From 1dae37b163e1e08e719ac06fa86b3414b4ddfb2b Mon Sep 17 00:00:00 2001 From: CoprDistGit Date: Mon, 30 Oct 2023 11:56:48 +0000 Subject: automatic import of edk2 --- .gitignore | 3 + ...IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch | 244 +++++ ...IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch | 64 ++ ...IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch | 95 ++ ...IScsiDxe-clean-up-library-class-dependenc.patch | 94 ++ ...IScsiDxe-fix-potential-integer-overflow-i.patch | 147 +++ ...IScsiDxe-assert-that-IScsiBinToHex-always.patch | 88 ++ ...IScsiDxe-reformat-IScsiHexToBin-leading-c.patch | 86 ++ ...kg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch | 97 ++ ...IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch | 106 +++ ...IScsiDxe-check-IScsiHexToBin-return-value.patch | 84 ++ ...g-FPDT-Lock-boot-performance-table-addres.patch | 982 +++++++++++++++++++++ ...-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch | 378 ++++++++ ...-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch | 121 +++ ...-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch | 161 ++++ ...-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch | 63 ++ ...-Introduce-new-PCD-PcdRandomizePlatformHi.patch | 53 ++ ...-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch | 191 ++++ ...-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch | 63 ++ ...-Add-references-to-header-and-inf-files-t.patch | 68 ++ ...tioNetDxe-Extend-the-RxBufferSize-to-avoi.patch | 50 ++ ...Move-MigrateGdt-from-DiscoverMemory-to-Te.patch | 191 ++++ ...g-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch | 208 +++++ ...-dangling-ptrs-in-header-and-data-params-.patch | 43 + ...7_doit.c-Check-return-of-BIO_set_md-calls.patch | 57 ++ ...-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch | 106 +++ ...ailure-during-BIO-setup-with-stream-is-ha.patch | 79 ++ ...-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch | 102 +++ ...86-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch | 41 + 0029-Fix-Timing-Oracle-in-RSA-decryption.patch | 834 +++++++++++++++++ 0030-brotli-Fix-VLA-parameter-warning-893.patch | 89 ++ ...ModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch | 48 + ...BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch | 50 ++ ...-BaseTools-LzmaCompress-fix-gcc12-warning.patch | 53 ++ 0034-Basetools-turn-off-gcc12-warning.patch | 43 + 0035-add-file-edk2-aarch64-json.patch | 50 ++ edk2.spec | 378 ++++++++ sources | 3 + 38 files changed, 5613 insertions(+) create mode 100644 0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch create mode 100644 0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch create mode 100644 0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch create mode 100644 0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch create mode 100644 0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch create mode 100644 0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch create mode 100644 0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch create mode 100644 0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch create mode 100644 0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch create mode 100644 0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch create mode 100644 0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch create mode 100644 0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch create mode 100644 0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch create mode 100644 0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch create mode 100644 0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch create mode 100644 0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch create mode 100644 0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch create mode 100644 0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch create mode 100644 0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch create mode 100644 0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch create mode 100644 0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch create mode 100644 0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch create mode 100644 0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch create mode 100644 0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch create mode 100644 0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch create mode 100644 0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch create mode 100644 0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch create mode 100644 0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch create mode 100644 0029-Fix-Timing-Oracle-in-RSA-decryption.patch create mode 100644 0030-brotli-Fix-VLA-parameter-warning-893.patch create mode 100644 0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch create mode 100644 0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch create mode 100644 0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch create mode 100644 0034-Basetools-turn-off-gcc12-warning.patch create mode 100644 0035-add-file-edk2-aarch64-json.patch create mode 100644 edk2.spec create mode 100644 sources diff --git a/.gitignore b/.gitignore index e69de29..23a9e75 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,3 @@ +/brotli.tar.gz +/edk2-stable202011.tar.gz +/openssl-1.1.1f.tar.gz diff --git a/0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch b/0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch new file mode 100644 index 0000000..8b41381 --- /dev/null +++ b/0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch @@ -0,0 +1,244 @@ +From 83761337ec91fbd459c55d7d956fcc25df3bfa50 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 8 Jun 2021 14:12:50 +0200 +Subject: [PATCH 18/27] NetworkPkg/IScsiDxe: wrap IScsiCHAP source files to 80 + characters +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Working with overlong lines is difficult for me; rewrap the CHAP-related +source files in IScsiDxe to 80 characters width. No functional changes. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Maciej Rabeda +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20210608121259.32451-2-lersek@redhat.com> +--- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 90 +++++++++++++++++++++++++-------- + NetworkPkg/IScsiDxe/IScsiCHAP.h | 3 +- + 2 files changed, 71 insertions(+), 22 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index 355c6f129f..cbbc56ae5b 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -1,5 +1,6 @@ + /** @file +- This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration. ++ This file is for Challenge-Handshake Authentication Protocol (CHAP) ++ Configuration. + + Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent +@@ -18,9 +19,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + @param[in] ChallengeLength The length of iSCSI CHAP challenge message. + @param[out] ChapResponse The calculation of the expected hash value. + +- @retval EFI_SUCCESS The expected hash value was calculatedly successfully. +- @retval EFI_PROTOCOL_ERROR The length of the secret should be at least the +- length of the hash value for the hashing algorithm chosen. ++ @retval EFI_SUCCESS The expected hash value was calculatedly ++ successfully. ++ @retval EFI_PROTOCOL_ERROR The length of the secret should be at least ++ the length of the hash value for the hashing ++ algorithm chosen. + @retval EFI_PROTOCOL_ERROR MD5 hash operation fail. + @retval EFI_OUT_OF_RESOURCES Fail to allocate resource to complete MD5. + +@@ -94,8 +97,10 @@ Exit: + @param[in] AuthData iSCSI CHAP authentication data. + @param[in] TargetResponse The response from target. + +- @retval EFI_SUCCESS The response from target passed authentication. +- @retval EFI_SECURITY_VIOLATION The response from target was not expected value. ++ @retval EFI_SUCCESS The response from target passed ++ authentication. ++ @retval EFI_SECURITY_VIOLATION The response from target was not expected ++ value. + @retval Others Other errors as indicated. + + **/ +@@ -193,7 +198,10 @@ IScsiCHAPOnRspReceived ( + // + // The first Login Response. + // +- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG); ++ Value = IScsiGetValueByKeyFromList ( ++ KeyValueList, ++ ISCSI_KEY_TARGET_PORTAL_GROUP_TAG ++ ); + if (Value == NULL) { + goto ON_EXIT; + } +@@ -205,13 +213,17 @@ IScsiCHAPOnRspReceived ( + + Session->TargetPortalGroupTag = (UINT16) Result; + +- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD); ++ Value = IScsiGetValueByKeyFromList ( ++ KeyValueList, ++ ISCSI_KEY_AUTH_METHOD ++ ); + if (Value == NULL) { + goto ON_EXIT; + } + // +- // Initiator mandates CHAP authentication but target replies without "CHAP", or +- // initiator suggets "None" but target replies with some kind of auth method. ++ // Initiator mandates CHAP authentication but target replies without ++ // "CHAP", or initiator suggets "None" but target replies with some kind of ++ // auth method. + // + if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) { + if (AsciiStrCmp (Value, ISCSI_KEY_VALUE_NONE) != 0) { +@@ -236,7 +248,10 @@ IScsiCHAPOnRspReceived ( + // + // The Target replies with CHAP_A= CHAP_I= CHAP_C= + // +- Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM); ++ Value = IScsiGetValueByKeyFromList ( ++ KeyValueList, ++ ISCSI_KEY_CHAP_ALGORITHM ++ ); + if (Value == NULL) { + goto ON_EXIT; + } +@@ -249,12 +264,18 @@ IScsiCHAPOnRspReceived ( + goto ON_EXIT; + } + +- Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER); ++ Identifier = IScsiGetValueByKeyFromList ( ++ KeyValueList, ++ ISCSI_KEY_CHAP_IDENTIFIER ++ ); + if (Identifier == NULL) { + goto ON_EXIT; + } + +- Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE); ++ Challenge = IScsiGetValueByKeyFromList ( ++ KeyValueList, ++ ISCSI_KEY_CHAP_CHALLENGE ++ ); + if (Challenge == NULL) { + goto ON_EXIT; + } +@@ -269,7 +290,11 @@ IScsiCHAPOnRspReceived ( + + AuthData->InIdentifier = (UINT32) Result; + AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN; +- IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge); ++ IScsiHexToBin ( ++ (UINT8 *) AuthData->InChallenge, ++ &AuthData->InChallengeLength, ++ Challenge ++ ); + Status = IScsiCHAPCalculateResponse ( + AuthData->InIdentifier, + AuthData->AuthConfig->CHAPSecret, +@@ -303,7 +328,10 @@ IScsiCHAPOnRspReceived ( + goto ON_EXIT; + } + +- Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE); ++ Response = IScsiGetValueByKeyFromList ( ++ KeyValueList, ++ ISCSI_KEY_CHAP_RESPONSE ++ ); + if (Response == NULL) { + goto ON_EXIT; + } +@@ -341,7 +369,8 @@ ON_EXIT: + @param[in, out] Pdu The PDU to send out. + + @retval EFI_SUCCESS All check passed and the phase-related CHAP +- authentication info is filled into the iSCSI PDU. ++ authentication info is filled into the iSCSI ++ PDU. + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. + @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred. + +@@ -392,7 +421,11 @@ IScsiCHAPToSendReq ( + // It's the initial Login Request. Fill in the key=value pairs mandatory + // for the initial Login Request. + // +- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, mPrivate->InitiatorName); ++ IScsiAddKeyValuePair ( ++ Pdu, ++ ISCSI_KEY_INITIATOR_NAME, ++ mPrivate->InitiatorName ++ ); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal"); + IScsiAddKeyValuePair ( + Pdu, +@@ -413,7 +446,8 @@ IScsiCHAPToSendReq ( + + case ISCSI_CHAP_STEP_ONE: + // +- // First step, send the Login Request with CHAP_A= key-value pair. ++ // First step, send the Login Request with CHAP_A= key-value ++ // pair. + // + AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr); +@@ -429,11 +463,20 @@ IScsiCHAPToSendReq ( + // + // CHAP_N= + // +- IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig->CHAPName); ++ IScsiAddKeyValuePair ( ++ Pdu, ++ ISCSI_KEY_CHAP_NAME, ++ (CHAR8 *) &AuthData->AuthConfig->CHAPName ++ ); + // + // CHAP_R= + // +- IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen); ++ IScsiBinToHex ( ++ (UINT8 *) AuthData->CHAPResponse, ++ ISCSI_CHAP_RSP_LEN, ++ Response, ++ &RspLen ++ ); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response); + + if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) { +@@ -448,7 +491,12 @@ IScsiCHAPToSendReq ( + // + IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN); + AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN; +- IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen); ++ IScsiBinToHex ( ++ (UINT8 *) AuthData->OutChallenge, ++ ISCSI_CHAP_RSP_LEN, ++ Challenge, ++ &ChallengeLen ++ ); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge); + + Conn->AuthStep = ISCSI_CHAP_STEP_FOUR; +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h +index 140bba0dcd..5e59fb678b 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h +@@ -88,7 +88,8 @@ IScsiCHAPOnRspReceived ( + @param[in, out] Pdu The PDU to send out. + + @retval EFI_SUCCESS All check passed and the phase-related CHAP +- authentication info is filled into the iSCSI PDU. ++ authentication info is filled into the iSCSI ++ PDU. + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. + @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred. + +-- +2.27.0 + diff --git a/0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch b/0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch new file mode 100644 index 0000000..7ddeeaa --- /dev/null +++ b/0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch @@ -0,0 +1,64 @@ +From 29cab43bb7912a12efa5a78dac15394aee866e4c Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 8 Jun 2021 14:12:51 +0200 +Subject: [PATCH 19/27] NetworkPkg/IScsiDxe: simplify + "ISCSI_CHAP_AUTH_DATA.InChallenge" size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The ISCSI_CHAP_AUTH_MAX_LEN macro is defined with value 1024. + +The usage of this macro currently involves a semantic (not functional) +bug, which we're going to fix in a subsequent patch, eliminating +ISCSI_CHAP_AUTH_MAX_LEN altogether. + +For now, remove the macro's usage from all +"ISCSI_CHAP_AUTH_DATA.InChallenge" contexts. This is doable without +duplicating open-coded constants. + +No changes in functionality. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Maciej Rabeda +Message-Id: <20210608121259.32451-3-lersek@redhat.com> +--- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 2 +- + NetworkPkg/IScsiDxe/IScsiCHAP.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index cbbc56ae5b..df3c2eb120 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -289,7 +289,7 @@ IScsiCHAPOnRspReceived ( + } + + AuthData->InIdentifier = (UINT32) Result; +- AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN; ++ AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge); + IScsiHexToBin ( + (UINT8 *) AuthData->InChallenge, + &AuthData->InChallengeLength, +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h +index 5e59fb678b..1fc1d96ea3 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h +@@ -49,7 +49,7 @@ typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA { + typedef struct _ISCSI_CHAP_AUTH_DATA { + ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig; + UINT32 InIdentifier; +- UINT8 InChallenge[ISCSI_CHAP_AUTH_MAX_LEN]; ++ UINT8 InChallenge[1024]; + UINT32 InChallengeLength; + // + // Calculated CHAP Response (CHAP_R) value. +-- +2.27.0 + diff --git a/0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch b/0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch new file mode 100644 index 0000000..82ee449 --- /dev/null +++ b/0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch @@ -0,0 +1,95 @@ +From 95616b866187b00355042953efa5c198df07250f Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 8 Jun 2021 14:12:52 +0200 +Subject: [PATCH 20/27] NetworkPkg/IScsiDxe: clean up + "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The "ISCSI_CHAP_AUTH_DATA.OutChallenge" field is declared as a UINT8 array +with ISCSI_CHAP_AUTH_MAX_LEN (1024) elements. However, when the challenge +is generated and formatted, only ISCSI_CHAP_RSP_LEN (16) octets are used +in the array. + +Change the array size to ISCSI_CHAP_RSP_LEN, and remove the (now unused) +ISCSI_CHAP_AUTH_MAX_LEN macro. + +Remove the "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" field, which is +superfluous too. + +Most importantly, explain in a new comment *why* tying the challenge size +to the digest size (ISCSI_CHAP_RSP_LEN) has always made sense. (See also +Linux kernel commit 19f5f88ed779, "scsi: target: iscsi: tie the challenge +length to the hash digest size", 2019-11-06.) For sure, the motivation +that the new comment now explains has always been there, and has always +been the same, for IScsiDxe; it's just that now we spell it out too. + +No change in peer-visible behavior. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Maciej Rabeda +Message-Id: <20210608121259.32451-4-lersek@redhat.com> +--- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 3 +-- + NetworkPkg/IScsiDxe/IScsiCHAP.h | 9 ++++++--- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index df3c2eb120..9e192ce292 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -122,7 +122,7 @@ IScsiCHAPAuthTarget ( + AuthData->AuthConfig->ReverseCHAPSecret, + SecretSize, + AuthData->OutChallenge, +- AuthData->OutChallengeLength, ++ ISCSI_CHAP_RSP_LEN, // ChallengeLength + VerifyRsp + ); + +@@ -490,7 +490,6 @@ IScsiCHAPToSendReq ( + // CHAP_C= + // + IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN); +- AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN; + IScsiBinToHex ( + (UINT8 *) AuthData->OutChallenge, + ISCSI_CHAP_RSP_LEN, +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h +index 1fc1d96ea3..35d5d6ec29 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h +@@ -19,7 +19,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + + #define ISCSI_CHAP_ALGORITHM_MD5 5 + +-#define ISCSI_CHAP_AUTH_MAX_LEN 1024 + /// + /// MD5_HASHSIZE + /// +@@ -59,9 +58,13 @@ typedef struct _ISCSI_CHAP_AUTH_DATA { + // + // Auth-data to be sent out for mutual authentication. + // ++ // While the challenge size is technically independent of the hashing ++ // algorithm, it is good practice to avoid hashing *fewer bytes* than the ++ // digest size. In other words, it's good practice to feed *at least as many ++ // bytes* to the hashing algorithm as the hashing algorithm will output. ++ // + UINT32 OutIdentifier; +- UINT8 OutChallenge[ISCSI_CHAP_AUTH_MAX_LEN]; +- UINT32 OutChallengeLength; ++ UINT8 OutChallenge[ISCSI_CHAP_RSP_LEN]; + } ISCSI_CHAP_AUTH_DATA; + + /** +-- +2.27.0 + diff --git a/0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch b/0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch new file mode 100644 index 0000000..2be51c1 --- /dev/null +++ b/0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch @@ -0,0 +1,94 @@ +From e8f28b09e63dfdbb4169969a43c65f86c44b035a Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 8 Jun 2021 14:12:53 +0200 +Subject: [PATCH 21/27] NetworkPkg/IScsiDxe: clean up library class + dependencies +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Sort the library class dependencies in the #include directives and in the +INF file. Remove the DpcLib class from the #include directives -- it is +not listed in the INF file, and IScsiDxe doesn't call either DpcLib API +(QueueDpc(), DispatchDpc()). No functional changes. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Maciej Rabeda +Message-Id: <20210608121259.32451-5-lersek@redhat.com> +--- + NetworkPkg/IScsiDxe/IScsiDxe.inf | 6 +++--- + NetworkPkg/IScsiDxe/IScsiImpl.h | 17 ++++++++--------- + 2 files changed, 11 insertions(+), 12 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf +index 0ffb340ce0..543c408302 100644 +--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf ++++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf +@@ -65,6 +65,7 @@ + NetworkPkg/NetworkPkg.dec + + [LibraryClasses] ++ BaseCryptLib + BaseLib + BaseMemoryLib + DebugLib +@@ -72,14 +73,13 @@ + HiiLib + MemoryAllocationLib + NetLib +- TcpIoLib + PrintLib ++ TcpIoLib + UefiBootServicesTableLib + UefiDriverEntryPoint ++ UefiHiiServicesLib + UefiLib + UefiRuntimeServicesTableLib +- UefiHiiServicesLib +- BaseCryptLib + + [Protocols] + gEfiAcpiTableProtocolGuid ## SOMETIMES_CONSUMES ## SystemTable +diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h +index 387ab9765e..d895c7feb9 100644 +--- a/NetworkPkg/IScsiDxe/IScsiImpl.h ++++ b/NetworkPkg/IScsiDxe/IScsiImpl.h +@@ -35,21 +35,20 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + #include + #include + +-#include +-#include +-#include +-#include ++#include + #include + #include ++#include ++#include ++#include + #include ++#include + #include ++#include + #include +-#include ++#include + #include +-#include +-#include +-#include +-#include ++#include + + #include + #include +-- +2.27.0 + diff --git a/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch b/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch new file mode 100644 index 0000000..f1eddbe --- /dev/null +++ b/0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch @@ -0,0 +1,147 @@ +From cf01b2dc8fc3ff9cf49fb891af5703dc03e3193e Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 8 Jun 2021 14:12:54 +0200 +Subject: [PATCH 22/27] NetworkPkg/IScsiDxe: fix potential integer overflow in + IScsiBinToHex() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Considering IScsiBinToHex(): + +> if (((*HexLength) - 3) < BinLength * 2) { +> *HexLength = BinLength * 2 + 3; +> } + +the following subexpressions are problematic: + + (*HexLength) - 3 + BinLength * 2 + BinLength * 2 + 3 + +The first one may wrap under zero, the latter two may wrap over +MAX_UINT32. + +Rewrite the calculation using SafeIntLib. + +While at it, change the type of the "Index" variable from UINTN to UINT32. +The largest "Index"-based value that we calculate is + + Index * 2 + 2 (with (Index == BinLength)) + +Because the patch makes + + BinLength * 2 + 3 + +safe to calculate in UINT32, using UINT32 for + + Index * 2 + 2 (with (Index == BinLength)) + +is safe too. Consistently using UINT32 improves readability. + +This patch is best reviewed with "git show -W". + +The integer overflows that this patch fixes are theoretical; a subsequent +patch in the series will audit the IScsiBinToHex() call sites, and show +that none of them can fail. