mon Sep 17 00:00:00 2001
+From Shao Denghui <shaodenghui@huawei.com>
+Date: Mon, 20 Feb 2023 21:59:31 +0800
+Subject: [PATCH] [PATCH] Avoid dangling ptrs in header and data params for
+ PEM_read_bio_ex In the event of a failure in PEM_read_bio_ex() we free the
+ buffers we allocated for the header and data buffers. However we were not
+ clearing the ptrs stored in *header and *data. Since, on success, the caller
+ is responsible for freeing these ptrs this can potentially lead to a double
+ free if the caller frees them even on failure.
+
+Thanks to Dawei Wang for reporting this issue.
+
+Based on a proposed patch by Kurt Roeckx.
+
+CVE-2022-4450
+
+Reference: https://github.com/openssl/openssl/commit/ee6243f3947107d655f6dee96f63861561a5aaeb
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+
+Signed-off-by: Shao Denghui <shaodenghui@huawei.com>
+---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c
+index 64baf71..6c7c4fe 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c
+@@ -940,7 +940,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
+ *data = pem_malloc(len, flags);
+ if (*header == NULL || *data == NULL) {
+ pem_free(*header, flags, 0);
++ *header = NULL;
+ pem_free(*data, flags, 0);
++ *data = NULL;
+ goto end;
+ }
+ BIO_read(headerB, *header, headerlen);
+--
+2.27.0
+
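Review bot: In the `SmmEntryPoint` hunk of PiSmmCore.c, `SafeUintnSub` writes the header-stripped length back into `BufferSize` before `SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize)` runs, so the range check still starts at the buffer base but now covers `OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)` fewer bytes than before, while `CommunicateHeader->Data` with that same length ends at the original end of the buffer. Keeping the two sizes apart would validate the whole buffer: declare `UINTN DataSize;`, use `IsOverUnderflow = EFI_ERROR (SafeUintnSub (BufferSize, OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data), &DataSize));` and pass `&DataSize` to `SmiManage`. The code after the `SmiManage` call that writes the size back is outside the hunk and would have to follow the same variable. The comment in the rejection branch still says `EFI_INVALID_PARAMETER` while the code sets `EFI_ACCESS_DENIED`.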
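Review bot: The two assignments added to the failure branch of `PEM_read_bio_ex` carry no comment, and their purpose is not obvious from the code alone; I would add `/* leave *header and *data NULL on failure so a caller that frees them anyway cannot double-free */` above `pem_free(*header, flags, 0);`. The `BIO_read(headerB, *header, headerlen);` call on the context line right after the branch does not use its return value, so a short read would go unnoticed at that point; the function continues outside the hunk, so whether this is checked later cannot be seen here.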
diff --git a/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch b/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
new file mode 100644
index 0000000..9852ad6
--- /dev/null
+++ b/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
@@ -0,0 +1,57 @@ +From 7dd5a23212e3c7bf25a9cd7689681beb89b2d20f Mon Sep 17 00:00:00 2001 +From Shao Denghui <shaodenghui@huawei.com> +Date: Tue, 21 Feb 2023 20:12:59 +0800 +Subject: [PATCH] [PATCH] pk7_doit.c: Check return of BIO_set_md() calls + +These calls invoke EVP_DigestInit() which can fail for digests +with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write() +or EVP_DigestFinal() from BIO_read() will segfault on NULL +dereference. This can be triggered by an attacker providing +PKCS7 data digested with MD4 for example if the legacy provider +is not loaded. + +If BIO_set_md() fails the md BIO cannot be used. + +CVE-2023-0401 + +Reference: https://github.com/openssl/openssl/commit/6eebe6c0238178356114a96a7858f36b24172847 + +Reviewed-by: Paul Dale <pauli@openssl.org> +Reviewed-by: Richard Levitte <levitte@openssl.org> + +Signed-off-by: Shao Denghui <shaodenghui@huawei.com> +--- + .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c +index f63fbc5..bbfcf27 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c +@@ -67,7 +67,10 @@ static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg) + goto err; + } + +- BIO_set_md(btmp, md); ++ if (BIO_set_md(btmp, md) <= 0) { ++ PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB); ++ goto err; ++ } + if (*pbio == NULL) + *pbio = btmp; + else if (!BIO_push(*pbio, btmp)) { +@@ -454,7 +457,10 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) + goto err; + } + +- BIO_set_md(btmp, evp_md); ++ if (BIO_set_md(btmp, evp_md) <= 0) { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB); ++ goto err; ++ } + if (out == NULL) + out = btmp; + else +-- +2.27.0 + 
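Review bot: The commit text justifies both `BIO_set_md()` checks with implicit fetches and an unloaded legacy provider, which are OpenSSL 3.x mechanisms, while this import carries an `openssl-1.1.1f` tarball; whether CVE-2023-0401 is reachable in this tree should be confirmed before it is recorded as fixed here rather than as hardening. The checks themselves are sound, and a short comment at each site, for example `/* if BIO_set_md() fails the md BIO cannot be used */`, would keep the reason next to the code. Both new branches `goto err` while `btmp` is not yet attached to `*pbio` or `out`; the `err:` labels of PKCS7_bio_add_digest() and PKCS7_dataDecode() lie outside the hunks, so confirm they free `btmp`.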
diff --git a/0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch b/0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
new file mode 100644
index 0000000..0c51792
--- /dev/null
+++ b/0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
@@ -0,0 +1,106 @@
+From 93bb2a5f1df1617502c24f287ea4e5ca351aef95 Mon Sep 17 00:00:00 2001
+From: chenhuiying <chenhuiying4@huawei.com>
+Date: Sat, 25 Feb 2023 15:05:15 +0800
+Subject: [PATCH] Fix a UAF resulting from a bug in BIO_new_NDEF
+
+If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
+be part of an invalid BIO chain. This causes a "use after free" when the
+BIO is eventually freed.
+
+Based on an original patch by Viktor Dukhovni and an idea from Theo
+Buehler.
+
+Thanks to Octavio Galland for reporting this issue.
+
+REF: https://github.com/openssl/openssl/commit/c3829dd8825c654652201e16f8a0a0c46ee3f344
+Signed-off-by: chenhuiying <chenhuiying4@huawei.com>
+---
+ .../OpensslLib/openssl/crypto/asn1/bio_ndef.c | 39 +++++++++++++++----
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c
+index 6222c99..cf52468 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c
+@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
+ static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
+ void *parg);
+
++/*
++ * On success, the returned BIO owns the input BIO as part of its BIO chain.
++ * On failure, NULL is returned and the input BIO is owned by the caller.
++ *
++ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
++ */
+ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ {
+ NDEF_SUPPORT *ndef_aux = NULL;
+ BIO *asn_bio = NULL;
+ const ASN1_AUX *aux = it->funcs;
+ ASN1_STREAM_ARG sarg;
++ BIO *pop_bio = NULL;
+
+ if (!aux || !aux->asn1_cb) {
+ ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
+@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ out = BIO_push(asn_bio, out);
+ if (out == NULL)
+ goto err;
++ pop_bio = asn_bio;
+
+- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
+- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
++ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
++ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
++ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
++ goto err;
+
+ /*
+- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
+- * needs.
++ * Now let the callback prepend any digest, cipher, etc., that the BIO's
++ * ASN1 structure needs.
+ */
+
+ sarg.out = out;
+ sarg.ndef_bio = NULL;
+ sarg.boundary = NULL;
+
+- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
++ /*
++ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
++ * middle of some partially built, but not returned BIO chain.
++ */
++ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
++ /*
++ * ndef_aux is now owned by asn_bio so we must not free it in the err
++ * clean up block
++ */
++ ndef_aux = NULL;
+ goto err;
++ }
++
++ /*
++ * We must not fail now because the callback has prepended additional
++ * BIOs to the chain
++ */
+
+ ndef_aux->val = val;
+ ndef_aux->it = it;
+@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ ndef_aux->boundary = sarg.boundary;
+ ndef_aux->out = out;
+
+- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
+-
+ return sarg.ndef_bio;
+
+ err:
++ /* BIO_pop() is NULL safe */
++ (void)BIO_pop(pop_bio);
+ BIO_free(asn_bio);
+ OPENSSL_free(ndef_aux);
+ return NULL;
+--
+2.27.0
+
diff --git a/0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch b/0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
new file mode 100644
index 0000000..f42b436
--- /dev/null
+++ b/0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
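Review bot: On the `asn1_cb()` failure path the new code sets `ndef_aux = NULL` because it is "now owned by asn_bio", so that allocation is released only if `BIO_free(asn_bio)` also disposes of the argument registered through `BIO_C_SET_EX_ARG`. That cleanup belongs to the ASN1 BIO's own free routine, which this patch does not touch and which is not visible here. If the 1.1.1f copy vendored in this tree does not run the prefix/suffix free callbacks when the BIO is freed, this path would exchange the use-after-free for a leak of `ndef_aux`. The ownership comment would be safer if it named the routine that performs the free, for example `/* ndef_aux is released by asn_bio's free callback (ndef_suffix_free), not here */`, once that has been confirmed against the vendored source.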
@@ -0,0 +1,79 @@ +From cb81a80d059f41b0930fcc36c36a155244f3873a Mon Sep 17 00:00:00 2001 +From: chenhuiying <chenhuiying4@huawei.com> +Date: Sat, 25 Feb 2023 16:18:41 +0800 +Subject: [PATCH] Check CMS failure during BIO setup with -stream is handled correctly + +Test for the issue fixed in the previous commit + +REF:https://github.com/openssl/openssl/commit/f040f2577891d2bdb7610566c172233844cf673a +Signed-off-by: chenhuiying <chenhuiying4@huawei.com> +--- + .../openssl/test/recipes/80-test_cms.t | 15 +++++++++++++-- + .../openssl/test/smime-certs/badrsa.pem | 18 ++++++++++++++++++ + 2 files changed, 31 insertions(+), 2 deletions(-) + create mode 100644 CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t +index 5dc6a3a..ec11bfc 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t ++++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t +@@ -13,7 +13,7 @@ use warnings; + use POSIX; + use File::Spec::Functions qw/catfile/; + use File::Compare qw/compare_text/; +-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/; ++use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/; + use OpenSSL::Test::Utils; + + setup("test_cms"); +@@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt"); + my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) + = disabled qw/des dh dsa ec ec2m rc2 zlib/; + +-plan tests => 6; ++plan tests => 7; + + my @smime_pkcs7_tests = ( + +@@ -584,3 +584,14 @@ sub check_availability { + + return ""; + } ++ ++# Check that we get the expected failure return code ++with({ exit_checker => sub { return shift == 6; } }, ++ sub { ++ ok(run(app(['openssl', 'cms', '-encrypt', ++ '-in', srctop_file("test", "smcont.txt"), ++ '-stream', '-recip', ++ srctop_file("test/smime-certs", "badrsa.pem"), ++ ])), ++ "Check failure during BIO setup with 
-stream is handled correctly"); ++ }); +diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem +new file mode 100644 +index 0000000..f824fc2 +--- /dev/null ++++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem +@@ -0,0 +1,18 @@ ++-----BEGIN CERTIFICATE----- ++MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD ++VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY ++DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN ++AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw ++I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A ++/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s ++yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0 ++zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB ++lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww ++CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm ++ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW ++eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt ++5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d ++rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv ++yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/ ++j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg= ++-----END CERTIFICATE----- +-- +2.27.0 + diff --git a/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch b/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch new file mode 100644 index 0000000..e670922 --- /dev/null +++ b/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch 
@@ -0,0 +1,102 @@ +From fe9395b9fe1507236eafd147dc0cd4a8c9bf1fe6 Mon Sep 17 00:00:00 2001 +From: chenhuiying <chenhuiying4@huawei.com> +Date: Sat, 25 Feb 2023 17:54:23 +0800 +Subject: [PATCH] Correctly compare EdiPartyName in GENERAL_NAME_cmp() + +If a GENERAL_NAME field contained EdiPartyName data then it was +incorrectly being handled as type "other". This could lead to a +segmentation fault. + +Many thanks to David Benjamin from Google for reporting this issue. + +CVE-2020-1971 + +reference: https://github.com/openssl/openssl/commit/f960d81215ebf3f65e03d4d5d857fb9b666d6920 +Signed-off-by: chenhuiying <chenhuiying4@huawei.com> +--- + .../openssl/crypto/x509v3/v3_genn.c | 45 +++++++++++++++++-- + 1 file changed, 42 insertions(+), 3 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c +index 23e3bc4..23778e2 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c +@@ -57,6 +57,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a) + (char *)a); + } + ++static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) ++{ ++ int res; ++ ++ if (a == NULL || b == NULL) { ++ /* ++ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it ++ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here ++ */ ++ return -1; ++ } ++ if (a->nameAssigner == NULL && b->nameAssigner != NULL) ++ return -1; ++ if (a->nameAssigner != NULL && b->nameAssigner == NULL) ++ return 1; ++ /* If we get here then both have nameAssigner set, or both unset */ ++ if (a->nameAssigner != NULL) { ++ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner); ++ if (res != 0) ++ return res; ++ } ++ /* ++ * partyName is required, so these should never be NULL. 
We treat it in ++ * the same way as the a == NULL || b == NULL case above ++ */ ++ if (a->partyName == NULL || b->partyName == NULL) ++ return -1; ++ ++ return ASN1_STRING_cmp(a->partyName, b->partyName); ++} ++ + /* Returns 0 if they are equal, != 0 otherwise. */ + int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + { +@@ -66,8 +97,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + return -1; + switch (a->type) { + case GEN_X400: ++ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); ++ break; ++ + case GEN_EDIPARTY: +- result = ASN1_TYPE_cmp(a->d.other, b->d.other); ++ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName); + break; + + case GEN_OTHERNAME: +@@ -114,8 +148,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) + { + switch (type) { + case GEN_X400: ++ a->d.x400Address = value; ++ break; ++ + case GEN_EDIPARTY: +- a->d.other = value; ++ a->d.ediPartyName = value; + break; + + case GEN_OTHERNAME: +@@ -149,8 +186,10 @@ void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype) + *ptype = a->type; + switch (a->type) { + case GEN_X400: ++ return a->d.x400Address; ++ + case GEN_EDIPARTY: +- return a->d.other; ++ return a->d.ediPartyName; + + case GEN_OTHERNAME: + return a->d.otherName; +-- +2.27.0 + diff --git a/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch b/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch new file mode 100644 index 0000000..24e3c8a --- /dev/null +++ b/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch 
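Review bot: `edipartyname_cmp()` returns -1 whenever either argument or either `partyName` is NULL, whichever side that is, while the `nameAssigner` branches return -1 or 1 as if the sign carried an order. The result is therefore usable only as equal / not equal, which matches the existing `/* Returns 0 if they are equal, != 0 otherwise. */` on GENERAL_NAME_cmp() but is not stated on the helper; a header comment such as `/* Returns 0 if equal, non-zero otherwise; the sign is not an ordering. */` would stop a later caller from sorting with it. The `GEN_X400` case added in the same hunk still compares with `ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address)`, and it is patch 0028 further down this page that switches it to `ASN1_STRING_cmp`, so 0027 should not be carried without 0028.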
@@ -0,0 +1,41 @@
+From 7553d2119f3c899f779eaacafff63feaa843814a Mon Sep 17 00:00:00 2001
+From: s00803682 <shaodenghui@huawei.com>
+Date: Sat, 25 Feb 2023 18:22:13 +0800
+Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
+
+REF: https://github.com/openssl/openssl/commit/2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9
+Signed-off-by: chenhuiying <chenhuiying4@huawei.com>
+---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c | 2 +-
+ CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
+index 23778e2..12ce733 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
+@@ -97,7 +97,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+ return -1;
+ switch (a->type) {
+ case GEN_X400:
+- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
+ break;
+
+ case GEN_EDIPARTY:
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h
+index 6c6eca3..b80438d 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h
+@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
+ OTHERNAME *otherName; /* otherName */
+ ASN1_IA5STRING *rfc822Name;
+ ASN1_IA5STRING *dNSName;
+- ASN1_TYPE *x400Address;
++ ASN1_STRING *x400Address;
+ X509_NAME *directoryName;
+ EDIPARTYNAME *ediPartyName;
+ ASN1_IA5STRING *uniformResourceIdentifier;
+--
+2.27.0
+
diff --git a/0029-Fix-Timing-Oracle-in-RSA-decryption.patch b/0029-Fix-Timing-Oracle-in-RSA-decryption.patch
new file mode 100644
index 0000000..3e57625
--- /dev/null
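Review bot: Changing the union member to `ASN1_STRING *x400Address;` in the public `x509v3.h` corrects the comparison, but nothing at the declaration explains the type and the accessors give no compile-time help. `GENERAL_NAME_set0_value()` stores a `void *value` into `a->d.x400Address` and `GENERAL_NAME_get0_value()` hands it back as `void *` (both visible in patch 0027 on this page), so a caller that still passes or expects an `ASN1_TYPE` for `GEN_X400` builds cleanly and then misreads the object. Call sites in the firmware tree that touch `GEN_X400` values therefore need a manual audit alongside this patch. A comment on the member, for example `ASN1_STRING *x400Address; /* an ASN1_STRING, never an ASN1_TYPE: see GENERAL_NAME_cmp() */`, would record the constraint.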
+++ b/0029-Fix-Timing-Oracle-in-RSA-decryption.patch @@ -0,0 +1,834 @@ +From df422474e4e7e2f380840eeb9d6e466312fe0879 Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Fri, 20 Jan 2023 15:26:54 +0000 +Subject: [PATCH] Fix Timing Oracle in RSA decryption + +A timing based side channel exists in the OpenSSL RSA Decryption +implementation which could be sufficient to recover a plaintext across +a network in a Bleichenbacher style attack. To achieve a successful +decryption an attacker would have to be able to send a very large number +of trial messages for decryption. The vulnerability affects all RSA +padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. + +Patch written by Dmitry Belyavsky and Hubert Kario + +CVE-2022-4304 + +Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> +Reviewed-by: Tomas Mraz <tomas@openssl.org> + +reference: https://github.com/openssl/openssl/pull/20284 +Signed-off-by: yexiao <yexiao7@huawei.com> +--- + CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 + + .../Library/OpensslLib/OpensslLibCrypto.inf | 1 + + .../OpensslLib/openssl/crypto/bn/bn_blind.c | 14 - + .../OpensslLib/openssl/crypto/bn/bn_err.c | 2 + + .../OpensslLib/openssl/crypto/bn/bn_local.h | 14 + + .../OpensslLib/openssl/crypto/bn/build.info | 3 +- + .../openssl/crypto/bn/rsa_sup_mul.c | 614 ++++++++++++++++++ + .../OpensslLib/openssl/crypto/err/openssl.txt | 3 +- + .../OpensslLib/openssl/crypto/rsa/rsa_ossl.c | 17 +- + .../OpensslLib/openssl/include/crypto/bn.h | 5 + + .../openssl/include/openssl/bnerr.h | 1 + + 11 files changed, 655 insertions(+), 20 deletions(-) + create mode 100644 CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c + +diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf +index b00bb74..ec5be59 100644 +--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf ++++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf +@@ -155,6 +155,7 @@ + $(OPENSSL_PATH)/crypto/bn/bn_sqr.c
+ $(OPENSSL_PATH)/crypto/bn/bn_sqrt.c
+ $(OPENSSL_PATH)/crypto/bn/bn_srp.c
++ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
+ $(OPENSSL_PATH)/crypto/bn/bn_word.c
+ $(OPENSSL_PATH)/crypto/bn/bn_x931p.c
+ $(OPENSSL_PATH)/crypto/buffer/buf_err.c
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +index 3557711..ee68e48 100644 +--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf ++++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +@@ -155,6 +155,7 @@ + $(OPENSSL_PATH)/crypto/bn/bn_sqr.c
+ $(OPENSSL_PATH)/crypto/bn/bn_sqrt.c
+ $(OPENSSL_PATH)/crypto/bn/bn_srp.c
++ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
+ $(OPENSSL_PATH)/crypto/bn/bn_word.c
+ $(OPENSSL_PATH)/crypto/bn/bn_x931p.c
+ $(OPENSSL_PATH)/crypto/buffer/buf_err.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c +index 76fc7eb..6e9d239 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c +@@ -13,20 +13,6 @@ + + #define BN_BLINDING_COUNTER 32 + +-struct bn_blinding_st { +- BIGNUM *A; +- BIGNUM *Ai; +- BIGNUM *e; +- BIGNUM *mod; /* just a reference */ +- CRYPTO_THREAD_ID tid; +- int counter; +- unsigned long flags; +- BN_MONT_CTX *m_ctx; +- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, +- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +- CRYPTO_RWLOCK *lock; +-}; +- + BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) + { + BN_BLINDING *ret = NULL; +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c +index dd87c15..3dd8d9a 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c +@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = { + {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"}, + {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"}, + {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"}, ++ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0), ++ "ossl_bn_rsa_do_unblind"}, + {0, NULL} + }; + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h +index 8ad69cc..0965135 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h +@@ -263,6 +263,20 @@ struct bn_gencb_st { + } cb; + }; + ++struct bn_blinding_st { ++ BIGNUM *A; ++ BIGNUM *Ai; ++ BIGNUM *e; ++ BIGNUM *mod; /* just a reference */ ++ CRYPTO_THREAD_ID tid; ++ int counter; ++ unsigned long flags; ++ BN_MONT_CTX *m_ctx; 
++ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, ++ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); ++ CRYPTO_RWLOCK *lock; ++}; ++ + /*- + * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions + * +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info +index b9ed532..c9fe2fd 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info +@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\ + bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \ + {- $target{bn_asm_src} -} \ + bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ +- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c ++ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \ ++ rsa_sup_mul.c + + INCLUDE[bn_exp.o]=.. + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c +new file mode 100644 +index 0000000..acafefd +--- /dev/null ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c +@@ -0,0 +1,614 @@ ++#include <openssl/e_os2.h> ++#include <stddef.h> ++#include <sys/types.h> ++#include <string.h> ++#include <openssl/bn.h> ++#include <openssl/err.h> ++#include <openssl/rsaerr.h> ++#include "internal/numbers.h" ++#include "internal/constant_time.h" ++#include "bn_local.h" ++ ++# if BN_BYTES == 8 ++typedef uint64_t limb_t; ++# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 ++/* nonstandard; implemented by gcc on 64-bit platforms */ ++typedef __uint128_t limb2_t; ++# define HAVE_LIMB2_T ++# endif ++# define LIMB_BIT_SIZE 64 ++# define LIMB_BYTE_SIZE 8 ++# elif BN_BYTES == 4 ++typedef uint32_t limb_t; ++typedef uint64_t limb2_t; ++# define LIMB_BIT_SIZE 32 ++# define LIMB_BYTE_SIZE 4 ++# define HAVE_LIMB2_T ++# else ++# error "Not supported" ++# endif ++ ++/* ++ * For multiplication 
we're using schoolbook multiplication, ++ * so if we have two numbers, each with 6 "digits" (words) ++ * the multiplication is calculated as follows: ++ * A B C D E F ++ * x I J K L M N ++ * -------------- ++ * N*F ++ * N*E ++ * N*D ++ * N*C ++ * N*B ++ * N*A ++ * M*F ++ * M*E ++ * M*D ++ * M*C ++ * M*B ++ * M*A ++ * L*F ++ * L*E ++ * L*D ++ * L*C ++ * L*B ++ * L*A ++ * K*F ++ * K*E ++ * K*D ++ * K*C ++ * K*B ++ * K*A ++ * J*F ++ * J*E ++ * J*D ++ * J*C ++ * J*B ++ * J*A ++ * I*F ++ * I*E ++ * I*D ++ * I*C ++ * I*B ++ * + I*A ++ * ========================== ++ * N*B N*D N*F ++ * + N*A N*C N*E ++ * + M*B M*D M*F ++ * + M*A M*C M*E ++ * + L*B L*D L*F ++ * + L*A L*C L*E ++ * + K*B K*D K*F ++ * + K*A K*C K*E ++ * + J*B J*D J*F ++ * + J*A J*C J*E ++ * + I*B I*D I*F ++ * + I*A I*C I*E ++ * ++ * 1+1 1+3 1+5 ++ * 1+0 1+2 1+4 ++ * 0+1 0+3 0+5 ++ * 0+0 0+2 0+4 ++ * ++ * 0 1 2 3 4 5 6 ++ * which requires n^2 multiplications and 2n full length additions ++ * as we can keep every other result of limb multiplication in two separate ++ * limbs ++ */ ++ ++#if defined HAVE_LIMB2_T ++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) ++{ ++ limb2_t t; ++ /* ++ * this is idiomatic code to tell compiler to use the native mul ++ * those three lines will actually compile to single instruction ++ */ ++ ++ t = (limb2_t)a * b; ++ *hi = t >> LIMB_BIT_SIZE; ++ *lo = (limb_t)t; ++} ++#elif (BN_BYTES == 8) && (defined _MSC_VER) ++/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ ++#pragma intrinsic(_umul128) ++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) ++{ ++ *lo = _umul128(a, b, hi); ++} ++#else ++/* ++ * if the compiler doesn't have either a 128bit data type nor a "return ++ * high 64 bits of multiplication" ++ */ ++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) ++{ ++ limb_t a_low = (limb_t)(uint32_t)a; ++ limb_t a_hi = a >> 32; ++ limb_t b_low = (limb_t)(uint32_t)b; ++ 
limb_t b_hi = b >> 32; ++ ++ limb_t p0 = a_low * b_low; ++ limb_t p1 = a_low * b_hi; ++ limb_t p2 = a_hi * b_low; ++ limb_t p3 = a_hi * b_hi; ++ ++ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); ++ ++ *lo = p0 + (p1 << 32) + (p2 << 32); ++ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; ++} ++#endif ++ ++/* add two limbs with carry in, return carry out */ ++static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) ++{ ++ limb_t carry1, carry2, t; ++ /* ++ * `c = a + b; if (c < a)` is idiomatic code that makes compilers ++ * use add with carry on assembly level ++ */ ++ ++ *ret = a + carry; ++ if (*ret < a) ++ carry1 = 1; ++ else ++ carry1 = 0; ++ ++ t = *ret; ++ *ret = t + b; ++ if (*ret < t) ++ carry2 = 1; ++ else ++ carry2 = 0; ++ ++ return carry1 + carry2; ++} ++ ++/* ++ * add two numbers of the same size, return overflow ++ * ++ * add a to b, place result in ret; all arrays need to be n limbs long ++ * return overflow from addition (0 or 1) ++ */ ++static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) ++{ ++ limb_t c = 0; ++ ossl_ssize_t i; ++ ++ for(i = n - 1; i > -1; i--) ++ c = _add_limb(&ret[i], a[i], b[i], c); ++ ++ return c; ++} ++ ++/* ++ * return number of limbs necessary for temporary values ++ * when multiplying numbers n limbs large ++ */ ++static ossl_inline size_t mul_limb_numb(size_t n) ++{ ++ return 2 * n * 2; ++} ++ ++/* ++ * multiply two numbers of the same size ++ * ++ * multiply a by b, place result in ret; a and b need to be n limbs long ++ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs ++ * long ++ */ ++static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) ++{ ++ limb_t *r_odd, *r_even; ++ size_t i, j, k; ++ ++ r_odd = tmp; ++ r_even = &tmp[2 * n]; ++ ++ memset(ret, 0, 2 * n * sizeof(limb_t)); ++ ++ for (i = 0; i < n; i++) { ++ for (k = 0; k < i + n + 1; k++) { ++ r_even[k] = 0; ++ r_odd[k] = 0; ++ } ++ for (j = 0; j < n; 
j++) { ++ /* ++ * place results from even and odd limbs in separate arrays so that ++ * we don't have to calculate overflow every time we get individual ++ * limb multiplication result ++ */ ++ if (j % 2 == 0) ++ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); ++ else ++ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); ++ } ++ /* ++ * skip the least significant limbs when adding multiples of ++ * more significant limbs (they're zero anyway) ++ */ ++ add(ret, ret, r_even, n + i + 1); ++ add(ret, ret, r_odd, n + i + 1); ++ } ++} ++ ++/* modifies the value in place by performing a right shift by one bit */ ++static ossl_inline void rshift1(limb_t *val, size_t n) ++{ ++ limb_t shift_in = 0, shift_out = 0; ++ size_t i; ++ ++ for (i = 0; i < n; i++) { ++ shift_out = val[i] & 1; ++ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); ++ shift_in = shift_out; ++ } ++} ++ ++/* extend the LSB of flag to all bits of limb */ ++static ossl_inline limb_t mk_mask(limb_t flag) ++{ ++ flag |= flag << 1; ++ flag |= flag << 2; ++ flag |= flag << 4; ++ flag |= flag << 8; ++ flag |= flag << 16; ++#if (LIMB_BYTE_SIZE == 8) ++ flag |= flag << 32; ++#endif ++ return flag; ++} ++ ++/* ++ * copy from either a or b to ret based on flag ++ * when flag == 0, then copies from b ++ * when flag == 1, then copies from a ++ */ ++static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) ++{ ++ /* ++ * would be more efficient with non volatile mask, but then gcc ++ * generates code with jumps ++ */ ++ volatile limb_t mask; ++ size_t i; ++ ++ mask = mk_mask(flag); ++ for (i = 0; i < n; i++) { ++#if (LIMB_BYTE_SIZE == 8) ++ ret[i] = constant_time_select_64(mask, a[i], b[i]); ++#else ++ ret[i] = constant_time_select_32(mask, a[i], b[i]); ++#endif ++ } ++} ++ ++static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) ++{ ++ limb_t borrow1, borrow2, t; ++ /* ++ * while it doesn't look constant-time, this is idiomatic code ++ * to tell 
compilers to use the carry bit from subtraction ++ */ ++ ++ *ret = a - borrow; ++ if (*ret > a) ++ borrow1 = 1; ++ else ++ borrow1 = 0; ++ ++ t = *ret; ++ *ret = t - b; ++ if (*ret > t) ++ borrow2 = 1; ++ else ++ borrow2 = 0; ++ ++ return borrow1 + borrow2; ++} ++ ++/* ++ * place the result of a - b into ret, return the borrow bit. ++ * All arrays need to be n limbs long ++ */ ++static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) ++{ ++ limb_t borrow = 0; ++ ossl_ssize_t i; ++ ++ for (i = n - 1; i > -1; i--) ++ borrow = _sub_limb(&ret[i], a[i], b[i], borrow); ++ ++ return borrow; ++} ++ ++/* return the number of limbs necessary to allocate for the mod() tmp operand */ ++static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) ++{ ++ return (anum + modnum) * 3; ++} ++ ++/* ++ * calculate a % mod, place the result in ret ++ * size of a is defined by anum, size of ret and mod is modnum, ++ * size of tmp is returned by mod_limb_numb() ++ */ ++static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, ++ size_t modnum, limb_t *tmp) ++{ ++ limb_t *atmp, *modtmp, *rettmp; ++ limb_t res; ++ size_t i; ++ ++ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); ++ ++ atmp = tmp; ++ modtmp = &tmp[anum + modnum]; ++ rettmp = &tmp[(anum + modnum) * 2]; ++ ++ for (i = modnum; i <modnum + anum; i++) ++ atmp[i] = a[i-modnum]; ++ ++ for (i = 0; i < modnum; i++) ++ modtmp[i] = mod[i]; ++ ++ for (i = 0; i < anum * LIMB_BIT_SIZE; i++) { ++ rshift1(modtmp, anum + modnum); ++ res = sub(rettmp, atmp, modtmp, anum+modnum); ++ cselect(res, atmp, atmp, rettmp, anum+modnum); ++ } ++ ++ memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum); ++} ++ ++/* necessary size of tmp for a _mul_add_limb() call with provided anum */ ++static ossl_inline size_t _mul_add_limb_numb(size_t anum) ++{ ++ return 2 * (anum + 1); ++} ++ ++/* multiply a by m, add to ret, return carry */ ++static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum, ++ limb_t m, limb_t *tmp) 
++{ ++ limb_t carry = 0; ++ limb_t *r_odd, *r_even; ++ size_t i; ++ ++ memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2); ++ ++ r_odd = tmp; ++ r_even = &tmp[anum + 1]; ++ ++ for (i = 0; i < anum; i++) { ++ /* ++ * place the results from even and odd limbs in separate arrays ++ * so that we have to worry about carry just once ++ */ ++ if (i % 2 == 0) ++ _mul_limb(&r_even[i], &r_even[i + 1], a[i], m); ++ else ++ _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m); ++ } ++ /* assert: add() carry here will be equal zero */ ++ add(r_even, r_even, r_odd, anum + 1); ++ /* ++ * while here it will not overflow as the max value from multiplication ++ * is -2 while max overflow from addition is 1, so the max value of ++ * carry is -1 (i.e. max int) ++ */ ++ carry = add(ret, ret, &r_even[1], anum) + r_even[0]; ++ ++ return carry; ++} ++ ++static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum) ++{ ++ return modnum * 2 + _mul_add_limb_numb(modnum); ++} ++ ++/* ++ * calculate a % mod, place result in ret ++ * assumes that a is in Montgomery form with the R (Montgomery modulus) being ++ * smallest power of two big enough to fit mod and that's also a power ++ * of the count of number of bits in limb_t (B). ++ * For calculation, we also need n', such that mod * n' == -1 mod B. 
++ * anum must be <= 2 * modnum ++ * ret needs to be modnum words long ++ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long ++ */ ++static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, ++ size_t modnum, limb_t ni0, limb_t *tmp) ++{ ++ limb_t carry, v; ++ limb_t *res, *rp, *tmp2; ++ ossl_ssize_t i; ++ ++ res = tmp; ++ /* ++ * for intermediate result we need an integer twice as long as modulus ++ * but keep the input in the least significant limbs ++ */ ++ memset(res, 0, sizeof(limb_t) * (modnum * 2)); ++ memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum); ++ rp = &res[modnum]; ++ tmp2 = &res[modnum * 2]; ++ ++ carry = 0; ++ ++ /* add multiples of the modulus to the value until R divides it cleanly */ ++ for (i = modnum; i > 0; i--, rp--) { ++ v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2); ++ v = v + carry + rp[-1]; ++ carry |= (v != rp[-1]); ++ carry &= (v <= rp[-1]); ++ rp[-1] = v; ++ } ++ ++ /* perform the final reduction by mod... 
*/ ++ carry -= sub(ret, rp, mod, modnum); ++ ++ /* ...conditionally */ ++ cselect(carry, ret, rp, ret, modnum); ++} ++ ++/* allocated buffer should be freed afterwards */ ++static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) ++{ ++ int i; ++ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; ++ limb_t *ptr = buf + (limbs - real_limbs); ++ ++ for (i = 0; i < real_limbs; i++) ++ ptr[i] = bn->d[real_limbs - i - 1]; ++} ++ ++#if LIMB_BYTE_SIZE == 8 ++static ossl_inline uint64_t be64(uint64_t host) ++{ ++ const union { ++ long one; ++ char little; ++ } is_endian = { 1 }; ++ ++ if (is_endian.little) { ++ uint64_t big = 0; ++ ++ big |= (host & 0xff00000000000000) >> 56; ++ big |= (host & 0x00ff000000000000) >> 40; ++ big |= (host & 0x0000ff0000000000) >> 24; ++ big |= (host & 0x000000ff00000000) >> 8; ++ big |= (host & 0x00000000ff000000) << 8; ++ big |= (host & 0x0000000000ff0000) << 24; ++ big |= (host & 0x000000000000ff00) << 40; ++ big |= (host & 0x00000000000000ff) << 56; ++ return big; ++ } else { ++ return host; ++ } ++} ++ ++#else ++/* Not all platforms have htobe32(). */ ++static ossl_inline uint32_t be32(uint32_t host) ++{ ++ const union { ++ long one; ++ char little; ++ } is_endian = { 1 }; ++ ++ if (is_endian.little) { ++ uint32_t big = 0; ++ ++ big |= (host & 0xff000000) >> 24; ++ big |= (host & 0x00ff0000) >> 8; ++ big |= (host & 0x0000ff00) << 8; ++ big |= (host & 0x000000ff) << 24; ++ return big; ++ } else { ++ return host; ++ } ++} ++#endif ++ ++/* ++ * We assume that intermediate, possible_arg2, blinding, and ctx are used ++ * similar to BN_BLINDING_invert_ex() arguments. ++ * to_mod is RSA modulus. ++ * buf and num is the serialization buffer and its length. ++ * ++ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished ++ * we serialize the new structure instead of BIGNUMs taking endianness into account. 
++ */ ++int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, ++ const BN_BLINDING *blinding, ++ const BIGNUM *possible_arg2, ++ const BIGNUM *to_mod, BN_CTX *ctx, ++ unsigned char *buf, int num) ++{ ++ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; ++ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; ++ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; ++ size_t l_tmp_count = 0; ++ int ret = 0; ++ size_t i; ++ unsigned char *tmp; ++ const BIGNUM *arg1 = intermediate; ++ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; ++ ++ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; ++ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; ++ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; ++ ++ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; ++ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); ++ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); ++ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); ++ ++ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) ++ goto err; ++ ++ BN_to_limb(arg1, l_im, l_size); ++ BN_to_limb(arg2, l_mul, l_size); ++ BN_to_limb(to_mod, l_mod, l_mod_count); ++ ++ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); ++ ++ if (blinding->m_ctx != NULL) { ++ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? ++ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); ++ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); ++ } else { ++ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? 
++ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); ++ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); ++ } ++ ++ if ((l_ret == NULL) || (l_tmp == NULL)) ++ goto err; ++ ++ if (blinding->m_ctx != NULL) { ++ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); ++ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, ++ blinding->m_ctx->n0[0], l_tmp); ++ } else { ++ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); ++ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); ++ } ++ ++ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ ++ if (num < BN_num_bytes(to_mod)) { ++ BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT); ++ goto err; ++ } ++ ++ memset(buf, 0, num); ++ tmp = buf + num - BN_num_bytes(to_mod); ++ for (i = 0; i < l_mod_count; i++) { ++#if LIMB_BYTE_SIZE == 8 ++ l_buf = be64(l_ret[i]); ++#else ++ l_buf = be32(l_ret[i]); ++#endif ++ if (i == 0) { ++ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); ++ ++ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); ++ tmp += delta; ++ } else { ++ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); ++ tmp += LIMB_BYTE_SIZE; ++ } ++ } ++ ret = num; ++ ++ err: ++ OPENSSL_free(l_im); ++ OPENSSL_free(l_mul); ++ OPENSSL_free(l_mod); ++ OPENSSL_free(l_tmp); ++ OPENSSL_free(l_ret); ++ ++ return ret; ++} +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt +index 35512f9..03d1640 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt +@@ -1,4 +1,4 @@ +-# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. ++# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. + # + # Licensed under the OpenSSL license (the "License"). You may not use + # this file except in compliance with the License. 
You can obtain a copy
+@@ -231,6 +231,7 @@ BN_F_BN_RSHIFT:146:BN_rshift
+ BN_F_BN_SET_WORDS:144:bn_set_words
+ BN_F_BN_STACK_PUSH:148:BN_STACK_push
+ BN_F_BN_USUB:115:BN_usub
++BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind
+ BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow
+ BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean
+ BUF_F_BUF_MEM_NEW:101:BUF_MEM_new
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c
+index b52a66f..6c3c0cf 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c
+@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+ BN_free(d);
+ }
+
+- if (blinding)
+- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
++ if (blinding) {
++ /*
++ * ossl_bn_rsa_do_unblind() combines blinding inversion and
++ * 0-padded BN BE serialization
++ */
++ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
++ buf, num);
++ if (j == 0)
+ goto err;
+-
+- j = BN_bn2binpad(ret, buf, num);
++ } else {
++ j = BN_bn2binpad(ret, buf, num);
++ if (j < 0)
++ goto err;
++ }
+
+ switch (padding) {
+ case RSA_PKCS1_PADDING:
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
+index 60afda1..b5f36fb 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
+@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
+ int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
+ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
+ const BIGNUM *d, BN_CTX *ctx);
++int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
++ const BN_BLINDING *blinding,
++ const BIGNUM *possible_arg2,
++ const BIGNUM *to_mod, BN_CTX *ctx,
++ unsigned char *buf, int num);
+
+ #endif
+diff --git
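Review bot: In the rsa_ossl.c hunk (`@@ -465,11 +465,20 @@`) the new call hands `buf, num` to ossl_bn_rsa_do_unblind(), and that function, as defined earlier in this patch, is only correct when `num` equals the modulus length. It rejects `num < BN_num_bytes(to_mod)` but computes the first-limb `delta` from `num` while starting the copy at `buf + num - BN_num_bytes(to_mod)`, so a larger `num` would write past the end of `buf`. The assignment of `num` is outside this hunk; presumably it is the byte length of rsa->n, which would make this call safe. Deriving the length from the modulus, `int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - BN_num_bytes(to_mod));`, would remove the dependency on the caller. The enclosing rsa_ossl_private_decrypt() starts and ends outside the hunk.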
a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h
+index 9f3c7cf..a0752ce 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h
+@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void);
+ # define BN_F_BN_SET_WORDS 144
+ # define BN_F_BN_STACK_PUSH 148
+ # define BN_F_BN_USUB 115
++# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151
+
+ /*
+ * BN reason codes.
+--
+2.33.0
+
diff --git a/0030-brotli-Fix-VLA-parameter-warning-893.patch b/0030-brotli-Fix-VLA-parameter-warning-893.patch
new file mode 100644
index 0000000..9f6974e
--- /dev/null
+++ b/0030-brotli-Fix-VLA-parameter-warning-893.patch
@@ -0,0 +1,89 @@ +From 0a3944c8c99b8d10cc4325f721b7c273d2b41f7b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Adri=C3=A1n=20Herrera=20Arcila?= <adr.her.arc.95@gmail.com> +Date: Wed, 23 Jun 2021 08:53:59 +0100 +Subject: [PATCH] Fix VLA parameter warning (#893) + +Make VLA buffer types consistent in declarations and definitions. +Resolves build crash when using -Werror due to "vla-parameter" warning. + +Signed-off-by: Adrian Herrera <adr.her.arc.95@gmail.com> + +reference: https://github.com/google/brotli/pull/893 +Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> +--- + BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c | 6 ++++-- + BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c | 5 +++-- + .../Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c | 6 ++++-- + .../Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c | 5 +++-- + 4 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c +index ae5a3d3..7eee968 100644 +--- a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c ++++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c +@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands( + } + + BrotliDecoderResult BrotliDecoderDecompress( +- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size, +- uint8_t* decoded_buffer) { ++ size_t encoded_size, ++ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)], ++ size_t* decoded_size, ++ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) { + BrotliDecoderState s; + BrotliDecoderResult result; + size_t total_out = 0; +diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c +index 8d90937..0c49c64 100644 +--- 
a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c ++++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c +@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream( + + BROTLI_BOOL BrotliEncoderCompress( + int quality, int lgwin, BrotliEncoderMode mode, size_t input_size, +- const uint8_t* input_buffer, size_t* encoded_size, +- uint8_t* encoded_buffer) { ++ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)], ++ size_t* encoded_size, ++ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) { + BrotliEncoderState* s; + size_t out_size = *encoded_size; + const uint8_t* input_start = input_buffer; + +diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c +index ae5a3d3..7eee968 100644 +--- a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c ++++ b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c +@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands( + } + + BrotliDecoderResult BrotliDecoderDecompress( +- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size, +- uint8_t* decoded_buffer) { ++ size_t encoded_size, ++ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)], ++ size_t* decoded_size, ++ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) { + BrotliDecoderState s; + BrotliDecoderResult result; + size_t total_out = 0; +diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c +index 8d90937..0c49c64 100644 +--- a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c ++++ b/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c +@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream( + + BROTLI_BOOL BrotliEncoderCompress( + int quality, int lgwin, BrotliEncoderMode mode, size_t input_size, +- const uint8_t* input_buffer, size_t* encoded_size, +- uint8_t* encoded_buffer) { ++ const 
uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)], ++ size_t* encoded_size, ++ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) { + BrotliEncoderState* s; + size_t out_size = *encoded_size; + const uint8_t* input_start = input_buffer; +-- +2.41.0 + diff --git a/0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch b/0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch new file mode 100644 index 0000000..bde72b3 --- /dev/null +++ b/0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch @@ -0,0 +1,48 @@ +From ae8272ef787d80950803c521a13a308651bdc62e Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 20 Dec 2021 22:32:38 +0800 +Subject: [PATCH] MdeModulePkg/UsbBusDxe: fix NOOPT build error + +gcc-11 (fedora 35): + +/home/kraxel/projects/edk2/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBus.c: In function ?UsbIoBulkTransfer?: +/home/kraxel/projects/edk2/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBus.c:277:12: error: ?UsbHcBulkTransfer? accessing 80 bytes in a region of size 8 [-Werror=stringop-overflow=] + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reviewed-by: Hao A Wu <hao.a.wu@intel.com> + +reference: https://github.com/tianocore/edk2/pull/2347 +Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> +--- + MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c | 2 +- + MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c +index 12d08c0b74..740e7babb0 100644 +--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c ++++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c +@@ -285,7 +285,7 @@ UsbHcBulkTransfer ( + IN UINT8 DevSpeed,
+ IN UINTN MaxPacket,
+ IN UINT8 BufferNum,
+- IN OUT VOID *Data[EFI_USB_MAX_BULK_BUFFER_NUM],
++ IN OUT VOID *Data[],
+ IN OUT UINTN *DataLength,
+ IN OUT UINT8 *DataToggle,
+ IN UINTN TimeOut,
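Review bot: With the bound removed from `Data[]` in UsbHcBulkTransfer's parameter list, the signature no longer says how many entries the callee may touch, and nothing in the hunk ties that count to `BufferNum`. The function header comment (outside the hunk) should carry it, for example `@param Data Array of BufferNum buffer pointers, at most EFI_USB_MAX_BULK_BUFFER_NUM entries.`, and the same wording belongs on the prototype changed in the UsbUtility.h hunk. If a caller can pass a BufferNum above that limit, a check at the top of the body would be worth adding; the body is not visible here.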
+diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h
+index 04cf36d3c8..d93370a6c2 100644
+--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h
++++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h
+@@ -149,7 +149,7 @@ UsbHcBulkTransfer (
+ IN UINT8 DevSpeed,
+ IN UINTN MaxPacket,
+ IN UINT8 BufferNum,
+- IN OUT VOID *Data[EFI_USB_MAX_BULK_BUFFER_NUM],
++ IN OUT VOID *Data[],
+ IN OUT UINTN *DataLength,
+ IN OUT UINT8 *DataToggle,
+ IN UINTN TimeOut,
+--
+2.41.0
diff --git a/0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch b/0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch
new file mode 100644
index 0000000..5919700
--- /dev/null
+++ b/0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch
@@ -0,0 +1,50 @@
+From 7b005f344e533cd913c3ca05b266f9872df886d1 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 24 Mar 2022 20:04:34 +0800
+Subject: [PATCH 1/3] BaseTools: fix gcc12 warning
+
+GenFfs.c:545:5: error: pointer ?InFileHandle? used after ?fclose? [-Werror=use-after-free]
+ 545 | Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+GenFfs.c:544:5: note: call to ?fclose? here
+ 544 | fclose (InFileHandle);
+ | ^~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Bob Feng <bob.c.feng@intel.com>
+
+reference: https://github.com/tianocore/edk2/pull/2694
+Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
+---
+ BaseTools/Source/C/GenFfs/GenFfs.c | 2 +-
+ BaseTools/Source/C/GenSec/GenSec.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/BaseTools/Source/C/GenFfs/GenFfs.c b/BaseTools/Source/C/GenFfs/GenFfs.c
+index 949025c333..d78d62ab36 100644
+--- a/BaseTools/Source/C/GenFfs/GenFfs.c
++++ b/BaseTools/Source/C/GenFfs/GenFfs.c
+@@ -542,7 +542,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment)
+ PeFileBuffer = (UINT8 *) malloc (PeFileSize);
+ if (PeFileBuffer == NULL) {
+ fclose (InFileHandle);
+- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
++ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile);
+ return EFI_OUT_OF_RESOURCES;
+ }
+ fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle);
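Review bot: The `fread` on the last line of the GenFfs.c hunk discards its return value, so a short read leaves part of the freshly malloc'ed `PeFileBuffer` uninitialised for whatever parses it afterwards (that code is outside the hunk). Comparing the result with the requested count, `if (fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle) != PeFileSize) {`, and freeing the buffer, closing the file and returning an error status in that branch would close the gap. The GenSec.c hunk carries the same line. GetAlignmentFromFile starts and ends outside both hunks.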
+diff --git a/BaseTools/Source/C/GenSec/GenSec.c b/BaseTools/Source/C/GenSec/GenSec.c
+index d54a4f9e0a..b1d05367ec 100644
+--- a/BaseTools/Source/C/GenSec/GenSec.c
++++ b/BaseTools/Source/C/GenSec/GenSec.c
+@@ -1062,7 +1062,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment)
+ PeFileBuffer = (UINT8 *) malloc (PeFileSize);
+ if (PeFileBuffer == NULL) {
+ fclose (InFileHandle);
+- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
++ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile);
+ return EFI_OUT_OF_RESOURCES;
+ }
+ fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle);
+-- +2.41.0
\ No newline at end of file diff --git a/0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch b/0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch new file mode 100644 index 0000000..2ceedd5 --- /dev/null +++ b/0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch 
@@ -0,0 +1,53 @@ +From 85021f8cf22d1bd4114803c6c610dea5ef0059f1 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Thu, 24 Mar 2022 20:04:35 +0800 +Subject: [PATCH 2/3] BaseTools: fix gcc12 warning + +Sdk/C/LzmaEnc.c: In function ?LzmaEnc_CodeOneMemBlock?: +Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*p.rc.outStream? [-Werror=dangling-pointer=] + 2828 | p->rc.outStream = &outStream.vt; + | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~ +Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here + 2811 | CLzmaEnc_SeqOutStreamBuf outStream; + | ^~~~~~~~~ +Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here +Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*(CLzmaEnc *)pp.rc.outStream? [-Werror=dangling-pointer=] + 2828 | p->rc.outStream = &outStream.vt; + | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~ +Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here + 2811 | CLzmaEnc_SeqOutStreamBuf outStream; + | ^~~~~~~~~ +Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here +cc1: all warnings being treated as errors + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reviewed-by: Bob Feng <bob.c.feng@intel.com> + +reference: https://github.com/tianocore/edk2/pull/2694 +Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> +--- + BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c +index 4e9b499f8d..4b9f5fa692 100644 +--- a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c ++++ b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c +@@ -2638,12 +2638,13 @@ SRes LzmaEnc_CodeOneMemBlock(CLzmaEncHandle pp, Bool reInit, +
+ nowPos64 = p->nowPos64;
+ RangeEnc_Init(&p->rc);
+- p->rc.outStream = &outStream.vt;
+
+ if (desiredPackSize == 0)
+ return SZ_ERROR_OUTPUT_EOF;
+
++ p->rc.outStream = &outStream.vt;
+ res = LzmaEnc_CodeOneBlock(p, desiredPackSize, *unpackSize);
++ p->rc.outStream = NULL;
+
+ *unpackSize = (UInt32)(p->nowPos64 - nowPos64);
+ *destLen -= outStream.rem;
+--
+2.41.0.windows.1
+
diff --git a/0034-Basetools-turn-off-gcc12-warning.patch b/0034-Basetools-turn-off-gcc12-warning.patch
new file mode 100644
index 0000000..f17e7b0
--- /dev/null
+++ b/0034-Basetools-turn-off-gcc12-warning.patch
@@ -0,0 +1,43 @@
+From 22130dcd98b4d4b76ac8d922adb4a2dbc86fa52c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 24 Mar 2022 20:04:36 +0800
+Subject: [PATCH 3/3] Basetools: turn off gcc12 warning
+
+In function ?SetDevicePathEndNode?,
+ inlined from ?FileDevicePath? at DevicePathUtilities.c:857:5:
+DevicePathUtilities.c:321:3: error: writing 4 bytes into a region of size 1 [-Werror=stringop-overflow=]
+ 321 | memcpy (Node, &mUefiDevicePathLibEndDevicePath, sizeof (mUefiDevicePathLibEndDevicePath));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In file included from UefiDevicePathLib.h:22,
+ from DevicePathUtilities.c:16:
+../Include/Protocol/DevicePath.h: In function ?FileDevicePath?:
+../Include/Protocol/DevicePath.h:51:9: note: destination object ?Type? of size 1
+ 51 | UINT8 Type; ///< 0x01 Hardware Device Path.
+ | ^~~~
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Bob Feng <bob.c.feng@intel.com>
+
+reference: https://github.com/tianocore/edk2/pull/2694
+Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
+---
+ BaseTools/Source/C/DevicePath/GNUmakefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/BaseTools/Source/C/DevicePath/GNUmakefile b/BaseTools/Source/C/DevicePath/GNUmakefile
+index 7ca08af966..b05d2bddfa 100644
+--- a/BaseTools/Source/C/DevicePath/GNUmakefile
++++ b/BaseTools/Source/C/DevicePath/GNUmakefile
+@@ -13,6 +13,9 @@ OBJECTS = DevicePath.o UefiDevicePathLib.o DevicePathFromText.o DevicePathUtili
+
+ include $(MAKEROOT)/Makefiles/app.makefile
+
++# gcc 12 trips over device path handling
++BUILD_CFLAGS += -Wno-error=stringop-overflow
++
+ LIBS = -lCommon
+ ifeq ($(CYGWIN), CYGWIN)
+ LIBS += -L/lib/e2fsprogs -luuid
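Review bot: `BUILD_CFLAGS += -Wno-error=stringop-overflow` stops this diagnostic from failing the build for every source file of the DevicePath tool, while the commit message reports it at a single `memcpy` in SetDevicePathEndNode(). The comment above the flag should name that site so the flag can be dropped once the code is fixed, e.g. `# gcc 12: -Wstringop-overflow at memcpy in SetDevicePathEndNode (DevicePathUtilities.c); remove when fixed`. A narrower alternative would be a diagnostic pragma around that one call, so that new stringop-overflow reports elsewhere in the tool still fail the build.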
+--
+2.41.0 + diff --git a/0035-add-file-edk2-aarch64-json.patch b/0035-add-file-edk2-aarch64-json.patch new file mode 100644 index 0000000..2103508 --- /dev/null +++ b/0035-add-file-edk2-aarch64-json.patch @@ -0,0 +1,50 @@ +From 32a67be9c4f5d12a0beeacff4142bb47c9cd0ee7 Mon Sep 17 00:00:00 2001 +From: tzing_t <zhengting13@huawei.com> +Date: Mon, 30 Oct 2023 11:00:44 +0000 +Subject: [PATCH] add file edk2-aarch64.json + +--- + edk2-aarch64.json | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + create mode 100644 edk2-aarch64.json + +diff --git a/edk2-aarch64.json b/edk2-aarch64.json +new file mode 100644 +index 0000000..5bbfa6a +--- /dev/null ++++ b/edk2-aarch64.json +@@ -0,0 +1,31 @@ ++{ ++ "description": "UEFI firmware for ARM64 virtual machines", ++ "interface-types": [ ++ "uefi" ++ ], ++ "mapping": { ++ "device": "flash", ++ "executable": { ++ "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw", ++ "format": "raw" ++ }, ++ "nvram-template": { ++ "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw", ++ "format": "raw" ++ } ++ }, ++ "targets": [ ++ { ++ "architecture": "aarch64", ++ "machines": [ ++ "virt-*" ++ ] ++ } ++ ], ++ "features": [ ++ ++ ], ++ "tags": [ ++ ++ ] ++} +-- +2.33.0 + diff --git a/edk2.spec b/edk2.spec new file mode 100644 index 0000000..2a40409 --- /dev/null +++ b/edk2.spec 
@@ -0,0 +1,378 @@ +%global stable_date 202011 +%global release_tag edk2-stable%{stable_date} +%global openssl_version 1.1.1f +%global _python_bytecompile_extra 0 + +Name: edk2 +Version: %{stable_date} +Release: 14 +Summary: EFI Development Kit II +License: BSD-2-Clause-Patent +URL: https://github.com/tianocore/edk2 +Source0: https://github.com/tianocore/edk2/archive/%{release_tag}.tar.gz +Source1: openssl-%{openssl_version}.tar.gz +Source2: brotli.tar.gz + +# for CVE-2021-38575 +Patch0001: 0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch +Patch0002: 0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch +Patch0003: 0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch +Patch0004: 0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch +Patch0005: 0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch +Patch0006: 0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch +Patch0007: 0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch +Patch0008: 0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch +Patch0009: 0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch +Patch0010: 0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch + +# for CVE-2021-28216 +Patch0011: 0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch + +# for CVE-2021-38576 +Patch0012: 0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch +Patch0013: 0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch +Patch0014: 0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch +Patch0015: 0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch +Patch0016: 0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch +Patch0017: 0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch +Patch0018: 0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch +Patch0019: 0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch + +Patch0020: 
0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch + +Patch0021: 0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch + +Patch0022: 0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch +Patch0023: 0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch +Patch0024: 0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch +Patch0025: 0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch +Patch0026: 0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch +Patch0027: 0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch +Patch0028: 0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch + +# for CVE-2022-4304 +Patch0029: 0029-Fix-Timing-Oracle-in-RSA-decryption.patch + +# solving the compilation failure problem of gcc 12.3.0 +Patch0030: 0030-brotli-Fix-VLA-parameter-warning-893.patch +Patch0031: 0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch +Patch0032: 0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch +Patch0033: 0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch +Patch0034: 0034-Basetools-turn-off-gcc12-warning.patch + +Patch0035: 0035-add-file-edk2-aarch64-json.patch + +BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command + +%description +EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. + +%package devel +Summary: EFI Development Kit II Tools +%description devel +This package provides tools that are needed to build EFI executables and ROMs using the GNU tools. + +%package -n python3-%{name}-devel +Summary: EFI Development Kit II Tools +Requires: python3 +BuildArch: noarch +%description -n python3-%{name}-devel +This package provides tools that are needed to build EFI executables and ROMs using the GNU tools. 
+ +%package help +Summary: Documentation for EFI Development Kit II Tools +BuildArch: noarch +%description help +This package documents the tools that are needed to build EFI executables and ROMs using the GNU tools. + +%ifarch aarch64 +%package aarch64 +Summary: AARCH64 Virtual Machine Firmware +BuildArch: noarch +%description aarch64 +EFI Development Kit II AARCH64 UEFI Firmware +%endif + +%ifarch x86_64 +%package ovmf +Summary: Open Virtual Machine Firmware +BuildArch: noarch +%description ovmf +EFI Development Kit II Open Virtual Machine Firmware (x64) +%endif + +%ifarch %{ix86} +%package ovmf-ia32 +Summary: Open Virtual Machine Firmware +BuildArch: noarch +%description ovmf-ia32 +EFI Development Kit II Open Virtual Machine Firmware (ia32) +%endif + +%prep +%setup -n edk2-%{release_tag} +tar -xf %{SOURCE1} -C CryptoPkg/Library/OpensslLib/openssl --strip-components=1 +tar -xf %{SOURCE2} -C MdeModulePkg/Library/BrotliCustomDecompressLib/brotli --strip-components=1 +tar -xf %{SOURCE2} -C BaseTools/Source/C/BrotliCompress/brotli --strip-components=1 +%autopatch -p1 + +%build +NCPUS=`/usr/bin/getconf _NPROCESSORS_ONLN` +BUILD_OPTION="-t GCC5 -n $NCPUS -b RELEASE" + +make -C BaseTools %{?_smp_mflags} EXTRA_OPTFLAGS="%{optflags}" EXTRA_LDFLAGS="%{__global_ldflags}" +. 
./edksetup.sh + +COMMON_FLAGS="-D NETWORK_IP6_ENABLE" +%ifarch aarch64 + BUILD_OPTION="$BUILD_OPTION -a AARCH64 -p ArmVirtPkg/ArmVirtQemu.dsc --cmd-len=65536 $COMMON_FLAGS" +%endif + +%ifarch x86_64 + BUILD_OPTION="$BUILD_OPTION -a X64 -p OvmfPkg/OvmfPkgX64.dsc $COMMON_FLAGS" +%endif + +%ifarch %{ix86} + BUILD_OPTION="$BUILD_OPTION -a IA32 -p OvmfPkg/OvmfPkgIa32.dsc" +%endif +BUILD_OPTION="$BUILD_OPTION -D SECURE_BOOT_ENABLE=TRUE" +BUILD_OPTION="$BUILD_OPTION -D TPM2_ENABLE=TRUE" +BUILD_OPTION="$BUILD_OPTION -D TPM2_CONFIG_ENABLE=TRUE" +BUILD_OPTION="$BUILD_OPTION -D TPM_ENABLE=TRUE" +BUILD_OPTION="$BUILD_OPTION -D TPM_CONFIG_ENABLE=TRUE" +build $BUILD_OPTION + +%install +cp CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl +mkdir -p %{buildroot}%{_bindir} \ + %{buildroot}%{_datadir}/%{name}/Conf \ + %{buildroot}%{_datadir}/%{name}/Scripts +install BaseTools/Source/C/bin/* %{buildroot}%{_bindir} +install BaseTools/BuildEnv %{buildroot}%{_datadir}/%{name} +install BaseTools/Conf/*.template %{buildroot}%{_datadir}/%{name}/Conf +install BaseTools/Scripts/GccBase.lds %{buildroot}%{_datadir}/%{name}/Scripts + +%ifarch aarch64 +mkdir -p %{buildroot}%{_datadir}/qemu/firmware +install -m 0644 edk2-aarch64.json \ + %{buildroot}%{_datadir}/qemu/firmware/edk2-aarch64.json +# endif build_aarch64 +%endif + +cp -R BaseTools/Source/Python %{buildroot}%{_datadir}/%{name}/Python +find %{buildroot}%{_datadir}/%{name}/Python -name '__pycache__'|xargs rm -rf + +for i in build BPDG GenDepex GenFds GenPatchPcdTable PatchPcdValue Pkcs7Sign Rsa2048Sha256Sign TargetTool Trim UPT; do +echo '#!/usr/bin/env bash +export PYTHONPATH=%{_datadir}/%{name}/Python${PYTHONPATH:+:"$PYTHONPATH"} +exec python3 '%{_datadir}/%{name}/Python/$i/$i.py' "$@"' > %{buildroot}%{_bindir}/$i + chmod +x %{buildroot}%{_bindir}/$i +done + +echo '#!/usr/bin/env bash +export PYTHONPATH=%{_datadir}/%{name}/Python${PYTHONPATH:+:"$PYTHONPATH"} +exec python3 '%{_datadir}/%{name}/Python/Ecc/EccMain.py' "$@"' > 
%{buildroot}%{_bindir}/Ecc +chmod +x %{buildroot}%{_bindir}/Ecc + +echo '#!/usr/bin/env bash +export PYTHONPATH=%{_datadir}/%{name}/Python${PYTHONPATH:+:"$PYTHONPATH"} +exec python3 '%{_datadir}/%{name}/Python/Capsule/GenerateCapsule.py' "$@"' > %{buildroot}%{_bindir}/GenerateCapsule +chmod +x %{buildroot}%{_bindir}/GenerateCapsule + +echo '#!/usr/bin/env bash +export PYTHONPATH=%{_datadir}/%{name}/Python${PYTHONPATH:+:"$PYTHONPATH"} +exec python3 '%{_datadir}/%{name}/Python/Rsa2048Sha256Sign/Rsa2048Sha256GenerateKeys.py' "$@"' > %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys +chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys + +%ifarch aarch64 + mkdir -p %{buildroot}/usr/share/%{name}/aarch64 + cp Build/ArmVirtQemu-AARCH64/RELEASE_*/FV/*.fd %{buildroot}/usr/share/%{name}/aarch64 + dd of="%{buildroot}/usr/share/%{name}/aarch64/QEMU_EFI-pflash.raw" if="/dev/zero" bs=1M count=64 + dd of="%{buildroot}/usr/share/%{name}/aarch64/QEMU_EFI-pflash.raw" if="%{buildroot}/usr/share/%{name}/aarch64/QEMU_EFI.fd" conv=notrunc + dd of="%{buildroot}/usr/share/%{name}/aarch64/vars-template-pflash.raw" if="/dev/zero" bs=1M count=64 +%endif + +%ifarch x86_64 + mkdir -p %{buildroot}/usr/share/%{name}/ovmf + cp Build/OvmfX64/*/FV/OVMF*.fd %{buildroot}/usr/share/%{name}/ovmf +%endif + +%ifarch %{ix86} + mkdir -p %{buildroot}/usr/share/%{name}/ovmf-ia32 + cp Build/OvmfIa32/*/FV/OVMF_CODE.fd %{buildroot}/usr/share/%{name}/ovmf-ia32 +%endif + +%files devel +%license License.txt +%license LICENSE.openssl +%{_bindir}/BrotliCompress +%{_bindir}/DevicePath +%{_bindir}/EfiRom +%{_bindir}/GenCrc32 +%{_bindir}/GenFfs +%{_bindir}/GenFv +%{_bindir}/GenFw +%{_bindir}/GenSec +%{_bindir}/LzmaCompress +%{_bindir}/Split +%{_bindir}/TianoCompress +%{_bindir}/VfrCompile +%{_bindir}/VolInfo +%{_datadir}/%{name}/BuildEnv +%{_datadir}/%{name}/Conf +%{_datadir}/%{name}/Scripts + +%files -n python3-%{name}-devel +%{_bindir}/BPDG +%{_bindir}/Ecc +%{_bindir}/GenDepex +%{_bindir}/GenFds 
+%{_bindir}/GenPatchPcdTable +%{_bindir}/GenerateCapsule +%{_bindir}/Pkcs7Sign +%{_bindir}/PatchPcdValue +%{_bindir}/Rsa2048Sha256GenerateKeys +%{_bindir}/Rsa2048Sha256Sign +%{_bindir}/TargetTool +%{_bindir}/Trim +%{_bindir}/UPT +%{_bindir}/build +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/Python + +%files help +%doc BaseTools/UserManuals/*.rtf + +%ifarch aarch64 +%files aarch64 +%license OvmfPkg/License.txt +%license LICENSE.openssl +%dir /usr/share/%{name} +%dir /usr/share/%{name}/aarch64 +/usr/share/%{name}/aarch64/QEMU*.fd +/usr/share/%{name}/aarch64/*.raw +%{_datadir}/qemu/firmware/edk2-aarch64.json +%endif + +%ifarch x86_64 +%files ovmf +%license OvmfPkg/License.txt +%license LICENSE.openssl +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/ovmf +%endif + +%ifarch %{ix86} +%license OvmfPkg/License.txt +%license LICENSE.openssl +%files ovfm-ia32 +%dir /usr/share/%{name} +%endif + +%changelog +* Mon Oct 30 2023 zhengting<zhengting13@huawei.com> - 202011-14 +- add edk2-aarch64-json + +* Thu Jul 13 2023 Jiabo Feng<fengjiabo1@huawei.com> - 202011-13 +- solving the compilation failure problem of gcc 12.3.0 + +* Fri Mar 10 2023 yexiao<yexiao7@huawei.com> - 202011-12 +- fix CVE-2022-4304 + +* Sun Feb 26 2023 chenhuiying<chenhuiying4@huawei.com> - 202011-11 +- fix CVE-2023-0286 + +* Sun Feb 26 2023 chenhuiying<chenhuiying4@huawei.com> - 202011-10 +- fix CVE-2023-0215 + +* Sat Feb 25 2023 shaodenghui<shaodenghui@huawei.com> - 202011-9 +- fix CVE-2023-0401 + +* Mon Feb 20 2023 shaodenghui<shaodenghui@huawei.com> - 202011-8 +- fix CVE-2022-4450 + +* Tue Nov 29 2022 chenhuiying<chenhuiying4@huawei.com> - 202011-7 +- fix CVE-2021-38578 + +* Thu Sep 29 2022 chenhuiying<chenhuiying4@huawei.com> - 202011-6 +* fix CVE-2019-11098 + +* Tue Jun 14 2022 miaoyubo <miaoyubo@huawei.com> - 202011-5 +- Enable TPM for pcr0-7 + +* Wed Apr 27 2022 yezengruan <yezengruan@huawei.com> - 202011-4 +- update the format of changelog + +* Thu Feb 17 2022 Jinhua Cao <caojinhua1@huawei.com> - 
202011-3 +- OvmfPkg: VirtioNetDxe: Extend the RxBufferSize to avoid data truncation + +* Tue Feb 15 2022 Jinhua Cao <caojinhua1@huawei.com> - 202011-2 +- fix CVE-2021-38576 + +* Mon Feb 7 2022 Jinhua Cao <caojinhua1@huawei.com> - 202011-1 +- update edk2 to stable 202011 + +* Wed Jan 12 2022 Jinhua Cao <caojinhua1@huawei.com> - 202002-11 +- BaseTools: fix ucs-2 lookup on python3.9 +- BaseTools: Work around array.array.tostring() removal in python3.9 + +* Wed Dec 1 2021 Jinhua Cao <caojinhua1@huawei.com> - 202002-10 +- fix CVE-2021-28216 + +* Wed Sep 22 2021 imxcc <xingchaochao@huawei.com> - 202002-9 +- fix cve-2021-38575 + +* Tue Aug 31 2021 miaoyubo <miaoyubo@huawei.com> - 202002-8 +- MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed + +* Fri Jul 30 2021 Zhenyu Ye <yezhenyu2@huawei.com> - 202002-7 +- ArmPkg/CompilerIntrinsicsLib: provide atomics intrinsics + +* Mon Jun 28 2021 Jiajie Li <lijiajie11@huawei.com> - 202002-6 +- Fix CVE-2021-28210 + +* Tue Oct 27 2020 AlexChen <alex.chen@huawei.com> - 202002-5 +- remove build requires of python2 + +* Mon Sep 28 2020 FangYing <fangying1@huawei.com> - 202002-4 +- update the Source0 to http url + +* Fri Jul 31 2020 jiangfangjie <jiangfangjie@huawei.com> - 202002-3 +- ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot +- ArmVirtPkg/ArmVirtQemu: enable the TPM2 configuration module + +* Mon Jul 27 2020 zhangxinhao <zhangxinhao1@huawei.com> - 202002-2 +- add build option "-D SECURE_BOOT_ENABLE=TRUE" to enable secure boot + +* Thu May 7 2020 openEuler Buildteam <buildteam@openeuler.org> - 202002-1 +- Update edk2 to stable202002 and OpenSSL to 1.1.1f + +* Thu Mar 19 2020 openEuler Buildteam <buildteam@openeuler.org> - 201908-9 +- fix an overflow bug in rsaz_512_sqr +- use the correct maximum indent + +* Tue Mar 17 2020 openEuler Buildteam <buildteam@openeuler.org> - 201908-8 +- enable multiple threads compiling +- Pass EXTRA_OPTFLAGS and EXTRA_OPTFLAGS options to make command +- enable IPv6 for X86_64 + +* Sun 
Mar 15 2020 openEuler Buildteam <buildteam@openeuler.org> - 201908-7 +- fix missing OVMF.fd in package + +* Sat Feb 22 2020 openEuler Buildteam <buildteam@openeuler.org> - 201908-6 +- add build requires of python2 + +* Mon Dec 30 2019 Heyi Guo <buildteam@openeuler.org> - 201908-5 +- Upgrade openssl to 1.1.1d + +* Tue Nov 26 2019 openEuler Buildteam <buildteam@openeuler.org> - 201908-4 +- add build requires of nasm + +* Tue Nov 26 2019 openEuler Buildteam <buildteam@openeuler.org> - 201908-3 +- Correct name of package ovmf + +* Mon Sep 30 2019 zhanghailiang <zhang.zhanghailiang@huawei.com> - 201908-2 +- Enable IPv6 suppport and Modify Release number to 2 + +* Wed Sep 18 2019 openEuler Buildteam <buildteam@openeuler.org> - 201908-1 +- Package init @@ -0,0 +1,3 @@ +8f2f18f20f2a3ae186c90413fbb39ec1 brotli.tar.gz +6f896f055082159f88d7a54ee24763c1 edk2-stable202011.tar.gz +3f486f2f4435ef14b81814dbbc7b48bb openssl-1.1.1f.tar.gz |
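Review bot: In the last `%ifarch %{ix86}` block of the file lists in edk2.spec, `%files ovfm-ia32` names a subpackage that is never declared (the `%package` line earlier in the spec says `ovmf-ia32`). The two `%license` lines also sit above the `%files` header, so they do not belong to the list they were meant for. That list owns only `%dir /usr/share/%{name}`, while `%install` copies `OVMF_CODE.fd` into `/usr/share/%{name}/ovmf-ia32`, so the firmware image would be left unpackaged. I would start the block with `%files ovmf-ia32`, move the two `%license` lines below it, and add `%{_datadir}/%{name}/ovmf-ia32`, mirroring the x86_64 `%files ovmf` block.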