authorCoprDistGit <infra@openeuler.org>2023-10-30 11:56:48 +0000
committerCoprDistGit <infra@openeuler.org>2023-10-30 11:56:48 +0000
commit1dae37b163e1e08e719ac06fa86b3414b4ddfb2b (patch)
treed6c29b92e733448b00701f46c85d08ecc4a5fbbb
parent8a55803b9ffda4b5bd4f5bbb9767a617620266ae (diff)
automatic import of edk2openeuler22.03_LTS
-rw-r--r--.gitignore3
-rw-r--r--0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch244
-rw-r--r--0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch64
-rw-r--r--0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch95
-rw-r--r--0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch94
-rw-r--r--0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch147
-rw-r--r--0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch88
-rw-r--r--0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch86
-rw-r--r--0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch97
-rw-r--r--0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch106
-rw-r--r--0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch84
-rw-r--r--0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch982
-rw-r--r--0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch378
-rw-r--r--0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch121
-rw-r--r--0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch161
-rw-r--r--0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch63
-rw-r--r--0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch53
-rw-r--r--0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch191
-rw-r--r--0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch63
-rw-r--r--0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch68
-rw-r--r--0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch50
-rw-r--r--0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch191
-rw-r--r--0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch208
-rw-r--r--0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch43
-rw-r--r--0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch57
-rw-r--r--0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch106
-rw-r--r--0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch79
-rw-r--r--0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch102
-rw-r--r--0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch41
-rw-r--r--0029-Fix-Timing-Oracle-in-RSA-decryption.patch834
-rw-r--r--0030-brotli-Fix-VLA-parameter-warning-893.patch89
-rw-r--r--0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch48
-rw-r--r--0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch50
-rw-r--r--0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch53
-rw-r--r--0034-Basetools-turn-off-gcc12-warning.patch43
-rw-r--r--0035-add-file-edk2-aarch64-json.patch50
-rw-r--r--edk2.spec378
-rw-r--r--sources3
38 files changed, 5613 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index e69de29..23a9e75 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/brotli.tar.gz
+/edk2-stable202011.tar.gz
+/openssl-1.1.1f.tar.gz
diff --git a/0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch b/0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch
new file mode 100644
index 0000000..8b41381
--- /dev/null
+++ b/0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch
@@ -0,0 +1,244 @@
+From 83761337ec91fbd459c55d7d956fcc25df3bfa50 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:50 +0200
+Subject: [PATCH 18/27] NetworkPkg/IScsiDxe: wrap IScsiCHAP source files to 80
+ characters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Working with overlong lines is difficult for me; rewrap the CHAP-related
+source files in IScsiDxe to 80 characters width. No functional changes.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-2-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 90 +++++++++++++++++++++++++--------
+ NetworkPkg/IScsiDxe/IScsiCHAP.h | 3 +-
+ 2 files changed, 71 insertions(+), 22 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index 355c6f129f..cbbc56ae5b 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -1,5 +1,6 @@
+ /** @file
+- This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration.
++ This file is for Challenge-Handshake Authentication Protocol (CHAP)
++ Configuration.
+
+ Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+@@ -18,9 +19,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ @param[in] ChallengeLength The length of iSCSI CHAP challenge message.
+ @param[out] ChapResponse The calculation of the expected hash value.
+
+- @retval EFI_SUCCESS The expected hash value was calculatedly successfully.
+- @retval EFI_PROTOCOL_ERROR The length of the secret should be at least the
+- length of the hash value for the hashing algorithm chosen.
++ @retval EFI_SUCCESS The expected hash value was calculatedly
++ successfully.
++ @retval EFI_PROTOCOL_ERROR The length of the secret should be at least
++ the length of the hash value for the hashing
++ algorithm chosen.
+ @retval EFI_PROTOCOL_ERROR MD5 hash operation fail.
+ @retval EFI_OUT_OF_RESOURCES Fail to allocate resource to complete MD5.
+
+@@ -94,8 +97,10 @@ Exit:
+ @param[in] AuthData iSCSI CHAP authentication data.
+ @param[in] TargetResponse The response from target.
+
+- @retval EFI_SUCCESS The response from target passed authentication.
+- @retval EFI_SECURITY_VIOLATION The response from target was not expected value.
++ @retval EFI_SUCCESS The response from target passed
++ authentication.
++ @retval EFI_SECURITY_VIOLATION The response from target was not expected
++ value.
+ @retval Others Other errors as indicated.
+
+ **/
+@@ -193,7 +198,10 @@ IScsiCHAPOnRspReceived (
+ //
+ // The first Login Response.
+ //
+- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG);
++ Value = IScsiGetValueByKeyFromList (
++ KeyValueList,
++ ISCSI_KEY_TARGET_PORTAL_GROUP_TAG
++ );
+ if (Value == NULL) {
+ goto ON_EXIT;
+ }
+@@ -205,13 +213,17 @@ IScsiCHAPOnRspReceived (
+
+ Session->TargetPortalGroupTag = (UINT16) Result;
+
+- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD);
++ Value = IScsiGetValueByKeyFromList (
++ KeyValueList,
++ ISCSI_KEY_AUTH_METHOD
++ );
+ if (Value == NULL) {
+ goto ON_EXIT;
+ }
+ //
+- // Initiator mandates CHAP authentication but target replies without "CHAP", or
+- // initiator suggets "None" but target replies with some kind of auth method.
++ // Initiator mandates CHAP authentication but target replies without
++ // "CHAP", or initiator suggets "None" but target replies with some kind of
++ // auth method.
+ //
+ if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) {
+ if (AsciiStrCmp (Value, ISCSI_KEY_VALUE_NONE) != 0) {
+@@ -236,7 +248,10 @@ IScsiCHAPOnRspReceived (
+ //
+ // The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>
+ //
+- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM);
++ Value = IScsiGetValueByKeyFromList (
++ KeyValueList,
++ ISCSI_KEY_CHAP_ALGORITHM
++ );
+ if (Value == NULL) {
+ goto ON_EXIT;
+ }
+@@ -249,12 +264,18 @@ IScsiCHAPOnRspReceived (
+ goto ON_EXIT;
+ }
+
+- Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER);
++ Identifier = IScsiGetValueByKeyFromList (
++ KeyValueList,
++ ISCSI_KEY_CHAP_IDENTIFIER
++ );
+ if (Identifier == NULL) {
+ goto ON_EXIT;
+ }
+
+- Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE);
++ Challenge = IScsiGetValueByKeyFromList (
++ KeyValueList,
++ ISCSI_KEY_CHAP_CHALLENGE
++ );
+ if (Challenge == NULL) {
+ goto ON_EXIT;
+ }
+@@ -269,7 +290,11 @@ IScsiCHAPOnRspReceived (
+
+ AuthData->InIdentifier = (UINT32) Result;
+ AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;
+- IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge);
++ IScsiHexToBin (
++ (UINT8 *) AuthData->InChallenge,
++ &AuthData->InChallengeLength,
++ Challenge
++ );
+ Status = IScsiCHAPCalculateResponse (
+ AuthData->InIdentifier,
+ AuthData->AuthConfig->CHAPSecret,
+@@ -303,7 +328,10 @@ IScsiCHAPOnRspReceived (
+ goto ON_EXIT;
+ }
+
+- Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE);
++ Response = IScsiGetValueByKeyFromList (
++ KeyValueList,
++ ISCSI_KEY_CHAP_RESPONSE
++ );
+ if (Response == NULL) {
+ goto ON_EXIT;
+ }
+@@ -341,7 +369,8 @@ ON_EXIT:
+ @param[in, out] Pdu The PDU to send out.
+
+ @retval EFI_SUCCESS All check passed and the phase-related CHAP
+- authentication info is filled into the iSCSI PDU.
++ authentication info is filled into the iSCSI
++ PDU.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
+ @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
+
+@@ -392,7 +421,11 @@ IScsiCHAPToSendReq (
+ // It's the initial Login Request. Fill in the key=value pairs mandatory
+ // for the initial Login Request.
+ //
+- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, mPrivate->InitiatorName);
++ IScsiAddKeyValuePair (
++ Pdu,
++ ISCSI_KEY_INITIATOR_NAME,
++ mPrivate->InitiatorName
++ );
+ IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");
+ IScsiAddKeyValuePair (
+ Pdu,
+@@ -413,7 +446,8 @@ IScsiCHAPToSendReq (
+
+ case ISCSI_CHAP_STEP_ONE:
+ //
+- // First step, send the Login Request with CHAP_A=<A1,A2...> key-value pair.
++ // First step, send the Login Request with CHAP_A=<A1,A2...> key-value
++ // pair.
+ //
+ AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5);
+ IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr);
+@@ -429,11 +463,20 @@ IScsiCHAPToSendReq (
+ //
+ // CHAP_N=<N>
+ //
+- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig->CHAPName);
++ IScsiAddKeyValuePair (
++ Pdu,
++ ISCSI_KEY_CHAP_NAME,
++ (CHAR8 *) &AuthData->AuthConfig->CHAPName
++ );
+ //
+ // CHAP_R=<R>
+ //
+- IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen);
++ IScsiBinToHex (
++ (UINT8 *) AuthData->CHAPResponse,
++ ISCSI_CHAP_RSP_LEN,
++ Response,
++ &RspLen
++ );
+ IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
+
+ if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
+@@ -448,7 +491,12 @@ IScsiCHAPToSendReq (
+ //
+ IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
+ AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;
+- IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen);
++ IScsiBinToHex (
++ (UINT8 *) AuthData->OutChallenge,
++ ISCSI_CHAP_RSP_LEN,
++ Challenge,
++ &ChallengeLen
++ );
+ IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
+
+ Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+index 140bba0dcd..5e59fb678b 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+@@ -88,7 +88,8 @@ IScsiCHAPOnRspReceived (
+ @param[in, out] Pdu The PDU to send out.
+
+ @retval EFI_SUCCESS All check passed and the phase-related CHAP
+- authentication info is filled into the iSCSI PDU.
++ authentication info is filled into the iSCSI
++ PDU.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
+ @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
+
+--
+2.27.0
+
diff --git a/0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch b/0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch
new file mode 100644
index 0000000..7ddeeaa
--- /dev/null
+++ b/0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch
@@ -0,0 +1,64 @@
+From 29cab43bb7912a12efa5a78dac15394aee866e4c Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:51 +0200
+Subject: [PATCH 19/27] NetworkPkg/IScsiDxe: simplify
+ "ISCSI_CHAP_AUTH_DATA.InChallenge" size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The ISCSI_CHAP_AUTH_MAX_LEN macro is defined with value 1024.
+
+The usage of this macro currently involves a semantic (not functional)
+bug, which we're going to fix in a subsequent patch, eliminating
+ISCSI_CHAP_AUTH_MAX_LEN altogether.
+
+For now, remove the macro's usage from all
+"ISCSI_CHAP_AUTH_DATA.InChallenge" contexts. This is doable without
+duplicating open-coded constants.
+
+No changes in functionality.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-3-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 2 +-
+ NetworkPkg/IScsiDxe/IScsiCHAP.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index cbbc56ae5b..df3c2eb120 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -289,7 +289,7 @@ IScsiCHAPOnRspReceived (
+ }
+
+ AuthData->InIdentifier = (UINT32) Result;
+- AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;
++ AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
+ IScsiHexToBin (
+ (UINT8 *) AuthData->InChallenge,
+ &AuthData->InChallengeLength,
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+index 5e59fb678b..1fc1d96ea3 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+@@ -49,7 +49,7 @@ typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA {
+ typedef struct _ISCSI_CHAP_AUTH_DATA {
+ ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig;
+ UINT32 InIdentifier;
+- UINT8 InChallenge[ISCSI_CHAP_AUTH_MAX_LEN];
++ UINT8 InChallenge[1024];
+ UINT32 InChallengeLength;
+ //
+ // Calculated CHAP Response (CHAP_R) value.
+--
+2.27.0
+
diff --git a/0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch b/0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch
new file mode 100644
index 0000000..82ee449
--- /dev/null
+++ b/0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch
@@ -0,0 +1,95 @@
+From 95616b866187b00355042953efa5c198df07250f Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:52 +0200
+Subject: [PATCH 20/27] NetworkPkg/IScsiDxe: clean up
+ "ISCSI_CHAP_AUTH_DATA.OutChallengeLength"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The "ISCSI_CHAP_AUTH_DATA.OutChallenge" field is declared as a UINT8 array
+with ISCSI_CHAP_AUTH_MAX_LEN (1024) elements. However, when the challenge
+is generated and formatted, only ISCSI_CHAP_RSP_LEN (16) octets are used
+in the array.
+
+Change the array size to ISCSI_CHAP_RSP_LEN, and remove the (now unused)
+ISCSI_CHAP_AUTH_MAX_LEN macro.
+
+Remove the "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" field, which is
+superfluous too.
+
+Most importantly, explain in a new comment *why* tying the challenge size
+to the digest size (ISCSI_CHAP_RSP_LEN) has always made sense. (See also
+Linux kernel commit 19f5f88ed779, "scsi: target: iscsi: tie the challenge
+length to the hash digest size", 2019-11-06.) For sure, the motivation
+that the new comment now explains has always been there, and has always
+been the same, for IScsiDxe; it's just that now we spell it out too.
+
+No change in peer-visible behavior.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-4-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 3 +--
+ NetworkPkg/IScsiDxe/IScsiCHAP.h | 9 ++++++---
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index df3c2eb120..9e192ce292 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -122,7 +122,7 @@ IScsiCHAPAuthTarget (
+ AuthData->AuthConfig->ReverseCHAPSecret,
+ SecretSize,
+ AuthData->OutChallenge,
+- AuthData->OutChallengeLength,
++ ISCSI_CHAP_RSP_LEN, // ChallengeLength
+ VerifyRsp
+ );
+
+@@ -490,7 +490,6 @@ IScsiCHAPToSendReq (
+ // CHAP_C=<C>
+ //
+ IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
+- AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;
+ IScsiBinToHex (
+ (UINT8 *) AuthData->OutChallenge,
+ ISCSI_CHAP_RSP_LEN,
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+index 1fc1d96ea3..35d5d6ec29 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
+@@ -19,7 +19,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ #define ISCSI_CHAP_ALGORITHM_MD5 5
+
+-#define ISCSI_CHAP_AUTH_MAX_LEN 1024
+ ///
+ /// MD5_HASHSIZE
+ ///
+@@ -59,9 +58,13 @@ typedef struct _ISCSI_CHAP_AUTH_DATA {
+ //
+ // Auth-data to be sent out for mutual authentication.
+ //
++ // While the challenge size is technically independent of the hashing
++ // algorithm, it is good practice to avoid hashing *fewer bytes* than the
++ // digest size. In other words, it's good practice to feed *at least as many
++ // bytes* to the hashing algorithm as the hashing algorithm will output.
++ //
+ UINT32 OutIdentifier;
+- UINT8 OutChallenge[ISCSI_CHAP_AUTH_MAX_LEN];
+- UINT32 OutChallengeLength;
++ UINT8 OutChallenge[ISCSI_CHAP_RSP_LEN];
+ } ISCSI_CHAP_AUTH_DATA;
+
+ /**
+--
+2.27.0
+
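Review bot: In the embedded IScsiCHAP.c change, the length passed from IScsiCHAPAuthTarget is now the bare macro (`ISCSI_CHAP_RSP_LEN, // ChallengeLength`), so it matches the array only because `OutChallenge[ISCSI_CHAP_RSP_LEN]` currently uses the same macro. Deriving the length from the field keeps the read bound correct if the array size is ever changed on its own: `(UINT32) sizeof (AuthData->OutChallenge), // ChallengeLength`, the same pattern patch 0002 of this series uses for `InChallenge`. The `IScsiGenRandom` and `IScsiBinToHex` calls in IScsiCHAPToSendReq pass the macro as well and could take the same form. Both functions start and end outside the embedded hunks, so the surrounding call is not visible here.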
diff --git a/0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch b/0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch
new file mode 100644
index 0000000..2be51c1
--- /dev/null
+++ b/0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch
@@ -0,0 +1,94 @@
+From e8f28b09e63dfdbb4169969a43c65f86c44b035a Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:53 +0200
+Subject: [PATCH 21/27] NetworkPkg/IScsiDxe: clean up library class
+ dependencies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sort the library class dependencies in the #include directives and in the
+INF file. Remove the DpcLib class from the #include directives -- it is
+not listed in the INF file, and IScsiDxe doesn't call either DpcLib API
+(QueueDpc(), DispatchDpc()). No functional changes.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-5-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiDxe.inf | 6 +++---
+ NetworkPkg/IScsiDxe/IScsiImpl.h | 17 ++++++++---------
+ 2 files changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf
+index 0ffb340ce0..543c408302 100644
+--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf
++++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf
+@@ -65,6 +65,7 @@
+ NetworkPkg/NetworkPkg.dec
+
+ [LibraryClasses]
++ BaseCryptLib
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+@@ -72,14 +73,13 @@
+ HiiLib
+ MemoryAllocationLib
+ NetLib
+- TcpIoLib
+ PrintLib
++ TcpIoLib
+ UefiBootServicesTableLib
+ UefiDriverEntryPoint
++ UefiHiiServicesLib
+ UefiLib
+ UefiRuntimeServicesTableLib
+- UefiHiiServicesLib
+- BaseCryptLib
+
+ [Protocols]
+ gEfiAcpiTableProtocolGuid ## SOMETIMES_CONSUMES ## SystemTable
+diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h
+index 387ab9765e..d895c7feb9 100644
+--- a/NetworkPkg/IScsiDxe/IScsiImpl.h
++++ b/NetworkPkg/IScsiDxe/IScsiImpl.h
+@@ -35,21 +35,20 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include <Protocol/AdapterInformation.h>
+ #include <Protocol/NetworkInterfaceIdentifier.h>
+
+-#include <Library/HiiLib.h>
+-#include <Library/UefiHiiServicesLib.h>
+-#include <Library/DevicePathLib.h>
+-#include <Library/DebugLib.h>
++#include <Library/BaseCryptLib.h>
+ #include <Library/BaseLib.h>
+ #include <Library/BaseMemoryLib.h>
++#include <Library/DebugLib.h>
++#include <Library/DevicePathLib.h>
++#include <Library/HiiLib.h>
+ #include <Library/MemoryAllocationLib.h>
++#include <Library/NetLib.h>
+ #include <Library/PrintLib.h>
++#include <Library/TcpIoLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+-#include <Library/UefiRuntimeServicesTableLib.h>
++#include <Library/UefiHiiServicesLib.h>
+ #include <Library/UefiLib.h>
+-#include <Library/DpcLib.h>
+-#include <Library/NetLib.h>
+-#include <Library/TcpIoLib.h>
+-#include <Library/BaseCryptLib.h>
++#include <Library/UefiRuntimeServicesTableLib.h>
+
+ #include <Guid/MdeModuleHii.h>
+ #include <Guid/EventGroup.h>
+--
+2.27.0
+
diff --git a/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch b/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch
new file mode 100644
index 0000000..f1eddbe
--- /dev/null
+++ b/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch
@@ -0,0 +1,147 @@
+From cf01b2dc8fc3ff9cf49fb891af5703dc03e3193e Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:54 +0200
+Subject: [PATCH 22/27] NetworkPkg/IScsiDxe: fix potential integer overflow in
+ IScsiBinToHex()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Considering IScsiBinToHex():
+
+> if (((*HexLength) - 3) < BinLength * 2) {
+> *HexLength = BinLength * 2 + 3;
+> }
+
+the following subexpressions are problematic:
+
+ (*HexLength) - 3
+ BinLength * 2
+ BinLength * 2 + 3
+
+The first one may wrap under zero, the latter two may wrap over
+MAX_UINT32.
+
+Rewrite the calculation using SafeIntLib.
+
+While at it, change the type of the "Index" variable from UINTN to UINT32.
+The largest "Index"-based value that we calculate is
+
+ Index * 2 + 2 (with (Index == BinLength))
+
+Because the patch makes
+
+ BinLength * 2 + 3
+
+safe to calculate in UINT32, using UINT32 for
+
+ Index * 2 + 2 (with (Index == BinLength))
+
+is safe too. Consistently using UINT32 improves readability.
+
+This patch is best reviewed with "git show -W".
+
+The integer overflows that this patch fixes are theoretical; a subsequent
+patch in the series will audit the IScsiBinToHex() call sites, and show
+that none of them can fail.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-6-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiDxe.inf | 1 +
+ NetworkPkg/IScsiDxe/IScsiImpl.h | 1 +
+ NetworkPkg/IScsiDxe/IScsiMisc.c | 19 +++++++++++++++----
+ NetworkPkg/IScsiDxe/IScsiMisc.h | 1 +
+ 4 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf
+index 543c408302..1dde56d00c 100644
+--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf
++++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf
+@@ -74,6 +74,7 @@
+ MemoryAllocationLib
+ NetLib
+ PrintLib
++ SafeIntLib
+ TcpIoLib
+ UefiBootServicesTableLib
+ UefiDriverEntryPoint
+diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h
+index d895c7feb9..ac3a25730e 100644
+--- a/NetworkPkg/IScsiDxe/IScsiImpl.h
++++ b/NetworkPkg/IScsiDxe/IScsiImpl.h
+@@ -44,6 +44,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/NetLib.h>
+ #include <Library/PrintLib.h>
++#include <Library/SafeIntLib.h>
+ #include <Library/TcpIoLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+ #include <Library/UefiHiiServicesLib.h>
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
+index b8fef3ff6f..42988e15cb 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
+@@ -316,6 +316,7 @@ IScsiMacAddrToStr (
+ @retval EFI_SUCCESS The binary data is converted to the hexadecimal string
+ and the length of the string is updated.
+ @retval EFI_BUFFER_TOO_SMALL The string is too small.
++ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding.
+ @retval EFI_INVALID_PARAMETER The IP string is malformatted.
+
+ **/
+@@ -327,18 +328,28 @@ IScsiBinToHex (
+ IN OUT UINT32 *HexLength
+ )
+ {
+- UINTN Index;
++ UINT32 HexLengthMin;
++ UINT32 HexLengthProvided;
++ UINT32 Index;
+
+ if ((HexStr == NULL) || (BinBuffer == NULL) || (BinLength == 0)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+- if (((*HexLength) - 3) < BinLength * 2) {
+- *HexLength = BinLength * 2 + 3;
++ //
++ // Safely calculate: HexLengthMin := BinLength * 2 + 3.
++ //
++ if (RETURN_ERROR (SafeUint32Mult (BinLength, 2, &HexLengthMin)) ||
++ RETURN_ERROR (SafeUint32Add (HexLengthMin, 3, &HexLengthMin))) {
++ return EFI_BAD_BUFFER_SIZE;
++ }
++
++ HexLengthProvided = *HexLength;
++ *HexLength = HexLengthMin;
++ if (HexLengthProvided < HexLengthMin) {
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+- *HexLength = BinLength * 2 + 3;
+ //
+ // Prefix for Hex String.
+ //
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
+index 46c725aab3..231413993b 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
+@@ -150,6 +150,7 @@ IScsiAsciiStrToIp (
+ @retval EFI_SUCCESS The binary data is converted to the hexadecimal string
+ and the length of the string is updated.
+ @retval EFI_BUFFER_TOO_SMALL The string is too small.
++ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding.
+ @retval EFI_INVALID_PARAMETER The IP string is malformatted.
+
+ **/
+--
+2.27.0
+
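Review bot: The rewritten IScsiBinToHex reads and writes through `HexLength` (`HexLengthProvided = *HexLength; *HexLength = HexLengthMin;`), but the parameter check at the top of the function only covers `HexStr`, `BinBuffer` and `BinLength`. Since that guard is already being kept, it should cover the pointer too: `if ((HexStr == NULL) || (BinBuffer == NULL) || (HexLength == NULL) || (BinLength == 0)) {`. The header comment next to the new `EFI_BAD_BUFFER_SIZE` line still says `@retval EFI_INVALID_PARAMETER The IP string is malformatted.`, which does not describe the NULL and zero-length checks this function actually performs. That line should be corrected in both IScsiMisc.c and IScsiMisc.h. The function body continues past the end of the embedded hunk.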
diff --git a/0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch b/0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch
new file mode 100644
index 0000000..82c659e
--- /dev/null
+++ b/0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch
@@ -0,0 +1,88 @@
+From d90fff40cb2502b627370a77f5608c8a178c3f78 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:55 +0200
+Subject: [PATCH 23/27] NetworkPkg/IScsiDxe: assert that IScsiBinToHex() always
+ succeeds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+IScsiBinToHex() is called for encoding:
+
+- the answer to the target's challenge; that is, CHAP_R;
+
+- the challenge for the target, in case mutual authentication is enabled;
+ that is, CHAP_C.
+
+The initiator controls the size of both blobs, the sizes of their hex
+encodings are correctly calculated in "RspLen" and "ChallengeLen".
+Therefore the IScsiBinToHex() calls never fail; assert that.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-7-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index 9e192ce292..dbe3c8ef46 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -391,6 +391,7 @@ IScsiCHAPToSendReq (
+ UINT32 RspLen;
+ CHAR8 *Challenge;
+ UINT32 ChallengeLen;
++ EFI_STATUS BinToHexStatus;
+
+ ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);
+
+@@ -471,12 +472,13 @@ IScsiCHAPToSendReq (
+ //
+ // CHAP_R=<R>
+ //
+- IScsiBinToHex (
+- (UINT8 *) AuthData->CHAPResponse,
+- ISCSI_CHAP_RSP_LEN,
+- Response,
+- &RspLen
+- );
++ BinToHexStatus = IScsiBinToHex (
++ (UINT8 *) AuthData->CHAPResponse,
++ ISCSI_CHAP_RSP_LEN,
++ Response,
++ &RspLen
++ );
++ ASSERT_EFI_ERROR (BinToHexStatus);
+ IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
+
+ if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
+@@ -490,12 +492,13 @@ IScsiCHAPToSendReq (
+ // CHAP_C=<C>
+ //
+ IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);
+- IScsiBinToHex (
+- (UINT8 *) AuthData->OutChallenge,
+- ISCSI_CHAP_RSP_LEN,
+- Challenge,
+- &ChallengeLen
+- );
++ BinToHexStatus = IScsiBinToHex (
++ (UINT8 *) AuthData->OutChallenge,
++ ISCSI_CHAP_RSP_LEN,
++ Challenge,
++ &ChallengeLen
++ );
++ ASSERT_EFI_ERROR (BinToHexStatus);
+ IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
+
+ Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
+--
+2.27.0
+
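Review bot: `ASSERT_EFI_ERROR (BinToHexStatus)` only checks anything in builds where assertions are enabled. With assertions compiled out, a failing IScsiBinToHex would still be followed by `IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response)` (and likewise for `Challenge`) on a buffer the conversion did not fill. The commit message argues the calls cannot fail because `RspLen` and `ChallengeLen` are sized correctly, but those assignments are outside the hunk, so the invariant is not visible at the call site. I would add a short comment above each assert, for example `// RspLen was computed for ISCSI_CHAP_RSP_LEN octets, so the conversion cannot fail.` If the module's convention allows it, an `if (EFI_ERROR (BinToHexStatus))` error path would keep the guard in release builds.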
diff --git a/0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch b/0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch
new file mode 100644
index 0000000..2a3f310
--- /dev/null
+++ b/0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch
@@ -0,0 +1,86 @@
+From dc469f137110fe79704b8b92c552972c739bb915 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:56 +0200
+Subject: [PATCH 24/27] NetworkPkg/IScsiDxe: reformat IScsiHexToBin() leading
+ comment block
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We'll need further return values for IScsiHexToBin() in a subsequent
+patch; make room for them in the leading comment block of the function.
+While at it, rewrap the comment block to 80 characters width.
+
+No functional changes.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-8-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiMisc.c | 16 ++++++++--------
+ NetworkPkg/IScsiDxe/IScsiMisc.h | 16 ++++++++--------
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
+index 42988e15cb..014700e87a 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
+@@ -370,14 +370,14 @@ IScsiBinToHex (
+ /**
+ Convert the hexadecimal string into a binary encoded buffer.
+
+- @param[in, out] BinBuffer The binary buffer.
+- @param[in, out] BinLength Length of the binary buffer.
+- @param[in] HexStr The hexadecimal string.
+-
+- @retval EFI_SUCCESS The hexadecimal string is converted into a binary
+- encoded buffer.
+- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.
+-
++ @param[in, out] BinBuffer The binary buffer.
++ @param[in, out] BinLength Length of the binary buffer.
++ @param[in] HexStr The hexadecimal string.
++
++ @retval EFI_SUCCESS The hexadecimal string is converted into a
++ binary encoded buffer.
++ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
++ converted data.
+ **/
+ EFI_STATUS
+ IScsiHexToBin (
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
+index 231413993b..28cf408cd5 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
+@@ -165,14 +165,14 @@ IScsiBinToHex (
+ /**
+ Convert the hexadecimal string into a binary encoded buffer.
+
+- @param[in, out] BinBuffer The binary buffer.
+- @param[in, out] BinLength Length of the binary buffer.
+- @param[in] HexStr The hexadecimal string.
+-
+- @retval EFI_SUCCESS The hexadecimal string is converted into a binary
+- encoded buffer.
+- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data.
+-
++ @param[in, out] BinBuffer The binary buffer.
++ @param[in, out] BinLength Length of the binary buffer.
++ @param[in] HexStr The hexadecimal string.
++
++ @retval EFI_SUCCESS The hexadecimal string is converted into a
++ binary encoded buffer.
++ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
++ converted data.
+ **/
+ EFI_STATUS
+ IScsiHexToBin (
+--
+2.27.0
+
diff --git a/0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch b/0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch
new file mode 100644
index 0000000..0996638
--- /dev/null
+++ b/0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch
@@ -0,0 +1,97 @@
+From 47b76780b487dbfde4efb6843b16064c4a97e94d Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:57 +0200
+Subject: [PATCH 25/27] NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The IScsiHexToBin() function has the following parser issues:
+
+(1) If the *subject sequence* in "HexStr" is empty, the function returns
+ EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should
+ be rejected.
+
+(2) The function mis-handles a "HexStr" that ends with a stray nibble. For
+ example, if "HexStr" is "0xABC", the function decodes it to the bytes
+ {0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns
+ EFI_SUCCESS. Such inputs should be rejected.
+
+(3) If an invalid hex char is found in "HexStr", the function treats it as
+ end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be
+ rejected.
+
+All of the above cases are remotely triggerable, as shown in a subsequent
+patch, which adds error checking to the IScsiHexToBin() call sites. While
+the initiator is not immediately compromised, incorrectly parsing CHAP_R
+from the target, in case of mutual authentication, is not great.
+
+Extend the interface contract of IScsiHexToBin() with
+EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement
+the new checks.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-9-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiMisc.c | 12 ++++++++++--
+ NetworkPkg/IScsiDxe/IScsiMisc.h | 1 +
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
+index 014700e87a..f0f4992b07 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
+@@ -376,6 +376,7 @@ IScsiBinToHex (
+
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
+ binary encoded buffer.
++ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
+ converted data.
+ **/
+@@ -402,14 +403,21 @@ IScsiHexToBin (
+
+ Length = AsciiStrLen (HexStr);
+
++ //
++ // Reject an empty hex string; reject a stray nibble.
++ //
++ if (Length == 0 || Length % 2 != 0) {
++ return EFI_INVALID_PARAMETER;
++ }
++
+ for (Index = 0; Index < Length; Index ++) {
+ TemStr[0] = HexStr[Index];
+ Digit = (UINT8) AsciiStrHexToUint64 (TemStr);
+ if (Digit == 0 && TemStr[0] != '0') {
+ //
+- // Invalid Lun Char.
++ // Invalid Hex Char.
+ //
+- break;
++ return EFI_INVALID_PARAMETER;
+ }
+ if ((Index & 1) == 0) {
+ BinBuffer [Index/2] = Digit;
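Review bot: The new `return EFI_INVALID_PARAMETER;` inside the loop fires after earlier iterations have already stored bytes into BinBuffer, so a rejected string leaves the caller's buffer partly overwritten. The @retval line added in this patch does not mention that. I would extend it in both IScsiMisc.c and IScsiMisc.h to `@retval EFI_INVALID_PARAMETER  Invalid hex encoding found in HexStr; BinBuffer may have been partially written.` so callers know not to use the buffer on that path. The rest of IScsiHexToBin(), including the prefix handling before `Length` is computed, lies outside the hunk.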
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
+index 28cf408cd5..404a482e57 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
+@@ -171,6 +171,7 @@ IScsiBinToHex (
+
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
+ binary encoded buffer.
++ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
+ converted data.
+ **/
+--
+2.27.0
+
diff --git a/0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch b/0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch
new file mode 100644
index 0000000..6c2861e
--- /dev/null
+++ b/0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch
@@ -0,0 +1,106 @@
+From 54e90edaed0d7c15230902ac4d74f4304bad2ebd Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:58 +0200
+Subject: [PATCH 26/27] NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer
+ overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return
+condition, but never actually checks whether the decoded buffer fits into
+the caller-provided room (i.e., the input value of "BinLength"), and
+EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can
+overflow "BinBuffer".
+
+This is remotely exploitable, as shown in a subsequent patch, which adds
+error checking to the IScsiHexToBin() call sites. This issue allows the
+target to compromise the initiator.
+
+Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent
+EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow,
+plus actually catch the buffer overflow.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210608121259.32451-10-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiMisc.c | 20 +++++++++++++++++---
+ NetworkPkg/IScsiDxe/IScsiMisc.h | 3 +++
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
+index f0f4992b07..4069547867 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
+@@ -377,6 +377,9 @@ IScsiBinToHex (
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
+ binary encoded buffer.
+ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
++ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding:
++ the decoded size cannot be expressed in
++ BinLength on output.
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
+ converted data.
+ **/
+@@ -387,6 +390,8 @@ IScsiHexToBin (
+ IN CHAR8 *HexStr
+ )
+ {
++ UINTN BinLengthMin;
++ UINT32 BinLengthProvided;
+ UINTN Index;
+ UINTN Length;
+ UINT8 Digit;
+@@ -409,6 +414,18 @@ IScsiHexToBin (
+ if (Length == 0 || Length % 2 != 0) {
+ return EFI_INVALID_PARAMETER;
+ }
++ //
++ // Check if the caller provides enough room for the decoded blob.
++ //
++ BinLengthMin = Length / 2;
++ if (BinLengthMin > MAX_UINT32) {
++ return EFI_BAD_BUFFER_SIZE;
++ }
++ BinLengthProvided = *BinLength;
++ *BinLength = (UINT32)BinLengthMin;
++ if (BinLengthProvided < BinLengthMin) {
++ return EFI_BUFFER_TOO_SMALL;
++ }
+
+ for (Index = 0; Index < Length; Index ++) {
+ TemStr[0] = HexStr[Index];
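Review bot: `*BinLength` is overwritten with the decoded size before the hex digits are validated, so if the loop later returns EFI_INVALID_PARAMETER the caller's length no longer holds the capacity it passed in. That is harmless for callers that check the status, but the function header still describes BinLength only as "Length of the binary buffer". I would document it as: on input the capacity of BinBuffer in bytes, on output the decoded size, meaningful for EFI_SUCCESS and EFI_BUFFER_TOO_SMALL only. A blank line between the closing brace of the parity check and the new comment block would also match the spacing used around the other checks in this function.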
+@@ -425,9 +442,6 @@ IScsiHexToBin (
+ BinBuffer [Index/2] = (UINT8) ((BinBuffer [Index/2] << 4) + Digit);
+ }
+ }
+-
+- *BinLength = (UINT32) ((Index + 1)/2);
+-
+ return EFI_SUCCESS;
+ }
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
+index 404a482e57..fddef4f466 100644
+--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
+@@ -172,6 +172,9 @@ IScsiBinToHex (
+ @retval EFI_SUCCESS The hexadecimal string is converted into a
+ binary encoded buffer.
+ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr.
++ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding:
++ the decoded size cannot be expressed in
++ BinLength on output.
+ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the
+ converted data.
+ **/
+--
+2.27.0
+
diff --git a/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
new file mode 100644
index 0000000..426abb9
--- /dev/null
+++ b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
@@ -0,0 +1,84 @@
+From b8649cf2a3e673a4a8cb6c255e394b354b771550 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 8 Jun 2021 14:12:59 +0200
+Subject: [PATCH 27/27] NetworkPkg/IScsiDxe: check IScsiHexToBin() return
+ values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+IScsiDxe (that is, the initiator) receives two hex-encoded strings from
+the iSCSI target:
+
+- CHAP_C, where the target challenges the initiator,
+
+- CHAP_R, where the target answers the challenge from the initiator (in
+ case the initiator wants mutual authentication).
+
+Accordingly, we have two IScsiHexToBin() call sites:
+
+- At the CHAP_C decoding site, check whether the decoding succeeds. The
+ decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes,
+ which is a permissible restriction on the target, per
+ <https://tools.ietf.org/html/rfc7143#section-12.1.3>. Shorter challenges
+ from the target are acceptable.
+
+- At the CHAP_R decoding site, enforce that the decoding both succeed, and
+ provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest
+ calculated by the target, therefore it must be of fixed size. We may
+ only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated.
+
+Cc: Jiaxin Wu <jiaxin.wu@intel.com>
+Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: Siyuan Fu <siyuan.fu@intel.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
+Message-Id: <20210608121259.32451-11-lersek@redhat.com>
+---
+ NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+index dbe3c8ef46..7e930c0d1e 100644
+--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
+@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived (
+
+ AuthData->InIdentifier = (UINT32) Result;
+ AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
+- IScsiHexToBin (
+- (UINT8 *) AuthData->InChallenge,
+- &AuthData->InChallengeLength,
+- Challenge
+- );
++ Status = IScsiHexToBin (
++ (UINT8 *) AuthData->InChallenge,
++ &AuthData->InChallengeLength,
++ Challenge
++ );
++ if (EFI_ERROR (Status)) {
++ Status = EFI_PROTOCOL_ERROR;
++ goto ON_EXIT;
++ }
+ Status = IScsiCHAPCalculateResponse (
+ AuthData->InIdentifier,
+ AuthData->AuthConfig->CHAPSecret,
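Review bot: Both new error paths replace the IScsiHexToBin() status with EFI_PROTOCOL_ERROR without recording it, so a debug log cannot tell an oversized CHAP_C from a malformed one, or a short CHAP_R from a bad digit (the CHAP_R site is in the next hunk). A message before the overwrite keeps that detail for triage, e.g. `DEBUG ((DEBUG_ERROR, "%a: CHAP_C decode failed: %r\n", __FUNCTION__, Status));`, assuming DebugLib is among the module's library classes. IScsiCHAPOnRspReceived() starts and ends outside the hunk, so whether ON_EXIT already logs Status is not visible here.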
+@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived (
+ }
+
+ RspLen = ISCSI_CHAP_RSP_LEN;
+- IScsiHexToBin (TargetRsp, &RspLen, Response);
++ Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
++ if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) {
++ Status = EFI_PROTOCOL_ERROR;
++ goto ON_EXIT;
++ }
+
+ //
+ // Check the CHAP Name and Response replied by Target.
+--
+2.27.0
+
diff --git a/0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch b/0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch
new file mode 100644
index 0000000..0917f11
--- /dev/null
+++ b/0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch
@@ -0,0 +1,982 @@
+From 306307df0e228c73f6ad38ef231db75c4a3478d1 Mon Sep 17 00:00:00 2001
+From: Dandan Bi <dandan.bi@intel.com>
+Date: Mon, 28 Jun 2021 19:50:22 +0800
+Subject: [PATCH] MdeModulePkg/FPDT: Lock boot performance table address
+ variable at EndOfDxe
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2957
+
+1. Allocate performance data table at EndOfDxe and then lock the varible
+ which store the table address at EndOfDxe.
+
+2. Enlarge PCD gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize
+ from 0x20000 to 0x30000 in order to hold the Delta performance data
+ between EndOfDxe and ReadyToBoot.
+
+3. SMM performance data is collected by DXE modules through SMM communication
+ at ReadyToBoot before.
+ Now to do SMM communication twice, one for allocating the performance
+ size at EndOfDxe, another is at ReadyToBoot to get SMM performance data.
+
+4. Make SmmCorePerformanceLib rather than FirmwarePerformanceSmm to communicate
+ with DxeCorePerformanceLib for SMM performance data and size.
+
+Cc: Liming Gao <gaoliming@byosoft.com.cn>
+Cc: Hao A Wu <hao.a.wu@intel.com>
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Signed-off-by: Dandan Bi <dandan.bi@intel.com>
+Reviewed-by: Hao A Wu <hao.a.wu@intel.com>
+Signed-off-by: Jinhua Cao <caojinhua1@huawei.com>
+---
+ .../DxeCorePerformanceLib.c | 132 +++++++++++----
+ .../DxeCorePerformanceLib.inf | 3 +-
+ .../SmmCorePerformanceLib.c | 142 ++++++++++++----
+ .../SmmCorePerformanceLib.inf | 5 +-
+ MdeModulePkg/MdeModulePkg.dec | 4 +-
+ .../FirmwarePerformanceDxe.c | 90 +++++++++--
+ .../FirmwarePerformanceDxe.inf | 6 +-
+ .../FirmwarePerformanceSmm.c | 151 +-----------------
+ .../FirmwarePerformanceSmm.inf | 4 +-
+ 9 files changed, 302 insertions(+), 235 deletions(-)
+
+diff --git a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c
+index f500e20b32..bcefac6b6c 100644
+--- a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c
++++ b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c
+@@ -10,7 +10,7 @@
+ This library is mainly used by DxeCore to start performance logging to ensure that
+ Performance Protocol is installed at the very beginning of DXE phase.
+
+-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved.<BR>
+ (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+@@ -64,7 +64,7 @@ UINT32 mLoadImageCount = 0;
+ UINT32 mPerformanceLength = 0;
+ UINT32 mMaxPerformanceLength = 0;
+ UINT32 mBootRecordSize = 0;
+-UINT32 mBootRecordMaxSize = 0;
++UINTN mBootRecordMaxSize = 0;
+ UINT32 mCachedLength = 0;
+
+ BOOLEAN mFpdtBufferIsReported = FALSE;
+@@ -205,25 +205,26 @@ IsKnownID (
+ }
+
+ /**
+- Allocate buffer for Boot Performance table.
++ This internal function dumps all the SMM performance data and size.
+
+- @return Status code.
++ @param SmmPerfData Smm Performance data. The buffer contain the SMM perf data is allocated by this function and caller needs to free it.
++ @param SmmPerfDataSize Smm Performance data size.
++ @param SkipGetPerfData Skip to get performance data, just get the size.
+
+ **/
+-EFI_STATUS
+-AllocateBootPerformanceTable (
++VOID
++InternalGetSmmPerfData (
++ OUT VOID **SmmPerfData,
++ OUT UINTN *SmmPerfDataSize,
++ IN BOOLEAN SkipGetPerfData
+ )
+ {
+ EFI_STATUS Status;
+- UINTN Size;
+ UINT8 *SmmBootRecordCommBuffer;
+ EFI_SMM_COMMUNICATE_HEADER *SmmCommBufferHeader;
+ SMM_BOOT_RECORD_COMMUNICATE *SmmCommData;
+ UINTN CommSize;
+- UINTN BootPerformanceDataSize;
+- UINT8 *BootPerformanceData;
+ EFI_SMM_COMMUNICATION_PROTOCOL *Communication;
+- FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable;
+ EDKII_PI_SMM_COMMUNICATION_REGION_TABLE *SmmCommRegionTable;
+ EFI_MEMORY_DESCRIPTOR *SmmCommMemRegion;
+ UINTN Index;
+@@ -237,7 +238,6 @@ AllocateBootPerformanceTable (
+ SmmBootRecordCommBuffer = NULL;
+ SmmCommData = NULL;
+ SmmBootRecordData = NULL;
+- SmmBootRecordDataSize = 0;
+ ReservedMemSize = 0;
+ Status = gBS->LocateProtocol (&gEfiSmmCommunicationProtocolGuid, NULL, (VOID **) &Communication);
+ if (!EFI_ERROR (Status)) {
+@@ -284,6 +284,10 @@ AllocateBootPerformanceTable (
+ Status = Communication->Communicate (Communication, SmmBootRecordCommBuffer, &CommSize);
+
+ if (!EFI_ERROR (Status) && !EFI_ERROR (SmmCommData->ReturnStatus) && SmmCommData->BootRecordSize != 0) {
++ if (SkipGetPerfData) {
++ *SmmPerfDataSize = SmmCommData->BootRecordSize;
++ return;
++ }
+ //
+ // Get all boot records
+ //
+@@ -305,19 +309,45 @@ AllocateBootPerformanceTable (
+ }
+ SmmCommData->BootRecordOffset = SmmCommData->BootRecordOffset + SmmCommData->BootRecordSize;
+ }
++ *SmmPerfData = SmmBootRecordData;
++ *SmmPerfDataSize = SmmBootRecordDataSize;
+ }
+ }
+ }
+ }
++}
++
++/**
++ Allocate buffer for Boot Performance table.
++
++ @return Status code.
++
++**/
++EFI_STATUS
++AllocateBootPerformanceTable (
++ VOID
++ )
++{
++ EFI_STATUS Status;
++ UINTN Size;
++ UINTN BootPerformanceDataSize;
++ UINT8 *BootPerformanceData;
++ FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable;
++ UINTN SmmBootRecordDataSize;
++
++ SmmBootRecordDataSize = 0;
++
++ //
++ // Get SMM performance data size at the point of EndOfDxe in order to allocate the boot performance table.
++ // Will Get all the data at ReadyToBoot.
++ //
++ InternalGetSmmPerfData (NULL, &SmmBootRecordDataSize, TRUE);
+
+ //
+ // Prepare memory for Boot Performance table.
+ // Boot Performance table includes BasicBoot record, and one or more appended Boot Records.
+ //
+- BootPerformanceDataSize = sizeof (BOOT_PERFORMANCE_TABLE) + mPerformanceLength + PcdGet32 (PcdExtFpdtBootRecordPadSize);
+- if (SmmCommData != NULL && SmmBootRecordData != NULL) {
+- BootPerformanceDataSize += SmmBootRecordDataSize;
+- }
++ BootPerformanceDataSize = sizeof (BOOT_PERFORMANCE_TABLE) + mPerformanceLength + SmmBootRecordDataSize + PcdGet32 (PcdExtFpdtBootRecordPadSize);
+
+ //
+ // Try to allocate the same runtime buffer as last time boot.
+@@ -358,9 +388,6 @@ AllocateBootPerformanceTable (
+ DEBUG ((DEBUG_INFO, "DxeCorePerformanceLib: ACPI Boot Performance Table address = 0x%x\n", mAcpiBootPerformanceTable));
+
+ if (mAcpiBootPerformanceTable == NULL) {
+- if (SmmCommData != NULL && SmmBootRecordData != NULL) {
+- FreePool (SmmBootRecordData);
+- }
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+@@ -385,19 +412,10 @@ AllocateBootPerformanceTable (
+ mPerformanceLength = 0;
+ mMaxPerformanceLength = 0;
+ }
+- if (SmmCommData != NULL && SmmBootRecordData != NULL) {
+- //
+- // Fill Boot records from SMM drivers.
+- //
+- CopyMem (BootPerformanceData, SmmBootRecordData, SmmBootRecordDataSize);
+- FreePool (SmmBootRecordData);
+- mAcpiBootPerformanceTable->Header.Length = (UINT32) (mAcpiBootPerformanceTable->Header.Length + SmmBootRecordDataSize);
+- BootPerformanceData = BootPerformanceData + SmmBootRecordDataSize;
+- }
+
+ mBootRecordBuffer = (UINT8 *) mAcpiBootPerformanceTable;
+ mBootRecordSize = mAcpiBootPerformanceTable->Header.Length;
+- mBootRecordMaxSize = mBootRecordSize + PcdGet32 (PcdExtFpdtBootRecordPadSize);
++ mBootRecordMaxSize = BootPerformanceDataSize;
+
+ return EFI_SUCCESS;
+ }
+@@ -1336,6 +1354,47 @@ ReportFpdtRecordBuffer (
+ }
+ }
+
++/**
++ Update Boot Performance table.
++
++ @param Event The event of notify protocol.
++ @param Context Notify event context.
++
++**/
++VOID
++EFIAPI
++UpdateBootPerformanceTable (
++ IN EFI_EVENT Event,
++ IN VOID *Context
++ )
++{
++ VOID *SmmBootRecordData;
++ UINTN SmmBootRecordDataSize;
++ UINTN AppendSize;
++ UINT8 *FirmwarePerformanceTablePtr;
++
++ //
++ // Get SMM performance data.
++ //
++ SmmBootRecordData = NULL;
++ InternalGetSmmPerfData (&SmmBootRecordData, &SmmBootRecordDataSize, FALSE);
++
++ FirmwarePerformanceTablePtr = (UINT8 *) mAcpiBootPerformanceTable + mAcpiBootPerformanceTable->Header.Length;
++
++ if (mAcpiBootPerformanceTable->Header.Length + SmmBootRecordDataSize > mBootRecordMaxSize) {
++ DEBUG ((DEBUG_INFO, "DxeCorePerformanceLib: No enough space to save all SMM boot performance data\n"));
++ AppendSize = mBootRecordMaxSize - mAcpiBootPerformanceTable->Header.Length;
++ } else {
++ AppendSize = SmmBootRecordDataSize;
++ }
++ if (SmmBootRecordData != NULL) {
++ CopyMem (FirmwarePerformanceTablePtr, SmmBootRecordData, AppendSize);
++ mAcpiBootPerformanceTable->Header.Length += (UINT32) AppendSize;
++ mBootRecordSize += (UINT32) AppendSize;
++ FreePool (SmmBootRecordData);
++ }
++}
++
+ /**
+ The constructor function initializes Performance infrastructure for DXE phase.
+
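Review bot: SmmBootRecordDataSize is read in the size comparison of UpdateBootPerformanceTable() without having been assigned whenever InternalGetSmmPerfData() takes a failure path, because that function returns VOID and writes its outputs only after a successful Communicate() call. mAcpiBootPerformanceTable is also dereferenced unconditionally, although AllocateBootPerformanceTable() can return EFI_OUT_OF_RESOURCES and leave it NULL. Initialising the size to 0 and returning early when there is no SMM data or no table avoids both. The AppendSize subtraction additionally assumes Header.Length never exceeds mBootRecordMaxSize, which this hunk does not show being enforced.

```c
  SmmBootRecordData     = NULL;
  SmmBootRecordDataSize = 0;
  InternalGetSmmPerfData (&SmmBootRecordData, &SmmBootRecordDataSize, FALSE);
  if (SmmBootRecordData == NULL) {
    //
    // Nothing was fetched from SMM; leave the table untouched.
    //
    return;
  }
  if (mAcpiBootPerformanceTable == NULL) {
    //
    // The EndOfDxe allocation did not succeed; there is nowhere to append.
    //
    FreePool (SmmBootRecordData);
    return;
  }

  // ... unchanged: FirmwarePerformanceTablePtr and AppendSize computation ...
  // ... unchanged: CopyMem, Header.Length / mBootRecordSize updates, FreePool ...
```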
+@@ -1358,6 +1417,7 @@ DxeCorePerformanceLibConstructor (
+ {
+ EFI_STATUS Status;
+ EFI_HANDLE Handle;
++ EFI_EVENT EndOfDxeEvent;
+ EFI_EVENT ReadyToBootEvent;
+ PERFORMANCE_PROPERTY *PerformanceProperty;
+
+@@ -1386,13 +1446,25 @@ DxeCorePerformanceLibConstructor (
+ ASSERT_EFI_ERROR (Status);
+
+ //
+- // Register ReadyToBoot event to report StatusCode data
++ // Register EndOfDxe event to allocate the boot performance table and report the table address through status code.
+ //
+ Status = gBS->CreateEventEx (
+ EVT_NOTIFY_SIGNAL,
+- TPL_CALLBACK,
++ TPL_NOTIFY,
+ ReportFpdtRecordBuffer,
+ NULL,
++ &gEfiEndOfDxeEventGroupGuid,
++ &EndOfDxeEvent
++ );
++
++ //
++ // Register ReadyToBoot event to update the boot performance table for SMM performance data.
++ //
++ Status = gBS->CreateEventEx (
++ EVT_NOTIFY_SIGNAL,
++ TPL_CALLBACK,
++ UpdateBootPerformanceTable,
++ NULL,
+ &gEfiEventReadyToBootGuid,
+ &ReadyToBootEvent
+ );
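Review bot: The Status returned by the new EndOfDxe CreateEventEx() call is overwritten by the ReadyToBoot registration that follows, without being checked. A failed EndOfDxe registration would therefore go unnoticed and ReportFpdtRecordBuffer would not run at that point. Adding `ASSERT_EFI_ERROR (Status);` directly after the first call matches the check used earlier in this constructor. The constructor continues outside the hunk, so any check after the second call is not visible here.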
+diff --git a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf
+index 1c1dcc60a6..599d4dea66 100644
+--- a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf
++++ b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf
+@@ -9,7 +9,7 @@
+ # This library is mainly used by DxeCore to start performance logging to ensure that
+ # Performance and PerformanceEx Protocol are installed at the very beginning of DXE phase.
+ #
+-# Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
++# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved.<BR>
+ # (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+@@ -67,6 +67,7 @@
+ gZeroGuid ## SOMETIMES_CONSUMES ## GUID
+ gEfiFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # StatusCode Data
+ gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_CONSUMES ## HOB # StatusCode Data
++ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event
+ gEfiEventReadyToBootGuid ## CONSUMES ## Event
+ gEdkiiPiSmmCommunicationRegionTableGuid ## SOMETIMES_CONSUMES ## SystemTable
+ gEdkiiPerformanceMeasurementProtocolGuid ## PRODUCES ## UNDEFINED # Install protocol
+diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
+index b4f22c14ae..d80f37e520 100644
+--- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
++++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
+@@ -16,7 +16,7 @@
+
+ SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive untrusted input and do basic validation.
+
+-Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ **/
+@@ -48,6 +48,7 @@ CHAR8 *mPlatformLanguage = NULL;
+ SPIN_LOCK mSmmFpdtLock;
+ PERFORMANCE_PROPERTY mPerformanceProperty;
+ UINT32 mCachedLength = 0;
++UINT32 mBootRecordSize = 0;
+
+ //
+ // Interfaces for SMM PerformanceMeasurement Protocol.
+@@ -776,41 +777,116 @@ InsertFpdtRecord (
+ }
+
+ /**
+- SmmReadyToBoot protocol notification event handler.
++ Communication service SMI Handler entry.
+
+- @param Protocol Points to the protocol's unique identifier
+- @param Interface Points to the interface instance
+- @param Handle The handle on which the interface was installed
++ This SMI handler provides services for report MM boot records.
+
+- @retval EFI_SUCCESS SmmReadyToBootCallback runs successfully
++ Caution: This function may receive untrusted input.
++ Communicate buffer and buffer size are external input, so this function will do basic validation.
++
++ @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
++ @param[in] RegisterContext Points to an optional handler context which was specified when the
++ handler was registered.
++ @param[in, out] CommBuffer A pointer to a collection of data in memory that will
++ be conveyed from a non-MM environment into an MM environment.
++ @param[in, out] CommBufferSize The size of the CommBuffer.
++
++ @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers
++ should still be called.
++ @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should
++ still be called.
++ @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still
++ be called.
++ @retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.
+
+ **/
+ EFI_STATUS
+ EFIAPI
+-SmmReportFpdtRecordData (
+- IN CONST EFI_GUID *Protocol,
+- IN VOID *Interface,
+- IN EFI_HANDLE Handle
++FpdtSmiHandler (
++ IN EFI_HANDLE DispatchHandle,
++ IN CONST VOID *RegisterContext,
++ IN OUT VOID *CommBuffer,
++ IN OUT UINTN *CommBufferSize
+ )
+ {
+- UINT64 SmmBPDTddr;
+-
+- if (!mFpdtDataIsReported && mSmmBootPerformanceTable != NULL) {
+- SmmBPDTddr = (UINT64)(UINTN)mSmmBootPerformanceTable;
+- REPORT_STATUS_CODE_EX (
+- EFI_PROGRESS_CODE,
+- EFI_SOFTWARE_SMM_DRIVER,
+- 0,
+- NULL,
+- &gEdkiiFpdtExtendedFirmwarePerformanceGuid,
+- &SmmBPDTddr,
+- sizeof (UINT64)
++ EFI_STATUS Status;
++ SMM_BOOT_RECORD_COMMUNICATE *SmmCommData;
++ UINTN BootRecordOffset;
++ UINTN BootRecordSize;
++ VOID *BootRecordData;
++ UINTN TempCommBufferSize;
++ UINT8 *BootRecordBuffer;
++
++ //
++ // If input is invalid, stop processing this SMI
++ //
++ if (CommBuffer == NULL || CommBufferSize == NULL) {
++ return EFI_SUCCESS;
++ }
++
++ TempCommBufferSize = *CommBufferSize;
++
++ if(TempCommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) {
++ return EFI_SUCCESS;
++ }
++
++ if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
++ DEBUG ((DEBUG_ERROR, "FpdtSmiHandler: MM communication data buffer in MMRAM or overflow!\n"));
++ return EFI_SUCCESS;
++ }
++
++ SmmCommData = (SMM_BOOT_RECORD_COMMUNICATE*)CommBuffer;
++
++ Status = EFI_SUCCESS;
++
++ switch (SmmCommData->Function) {
++ case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_SIZE :
++ if (mSmmBootPerformanceTable != NULL) {
++ mBootRecordSize = mSmmBootPerformanceTable->Header.Length - sizeof (SMM_BOOT_PERFORMANCE_TABLE);
++ }
++ SmmCommData->BootRecordSize = mBootRecordSize;
++ break;
++
++ case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA :
++ Status = EFI_UNSUPPORTED;
++ break;
++
++ case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET :
++ BootRecordOffset = SmmCommData->BootRecordOffset;
++ BootRecordData = SmmCommData->BootRecordData;
++ BootRecordSize = SmmCommData->BootRecordSize;
++ if (BootRecordData == NULL || BootRecordOffset >= mBootRecordSize) {
++ Status = EFI_INVALID_PARAMETER;
++ break;
++ }
++
++ //
++ // Sanity check
++ //
++ if (BootRecordSize > mBootRecordSize - BootRecordOffset) {
++ BootRecordSize = mBootRecordSize - BootRecordOffset;
++ }
++ SmmCommData->BootRecordSize = BootRecordSize;
++ if (!SmmIsBufferOutsideSmmValid ((UINTN)BootRecordData, BootRecordSize)) {
++ DEBUG ((DEBUG_ERROR, "FpdtSmiHandler: MM Data buffer in MMRAM or overflow!\n"));
++ Status = EFI_ACCESS_DENIED;
++ break;
++ }
++ BootRecordBuffer = ((UINT8 *) (mSmmBootPerformanceTable)) + sizeof (SMM_BOOT_PERFORMANCE_TABLE);
++ CopyMem (
++ (UINT8*)BootRecordData,
++ BootRecordBuffer + BootRecordOffset,
++ BootRecordSize
+ );
+- //
+- // Set FPDT report state to TRUE.
+- //
+- mFpdtDataIsReported = TRUE;
++ mFpdtDataIsReported = TRUE;
++ break;
++
++ default:
++ Status = EFI_UNSUPPORTED;
+ }
++
++ SmmCommData->ReturnStatus = Status;
++
+ return EFI_SUCCESS;
+ }
+
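Review bot: The SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET case in FpdtSmiHandler() depends on state that only the GET_BOOT_RECORD_SIZE case sets: mBootRecordSize stays 0 until a size request has been served, and the guard against a NULL mSmmBootPerformanceTable is implicit in that. The coupling deserves a comment at the top of the case, e.g. `// mBootRecordSize is refreshed only by GET_BOOT_RECORD_SIZE; while it is 0 every offset is rejected, which also covers a NULL table.` It would also help to state why BootRecordOffset, BootRecordData and BootRecordSize are copied into locals before validation: the communicate buffer lies outside SMRAM, so its fields can change between a check and a later read.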
+@@ -830,8 +906,8 @@ InitializeSmmCorePerformanceLib (
+ )
+ {
+ EFI_HANDLE Handle;
++ EFI_HANDLE SmiHandle;
+ EFI_STATUS Status;
+- VOID *SmmReadyToBootRegistration;
+ PERFORMANCE_PROPERTY *PerformanceProperty;
+
+ //
+@@ -851,11 +927,13 @@ InitializeSmmCorePerformanceLib (
+ );
+ ASSERT_EFI_ERROR (Status);
+
+- Status = gSmst->SmmRegisterProtocolNotify (
+- &gEdkiiSmmReadyToBootProtocolGuid,
+- SmmReportFpdtRecordData,
+- &SmmReadyToBootRegistration
+- );
++ //
++ // Register SMI handler.
++ //
++ SmiHandle = NULL;
++ Status = gSmst->SmiHandlerRegister (FpdtSmiHandler, &gEfiFirmwarePerformanceGuid, &SmiHandle);
++ ASSERT_EFI_ERROR (Status);
++
+ Status = EfiGetSystemConfigurationTable (&gPerformanceProtocolGuid, (VOID **) &PerformanceProperty);
+ if (EFI_ERROR (Status)) {
+ //
+diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf
+index 6b013b8557..9eecc4b58c 100644
+--- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf
++++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf
+@@ -8,7 +8,7 @@
+ # This library is mainly used by SMM Core to start performance logging to ensure that
+ # SMM Performance and PerformanceEx Protocol are installed at the very beginning of SMM phase.
+ #
+-# Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
++# Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.<BR>
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+ ##
+@@ -58,14 +58,13 @@
+
+ [Protocols]
+ gEfiSmmBase2ProtocolGuid ## CONSUMES
+- gEdkiiSmmReadyToBootProtocolGuid ## NOTIFY
+
+ [Guids]
+ ## PRODUCES ## SystemTable
+ gPerformanceProtocolGuid
+- gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # StatusCode Data
+ gZeroGuid ## SOMETIMES_CONSUMES ## GUID
+ gEdkiiSmmPerformanceMeasurementProtocolGuid ## PRODUCES ## UNDEFINED # Install protocol
++ gEfiFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # SmiHandlerRegister
+
+ [Pcd]
+ gEfiMdePkgTokenSpaceGuid.PcdPerformanceLibraryPropertyMask ## CONSUMES
+diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
+index 5d9e2b8d3d..b139f1668c 100644
+--- a/MdeModulePkg/MdeModulePkg.dec
++++ b/MdeModulePkg/MdeModulePkg.dec
+@@ -1822,9 +1822,9 @@
+ gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosEntryPointProvideMethod|0x3|UINT32|0x00010069
+
+ ## This PCD specifies the additional pad size in FPDT Basic Boot Performance Table for
+- # the extension FPDT boot records received after ReadyToBoot and before ExitBootService.
++ # the extension FPDT boot records received after EndOfDxe and before ExitBootService.
+ # @Prompt Pad size for extension FPDT boot records.
+- gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize|0x20000|UINT32|0x0001005F
++ gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize|0x30000|UINT32|0x0001005F
+
+ ## Indicates if ConIn device are connected on demand.<BR><BR>
+ # TRUE - ConIn device are not connected during BDS and ReadKeyStroke/ReadKeyStrokeEx produced
+diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c
+index 61a7704b37..68755554ad 100644
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c
+@@ -5,7 +5,7 @@
+ for Firmware Basic Boot Performance Record and other boot performance records,
+ and install FPDT to ACPI table.
+
+- Copyright (c) 2011 - 2019, Intel Corporation. All rights reserved.<BR>
++ Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ **/
+@@ -16,6 +16,7 @@
+ #include <Protocol/AcpiTable.h>
+ #include <Protocol/LockBox.h>
+ #include <Protocol/Variable.h>
++#include <Protocol/VariablePolicy.h>
+
+ #include <Guid/Acpi.h>
+ #include <Guid/FirmwarePerformance.h>
+@@ -32,6 +33,8 @@
+ #include <Library/HobLib.h>
+ #include <Library/LockBoxLib.h>
+ #include <Library/UefiLib.h>
++#include <Library/VariablePolicyHelperLib.h>
++#include <Library/PerformanceLib.h>
+
+ #define SMM_BOOT_RECORD_COMM_SIZE (OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + sizeof(SMM_BOOT_RECORD_COMMUNICATE))
+
+@@ -278,11 +281,12 @@ InstallFirmwarePerformanceDataTable (
+ VOID
+ )
+ {
+- EFI_STATUS Status;
+- EFI_ACPI_TABLE_PROTOCOL *AcpiTableProtocol;
+- UINTN BootPerformanceDataSize;
+- FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable;
+- UINTN Size;
++ EFI_STATUS Status;
++ EFI_ACPI_TABLE_PROTOCOL *AcpiTableProtocol;
++ UINTN BootPerformanceDataSize;
++ FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable;
++ UINTN Size;
++ EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicyProtocol;
+
+ //
+ // Get AcpiTable Protocol.
+@@ -292,6 +296,14 @@ InstallFirmwarePerformanceDataTable (
+ return Status;
+ }
+
++ //
++ // Get VariablePolicy Protocol.
++ //
++ Status = gBS->LocateProtocol(&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicyProtocol);
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
++
+ if (mReceivedAcpiBootPerformanceTable != NULL) {
+ mAcpiBootPerformanceTable = mReceivedAcpiBootPerformanceTable;
+ mAcpiBootPerformanceTable->BasicBoot.ResetEnd = mBootPerformanceTableTemplate.BasicBoot.ResetEnd;
+@@ -369,6 +381,24 @@ InstallFirmwarePerformanceDataTable (
+ &PerformanceVariable
+ );
+
++ //
++ // Lock the variable which stores the Performance Table pointers.
++ //
++ Status = RegisterBasicVariablePolicy (
++ VariablePolicyProtocol,
++ &gEfiFirmwarePerformanceGuid,
++ EFI_FIRMWARE_PERFORMANCE_VARIABLE_NAME,
++ VARIABLE_POLICY_NO_MIN_SIZE,
++ VARIABLE_POLICY_NO_MAX_SIZE,
++ VARIABLE_POLICY_NO_MUST_ATTR,
++ VARIABLE_POLICY_NO_CANT_ATTR,
++ VARIABLE_POLICY_TYPE_LOCK_NOW
++ );
++ if (EFI_ERROR(Status)) {
++ DEBUG((DEBUG_ERROR, "[FirmwarePerformanceDxe] Error when lock variable %s, Status = %r\n", EFI_FIRMWARE_PERFORMANCE_VARIABLE_NAME, Status));
++ ASSERT_EFI_ERROR(Status);
++ }
++
+ //
+ // Publish Firmware Performance Data Table.
+ //
+@@ -501,18 +531,12 @@ FpdtStatusCodeListenerDxe (
+ DEBUG ((EFI_D_INFO, "FPDT: Boot Performance - OsLoaderStartImageStart = %ld\n", mAcpiBootPerformanceTable->BasicBoot.OsLoaderStartImageStart));
+ DEBUG ((EFI_D_INFO, "FPDT: Boot Performance - ExitBootServicesEntry = 0\n"));
+ DEBUG ((EFI_D_INFO, "FPDT: Boot Performance - ExitBootServicesExit = 0\n"));
+- } else if (Value == (EFI_SOFTWARE_DXE_BS_DRIVER | EFI_SW_DXE_BS_PC_READY_TO_BOOT_EVENT)) {
+- if (mAcpiBootPerformanceTable == NULL) {
+- //
+- // ACPI Firmware Performance Data Table not installed yet, install it now.
+- //
+- InstallFirmwarePerformanceDataTable ();
+- }
+ } else if (Data != NULL && CompareGuid (&Data->Type, &gEdkiiFpdtExtendedFirmwarePerformanceGuid)) {
+ //
+ // Get the Boot performance table and then install it to ACPI table.
+ //
+ CopyMem (&mReceivedAcpiBootPerformanceTable, Data + 1, Data->Size);
++ InstallFirmwarePerformanceDataTable ();
+ } else if (Data != NULL && CompareGuid (&Data->Type, &gEfiFirmwarePerformanceGuid)) {
+ DEBUG ((DEBUG_ERROR, "FpdtStatusCodeListenerDxe: Performance data reported through gEfiFirmwarePerformanceGuid will not be collected by FirmwarePerformanceDataTableDxe\n"));
+ Status = EFI_UNSUPPORTED;
+@@ -526,6 +550,32 @@ FpdtStatusCodeListenerDxe (
+ return Status;
+ }
+
++/**
++ Notify function for event EndOfDxe.
++
++ This is used to install ACPI Firmware Performance Data Table for basic boot records.
++
++ @param[in] Event The Event that is being processed.
++ @param[in] Context The Event Context.
++
++**/
++VOID
++EFIAPI
++FpdtEndOfDxeEventNotify (
++ IN EFI_EVENT Event,
++ IN VOID *Context
++ )
++{
++ //
++ // When performance is enabled, the FPDT will be installed when DxeCorePerformanceLib report the data to FimwarePerformanceDxe.
++ // This is used to install the FPDT for the basic boot recods when performance infrastructure is not enabled.
++ //
++ if ((PcdGet8(PcdPerformanceLibraryPropertyMask) & PERFORMANCE_LIBRARY_PROPERTY_MEASUREMENT_ENABLED) != 0) {
++ return;
++ }
++ ASSERT (mReceivedAcpiBootPerformanceTable == NULL);
++ InstallFirmwarePerformanceDataTable ();
++}
+
+ /**
+ Notify function for event EVT_SIGNAL_EXIT_BOOT_SERVICES. This is used to record
+@@ -596,6 +646,7 @@ FirmwarePerformanceDxeEntryPoint (
+ FIRMWARE_SEC_PERFORMANCE *Performance;
+ VOID *Registration;
+ UINT64 OemTableId;
++ EFI_EVENT EndOfDxeEvent;
+
+ CopyMem (
+ mFirmwarePerformanceTableTemplate.Header.OemId,
+@@ -620,6 +671,19 @@ FirmwarePerformanceDxeEntryPoint (
+ Status = mRscHandlerProtocol->Register (FpdtStatusCodeListenerDxe, TPL_HIGH_LEVEL);
+ ASSERT_EFI_ERROR (Status);
+
++ //
++ // Register the notify function to install FPDT at EndOfDxe.
++ //
++ Status = gBS->CreateEventEx (
++ EVT_NOTIFY_SIGNAL,
++ TPL_NOTIFY,
++ FpdtEndOfDxeEventNotify,
++ NULL,
++ &gEfiEndOfDxeEventGroupGuid,
++ &EndOfDxeEvent
++ );
++ ASSERT_EFI_ERROR (Status);
++
+ //
+ // Register the notify function to update FPDT on ExitBootServices Event.
+ //
+diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf
+index 1debb0193e..0411a22e66 100644
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf
+@@ -5,7 +5,7 @@
+ # for Firmware Basic Boot Performance Record and other boot performance records,
+ # and install FPDT to ACPI table.
+ #
+-# Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
++# Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.<BR>
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+ ##
+@@ -46,12 +46,14 @@
+ HobLib
+ LockBoxLib
+ UefiLib
++ VariablePolicyHelperLib
+
+ [Protocols]
+ gEfiAcpiTableProtocolGuid ## CONSUMES
+ gEfiRscHandlerProtocolGuid ## CONSUMES
+ gEfiVariableArchProtocolGuid ## CONSUMES
+ gEfiLockBoxProtocolGuid ## CONSUMES
++ gEdkiiVariablePolicyProtocolGuid ## CONSUMES
+
+ [Guids]
+ gEfiEventExitBootServicesGuid ## CONSUMES ## Event
+@@ -63,6 +65,7 @@
+ gEfiFirmwarePerformanceGuid
+ gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_CONSUMES ## UNDEFINED # StatusCode Data
+ gFirmwarePerformanceS3PointerGuid ## PRODUCES ## UNDEFINED # SaveLockBox
++ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event
+
+ [Pcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdProgressCodeOsLoaderLoad ## CONSUMES
+@@ -72,6 +75,7 @@
+ gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemRevision ## CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorId ## CONSUMES
+ gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorRevision ## CONSUMES
++ gEfiMdePkgTokenSpaceGuid.PcdPerformanceLibraryPropertyMask ## CONSUMES
+
+ [FeaturePcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwarePerformanceDataTableS3Support ## CONSUMES
+diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
+index d6c6e7693e..dbd9fe1842 100644
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c
+@@ -11,7 +11,7 @@
+
+ FpdtSmiHandler() will receive untrusted input and do basic validation.
+
+- Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
++ Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ **/
+@@ -29,21 +29,12 @@
+ #include <Library/LockBoxLib.h>
+ #include <Library/PcdLib.h>
+ #include <Library/BaseMemoryLib.h>
+-#include <Library/MemoryAllocationLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+-#include <Library/SynchronizationLib.h>
+ #include <Library/SmmMemLib.h>
+
+-SMM_BOOT_PERFORMANCE_TABLE *mSmmBootPerformanceTable = NULL;
+-
+ EFI_SMM_RSC_HANDLER_PROTOCOL *mRscHandlerProtocol = NULL;
+ UINT64 mSuspendStartTime = 0;
+ BOOLEAN mS3SuspendLockBoxSaved = FALSE;
+-UINT32 mBootRecordSize = 0;
+-UINT8 *mBootRecordBuffer = NULL;
+-
+-SPIN_LOCK mSmmFpdtLock;
+-BOOLEAN mSmramIsOutOfResource = FALSE;
+
+ /**
+ Report status code listener for SMM. This is used to record the performance
+@@ -85,21 +76,6 @@ FpdtStatusCodeListenerSmm (
+ return EFI_UNSUPPORTED;
+ }
+
+- //
+- // Collect one or more Boot records in boot time
+- //
+- if (Data != NULL && CompareGuid (&Data->Type, &gEdkiiFpdtExtendedFirmwarePerformanceGuid)) {
+- AcquireSpinLock (&mSmmFpdtLock);
+- //
+- // Get the boot performance data.
+- //
+- CopyMem (&mSmmBootPerformanceTable, Data + 1, Data->Size);
+- mBootRecordBuffer = ((UINT8 *) (mSmmBootPerformanceTable)) + sizeof (SMM_BOOT_PERFORMANCE_TABLE);
+-
+- ReleaseSpinLock (&mSmmFpdtLock);
+- return EFI_SUCCESS;
+- }
+-
+ if (Data != NULL && CompareGuid (&Data->Type, &gEfiFirmwarePerformanceGuid)) {
+ DEBUG ((DEBUG_ERROR, "FpdtStatusCodeListenerSmm: Performance data reported through gEfiFirmwarePerformanceGuid will not be collected by FirmwarePerformanceDataTableSmm\n"));
+ return EFI_UNSUPPORTED;
+@@ -154,118 +130,6 @@ FpdtStatusCodeListenerSmm (
+ return EFI_SUCCESS;
+ }
+
+-/**
+- Communication service SMI Handler entry.
+-
+- This SMI handler provides services for report SMM boot records.
+-
+- Caution: This function may receive untrusted input.
+- Communicate buffer and buffer size are external input, so this function will do basic validation.
+-
+- @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
+- @param[in] RegisterContext Points to an optional handler context which was specified when the
+- handler was registered.
+- @param[in, out] CommBuffer A pointer to a collection of data in memory that will
+- be conveyed from a non-SMM environment into an SMM environment.
+- @param[in, out] CommBufferSize The size of the CommBuffer.
+-
+- @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers
+- should still be called.
+- @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should
+- still be called.
+- @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still
+- be called.
+- @retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.
+-
+-**/
+-EFI_STATUS
+-EFIAPI
+-FpdtSmiHandler (
+- IN EFI_HANDLE DispatchHandle,
+- IN CONST VOID *RegisterContext,
+- IN OUT VOID *CommBuffer,
+- IN OUT UINTN *CommBufferSize
+- )
+-{
+- EFI_STATUS Status;
+- SMM_BOOT_RECORD_COMMUNICATE *SmmCommData;
+- UINTN BootRecordOffset;
+- UINTN BootRecordSize;
+- VOID *BootRecordData;
+- UINTN TempCommBufferSize;
+-
+- //
+- // If input is invalid, stop processing this SMI
+- //
+- if (CommBuffer == NULL || CommBufferSize == NULL) {
+- return EFI_SUCCESS;
+- }
+-
+- TempCommBufferSize = *CommBufferSize;
+-
+- if(TempCommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) {
+- return EFI_SUCCESS;
+- }
+-
+- if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
+- DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM communication data buffer in SMRAM or overflow!\n"));
+- return EFI_SUCCESS;
+- }
+-
+- SmmCommData = (SMM_BOOT_RECORD_COMMUNICATE*)CommBuffer;
+-
+- Status = EFI_SUCCESS;
+-
+- switch (SmmCommData->Function) {
+- case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_SIZE :
+- if (mSmmBootPerformanceTable != NULL) {
+- mBootRecordSize = mSmmBootPerformanceTable->Header.Length - sizeof (SMM_BOOT_PERFORMANCE_TABLE);
+- }
+- SmmCommData->BootRecordSize = mBootRecordSize;
+- break;
+-
+- case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA :
+- Status = EFI_UNSUPPORTED;
+- break;
+-
+- case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET :
+- BootRecordOffset = SmmCommData->BootRecordOffset;
+- BootRecordData = SmmCommData->BootRecordData;
+- BootRecordSize = SmmCommData->BootRecordSize;
+- if (BootRecordData == NULL || BootRecordOffset >= mBootRecordSize) {
+- Status = EFI_INVALID_PARAMETER;
+- break;
+- }
+-
+- //
+- // Sanity check
+- //
+- if (BootRecordSize > mBootRecordSize - BootRecordOffset) {
+- BootRecordSize = mBootRecordSize - BootRecordOffset;
+- }
+- SmmCommData->BootRecordSize = BootRecordSize;
+- if (!SmmIsBufferOutsideSmmValid ((UINTN)BootRecordData, BootRecordSize)) {
+- DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM Data buffer in SMRAM or overflow!\n"));
+- Status = EFI_ACCESS_DENIED;
+- break;
+- }
+-
+- CopyMem (
+- (UINT8*)BootRecordData,
+- mBootRecordBuffer + BootRecordOffset,
+- BootRecordSize
+- );
+- break;
+-
+- default:
+- Status = EFI_UNSUPPORTED;
+- }
+-
+- SmmCommData->ReturnStatus = Status;
+-
+- return EFI_SUCCESS;
+-}
+-
+ /**
+ The module Entry Point of the Firmware Performance Data Table SMM driver.
+
+@@ -284,12 +148,6 @@ FirmwarePerformanceSmmEntryPoint (
+ )
+ {
+ EFI_STATUS Status;
+- EFI_HANDLE Handle;
+-
+- //
+- // Initialize spin lock
+- //
+- InitializeSpinLock (&mSmmFpdtLock);
+
+ //
+ // Get SMM Report Status Code Handler Protocol.
+@@ -307,12 +165,5 @@ FirmwarePerformanceSmmEntryPoint (
+ Status = mRscHandlerProtocol->Register (FpdtStatusCodeListenerSmm);
+ ASSERT_EFI_ERROR (Status);
+
+- //
+- // Register SMI handler.
+- //
+- Handle = NULL;
+- Status = gSmst->SmiHandlerRegister (FpdtSmiHandler, &gEfiFirmwarePerformanceGuid, &Handle);
+- ASSERT_EFI_ERROR (Status);
+-
+ return Status;
+ }
+diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf
+index 618cbd56ca..6be57553f0 100644
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf
+@@ -4,7 +4,7 @@
+ # This module registers report status code listener to collect performance data
+ # for SMM boot performance records and S3 Suspend Performance Record.
+ #
+-# Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
++# Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.<BR>
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+ ##
+@@ -51,10 +51,8 @@
+
+ [Guids]
+ ## SOMETIMES_PRODUCES ## UNDEFINED # SaveLockBox
+- ## PRODUCES ## UNDEFINED # SmiHandlerRegister
+ ## SOMETIMES_CONSUMES ## UNDEFINED # StatusCode Data
+ gEfiFirmwarePerformanceGuid
+- gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # StatusCode Data
+
+ [Pcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdProgressCodeS3SuspendStart ## CONSUMES
+--
+2.27.0
+
diff --git a/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch b/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch
new file mode 100644
index 0000000..0fce38a
--- /dev/null
+++ b/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch
@@ -0,0 +1,378 @@
+From 6642e762e1cedae30a08e28c456de2372bda7766 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:20:57 +0800
+Subject: [PATCH 1/8] SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c
+ from edk2-platforms
+
+Import PeiDxeTpmPlatformHierarchyLib from edk2-platforms without any
+modifications.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ .../Include/Library/TpmPlatformHierarchyLib.h | 27 ++
+ .../PeiDxeTpmPlatformHierarchyLib.c | 266 ++++++++++++++++++
+ .../PeiDxeTpmPlatformHierarchyLib.inf | 45 +++
+ 3 files changed, 338 insertions(+)
+ create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
+ create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+ create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+
+diff --git a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
+new file mode 100644
+index 0000000000..a872fa09dc
+--- /dev/null
++++ b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
+@@ -0,0 +1,27 @@
++/** @file
++ TPM Platform Hierarchy configuration library.
++
++ This library provides functions for customizing the TPM's Platform Hierarchy
++ Authorization Value (platformAuth) and Platform Hierarchy Authorization
++ Policy (platformPolicy) can be defined through this function.
++
++Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
++Copyright (c) Microsoft Corporation.<BR>
++SPDX-License-Identifier: BSD-2-Clause-Patent
++
++**/
++
++#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
++#define _TPM_PLATFORM_HIERARCHY_LIB_H_
++
++/**
++ This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
++
++**/
++VOID
++EFIAPI
++ConfigureTpmPlatformHierarchy (
++ VOID
++ );
++
++#endif
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+new file mode 100644
+index 0000000000..9812ab99ab
+--- /dev/null
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+@@ -0,0 +1,266 @@
++/** @file
++ TPM Platform Hierarchy configuration library.
++
++ This library provides functions for customizing the TPM's Platform Hierarchy
++ Authorization Value (platformAuth) and Platform Hierarchy Authorization
++ Policy (platformPolicy) can be defined through this function.
++
++ Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
++ Copyright (c) Microsoft Corporation.<BR>
++ SPDX-License-Identifier: BSD-2-Clause-Patent
++
++ @par Specification Reference:
++ https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
++**/
++
++#include <Uefi.h>
++
++#include <Library/BaseMemoryLib.h>
++#include <Library/DebugLib.h>
++#include <Library/MemoryAllocationLib.h>
++#include <Library/PcdLib.h>
++#include <Library/RngLib.h>
++#include <Library/Tpm2CommandLib.h>
++#include <Library/Tpm2DeviceLib.h>
++
++//
++// The authorization value may be no larger than the digest produced by the hash
++// algorithm used for context integrity.
++//
++#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
++
++UINT16 mAuthSize;
++
++/**
++ Generate high-quality entropy source through RDRAND.
++
++ @param[in] Length Size of the buffer, in bytes, to fill with.
++ @param[out] Entropy Pointer to the buffer to store the entropy data.
++
++ @retval EFI_SUCCESS Entropy generation succeeded.
++ @retval EFI_NOT_READY Failed to request random data.
++
++**/
++EFI_STATUS
++EFIAPI
++RdRandGenerateEntropy (
++ IN UINTN Length,
++ OUT UINT8 *Entropy
++ )
++{
++ EFI_STATUS Status;
++ UINTN BlockCount;
++ UINT64 Seed[2];
++ UINT8 *Ptr;
++
++ Status = EFI_NOT_READY;
++ BlockCount = Length / 64;
++ Ptr = (UINT8 *)Entropy;
++
++ //
++ // Generate high-quality seed for DRBG Entropy
++ //
++ while (BlockCount > 0) {
++ Status = GetRandomNumber128 (Seed);
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
++ CopyMem (Ptr, Seed, 64);
++
++ BlockCount--;
++ Ptr = Ptr + 64;
++ }
++
++ //
++ // Populate the remained data as request.
++ //
++ Status = GetRandomNumber128 (Seed);
++ if (EFI_ERROR (Status)) {
++ return Status;
++ }
++ CopyMem (Ptr, Seed, (Length % 64));
++
++ return Status;
++}
++
++/**
++ This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value
++ and limits an authValue to being no larger than the largest digest produced by a TPM.
++
++ @param[out] AuthSize Tpm2 Auth size
++
++ @retval EFI_SUCCESS Auth size returned.
++ @retval EFI_DEVICE_ERROR Can not return platform auth due to device error.
++
++**/
++EFI_STATUS
++EFIAPI
++GetAuthSize (
++ OUT UINT16 *AuthSize
++ )
++{
++ EFI_STATUS Status;
++ TPML_PCR_SELECTION Pcrs;
++ UINTN Index;
++ UINT16 DigestSize;
++
++ Status = EFI_SUCCESS;
++
++ while (mAuthSize == 0) {
++
++ mAuthSize = SHA1_DIGEST_SIZE;
++ ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
++ Status = Tpm2GetCapabilityPcrs (&Pcrs);
++
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
++ break;
++ }
++
++ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
++
++ for (Index = 0; Index < Pcrs.count; Index++) {
++ DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
++
++ switch (Pcrs.pcrSelections[Index].hash) {
++ case TPM_ALG_SHA1:
++ DigestSize = SHA1_DIGEST_SIZE;
++ break;
++ case TPM_ALG_SHA256:
++ DigestSize = SHA256_DIGEST_SIZE;
++ break;
++ case TPM_ALG_SHA384:
++ DigestSize = SHA384_DIGEST_SIZE;
++ break;
++ case TPM_ALG_SHA512:
++ DigestSize = SHA512_DIGEST_SIZE;
++ break;
++ case TPM_ALG_SM3_256:
++ DigestSize = SM3_256_DIGEST_SIZE;
++ break;
++ default:
++ DigestSize = SHA1_DIGEST_SIZE;
++ break;
++ }
++
++ if (DigestSize > mAuthSize) {
++ mAuthSize = DigestSize;
++ }
++ }
++ break;
++ }
++
++ *AuthSize = mAuthSize;
++ return Status;
++}
++
++/**
++ Set PlatformAuth to random value.
++**/
++VOID
++RandomizePlatformAuth (
++ VOID
++ )
++{
++ EFI_STATUS Status;
++ UINT16 AuthSize;
++ UINT8 *Rand;
++ UINTN RandSize;
++ TPM2B_AUTH NewPlatformAuth;
++
++ //
++ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
++ //
++
++ GetAuthSize (&AuthSize);
++
++ ZeroMem (NewPlatformAuth.buffer, AuthSize);
++ NewPlatformAuth.size = AuthSize;
++
++ //
++ // Allocate one buffer to store random data.
++ //
++ RandSize = MAX_NEW_AUTHORIZATION_SIZE;
++ Rand = AllocatePool (RandSize);
++
++ RdRandGenerateEntropy (RandSize, Rand);
++ CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
++
++ FreePool (Rand);
++
++ //
++ // Send Tpm2HierarchyChangeAuth command with the new Auth value
++ //
++ Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
++ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
++ ZeroMem (NewPlatformAuth.buffer, AuthSize);
++ ZeroMem (Rand, RandSize);
++}
++
++/**
++ Disable the TPM platform hierarchy.
++
++ @retval EFI_SUCCESS The TPM was disabled successfully.
++ @retval Others An error occurred attempting to disable the TPM platform hierarchy.
++
++**/
++EFI_STATUS
++DisableTpmPlatformHierarchy (
++ VOID
++ )
++{
++ EFI_STATUS Status;
++
++ // Make sure that we have use of the TPM.
++ Status = Tpm2RequestUseTpm ();
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
++ ASSERT_EFI_ERROR (Status);
++ return Status;
++ }
++
++ // Let's do what we can to shut down the hierarchies.
++
++ // Disable the PH NV.
++ // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM parts have
++ // been known to store the EK cert in the PH NV. If we disable it, the
++ // EK cert will be unreadable.
++
++ // Disable the PH.
++ Status = Tpm2HierarchyControl (
++ TPM_RH_PLATFORM, // AuthHandle
++ NULL, // AuthSession
++ TPM_RH_PLATFORM, // Hierarchy
++ NO // State
++ );
++ DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH = %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
++ if (EFI_ERROR (Status)) {
++ DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
++ ASSERT_EFI_ERROR (Status);
++ }
++
++ return Status;
++}
++
++/**
++ This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
++ and Platform Hierarchy Authorization Policy (platformPolicy)
++
++**/
++VOID
++EFIAPI
++ConfigureTpmPlatformHierarchy (
++ )
++{
++ if (PcdGetBool (PcdRandomizePlatformHierarchy)) {
++ //
++ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
++ //
++ RandomizePlatformAuth ();
++ } else {
++ //
++ // Disable the hierarchy entirely (do not randomize it)
++ //
++ DisableTpmPlatformHierarchy ();
++ }
++}
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+new file mode 100644
+index 0000000000..b7a7fb0a08
+--- /dev/null
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+@@ -0,0 +1,45 @@
++### @file
++#
++# TPM Platform Hierarchy configuration library.
++#
++# This library provides functions for customizing the TPM's Platform Hierarchy
++# Authorization Value (platformAuth) and Platform Hierarchy Authorization
++# Policy (platformPolicy) can be defined through this function.
++#
++# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
++# Copyright (c) Microsoft Corporation.<BR>
++#
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++#
++###
++
++[Defines]
++ INF_VERSION = 0x00010005
++ BASE_NAME = PeiDxeTpmPlatformHierarchyLib
++ FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
++ MODULE_TYPE = PEIM
++ VERSION_STRING = 1.0
++ LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
++
++[LibraryClasses]
++ BaseLib
++ BaseMemoryLib
++ DebugLib
++ MemoryAllocationLib
++ PcdLib
++ RngLib
++ Tpm2CommandLib
++ Tpm2DeviceLib
++
++[Packages]
++ MdePkg/MdePkg.dec
++ MdeModulePkg/MdeModulePkg.dec
++ SecurityPkg/SecurityPkg.dec
++ CryptoPkg/CryptoPkg.dec
++ MinPlatformPkg/MinPlatformPkg.dec
++
++[Sources]
++ PeiDxeTpmPlatformHierarchyLib.c
++
++[Pcd]
++ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
+--
+2.27.0
+
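Review bot: GetAuthSize in PeiDxeTpmPlatformHierarchyLib.c assigns `mAuthSize = SHA1_DIGEST_SIZE` before it calls Tpm2GetCapabilityPcrs, so when that call fails the fallback stays cached. Every later call then skips the loop and returns EFI_SUCCESS with a size the TPM never reported. RandomizePlatformAuth calls `GetAuthSize (&AuthSize);` without checking the status, and ConfigureTpmPlatformHierarchy also drops the result of DisableTpmPlatformHierarchy, so a failure to protect the platform hierarchy shows up only in debug output. I would compute the size in a local, store it in mAuthSize only after the query succeeds, and check at the call site with `Status = GetAuthSize (&AuthSize);` followed by `if (EFI_ERROR (Status)) { return; }`. Returning early leaves platformAuth unchanged, so whether to fall back to disabling the hierarchy instead is a platform policy decision this file does not settle.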
diff --git a/0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch b/0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch
new file mode 100644
index 0000000..e250097
--- /dev/null
+++ b/0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch
@@ -0,0 +1,121 @@
+From da8e34ff10bff3bff14c0bc5ee1f2e3f3d72428f Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:20:58 +0800
+Subject: [PATCH 2/8] SecurityPkg/TPM: Fix bugs in imported
+ PeiDxeTpmPlatformHierarchyLib
+
+Fix some bugs in the original PeiDxeTpmPlatformHierarchyLib.c.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ .../PeiDxeTpmPlatformHierarchyLib.c | 23 +++++--------------
+ .../PeiDxeTpmPlatformHierarchyLib.inf | 5 ++--
+ 2 files changed, 8 insertions(+), 20 deletions(-)
+
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+index 9812ab99ab..d82a0ae1bd 100644
+--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+@@ -18,7 +18,6 @@
+ #include <Library/BaseMemoryLib.h>
+ #include <Library/DebugLib.h>
+ #include <Library/MemoryAllocationLib.h>
+-#include <Library/PcdLib.h>
+ #include <Library/RngLib.h>
+ #include <Library/Tpm2CommandLib.h>
+ #include <Library/Tpm2DeviceLib.h>
+@@ -27,7 +26,6 @@
+ // The authorization value may be no larger than the digest produced by the hash
+ // algorithm used for context integrity.
+ //
+-#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
+
+ UINT16 mAuthSize;
+
+@@ -54,7 +52,7 @@ RdRandGenerateEntropy (
+ UINT8 *Ptr;
+
+ Status = EFI_NOT_READY;
+- BlockCount = Length / 64;
++ BlockCount = Length / sizeof(Seed);
+ Ptr = (UINT8 *)Entropy;
+
+ //
+@@ -65,10 +63,10 @@ RdRandGenerateEntropy (
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+- CopyMem (Ptr, Seed, 64);
++ CopyMem (Ptr, Seed, sizeof(Seed));
+
+ BlockCount--;
+- Ptr = Ptr + 64;
++ Ptr = Ptr + sizeof(Seed);
+ }
+
+ //
+@@ -78,7 +76,7 @@ RdRandGenerateEntropy (
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+- CopyMem (Ptr, Seed, (Length % 64));
++ CopyMem (Ptr, Seed, (Length % sizeof(Seed)));
+
+ return Status;
+ }
+@@ -164,8 +162,6 @@ RandomizePlatformAuth (
+ {
+ EFI_STATUS Status;
+ UINT16 AuthSize;
+- UINT8 *Rand;
+- UINTN RandSize;
+ TPM2B_AUTH NewPlatformAuth;
+
+ //
+@@ -174,19 +170,13 @@ RandomizePlatformAuth (
+
+ GetAuthSize (&AuthSize);
+
+- ZeroMem (NewPlatformAuth.buffer, AuthSize);
+ NewPlatformAuth.size = AuthSize;
+
+ //
+- // Allocate one buffer to store random data.
++ // Create the random bytes in the destination buffer
+ //
+- RandSize = MAX_NEW_AUTHORIZATION_SIZE;
+- Rand = AllocatePool (RandSize);
+-
+- RdRandGenerateEntropy (RandSize, Rand);
+- CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
+
+- FreePool (Rand);
++ RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer);
+
+ //
+ // Send Tpm2HierarchyChangeAuth command with the new Auth value
+@@ -194,7 +184,6 @@ RandomizePlatformAuth (
+ Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
+ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
+ ZeroMem (NewPlatformAuth.buffer, AuthSize);
+- ZeroMem (Rand, RandSize);
+ }
+
+ /**
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+index b7a7fb0a08..7bf666794f 100644
+--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+@@ -1,6 +1,5 @@
+-### @file
+-#
+-# TPM Platform Hierarchy configuration library.
++## @file
++# TPM Platform Hierarchy configuration library.
+ #
+ # This library provides functions for customizing the TPM's Platform Hierarchy
+ # Authorization Value (platformAuth) and Platform Hierarchy Authorization
+--
+2.27.0
+
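Review bot: In RandomizePlatformAuth the new call `RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer);` discards the returned status, and the same hunk removes the `ZeroMem (NewPlatformAuth.buffer, AuthSize)` that used to run before the buffer was filled. If GetRandomNumber128 fails, the buffer still holds whatever was on the stack, and that value is passed to Tpm2HierarchyChangeAuth as the new platformAuth, so its unpredictability is no longer guaranteed. Capture the status and stop before the TPM command, for example `Status = RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer);` followed by `if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "%a: no entropy for platformAuth - %r\n", __FUNCTION__, Status)); return; }`. What the platform should do in that case (for instance disable the hierarchy) is a policy choice the patch does not show. The body of RandomizePlatformAuth starts and ends outside the inner hunks in this patch.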
diff --git a/0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch b/0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch
new file mode 100644
index 0000000..480ab1d
--- /dev/null
+++ b/0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch
@@ -0,0 +1,161 @@
+From 4f998a6c11ca05dc19bafe54ecd43ed74bd2cb3c Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:20:59 +0800
+Subject: [PATCH 3/8] SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from
+ edk2-platforms
+
+Import Tcg2PlatformDxe from edk2-platforms without any modifications.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 85 +++++++++++++++++++
+ .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 44 ++++++++++
+ 2 files changed, 129 insertions(+)
+ create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
+ create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
+new file mode 100644
+index 0000000000..150cf748ff
+--- /dev/null
++++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
+@@ -0,0 +1,85 @@
++/** @file
++ Platform specific TPM2 component for configuring the Platform Hierarchy.
++
++ Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>
++ SPDX-License-Identifier: BSD-2-Clause-Patent
++
++**/
++
++#include <PiDxe.h>
++
++#include <Library/DebugLib.h>
++#include <Library/UefiBootServicesTableLib.h>
++#include <Library/UefiLib.h>
++#include <Library/TpmPlatformHierarchyLib.h>
++#include <Protocol/DxeSmmReadyToLock.h>
++
++/**
++ This callback function will run at the SmmReadyToLock event.
++
++ Configuration of the TPM's Platform Hierarchy Authorization Value (platformAuth)
++ and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function.
++
++ @param Event Pointer to this event
++ @param Context Event hanlder private data
++ **/
++VOID
++EFIAPI
++SmmReadyToLockEventCallBack (
++ IN EFI_EVENT Event,
++ IN VOID *Context
++ )
++{
++ EFI_STATUS Status;
++ VOID *Interface;
++
++ //
++ // Try to locate it because EfiCreateProtocolNotifyEvent will trigger it once when registration.
++ // Just return if it is not found.
++ //
++ Status = gBS->LocateProtocol (
++ &gEfiDxeSmmReadyToLockProtocolGuid,
++ NULL,
++ &Interface
++ );
++ if (EFI_ERROR (Status)) {
++ return ;
++ }
++
++ ConfigureTpmPlatformHierarchy ();
++
++ gBS->CloseEvent (Event);
++}
++
++/**
++ The driver's entry point. Will register a function for callback during SmmReadyToLock event to
++ configure the TPM's platform authorization.
++
++ @param[in] ImageHandle The firmware allocated handle for the EFI image.
++ @param[in] SystemTable A pointer to the EFI System Table.
++
++ @retval EFI_SUCCESS The entry point is executed successfully.
++ @retval other Some error occurs when executing this entry point.
++**/
++EFI_STATUS
++EFIAPI
++Tcg2PlatformDxeEntryPoint (
++ IN EFI_HANDLE ImageHandle,
++ IN EFI_SYSTEM_TABLE *SystemTable
++ )
++{
++ VOID *Registration;
++ EFI_EVENT Event;
++
++ Event = EfiCreateProtocolNotifyEvent (
++ &gEfiDxeSmmReadyToLockProtocolGuid,
++ TPL_CALLBACK,
++ SmmReadyToLockEventCallBack,
++ NULL,
++ &Registration
++ );
++
++ ASSERT (Event != NULL);
++
++ return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+new file mode 100644
+index 0000000000..af29c1cd98
+--- /dev/null
++++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+@@ -0,0 +1,44 @@
++### @file
++# Platform specific TPM2 component.
++#
++# Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>
++#
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++#
++###
++
++[Defines]
++ INF_VERSION = 0x00010017
++ BASE_NAME = Tcg2PlatformDxe
++ FILE_GUID = 5CAB08D5-AD8F-4d8b-B828-D17A8D9FE977
++ VERSION_STRING = 1.0
++ MODULE_TYPE = DXE_DRIVER
++ ENTRY_POINT = Tcg2PlatformDxeEntryPoint
++#
++# The following information is for reference only and not required by the build tools.
++#
++# VALID_ARCHITECTURES = IA32 X64 IPF
++#
++
++[LibraryClasses]
++ BaseLib
++ UefiBootServicesTableLib
++ UefiDriverEntryPoint
++ DebugLib
++ UefiLib
++ TpmPlatformHierarchyLib
++
++[Packages]
++ MdePkg/MdePkg.dec
++ MdeModulePkg/MdeModulePkg.dec
++ MinPlatformPkg/MinPlatformPkg.dec
++ SecurityPkg/SecurityPkg.dec
++
++[Sources]
++ Tcg2PlatformDxe.c
++
++[Protocols]
++ gEfiDxeSmmReadyToLockProtocolGuid ## SOMETIMES_CONSUMES ## NOTIFY
++
++[Depex]
++ gEfiTcg2ProtocolGuid
+--
+2.27.0
+
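Review bot: `Tcg2PlatformDxeEntryPoint` in Tcg2PlatformDxe.c checks the notify registration only with `ASSERT (Event != NULL)` and then returns `EFI_SUCCESS` unconditionally. In a build where ASSERT is compiled out, a failed registration (assuming the helper can return NULL, as the assert implies) is reported as success and `ConfigureTpmPlatformHierarchy ()` is never scheduled. That callback is the only place in this file that configures platformAuth, so the failure should be visible to the dispatcher: keep the assert and add `if (Event == NULL) { return EFI_OUT_OF_RESOURCES; }` before the final return. The `@param Context` text in the `SmmReadyToLockEventCallBack` header also misspells `hanlder`.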
diff --git a/0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch b/0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch
new file mode 100644
index 0000000..b6bcac8
--- /dev/null
+++ b/0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch
@@ -0,0 +1,63 @@
+From edaa95dc147509a6c84225d70476c7dd9179cb57 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:21:00 +0800
+Subject: [PATCH 4/8] SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable and fix
+ style issues
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h | 4 ++--
+ .../PeiDxeTpmPlatformHierarchyLib.c | 2 +-
+ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 3 +--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
+index a872fa09dc..8d61a4867b 100644
+--- a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
++++ b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
+@@ -11,8 +11,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ **/
+
+-#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
+-#define _TPM_PLATFORM_HIERARCHY_LIB_H_
++#ifndef TPM_PLATFORM_HIERARCHY_LIB_H_
++#define TPM_PLATFORM_HIERARCHY_LIB_H_
+
+ /**
+ This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+index d82a0ae1bd..0bb04a20fc 100644
+--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+@@ -233,7 +233,7 @@ DisableTpmPlatformHierarchy (
+
+ /**
+ This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
+- and Platform Hierarchy Authorization Policy (platformPolicy)
++ and Platform Hierarchy Authorization Policy (platformPolicy).
+
+ **/
+ VOID
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+index af29c1cd98..635302fe6f 100644
+--- a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
++++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+@@ -1,4 +1,4 @@
+-### @file
++## @file
+ # Platform specific TPM2 component.
+ #
+ # Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>
+@@ -31,7 +31,6 @@
+ [Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+- MinPlatformPkg/MinPlatformPkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+ [Sources]
+--
+2.27.0
+
diff --git a/0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch b/0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch
new file mode 100644
index 0000000..6b096da
--- /dev/null
+++ b/0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch
@@ -0,0 +1,53 @@
+From 0282acbc3dee92ee04f1a212ca3f4c77e8b97207 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:21:01 +0800
+Subject: [PATCH 5/8] SecurityPkg: Introduce new PCD
+ PcdRandomizePlatformHierarchy
+
+Introduce the new PCD
+gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy.
+We need it for TpmPlatformHierarchyLib.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ .../PeiDxeTpmPlatformHierarchyLib.inf | 3 +--
+ SecurityPkg/SecurityPkg.dec | 6 ++++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+index 7bf666794f..efe560e7ff 100644
+--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+@@ -35,10 +35,9 @@
+ MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ CryptoPkg/CryptoPkg.dec
+- MinPlatformPkg/MinPlatformPkg.dec
+
+ [Sources]
+ PeiDxeTpmPlatformHierarchyLib.c
+
+ [Pcd]
+- gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
++ gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
+diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
+index 5335cc5397..276ea6e2dd 100644
+--- a/SecurityPkg/SecurityPkg.dec
++++ b/SecurityPkg/SecurityPkg.dec
+@@ -291,6 +291,12 @@
+ # @Prompt Physical presence of the platform operator.
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmPhysicalPresence|TRUE|BOOLEAN|0x00010001
+
++ ## Indicates whether the TPM2 platform hierarchy will be disabled by using
++ # a random password or by disabling the hierarchy
++ # TRUE - A random password will be used
++ # FALSE - The hierarchy will be disabled
++ gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy|TRUE|BOOLEAN|0x00010024
++
+ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+ ## Indicates whether TPM physical presence is locked during platform initialization.
+ # Once it is locked, it can not be unlocked for TPM life time.<BR><BR>
+--
+2.27.0
+
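Review bot: The comment for `PcdRandomizePlatformHierarchy` in SecurityPkg.dec says the hierarchy "will be disabled by using a random password", which conflates the two modes. With TRUE the hierarchy stays enabled and its authorization value is replaced by a random one (as `RandomizePlatformAuth` in the library does through `Tpm2HierarchyChangeAuth`); only FALSE disables the hierarchy. The entry also lacks the `# @Prompt` line that the neighbouring `PcdTpmPhysicalPresence` entry carries. Suggested opening lines: `## Selects how the TPM2 platform hierarchy is protected: by setting a random platformAuth or by disabling the hierarchy.` followed by `# @Prompt Randomize the TPM2 platform hierarchy authorization.`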
diff --git a/0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch b/0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch
new file mode 100644
index 0000000..38acd0e
--- /dev/null
+++ b/0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch
@@ -0,0 +1,191 @@
+From ede5db34ee1e35c16cf016b974046b1c499c19a6 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:21:03 +0800
+Subject: [PATCH 6/8] SecurityPkg/Tcg: Import Tcg2PlatformPei from
+ edk2-platforms
+
+Import Tcg2PlatformPei from edk2-platforms without any modifications.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 107 ++++++++++++++++++
+ .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 52 +++++++++
+ 2 files changed, 159 insertions(+)
+ create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
+ create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
+new file mode 100644
+index 0000000000..66ec75ad0e
+--- /dev/null
++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
+@@ -0,0 +1,107 @@
++/** @file
++
++Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
++Copyright (c) Microsoft Corporation.<BR>
++SPDX-License-Identifier: BSD-2-Clause-Patent
++
++**/
++
++#include <PiPei.h>
++#include <Library/PeiServicesLib.h>
++#include <Library/DebugLib.h>
++#include <Library/BaseMemoryLib.h>
++#include <Library/MemoryAllocationLib.h>
++#include <Library/HobLib.h>
++#include <Library/Tpm2CommandLib.h>
++#include <Library/Tpm2DeviceLib.h>
++#include <Library/TpmPlatformHierarchyLib.h>
++#include <Library/RngLib.h>
++
++#include <Ppi/EndOfPeiPhase.h>
++
++#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
++
++/**
++ This function handles PlatformInit task at the end of PEI
++
++ @param[in] PeiServices Pointer to PEI Services Table.
++ @param[in] NotifyDesc Pointer to the descriptor for the Notification event that
++ caused this function to execute.
++ @param[in] Ppi Pointer to the PPI data associated with this function.
++
++ @retval EFI_SUCCESS The function completes successfully
++ @retval others
++**/
++EFI_STATUS
++EFIAPI
++PlatformInitEndOfPei (
++ IN CONST EFI_PEI_SERVICES **PeiServices,
++ IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor,
++ IN VOID *Ppi
++ )
++{
++ VOID *TcgEventLog;
++
++ //
++ // Try to get TcgEventLog in S3 to see if S3 error is reported.
++ //
++ TcgEventLog = GetFirstGuidHob(&gTcgEventEntryHobGuid);
++ if (TcgEventLog == NULL) {
++ TcgEventLog = GetFirstGuidHob(&gTcgEvent2EntryHobGuid);
++ }
++
++ if (TcgEventLog == NULL) {
++ //
++ // no S3 error reported
++ //
++ return EFI_SUCCESS;
++ }
++
++ //
++ // If there is S3 error on TPM_SU_STATE and success on TPM_SU_CLEAR,
++ // configure the TPM Platform Hierarchy.
++ //
++ ConfigureTpmPlatformHierarchy ();
++
++ return EFI_SUCCESS;
++}
++
++static EFI_PEI_NOTIFY_DESCRIPTOR mEndOfPeiNotifyList = {
++ (EFI_PEI_PPI_DESCRIPTOR_NOTIFY_CALLBACK | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST),
++ &gEfiEndOfPeiSignalPpiGuid,
++ (EFI_PEIM_NOTIFY_ENTRY_POINT)PlatformInitEndOfPei
++};
++
++/**
++ Main entry
++
++ @param[in] FileHandle Handle of the file being invoked.
++ @param[in] PeiServices Pointer to PEI Services table.
++
++ @retval EFI_SUCCESS Install function successfully.
++
++**/
++EFI_STATUS
++EFIAPI
++Tcg2PlatformPeiEntryPoint (
++ IN EFI_PEI_FILE_HANDLE FileHandle,
++ IN CONST EFI_PEI_SERVICES **PeiServices
++ )
++{
++ EFI_STATUS Status;
++ EFI_BOOT_MODE BootMode;
++
++ Status = PeiServicesGetBootMode (&BootMode);
++ ASSERT_EFI_ERROR(Status);
++
++ if (BootMode != BOOT_ON_S3_RESUME) {
++ return EFI_SUCCESS;
++ }
++
++ //
++ // Performing PlatformInitEndOfPei after EndOfPei PPI produced
++ //
++ Status = PeiServicesNotifyPpi (&mEndOfPeiNotifyList);
++
++ return Status;
++}
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+new file mode 100644
+index 0000000000..579f09b940
+--- /dev/null
++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+@@ -0,0 +1,52 @@
++### @file
++#
++# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
++#
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++#
++###
++
++[Defines]
++ INF_VERSION = 0x00010017
++ BASE_NAME = Tcg2PlatformPei
++ FILE_GUID = 47727552-A54B-4A84-8CC1-BFF23E239636
++ VERSION_STRING = 1.0
++ MODULE_TYPE = PEIM
++ ENTRY_POINT = Tcg2PlatformPeiEntryPoint
++
++#
++# The following information is for reference only and not required by the build tools.
++#
++# VALID_ARCHITECTURES = IA32 X64 IPF EBC
++#
++
++[LibraryClasses]
++ PcdLib
++ BaseMemoryLib
++ MemoryAllocationLib
++ PeiServicesLib
++ PeimEntryPoint
++ DebugLib
++ Tpm2DeviceLib
++ Tpm2CommandLib
++ TpmPlatformHierarchyLib
++ RngLib
++
++[Packages]
++ MdePkg/MdePkg.dec
++ SecurityPkg/SecurityPkg.dec
++ MinPlatformPkg/MinPlatformPkg.dec
++
++[Sources]
++ Tcg2PlatformPei.c
++
++[Guids]
++ gTcgEventEntryHobGuid
++ gTcgEvent2EntryHobGuid
++
++[Ppis]
++ gEfiEndOfPeiSignalPpiGuid
++
++[Depex]
++ gEfiTpmDeviceSelectedGuid
++
+--
+2.27.0
+
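Review bot: In `Tcg2PlatformPeiEntryPoint`, `BootMode` is compared in `if (BootMode != BOOT_ON_S3_RESUME)` after a `PeiServicesGetBootMode` call whose failure is caught only by `ASSERT_EFI_ERROR(Status)`. Where ASSERT is compiled out, a failed call leaves `BootMode` uninitialized, and the decision whether to register the end-of-PEI callback is made on an indeterminate value; add `if (EFI_ERROR (Status)) { return Status; }` after the assert. Tcg2PlatformPei.c also includes `Library/HobLib.h` and calls `GetFirstGuidHob`, but `[LibraryClasses]` in Tcg2PlatformPei.inf does not list `HobLib`, so the module relies on another library pulling it in. `MAX_NEW_AUTHORIZATION_SIZE` and the `RngLib`, `Tpm2CommandLib`, `Tpm2DeviceLib`, `MemoryAllocationLib` and `BaseMemoryLib` includes are not used by anything in this file and could be dropped together with their INF entries.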
diff --git a/0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch b/0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch
new file mode 100644
index 0000000..3a51c88
--- /dev/null
+++ b/0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch
@@ -0,0 +1,63 @@
+From 5134d284aafd4816e265b5c551ee32d6eb43bbc8 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:21:04 +0800
+Subject: [PATCH 7/8] SecurityPkg/Tcg: Make Tcg2PlatformPei buildable and fix
+ style issues
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 11 ++++++-----
+ SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 4 ++--
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
+index 66ec75ad0e..21d2c1433d 100644
+--- a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
+@@ -1,4 +1,5 @@
+ /** @file
++ Configure TPM 2 platform hierarchy on TPM state resume failure on S3 resume
+
+ Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) Microsoft Corporation.<BR>
+@@ -24,12 +25,12 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ /**
+ This function handles PlatformInit task at the end of PEI
+
+- @param[in] PeiServices Pointer to PEI Services Table.
+- @param[in] NotifyDesc Pointer to the descriptor for the Notification event that
+- caused this function to execute.
+- @param[in] Ppi Pointer to the PPI data associated with this function.
++ @param[in] PeiServices Pointer to PEI Services Table.
++ @param[in] NotifyDescriptor Pointer to the descriptor for the Notification event that
++ caused this function to execute.
++ @param[in] Ppi Pointer to the PPI data associated with this function.
+
+- @retval EFI_SUCCESS The function completes successfully
++ @retval EFI_SUCCESS The function completes successfully
+ @retval others
+ **/
+ EFI_STATUS
+diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+index 579f09b940..6f57de025b 100644
+--- a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+@@ -1,4 +1,5 @@
+-### @file
++## @file
++# Configure TPM 2 platform hierarchy on TPM state resume failure on S3 resume
+ #
+ # Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
+ #
+@@ -35,7 +36,6 @@
+ [Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+- MinPlatformPkg/MinPlatformPkg.dec
+
+ [Sources]
+ Tcg2PlatformPei.c
+--
+2.27.0
+
diff --git a/0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch b/0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch
new file mode 100644
index 0000000..beb2c1f
--- /dev/null
+++ b/0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch
@@ -0,0 +1,68 @@
+From e031b8396ba1ad059f7c1dc6e28e9fc4ca6aaae9 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Mon, 13 Sep 2021 22:21:06 +0800
+Subject: [PATCH 8/8] SecurityPkg: Add references to header and inf files to
+ SecurityPkg
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+---
+ SecurityPkg/SecurityPkg.dec | 4 ++++
+ SecurityPkg/SecurityPkg.dsc | 12 ++++++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
+index 276ea6e2dd..beffd08772 100644
+--- a/SecurityPkg/SecurityPkg.dec
++++ b/SecurityPkg/SecurityPkg.dec
+@@ -68,6 +68,10 @@
+ #
+ Tcg2PhysicalPresenceLib|Include/Library/Tcg2PhysicalPresenceLib.h
+
++ ## @libraryclass Handle TPM 2.0 platform hierarchy configuration
++ #
++ TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h
++
+ ## @libraryclass Provides interfaces about TCG storage generic command.
+ #
+ TcgStorageCoreLib|Include/Library/TcgStorageCoreLib.h
+diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
+index a2eeadda7a..8d5371295a 100644
+--- a/SecurityPkg/SecurityPkg.dsc
++++ b/SecurityPkg/SecurityPkg.dsc
+@@ -211,6 +211,8 @@
+
+ SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
+
++ SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++
+ #
+ # TCG Storage.
+ #
+@@ -272,6 +274,11 @@
+ NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf
+ }
+
++ SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf {
++ <LibraryClasses>
++ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++ }
++
+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
+ <LibraryClasses>
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+@@ -288,6 +295,11 @@
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
+ }
+
++ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf {
++ <LibraryClasses>
++ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
++ }
++
+ #
+ # Hash2
+ #
+--
+2.27.0
+
diff --git a/0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch b/0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch
new file mode 100644
index 0000000..a4db4de
--- /dev/null
+++ b/0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch
@@ -0,0 +1,50 @@
+From 85a19a714c4b4702edc59db0a3419f48fffe2b0a Mon Sep 17 00:00:00 2001
+From: Jinhua Cao <caojinhua1@huawei.com>
+Date: Thu, 17 Feb 2022 17:38:41 +0800
+Subject: [PATCH] OvmfPkg: VirtioNetDxe: Extend the RxBufferSize to avoid data
+ truncation
+
+1822 net card needs at least 1536 bytes for DMA, even we never negotiate
+VIRTIO_NET_F_MRG_RXBUF. The original max size of packet is 15144 which would
+cause data trucation. Now we extend the RxBufSize to 9014(Jumbo Frame type)
+so that we can avoid it.
+
+Signed-off-by: Jinhua Cao <caojinhua1@huawei.com>
+---
+ OvmfPkg/Include/IndustryStandard/Virtio095Net.h | 7 +++++++
+ OvmfPkg/VirtioNetDxe/SnpInitialize.c | 3 ++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/Include/IndustryStandard/Virtio095Net.h b/OvmfPkg/Include/IndustryStandard/Virtio095Net.h
+index 9c0ed5ed24..28f5cc0899 100644
+--- a/OvmfPkg/Include/IndustryStandard/Virtio095Net.h
++++ b/OvmfPkg/Include/IndustryStandard/Virtio095Net.h
+@@ -88,4 +88,11 @@ typedef struct {
+ #define VIRTIO_NET_S_LINK_UP BIT0
+ #define VIRTIO_NET_S_ANNOUNCE BIT1
+
++//
++// 1822 net card needs at least 1536 bytes for DMA, even we never negotiate
++// VIRTIO_NET_F_MRG_RXBUF. The original max size of packet is 15144 which would
++// cause data trucation. Now we extend the RxBufSize to 9014(Jumbo Frame type)
++// so that we can avoid it.
++#define VIRTIO_RXBUF_JUMBO_PADDING 7500
++
+ #endif // _VIRTIO_0_9_5_NET_H_
+diff --git a/OvmfPkg/VirtioNetDxe/SnpInitialize.c b/OvmfPkg/VirtioNetDxe/SnpInitialize.c
+index bb3b552d68..6febfea3bb 100644
+--- a/OvmfPkg/VirtioNetDxe/SnpInitialize.c
++++ b/OvmfPkg/VirtioNetDxe/SnpInitialize.c
+@@ -337,7 +337,8 @@ VirtioNetInitRx (
+ // and Ethernet payload).
+ //
+ RxBufSize = VirtioNetReqSize +
+- (Dev->Snm.MediaHeaderSize + Dev->Snm.MaxPacketSize);
++ (Dev->Snm.MediaHeaderSize + Dev->Snm.MaxPacketSize) +
++ VIRTIO_RXBUF_JUMBO_PADDING;
+
+ //
+ // Limit the number of pending RX packets if the queue is big. The division
+--
+2.27.0
+
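Review bot: The comment added above `VIRTIO_RXBUF_JUMBO_PADDING` in Virtio095Net.h does not agree with the constant: 9014 minus the 7500-byte padding is 1514, not the `15144` written there, and `trucation` is misspelled (the commit message carries the same text). Suggested wording: `// The default maximum frame is 1514 bytes; pad each RX buffer by 7500 bytes so that it can hold a 9014-byte jumbo frame and received data is not truncated.` In `VirtioNetInitRx` the padding is added to every RX buffer unconditionally, so whatever total is derived from `RxBufSize` after this hunk presumably grows by the same amount per buffer. That code is outside the hunk, so it is worth confirming that the total still fits its type and the allocation made for the RX area. A device-specific workaround constant would also fit better in VirtioNetDxe's own header than in an IndustryStandard header.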
diff --git a/0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch b/0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
new file mode 100644
index 0000000..082e057
--- /dev/null
+++ b/0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
@@ -0,0 +1,191 @@
+From f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac Mon Sep 17 00:00:00 2001
+From: Guomin Jiang <guomin.jiang@intel.com>
+Date: Wed, 13 Jan 2021 18:08:09 +0800
+Subject: [PATCH] UefiCpuPkg: Move MigrateGdt from DiscoverMemory to
+ TempRamDone. (CVE-2019-11098)
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1614
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3160
+
+The GDT still in flash with commit 60b12e69fb1c8c7180fdda92f008248b9ec83db1
+after TempRamDone
+
+So move the action to TempRamDone event to avoid reading GDT from flash.
+
+Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
+Cc: Eric Dong <eric.dong@intel.com>
+Cc: Ray Ni <ray.ni@intel.com>
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Rahul Kumar <rahul1.kumar@intel.com>
+Cc: Debkumar De <debkumar.de@intel.com>
+Cc: Harry Han <harry.han@intel.com>
+Cc: Catharine West <catharine.west@intel.com>
+Reviewed-by: Ray Ni <ray.ni@intel.com>
+---
+ UefiCpuPkg/CpuMpPei/CpuMpPei.c | 37 --------------------------
+ UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 1 -
+ UefiCpuPkg/CpuMpPei/CpuPaging.c | 8 ------
+ UefiCpuPkg/SecCore/SecCore.inf | 1 +
+ UefiCpuPkg/SecCore/SecMain.c | 45 ++++++++++++++++++++++++++++++++
+ 5 files changed, 46 insertions(+), 46 deletions(-)
+
+diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.c b/UefiCpuPkg/CpuMpPei/CpuMpPei.c
+index 40729a09b9..3c1bad6470 100644
+--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.c
++++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.c
+@@ -429,43 +429,6 @@ GetGdtr (
+ AsmReadGdtr ((IA32_DESCRIPTOR *)Buffer);
+ }
+
+-/**
+- Migrates the Global Descriptor Table (GDT) to permanent memory.
+-
+- @retval EFI_SUCCESS The GDT was migrated successfully.
+- @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to lack of available memory.
+-
+-**/
+-EFI_STATUS
+-MigrateGdt (
+- VOID
+- )
+-{
+- EFI_STATUS Status;
+- UINTN GdtBufferSize;
+- IA32_DESCRIPTOR Gdtr;
+- VOID *GdtBuffer;
+-
+- AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr);
+- GdtBufferSize = sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1;
+-
+- Status = PeiServicesAllocatePool (
+- GdtBufferSize,
+- &GdtBuffer
+- );
+- ASSERT (GdtBuffer != NULL);
+- if (EFI_ERROR (Status)) {
+- return EFI_OUT_OF_RESOURCES;
+- }
+-
+- GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTOR));
+- CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1);
+- Gdtr.Base = (UINTN) GdtBuffer;
+- AsmWriteGdtr (&Gdtr);
+-
+- return EFI_SUCCESS;
+-}
+-
+ /**
+ Initializes CPU exceptions handlers for the sake of stack switch requirement.
+
+diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+index ba829d816e..7444bdb968 100644
+--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
++++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf
+@@ -67,7 +67,6 @@
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList ## SOMETIMES_CONSUMES
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize ## SOMETIMES_CONSUMES
+ gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize ## SOMETIMES_CONSUMES
+- gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes ## CONSUMES
+
+ [Depex]
+ TRUE
+diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c
+index 50ad4277af..3e261d6657 100644
+--- a/UefiCpuPkg/CpuMpPei/CpuPaging.c
++++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c
+@@ -605,17 +605,9 @@ MemoryDiscoveredPpiNotifyCallback (
+ {
+ EFI_STATUS Status;
+ BOOLEAN InitStackGuard;
+- BOOLEAN InterruptState;
+ EDKII_MIGRATED_FV_INFO *MigratedFvInfo;
+ EFI_PEI_HOB_POINTERS Hob;
+
+- if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
+- InterruptState = SaveAndDisableInterrupts ();
+- Status = MigrateGdt ();
+- ASSERT_EFI_ERROR (Status);
+- SetInterruptState (InterruptState);
+- }
+-
+ //
+ // Paging must be setup first. Otherwise the exception TSS setup during MP
+ // initialization later will not contain paging information and then fail
+diff --git a/UefiCpuPkg/SecCore/SecCore.inf b/UefiCpuPkg/SecCore/SecCore.inf
+index 545781d6b4..ded83beb52 100644
+--- a/UefiCpuPkg/SecCore/SecCore.inf
++++ b/UefiCpuPkg/SecCore/SecCore.inf
+@@ -77,6 +77,7 @@
+
+ [Pcd]
+ gUefiCpuPkgTokenSpaceGuid.PcdPeiTemporaryRamStackSize ## CONSUMES
++ gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes ## CONSUMES
+
+ [UserExtensions.TianoCore."ExtraFiles"]
+ SecCoreExtra.uni
+diff --git a/UefiCpuPkg/SecCore/SecMain.c b/UefiCpuPkg/SecCore/SecMain.c
+index 155be49a60..2416c4ce56 100644
+--- a/UefiCpuPkg/SecCore/SecMain.c
++++ b/UefiCpuPkg/SecCore/SecMain.c
+@@ -35,6 +35,43 @@ EFI_PEI_PPI_DESCRIPTOR mPeiSecPlatformInformationPpi[] = {
+ }
+ };
+
++/**
++ Migrates the Global Descriptor Table (GDT) to permanent memory.
++
++ @retval EFI_SUCCESS The GDT was migrated successfully.
++ @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to lack of available memory.
++
++**/
++EFI_STATUS
++MigrateGdt (
++ VOID
++ )
++{
++ EFI_STATUS Status;
++ UINTN GdtBufferSize;
++ IA32_DESCRIPTOR Gdtr;
++ VOID *GdtBuffer;
++
++ AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr);
++ GdtBufferSize = sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1;
++
++ Status = PeiServicesAllocatePool (
++ GdtBufferSize,
++ &GdtBuffer
++ );
++ ASSERT (GdtBuffer != NULL);
++ if (EFI_ERROR (Status)) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++
++ GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTOR));
++ CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1);
++ Gdtr.Base = (UINTN) GdtBuffer;
++ AsmWriteGdtr (&Gdtr);
++
++ return EFI_SUCCESS;
++}
++
+ //
+ // These are IDT entries pointing to 10:FFFFFFE4h.
+ //
+@@ -409,6 +446,14 @@ SecTemporaryRamDone (
+ //
+ State = SaveAndDisableInterrupts ();
+
++ //
++ // Migrate GDT before NEM near down
++ //
++ if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) {
++ Status = MigrateGdt ();
++ ASSERT_EFI_ERROR (Status);
++ }
++
+ //
+ // Disable Temporary RAM after Stack and Heap have been migrated at this point.
+ //
+--
+2.27.0
+
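Review bot: In the `SecTemporaryRamDone` hunk of SecMain.c the result of `MigrateGdt ()` is checked only by `ASSERT_EFI_ERROR (Status)`. Where ASSERT is compiled out, an allocation failure is ignored and execution continues to the temporary-RAM teardown with the GDTR still pointing at the old table, which is the state this CVE-2019-11098 change is meant to rule out. Treat the failure as fatal after the assert, e.g. `if (EFI_ERROR (Status)) { CpuDeadLoop (); }`. In `MigrateGdt`, `ASSERT (GdtBuffer != NULL)` runs before `Status` is tested and may read a pointer that was never written if the allocation failed; declaring it as `VOID *GdtBuffer = NULL;` or assigning NULL before the call avoids that. `SecTemporaryRamDone` starts and ends outside the hunk, so the declaration of `Status` cannot be confirmed here, and the added comment `Migrate GDT before NEM near down` would read more clearly as `Migrate the GDT to permanent memory before temporary RAM (NEM) is torn down`.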
diff --git a/0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch b/0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch
new file mode 100644
index 0000000..00641ee
--- /dev/null
+++ b/0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch
@@ -0,0 +1,208 @@
+From cab1f02565d3b29081dd21afb074f35fdb4e1fd6 Mon Sep 17 00:00:00 2001
+From: Miki Demeter <miki.demeter@intel.com>
+Date: Thu, 27 Oct 2022 16:20:54 -0700
+Subject: [PATCH] MdeModulePkg/PiSmmCore:SmmEntryPoint underflow(CVE-2021-38578)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3387
+
+Added use of SafeIntLib to validate values are not causing overflows or
+underflows in user controlled values when calculating buffer sizes.
+
+Signed-off-by: Miki Demeter <miki.demeter@intel.com>
+Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Liming Gao <gaoliming@byosoft.com.cn>
+Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+---
+ MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 41 ++++++++++++++++++-----
+ MdeModulePkg/Core/PiSmmCore/PiSmmCore.h | 1 +
+ MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf | 1 +
+ MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 31 +++++++++++++----
+ MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf | 1 +
+ 5 files changed, 60 insertions(+), 15 deletions(-)
+
+diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+index 9e5c6cbe33..875c7c0258 100644
+--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c
+@@ -609,6 +609,7 @@ SmmEndOfS3ResumeHandler (
+ @param[in] Size2 Size of Buff2
+
+ @retval TRUE Buffers overlap in memory.
++ @retval TRUE Math error. Prevents potential math over and underflows.
+ @retval FALSE Buffer doesn't overlap.
+
+ **/
+@@ -620,11 +621,24 @@ InternalIsBufferOverlapped (
+ IN UINTN Size2
+ )
+ {
++ UINTN End1;
++ UINTN End2;
++ BOOLEAN IsOverUnderflow1;
++ BOOLEAN IsOverUnderflow2;
++
++ // Check for over or underflow
++ IsOverUnderflow1 = EFI_ERROR (SafeUintnAdd ((UINTN)Buff1, Size1, &End1));
++ IsOverUnderflow2 = EFI_ERROR (SafeUintnAdd ((UINTN)Buff2, Size2, &End2));
++
++ if (IsOverUnderflow1 || IsOverUnderflow2) {
++ return TRUE;
++ }
++
+ //
+ // If buff1's end is less than the start of buff2, then it's ok.
+ // Also, if buff1's start is beyond buff2's end, then it's ok.
+ //
+- if (((Buff1 + Size1) <= Buff2) || (Buff1 >= (Buff2 + Size2))) {
++ if ((End1 <= (UINTN)Buff2) || ((UINTN)Buff1 >= End2)) {
+ return FALSE;
+ }
+
+@@ -651,6 +665,7 @@ SmmEntryPoint (
+ EFI_SMM_COMMUNICATE_HEADER *CommunicateHeader;
+ BOOLEAN InLegacyBoot;
+ BOOLEAN IsOverlapped;
++ BOOLEAN IsOverUnderflow;
+ VOID *CommunicationBuffer;
+ UINTN BufferSize;
+
+@@ -699,23 +714,31 @@ SmmEntryPoint (
+ (UINT8 *) gSmmCorePrivate,
+ sizeof (*gSmmCorePrivate)
+ );
+- if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) || IsOverlapped) {
++ //
++ // Check for over or underflows
++ //
++ IsOverUnderflow = EFI_ERROR (SafeUintnSub (BufferSize, OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data), &BufferSize));
++
++ if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) ||
++ IsOverlapped || IsOverUnderflow)
++ {
+ //
+ // If CommunicationBuffer is not in valid address scope,
+ // or there is overlap between gSmmCorePrivate and CommunicationBuffer,
++ // or there is over or underflow,
+ // return EFI_INVALID_PARAMETER
+ //
+ gSmmCorePrivate->CommunicationBuffer = NULL;
+ gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED;
+ } else {
+ CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommunicationBuffer;
+- BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data);
+- Status = SmiManage (
+- &CommunicateHeader->HeaderGuid,
+- NULL,
+- CommunicateHeader->Data,
+- &BufferSize
+- );
++ // BufferSize was updated by the SafeUintnSub() call above.
++ Status = SmiManage (
++ &CommunicateHeader->HeaderGuid,
++ NULL,
++ CommunicateHeader->Data,
++ &BufferSize
++ );
+ //
+ // Update CommunicationBuffer, BufferSize and ReturnStatus
+ // Communicate service finished, reset the pointer to CommBuffer to NULL
+diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h
+index 71422b9dfc..b8a490a8c3 100644
+--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h
++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h
+@@ -54,6 +54,7 @@
+ #include <Library/PerformanceLib.h>
+ #include <Library/HobLib.h>
+ #include <Library/SmmMemLib.h>
++#include <Library/SafeIntLib.h>
+
+ #include "PiSmmCorePrivateData.h"
+ #include "HeapGuard.h"
+diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf
+index c8bfae3860..3df44b38f1 100644
+--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf
++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf
+@@ -60,6 +60,7 @@
+ PerformanceLib
+ HobLib
+ SmmMemLib
++ SafeIntLib
+
+ [Protocols]
+ gEfiDxeSmmReadyToLockProtocolGuid ## UNDEFINED # SmiHandlerRegister
+diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
+index 4f00cebaf5..fbba868fd0 100644
+--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c
+@@ -34,8 +34,8 @@
+ #include <Library/UefiRuntimeLib.h>
+ #include <Library/PcdLib.h>
+ #include <Library/ReportStatusCodeLib.h>
+-
+ #include "PiSmmCorePrivateData.h"
++#include <Library/SafeIntLib.h>
+
+ #define SMRAM_CAPABILITIES (EFI_MEMORY_WB | EFI_MEMORY_UC)
+
+@@ -1354,6 +1354,7 @@ SmmSplitSmramEntry (
+ @param[in] ReservedRangeToCompare Pointer to EFI_SMM_RESERVED_SMRAM_REGION to compare.
+
+ @retval TRUE There is overlap.
++ @retval TRUE Math error.
+ @retval FALSE There is no overlap.
+
+ **/
+@@ -1353,11 +1354,29 @@ SmmIsSmramOverlap (
+ IN EFI_SMM_RESERVED_SMRAM_REGION *ReservedRangeToCompare
+ )
+ {
+- UINT64 RangeToCompareEnd;
+- UINT64 ReservedRangeToCompareEnd;
+-
+- RangeToCompareEnd = RangeToCompare->CpuStart + RangeToCompare->PhysicalSize;
+- ReservedRangeToCompareEnd = ReservedRangeToCompare->SmramReservedStart + ReservedRangeToCompare->SmramReservedSize;
++ UINT64 RangeToCompareEnd;
++ UINT64 ReservedRangeToCompareEnd;
++ BOOLEAN IsOverUnderflow1;
++ BOOLEAN IsOverUnderflow2;
++
++ // Check for over or underflow.
++ IsOverUnderflow1 = EFI_ERROR (
++ SafeUint64Add (
++ (UINT64)RangeToCompare->CpuStart,
++ RangeToCompare->PhysicalSize,
++ &RangeToCompareEnd
++ )
++ );
++ IsOverUnderflow2 = EFI_ERROR (
++ SafeUint64Add (
++ (UINT64)ReservedRangeToCompare->SmramReservedStart,
++ ReservedRangeToCompare->SmramReservedSize,
++ &ReservedRangeToCompareEnd
++ )
++ );
++ if (IsOverUnderflow1 || IsOverUnderflow2) {
++ return TRUE;
++ }
+
+ if ((RangeToCompare->CpuStart >= ReservedRangeToCompare->SmramReservedStart) &&
+ (RangeToCompare->CpuStart < ReservedRangeToCompareEnd)) {
+diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
+index 6109d6b544..ddeb39cee2 100644
+--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf
+@@ -46,6 +46,7 @@
+ DxeServicesLib
+ PcdLib
+ ReportStatusCodeLib
++ SafeIntLib
+
+ [Protocols]
+ gEfiSmmBase2ProtocolGuid ## PRODUCES
+--
+2.27.0
+
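Review bot: In SmmEntryPoint the header size is now subtracted from `BufferSize` before `SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize)` runs, so that check covers a range `OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data)` bytes shorter than the communication buffer. `CommunicateHeader->Data` with the reduced `BufferSize` still ends at the original end of the buffer, so the last header-sized stretch handed to `SmiManage` is not covered by the check, although the overlap test above it still uses the full size. I would take the validity result before the subtraction, `IsValid = SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize);` ahead of the `SafeUintnSub` call, and test `!IsValid` in the condition. The comment in that branch also says EFI_INVALID_PARAMETER while the code stores `EFI_ACCESS_DENIED`. SmmEntryPoint's body starts and ends outside the hunk, and how SmmIsBufferOutsideSmmValid treats the range is not visible here.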
diff --git a/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch b/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
new file mode 100644
index 0000000..99ddb6f
--- /dev/null
+++ b/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
@@ -0,0 +1,43 @@
+From a114dc3c9af48a8f8ed22e738944a9c3e830a088 Mon Sep 17 00:00:00 2001
+From Shao Denghui <shaodenghui@huawei.com>
+Date: Mon, 20 Feb 2023 21:59:31 +0800
+Subject: [PATCH] [PATCH] Avoid dangling ptrs in header and data params for
+ PEM_read_bio_ex In the event of a failure in PEM_read_bio_ex() we free the
+ buffers we allocated for the header and data buffers. However we were not
+ clearing the ptrs stored in *header and *data. Since, on success, the caller
+ is responsible for freeing these ptrs this can potentially lead to a double
+ free if the caller frees them even on failure.
+
+Thanks to Dawei Wang for reporting this issue.
+
+Based on a proposed patch by Kurt Roeckx.
+
+CVE-2022-4450
+
+Reference: https://github.com/openssl/openssl/commit/ee6243f3947107d655f6dee96f63861561a5aaeb
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+
+Signed-off-by: Shao Denghui <shaodenghui@huawei.com>
+---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c
+index 64baf71..6c7c4fe 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c
+@@ -940,7 +940,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
+ *data = pem_malloc(len, flags);
+ if (*header == NULL || *data == NULL) {
+ pem_free(*header, flags, 0);
++ *header = NULL;
+ pem_free(*data, flags, 0);
++ *data = NULL;
+ goto end;
+ }
+ BIO_read(headerB, *header, headerlen);
+--
+2.27.0
+
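Review bot: The mail header of this patch file is malformed: its second line reads `From Shao Denghui <shaodenghui@huawei.com>` without the colon, and `Subject:` carries a doubled `[PATCH] [PATCH]` prefix with the whole description folded into it. Tools that read author and title from the header may not attribute this backport correctly, which makes the provenance of the CVE-2022-4450 fix harder to audit. I would write `From: Shao Denghui <shaodenghui@huawei.com>`, keep only the first sentence in `Subject:`, and move the rest into the body. The same colon-less `From` line and doubled prefix appear in 0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch.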
diff --git a/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch b/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
new file mode 100644
index 0000000..9852ad6
--- /dev/null
+++ b/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
@@ -0,0 +1,57 @@
+From 7dd5a23212e3c7bf25a9cd7689681beb89b2d20f Mon Sep 17 00:00:00 2001
+From Shao Denghui <shaodenghui@huawei.com>
+Date: Tue, 21 Feb 2023 20:12:59 +0800
+Subject: [PATCH] [PATCH] pk7_doit.c: Check return of BIO_set_md() calls
+
+These calls invoke EVP_DigestInit() which can fail for digests
+with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write()
+or EVP_DigestFinal() from BIO_read() will segfault on NULL
+dereference. This can be triggered by an attacker providing
+PKCS7 data digested with MD4 for example if the legacy provider
+is not loaded.
+
+If BIO_set_md() fails the md BIO cannot be used.
+
+CVE-2023-0401
+
+Reference: https://github.com/openssl/openssl/commit/6eebe6c0238178356114a96a7858f36b24172847
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Signed-off-by: Shao Denghui <shaodenghui@huawei.com>
+---
+ .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+index f63fbc5..bbfcf27 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+@@ -67,7 +67,10 @@ static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg)
+ goto err;
+ }
+
+- BIO_set_md(btmp, md);
++ if (BIO_set_md(btmp, md) <= 0) {
++ PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB);
++ goto err;
++ }
+ if (*pbio == NULL)
+ *pbio = btmp;
+ else if (!BIO_push(*pbio, btmp)) {
+@@ -454,7 +457,10 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
+ goto err;
+ }
+
+- BIO_set_md(btmp, evp_md);
++ if (BIO_set_md(btmp, evp_md) <= 0) {
++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB);
++ goto err;
++ }
+ if (out == NULL)
+ out = btmp;
+ else
+--
+2.27.0
+
diff --git a/0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch b/0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
new file mode 100644
index 0000000..0c51792
--- /dev/null
+++ b/0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
@@ -0,0 +1,106 @@
+From 93bb2a5f1df1617502c24f287ea4e5ca351aef95 Mon Sep 17 00:00:00 2001
+From: chenhuiying <chenhuiying4@huawei.com>
+Date: Sat, 25 Feb 2023 15:05:15 +0800
+Subject: [PATCH] Fix a UAF resulting from a bug in BIO_new_NDEF
+
+If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
+be part of an invalid BIO chain. This causes a "use after free" when the
+BIO is eventually freed.
+
+Based on an original patch by Viktor Dukhovni and an idea from Theo
+Buehler.
+
+Thanks to Octavio Galland for reporting this issue.
+
+REF: https://github.com/openssl/openssl/commit/c3829dd8825c654652201e16f8a0a0c46ee3f344
+Signed-off-by: chenhuiying <chenhuiying4@huawei.com>
+---
+ .../OpensslLib/openssl/crypto/asn1/bio_ndef.c | 39 +++++++++++++++----
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c
+index 6222c99..cf52468 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c
+@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
+ static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
+ void *parg);
+
++/*
++ * On success, the returned BIO owns the input BIO as part of its BIO chain.
++ * On failure, NULL is returned and the input BIO is owned by the caller.
++ *
++ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
++ */
+ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ {
+ NDEF_SUPPORT *ndef_aux = NULL;
+ BIO *asn_bio = NULL;
+ const ASN1_AUX *aux = it->funcs;
+ ASN1_STREAM_ARG sarg;
++ BIO *pop_bio = NULL;
+
+ if (!aux || !aux->asn1_cb) {
+ ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
+@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ out = BIO_push(asn_bio, out);
+ if (out == NULL)
+ goto err;
++ pop_bio = asn_bio;
+
+- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
+- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
++ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
++ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
++ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
++ goto err;
+
+ /*
+- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
+- * needs.
++ * Now let the callback prepend any digest, cipher, etc., that the BIO's
++ * ASN1 structure needs.
+ */
+
+ sarg.out = out;
+ sarg.ndef_bio = NULL;
+ sarg.boundary = NULL;
+
+- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
++ /*
++ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
++ * middle of some partially built, but not returned BIO chain.
++ */
++ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
++ /*
++ * ndef_aux is now owned by asn_bio so we must not free it in the err
++ * clean up block
++ */
++ ndef_aux = NULL;
+ goto err;
++ }
++
++ /*
++ * We must not fail now because the callback has prepended additional
++ * BIOs to the chain
++ */
+
+ ndef_aux->val = val;
+ ndef_aux->it = it;
+@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ ndef_aux->boundary = sarg.boundary;
+ ndef_aux->out = out;
+
+- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
+-
+ return sarg.ndef_bio;
+
+ err:
++ /* BIO_pop() is NULL safe */
++ (void)BIO_pop(pop_bio);
+ BIO_free(asn_bio);
+ OPENSSL_free(ndef_aux);
+ return NULL;
+--
+2.27.0
+
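Review bot: The rewritten error path in BIO_new_NDEF depends on an ownership rule that the `err:` label does not state. Once `BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux)` has succeeded, `ndef_aux` is expected to go away with `BIO_free(asn_bio)`, while the earlier `goto err` cases still need `OPENSSL_free(ndef_aux)`. The callback branch handles this by setting `ndef_aux = NULL`, but a later edit that adds another failure exit after the `BIO_ctrl` call could easily free it twice. I would add at the label `/* ndef_aux is NULL here once asn_bio owns it; otherwise it is still ours to free */`. How BIO_free() releases the ex_arg is not visible in this hunk, so that part rests on the patch's own comment.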
diff --git a/0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch b/0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
new file mode 100644
index 0000000..f42b436
--- /dev/null
+++ b/0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
@@ -0,0 +1,79 @@
+From cb81a80d059f41b0930fcc36c36a155244f3873a Mon Sep 17 00:00:00 2001
+From: chenhuiying <chenhuiying4@huawei.com>
+Date: Sat, 25 Feb 2023 16:18:41 +0800
+Subject: [PATCH] Check CMS failure during BIO setup with -stream is handled correctly
+
+Test for the issue fixed in the previous commit
+
+REF:https://github.com/openssl/openssl/commit/f040f2577891d2bdb7610566c172233844cf673a
+Signed-off-by: chenhuiying <chenhuiying4@huawei.com>
+---
+ .../openssl/test/recipes/80-test_cms.t | 15 +++++++++++++--
+ .../openssl/test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+ create mode 100644 CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t
+index 5dc6a3a..ec11bfc 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t
+@@ -13,7 +13,7 @@ use warnings;
+ use POSIX;
+ use File::Spec::Functions qw/catfile/;
+ use File::Compare qw/compare_text/;
+-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
++use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/;
+ use OpenSSL::Test::Utils;
+
+ setup("test_cms");
+@@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt");
+ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
+ = disabled qw/des dh dsa ec ec2m rc2 zlib/;
+
+-plan tests => 6;
++plan tests => 7;
+
+ my @smime_pkcs7_tests = (
+
+@@ -584,3 +584,14 @@ sub check_availability {
+
+ return "";
+ }
++
++# Check that we get the expected failure return code
++with({ exit_checker => sub { return shift == 6; } },
++ sub {
++ ok(run(app(['openssl', 'cms', '-encrypt',
++ '-in', srctop_file("test", "smcont.txt"),
++ '-stream', '-recip',
++ srctop_file("test/smime-certs", "badrsa.pem"),
++ ])),
++ "Check failure during BIO setup with -stream is handled correctly");
++ });
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem
+new file mode 100644
+index 0000000..f824fc2
+--- /dev/null
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem
+@@ -0,0 +1,18 @@
++-----BEGIN CERTIFICATE-----
++MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
++VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
++DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
++AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
++I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
++/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
++yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
++zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
++lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
++CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
++ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
++eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
++5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
++rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
++yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
++j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
++-----END CERTIFICATE-----
+--
+2.27.0
+
diff --git a/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch b/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch
new file mode 100644
index 0000000..e670922
--- /dev/null
+++ b/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch
@@ -0,0 +1,102 @@
+From fe9395b9fe1507236eafd147dc0cd4a8c9bf1fe6 Mon Sep 17 00:00:00 2001
+From: chenhuiying <chenhuiying4@huawei.com>
+Date: Sat, 25 Feb 2023 17:54:23 +0800
+Subject: [PATCH] Correctly compare EdiPartyName in GENERAL_NAME_cmp()
+
+If a GENERAL_NAME field contained EdiPartyName data then it was
+incorrectly being handled as type "other". This could lead to a
+segmentation fault.
+
+Many thanks to David Benjamin from Google for reporting this issue.
+
+CVE-2020-1971
+
+reference: https://github.com/openssl/openssl/commit/f960d81215ebf3f65e03d4d5d857fb9b666d6920
+Signed-off-by: chenhuiying <chenhuiying4@huawei.com>
+---
+ .../openssl/crypto/x509v3/v3_genn.c | 45 +++++++++++++++++--
+ 1 file changed, 42 insertions(+), 3 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
+index 23e3bc4..23778e2 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
+@@ -57,6 +57,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a)
+ (char *)a);
+ }
+
++static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)
++{
++ int res;
++
++ if (a == NULL || b == NULL) {
++ /*
++ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it
++ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here
++ */
++ return -1;
++ }
++ if (a->nameAssigner == NULL && b->nameAssigner != NULL)
++ return -1;
++ if (a->nameAssigner != NULL && b->nameAssigner == NULL)
++ return 1;
++ /* If we get here then both have nameAssigner set, or both unset */
++ if (a->nameAssigner != NULL) {
++ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner);
++ if (res != 0)
++ return res;
++ }
++ /*
++ * partyName is required, so these should never be NULL. We treat it in
++ * the same way as the a == NULL || b == NULL case above
++ */
++ if (a->partyName == NULL || b->partyName == NULL)
++ return -1;
++
++ return ASN1_STRING_cmp(a->partyName, b->partyName);
++}
++
+ /* Returns 0 if they are equal, != 0 otherwise. */
+ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+ {
+@@ -66,8 +97,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+ return -1;
+ switch (a->type) {
+ case GEN_X400:
++ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++ break;
++
+ case GEN_EDIPARTY:
+- result = ASN1_TYPE_cmp(a->d.other, b->d.other);
++ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
+ break;
+
+ case GEN_OTHERNAME:
+@@ -114,8 +148,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
+ {
+ switch (type) {
+ case GEN_X400:
++ a->d.x400Address = value;
++ break;
++
+ case GEN_EDIPARTY:
+- a->d.other = value;
++ a->d.ediPartyName = value;
+ break;
+
+ case GEN_OTHERNAME:
+@@ -149,8 +186,10 @@ void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype)
+ *ptype = a->type;
+ switch (a->type) {
+ case GEN_X400:
++ return a->d.x400Address;
++
+ case GEN_EDIPARTY:
+- return a->d.other;
++ return a->d.ediPartyName;
+
+ case GEN_OTHERNAME:
+ return a->d.otherName;
+--
+2.27.0
+
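Review bot: The new static helper `edipartyname_cmp` has no header comment, and its return values do not form an ordering: it returns -1 whenever either argument or either `partyName` is NULL, whichever way round the arguments are passed. That is enough for `GENERAL_NAME_cmp`, whose comment promises only 0 or non-zero, but a later caller could mistake the helper for a sort comparator. I would document it above the definition, for example `/* Returns 0 if equal, != 0 otherwise; not an ordering (NULL never compares equal). */`.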
diff --git a/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch b/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch
new file mode 100644
index 0000000..24e3c8a
--- /dev/null
+++ b/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch
@@ -0,0 +1,41 @@
+From 7553d2119f3c899f779eaacafff63feaa843814a Mon Sep 17 00:00:00 2001
+From: s00803682 <shaodenghui@huawei.com>
+Date: Sat, 25 Feb 2023 18:22:13 +0800
+Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
+
+REF: https://github.com/openssl/openssl/commit/2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9
+Signed-off-by: chenhuiying <chenhuiying4@huawei.com>
+---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c | 2 +-
+ CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
+index 23778e2..12ce733 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c
+@@ -97,7 +97,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+ return -1;
+ switch (a->type) {
+ case GEN_X400:
+- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
+ break;
+
+ case GEN_EDIPARTY:
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h
+index 6c6eca3..b80438d 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h
+@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
+ OTHERNAME *otherName; /* otherName */
+ ASN1_IA5STRING *rfc822Name;
+ ASN1_IA5STRING *dNSName;
+- ASN1_TYPE *x400Address;
++ ASN1_STRING *x400Address;
+ X509_NAME *directoryName;
+ EDIPARTYNAME *ediPartyName;
+ ASN1_IA5STRING *uniformResourceIdentifier;
+--
+2.27.0
+
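Review bot: The second hunk changes a field type in the public header `x509v3.h` (`ASN1_TYPE *x400Address` becomes `ASN1_STRING *x400Address`), but the patch updates only one user, the `GEN_X400` case of `GENERAL_NAME_cmp`. Any other code built against this header that still treats `d.x400Address` as an `ASN1_TYPE` would keep the type mismatch this fix removes. A C compiler typically reports mismatched pointer types only as a warning, so it is worth searching the vendored tree and the CryptoPkg wrappers for remaining uses. The description is also empty apart from the reference; one sentence such as `x400Address is compared and declared as ASN1_STRING instead of ASN1_TYPE.` would show what changed without opening the upstream commit.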
diff --git a/0029-Fix-Timing-Oracle-in-RSA-decryption.patch b/0029-Fix-Timing-Oracle-in-RSA-decryption.patch
new file mode 100644
index 0000000..3e57625
--- /dev/null
+++ b/0029-Fix-Timing-Oracle-in-RSA-decryption.patch
@@ -0,0 +1,834 @@
+From df422474e4e7e2f380840eeb9d6e466312fe0879 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 20 Jan 2023 15:26:54 +0000
+Subject: [PATCH] Fix Timing Oracle in RSA decryption
+
+A timing based side channel exists in the OpenSSL RSA Decryption
+implementation which could be sufficient to recover a plaintext across
+a network in a Bleichenbacher style attack. To achieve a successful
+decryption an attacker would have to be able to send a very large number
+of trial messages for decryption. The vulnerability affects all RSA
+padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
+
+Patch written by Dmitry Belyavsky and Hubert Kario
+
+CVE-2022-4304
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+
+reference: https://github.com/openssl/openssl/pull/20284
+Signed-off-by: yexiao <yexiao7@huawei.com>
+---
+ CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 +
+ .../Library/OpensslLib/OpensslLibCrypto.inf | 1 +
+ .../OpensslLib/openssl/crypto/bn/bn_blind.c | 14 -
+ .../OpensslLib/openssl/crypto/bn/bn_err.c | 2 +
+ .../OpensslLib/openssl/crypto/bn/bn_local.h | 14 +
+ .../OpensslLib/openssl/crypto/bn/build.info | 3 +-
+ .../openssl/crypto/bn/rsa_sup_mul.c | 614 ++++++++++++++++++
+ .../OpensslLib/openssl/crypto/err/openssl.txt | 3 +-
+ .../OpensslLib/openssl/crypto/rsa/rsa_ossl.c | 17 +-
+ .../OpensslLib/openssl/include/crypto/bn.h | 5 +
+ .../openssl/include/openssl/bnerr.h | 1 +
+ 11 files changed, 655 insertions(+), 20 deletions(-)
+ create mode 100644 CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c
+
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+index b00bb74..ec5be59 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+@@ -155,6 +155,7 @@
+ $(OPENSSL_PATH)/crypto/bn/bn_sqr.c
+ $(OPENSSL_PATH)/crypto/bn/bn_sqrt.c
+ $(OPENSSL_PATH)/crypto/bn/bn_srp.c
++ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
+ $(OPENSSL_PATH)/crypto/bn/bn_word.c
+ $(OPENSSL_PATH)/crypto/bn/bn_x931p.c
+ $(OPENSSL_PATH)/crypto/buffer/buf_err.c
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+index 3557711..ee68e48 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+@@ -155,6 +155,7 @@
+ $(OPENSSL_PATH)/crypto/bn/bn_sqr.c
+ $(OPENSSL_PATH)/crypto/bn/bn_sqrt.c
+ $(OPENSSL_PATH)/crypto/bn/bn_srp.c
++ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
+ $(OPENSSL_PATH)/crypto/bn/bn_word.c
+ $(OPENSSL_PATH)/crypto/bn/bn_x931p.c
+ $(OPENSSL_PATH)/crypto/buffer/buf_err.c
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c
+index 76fc7eb..6e9d239 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c
+@@ -13,20 +13,6 @@
+
+ #define BN_BLINDING_COUNTER 32
+
+-struct bn_blinding_st {
+- BIGNUM *A;
+- BIGNUM *Ai;
+- BIGNUM *e;
+- BIGNUM *mod; /* just a reference */
+- CRYPTO_THREAD_ID tid;
+- int counter;
+- unsigned long flags;
+- BN_MONT_CTX *m_ctx;
+- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+- CRYPTO_RWLOCK *lock;
+-};
+-
+ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
+ {
+ BN_BLINDING *ret = NULL;
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c
+index dd87c15..3dd8d9a 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c
+@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = {
+ {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"},
+ {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"},
+ {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"},
++ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0),
++ "ossl_bn_rsa_do_unblind"},
+ {0, NULL}
+ };
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h
+index 8ad69cc..0965135 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h
+@@ -263,6 +263,20 @@ struct bn_gencb_st {
+ } cb;
+ };
+
++struct bn_blinding_st {
++ BIGNUM *A;
++ BIGNUM *Ai;
++ BIGNUM *e;
++ BIGNUM *mod; /* just a reference */
++ CRYPTO_THREAD_ID tid;
++ int counter;
++ unsigned long flags;
++ BN_MONT_CTX *m_ctx;
++ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
++ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
++ CRYPTO_RWLOCK *lock;
++};
++
+ /*-
+ * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
+ *
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info
+index b9ed532..c9fe2fd 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info
+@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\
+ bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \
+ {- $target{bn_asm_src} -} \
+ bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
+- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c
++ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \
++ rsa_sup_mul.c
+
+ INCLUDE[bn_exp.o]=..
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c
+new file mode 100644
+index 0000000..acafefd
+--- /dev/null
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c
+@@ -0,0 +1,614 @@
++#include <openssl/e_os2.h>
++#include <stddef.h>
++#include <sys/types.h>
++#include <string.h>
++#include <openssl/bn.h>
++#include <openssl/err.h>
++#include <openssl/rsaerr.h>
++#include "internal/numbers.h"
++#include "internal/constant_time.h"
++#include "bn_local.h"
++
++# if BN_BYTES == 8
++typedef uint64_t limb_t;
++# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
++/* nonstandard; implemented by gcc on 64-bit platforms */
++typedef __uint128_t limb2_t;
++# define HAVE_LIMB2_T
++# endif
++# define LIMB_BIT_SIZE 64
++# define LIMB_BYTE_SIZE 8
++# elif BN_BYTES == 4
++typedef uint32_t limb_t;
++typedef uint64_t limb2_t;
++# define LIMB_BIT_SIZE 32
++# define LIMB_BYTE_SIZE 4
++# define HAVE_LIMB2_T
++# else
++# error "Not supported"
++# endif
++
++/*
++ * For multiplication we're using schoolbook multiplication,
++ * so if we have two numbers, each with 6 "digits" (words)
++ * the multiplication is calculated as follows:
++ * A B C D E F
++ * x I J K L M N
++ * --------------
++ * N*F
++ * N*E
++ * N*D
++ * N*C
++ * N*B
++ * N*A
++ * M*F
++ * M*E
++ * M*D
++ * M*C
++ * M*B
++ * M*A
++ * L*F
++ * L*E
++ * L*D
++ * L*C
++ * L*B
++ * L*A
++ * K*F
++ * K*E
++ * K*D
++ * K*C
++ * K*B
++ * K*A
++ * J*F
++ * J*E
++ * J*D
++ * J*C
++ * J*B
++ * J*A
++ * I*F
++ * I*E
++ * I*D
++ * I*C
++ * I*B
++ * + I*A
++ * ==========================
++ * N*B N*D N*F
++ * + N*A N*C N*E
++ * + M*B M*D M*F
++ * + M*A M*C M*E
++ * + L*B L*D L*F
++ * + L*A L*C L*E
++ * + K*B K*D K*F
++ * + K*A K*C K*E
++ * + J*B J*D J*F
++ * + J*A J*C J*E
++ * + I*B I*D I*F
++ * + I*A I*C I*E
++ *
++ * 1+1 1+3 1+5
++ * 1+0 1+2 1+4
++ * 0+1 0+3 0+5
++ * 0+0 0+2 0+4
++ *
++ * 0 1 2 3 4 5 6
++ * which requires n^2 multiplications and 2n full length additions
++ * as we can keep every other result of limb multiplication in two separate
++ * limbs
++ */
++
++#if defined HAVE_LIMB2_T
++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
++{
++ limb2_t t;
++ /*
++ * this is idiomatic code to tell compiler to use the native mul
++ * those three lines will actually compile to single instruction
++ */
++
++ t = (limb2_t)a * b;
++ *hi = t >> LIMB_BIT_SIZE;
++ *lo = (limb_t)t;
++}
++#elif (BN_BYTES == 8) && (defined _MSC_VER)
++/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */
++#pragma intrinsic(_umul128)
++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
++{
++ *lo = _umul128(a, b, hi);
++}
++#else
++/*
++ * if the compiler doesn't have either a 128bit data type nor a "return
++ * high 64 bits of multiplication"
++ */
++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b)
++{
++ limb_t a_low = (limb_t)(uint32_t)a;
++ limb_t a_hi = a >> 32;
++ limb_t b_low = (limb_t)(uint32_t)b;
++ limb_t b_hi = b >> 32;
++
++ limb_t p0 = a_low * b_low;
++ limb_t p1 = a_low * b_hi;
++ limb_t p2 = a_hi * b_low;
++ limb_t p3 = a_hi * b_hi;
++
++ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32);
++
++ *lo = p0 + (p1 << 32) + (p2 << 32);
++ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy;
++}
++#endif
++
++/* add two limbs with carry in, return carry out */
++static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry)
++{
++ limb_t carry1, carry2, t;
++ /*
++ * `c = a + b; if (c < a)` is idiomatic code that makes compilers
++ * use add with carry on assembly level
++ */
++
++ *ret = a + carry;
++ if (*ret < a)
++ carry1 = 1;
++ else
++ carry1 = 0;
++
++ t = *ret;
++ *ret = t + b;
++ if (*ret < t)
++ carry2 = 1;
++ else
++ carry2 = 0;
++
++ return carry1 + carry2;
++}
++
++/*
++ * add two numbers of the same size, return overflow
++ *
++ * add a to b, place result in ret; all arrays need to be n limbs long
++ * return overflow from addition (0 or 1)
++ */
++static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n)
++{
++ limb_t c = 0;
++ ossl_ssize_t i;
++
++ for(i = n - 1; i > -1; i--)
++ c = _add_limb(&ret[i], a[i], b[i], c);
++
++ return c;
++}
++
++/*
++ * return number of limbs necessary for temporary values
++ * when multiplying numbers n limbs large
++ */
++static ossl_inline size_t mul_limb_numb(size_t n)
++{
++ return 2 * n * 2;
++}
++
++/*
++ * multiply two numbers of the same size
++ *
++ * multiply a by b, place result in ret; a and b need to be n limbs long
++ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs
++ * long
++ */
++static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp)
++{
++ limb_t *r_odd, *r_even;
++ size_t i, j, k;
++
++ r_odd = tmp;
++ r_even = &tmp[2 * n];
++
++ memset(ret, 0, 2 * n * sizeof(limb_t));
++
++ for (i = 0; i < n; i++) {
++ for (k = 0; k < i + n + 1; k++) {
++ r_even[k] = 0;
++ r_odd[k] = 0;
++ }
++ for (j = 0; j < n; j++) {
++ /*
++ * place results from even and odd limbs in separate arrays so that
++ * we don't have to calculate overflow every time we get individual
++ * limb multiplication result
++ */
++ if (j % 2 == 0)
++ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]);
++ else
++ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]);
++ }
++ /*
++ * skip the least significant limbs when adding multiples of
++ * more significant limbs (they're zero anyway)
++ */
++ add(ret, ret, r_even, n + i + 1);
++ add(ret, ret, r_odd, n + i + 1);
++ }
++}
++
++/* modifies the value in place by performing a right shift by one bit */
++static ossl_inline void rshift1(limb_t *val, size_t n)
++{
++ limb_t shift_in = 0, shift_out = 0;
++ size_t i;
++
++ for (i = 0; i < n; i++) {
++ shift_out = val[i] & 1;
++ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1);
++ shift_in = shift_out;
++ }
++}
++
++/* extend the LSB of flag to all bits of limb */
++static ossl_inline limb_t mk_mask(limb_t flag)
++{
++ flag |= flag << 1;
++ flag |= flag << 2;
++ flag |= flag << 4;
++ flag |= flag << 8;
++ flag |= flag << 16;
++#if (LIMB_BYTE_SIZE == 8)
++ flag |= flag << 32;
++#endif
++ return flag;
++}
++
++/*
++ * copy from either a or b to ret based on flag
++ * when flag == 0, then copies from b
++ * when flag == 1, then copies from a
++ */
++static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n)
++{
++ /*
++ * would be more efficient with non volatile mask, but then gcc
++ * generates code with jumps
++ */
++ volatile limb_t mask;
++ size_t i;
++
++ mask = mk_mask(flag);
++ for (i = 0; i < n; i++) {
++#if (LIMB_BYTE_SIZE == 8)
++ ret[i] = constant_time_select_64(mask, a[i], b[i]);
++#else
++ ret[i] = constant_time_select_32(mask, a[i], b[i]);
++#endif
++ }
++}
++
++static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow)
++{
++ limb_t borrow1, borrow2, t;
++ /*
++ * while it doesn't look constant-time, this is idiomatic code
++ * to tell compilers to use the carry bit from subtraction
++ */
++
++ *ret = a - borrow;
++ if (*ret > a)
++ borrow1 = 1;
++ else
++ borrow1 = 0;
++
++ t = *ret;
++ *ret = t - b;
++ if (*ret > t)
++ borrow2 = 1;
++ else
++ borrow2 = 0;
++
++ return borrow1 + borrow2;
++}
++
++/*
++ * place the result of a - b into ret, return the borrow bit.
++ * All arrays need to be n limbs long
++ */
++static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n)
++{
++ limb_t borrow = 0;
++ ossl_ssize_t i;
++
++ for (i = n - 1; i > -1; i--)
++ borrow = _sub_limb(&ret[i], a[i], b[i], borrow);
++
++ return borrow;
++}
++
++/* return the number of limbs necessary to allocate for the mod() tmp operand */
++static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum)
++{
++ return (anum + modnum) * 3;
++}
++
++/*
++ * calculate a % mod, place the result in ret
++ * size of a is defined by anum, size of ret and mod is modnum,
++ * size of tmp is returned by mod_limb_numb()
++ */
++static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
++ size_t modnum, limb_t *tmp)
++{
++ limb_t *atmp, *modtmp, *rettmp;
++ limb_t res;
++ size_t i;
++
++ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE);
++
++ atmp = tmp;
++ modtmp = &tmp[anum + modnum];
++ rettmp = &tmp[(anum + modnum) * 2];
++
++ for (i = modnum; i <modnum + anum; i++)
++ atmp[i] = a[i-modnum];
++
++ for (i = 0; i < modnum; i++)
++ modtmp[i] = mod[i];
++
++ for (i = 0; i < anum * LIMB_BIT_SIZE; i++) {
++ rshift1(modtmp, anum + modnum);
++ res = sub(rettmp, atmp, modtmp, anum+modnum);
++ cselect(res, atmp, atmp, rettmp, anum+modnum);
++ }
++
++ memcpy(ret, &atmp[anum], sizeof(limb_t) * modnum);
++}
++
++/* necessary size of tmp for a _mul_add_limb() call with provided anum */
++static ossl_inline size_t _mul_add_limb_numb(size_t anum)
++{
++ return 2 * (anum + 1);
++}
++
++/* multiply a by m, add to ret, return carry */
++static limb_t _mul_add_limb(limb_t *ret, limb_t *a, size_t anum,
++ limb_t m, limb_t *tmp)
++{
++ limb_t carry = 0;
++ limb_t *r_odd, *r_even;
++ size_t i;
++
++ memset(tmp, 0, sizeof(limb_t) * (anum + 1) * 2);
++
++ r_odd = tmp;
++ r_even = &tmp[anum + 1];
++
++ for (i = 0; i < anum; i++) {
++ /*
++ * place the results from even and odd limbs in separate arrays
++ * so that we have to worry about carry just once
++ */
++ if (i % 2 == 0)
++ _mul_limb(&r_even[i], &r_even[i + 1], a[i], m);
++ else
++ _mul_limb(&r_odd[i], &r_odd[i + 1], a[i], m);
++ }
++ /* assert: add() carry here will be equal zero */
++ add(r_even, r_even, r_odd, anum + 1);
++ /*
++ * while here it will not overflow as the max value from multiplication
++ * is -2 while max overflow from addition is 1, so the max value of
++ * carry is -1 (i.e. max int)
++ */
++ carry = add(ret, ret, &r_even[1], anum) + r_even[0];
++
++ return carry;
++}
++
++static ossl_inline size_t mod_montgomery_limb_numb(size_t modnum)
++{
++ return modnum * 2 + _mul_add_limb_numb(modnum);
++}
++
++/*
++ * calculate a % mod, place result in ret
++ * assumes that a is in Montgomery form with the R (Montgomery modulus) being
++ * smallest power of two big enough to fit mod and that's also a power
++ * of the count of number of bits in limb_t (B).
++ * For calculation, we also need n', such that mod * n' == -1 mod B.
++ * anum must be <= 2 * modnum
++ * ret needs to be modnum words long
++ * tmp needs to be mod_montgomery_limb_numb(modnum) limbs long
++ */
++static void mod_montgomery(limb_t *ret, limb_t *a, size_t anum, limb_t *mod,
++ size_t modnum, limb_t ni0, limb_t *tmp)
++{
++ limb_t carry, v;
++ limb_t *res, *rp, *tmp2;
++ ossl_ssize_t i;
++
++ res = tmp;
++ /*
++ * for intermediate result we need an integer twice as long as modulus
++ * but keep the input in the least significant limbs
++ */
++ memset(res, 0, sizeof(limb_t) * (modnum * 2));
++ memcpy(&res[modnum * 2 - anum], a, sizeof(limb_t) * anum);
++ rp = &res[modnum];
++ tmp2 = &res[modnum * 2];
++
++ carry = 0;
++
++ /* add multiples of the modulus to the value until R divides it cleanly */
++ for (i = modnum; i > 0; i--, rp--) {
++ v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2);
++ v = v + carry + rp[-1];
++ carry |= (v != rp[-1]);
++ carry &= (v <= rp[-1]);
++ rp[-1] = v;
++ }
++
++ /* perform the final reduction by mod... */
++ carry -= sub(ret, rp, mod, modnum);
++
++ /* ...conditionally */
++ cselect(carry, ret, rp, ret, modnum);
++}
++
++/* allocated buffer should be freed afterwards */
++static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs)
++{
++ int i;
++ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
++ limb_t *ptr = buf + (limbs - real_limbs);
++
++ for (i = 0; i < real_limbs; i++)
++ ptr[i] = bn->d[real_limbs - i - 1];
++}
++
++#if LIMB_BYTE_SIZE == 8
++static ossl_inline uint64_t be64(uint64_t host)
++{
++ const union {
++ long one;
++ char little;
++ } is_endian = { 1 };
++
++ if (is_endian.little) {
++ uint64_t big = 0;
++
++ big |= (host & 0xff00000000000000) >> 56;
++ big |= (host & 0x00ff000000000000) >> 40;
++ big |= (host & 0x0000ff0000000000) >> 24;
++ big |= (host & 0x000000ff00000000) >> 8;
++ big |= (host & 0x00000000ff000000) << 8;
++ big |= (host & 0x0000000000ff0000) << 24;
++ big |= (host & 0x000000000000ff00) << 40;
++ big |= (host & 0x00000000000000ff) << 56;
++ return big;
++ } else {
++ return host;
++ }
++}
++
++#else
++/* Not all platforms have htobe32(). */
++static ossl_inline uint32_t be32(uint32_t host)
++{
++ const union {
++ long one;
++ char little;
++ } is_endian = { 1 };
++
++ if (is_endian.little) {
++ uint32_t big = 0;
++
++ big |= (host & 0xff000000) >> 24;
++ big |= (host & 0x00ff0000) >> 8;
++ big |= (host & 0x0000ff00) << 8;
++ big |= (host & 0x000000ff) << 24;
++ return big;
++ } else {
++ return host;
++ }
++}
++#endif
++
++/*
++ * We assume that intermediate, possible_arg2, blinding, and ctx are used
++ * similar to BN_BLINDING_invert_ex() arguments.
++ * to_mod is RSA modulus.
++ * buf and num is the serialization buffer and its length.
++ *
++ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished
++ * we serialize the new structure instead of BIGNUMs taking endianness into account.
++ */
++int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
++ const BN_BLINDING *blinding,
++ const BIGNUM *possible_arg2,
++ const BIGNUM *to_mod, BN_CTX *ctx,
++ unsigned char *buf, int num)
++{
++ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL;
++ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf;
++ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0;
++ size_t l_tmp_count = 0;
++ int ret = 0;
++ size_t i;
++ unsigned char *tmp;
++ const BIGNUM *arg1 = intermediate;
++ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2;
++
++ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
++ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
++ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE;
++
++ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count;
++ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
++ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE);
++ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE);
++
++ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL))
++ goto err;
++
++ BN_to_limb(arg1, l_im, l_size);
++ BN_to_limb(arg2, l_mul, l_size);
++ BN_to_limb(to_mod, l_mod, l_mod_count);
++
++ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE);
++
++ if (blinding->m_ctx != NULL) {
++ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ?
++ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count);
++ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
++ } else {
++ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ?
++ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count);
++ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE);
++ }
++
++ if ((l_ret == NULL) || (l_tmp == NULL))
++ goto err;
++
++ if (blinding->m_ctx != NULL) {
++ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
++ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count,
++ blinding->m_ctx->n0[0], l_tmp);
++ } else {
++ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp);
++ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp);
++ }
++
++ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */
++ if (num < BN_num_bytes(to_mod)) {
++ BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT);
++ goto err;
++ }
++
++ memset(buf, 0, num);
++ tmp = buf + num - BN_num_bytes(to_mod);
++ for (i = 0; i < l_mod_count; i++) {
++#if LIMB_BYTE_SIZE == 8
++ l_buf = be64(l_ret[i]);
++#else
++ l_buf = be32(l_ret[i]);
++#endif
++ if (i == 0) {
++ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num);
++
++ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta);
++ tmp += delta;
++ } else {
++ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE);
++ tmp += LIMB_BYTE_SIZE;
++ }
++ }
++ ret = num;
++
++ err:
++ OPENSSL_free(l_im);
++ OPENSSL_free(l_mul);
++ OPENSSL_free(l_mod);
++ OPENSSL_free(l_tmp);
++ OPENSSL_free(l_ret);
++
++ return ret;
++}
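Review bot: In ossl_bn_rsa_do_unblind() the first-limb length `delta` is computed from `num`, while the write pointer `tmp` is computed from `BN_num_bytes(to_mod)`, so the two agree only when `num` equals the modulus byte length. The guard above rejects only `num < BN_num_bytes(to_mod)`; with a larger `num` the loop would emit `num` bytes starting at offset `num - BN_num_bytes(to_mod)` and run past the end of `buf`. The caller in rsa_ossl.c presumably passes the modulus length (its assignment of `num` is outside the visible hunk), so this looks latent, but the helper should not rely on it: `int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - BN_num_bytes(to_mod));`. Separately, going by the function's own comment, `l_im`, `l_mul`, `l_ret` and `l_tmp` hold the blinded intermediate, the unblinding factor and the unblinded result, so the `err:` path should release them with `OPENSSL_clear_free()` and their allocation sizes rather than `OPENSSL_free()`. The two allocation-failure `goto err` paths also return 0 without queuing an error; `BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_MALLOC_FAILURE);` before each would let the caller report why it failed.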
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt
+index 35512f9..03d1640 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt
+@@ -1,4 +1,4 @@
+-# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
++# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
+ #
+ # Licensed under the OpenSSL license (the "License"). You may not use
+ # this file except in compliance with the License. You can obtain a copy
+@@ -231,6 +231,7 @@ BN_F_BN_RSHIFT:146:BN_rshift
+ BN_F_BN_SET_WORDS:144:bn_set_words
+ BN_F_BN_STACK_PUSH:148:BN_STACK_push
+ BN_F_BN_USUB:115:BN_usub
++BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind
+ BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow
+ BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean
+ BUF_F_BUF_MEM_NEW:101:BUF_MEM_new
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c
+index b52a66f..6c3c0cf 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c
+@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+ BN_free(d);
+ }
+
+- if (blinding)
+- if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
++ if (blinding) {
++ /*
++ * ossl_bn_rsa_do_unblind() combines blinding inversion and
++ * 0-padded BN BE serialization
++ */
++ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx,
++ buf, num);
++ if (j == 0)
+ goto err;
+-
+- j = BN_bn2binpad(ret, buf, num);
++ } else {
++ j = BN_bn2binpad(ret, buf, num);
++ if (j < 0)
++ goto err;
++ }
+
+ switch (padding) {
+ case RSA_PKCS1_PADDING:
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
+index 60afda1..b5f36fb 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
+@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
+ int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
+ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
+ const BIGNUM *d, BN_CTX *ctx);
++int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
++ const BN_BLINDING *blinding,
++ const BIGNUM *possible_arg2,
++ const BIGNUM *to_mod, BN_CTX *ctx,
++ unsigned char *buf, int num);
+
+ #endif
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h
+index 9f3c7cf..a0752ce 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h
+@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void);
+ # define BN_F_BN_SET_WORDS 144
+ # define BN_F_BN_STACK_PUSH 148
+ # define BN_F_BN_USUB 115
++# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151
+
+ /*
+ * BN reason codes.
+--
+2.33.0
+
diff --git a/0030-brotli-Fix-VLA-parameter-warning-893.patch b/0030-brotli-Fix-VLA-parameter-warning-893.patch
new file mode 100644
index 0000000..9f6974e
--- /dev/null
+++ b/0030-brotli-Fix-VLA-parameter-warning-893.patch
@@ -0,0 +1,89 @@
+From 0a3944c8c99b8d10cc4325f721b7c273d2b41f7b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Adri=C3=A1n=20Herrera=20Arcila?= <adr.her.arc.95@gmail.com>
+Date: Wed, 23 Jun 2021 08:53:59 +0100
+Subject: [PATCH] Fix VLA parameter warning (#893)
+
+Make VLA buffer types consistent in declarations and definitions.
+Resolves build crash when using -Werror due to "vla-parameter" warning.
+
+Signed-off-by: Adrian Herrera <adr.her.arc.95@gmail.com>
+
+reference: https://github.com/google/brotli/pull/893
+Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
+---
+ BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c | 6 ++++--
+ BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c | 5 +++--
+ .../Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c | 6 ++++--
+ .../Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c | 5 +++--
+ 4 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c
+index ae5a3d3..7eee968 100644
+--- a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c
++++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c
+@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands(
+ }
+
+ BrotliDecoderResult BrotliDecoderDecompress(
+- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size,
+- uint8_t* decoded_buffer) {
++ size_t encoded_size,
++ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)],
++ size_t* decoded_size,
++ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) {
+ BrotliDecoderState s;
+ BrotliDecoderResult result;
+ size_t total_out = 0;
+diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c
+index 8d90937..0c49c64 100644
+--- a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c
++++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c
+@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream(
+
+ BROTLI_BOOL BrotliEncoderCompress(
+ int quality, int lgwin, BrotliEncoderMode mode, size_t input_size,
+- const uint8_t* input_buffer, size_t* encoded_size,
+- uint8_t* encoded_buffer) {
++ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)],
++ size_t* encoded_size,
++ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) {
+ BrotliEncoderState* s;
+ size_t out_size = *encoded_size;
+ const uint8_t* input_start = input_buffer;
+
+diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
+index ae5a3d3..7eee968 100644
+--- a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
++++ b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
+@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands(
+ }
+
+ BrotliDecoderResult BrotliDecoderDecompress(
+- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size,
+- uint8_t* decoded_buffer) {
++ size_t encoded_size,
++ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)],
++ size_t* decoded_size,
++ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) {
+ BrotliDecoderState s;
+ BrotliDecoderResult result;
+ size_t total_out = 0;
+diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
+index 8d90937..0c49c64 100644
+--- a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
++++ b/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
+@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream(
+
+ BROTLI_BOOL BrotliEncoderCompress(
+ int quality, int lgwin, BrotliEncoderMode mode, size_t input_size,
+- const uint8_t* input_buffer, size_t* encoded_size,
+- uint8_t* encoded_buffer) {
++ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)],
++ size_t* encoded_size,
++ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) {
+ BrotliEncoderState* s;
+ size_t out_size = *encoded_size;
+ const uint8_t* input_start = input_buffer;
+--
+2.41.0
+
diff --git a/0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch b/0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch
new file mode 100644
index 0000000..bde72b3
--- /dev/null
+++ b/0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch
@@ -0,0 +1,48 @@
+From ae8272ef787d80950803c521a13a308651bdc62e Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 20 Dec 2021 22:32:38 +0800
+Subject: [PATCH] MdeModulePkg/UsbBusDxe: fix NOOPT build error
+
+gcc-11 (fedora 35):
+
+/home/kraxel/projects/edk2/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBus.c: In function ?UsbIoBulkTransfer?:
+/home/kraxel/projects/edk2/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBus.c:277:12: error: ?UsbHcBulkTransfer? accessing 80 bytes in a region of size 8 [-Werror=stringop-overflow=]
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Hao A Wu <hao.a.wu@intel.com>
+
+reference: https://github.com/tianocore/edk2/pull/2347
+Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
+---
+ MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c | 2 +-
+ MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c
+index 12d08c0b74..740e7babb0 100644
+--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c
++++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c
+@@ -285,7 +285,7 @@ UsbHcBulkTransfer (
+ IN UINT8 DevSpeed,
+ IN UINTN MaxPacket,
+ IN UINT8 BufferNum,
+- IN OUT VOID *Data[EFI_USB_MAX_BULK_BUFFER_NUM],
++ IN OUT VOID *Data[],
+ IN OUT UINTN *DataLength,
+ IN OUT UINT8 *DataToggle,
+ IN UINTN TimeOut,
+diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h
+index 04cf36d3c8..d93370a6c2 100644
+--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h
++++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h
+@@ -149,7 +149,7 @@ UsbHcBulkTransfer (
+ IN UINT8 DevSpeed,
+ IN UINTN MaxPacket,
+ IN UINT8 BufferNum,
+- IN OUT VOID *Data[EFI_USB_MAX_BULK_BUFFER_NUM],
++ IN OUT VOID *Data[],
+ IN OUT UINTN *DataLength,
+ IN OUT UINT8 *DataToggle,
+ IN UINTN TimeOut,
+--
+2.41.0
diff --git a/0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch b/0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch
new file mode 100644
index 0000000..5919700
--- /dev/null
+++ b/0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch
@@ -0,0 +1,50 @@
+From 7b005f344e533cd913c3ca05b266f9872df886d1 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 24 Mar 2022 20:04:34 +0800
+Subject: [PATCH 1/3] BaseTools: fix gcc12 warning
+
+GenFfs.c:545:5: error: pointer ?InFileHandle? used after ?fclose? [-Werror=use-after-free]
+ 545 | Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+GenFfs.c:544:5: note: call to ?fclose? here
+ 544 | fclose (InFileHandle);
+ | ^~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Bob Feng <bob.c.feng@intel.com>
+
+reference: https://github.com/tianocore/edk2/pull/2694
+Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
+---
+ BaseTools/Source/C/GenFfs/GenFfs.c | 2 +-
+ BaseTools/Source/C/GenSec/GenSec.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/BaseTools/Source/C/GenFfs/GenFfs.c b/BaseTools/Source/C/GenFfs/GenFfs.c
+index 949025c333..d78d62ab36 100644
+--- a/BaseTools/Source/C/GenFfs/GenFfs.c
++++ b/BaseTools/Source/C/GenFfs/GenFfs.c
+@@ -542,7 +542,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment)
+ PeFileBuffer = (UINT8 *) malloc (PeFileSize);
+ if (PeFileBuffer == NULL) {
+ fclose (InFileHandle);
+- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
++ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile);
+ return EFI_OUT_OF_RESOURCES;
+ }
+ fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle);
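Review bot: The `fread` on the last line of this hunk ignores its return value, so a short read leaves part of the `malloc`ed `PeFileBuffer` uninitialised for whatever parsing follows; the commit corrects only the error message above it. Compare the count with the requested size, `if (fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle) != PeFileSize)`, and on mismatch free the buffer, close the file and return an error. The same unchecked call appears on the last line of the GenSec.c hunk in this patch. GetAlignmentFromFile continues outside the hunk, so how the buffer is consumed is not visible here.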
+diff --git a/BaseTools/Source/C/GenSec/GenSec.c b/BaseTools/Source/C/GenSec/GenSec.c
+index d54a4f9e0a..b1d05367ec 100644
+--- a/BaseTools/Source/C/GenSec/GenSec.c
++++ b/BaseTools/Source/C/GenSec/GenSec.c
+@@ -1062,7 +1062,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment)
+ PeFileBuffer = (UINT8 *) malloc (PeFileSize);
+ if (PeFileBuffer == NULL) {
+ fclose (InFileHandle);
+- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle);
++ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile);
+ return EFI_OUT_OF_RESOURCES;
+ }
+ fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle);
+--
+2.41.0 \ No newline at end of file
diff --git a/0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch b/0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch
new file mode 100644
index 0000000..2ceedd5
--- /dev/null
+++ b/0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch
@@ -0,0 +1,53 @@
+From 85021f8cf22d1bd4114803c6c610dea5ef0059f1 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 24 Mar 2022 20:04:35 +0800
+Subject: [PATCH 2/3] BaseTools: fix gcc12 warning
+
+Sdk/C/LzmaEnc.c: In function ?LzmaEnc_CodeOneMemBlock?:
+Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*p.rc.outStream? [-Werror=dangling-pointer=]
+ 2828 | p->rc.outStream = &outStream.vt;
+ | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
+Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here
+ 2811 | CLzmaEnc_SeqOutStreamBuf outStream;
+ | ^~~~~~~~~
+Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here
+Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*(CLzmaEnc *)pp.rc.outStream? [-Werror=dangling-pointer=]
+ 2828 | p->rc.outStream = &outStream.vt;
+ | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
+Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here
+ 2811 | CLzmaEnc_SeqOutStreamBuf outStream;
+ | ^~~~~~~~~
+Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here
+cc1: all warnings being treated as errors
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Bob Feng <bob.c.feng@intel.com>
+
+reference: https://github.com/tianocore/edk2/pull/2694
+Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
+---
+ BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
+index 4e9b499f8d..4b9f5fa692 100644
+--- a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
++++ b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
+@@ -2638,12 +2638,13 @@ SRes LzmaEnc_CodeOneMemBlock(CLzmaEncHandle pp, Bool reInit,
+
+ nowPos64 = p->nowPos64;
+ RangeEnc_Init(&p->rc);
+- p->rc.outStream = &outStream.vt;
+
+ if (desiredPackSize == 0)
+ return SZ_ERROR_OUTPUT_EOF;
+
++ p->rc.outStream = &outStream.vt;
+ res = LzmaEnc_CodeOneBlock(p, desiredPackSize, *unpackSize);
++ p->rc.outStream = NULL;
+
+ *unpackSize = (UInt32)(p->nowPos64 - nowPos64);
+ *destLen -= outStream.rem;
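Review bot: The added `p->rc.outStream = NULL;` has no comment explaining why the pointer is cleared, and the reason is easy to lose in a vendored SDK file. A one-line comment above it would record the intent, for example `/* outStream is a local of this function; do not leave its address in the encoder state */`. Any later code that writes through `p->rc.outStream` after this call would now dereference NULL instead of a stale stack address; whether such a path exists cannot be confirmed here, because LzmaEnc_CodeOneMemBlock starts and ends outside the hunk.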
+--
+2.41.0.windows.1
+
diff --git a/0034-Basetools-turn-off-gcc12-warning.patch b/0034-Basetools-turn-off-gcc12-warning.patch
new file mode 100644
index 0000000..f17e7b0
--- /dev/null
+++ b/0034-Basetools-turn-off-gcc12-warning.patch
@@ -0,0 +1,43 @@
+From 22130dcd98b4d4b76ac8d922adb4a2dbc86fa52c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 24 Mar 2022 20:04:36 +0800
+Subject: [PATCH 3/3] Basetools: turn off gcc12 warning
+
+In function ?SetDevicePathEndNode?,
+ inlined from ?FileDevicePath? at DevicePathUtilities.c:857:5:
+DevicePathUtilities.c:321:3: error: writing 4 bytes into a region of size 1 [-Werror=stringop-overflow=]
+ 321 | memcpy (Node, &mUefiDevicePathLibEndDevicePath, sizeof (mUefiDevicePathLibEndDevicePath));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+In file included from UefiDevicePathLib.h:22,
+ from DevicePathUtilities.c:16:
+../Include/Protocol/DevicePath.h: In function ?FileDevicePath?:
+../Include/Protocol/DevicePath.h:51:9: note: destination object ?Type? of size 1
+ 51 | UINT8 Type; ///< 0x01 Hardware Device Path.
+ | ^~~~
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Bob Feng <bob.c.feng@intel.com>
+
+reference: https://github.com/tianocore/edk2/pull/2694
+Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
+---
+ BaseTools/Source/C/DevicePath/GNUmakefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/BaseTools/Source/C/DevicePath/GNUmakefile b/BaseTools/Source/C/DevicePath/GNUmakefile
+index 7ca08af966..b05d2bddfa 100644
+--- a/BaseTools/Source/C/DevicePath/GNUmakefile
++++ b/BaseTools/Source/C/DevicePath/GNUmakefile
+@@ -13,6 +13,9 @@ OBJECTS = DevicePath.o UefiDevicePathLib.o DevicePathFromText.o DevicePathUtili
+
+ include $(MAKEROOT)/Makefiles/app.makefile
+
++# gcc 12 trips over device path handling
++BUILD_CFLAGS += -Wno-error=stringop-overflow
++
+ LIBS = -lCommon
+ ifeq ($(CYGWIN), CYGWIN)
+ LIBS += -L/lib/e2fsprogs -luuid
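Review bot: `-Wno-error=stringop-overflow` is appended to `BUILD_CFLAGS` for every object this makefile builds, so a genuine overflow diagnostic in any other DevicePath source would no longer stop the build. The commit message reports the warning only for the `memcpy` in `SetDevicePathEndNode` (DevicePathUtilities.c). If the rules in app.makefile (not visible here) honour target-specific variables, `DevicePathUtilities.o: BUILD_CFLAGS += -Wno-error=stringop-overflow` keeps the check fatal elsewhere. The comment should also name the flagged call, e.g. `# gcc 12 -Wstringop-overflow on memcpy in SetDevicePathEndNode (DevicePathUtilities.c)`, so the suppression can be dropped once that site is reworked.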
+--
+2.41.0
+
diff --git a/0035-add-file-edk2-aarch64-json.patch b/0035-add-file-edk2-aarch64-json.patch
new file mode 100644
index 0000000..2103508
--- /dev/null
+++ b/0035-add-file-edk2-aarch64-json.patch
@@ -0,0 +1,50 @@
+From 32a67be9c4f5d12a0beeacff4142bb47c9cd0ee7 Mon Sep 17 00:00:00 2001
+From: tzing_t <zhengting13@huawei.com>
+Date: Mon, 30 Oct 2023 11:00:44 +0000
+Subject: [PATCH] add file edk2-aarch64.json
+
+---
+ edk2-aarch64.json | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+ create mode 100644 edk2-aarch64.json
+
+diff --git a/edk2-aarch64.json b/edk2-aarch64.json
+new file mode 100644
+index 0000000..5bbfa6a
+--- /dev/null
++++ b/edk2-aarch64.json
+@@ -0,0 +1,31 @@
++{
++ "description": "UEFI firmware for ARM64 virtual machines",
++ "interface-types": [
++ "uefi"
++ ],
++ "mapping": {
++ "device": "flash",
++ "executable": {
++ "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw",
++ "format": "raw"
++ },
++ "nvram-template": {
++ "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw",
++ "format": "raw"
++ }
++ },
++ "targets": [
++ {
++ "architecture": "aarch64",
++ "machines": [
++ "virt-*"
++ ]
++ }
++ ],
++ "features": [
++
++ ],
++ "tags": [
++
++ ]
++}
+--
+2.33.0
+
diff --git a/edk2.spec b/edk2.spec
new file mode 100644
index 0000000..2a40409
--- /dev/null
+++ b/edk2.spec
@@ -0,0 +1,378 @@
+%global stable_date 202011
+%global release_tag edk2-stable%{stable_date}
+%global openssl_version 1.1.1f
+%global _python_bytecompile_extra 0
+
+Name: edk2
+Version: %{stable_date}
+Release: 14
+Summary: EFI Development Kit II
+License: BSD-2-Clause-Patent
+URL: https://github.com/tianocore/edk2
+Source0: https://github.com/tianocore/edk2/archive/%{release_tag}.tar.gz
+Source1: openssl-%{openssl_version}.tar.gz
+Source2: brotli.tar.gz
+
+# for CVE-2021-38575
+Patch0001: 0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch
+Patch0002: 0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch
+Patch0003: 0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch
+Patch0004: 0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch
+Patch0005: 0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch
+Patch0006: 0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch
+Patch0007: 0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch
+Patch0008: 0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch
+Patch0009: 0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch
+Patch0010: 0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch
+
+# for CVE-2021-28216
+Patch0011: 0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch
+
+# for CVE-2021-38576
+Patch0012: 0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch
+Patch0013: 0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch
+Patch0014: 0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch
+Patch0015: 0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch
+Patch0016: 0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch
+Patch0017: 0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch
+Patch0018: 0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch
+Patch0019: 0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch
+
+Patch0020: 0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch
+
+Patch0021: 0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch
+
+Patch0022: 0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch
+Patch0023: 0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch
+Patch0024: 0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch
+Patch0025: 0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
+Patch0026: 0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
+Patch0027: 0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch
+Patch0028: 0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch
+
+# for CVE-2022-4304
+Patch0029: 0029-Fix-Timing-Oracle-in-RSA-decryption.patch
+
+# solving the compilation failure problem of gcc 12.3.0
+Patch0030: 0030-brotli-Fix-VLA-parameter-warning-893.patch
+Patch0031: 0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch
+Patch0032: 0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch
+Patch0033: 0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch
+Patch0034: 0034-Basetools-turn-off-gcc12-warning.patch
+
+Patch0035: 0035-add-file-edk2-aarch64-json.patch
+
+BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command
+
+%description
+EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.
+
+%package devel
+Summary: EFI Development Kit II Tools
+%description devel
+This package provides tools that are needed to build EFI executables and ROMs using the GNU tools.
+
+%package -n python3-%{name}-devel
+Summary: EFI Development Kit II Tools
+Requires: python3
+BuildArch: noarch
+%description -n python3-%{name}-devel
+This package provides tools that are needed to build EFI executables and ROMs using the GNU tools.
+
+%package help
+Summary: Documentation for EFI Development Kit II Tools
+BuildArch: noarch
+%description help
+This package documents the tools that are needed to build EFI executables and ROMs using the GNU tools.
+
+%ifarch aarch64
+%package aarch64
+Summary: AARCH64 Virtual Machine Firmware
+BuildArch: noarch
+%description aarch64
+EFI Development Kit II AARCH64 UEFI Firmware
+%endif
+
+%ifarch x86_64
+%package ovmf
+Summary: Open Virtual Machine Firmware
+BuildArch: noarch
+%description ovmf
+EFI Development Kit II Open Virtual Machine Firmware (x64)
+%endif
+
+%ifarch %{ix86}
+%package ovmf-ia32
+Summary: Open Virtual Machine Firmware
+BuildArch: noarch
+%description ovmf-ia32
+EFI Development Kit II Open Virtual Machine Firmware (ia32)
+%endif
+
+%prep
+%setup -n edk2-%{release_tag}
+tar -xf %{SOURCE1} -C CryptoPkg/Library/OpensslLib/openssl --strip-components=1
+tar -xf %{SOURCE2} -C MdeModulePkg/Library/BrotliCustomDecompressLib/brotli --strip-components=1
+tar -xf %{SOURCE2} -C BaseTools/Source/C/BrotliCompress/brotli --strip-components=1
+%autopatch -p1
+
+%build
+NCPUS=`/usr/bin/getconf _NPROCESSORS_ONLN`
+BUILD_OPTION="-t GCC5 -n $NCPUS -b RELEASE"
+
+make -C BaseTools %{?_smp_mflags} EXTRA_OPTFLAGS="%{optflags}" EXTRA_LDFLAGS="%{__global_ldflags}"
+. ./edksetup.sh
+
+COMMON_FLAGS="-D NETWORK_IP6_ENABLE"
+%ifarch aarch64
+ BUILD_OPTION="$BUILD_OPTION -a AARCH64 -p ArmVirtPkg/ArmVirtQemu.dsc --cmd-len=65536 $COMMON_FLAGS"
+%endif
+
+%ifarch x86_64
+ BUILD_OPTION="$BUILD_OPTION -a X64 -p OvmfPkg/OvmfPkgX64.dsc $COMMON_FLAGS"
+%endif
+
+%ifarch %{ix86}
+ BUILD_OPTION="$BUILD_OPTION -a IA32 -p OvmfPkg/OvmfPkgIa32.dsc"
+%endif
+BUILD_OPTION="$BUILD_OPTION -D SECURE_BOOT_ENABLE=TRUE"
+BUILD_OPTION="$BUILD_OPTION -D TPM2_ENABLE=TRUE"
+BUILD_OPTION="$BUILD_OPTION -D TPM2_CONFIG_ENABLE=TRUE"
+BUILD_OPTION="$BUILD_OPTION -D TPM_ENABLE=TRUE"
+BUILD_OPTION="$BUILD_OPTION -D TPM_CONFIG_ENABLE=TRUE"
+build $BUILD_OPTION
+
+%install
+cp CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl
+mkdir -p %{buildroot}%{_bindir} \
+ %{buildroot}%{_datadir}/%{name}/Conf \
+ %{buildroot}%{_datadir}/%{name}/Scripts
+install BaseTools/Source/C/bin/* %{buildroot}%{_bindir}
+install BaseTools/BuildEnv %{buildroot}%{_datadir}/%{name}
+install BaseTools/Conf/*.template %{buildroot}%{_datadir}/%{name}/Conf
+install BaseTools/Scripts/GccBase.lds %{buildroot}%{_datadir}/%{name}/Scripts
+
+%ifarch aarch64
+mkdir -p %{buildroot}%{_datadir}/qemu/firmware
+install -m 0644 edk2-aarch64.json \
+ %{buildroot}%{_datadir}/qemu/firmware/edk2-aarch64.json
+# endif build_aarch64
+%endif
+
+cp -R BaseTools/Source/Python %{buildroot}%{_datadir}/%{name}/Python
+find %{buildroot}%{_datadir}/%{name}/Python -name '__pycache__'|xargs rm -rf
+
+for i in build BPDG GenDepex GenFds GenPatchPcdTable PatchPcdValue Pkcs7Sign Rsa2048Sha256Sign TargetTool Trim UPT; do
+echo '#!/usr/bin/env bash
+export PYTHONPATH=%{_datadir}/%{name}/Python${PYTHONPATH:+:"$PYTHONPATH"}
+exec python3 '%{_datadir}/%{name}/Python/$i/$i.py' "$@"' > %{buildroot}%{_bindir}/$i
+ chmod +x %{buildroot}%{_bindir}/$i
+done
+
+echo '#!/usr/bin/env bash
+export PYTHONPATH=%{_datadir}/%{name}/Python${PYTHONPATH:+:"$PYTHONPATH"}
+exec python3 '%{_datadir}/%{name}/Python/Ecc/EccMain.py' "$@"' > %{buildroot}%{_bindir}/Ecc
+chmod +x %{buildroot}%{_bindir}/Ecc
+
+echo '#!/usr/bin/env bash
+export PYTHONPATH=%{_datadir}/%{name}/Python${PYTHONPATH:+:"$PYTHONPATH"}
+exec python3 '%{_datadir}/%{name}/Python/Capsule/GenerateCapsule.py' "$@"' > %{buildroot}%{_bindir}/GenerateCapsule
+chmod +x %{buildroot}%{_bindir}/GenerateCapsule
+
+echo '#!/usr/bin/env bash
+export PYTHONPATH=%{_datadir}/%{name}/Python${PYTHONPATH:+:"$PYTHONPATH"}
+exec python3 '%{_datadir}/%{name}/Python/Rsa2048Sha256Sign/Rsa2048Sha256GenerateKeys.py' "$@"' > %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
+chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
+
+%ifarch aarch64
+ mkdir -p %{buildroot}/usr/share/%{name}/aarch64
+ cp Build/ArmVirtQemu-AARCH64/RELEASE_*/FV/*.fd %{buildroot}/usr/share/%{name}/aarch64
+ dd of="%{buildroot}/usr/share/%{name}/aarch64/QEMU_EFI-pflash.raw" if="/dev/zero" bs=1M count=64
+ dd of="%{buildroot}/usr/share/%{name}/aarch64/QEMU_EFI-pflash.raw" if="%{buildroot}/usr/share/%{name}/aarch64/QEMU_EFI.fd" conv=notrunc
+ dd of="%{buildroot}/usr/share/%{name}/aarch64/vars-template-pflash.raw" if="/dev/zero" bs=1M count=64
+%endif
+
+%ifarch x86_64
+ mkdir -p %{buildroot}/usr/share/%{name}/ovmf
+ cp Build/OvmfX64/*/FV/OVMF*.fd %{buildroot}/usr/share/%{name}/ovmf
+%endif
+
+%ifarch %{ix86}
+ mkdir -p %{buildroot}/usr/share/%{name}/ovmf-ia32
+ cp Build/OvmfIa32/*/FV/OVMF_CODE.fd %{buildroot}/usr/share/%{name}/ovmf-ia32
+%endif
+
+%files devel
+%license License.txt
+%license LICENSE.openssl
+%{_bindir}/BrotliCompress
+%{_bindir}/DevicePath
+%{_bindir}/EfiRom
+%{_bindir}/GenCrc32
+%{_bindir}/GenFfs
+%{_bindir}/GenFv
+%{_bindir}/GenFw
+%{_bindir}/GenSec
+%{_bindir}/LzmaCompress
+%{_bindir}/Split
+%{_bindir}/TianoCompress
+%{_bindir}/VfrCompile
+%{_bindir}/VolInfo
+%{_datadir}/%{name}/BuildEnv
+%{_datadir}/%{name}/Conf
+%{_datadir}/%{name}/Scripts
+
+%files -n python3-%{name}-devel
+%{_bindir}/BPDG
+%{_bindir}/Ecc
+%{_bindir}/GenDepex
+%{_bindir}/GenFds
+%{_bindir}/GenPatchPcdTable
+%{_bindir}/GenerateCapsule
+%{_bindir}/Pkcs7Sign
+%{_bindir}/PatchPcdValue
+%{_bindir}/Rsa2048Sha256GenerateKeys
+%{_bindir}/Rsa2048Sha256Sign
+%{_bindir}/TargetTool
+%{_bindir}/Trim
+%{_bindir}/UPT
+%{_bindir}/build
+%dir %{_datadir}/%{name}
+%{_datadir}/%{name}/Python
+
+%files help
+%doc BaseTools/UserManuals/*.rtf
+
+%ifarch aarch64
+%files aarch64
+%license OvmfPkg/License.txt
+%license LICENSE.openssl
+%dir /usr/share/%{name}
+%dir /usr/share/%{name}/aarch64
+/usr/share/%{name}/aarch64/QEMU*.fd
+/usr/share/%{name}/aarch64/*.raw
+%{_datadir}/qemu/firmware/edk2-aarch64.json
+%endif
+
+%ifarch x86_64
+%files ovmf
+%license OvmfPkg/License.txt
+%license LICENSE.openssl
+%dir %{_datadir}/%{name}
+%{_datadir}/%{name}/ovmf
+%endif
+
+%ifarch %{ix86}
+%license OvmfPkg/License.txt
+%license LICENSE.openssl
+%files ovfm-ia32
+%dir /usr/share/%{name}
+%endif
+
+%changelog
+* Mon Oct 30 2023 zhengting<zhengting13@huawei.com> - 202011-14
+- add edk2-aarch64-json
+
+* Thu Jul 13 2023 Jiabo Feng<fengjiabo1@huawei.com> - 202011-13
+- solving the compilation failure problem of gcc 12.3.0
+
+* Fri Mar 10 2023 yexiao<yexiao7@huawei.com> - 202011-12
+- fix CVE-2022-4304
+
+* Sun Feb 26 2023 chenhuiying<chenhuiying4@huawei.com> - 202011-11
+- fix CVE-2023-0286
+
+* Sun Feb 26 2023 chenhuiying<chenhuiying4@huawei.com> - 202011-10
+- fix CVE-2023-0215
+
+* Sat Feb 25 2023 shaodenghui<shaodenghui@huawei.com> - 202011-9
+- fix CVE-2023-0401
+
+* Mon Feb 20 2023 shaodenghui<shaodenghui@huawei.com> - 202011-8
+- fix CVE-2022-4450
+
+* Tue Nov 29 2022 chenhuiying<chenhuiying4@huawei.com> - 202011-7
+- fix CVE-2021-38578
+
+* Thu Sep 29 2022 chenhuiying<chenhuiying4@huawei.com> - 202011-6
+* fix CVE-2019-11098
+
+* Tue Jun 14 2022 miaoyubo <miaoyubo@huawei.com> - 202011-5
+- Enable TPM for pcr0-7
+
+* Wed Apr 27 2022 yezengruan <yezengruan@huawei.com> - 202011-4
+- update the format of changelog
+
+* Thu Feb 17 2022 Jinhua Cao <caojinhua1@huawei.com> - 202011-3
+- OvmfPkg: VirtioNetDxe: Extend the RxBufferSize to avoid data truncation
+
+* Tue Feb 15 2022 Jinhua Cao <caojinhua1@huawei.com> - 202011-2
+- fix CVE-2021-38576
+
+* Mon Feb 7 2022 Jinhua Cao <caojinhua1@huawei.com> - 202011-1
+- update edk2 to stable 202011
+
+* Wed Jan 12 2022 Jinhua Cao <caojinhua1@huawei.com> - 202002-11
+- BaseTools: fix ucs-2 lookup on python3.9
+- BaseTools: Work around array.array.tostring() removal in python3.9
+
+* Wed Dec 1 2021 Jinhua Cao <caojinhua1@huawei.com> - 202002-10
+- fix CVE-2021-28216
+
+* Wed Sep 22 2021 imxcc <xingchaochao@huawei.com> - 202002-9
+- fix cve-2021-38575
+
+* Tue Aug 31 2021 miaoyubo <miaoyubo@huawei.com> - 202002-8
+- MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed
+
+* Fri Jul 30 2021 Zhenyu Ye <yezhenyu2@huawei.com> - 202002-7
+- ArmPkg/CompilerIntrinsicsLib: provide atomics intrinsics
+
+* Mon Jun 28 2021 Jiajie Li <lijiajie11@huawei.com> - 202002-6
+- Fix CVE-2021-28210
+
+* Tue Oct 27 2020 AlexChen <alex.chen@huawei.com> - 202002-5
+- remove build requires of python2
+
+* Mon Sep 28 2020 FangYing <fangying1@huawei.com> - 202002-4
+- update the Source0 to http url
+
+* Fri Jul 31 2020 jiangfangjie <jiangfangjie@huawei.com> - 202002-3
+- ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot
+- ArmVirtPkg/ArmVirtQemu: enable the TPM2 configuration module
+
+* Mon Jul 27 2020 zhangxinhao <zhangxinhao1@huawei.com> - 202002-2
+- add build option "-D SECURE_BOOT_ENABLE=TRUE" to enable secure boot
+
+* Thu May 7 2020 openEuler Buildteam <buildteam@openeuler.org> - 202002-1
+- Update edk2 to stable202002 and OpenSSL to 1.1.1f
+
+* Thu Mar 19 2020 openEuler Buildteam <buildteam@openeuler.org> - 201908-9
+- fix an overflow bug in rsaz_512_sqr
+- use the correct maximum indent
+
+* Tue Mar 17 2020 openEuler Buildteam <buildteam@openeuler.org> - 201908-8
+- enable multiple threads compiling
+- Pass EXTRA_OPTFLAGS and EXTRA_OPTFLAGS options to make command
+- enable IPv6 for X86_64
+
+* Sun Mar 15 2020 openEuler Buildteam <buildteam@openeuler.org> - 201908-7
+- fix missing OVMF.fd in package
+
+* Sat Feb 22 2020 openEuler Buildteam <buildteam@openeuler.org> - 201908-6
+- add build requires of python2
+
+* Mon Dec 30 2019 Heyi Guo <buildteam@openeuler.org> - 201908-5
+- Upgrade openssl to 1.1.1d
+
+* Tue Nov 26 2019 openEuler Buildteam <buildteam@openeuler.org> - 201908-4
+- add build requires of nasm
+
+* Tue Nov 26 2019 openEuler Buildteam <buildteam@openeuler.org> - 201908-3
+- Correct name of package ovmf
+
+* Mon Sep 30 2019 zhanghailiang <zhang.zhanghailiang@huawei.com> - 201908-2
+- Enable IPv6 suppport and Modify Release number to 2
+
+* Wed Sep 18 2019 openEuler Buildteam <buildteam@openeuler.org> - 201908-1
+- Package init
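Review bot: The ix86 file list near the end of the spec opens with `%files ovfm-ia32`, but the subpackage is declared as `%package ovmf-ia32`, so the header names a package that does not exist. The two `%license` lines also sit above that header, where they would attach to whichever `%files` list precedes them. The list itself names only `%dir /usr/share/%{name}`, although `%install` copies `OVMF_CODE.fd` into `/usr/share/%{name}/ovmf-ia32`. I would put `%files ovmf-ia32` first inside the `%ifarch %{ix86}` block, move the two `%license` lines below it, and add `%{_datadir}/%{name}/ovmf-ia32` so the firmware image is actually packaged.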
diff --git a/sources b/sources
new file mode 100644
index 0000000..fa3ed6b
--- /dev/null
+++ b/sources
@@ -0,0 +1,3 @@
+8f2f18f20f2a3ae186c90413fbb39ec1 brotli.tar.gz
+6f896f055082159f88d7a54ee24763c1 edk2-stable202011.tar.gz
+3f486f2f4435ef14b81814dbbc7b48bb openssl-1.1.1f.tar.gz
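Review bot: The three added entries pin the source tarballs by MD5 only, which is not collision-resistant. For `brotli.tar.gz` and `openssl-1.1.1f.tar.gz` this matters more, because edk2.spec gives `Source1` and `Source2` as bare file names with no upstream URL to re-verify against. If the lookaside tooling used here accepts it (not visible from this page), a stronger form is one line per file such as `SHA512 (edk2-stable202011.tar.gz) = <sha512-of-vetted-tarball>`, where the digest is a placeholder to be computed from the vetted archive. Recording the upstream origin of the brotli and OpenSSL tarballs in the spec would also let a rebuilder confirm that the bundled crypto code matches the release it claims to be.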