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Maciej Rabeda +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20210608121259.32451-6-lersek@redhat.com> +--- + NetworkPkg/IScsiDxe/IScsiDxe.inf | 1 + + NetworkPkg/IScsiDxe/IScsiImpl.h | 1 + + NetworkPkg/IScsiDxe/IScsiMisc.c | 19 +++++++++++++++---- + NetworkPkg/IScsiDxe/IScsiMisc.h | 1 + + 4 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiDxe.inf b/NetworkPkg/IScsiDxe/IScsiDxe.inf +index 543c408302..1dde56d00c 100644 +--- a/NetworkPkg/IScsiDxe/IScsiDxe.inf ++++ b/NetworkPkg/IScsiDxe/IScsiDxe.inf +@@ -74,6 +74,7 @@ + MemoryAllocationLib + NetLib + PrintLib ++ SafeIntLib + TcpIoLib + UefiBootServicesTableLib + UefiDriverEntryPoint +diff --git a/NetworkPkg/IScsiDxe/IScsiImpl.h b/NetworkPkg/IScsiDxe/IScsiImpl.h +index d895c7feb9..ac3a25730e 100644 +--- a/NetworkPkg/IScsiDxe/IScsiImpl.h ++++ b/NetworkPkg/IScsiDxe/IScsiImpl.h +@@ -44,6 +44,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + #include + #include + #include ++#include + #include + #include + #include +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c +index b8fef3ff6f..42988e15cb 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.c ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c +@@ -316,6 +316,7 @@ IScsiMacAddrToStr ( + @retval EFI_SUCCESS The binary data is converted to the hexadecimal string + and the length of the string is updated. + @retval EFI_BUFFER_TOO_SMALL The string is too small. ++ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding. + @retval EFI_INVALID_PARAMETER The IP string is malformatted. + + **/ +@@ -327,18 +328,28 @@ IScsiBinToHex ( + IN OUT UINT32 *HexLength + ) + { +- UINTN Index; ++ UINT32 HexLengthMin; ++ UINT32 HexLengthProvided; ++ UINT32 Index; + + if ((HexStr == NULL) || (BinBuffer == NULL) || (BinLength == 0)) { + return EFI_INVALID_PARAMETER; + } + +- if (((*HexLength) - 3) < BinLength * 2) { +- *HexLength = BinLength * 2 + 3; ++ // ++ // Safely calculate: HexLengthMin := BinLength * 2 + 3. ++ // ++ if (RETURN_ERROR (SafeUint32Mult (BinLength, 2, &HexLengthMin)) || ++ RETURN_ERROR (SafeUint32Add (HexLengthMin, 3, &HexLengthMin))) { ++ return EFI_BAD_BUFFER_SIZE; ++ } ++ ++ HexLengthProvided = *HexLength; ++ *HexLength = HexLengthMin; ++ if (HexLengthProvided < HexLengthMin) { + return EFI_BUFFER_TOO_SMALL; + } + +- *HexLength = BinLength * 2 + 3; + // + // Prefix for Hex String. + // +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h +index 46c725aab3..231413993b 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.h ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h +@@ -150,6 +150,7 @@ IScsiAsciiStrToIp ( + @retval EFI_SUCCESS The binary data is converted to the hexadecimal string + and the length of the string is updated. + @retval EFI_BUFFER_TOO_SMALL The string is too small. ++ @retval EFI_BAD_BUFFER_SIZE BinLength is too large for hex encoding. + @retval EFI_INVALID_PARAMETER The IP string is malformatted. + + **/ +-- +2.27.0 + diff --git a/0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch b/0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch new file mode 100644 index 0000000..82c659e --- /dev/null +++ b/0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch @@ -0,0 +1,88 @@ +From d90fff40cb2502b627370a77f5608c8a178c3f78 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 8 Jun 2021 14:12:55 +0200 +Subject: [PATCH 23/27] NetworkPkg/IScsiDxe: assert that IScsiBinToHex() always + succeeds +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +IScsiBinToHex() is called for encoding: + +- the answer to the target's challenge; that is, CHAP_R; + +- the challenge for the target, in case mutual authentication is enabled; + that is, CHAP_C. + +The initiator controls the size of both blobs, the sizes of their hex +encodings are correctly calculated in "RspLen" and "ChallengeLen". +Therefore the IScsiBinToHex() calls never fail; assert that. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Maciej Rabeda +Message-Id: <20210608121259.32451-7-lersek@redhat.com> +--- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index 9e192ce292..dbe3c8ef46 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -391,6 +391,7 @@ IScsiCHAPToSendReq ( + UINT32 RspLen; + CHAR8 *Challenge; + UINT32 ChallengeLen; ++ EFI_STATUS BinToHexStatus; + + ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION); + +@@ -471,12 +472,13 @@ IScsiCHAPToSendReq ( + // + // CHAP_R= + // +- IScsiBinToHex ( +- (UINT8 *) AuthData->CHAPResponse, +- ISCSI_CHAP_RSP_LEN, +- Response, +- &RspLen +- ); ++ BinToHexStatus = IScsiBinToHex ( ++ (UINT8 *) AuthData->CHAPResponse, ++ ISCSI_CHAP_RSP_LEN, ++ Response, ++ &RspLen ++ ); ++ ASSERT_EFI_ERROR (BinToHexStatus); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response); + + if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) { +@@ -490,12 +492,13 @@ IScsiCHAPToSendReq ( + // CHAP_C= + // + IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN); +- IScsiBinToHex ( +- (UINT8 *) AuthData->OutChallenge, +- ISCSI_CHAP_RSP_LEN, +- Challenge, +- &ChallengeLen +- ); ++ BinToHexStatus = IScsiBinToHex ( ++ (UINT8 *) AuthData->OutChallenge, ++ ISCSI_CHAP_RSP_LEN, ++ Challenge, ++ &ChallengeLen ++ ); ++ ASSERT_EFI_ERROR (BinToHexStatus); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge); + + Conn->AuthStep = ISCSI_CHAP_STEP_FOUR; +-- +2.27.0 + diff --git a/0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch b/0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch new file mode 100644 index 0000000..2a3f310 --- /dev/null +++ b/0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch @@ -0,0 +1,86 @@ +From dc469f137110fe79704b8b92c552972c739bb915 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 8 Jun 2021 14:12:56 +0200 +Subject: [PATCH 24/27] NetworkPkg/IScsiDxe: reformat IScsiHexToBin() leading + comment block +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We'll need further return values for IScsiHexToBin() in a subsequent +patch; make room for them in the leading comment block of the function. +While at it, rewrap the comment block to 80 characters width. + +No functional changes. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Maciej Rabeda +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20210608121259.32451-8-lersek@redhat.com> +--- + NetworkPkg/IScsiDxe/IScsiMisc.c | 16 ++++++++-------- + NetworkPkg/IScsiDxe/IScsiMisc.h | 16 ++++++++-------- + 2 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c +index 42988e15cb..014700e87a 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.c ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c +@@ -370,14 +370,14 @@ IScsiBinToHex ( + /** + Convert the hexadecimal string into a binary encoded buffer. + +- @param[in, out] BinBuffer The binary buffer. +- @param[in, out] BinLength Length of the binary buffer. +- @param[in] HexStr The hexadecimal string. +- +- @retval EFI_SUCCESS The hexadecimal string is converted into a binary +- encoded buffer. +- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data. +- ++ @param[in, out] BinBuffer The binary buffer. ++ @param[in, out] BinLength Length of the binary buffer. ++ @param[in] HexStr The hexadecimal string. ++ ++ @retval EFI_SUCCESS The hexadecimal string is converted into a ++ binary encoded buffer. ++ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the ++ converted data. + **/ + EFI_STATUS + IScsiHexToBin ( +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h +index 231413993b..28cf408cd5 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.h ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h +@@ -165,14 +165,14 @@ IScsiBinToHex ( + /** + Convert the hexadecimal string into a binary encoded buffer. + +- @param[in, out] BinBuffer The binary buffer. +- @param[in, out] BinLength Length of the binary buffer. +- @param[in] HexStr The hexadecimal string. +- +- @retval EFI_SUCCESS The hexadecimal string is converted into a binary +- encoded buffer. +- @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the converted data. +- ++ @param[in, out] BinBuffer The binary buffer. ++ @param[in, out] BinLength Length of the binary buffer. ++ @param[in] HexStr The hexadecimal string. ++ ++ @retval EFI_SUCCESS The hexadecimal string is converted into a ++ binary encoded buffer. ++ @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the ++ converted data. + **/ + EFI_STATUS + IScsiHexToBin ( +-- +2.27.0 + diff --git a/0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch b/0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch new file mode 100644 index 0000000..0996638 --- /dev/null +++ b/0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch @@ -0,0 +1,97 @@ +From 47b76780b487dbfde4efb6843b16064c4a97e94d Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 8 Jun 2021 14:12:57 +0200 +Subject: [PATCH 25/27] NetworkPkg/IScsiDxe: fix IScsiHexToBin() hex parsing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The IScsiHexToBin() function has the following parser issues: + +(1) If the *subject sequence* in "HexStr" is empty, the function returns + EFI_SUCCESS (with "BinLength" set to 0 on output). Such inputs should + be rejected. + +(2) The function mis-handles a "HexStr" that ends with a stray nibble. For + example, if "HexStr" is "0xABC", the function decodes it to the bytes + {0xAB, 0x0C}, sets "BinLength" to 2 on output, and returns + EFI_SUCCESS. Such inputs should be rejected. + +(3) If an invalid hex char is found in "HexStr", the function treats it as + end-of-hex-string, and returns EFI_SUCCESS. Such inputs should be + rejected. + +All of the above cases are remotely triggerable, as shown in a subsequent +patch, which adds error checking to the IScsiHexToBin() call sites. While +the initiator is not immediately compromised, incorrectly parsing CHAP_R +from the target, in case of mutual authentication, is not great. + +Extend the interface contract of IScsiHexToBin() with +EFI_INVALID_PARAMETER, for reporting issues (1) through (3), and implement +the new checks. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Maciej Rabeda +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20210608121259.32451-9-lersek@redhat.com> +--- + NetworkPkg/IScsiDxe/IScsiMisc.c | 12 ++++++++++-- + NetworkPkg/IScsiDxe/IScsiMisc.h | 1 + + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c +index 014700e87a..f0f4992b07 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.c ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c +@@ -376,6 +376,7 @@ IScsiBinToHex ( + + @retval EFI_SUCCESS The hexadecimal string is converted into a + binary encoded buffer. ++ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. + @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the + converted data. + **/ +@@ -402,14 +403,21 @@ IScsiHexToBin ( + + Length = AsciiStrLen (HexStr); + ++ // ++ // Reject an empty hex string; reject a stray nibble. ++ // ++ if (Length == 0 || Length % 2 != 0) { ++ return EFI_INVALID_PARAMETER; ++ } ++ + for (Index = 0; Index < Length; Index ++) { + TemStr[0] = HexStr[Index]; + Digit = (UINT8) AsciiStrHexToUint64 (TemStr); + if (Digit == 0 && TemStr[0] != '0') { + // +- // Invalid Lun Char. ++ // Invalid Hex Char. + // +- break; ++ return EFI_INVALID_PARAMETER; + } + if ((Index & 1) == 0) { + BinBuffer [Index/2] = Digit; +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h +index 28cf408cd5..404a482e57 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.h ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h +@@ -171,6 +171,7 @@ IScsiBinToHex ( + + @retval EFI_SUCCESS The hexadecimal string is converted into a + binary encoded buffer. ++ @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. + @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the + converted data. + **/ +-- +2.27.0 + diff --git a/0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch b/0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch new file mode 100644 index 0000000..6c2861e --- /dev/null +++ b/0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch @@ -0,0 +1,106 @@ +From 54e90edaed0d7c15230902ac4d74f4304bad2ebd Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 8 Jun 2021 14:12:58 +0200 +Subject: [PATCH 26/27] NetworkPkg/IScsiDxe: fix IScsiHexToBin() buffer + overflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The IScsiHexToBin() function documents the EFI_BUFFER_TOO_SMALL return +condition, but never actually checks whether the decoded buffer fits into +the caller-provided room (i.e., the input value of "BinLength"), and +EFI_BUFFER_TOO_SMALL is never returned. The decoding of "HexStr" can +overflow "BinBuffer". + +This is remotely exploitable, as shown in a subsequent patch, which adds +error checking to the IScsiHexToBin() call sites. This issue allows the +target to compromise the initiator. + +Introduce EFI_BAD_BUFFER_SIZE, in addition to the existent +EFI_BUFFER_TOO_SMALL, for reporting a special case of the buffer overflow, +plus actually catch the buffer overflow. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Maciej Rabeda +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20210608121259.32451-10-lersek@redhat.com> +--- + NetworkPkg/IScsiDxe/IScsiMisc.c | 20 +++++++++++++++++--- + NetworkPkg/IScsiDxe/IScsiMisc.h | 3 +++ + 2 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c +index f0f4992b07..4069547867 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.c ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.c +@@ -377,6 +377,9 @@ IScsiBinToHex ( + @retval EFI_SUCCESS The hexadecimal string is converted into a + binary encoded buffer. + @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. ++ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding: ++ the decoded size cannot be expressed in ++ BinLength on output. + @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the + converted data. + **/ +@@ -387,6 +390,8 @@ IScsiHexToBin ( + IN CHAR8 *HexStr + ) + { ++ UINTN BinLengthMin; ++ UINT32 BinLengthProvided; + UINTN Index; + UINTN Length; + UINT8 Digit; +@@ -409,6 +414,18 @@ IScsiHexToBin ( + if (Length == 0 || Length % 2 != 0) { + return EFI_INVALID_PARAMETER; + } ++ // ++ // Check if the caller provides enough room for the decoded blob. ++ // ++ BinLengthMin = Length / 2; ++ if (BinLengthMin > MAX_UINT32) { ++ return EFI_BAD_BUFFER_SIZE; ++ } ++ BinLengthProvided = *BinLength; ++ *BinLength = (UINT32)BinLengthMin; ++ if (BinLengthProvided < BinLengthMin) { ++ return EFI_BUFFER_TOO_SMALL; ++ } + + for (Index = 0; Index < Length; Index ++) { + TemStr[0] = HexStr[Index]; +@@ -425,9 +442,6 @@ IScsiHexToBin ( + BinBuffer [Index/2] = (UINT8) ((BinBuffer [Index/2] << 4) + Digit); + } + } +- +- *BinLength = (UINT32) ((Index + 1)/2); +- + return EFI_SUCCESS; + } + +diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h +index 404a482e57..fddef4f466 100644 +--- a/NetworkPkg/IScsiDxe/IScsiMisc.h ++++ b/NetworkPkg/IScsiDxe/IScsiMisc.h +@@ -172,6 +172,9 @@ IScsiBinToHex ( + @retval EFI_SUCCESS The hexadecimal string is converted into a + binary encoded buffer. + @retval EFI_INVALID_PARAMETER Invalid hex encoding found in HexStr. ++ @retval EFI_BAD_BUFFER_SIZE The length of HexStr is too large for decoding: ++ the decoded size cannot be expressed in ++ BinLength on output. + @retval EFI_BUFFER_TOO_SMALL The binary buffer is too small to hold the + converted data. + **/ +-- +2.27.0 + diff --git a/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch new file mode 100644 index 0000000..426abb9 --- /dev/null +++ b/0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch @@ -0,0 +1,84 @@ +From b8649cf2a3e673a4a8cb6c255e394b354b771550 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 8 Jun 2021 14:12:59 +0200 +Subject: [PATCH 27/27] NetworkPkg/IScsiDxe: check IScsiHexToBin() return + values +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +IScsiDxe (that is, the initiator) receives two hex-encoded strings from +the iSCSI target: + +- CHAP_C, where the target challenges the initiator, + +- CHAP_R, where the target answers the challenge from the initiator (in + case the initiator wants mutual authentication). + +Accordingly, we have two IScsiHexToBin() call sites: + +- At the CHAP_C decoding site, check whether the decoding succeeds. The + decoded buffer ("AuthData->InChallenge") can accommodate 1024 bytes, + which is a permissible restriction on the target, per + . Shorter challenges + from the target are acceptable. + +- At the CHAP_R decoding site, enforce that the decoding both succeed, and + provide exactly ISCSI_CHAP_RSP_LEN bytes. CHAP_R contains the digest + calculated by the target, therefore it must be of fixed size. We may + only call IScsiCHAPAuthTarget() if "TargetRsp" has been fully populated. + +Cc: Jiaxin Wu +Cc: Maciej Rabeda +Cc: Philippe Mathieu-Daudé +Cc: Siyuan Fu +Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356 +Signed-off-by: Laszlo Ersek +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Maciej Rabeda +Message-Id: <20210608121259.32451-11-lersek@redhat.com> +--- + NetworkPkg/IScsiDxe/IScsiCHAP.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c +index dbe3c8ef46..7e930c0d1e 100644 +--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c ++++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c +@@ -290,11 +290,15 @@ IScsiCHAPOnRspReceived ( + + AuthData->InIdentifier = (UINT32) Result; + AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge); +- IScsiHexToBin ( +- (UINT8 *) AuthData->InChallenge, +- &AuthData->InChallengeLength, +- Challenge +- ); ++ Status = IScsiHexToBin ( ++ (UINT8 *) AuthData->InChallenge, ++ &AuthData->InChallengeLength, ++ Challenge ++ ); ++ if (EFI_ERROR (Status)) { ++ Status = EFI_PROTOCOL_ERROR; ++ goto ON_EXIT; ++ } + Status = IScsiCHAPCalculateResponse ( + AuthData->InIdentifier, + AuthData->AuthConfig->CHAPSecret, +@@ -337,7 +341,11 @@ IScsiCHAPOnRspReceived ( + } + + RspLen = ISCSI_CHAP_RSP_LEN; +- IScsiHexToBin (TargetRsp, &RspLen, Response); ++ Status = IScsiHexToBin (TargetRsp, &RspLen, Response); ++ if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) { ++ Status = EFI_PROTOCOL_ERROR; ++ goto ON_EXIT; ++ } + + // + // Check the CHAP Name and Response replied by Target. +-- +2.27.0 + diff --git a/0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch b/0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch new file mode 100644 index 0000000..0917f11 --- /dev/null +++ b/0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch @@ -0,0 +1,982 @@ +From 306307df0e228c73f6ad38ef231db75c4a3478d1 Mon Sep 17 00:00:00 2001 +From: Dandan Bi +Date: Mon, 28 Jun 2021 19:50:22 +0800 +Subject: [PATCH] MdeModulePkg/FPDT: Lock boot performance table address + variable at EndOfDxe + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2957 + +1. Allocate performance data table at EndOfDxe and then lock the varible + which store the table address at EndOfDxe. + +2. Enlarge PCD gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize + from 0x20000 to 0x30000 in order to hold the Delta performance data + between EndOfDxe and ReadyToBoot. + +3. SMM performance data is collected by DXE modules through SMM communication + at ReadyToBoot before. + Now to do SMM communication twice, one for allocating the performance + size at EndOfDxe, another is at ReadyToBoot to get SMM performance data. + +4. Make SmmCorePerformanceLib rather than FirmwarePerformanceSmm to communicate + with DxeCorePerformanceLib for SMM performance data and size. + +Cc: Liming Gao +Cc: Hao A Wu +Cc: Jian J Wang +Signed-off-by: Dandan Bi +Reviewed-by: Hao A Wu +Signed-off-by: Jinhua Cao +--- + .../DxeCorePerformanceLib.c | 132 +++++++++++---- + .../DxeCorePerformanceLib.inf | 3 +- + .../SmmCorePerformanceLib.c | 142 ++++++++++++---- + .../SmmCorePerformanceLib.inf | 5 +- + MdeModulePkg/MdeModulePkg.dec | 4 +- + .../FirmwarePerformanceDxe.c | 90 +++++++++-- + .../FirmwarePerformanceDxe.inf | 6 +- + .../FirmwarePerformanceSmm.c | 151 +----------------- + .../FirmwarePerformanceSmm.inf | 4 +- + 9 files changed, 302 insertions(+), 235 deletions(-) + +diff --git a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c +index f500e20b32..bcefac6b6c 100644 +--- a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c ++++ b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.c +@@ -10,7 +10,7 @@ + This library is mainly used by DxeCore to start performance logging to ensure that + Performance Protocol is installed at the very beginning of DXE phase. + +-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved.
+ (C) Copyright 2016 Hewlett Packard Enterprise Development LP
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +@@ -64,7 +64,7 @@ UINT32 mLoadImageCount = 0; + UINT32 mPerformanceLength = 0; + UINT32 mMaxPerformanceLength = 0; + UINT32 mBootRecordSize = 0; +-UINT32 mBootRecordMaxSize = 0; ++UINTN mBootRecordMaxSize = 0; + UINT32 mCachedLength = 0; + + BOOLEAN mFpdtBufferIsReported = FALSE; +@@ -205,25 +205,26 @@ IsKnownID ( + } + + /** +- Allocate buffer for Boot Performance table. ++ This internal function dumps all the SMM performance data and size. + +- @return Status code. ++ @param SmmPerfData Smm Performance data. The buffer contain the SMM perf data is allocated by this function and caller needs to free it. ++ @param SmmPerfDataSize Smm Performance data size. ++ @param SkipGetPerfData Skip to get performance data, just get the size. + + **/ +-EFI_STATUS +-AllocateBootPerformanceTable ( ++VOID ++InternalGetSmmPerfData ( ++ OUT VOID **SmmPerfData, ++ OUT UINTN *SmmPerfDataSize, ++ IN BOOLEAN SkipGetPerfData + ) + { + EFI_STATUS Status; +- UINTN Size; + UINT8 *SmmBootRecordCommBuffer; + EFI_SMM_COMMUNICATE_HEADER *SmmCommBufferHeader; + SMM_BOOT_RECORD_COMMUNICATE *SmmCommData; + UINTN CommSize; +- UINTN BootPerformanceDataSize; +- UINT8 *BootPerformanceData; + EFI_SMM_COMMUNICATION_PROTOCOL *Communication; +- FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable; + EDKII_PI_SMM_COMMUNICATION_REGION_TABLE *SmmCommRegionTable; + EFI_MEMORY_DESCRIPTOR *SmmCommMemRegion; + UINTN Index; +@@ -237,7 +238,6 @@ AllocateBootPerformanceTable ( + SmmBootRecordCommBuffer = NULL; + SmmCommData = NULL; + SmmBootRecordData = NULL; +- SmmBootRecordDataSize = 0; + ReservedMemSize = 0; + Status = gBS->LocateProtocol (&gEfiSmmCommunicationProtocolGuid, NULL, (VOID **) &Communication); + if (!EFI_ERROR (Status)) { +@@ -284,6 +284,10 @@ AllocateBootPerformanceTable ( + Status = Communication->Communicate (Communication, SmmBootRecordCommBuffer, &CommSize); + + if (!EFI_ERROR (Status) && !EFI_ERROR (SmmCommData->ReturnStatus) && SmmCommData->BootRecordSize != 0) { ++ if (SkipGetPerfData) { ++ *SmmPerfDataSize = SmmCommData->BootRecordSize; ++ return; ++ } + // + // Get all boot records + // +@@ -305,19 +309,45 @@ AllocateBootPerformanceTable ( + } + SmmCommData->BootRecordOffset = SmmCommData->BootRecordOffset + SmmCommData->BootRecordSize; + } ++ *SmmPerfData = SmmBootRecordData; ++ *SmmPerfDataSize = SmmBootRecordDataSize; + } + } + } + } ++} ++ ++/** ++ Allocate buffer for Boot Performance table. ++ ++ @return Status code. ++ ++**/ ++EFI_STATUS ++AllocateBootPerformanceTable ( ++ VOID ++ ) ++{ ++ EFI_STATUS Status; ++ UINTN Size; ++ UINTN BootPerformanceDataSize; ++ UINT8 *BootPerformanceData; ++ FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable; ++ UINTN SmmBootRecordDataSize; ++ ++ SmmBootRecordDataSize = 0; ++ ++ // ++ // Get SMM performance data size at the point of EndOfDxe in order to allocate the boot performance table. ++ // Will Get all the data at ReadyToBoot. ++ // ++ InternalGetSmmPerfData (NULL, &SmmBootRecordDataSize, TRUE); + + // + // Prepare memory for Boot Performance table. + // Boot Performance table includes BasicBoot record, and one or more appended Boot Records. + // +- BootPerformanceDataSize = sizeof (BOOT_PERFORMANCE_TABLE) + mPerformanceLength + PcdGet32 (PcdExtFpdtBootRecordPadSize); +- if (SmmCommData != NULL && SmmBootRecordData != NULL) { +- BootPerformanceDataSize += SmmBootRecordDataSize; +- } ++ BootPerformanceDataSize = sizeof (BOOT_PERFORMANCE_TABLE) + mPerformanceLength + SmmBootRecordDataSize + PcdGet32 (PcdExtFpdtBootRecordPadSize); + + // + // Try to allocate the same runtime buffer as last time boot. +@@ -358,9 +388,6 @@ AllocateBootPerformanceTable ( + DEBUG ((DEBUG_INFO, "DxeCorePerformanceLib: ACPI Boot Performance Table address = 0x%x\n", mAcpiBootPerformanceTable)); + + if (mAcpiBootPerformanceTable == NULL) { +- if (SmmCommData != NULL && SmmBootRecordData != NULL) { +- FreePool (SmmBootRecordData); +- } + return EFI_OUT_OF_RESOURCES; + } + +@@ -385,19 +412,10 @@ AllocateBootPerformanceTable ( + mPerformanceLength = 0; + mMaxPerformanceLength = 0; + } +- if (SmmCommData != NULL && SmmBootRecordData != NULL) { +- // +- // Fill Boot records from SMM drivers. +- // +- CopyMem (BootPerformanceData, SmmBootRecordData, SmmBootRecordDataSize); +- FreePool (SmmBootRecordData); +- mAcpiBootPerformanceTable->Header.Length = (UINT32) (mAcpiBootPerformanceTable->Header.Length + SmmBootRecordDataSize); +- BootPerformanceData = BootPerformanceData + SmmBootRecordDataSize; +- } + + mBootRecordBuffer = (UINT8 *) mAcpiBootPerformanceTable; + mBootRecordSize = mAcpiBootPerformanceTable->Header.Length; +- mBootRecordMaxSize = mBootRecordSize + PcdGet32 (PcdExtFpdtBootRecordPadSize); ++ mBootRecordMaxSize = BootPerformanceDataSize; + + return EFI_SUCCESS; + } +@@ -1336,6 +1354,47 @@ ReportFpdtRecordBuffer ( + } + } + ++/** ++ Update Boot Performance table. ++ ++ @param Event The event of notify protocol. ++ @param Context Notify event context. ++ ++**/ ++VOID ++EFIAPI ++UpdateBootPerformanceTable ( ++ IN EFI_EVENT Event, ++ IN VOID *Context ++ ) ++{ ++ VOID *SmmBootRecordData; ++ UINTN SmmBootRecordDataSize; ++ UINTN AppendSize; ++ UINT8 *FirmwarePerformanceTablePtr; ++ ++ // ++ // Get SMM performance data. ++ // ++ SmmBootRecordData = NULL; ++ InternalGetSmmPerfData (&SmmBootRecordData, &SmmBootRecordDataSize, FALSE); ++ ++ FirmwarePerformanceTablePtr = (UINT8 *) mAcpiBootPerformanceTable + mAcpiBootPerformanceTable->Header.Length; ++ ++ if (mAcpiBootPerformanceTable->Header.Length + SmmBootRecordDataSize > mBootRecordMaxSize) { ++ DEBUG ((DEBUG_INFO, "DxeCorePerformanceLib: No enough space to save all SMM boot performance data\n")); ++ AppendSize = mBootRecordMaxSize - mAcpiBootPerformanceTable->Header.Length; ++ } else { ++ AppendSize = SmmBootRecordDataSize; ++ } ++ if (SmmBootRecordData != NULL) { ++ CopyMem (FirmwarePerformanceTablePtr, SmmBootRecordData, AppendSize); ++ mAcpiBootPerformanceTable->Header.Length += (UINT32) AppendSize; ++ mBootRecordSize += (UINT32) AppendSize; ++ FreePool (SmmBootRecordData); ++ } ++} ++ + /** + The constructor function initializes Performance infrastructure for DXE phase. + +@@ -1358,6 +1417,7 @@ DxeCorePerformanceLibConstructor ( + { + EFI_STATUS Status; + EFI_HANDLE Handle; ++ EFI_EVENT EndOfDxeEvent; + EFI_EVENT ReadyToBootEvent; + PERFORMANCE_PROPERTY *PerformanceProperty; + +@@ -1386,13 +1446,25 @@ DxeCorePerformanceLibConstructor ( + ASSERT_EFI_ERROR (Status); + + // +- // Register ReadyToBoot event to report StatusCode data ++ // Register EndOfDxe event to allocate the boot performance table and report the table address through status code. + // + Status = gBS->CreateEventEx ( + EVT_NOTIFY_SIGNAL, +- TPL_CALLBACK, ++ TPL_NOTIFY, + ReportFpdtRecordBuffer, + NULL, ++ &gEfiEndOfDxeEventGroupGuid, ++ &EndOfDxeEvent ++ ); ++ ++ // ++ // Register ReadyToBoot event to update the boot performance table for SMM performance data. ++ // ++ Status = gBS->CreateEventEx ( ++ EVT_NOTIFY_SIGNAL, ++ TPL_CALLBACK, ++ UpdateBootPerformanceTable, ++ NULL, + &gEfiEventReadyToBootGuid, + &ReadyToBootEvent + ); +diff --git a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf +index 1c1dcc60a6..599d4dea66 100644 +--- a/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf ++++ b/MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf +@@ -9,7 +9,7 @@ + # This library is mainly used by DxeCore to start performance logging to ensure that + # Performance and PerformanceEx Protocol are installed at the very beginning of DXE phase. + # +-# Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
++# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved.
+ # (C) Copyright 2016 Hewlett Packard Enterprise Development LP
+ # SPDX-License-Identifier: BSD-2-Clause-Patent + # +@@ -67,6 +67,7 @@ + gZeroGuid ## SOMETIMES_CONSUMES ## GUID + gEfiFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # StatusCode Data + gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_CONSUMES ## HOB # StatusCode Data ++ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event + gEfiEventReadyToBootGuid ## CONSUMES ## Event + gEdkiiPiSmmCommunicationRegionTableGuid ## SOMETIMES_CONSUMES ## SystemTable + gEdkiiPerformanceMeasurementProtocolGuid ## PRODUCES ## UNDEFINED # Install protocol +diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c +index b4f22c14ae..d80f37e520 100644 +--- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c ++++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c +@@ -16,7 +16,7 @@ + + SmmPerformanceHandlerEx(), SmmPerformanceHandler() will receive untrusted input and do basic validation. + +-Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
++Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -48,6 +48,7 @@ CHAR8 *mPlatformLanguage = NULL; + SPIN_LOCK mSmmFpdtLock; + PERFORMANCE_PROPERTY mPerformanceProperty; + UINT32 mCachedLength = 0; ++UINT32 mBootRecordSize = 0; + + // + // Interfaces for SMM PerformanceMeasurement Protocol. +@@ -776,41 +777,116 @@ InsertFpdtRecord ( + } + + /** +- SmmReadyToBoot protocol notification event handler. ++ Communication service SMI Handler entry. + +- @param Protocol Points to the protocol's unique identifier +- @param Interface Points to the interface instance +- @param Handle The handle on which the interface was installed ++ This SMI handler provides services for report MM boot records. + +- @retval EFI_SUCCESS SmmReadyToBootCallback runs successfully ++ Caution: This function may receive untrusted input. ++ Communicate buffer and buffer size are external input, so this function will do basic validation. ++ ++ @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister(). ++ @param[in] RegisterContext Points to an optional handler context which was specified when the ++ handler was registered. ++ @param[in, out] CommBuffer A pointer to a collection of data in memory that will ++ be conveyed from a non-MM environment into an MM environment. ++ @param[in, out] CommBufferSize The size of the CommBuffer. ++ ++ @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers ++ should still be called. ++ @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should ++ still be called. ++ @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still ++ be called. ++ @retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced. + + **/ + EFI_STATUS + EFIAPI +-SmmReportFpdtRecordData ( +- IN CONST EFI_GUID *Protocol, +- IN VOID *Interface, +- IN EFI_HANDLE Handle ++FpdtSmiHandler ( ++ IN EFI_HANDLE DispatchHandle, ++ IN CONST VOID *RegisterContext, ++ IN OUT VOID *CommBuffer, ++ IN OUT UINTN *CommBufferSize + ) + { +- UINT64 SmmBPDTddr; +- +- if (!mFpdtDataIsReported && mSmmBootPerformanceTable != NULL) { +- SmmBPDTddr = (UINT64)(UINTN)mSmmBootPerformanceTable; +- REPORT_STATUS_CODE_EX ( +- EFI_PROGRESS_CODE, +- EFI_SOFTWARE_SMM_DRIVER, +- 0, +- NULL, +- &gEdkiiFpdtExtendedFirmwarePerformanceGuid, +- &SmmBPDTddr, +- sizeof (UINT64) ++ EFI_STATUS Status; ++ SMM_BOOT_RECORD_COMMUNICATE *SmmCommData; ++ UINTN BootRecordOffset; ++ UINTN BootRecordSize; ++ VOID *BootRecordData; ++ UINTN TempCommBufferSize; ++ UINT8 *BootRecordBuffer; ++ ++ // ++ // If input is invalid, stop processing this SMI ++ // ++ if (CommBuffer == NULL || CommBufferSize == NULL) { ++ return EFI_SUCCESS; ++ } ++ ++ TempCommBufferSize = *CommBufferSize; ++ ++ if(TempCommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) { ++ return EFI_SUCCESS; ++ } ++ ++ if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) { ++ DEBUG ((DEBUG_ERROR, "FpdtSmiHandler: MM communication data buffer in MMRAM or overflow!\n")); ++ return EFI_SUCCESS; ++ } ++ ++ SmmCommData = (SMM_BOOT_RECORD_COMMUNICATE*)CommBuffer; ++ ++ Status = EFI_SUCCESS; ++ ++ switch (SmmCommData->Function) { ++ case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_SIZE : ++ if (mSmmBootPerformanceTable != NULL) { ++ mBootRecordSize = mSmmBootPerformanceTable->Header.Length - sizeof (SMM_BOOT_PERFORMANCE_TABLE); ++ } ++ SmmCommData->BootRecordSize = mBootRecordSize; ++ break; ++ ++ case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA : ++ Status = EFI_UNSUPPORTED; ++ break; ++ ++ case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET : ++ BootRecordOffset = SmmCommData->BootRecordOffset; ++ BootRecordData = SmmCommData->BootRecordData; ++ BootRecordSize = SmmCommData->BootRecordSize; ++ if (BootRecordData == NULL || BootRecordOffset >= mBootRecordSize) { ++ Status = EFI_INVALID_PARAMETER; ++ break; ++ } ++ ++ // ++ // Sanity check ++ // ++ if (BootRecordSize > mBootRecordSize - BootRecordOffset) { ++ BootRecordSize = mBootRecordSize - BootRecordOffset; ++ } ++ SmmCommData->BootRecordSize = BootRecordSize; ++ if (!SmmIsBufferOutsideSmmValid ((UINTN)BootRecordData, BootRecordSize)) { ++ DEBUG ((DEBUG_ERROR, "FpdtSmiHandler: MM Data buffer in MMRAM or overflow!\n")); ++ Status = EFI_ACCESS_DENIED; ++ break; ++ } ++ BootRecordBuffer = ((UINT8 *) (mSmmBootPerformanceTable)) + sizeof (SMM_BOOT_PERFORMANCE_TABLE); ++ CopyMem ( ++ (UINT8*)BootRecordData, ++ BootRecordBuffer + BootRecordOffset, ++ BootRecordSize + ); +- // +- // Set FPDT report state to TRUE. +- // +- mFpdtDataIsReported = TRUE; ++ mFpdtDataIsReported = TRUE; ++ break; ++ ++ default: ++ Status = EFI_UNSUPPORTED; + } ++ ++ SmmCommData->ReturnStatus = Status; ++ + return EFI_SUCCESS; + } + +@@ -830,8 +906,8 @@ InitializeSmmCorePerformanceLib ( + ) + { + EFI_HANDLE Handle; ++ EFI_HANDLE SmiHandle; + EFI_STATUS Status; +- VOID *SmmReadyToBootRegistration; + PERFORMANCE_PROPERTY *PerformanceProperty; + + // +@@ -851,11 +927,13 @@ InitializeSmmCorePerformanceLib ( + ); + ASSERT_EFI_ERROR (Status); + +- Status = gSmst->SmmRegisterProtocolNotify ( +- &gEdkiiSmmReadyToBootProtocolGuid, +- SmmReportFpdtRecordData, +- &SmmReadyToBootRegistration +- ); ++ // ++ // Register SMI handler. ++ // ++ SmiHandle = NULL; ++ Status = gSmst->SmiHandlerRegister (FpdtSmiHandler, &gEfiFirmwarePerformanceGuid, &SmiHandle); ++ ASSERT_EFI_ERROR (Status); ++ + Status = EfiGetSystemConfigurationTable (&gPerformanceProtocolGuid, (VOID **) &PerformanceProperty); + if (EFI_ERROR (Status)) { + // +diff --git a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf +index 6b013b8557..9eecc4b58c 100644 +--- a/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf ++++ b/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf +@@ -8,7 +8,7 @@ + # This library is mainly used by SMM Core to start performance logging to ensure that + # SMM Performance and PerformanceEx Protocol are installed at the very beginning of SMM phase. + # +-# Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
++# Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
+ # SPDX-License-Identifier: BSD-2-Clause-Patent + # + ## +@@ -58,14 +58,13 @@ + + [Protocols] + gEfiSmmBase2ProtocolGuid ## CONSUMES +- gEdkiiSmmReadyToBootProtocolGuid ## NOTIFY + + [Guids] + ## PRODUCES ## SystemTable + gPerformanceProtocolGuid +- gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # StatusCode Data + gZeroGuid ## SOMETIMES_CONSUMES ## GUID + gEdkiiSmmPerformanceMeasurementProtocolGuid ## PRODUCES ## UNDEFINED # Install protocol ++ gEfiFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # SmiHandlerRegister + + [Pcd] + gEfiMdePkgTokenSpaceGuid.PcdPerformanceLibraryPropertyMask ## CONSUMES +diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec +index 5d9e2b8d3d..b139f1668c 100644 +--- a/MdeModulePkg/MdeModulePkg.dec ++++ b/MdeModulePkg/MdeModulePkg.dec +@@ -1822,9 +1822,9 @@ + gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosEntryPointProvideMethod|0x3|UINT32|0x00010069 + + ## This PCD specifies the additional pad size in FPDT Basic Boot Performance Table for +- # the extension FPDT boot records received after ReadyToBoot and before ExitBootService. ++ # the extension FPDT boot records received after EndOfDxe and before ExitBootService. + # @Prompt Pad size for extension FPDT boot records. +- gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize|0x20000|UINT32|0x0001005F ++ gEfiMdeModulePkgTokenSpaceGuid.PcdExtFpdtBootRecordPadSize|0x30000|UINT32|0x0001005F + + ## Indicates if ConIn device are connected on demand.

+ # TRUE - ConIn device are not connected during BDS and ReadKeyStroke/ReadKeyStrokeEx produced +diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c +index 61a7704b37..68755554ad 100644 +--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c ++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.c +@@ -5,7 +5,7 @@ + for Firmware Basic Boot Performance Record and other boot performance records, + and install FPDT to ACPI table. + +- Copyright (c) 2011 - 2019, Intel Corporation. All rights reserved.
++ Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -32,6 +33,8 @@ + #include + #include + #include ++#include ++#include + + #define SMM_BOOT_RECORD_COMM_SIZE (OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + sizeof(SMM_BOOT_RECORD_COMMUNICATE)) + +@@ -278,11 +281,12 @@ InstallFirmwarePerformanceDataTable ( + VOID + ) + { +- EFI_STATUS Status; +- EFI_ACPI_TABLE_PROTOCOL *AcpiTableProtocol; +- UINTN BootPerformanceDataSize; +- FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable; +- UINTN Size; ++ EFI_STATUS Status; ++ EFI_ACPI_TABLE_PROTOCOL *AcpiTableProtocol; ++ UINTN BootPerformanceDataSize; ++ FIRMWARE_PERFORMANCE_VARIABLE PerformanceVariable; ++ UINTN Size; ++ EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicyProtocol; + + // + // Get AcpiTable Protocol. +@@ -292,6 +296,14 @@ InstallFirmwarePerformanceDataTable ( + return Status; + } + ++ // ++ // Get VariablePolicy Protocol. ++ // ++ Status = gBS->LocateProtocol(&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicyProtocol); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ + if (mReceivedAcpiBootPerformanceTable != NULL) { + mAcpiBootPerformanceTable = mReceivedAcpiBootPerformanceTable; + mAcpiBootPerformanceTable->BasicBoot.ResetEnd = mBootPerformanceTableTemplate.BasicBoot.ResetEnd; +@@ -369,6 +381,24 @@ InstallFirmwarePerformanceDataTable ( + &PerformanceVariable + ); + ++ // ++ // Lock the variable which stores the Performance Table pointers. ++ // ++ Status = RegisterBasicVariablePolicy ( ++ VariablePolicyProtocol, ++ &gEfiFirmwarePerformanceGuid, ++ EFI_FIRMWARE_PERFORMANCE_VARIABLE_NAME, ++ VARIABLE_POLICY_NO_MIN_SIZE, ++ VARIABLE_POLICY_NO_MAX_SIZE, ++ VARIABLE_POLICY_NO_MUST_ATTR, ++ VARIABLE_POLICY_NO_CANT_ATTR, ++ VARIABLE_POLICY_TYPE_LOCK_NOW ++ ); ++ if (EFI_ERROR(Status)) { ++ DEBUG((DEBUG_ERROR, "[FirmwarePerformanceDxe] Error when lock variable %s, Status = %r\n", EFI_FIRMWARE_PERFORMANCE_VARIABLE_NAME, Status)); ++ ASSERT_EFI_ERROR(Status); ++ } ++ + // + // Publish Firmware Performance Data Table. + // +@@ -501,18 +531,12 @@ FpdtStatusCodeListenerDxe ( + DEBUG ((EFI_D_INFO, "FPDT: Boot Performance - OsLoaderStartImageStart = %ld\n", mAcpiBootPerformanceTable->BasicBoot.OsLoaderStartImageStart)); + DEBUG ((EFI_D_INFO, "FPDT: Boot Performance - ExitBootServicesEntry = 0\n")); + DEBUG ((EFI_D_INFO, "FPDT: Boot Performance - ExitBootServicesExit = 0\n")); +- } else if (Value == (EFI_SOFTWARE_DXE_BS_DRIVER | EFI_SW_DXE_BS_PC_READY_TO_BOOT_EVENT)) { +- if (mAcpiBootPerformanceTable == NULL) { +- // +- // ACPI Firmware Performance Data Table not installed yet, install it now. +- // +- InstallFirmwarePerformanceDataTable (); +- } + } else if (Data != NULL && CompareGuid (&Data->Type, &gEdkiiFpdtExtendedFirmwarePerformanceGuid)) { + // + // Get the Boot performance table and then install it to ACPI table. + // + CopyMem (&mReceivedAcpiBootPerformanceTable, Data + 1, Data->Size); ++ InstallFirmwarePerformanceDataTable (); + } else if (Data != NULL && CompareGuid (&Data->Type, &gEfiFirmwarePerformanceGuid)) { + DEBUG ((DEBUG_ERROR, "FpdtStatusCodeListenerDxe: Performance data reported through gEfiFirmwarePerformanceGuid will not be collected by FirmwarePerformanceDataTableDxe\n")); + Status = EFI_UNSUPPORTED; +@@ -526,6 +550,32 @@ FpdtStatusCodeListenerDxe ( + return Status; + } + ++/** ++ Notify function for event EndOfDxe. ++ ++ This is used to install ACPI Firmware Performance Data Table for basic boot records. ++ ++ @param[in] Event The Event that is being processed. ++ @param[in] Context The Event Context. ++ ++**/ ++VOID ++EFIAPI ++FpdtEndOfDxeEventNotify ( ++ IN EFI_EVENT Event, ++ IN VOID *Context ++ ) ++{ ++ // ++ // When performance is enabled, the FPDT will be installed when DxeCorePerformanceLib report the data to FimwarePerformanceDxe. ++ // This is used to install the FPDT for the basic boot recods when performance infrastructure is not enabled. ++ // ++ if ((PcdGet8(PcdPerformanceLibraryPropertyMask) & PERFORMANCE_LIBRARY_PROPERTY_MEASUREMENT_ENABLED) != 0) { ++ return; ++ } ++ ASSERT (mReceivedAcpiBootPerformanceTable == NULL); ++ InstallFirmwarePerformanceDataTable (); ++} + + /** + Notify function for event EVT_SIGNAL_EXIT_BOOT_SERVICES. This is used to record +@@ -596,6 +646,7 @@ FirmwarePerformanceDxeEntryPoint ( + FIRMWARE_SEC_PERFORMANCE *Performance; + VOID *Registration; + UINT64 OemTableId; ++ EFI_EVENT EndOfDxeEvent; + + CopyMem ( + mFirmwarePerformanceTableTemplate.Header.OemId, +@@ -620,6 +671,19 @@ FirmwarePerformanceDxeEntryPoint ( + Status = mRscHandlerProtocol->Register (FpdtStatusCodeListenerDxe, TPL_HIGH_LEVEL); + ASSERT_EFI_ERROR (Status); + ++ // ++ // Register the notify function to install FPDT at EndOfDxe. ++ // ++ Status = gBS->CreateEventEx ( ++ EVT_NOTIFY_SIGNAL, ++ TPL_NOTIFY, ++ FpdtEndOfDxeEventNotify, ++ NULL, ++ &gEfiEndOfDxeEventGroupGuid, ++ &EndOfDxeEvent ++ ); ++ ASSERT_EFI_ERROR (Status); ++ + // + // Register the notify function to update FPDT on ExitBootServices Event. + // +diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf +index 1debb0193e..0411a22e66 100644 +--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf ++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableDxe/FirmwarePerformanceDxe.inf +@@ -5,7 +5,7 @@ + # for Firmware Basic Boot Performance Record and other boot performance records, + # and install FPDT to ACPI table. + # +-# Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
++# Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
+ # SPDX-License-Identifier: BSD-2-Clause-Patent + # + ## +@@ -46,12 +46,14 @@ + HobLib + LockBoxLib + UefiLib ++ VariablePolicyHelperLib + + [Protocols] + gEfiAcpiTableProtocolGuid ## CONSUMES + gEfiRscHandlerProtocolGuid ## CONSUMES + gEfiVariableArchProtocolGuid ## CONSUMES + gEfiLockBoxProtocolGuid ## CONSUMES ++ gEdkiiVariablePolicyProtocolGuid ## CONSUMES + + [Guids] + gEfiEventExitBootServicesGuid ## CONSUMES ## Event +@@ -63,6 +65,7 @@ + gEfiFirmwarePerformanceGuid + gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_CONSUMES ## UNDEFINED # StatusCode Data + gFirmwarePerformanceS3PointerGuid ## PRODUCES ## UNDEFINED # SaveLockBox ++ gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event + + [Pcd] + gEfiMdeModulePkgTokenSpaceGuid.PcdProgressCodeOsLoaderLoad ## CONSUMES +@@ -72,6 +75,7 @@ + gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemRevision ## CONSUMES + gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorId ## CONSUMES + gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorRevision ## CONSUMES ++ gEfiMdePkgTokenSpaceGuid.PcdPerformanceLibraryPropertyMask ## CONSUMES + + [FeaturePcd] + gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwarePerformanceDataTableS3Support ## CONSUMES +diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c +index d6c6e7693e..dbd9fe1842 100644 +--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c ++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.c +@@ -11,7 +11,7 @@ + + FpdtSmiHandler() will receive untrusted input and do basic validation. + +- Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
++ Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ +@@ -29,21 +29,12 @@ + #include + #include + #include +-#include + #include +-#include + #include + +-SMM_BOOT_PERFORMANCE_TABLE *mSmmBootPerformanceTable = NULL; +- + EFI_SMM_RSC_HANDLER_PROTOCOL *mRscHandlerProtocol = NULL; + UINT64 mSuspendStartTime = 0; + BOOLEAN mS3SuspendLockBoxSaved = FALSE; +-UINT32 mBootRecordSize = 0; +-UINT8 *mBootRecordBuffer = NULL; +- +-SPIN_LOCK mSmmFpdtLock; +-BOOLEAN mSmramIsOutOfResource = FALSE; + + /** + Report status code listener for SMM. This is used to record the performance +@@ -85,21 +76,6 @@ FpdtStatusCodeListenerSmm ( + return EFI_UNSUPPORTED; + } + +- // +- // Collect one or more Boot records in boot time +- // +- if (Data != NULL && CompareGuid (&Data->Type, &gEdkiiFpdtExtendedFirmwarePerformanceGuid)) { +- AcquireSpinLock (&mSmmFpdtLock); +- // +- // Get the boot performance data. +- // +- CopyMem (&mSmmBootPerformanceTable, Data + 1, Data->Size); +- mBootRecordBuffer = ((UINT8 *) (mSmmBootPerformanceTable)) + sizeof (SMM_BOOT_PERFORMANCE_TABLE); +- +- ReleaseSpinLock (&mSmmFpdtLock); +- return EFI_SUCCESS; +- } +- + if (Data != NULL && CompareGuid (&Data->Type, &gEfiFirmwarePerformanceGuid)) { + DEBUG ((DEBUG_ERROR, "FpdtStatusCodeListenerSmm: Performance data reported through gEfiFirmwarePerformanceGuid will not be collected by FirmwarePerformanceDataTableSmm\n")); + return EFI_UNSUPPORTED; +@@ -154,118 +130,6 @@ FpdtStatusCodeListenerSmm ( + return EFI_SUCCESS; + } + +-/** +- Communication service SMI Handler entry. +- +- This SMI handler provides services for report SMM boot records. +- +- Caution: This function may receive untrusted input. +- Communicate buffer and buffer size are external input, so this function will do basic validation. +- +- @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister(). +- @param[in] RegisterContext Points to an optional handler context which was specified when the +- handler was registered. +- @param[in, out] CommBuffer A pointer to a collection of data in memory that will +- be conveyed from a non-SMM environment into an SMM environment. +- @param[in, out] CommBufferSize The size of the CommBuffer. +- +- @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers +- should still be called. +- @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should +- still be called. +- @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still +- be called. +- @retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced. +- +-**/ +-EFI_STATUS +-EFIAPI +-FpdtSmiHandler ( +- IN EFI_HANDLE DispatchHandle, +- IN CONST VOID *RegisterContext, +- IN OUT VOID *CommBuffer, +- IN OUT UINTN *CommBufferSize +- ) +-{ +- EFI_STATUS Status; +- SMM_BOOT_RECORD_COMMUNICATE *SmmCommData; +- UINTN BootRecordOffset; +- UINTN BootRecordSize; +- VOID *BootRecordData; +- UINTN TempCommBufferSize; +- +- // +- // If input is invalid, stop processing this SMI +- // +- if (CommBuffer == NULL || CommBufferSize == NULL) { +- return EFI_SUCCESS; +- } +- +- TempCommBufferSize = *CommBufferSize; +- +- if(TempCommBufferSize < sizeof (SMM_BOOT_RECORD_COMMUNICATE)) { +- return EFI_SUCCESS; +- } +- +- if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) { +- DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM communication data buffer in SMRAM or overflow!\n")); +- return EFI_SUCCESS; +- } +- +- SmmCommData = (SMM_BOOT_RECORD_COMMUNICATE*)CommBuffer; +- +- Status = EFI_SUCCESS; +- +- switch (SmmCommData->Function) { +- case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_SIZE : +- if (mSmmBootPerformanceTable != NULL) { +- mBootRecordSize = mSmmBootPerformanceTable->Header.Length - sizeof (SMM_BOOT_PERFORMANCE_TABLE); +- } +- SmmCommData->BootRecordSize = mBootRecordSize; +- break; +- +- case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA : +- Status = EFI_UNSUPPORTED; +- break; +- +- case SMM_FPDT_FUNCTION_GET_BOOT_RECORD_DATA_BY_OFFSET : +- BootRecordOffset = SmmCommData->BootRecordOffset; +- BootRecordData = SmmCommData->BootRecordData; +- BootRecordSize = SmmCommData->BootRecordSize; +- if (BootRecordData == NULL || BootRecordOffset >= mBootRecordSize) { +- Status = EFI_INVALID_PARAMETER; +- break; +- } +- +- // +- // Sanity check +- // +- if (BootRecordSize > mBootRecordSize - BootRecordOffset) { +- BootRecordSize = mBootRecordSize - BootRecordOffset; +- } +- SmmCommData->BootRecordSize = BootRecordSize; +- if (!SmmIsBufferOutsideSmmValid ((UINTN)BootRecordData, BootRecordSize)) { +- DEBUG ((EFI_D_ERROR, "FpdtSmiHandler: SMM Data buffer in SMRAM or overflow!\n")); +- Status = EFI_ACCESS_DENIED; +- break; +- } +- +- CopyMem ( +- (UINT8*)BootRecordData, +- mBootRecordBuffer + BootRecordOffset, +- BootRecordSize +- ); +- break; +- +- default: +- Status = EFI_UNSUPPORTED; +- } +- +- SmmCommData->ReturnStatus = Status; +- +- return EFI_SUCCESS; +-} +- + /** + The module Entry Point of the Firmware Performance Data Table SMM driver. + +@@ -284,12 +148,6 @@ FirmwarePerformanceSmmEntryPoint ( + ) + { + EFI_STATUS Status; +- EFI_HANDLE Handle; +- +- // +- // Initialize spin lock +- // +- InitializeSpinLock (&mSmmFpdtLock); + + // + // Get SMM Report Status Code Handler Protocol. +@@ -307,12 +165,5 @@ FirmwarePerformanceSmmEntryPoint ( + Status = mRscHandlerProtocol->Register (FpdtStatusCodeListenerSmm); + ASSERT_EFI_ERROR (Status); + +- // +- // Register SMI handler. +- // +- Handle = NULL; +- Status = gSmst->SmiHandlerRegister (FpdtSmiHandler, &gEfiFirmwarePerformanceGuid, &Handle); +- ASSERT_EFI_ERROR (Status); +- + return Status; + } +diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf +index 618cbd56ca..6be57553f0 100644 +--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf ++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTableSmm/FirmwarePerformanceSmm.inf +@@ -4,7 +4,7 @@ + # This module registers report status code listener to collect performance data + # for SMM boot performance records and S3 Suspend Performance Record. + # +-# Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
++# Copyright (c) 2011 - 2021, Intel Corporation. All rights reserved.
+ # SPDX-License-Identifier: BSD-2-Clause-Patent + # + ## +@@ -51,10 +51,8 @@ + + [Guids] + ## SOMETIMES_PRODUCES ## UNDEFINED # SaveLockBox +- ## PRODUCES ## UNDEFINED # SmiHandlerRegister + ## SOMETIMES_CONSUMES ## UNDEFINED # StatusCode Data + gEfiFirmwarePerformanceGuid +- gEdkiiFpdtExtendedFirmwarePerformanceGuid ## SOMETIMES_PRODUCES ## UNDEFINED # StatusCode Data + + [Pcd] + gEfiMdeModulePkgTokenSpaceGuid.PcdProgressCodeS3SuspendStart ## CONSUMES +-- +2.27.0 + diff --git a/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch b/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch new file mode 100644 index 0000000..0fce38a --- /dev/null +++ b/0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch @@ -0,0 +1,378 @@ +From 6642e762e1cedae30a08e28c456de2372bda7766 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:20:57 +0800 +Subject: [PATCH 1/8] SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c + from edk2-platforms + +Import PeiDxeTpmPlatformHierarchyLib from edk2-platforms without any +modifications. + +Signed-off-by: Stefan Berger +--- + .../Include/Library/TpmPlatformHierarchyLib.h | 27 ++ + .../PeiDxeTpmPlatformHierarchyLib.c | 266 ++++++++++++++++++ + .../PeiDxeTpmPlatformHierarchyLib.inf | 45 +++ + 3 files changed, 338 insertions(+) + create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h + create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c + create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf + +diff --git a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h +new file mode 100644 +index 0000000000..a872fa09dc +--- /dev/null ++++ b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h +@@ -0,0 +1,27 @@ ++/** @file ++ TPM Platform Hierarchy configuration library. ++ ++ This library provides functions for customizing the TPM's Platform Hierarchy ++ Authorization Value (platformAuth) and Platform Hierarchy Authorization ++ Policy (platformPolicy) can be defined through this function. ++ ++Copyright (c) 2019, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation.
++SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_ ++#define _TPM_PLATFORM_HIERARCHY_LIB_H_ ++ ++/** ++ This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event. ++ ++**/ ++VOID ++EFIAPI ++ConfigureTpmPlatformHierarchy ( ++ VOID ++ ); ++ ++#endif +diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +new file mode 100644 +index 0000000000..9812ab99ab +--- /dev/null ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +@@ -0,0 +1,266 @@ ++/** @file ++ TPM Platform Hierarchy configuration library. ++ ++ This library provides functions for customizing the TPM's Platform Hierarchy ++ Authorization Value (platformAuth) and Platform Hierarchy Authorization ++ Policy (platformPolicy) can be defined through this function. ++ ++ Copyright (c) 2019, Intel Corporation. All rights reserved.
++ Copyright (c) Microsoft Corporation.
++ SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++ @par Specification Reference: ++ https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/ ++**/ ++ ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++// ++// The authorization value may be no larger than the digest produced by the hash ++// algorithm used for context integrity. ++// ++#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE ++ ++UINT16 mAuthSize; ++ ++/** ++ Generate high-quality entropy source through RDRAND. ++ ++ @param[in] Length Size of the buffer, in bytes, to fill with. ++ @param[out] Entropy Pointer to the buffer to store the entropy data. ++ ++ @retval EFI_SUCCESS Entropy generation succeeded. ++ @retval EFI_NOT_READY Failed to request random data. ++ ++**/ ++EFI_STATUS ++EFIAPI ++RdRandGenerateEntropy ( ++ IN UINTN Length, ++ OUT UINT8 *Entropy ++ ) ++{ ++ EFI_STATUS Status; ++ UINTN BlockCount; ++ UINT64 Seed[2]; ++ UINT8 *Ptr; ++ ++ Status = EFI_NOT_READY; ++ BlockCount = Length / 64; ++ Ptr = (UINT8 *)Entropy; ++ ++ // ++ // Generate high-quality seed for DRBG Entropy ++ // ++ while (BlockCount > 0) { ++ Status = GetRandomNumber128 (Seed); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ CopyMem (Ptr, Seed, 64); ++ ++ BlockCount--; ++ Ptr = Ptr + 64; ++ } ++ ++ // ++ // Populate the remained data as request. ++ // ++ Status = GetRandomNumber128 (Seed); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ CopyMem (Ptr, Seed, (Length % 64)); ++ ++ return Status; ++} ++ ++/** ++ This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value ++ and limits an authValue to being no larger than the largest digest produced by a TPM. ++ ++ @param[out] AuthSize Tpm2 Auth size ++ ++ @retval EFI_SUCCESS Auth size returned. ++ @retval EFI_DEVICE_ERROR Can not return platform auth due to device error. ++ ++**/ ++EFI_STATUS ++EFIAPI ++GetAuthSize ( ++ OUT UINT16 *AuthSize ++ ) ++{ ++ EFI_STATUS Status; ++ TPML_PCR_SELECTION Pcrs; ++ UINTN Index; ++ UINT16 DigestSize; ++ ++ Status = EFI_SUCCESS; ++ ++ while (mAuthSize == 0) { ++ ++ mAuthSize = SHA1_DIGEST_SIZE; ++ ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION)); ++ Status = Tpm2GetCapabilityPcrs (&Pcrs); ++ ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); ++ break; ++ } ++ ++ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count)); ++ ++ for (Index = 0; Index < Pcrs.count; Index++) { ++ DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash)); ++ ++ switch (Pcrs.pcrSelections[Index].hash) { ++ case TPM_ALG_SHA1: ++ DigestSize = SHA1_DIGEST_SIZE; ++ break; ++ case TPM_ALG_SHA256: ++ DigestSize = SHA256_DIGEST_SIZE; ++ break; ++ case TPM_ALG_SHA384: ++ DigestSize = SHA384_DIGEST_SIZE; ++ break; ++ case TPM_ALG_SHA512: ++ DigestSize = SHA512_DIGEST_SIZE; ++ break; ++ case TPM_ALG_SM3_256: ++ DigestSize = SM3_256_DIGEST_SIZE; ++ break; ++ default: ++ DigestSize = SHA1_DIGEST_SIZE; ++ break; ++ } ++ ++ if (DigestSize > mAuthSize) { ++ mAuthSize = DigestSize; ++ } ++ } ++ break; ++ } ++ ++ *AuthSize = mAuthSize; ++ return Status; ++} ++ ++/** ++ Set PlatformAuth to random value. ++**/ ++VOID ++RandomizePlatformAuth ( ++ VOID ++ ) ++{ ++ EFI_STATUS Status; ++ UINT16 AuthSize; ++ UINT8 *Rand; ++ UINTN RandSize; ++ TPM2B_AUTH NewPlatformAuth; ++ ++ // ++ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null ++ // ++ ++ GetAuthSize (&AuthSize); ++ ++ ZeroMem (NewPlatformAuth.buffer, AuthSize); ++ NewPlatformAuth.size = AuthSize; ++ ++ // ++ // Allocate one buffer to store random data. ++ // ++ RandSize = MAX_NEW_AUTHORIZATION_SIZE; ++ Rand = AllocatePool (RandSize); ++ ++ RdRandGenerateEntropy (RandSize, Rand); ++ CopyMem (NewPlatformAuth.buffer, Rand, AuthSize); ++ ++ FreePool (Rand); ++ ++ // ++ // Send Tpm2HierarchyChangeAuth command with the new Auth value ++ // ++ Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth); ++ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)); ++ ZeroMem (NewPlatformAuth.buffer, AuthSize); ++ ZeroMem (Rand, RandSize); ++} ++ ++/** ++ Disable the TPM platform hierarchy. ++ ++ @retval EFI_SUCCESS The TPM was disabled successfully. ++ @retval Others An error occurred attempting to disable the TPM platform hierarchy. ++ ++**/ ++EFI_STATUS ++DisableTpmPlatformHierarchy ( ++ VOID ++ ) ++{ ++ EFI_STATUS Status; ++ ++ // Make sure that we have use of the TPM. ++ Status = Tpm2RequestUseTpm (); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); ++ ASSERT_EFI_ERROR (Status); ++ return Status; ++ } ++ ++ // Let's do what we can to shut down the hierarchies. ++ ++ // Disable the PH NV. ++ // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM parts have ++ // been known to store the EK cert in the PH NV. If we disable it, the ++ // EK cert will be unreadable. ++ ++ // Disable the PH. ++ Status = Tpm2HierarchyControl ( ++ TPM_RH_PLATFORM, // AuthHandle ++ NULL, // AuthSession ++ TPM_RH_PLATFORM, // Hierarchy ++ NO // State ++ ); ++ DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH = %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); ++ ASSERT_EFI_ERROR (Status); ++ } ++ ++ return Status; ++} ++ ++/** ++ This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth) ++ and Platform Hierarchy Authorization Policy (platformPolicy) ++ ++**/ ++VOID ++EFIAPI ++ConfigureTpmPlatformHierarchy ( ++ ) ++{ ++ if (PcdGetBool (PcdRandomizePlatformHierarchy)) { ++ // ++ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null ++ // ++ RandomizePlatformAuth (); ++ } else { ++ // ++ // Disable the hierarchy entirely (do not randomize it) ++ // ++ DisableTpmPlatformHierarchy (); ++ } ++} +diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +new file mode 100644 +index 0000000000..b7a7fb0a08 +--- /dev/null ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +@@ -0,0 +1,45 @@ ++### @file ++# ++# TPM Platform Hierarchy configuration library. ++# ++# This library provides functions for customizing the TPM's Platform Hierarchy ++# Authorization Value (platformAuth) and Platform Hierarchy Authorization ++# Policy (platformPolicy) can be defined through this function. ++# ++# Copyright (c) 2019, Intel Corporation. All rights reserved.
++# Copyright (c) Microsoft Corporation.
++# ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++# ++### ++ ++[Defines] ++ INF_VERSION = 0x00010005 ++ BASE_NAME = PeiDxeTpmPlatformHierarchyLib ++ FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73 ++ MODULE_TYPE = PEIM ++ VERSION_STRING = 1.0 ++ LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER ++ ++[LibraryClasses] ++ BaseLib ++ BaseMemoryLib ++ DebugLib ++ MemoryAllocationLib ++ PcdLib ++ RngLib ++ Tpm2CommandLib ++ Tpm2DeviceLib ++ ++[Packages] ++ MdePkg/MdePkg.dec ++ MdeModulePkg/MdeModulePkg.dec ++ SecurityPkg/SecurityPkg.dec ++ CryptoPkg/CryptoPkg.dec ++ MinPlatformPkg/MinPlatformPkg.dec ++ ++[Sources] ++ PeiDxeTpmPlatformHierarchyLib.c ++ ++[Pcd] ++ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy +-- +2.27.0 + diff --git a/0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch b/0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch new file mode 100644 index 0000000..e250097 --- /dev/null +++ b/0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch @@ -0,0 +1,121 @@ +From da8e34ff10bff3bff14c0bc5ee1f2e3f3d72428f Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:20:58 +0800 +Subject: [PATCH 2/8] SecurityPkg/TPM: Fix bugs in imported + PeiDxeTpmPlatformHierarchyLib + +Fix some bugs in the original PeiDxeTpmPlatformHierarchyLib.c. + +Signed-off-by: Stefan Berger +Reviewed-by: Jiewen Yao +--- + .../PeiDxeTpmPlatformHierarchyLib.c | 23 +++++-------------- + .../PeiDxeTpmPlatformHierarchyLib.inf | 5 ++-- + 2 files changed, 8 insertions(+), 20 deletions(-) + +diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +index 9812ab99ab..d82a0ae1bd 100644 +--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +@@ -18,7 +18,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -27,7 +26,6 @@ + // The authorization value may be no larger than the digest produced by the hash + // algorithm used for context integrity. + // +-#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE + + UINT16 mAuthSize; + +@@ -54,7 +52,7 @@ RdRandGenerateEntropy ( + UINT8 *Ptr; + + Status = EFI_NOT_READY; +- BlockCount = Length / 64; ++ BlockCount = Length / sizeof(Seed); + Ptr = (UINT8 *)Entropy; + + // +@@ -65,10 +63,10 @@ RdRandGenerateEntropy ( + if (EFI_ERROR (Status)) { + return Status; + } +- CopyMem (Ptr, Seed, 64); ++ CopyMem (Ptr, Seed, sizeof(Seed)); + + BlockCount--; +- Ptr = Ptr + 64; ++ Ptr = Ptr + sizeof(Seed); + } + + // +@@ -78,7 +76,7 @@ RdRandGenerateEntropy ( + if (EFI_ERROR (Status)) { + return Status; + } +- CopyMem (Ptr, Seed, (Length % 64)); ++ CopyMem (Ptr, Seed, (Length % sizeof(Seed))); + + return Status; + } +@@ -164,8 +162,6 @@ RandomizePlatformAuth ( + { + EFI_STATUS Status; + UINT16 AuthSize; +- UINT8 *Rand; +- UINTN RandSize; + TPM2B_AUTH NewPlatformAuth; + + // +@@ -174,19 +170,13 @@ RandomizePlatformAuth ( + + GetAuthSize (&AuthSize); + +- ZeroMem (NewPlatformAuth.buffer, AuthSize); + NewPlatformAuth.size = AuthSize; + + // +- // Allocate one buffer to store random data. ++ // Create the random bytes in the destination buffer + // +- RandSize = MAX_NEW_AUTHORIZATION_SIZE; +- Rand = AllocatePool (RandSize); +- +- RdRandGenerateEntropy (RandSize, Rand); +- CopyMem (NewPlatformAuth.buffer, Rand, AuthSize); + +- FreePool (Rand); ++ RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer); + + // + // Send Tpm2HierarchyChangeAuth command with the new Auth value +@@ -194,7 +184,6 @@ RandomizePlatformAuth ( + Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth); + DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)); + ZeroMem (NewPlatformAuth.buffer, AuthSize); +- ZeroMem (Rand, RandSize); + } + + /** +diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +index b7a7fb0a08..7bf666794f 100644 +--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +@@ -1,6 +1,5 @@ +-### @file +-# +-# TPM Platform Hierarchy configuration library. ++## @file ++# TPM Platform Hierarchy configuration library. + # + # This library provides functions for customizing the TPM's Platform Hierarchy + # Authorization Value (platformAuth) and Platform Hierarchy Authorization +-- +2.27.0 + diff --git a/0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch b/0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch new file mode 100644 index 0000000..480ab1d --- /dev/null +++ b/0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch @@ -0,0 +1,161 @@ +From 4f998a6c11ca05dc19bafe54ecd43ed74bd2cb3c Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:20:59 +0800 +Subject: [PATCH 3/8] SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from + edk2-platforms + +Import Tcg2PlatformDxe from edk2-platforms without any modifications. + +Signed-off-by: Stefan Berger +Reviewed-by: Jiewen Yao +--- + .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 85 +++++++++++++++++++ + .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 44 ++++++++++ + 2 files changed, 129 insertions(+) + create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c + create mode 100644 SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf + +diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c +new file mode 100644 +index 0000000000..150cf748ff +--- /dev/null ++++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c +@@ -0,0 +1,85 @@ ++/** @file ++ Platform specific TPM2 component for configuring the Platform Hierarchy. ++ ++ Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.
++ SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#include ++ ++#include ++#include ++#include ++#include ++#include ++ ++/** ++ This callback function will run at the SmmReadyToLock event. ++ ++ Configuration of the TPM's Platform Hierarchy Authorization Value (platformAuth) ++ and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function. ++ ++ @param Event Pointer to this event ++ @param Context Event hanlder private data ++ **/ ++VOID ++EFIAPI ++SmmReadyToLockEventCallBack ( ++ IN EFI_EVENT Event, ++ IN VOID *Context ++ ) ++{ ++ EFI_STATUS Status; ++ VOID *Interface; ++ ++ // ++ // Try to locate it because EfiCreateProtocolNotifyEvent will trigger it once when registration. ++ // Just return if it is not found. ++ // ++ Status = gBS->LocateProtocol ( ++ &gEfiDxeSmmReadyToLockProtocolGuid, ++ NULL, ++ &Interface ++ ); ++ if (EFI_ERROR (Status)) { ++ return ; ++ } ++ ++ ConfigureTpmPlatformHierarchy (); ++ ++ gBS->CloseEvent (Event); ++} ++ ++/** ++ The driver's entry point. Will register a function for callback during SmmReadyToLock event to ++ configure the TPM's platform authorization. ++ ++ @param[in] ImageHandle The firmware allocated handle for the EFI image. ++ @param[in] SystemTable A pointer to the EFI System Table. ++ ++ @retval EFI_SUCCESS The entry point is executed successfully. ++ @retval other Some error occurs when executing this entry point. ++**/ ++EFI_STATUS ++EFIAPI ++Tcg2PlatformDxeEntryPoint ( ++ IN EFI_HANDLE ImageHandle, ++ IN EFI_SYSTEM_TABLE *SystemTable ++ ) ++{ ++ VOID *Registration; ++ EFI_EVENT Event; ++ ++ Event = EfiCreateProtocolNotifyEvent ( ++ &gEfiDxeSmmReadyToLockProtocolGuid, ++ TPL_CALLBACK, ++ SmmReadyToLockEventCallBack, ++ NULL, ++ &Registration ++ ); ++ ++ ASSERT (Event != NULL); ++ ++ return EFI_SUCCESS; ++} +diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +new file mode 100644 +index 0000000000..af29c1cd98 +--- /dev/null ++++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +@@ -0,0 +1,44 @@ ++### @file ++# Platform specific TPM2 component. ++# ++# Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.
++# ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++# ++### ++ ++[Defines] ++ INF_VERSION = 0x00010017 ++ BASE_NAME = Tcg2PlatformDxe ++ FILE_GUID = 5CAB08D5-AD8F-4d8b-B828-D17A8D9FE977 ++ VERSION_STRING = 1.0 ++ MODULE_TYPE = DXE_DRIVER ++ ENTRY_POINT = Tcg2PlatformDxeEntryPoint ++# ++# The following information is for reference only and not required by the build tools. ++# ++# VALID_ARCHITECTURES = IA32 X64 IPF ++# ++ ++[LibraryClasses] ++ BaseLib ++ UefiBootServicesTableLib ++ UefiDriverEntryPoint ++ DebugLib ++ UefiLib ++ TpmPlatformHierarchyLib ++ ++[Packages] ++ MdePkg/MdePkg.dec ++ MdeModulePkg/MdeModulePkg.dec ++ MinPlatformPkg/MinPlatformPkg.dec ++ SecurityPkg/SecurityPkg.dec ++ ++[Sources] ++ Tcg2PlatformDxe.c ++ ++[Protocols] ++ gEfiDxeSmmReadyToLockProtocolGuid ## SOMETIMES_CONSUMES ## NOTIFY ++ ++[Depex] ++ gEfiTcg2ProtocolGuid +-- +2.27.0 + diff --git a/0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch b/0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch new file mode 100644 index 0000000..b6bcac8 --- /dev/null +++ b/0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch @@ -0,0 +1,63 @@ +From edaa95dc147509a6c84225d70476c7dd9179cb57 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:21:00 +0800 +Subject: [PATCH 4/8] SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable and fix + style issues + +Signed-off-by: Stefan Berger +Reviewed-by: Jiewen Yao +--- + SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h | 4 ++-- + .../PeiDxeTpmPlatformHierarchyLib.c | 2 +- + SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 3 +-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h +index a872fa09dc..8d61a4867b 100644 +--- a/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h ++++ b/SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h +@@ -11,8 +11,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + + **/ + +-#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_ +-#define _TPM_PLATFORM_HIERARCHY_LIB_H_ ++#ifndef TPM_PLATFORM_HIERARCHY_LIB_H_ ++#define TPM_PLATFORM_HIERARCHY_LIB_H_ + + /** + This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event. +diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +index d82a0ae1bd..0bb04a20fc 100644 +--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c +@@ -233,7 +233,7 @@ DisableTpmPlatformHierarchy ( + + /** + This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth) +- and Platform Hierarchy Authorization Policy (platformPolicy) ++ and Platform Hierarchy Authorization Policy (platformPolicy). + + **/ + VOID +diff --git a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +index af29c1cd98..635302fe6f 100644 +--- a/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf ++++ b/SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +@@ -1,4 +1,4 @@ +-### @file ++## @file + # Platform specific TPM2 component. + # + # Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.
+@@ -31,7 +31,6 @@ + [Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec +- MinPlatformPkg/MinPlatformPkg.dec + SecurityPkg/SecurityPkg.dec + + [Sources] +-- +2.27.0 + diff --git a/0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch b/0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch new file mode 100644 index 0000000..6b096da --- /dev/null +++ b/0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch @@ -0,0 +1,53 @@ +From 0282acbc3dee92ee04f1a212ca3f4c77e8b97207 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:21:01 +0800 +Subject: [PATCH 5/8] SecurityPkg: Introduce new PCD + PcdRandomizePlatformHierarchy + +Introduce the new PCD +gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy. +We need it for TpmPlatformHierarchyLib. + +Signed-off-by: Stefan Berger +Reviewed-by: Jiewen Yao +--- + .../PeiDxeTpmPlatformHierarchyLib.inf | 3 +-- + SecurityPkg/SecurityPkg.dec | 6 ++++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +index 7bf666794f..efe560e7ff 100644 +--- a/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf ++++ b/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf +@@ -35,10 +35,9 @@ + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec +- MinPlatformPkg/MinPlatformPkg.dec + + [Sources] + PeiDxeTpmPlatformHierarchyLib.c + + [Pcd] +- gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy ++ gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy +diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec +index 5335cc5397..276ea6e2dd 100644 +--- a/SecurityPkg/SecurityPkg.dec ++++ b/SecurityPkg/SecurityPkg.dec +@@ -291,6 +291,12 @@ + # @Prompt Physical presence of the platform operator. + gEfiSecurityPkgTokenSpaceGuid.PcdTpmPhysicalPresence|TRUE|BOOLEAN|0x00010001 + ++ ## Indicates whether the TPM2 platform hierarchy will be disabled by using ++ # a random password or by disabling the hierarchy ++ # TRUE - A random password will be used ++ # FALSE - The hierarchy will be disabled ++ gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy|TRUE|BOOLEAN|0x00010024 ++ + [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] + ## Indicates whether TPM physical presence is locked during platform initialization. + # Once it is locked, it can not be unlocked for TPM life time.

+-- +2.27.0 + diff --git a/0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch b/0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch new file mode 100644 index 0000000..38acd0e --- /dev/null +++ b/0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch @@ -0,0 +1,191 @@ +From ede5db34ee1e35c16cf016b974046b1c499c19a6 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:21:03 +0800 +Subject: [PATCH 6/8] SecurityPkg/Tcg: Import Tcg2PlatformPei from + edk2-platforms + +Import Tcg2PlatformPei from edk2-platforms without any modifications. + +Signed-off-by: Stefan Berger +Reviewed-by: Jiewen Yao +--- + .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 107 ++++++++++++++++++ + .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 52 +++++++++ + 2 files changed, 159 insertions(+) + create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c + create mode 100644 SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf + +diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c +new file mode 100644 +index 0000000000..66ec75ad0e +--- /dev/null ++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c +@@ -0,0 +1,107 @@ ++/** @file ++ ++Copyright (c) 2017, Intel Corporation. All rights reserved.
++Copyright (c) Microsoft Corporation.
++SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE ++ ++/** ++ This function handles PlatformInit task at the end of PEI ++ ++ @param[in] PeiServices Pointer to PEI Services Table. ++ @param[in] NotifyDesc Pointer to the descriptor for the Notification event that ++ caused this function to execute. ++ @param[in] Ppi Pointer to the PPI data associated with this function. ++ ++ @retval EFI_SUCCESS The function completes successfully ++ @retval others ++**/ ++EFI_STATUS ++EFIAPI ++PlatformInitEndOfPei ( ++ IN CONST EFI_PEI_SERVICES **PeiServices, ++ IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor, ++ IN VOID *Ppi ++ ) ++{ ++ VOID *TcgEventLog; ++ ++ // ++ // Try to get TcgEventLog in S3 to see if S3 error is reported. ++ // ++ TcgEventLog = GetFirstGuidHob(&gTcgEventEntryHobGuid); ++ if (TcgEventLog == NULL) { ++ TcgEventLog = GetFirstGuidHob(&gTcgEvent2EntryHobGuid); ++ } ++ ++ if (TcgEventLog == NULL) { ++ // ++ // no S3 error reported ++ // ++ return EFI_SUCCESS; ++ } ++ ++ // ++ // If there is S3 error on TPM_SU_STATE and success on TPM_SU_CLEAR, ++ // configure the TPM Platform Hierarchy. ++ // ++ ConfigureTpmPlatformHierarchy (); ++ ++ return EFI_SUCCESS; ++} ++ ++static EFI_PEI_NOTIFY_DESCRIPTOR mEndOfPeiNotifyList = { ++ (EFI_PEI_PPI_DESCRIPTOR_NOTIFY_CALLBACK | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST), ++ &gEfiEndOfPeiSignalPpiGuid, ++ (EFI_PEIM_NOTIFY_ENTRY_POINT)PlatformInitEndOfPei ++}; ++ ++/** ++ Main entry ++ ++ @param[in] FileHandle Handle of the file being invoked. ++ @param[in] PeiServices Pointer to PEI Services table. ++ ++ @retval EFI_SUCCESS Install function successfully. ++ ++**/ ++EFI_STATUS ++EFIAPI ++Tcg2PlatformPeiEntryPoint ( ++ IN EFI_PEI_FILE_HANDLE FileHandle, ++ IN CONST EFI_PEI_SERVICES **PeiServices ++ ) ++{ ++ EFI_STATUS Status; ++ EFI_BOOT_MODE BootMode; ++ ++ Status = PeiServicesGetBootMode (&BootMode); ++ ASSERT_EFI_ERROR(Status); ++ ++ if (BootMode != BOOT_ON_S3_RESUME) { ++ return EFI_SUCCESS; ++ } ++ ++ // ++ // Performing PlatformInitEndOfPei after EndOfPei PPI produced ++ // ++ Status = PeiServicesNotifyPpi (&mEndOfPeiNotifyList); ++ ++ return Status; ++} +diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +new file mode 100644 +index 0000000000..579f09b940 +--- /dev/null ++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +@@ -0,0 +1,52 @@ ++### @file ++# ++# Copyright (c) 2017, Intel Corporation. All rights reserved.
++# ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++# ++### ++ ++[Defines] ++ INF_VERSION = 0x00010017 ++ BASE_NAME = Tcg2PlatformPei ++ FILE_GUID = 47727552-A54B-4A84-8CC1-BFF23E239636 ++ VERSION_STRING = 1.0 ++ MODULE_TYPE = PEIM ++ ENTRY_POINT = Tcg2PlatformPeiEntryPoint ++ ++# ++# The following information is for reference only and not required by the build tools. ++# ++# VALID_ARCHITECTURES = IA32 X64 IPF EBC ++# ++ ++[LibraryClasses] ++ PcdLib ++ BaseMemoryLib ++ MemoryAllocationLib ++ PeiServicesLib ++ PeimEntryPoint ++ DebugLib ++ Tpm2DeviceLib ++ Tpm2CommandLib ++ TpmPlatformHierarchyLib ++ RngLib ++ ++[Packages] ++ MdePkg/MdePkg.dec ++ SecurityPkg/SecurityPkg.dec ++ MinPlatformPkg/MinPlatformPkg.dec ++ ++[Sources] ++ Tcg2PlatformPei.c ++ ++[Guids] ++ gTcgEventEntryHobGuid ++ gTcgEvent2EntryHobGuid ++ ++[Ppis] ++ gEfiEndOfPeiSignalPpiGuid ++ ++[Depex] ++ gEfiTpmDeviceSelectedGuid ++ +-- +2.27.0 + diff --git a/0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch b/0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch new file mode 100644 index 0000000..3a51c88 --- /dev/null +++ b/0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch @@ -0,0 +1,63 @@ +From 5134d284aafd4816e265b5c551ee32d6eb43bbc8 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:21:04 +0800 +Subject: [PATCH 7/8] SecurityPkg/Tcg: Make Tcg2PlatformPei buildable and fix + style issues + +Signed-off-by: Stefan Berger +Reviewed-by: Jiewen Yao +--- + SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 11 ++++++----- + SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 4 ++-- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c +index 66ec75ad0e..21d2c1433d 100644 +--- a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c ++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c +@@ -1,4 +1,5 @@ + /** @file ++ Configure TPM 2 platform hierarchy on TPM state resume failure on S3 resume + + Copyright (c) 2017, Intel Corporation. All rights reserved.
+ Copyright (c) Microsoft Corporation.
+@@ -24,12 +25,12 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + /** + This function handles PlatformInit task at the end of PEI + +- @param[in] PeiServices Pointer to PEI Services Table. +- @param[in] NotifyDesc Pointer to the descriptor for the Notification event that +- caused this function to execute. +- @param[in] Ppi Pointer to the PPI data associated with this function. ++ @param[in] PeiServices Pointer to PEI Services Table. ++ @param[in] NotifyDescriptor Pointer to the descriptor for the Notification event that ++ caused this function to execute. ++ @param[in] Ppi Pointer to the PPI data associated with this function. + +- @retval EFI_SUCCESS The function completes successfully ++ @retval EFI_SUCCESS The function completes successfully + @retval others + **/ + EFI_STATUS +diff --git a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +index 579f09b940..6f57de025b 100644 +--- a/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf ++++ b/SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf +@@ -1,4 +1,5 @@ +-### @file ++## @file ++# Configure TPM 2 platform hierarchy on TPM state resume failure on S3 resume + # + # Copyright (c) 2017, Intel Corporation. All rights reserved.
+ # +@@ -35,7 +36,6 @@ + [Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec +- MinPlatformPkg/MinPlatformPkg.dec + + [Sources] + Tcg2PlatformPei.c +-- +2.27.0 + diff --git a/0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch b/0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch new file mode 100644 index 0000000..beb2c1f --- /dev/null +++ b/0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch @@ -0,0 +1,68 @@ +From e031b8396ba1ad059f7c1dc6e28e9fc4ca6aaae9 Mon Sep 17 00:00:00 2001 +From: Stefan Berger +Date: Mon, 13 Sep 2021 22:21:06 +0800 +Subject: [PATCH 8/8] SecurityPkg: Add references to header and inf files to + SecurityPkg + +Signed-off-by: Stefan Berger +Reviewed-by: Jiewen Yao +--- + SecurityPkg/SecurityPkg.dec | 4 ++++ + SecurityPkg/SecurityPkg.dsc | 12 ++++++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec +index 276ea6e2dd..beffd08772 100644 +--- a/SecurityPkg/SecurityPkg.dec ++++ b/SecurityPkg/SecurityPkg.dec +@@ -68,6 +68,10 @@ + # + Tcg2PhysicalPresenceLib|Include/Library/Tcg2PhysicalPresenceLib.h + ++ ## @libraryclass Handle TPM 2.0 platform hierarchy configuration ++ # ++ TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h ++ + ## @libraryclass Provides interfaces about TCG storage generic command. + # + TcgStorageCoreLib|Include/Library/TcgStorageCoreLib.h +diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc +index a2eeadda7a..8d5371295a 100644 +--- a/SecurityPkg/SecurityPkg.dsc ++++ b/SecurityPkg/SecurityPkg.dsc +@@ -211,6 +211,8 @@ + + SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf + ++ SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf ++ + # + # TCG Storage. + # +@@ -272,6 +274,11 @@ + NULL|SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf + } + ++ SecurityPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf { ++ ++ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf ++ } ++ + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { + + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf +@@ -288,6 +295,11 @@ + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf + } + ++ SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { ++ ++ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf ++ } ++ + # + # Hash2 + # +-- +2.27.0 + diff --git a/0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch b/0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch new file mode 100644 index 0000000..a4db4de --- /dev/null +++ b/0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch @@ -0,0 +1,50 @@ +From 85a19a714c4b4702edc59db0a3419f48fffe2b0a Mon Sep 17 00:00:00 2001 +From: Jinhua Cao +Date: Thu, 17 Feb 2022 17:38:41 +0800 +Subject: [PATCH] OvmfPkg: VirtioNetDxe: Extend the RxBufferSize to avoid data + truncation + +1822 net card needs at least 1536 bytes for DMA, even we never negotiate +VIRTIO_NET_F_MRG_RXBUF. The original max size of packet is 15144 which would +cause data trucation. Now we extend the RxBufSize to 9014(Jumbo Frame type) +so that we can avoid it. + +Signed-off-by: Jinhua Cao +--- + OvmfPkg/Include/IndustryStandard/Virtio095Net.h | 7 +++++++ + OvmfPkg/VirtioNetDxe/SnpInitialize.c | 3 ++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/OvmfPkg/Include/IndustryStandard/Virtio095Net.h b/OvmfPkg/Include/IndustryStandard/Virtio095Net.h +index 9c0ed5ed24..28f5cc0899 100644 +--- a/OvmfPkg/Include/IndustryStandard/Virtio095Net.h ++++ b/OvmfPkg/Include/IndustryStandard/Virtio095Net.h +@@ -88,4 +88,11 @@ typedef struct { + #define VIRTIO_NET_S_LINK_UP BIT0 + #define VIRTIO_NET_S_ANNOUNCE BIT1 + ++// ++// 1822 net card needs at least 1536 bytes for DMA, even we never negotiate ++// VIRTIO_NET_F_MRG_RXBUF. The original max size of packet is 15144 which would ++// cause data trucation. Now we extend the RxBufSize to 9014(Jumbo Frame type) ++// so that we can avoid it. ++#define VIRTIO_RXBUF_JUMBO_PADDING 7500 ++ + #endif // _VIRTIO_0_9_5_NET_H_ +diff --git a/OvmfPkg/VirtioNetDxe/SnpInitialize.c b/OvmfPkg/VirtioNetDxe/SnpInitialize.c +index bb3b552d68..6febfea3bb 100644 +--- a/OvmfPkg/VirtioNetDxe/SnpInitialize.c ++++ b/OvmfPkg/VirtioNetDxe/SnpInitialize.c +@@ -337,7 +337,8 @@ VirtioNetInitRx ( + // and Ethernet payload). + // + RxBufSize = VirtioNetReqSize + +- (Dev->Snm.MediaHeaderSize + Dev->Snm.MaxPacketSize); ++ (Dev->Snm.MediaHeaderSize + Dev->Snm.MaxPacketSize) + ++ VIRTIO_RXBUF_JUMBO_PADDING; + + // + // Limit the number of pending RX packets if the queue is big. The division +-- +2.27.0 + diff --git a/0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch b/0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch new file mode 100644 index 0000000..082e057 --- /dev/null +++ b/0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch @@ -0,0 +1,191 @@ +From f6ec1dd34fb6b9757b5ead465ee2ea20c182b0ac Mon Sep 17 00:00:00 2001 +From: Guomin Jiang +Date: Wed, 13 Jan 2021 18:08:09 +0800 +Subject: [PATCH] UefiCpuPkg: Move MigrateGdt from DiscoverMemory to + TempRamDone. (CVE-2019-11098) + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1614 +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3160 + +The GDT still in flash with commit 60b12e69fb1c8c7180fdda92f008248b9ec83db1 +after TempRamDone + +So move the action to TempRamDone event to avoid reading GDT from flash. + +Signed-off-by: Guomin Jiang +Cc: Eric Dong +Cc: Ray Ni +Cc: Laszlo Ersek +Cc: Rahul Kumar +Cc: Debkumar De +Cc: Harry Han +Cc: Catharine West +Reviewed-by: Ray Ni +--- + UefiCpuPkg/CpuMpPei/CpuMpPei.c | 37 -------------------------- + UefiCpuPkg/CpuMpPei/CpuMpPei.inf | 1 - + UefiCpuPkg/CpuMpPei/CpuPaging.c | 8 ------ + UefiCpuPkg/SecCore/SecCore.inf | 1 + + UefiCpuPkg/SecCore/SecMain.c | 45 ++++++++++++++++++++++++++++++++ + 5 files changed, 46 insertions(+), 46 deletions(-) + +diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.c b/UefiCpuPkg/CpuMpPei/CpuMpPei.c +index 40729a09b9..3c1bad6470 100644 +--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.c ++++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.c +@@ -429,43 +429,6 @@ GetGdtr ( + AsmReadGdtr ((IA32_DESCRIPTOR *)Buffer); + } + +-/** +- Migrates the Global Descriptor Table (GDT) to permanent memory. +- +- @retval EFI_SUCCESS The GDT was migrated successfully. +- @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to lack of available memory. +- +-**/ +-EFI_STATUS +-MigrateGdt ( +- VOID +- ) +-{ +- EFI_STATUS Status; +- UINTN GdtBufferSize; +- IA32_DESCRIPTOR Gdtr; +- VOID *GdtBuffer; +- +- AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr); +- GdtBufferSize = sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1; +- +- Status = PeiServicesAllocatePool ( +- GdtBufferSize, +- &GdtBuffer +- ); +- ASSERT (GdtBuffer != NULL); +- if (EFI_ERROR (Status)) { +- return EFI_OUT_OF_RESOURCES; +- } +- +- GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTOR)); +- CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1); +- Gdtr.Base = (UINTN) GdtBuffer; +- AsmWriteGdtr (&Gdtr); +- +- return EFI_SUCCESS; +-} +- + /** + Initializes CPU exceptions handlers for the sake of stack switch requirement. + +diff --git a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf +index ba829d816e..7444bdb968 100644 +--- a/UefiCpuPkg/CpuMpPei/CpuMpPei.inf ++++ b/UefiCpuPkg/CpuMpPei/CpuMpPei.inf +@@ -67,7 +67,6 @@ + gUefiCpuPkgTokenSpaceGuid.PcdCpuStackSwitchExceptionList ## SOMETIMES_CONSUMES + gUefiCpuPkgTokenSpaceGuid.PcdCpuKnownGoodStackSize ## SOMETIMES_CONSUMES + gUefiCpuPkgTokenSpaceGuid.PcdCpuApStackSize ## SOMETIMES_CONSUMES +- gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes ## CONSUMES + + [Depex] + TRUE +diff --git a/UefiCpuPkg/CpuMpPei/CpuPaging.c b/UefiCpuPkg/CpuMpPei/CpuPaging.c +index 50ad4277af..3e261d6657 100644 +--- a/UefiCpuPkg/CpuMpPei/CpuPaging.c ++++ b/UefiCpuPkg/CpuMpPei/CpuPaging.c +@@ -605,17 +605,9 @@ MemoryDiscoveredPpiNotifyCallback ( + { + EFI_STATUS Status; + BOOLEAN InitStackGuard; +- BOOLEAN InterruptState; + EDKII_MIGRATED_FV_INFO *MigratedFvInfo; + EFI_PEI_HOB_POINTERS Hob; + +- if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { +- InterruptState = SaveAndDisableInterrupts (); +- Status = MigrateGdt (); +- ASSERT_EFI_ERROR (Status); +- SetInterruptState (InterruptState); +- } +- + // + // Paging must be setup first. Otherwise the exception TSS setup during MP + // initialization later will not contain paging information and then fail +diff --git a/UefiCpuPkg/SecCore/SecCore.inf b/UefiCpuPkg/SecCore/SecCore.inf +index 545781d6b4..ded83beb52 100644 +--- a/UefiCpuPkg/SecCore/SecCore.inf ++++ b/UefiCpuPkg/SecCore/SecCore.inf +@@ -77,6 +77,7 @@ + + [Pcd] + gUefiCpuPkgTokenSpaceGuid.PcdPeiTemporaryRamStackSize ## CONSUMES ++ gEfiMdeModulePkgTokenSpaceGuid.PcdMigrateTemporaryRamFirmwareVolumes ## CONSUMES + + [UserExtensions.TianoCore."ExtraFiles"] + SecCoreExtra.uni +diff --git a/UefiCpuPkg/SecCore/SecMain.c b/UefiCpuPkg/SecCore/SecMain.c +index 155be49a60..2416c4ce56 100644 +--- a/UefiCpuPkg/SecCore/SecMain.c ++++ b/UefiCpuPkg/SecCore/SecMain.c +@@ -35,6 +35,43 @@ EFI_PEI_PPI_DESCRIPTOR mPeiSecPlatformInformationPpi[] = { + } + }; + ++/** ++ Migrates the Global Descriptor Table (GDT) to permanent memory. ++ ++ @retval EFI_SUCCESS The GDT was migrated successfully. ++ @retval EFI_OUT_OF_RESOURCES The GDT could not be migrated due to lack of available memory. ++ ++**/ ++EFI_STATUS ++MigrateGdt ( ++ VOID ++ ) ++{ ++ EFI_STATUS Status; ++ UINTN GdtBufferSize; ++ IA32_DESCRIPTOR Gdtr; ++ VOID *GdtBuffer; ++ ++ AsmReadGdtr ((IA32_DESCRIPTOR *) &Gdtr); ++ GdtBufferSize = sizeof (IA32_SEGMENT_DESCRIPTOR) -1 + Gdtr.Limit + 1; ++ ++ Status = PeiServicesAllocatePool ( ++ GdtBufferSize, ++ &GdtBuffer ++ ); ++ ASSERT (GdtBuffer != NULL); ++ if (EFI_ERROR (Status)) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ ++ GdtBuffer = ALIGN_POINTER (GdtBuffer, sizeof (IA32_SEGMENT_DESCRIPTOR)); ++ CopyMem (GdtBuffer, (VOID *) Gdtr.Base, Gdtr.Limit + 1); ++ Gdtr.Base = (UINTN) GdtBuffer; ++ AsmWriteGdtr (&Gdtr); ++ ++ return EFI_SUCCESS; ++} ++ + // + // These are IDT entries pointing to 10:FFFFFFE4h. + // +@@ -409,6 +446,14 @@ SecTemporaryRamDone ( + // + State = SaveAndDisableInterrupts (); + ++ // ++ // Migrate GDT before NEM near down ++ // ++ if (PcdGetBool (PcdMigrateTemporaryRamFirmwareVolumes)) { ++ Status = MigrateGdt (); ++ ASSERT_EFI_ERROR (Status); ++ } ++ + // + // Disable Temporary RAM after Stack and Heap have been migrated at this point. + // +-- +2.27.0 + diff --git a/0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch b/0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch new file mode 100644 index 0000000..00641ee --- /dev/null +++ b/0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch @@ -0,0 +1,208 @@ +From cab1f02565d3b29081dd21afb074f35fdb4e1fd6 Mon Sep 17 00:00:00 2001 +From: Miki Demeter +Date: Thu, 27 Oct 2022 16:20:54 -0700 +Subject: [PATCH] MdeModulePkg/PiSmmCore:SmmEntryPoint underflow(CVE-2021-38578) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3387 + +Added use of SafeIntLib to validate values are not causing overflows or +underflows in user controlled values when calculating buffer sizes. + +Signed-off-by: Miki Demeter +Reviewed-by: Michael D Kinney +Cc: Jian J Wang +Cc: Liming Gao +Reviewed-by: Liming Gao +--- + MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 41 ++++++++++++++++++----- + MdeModulePkg/Core/PiSmmCore/PiSmmCore.h | 1 + + MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf | 1 + + MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 31 +++++++++++++---- + MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf | 1 + + 5 files changed, 60 insertions(+), 15 deletions(-) + +diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c +index 9e5c6cbe33..875c7c0258 100644 +--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c ++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c +@@ -609,6 +609,7 @@ SmmEndOfS3ResumeHandler ( + @param[in] Size2 Size of Buff2 + + @retval TRUE Buffers overlap in memory. ++ @retval TRUE Math error. Prevents potential math over and underflows. + @retval FALSE Buffer doesn't overlap. + + **/ +@@ -620,11 +621,24 @@ InternalIsBufferOverlapped ( + IN UINTN Size2 + ) + { ++ UINTN End1; ++ UINTN End2; ++ BOOLEAN IsOverUnderflow1; ++ BOOLEAN IsOverUnderflow2; ++ ++ // Check for over or underflow ++ IsOverUnderflow1 = EFI_ERROR (SafeUintnAdd ((UINTN)Buff1, Size1, &End1)); ++ IsOverUnderflow2 = EFI_ERROR (SafeUintnAdd ((UINTN)Buff2, Size2, &End2)); ++ ++ if (IsOverUnderflow1 || IsOverUnderflow2) { ++ return TRUE; ++ } ++ + // + // If buff1's end is less than the start of buff2, then it's ok. + // Also, if buff1's start is beyond buff2's end, then it's ok. + // +- if (((Buff1 + Size1) <= Buff2) || (Buff1 >= (Buff2 + Size2))) { ++ if ((End1 <= (UINTN)Buff2) || ((UINTN)Buff1 >= End2)) { + return FALSE; + } + +@@ -651,6 +665,7 @@ SmmEntryPoint ( + EFI_SMM_COMMUNICATE_HEADER *CommunicateHeader; + BOOLEAN InLegacyBoot; + BOOLEAN IsOverlapped; ++ BOOLEAN IsOverUnderflow; + VOID *CommunicationBuffer; + UINTN BufferSize; + +@@ -699,23 +714,31 @@ SmmEntryPoint ( + (UINT8 *) gSmmCorePrivate, + sizeof (*gSmmCorePrivate) + ); +- if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) || IsOverlapped) { ++ // ++ // Check for over or underflows ++ // ++ IsOverUnderflow = EFI_ERROR (SafeUintnSub (BufferSize, OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data), &BufferSize)); ++ ++ if (!SmmIsBufferOutsideSmmValid ((UINTN)CommunicationBuffer, BufferSize) || ++ IsOverlapped || IsOverUnderflow) ++ { + // + // If CommunicationBuffer is not in valid address scope, + // or there is overlap between gSmmCorePrivate and CommunicationBuffer, ++ // or there is over or underflow, + // return EFI_INVALID_PARAMETER + // + gSmmCorePrivate->CommunicationBuffer = NULL; + gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED; + } else { + CommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *)CommunicationBuffer; +- BufferSize -= OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data); +- Status = SmiManage ( +- &CommunicateHeader->HeaderGuid, +- NULL, +- CommunicateHeader->Data, +- &BufferSize +- ); ++ // BufferSize was updated by the SafeUintnSub() call above. ++ Status = SmiManage ( ++ &CommunicateHeader->HeaderGuid, ++ NULL, ++ CommunicateHeader->Data, ++ &BufferSize ++ ); + // + // Update CommunicationBuffer, BufferSize and ReturnStatus + // Communicate service finished, reset the pointer to CommBuffer to NULL +diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h +index 71422b9dfc..b8a490a8c3 100644 +--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h ++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.h +@@ -54,6 +54,7 @@ + #include + #include + #include ++#include + + #include "PiSmmCorePrivateData.h" + #include "HeapGuard.h" +diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf +index c8bfae3860..3df44b38f1 100644 +--- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf ++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf +@@ -60,6 +60,7 @@ + PerformanceLib + HobLib + SmmMemLib ++ SafeIntLib + + [Protocols] + gEfiDxeSmmReadyToLockProtocolGuid ## UNDEFINED # SmiHandlerRegister +diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c +index 4f00cebaf5..fbba868fd0 100644 +--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c ++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c +@@ -34,8 +34,8 @@ + #include + #include + #include +- + #include "PiSmmCorePrivateData.h" ++#include + + #define SMRAM_CAPABILITIES (EFI_MEMORY_WB | EFI_MEMORY_UC) + +@@ -1354,6 +1354,7 @@ SmmSplitSmramEntry ( + @param[in] ReservedRangeToCompare Pointer to EFI_SMM_RESERVED_SMRAM_REGION to compare. + + @retval TRUE There is overlap. ++ @retval TRUE Math error. + @retval FALSE There is no overlap. + + **/ +@@ -1353,11 +1354,29 @@ SmmIsSmramOverlap ( + IN EFI_SMM_RESERVED_SMRAM_REGION *ReservedRangeToCompare + ) + { +- UINT64 RangeToCompareEnd; +- UINT64 ReservedRangeToCompareEnd; +- +- RangeToCompareEnd = RangeToCompare->CpuStart + RangeToCompare->PhysicalSize; +- ReservedRangeToCompareEnd = ReservedRangeToCompare->SmramReservedStart + ReservedRangeToCompare->SmramReservedSize; ++ UINT64 RangeToCompareEnd; ++ UINT64 ReservedRangeToCompareEnd; ++ BOOLEAN IsOverUnderflow1; ++ BOOLEAN IsOverUnderflow2; ++ ++ // Check for over or underflow. ++ IsOverUnderflow1 = EFI_ERROR ( ++ SafeUint64Add ( ++ (UINT64)RangeToCompare->CpuStart, ++ RangeToCompare->PhysicalSize, ++ &RangeToCompareEnd ++ ) ++ ); ++ IsOverUnderflow2 = EFI_ERROR ( ++ SafeUint64Add ( ++ (UINT64)ReservedRangeToCompare->SmramReservedStart, ++ ReservedRangeToCompare->SmramReservedSize, ++ &ReservedRangeToCompareEnd ++ ) ++ ); ++ if (IsOverUnderflow1 || IsOverUnderflow2) { ++ return TRUE; ++ } + + if ((RangeToCompare->CpuStart >= ReservedRangeToCompare->SmramReservedStart) && + (RangeToCompare->CpuStart < ReservedRangeToCompareEnd)) { +diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf +index 6109d6b544..ddeb39cee2 100644 +--- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf ++++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf +@@ -46,6 +46,7 @@ + DxeServicesLib + PcdLib + ReportStatusCodeLib ++ SafeIntLib + + [Protocols] + gEfiSmmBase2ProtocolGuid ## PRODUCES +-- +2.27.0 + diff --git a/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch b/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch new file mode 100644 index 0000000..99ddb6f --- /dev/null +++ b/0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch @@ -0,0 +1,43 @@ +From a114dc3c9af48a8f8ed22e738944a9c3e830a088 Mon Sep 17 00:00:00 2001 +From Shao Denghui +Date: Mon, 20 Feb 2023 21:59:31 +0800 +Subject: [PATCH] [PATCH] Avoid dangling ptrs in header and data params for + PEM_read_bio_ex In the event of a failure in PEM_read_bio_ex() we free the + buffers we allocated for the header and data buffers. However we were not + clearing the ptrs stored in *header and *data. Since, on success, the caller + is responsible for freeing these ptrs this can potentially lead to a double + free if the caller frees them even on failure. + +Thanks to Dawei Wang for reporting this issue. + +Based on a proposed patch by Kurt Roeckx. + +CVE-2022-4450 + +Reference: https://github.com/openssl/openssl/commit/ee6243f3947107d655f6dee96f63861561a5aaeb + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz + +Signed-off-by: Shao Denghui +--- + CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c +index 64baf71..6c7c4fe 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pem/pem_lib.c +@@ -940,7 +940,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, + *data = pem_malloc(len, flags); + if (*header == NULL || *data == NULL) { + pem_free(*header, flags, 0); ++ *header = NULL; + pem_free(*data, flags, 0); ++ *data = NULL; + goto end; + } + BIO_read(headerB, *header, headerlen); +-- +2.27.0 + diff --git a/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch b/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch new file mode 100644 index 0000000..9852ad6 --- /dev/null +++ b/0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch @@ -0,0 +1,57 @@ +From 7dd5a23212e3c7bf25a9cd7689681beb89b2d20f Mon Sep 17 00:00:00 2001 +From Shao Denghui +Date: Tue, 21 Feb 2023 20:12:59 +0800 +Subject: [PATCH] [PATCH] pk7_doit.c: Check return of BIO_set_md() calls + +These calls invoke EVP_DigestInit() which can fail for digests +with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write() +or EVP_DigestFinal() from BIO_read() will segfault on NULL +dereference. This can be triggered by an attacker providing +PKCS7 data digested with MD4 for example if the legacy provider +is not loaded. + +If BIO_set_md() fails the md BIO cannot be used. + +CVE-2023-0401 + +Reference: https://github.com/openssl/openssl/commit/6eebe6c0238178356114a96a7858f36b24172847 + +Reviewed-by: Paul Dale +Reviewed-by: Richard Levitte + +Signed-off-by: Shao Denghui +--- + .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c +index f63fbc5..bbfcf27 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c +@@ -67,7 +67,10 @@ static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg) + goto err; + } + +- BIO_set_md(btmp, md); ++ if (BIO_set_md(btmp, md) <= 0) { ++ PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB); ++ goto err; ++ } + if (*pbio == NULL) + *pbio = btmp; + else if (!BIO_push(*pbio, btmp)) { +@@ -454,7 +457,10 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) + goto err; + } + +- BIO_set_md(btmp, evp_md); ++ if (BIO_set_md(btmp, evp_md) <= 0) { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB); ++ goto err; ++ } + if (out == NULL) + out = btmp; + else +-- +2.27.0 + diff --git a/0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch b/0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch new file mode 100644 index 0000000..0c51792 --- /dev/null +++ b/0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch @@ -0,0 +1,106 @@ +From 93bb2a5f1df1617502c24f287ea4e5ca351aef95 Mon Sep 17 00:00:00 2001 +From: chenhuiying +Date: Sat, 25 Feb 2023 15:05:15 +0800 +Subject: [PATCH] Fix a UAF resulting from a bug in BIO_new_NDEF + +If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will +be part of an invalid BIO chain. This causes a "use after free" when the +BIO is eventually freed. + +Based on an original patch by Viktor Dukhovni and an idea from Theo +Buehler. + +Thanks to Octavio Galland for reporting this issue. + +REF: https://github.com/openssl/openssl/commit/c3829dd8825c654652201e16f8a0a0c46ee3f344 +Signed-off-by: chenhuiying +--- + .../OpensslLib/openssl/crypto/asn1/bio_ndef.c | 39 +++++++++++++++---- + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c +index 6222c99..cf52468 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/bio_ndef.c +@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg); + static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, + void *parg); + ++/* ++ * On success, the returned BIO owns the input BIO as part of its BIO chain. ++ * On failure, NULL is returned and the input BIO is owned by the caller. ++ * ++ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() ++ */ + BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) + { + NDEF_SUPPORT *ndef_aux = NULL; + BIO *asn_bio = NULL; + const ASN1_AUX *aux = it->funcs; + ASN1_STREAM_ARG sarg; ++ BIO *pop_bio = NULL; + + if (!aux || !aux->asn1_cb) { + ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED); +@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) + out = BIO_push(asn_bio, out); + if (out == NULL) + goto err; ++ pop_bio = asn_bio; + +- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); +- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); ++ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0 ++ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0 ++ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) ++ goto err; + + /* +- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure +- * needs. ++ * Now let the callback prepend any digest, cipher, etc., that the BIO's ++ * ASN1 structure needs. + */ + + sarg.out = out; + sarg.ndef_bio = NULL; + sarg.boundary = NULL; + +- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) ++ /* ++ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the ++ * middle of some partially built, but not returned BIO chain. ++ */ ++ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) { ++ /* ++ * ndef_aux is now owned by asn_bio so we must not free it in the err ++ * clean up block ++ */ ++ ndef_aux = NULL; + goto err; ++ } ++ ++ /* ++ * We must not fail now because the callback has prepended additional ++ * BIOs to the chain ++ */ + + ndef_aux->val = val; + ndef_aux->it = it; +@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) + ndef_aux->boundary = sarg.boundary; + ndef_aux->out = out; + +- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); +- + return sarg.ndef_bio; + + err: ++ /* BIO_pop() is NULL safe */ ++ (void)BIO_pop(pop_bio); + BIO_free(asn_bio); + OPENSSL_free(ndef_aux); + return NULL; +-- +2.27.0 + diff --git a/0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch b/0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch new file mode 100644 index 0000000..f42b436 --- /dev/null +++ b/0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch @@ -0,0 +1,79 @@ +From cb81a80d059f41b0930fcc36c36a155244f3873a Mon Sep 17 00:00:00 2001 +From: chenhuiying +Date: Sat, 25 Feb 2023 16:18:41 +0800 +Subject: [PATCH] Check CMS failure during BIO setup with -stream is handled correctly + +Test for the issue fixed in the previous commit + +REF:https://github.com/openssl/openssl/commit/f040f2577891d2bdb7610566c172233844cf673a +Signed-off-by: chenhuiying +--- + .../openssl/test/recipes/80-test_cms.t | 15 +++++++++++++-- + .../openssl/test/smime-certs/badrsa.pem | 18 ++++++++++++++++++ + 2 files changed, 31 insertions(+), 2 deletions(-) + create mode 100644 CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t +index 5dc6a3a..ec11bfc 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t ++++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t +@@ -13,7 +13,7 @@ use warnings; + use POSIX; + use File::Spec::Functions qw/catfile/; + use File::Compare qw/compare_text/; +-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/; ++use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/; + use OpenSSL::Test::Utils; + + setup("test_cms"); +@@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt"); + my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) + = disabled qw/des dh dsa ec ec2m rc2 zlib/; + +-plan tests => 6; ++plan tests => 7; + + my @smime_pkcs7_tests = ( + +@@ -584,3 +584,14 @@ sub check_availability { + + return ""; + } ++ ++# Check that we get the expected failure return code ++with({ exit_checker => sub { return shift == 6; } }, ++ sub { ++ ok(run(app(['openssl', 'cms', '-encrypt', ++ '-in', srctop_file("test", "smcont.txt"), ++ '-stream', '-recip', ++ srctop_file("test/smime-certs", "badrsa.pem"), ++ ])), ++ "Check failure during BIO setup with -stream is handled correctly"); ++ }); +diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem +new file mode 100644 +index 0000000..f824fc2 +--- /dev/null ++++ b/CryptoPkg/Library/OpensslLib/openssl/test/smime-certs/badrsa.pem +@@ -0,0 +1,18 @@ ++-----BEGIN CERTIFICATE----- ++MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD ++VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY ++DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN ++AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw ++I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A ++/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s ++yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0 ++zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB ++lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww ++CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm ++ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW ++eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt ++5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d ++rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv ++yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/ ++j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg= ++-----END CERTIFICATE----- +-- +2.27.0 + diff --git a/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch b/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch new file mode 100644 index 0000000..e670922 --- /dev/null +++ b/0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch @@ -0,0 +1,102 @@ +From fe9395b9fe1507236eafd147dc0cd4a8c9bf1fe6 Mon Sep 17 00:00:00 2001 +From: chenhuiying +Date: Sat, 25 Feb 2023 17:54:23 +0800 +Subject: [PATCH] Correctly compare EdiPartyName in GENERAL_NAME_cmp() + +If a GENERAL_NAME field contained EdiPartyName data then it was +incorrectly being handled as type "other". This could lead to a +segmentation fault. + +Many thanks to David Benjamin from Google for reporting this issue. + +CVE-2020-1971 + +reference: https://github.com/openssl/openssl/commit/f960d81215ebf3f65e03d4d5d857fb9b666d6920 +Signed-off-by: chenhuiying +--- + .../openssl/crypto/x509v3/v3_genn.c | 45 +++++++++++++++++-- + 1 file changed, 42 insertions(+), 3 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c +index 23e3bc4..23778e2 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c +@@ -57,6 +57,37 @@ GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a) + (char *)a); + } + ++static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) ++{ ++ int res; ++ ++ if (a == NULL || b == NULL) { ++ /* ++ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it ++ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here ++ */ ++ return -1; ++ } ++ if (a->nameAssigner == NULL && b->nameAssigner != NULL) ++ return -1; ++ if (a->nameAssigner != NULL && b->nameAssigner == NULL) ++ return 1; ++ /* If we get here then both have nameAssigner set, or both unset */ ++ if (a->nameAssigner != NULL) { ++ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner); ++ if (res != 0) ++ return res; ++ } ++ /* ++ * partyName is required, so these should never be NULL. We treat it in ++ * the same way as the a == NULL || b == NULL case above ++ */ ++ if (a->partyName == NULL || b->partyName == NULL) ++ return -1; ++ ++ return ASN1_STRING_cmp(a->partyName, b->partyName); ++} ++ + /* Returns 0 if they are equal, != 0 otherwise. */ + int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + { +@@ -66,8 +97,11 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + return -1; + switch (a->type) { + case GEN_X400: ++ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); ++ break; ++ + case GEN_EDIPARTY: +- result = ASN1_TYPE_cmp(a->d.other, b->d.other); ++ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName); + break; + + case GEN_OTHERNAME: +@@ -114,8 +148,11 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) + { + switch (type) { + case GEN_X400: ++ a->d.x400Address = value; ++ break; ++ + case GEN_EDIPARTY: +- a->d.other = value; ++ a->d.ediPartyName = value; + break; + + case GEN_OTHERNAME: +@@ -149,8 +186,10 @@ void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype) + *ptype = a->type; + switch (a->type) { + case GEN_X400: ++ return a->d.x400Address; ++ + case GEN_EDIPARTY: +- return a->d.other; ++ return a->d.ediPartyName; + + case GEN_OTHERNAME: + return a->d.otherName; +-- +2.27.0 + diff --git a/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch b/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch new file mode 100644 index 0000000..24e3c8a --- /dev/null +++ b/0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch @@ -0,0 +1,41 @@ +From 7553d2119f3c899f779eaacafff63feaa843814a Mon Sep 17 00:00:00 2001 +From: s00803682 +Date: Sat, 25 Feb 2023 18:22:13 +0800 +Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1) + +REF: https://github.com/openssl/openssl/commit/2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 +Signed-off-by: chenhuiying +--- + CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c | 2 +- + CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c +index 23778e2..12ce733 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509v3/v3_genn.c +@@ -97,7 +97,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) + return -1; + switch (a->type) { + case GEN_X400: +- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); ++ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); + break; + + case GEN_EDIPARTY: +diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h +index 6c6eca3..b80438d 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h ++++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/x509v3.h +@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st { + OTHERNAME *otherName; /* otherName */ + ASN1_IA5STRING *rfc822Name; + ASN1_IA5STRING *dNSName; +- ASN1_TYPE *x400Address; ++ ASN1_STRING *x400Address; + X509_NAME *directoryName; + EDIPARTYNAME *ediPartyName; + ASN1_IA5STRING *uniformResourceIdentifier; +-- +2.27.0 + diff --git a/0029-Fix-Timing-Oracle-in-RSA-decryption.patch b/0029-Fix-Timing-Oracle-in-RSA-decryption.patch new file mode 100644 index 0000000..3e57625 --- /dev/null +++ b/0029-Fix-Timing-Oracle-in-RSA-decryption.patch @@ -0,0 +1,834 @@ +From df422474e4e7e2f380840eeb9d6e466312fe0879 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 20 Jan 2023 15:26:54 +0000 +Subject: [PATCH] Fix Timing Oracle in RSA decryption + +A timing based side channel exists in the OpenSSL RSA Decryption +implementation which could be sufficient to recover a plaintext across +a network in a Bleichenbacher style attack. To achieve a successful +decryption an attacker would have to be able to send a very large number +of trial messages for decryption. The vulnerability affects all RSA +padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. + +Patch written by Dmitry Belyavsky and Hubert Kario + +CVE-2022-4304 + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz + +reference: https://github.com/openssl/openssl/pull/20284 +Signed-off-by: yexiao +--- + CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 + + .../Library/OpensslLib/OpensslLibCrypto.inf | 1 + + .../OpensslLib/openssl/crypto/bn/bn_blind.c | 14 - + .../OpensslLib/openssl/crypto/bn/bn_err.c | 2 + + .../OpensslLib/openssl/crypto/bn/bn_local.h | 14 + + .../OpensslLib/openssl/crypto/bn/build.info | 3 +- + .../openssl/crypto/bn/rsa_sup_mul.c | 614 ++++++++++++++++++ + .../OpensslLib/openssl/crypto/err/openssl.txt | 3 +- + .../OpensslLib/openssl/crypto/rsa/rsa_ossl.c | 17 +- + .../OpensslLib/openssl/include/crypto/bn.h | 5 + + .../openssl/include/openssl/bnerr.h | 1 + + 11 files changed, 655 insertions(+), 20 deletions(-) + create mode 100644 CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c + +diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf +index b00bb74..ec5be59 100644 +--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf ++++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf +@@ -155,6 +155,7 @@ + $(OPENSSL_PATH)/crypto/bn/bn_sqr.c + $(OPENSSL_PATH)/crypto/bn/bn_sqrt.c + $(OPENSSL_PATH)/crypto/bn/bn_srp.c ++ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c + $(OPENSSL_PATH)/crypto/bn/bn_word.c + $(OPENSSL_PATH)/crypto/bn/bn_x931p.c + $(OPENSSL_PATH)/crypto/buffer/buf_err.c +diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +index 3557711..ee68e48 100644 +--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf ++++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf +@@ -155,6 +155,7 @@ + $(OPENSSL_PATH)/crypto/bn/bn_sqr.c + $(OPENSSL_PATH)/crypto/bn/bn_sqrt.c + $(OPENSSL_PATH)/crypto/bn/bn_srp.c ++ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c + $(OPENSSL_PATH)/crypto/bn/bn_word.c + $(OPENSSL_PATH)/crypto/bn/bn_x931p.c + $(OPENSSL_PATH)/crypto/buffer/buf_err.c +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c +index 76fc7eb..6e9d239 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_blind.c +@@ -13,20 +13,6 @@ + + #define BN_BLINDING_COUNTER 32 + +-struct bn_blinding_st { +- BIGNUM *A; +- BIGNUM *Ai; +- BIGNUM *e; +- BIGNUM *mod; /* just a reference */ +- CRYPTO_THREAD_ID tid; +- int counter; +- unsigned long flags; +- BN_MONT_CTX *m_ctx; +- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, +- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +- CRYPTO_RWLOCK *lock; +-}; +- + BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) + { + BN_BLINDING *ret = NULL; +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c +index dd87c15..3dd8d9a 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_err.c +@@ -73,6 +73,8 @@ static const ERR_STRING_DATA BN_str_functs[] = { + {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"}, + {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"}, + {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"}, ++ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0), ++ "ossl_bn_rsa_do_unblind"}, + {0, NULL} + }; + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h +index 8ad69cc..0965135 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_local.h +@@ -263,6 +263,20 @@ struct bn_gencb_st { + } cb; + }; + ++struct bn_blinding_st { ++ BIGNUM *A; ++ BIGNUM *Ai; ++ BIGNUM *e; ++ BIGNUM *mod; /* just a reference */ ++ CRYPTO_THREAD_ID tid; ++ int counter; ++ unsigned long flags; ++ BN_MONT_CTX *m_ctx; ++ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, ++ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); ++ CRYPTO_RWLOCK *lock; ++}; ++ + /*- + * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions + * +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info +index b9ed532..c9fe2fd 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/build.info +@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\ + bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \ + {- $target{bn_asm_src} -} \ + bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ +- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c ++ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \ ++ rsa_sup_mul.c + + INCLUDE[bn_exp.o]=.. + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c +new file mode 100644 +index 0000000..acafefd +--- /dev/null ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/rsa_sup_mul.c +@@ -0,0 +1,614 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "internal/numbers.h" ++#include "internal/constant_time.h" ++#include "bn_local.h" ++ ++# if BN_BYTES == 8 ++typedef uint64_t limb_t; ++# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 ++/* nonstandard; implemented by gcc on 64-bit platforms */ ++typedef __uint128_t limb2_t; ++# define HAVE_LIMB2_T ++# endif ++# define LIMB_BIT_SIZE 64 ++# define LIMB_BYTE_SIZE 8 ++# elif BN_BYTES == 4 ++typedef uint32_t limb_t; ++typedef uint64_t limb2_t; ++# define LIMB_BIT_SIZE 32 ++# define LIMB_BYTE_SIZE 4 ++# define HAVE_LIMB2_T ++# else ++# error "Not supported" ++# endif ++ ++/* ++ * For multiplication we're using schoolbook multiplication, ++ * so if we have two numbers, each with 6 "digits" (words) ++ * the multiplication is calculated as follows: ++ * A B C D E F ++ * x I J K L M N ++ * -------------- ++ * N*F ++ * N*E ++ * N*D ++ * N*C ++ * N*B ++ * N*A ++ * M*F ++ * M*E ++ * M*D ++ * M*C ++ * M*B ++ * M*A ++ * L*F ++ * L*E ++ * L*D ++ * L*C ++ * L*B ++ * L*A ++ * K*F ++ * K*E ++ * K*D ++ * K*C ++ * K*B ++ * K*A ++ * J*F ++ * J*E ++ * J*D ++ * J*C ++ * J*B ++ * J*A ++ * I*F ++ * I*E ++ * I*D ++ * I*C ++ * I*B ++ * + I*A ++ * ========================== ++ * N*B N*D N*F ++ * + N*A N*C N*E ++ * + M*B M*D M*F ++ * + M*A M*C M*E ++ * + L*B L*D L*F ++ * + L*A L*C L*E ++ * + K*B K*D K*F ++ * + K*A K*C K*E ++ * + J*B J*D J*F ++ * + J*A J*C J*E ++ * + I*B I*D I*F ++ * + I*A I*C I*E ++ * ++ * 1+1 1+3 1+5 ++ * 1+0 1+2 1+4 ++ * 0+1 0+3 0+5 ++ * 0+0 0+2 0+4 ++ * ++ * 0 1 2 3 4 5 6 ++ * which requires n^2 multiplications and 2n full length additions ++ * as we can keep every other result of limb multiplication in two separate ++ * limbs ++ */ ++ ++#if defined HAVE_LIMB2_T ++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) ++{ ++ limb2_t t; ++ /* ++ * this is idiomatic code to tell compiler to use the native mul ++ * those three lines will actually compile to single instruction ++ */ ++ ++ t = (limb2_t)a * b; ++ *hi = t >> LIMB_BIT_SIZE; ++ *lo = (limb_t)t; ++} ++#elif (BN_BYTES == 8) && (defined _MSC_VER) ++/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ ++#pragma intrinsic(_umul128) ++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) ++{ ++ *lo = _umul128(a, b, hi); ++} ++#else ++/* ++ * if the compiler doesn't have either a 128bit data type nor a "return ++ * high 64 bits of multiplication" ++ */ ++static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) ++{ ++ limb_t a_low = (limb_t)(uint32_t)a; ++ limb_t a_hi = a >> 32; ++ limb_t b_low = (limb_t)(uint32_t)b; ++ limb_t b_hi = b >> 32; ++ ++ limb_t p0 = a_low * b_low; ++ limb_t p1 = a_low * b_hi; ++ limb_t p2 = a_hi * b_low; ++ limb_t p3 = a_hi * b_hi; ++ ++ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); ++ ++ *lo = p0 + (p1 << 32) + (p2 << 32); ++ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; ++} ++#endif ++ ++/* add two limbs with carry in, return carry out */ ++static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) ++{ ++ limb_t carry1, carry2, t; ++ /* ++ * `c = a + b; if (c < a)` is idiomatic code that makes compilers ++ * use add with carry on assembly level ++ */ ++ ++ *ret = a + carry; ++ if (*ret < a) ++ carry1 = 1; ++ else ++ carry1 = 0; ++ ++ t = *ret; ++ *ret = t + b; ++ if (*ret < t) ++ carry2 = 1; ++ else ++ carry2 = 0; ++ ++ return carry1 + carry2; ++} ++ ++/* ++ * add two numbers of the same size, return overflow ++ * ++ * add a to b, place result in ret; all arrays need to be n limbs long ++ * return overflow from addition (0 or 1) ++ */ ++static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) ++{ ++ limb_t c = 0; ++ ossl_ssize_t i; ++ ++ for(i = n - 1; i > -1; i--) ++ c = _add_limb(&ret[i], a[i], b[i], c); ++ ++ return c; ++} ++ ++/* ++ * return number of limbs necessary for temporary values ++ * when multiplying numbers n limbs large ++ */ ++static ossl_inline size_t mul_limb_numb(size_t n) ++{ ++ return 2 * n * 2; ++} ++ ++/* ++ * multiply two numbers of the same size ++ * ++ * multiply a by b, place result in ret; a and b need to be n limbs long ++ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs ++ * long ++ */ ++static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) ++{ ++ limb_t *r_odd, *r_even; ++ size_t i, j, k; ++ ++ r_odd = tmp; ++ r_even = &tmp[2 * n]; ++ ++ memset(ret, 0, 2 * n * sizeof(limb_t)); ++ ++ for (i = 0; i < n; i++) { ++ for (k = 0; k < i + n + 1; k++) { ++ r_even[k] = 0; ++ r_odd[k] = 0; ++ } ++ for (j = 0; j < n; j++) { ++ /* ++ * place results from even and odd limbs in separate arrays so that ++ * we don't have to calculate overflow every time we get individual ++ * limb multiplication result ++ */ ++ if (j % 2 == 0) ++ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); ++ else ++ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); ++ } ++ /* ++ * skip the least significant limbs when adding multiples of ++ * more significant limbs (they're zero anyway) ++ */ ++ add(ret, ret, r_even, n + i + 1); ++ add(ret, ret, r_odd, n + i + 1); ++ } ++} ++ ++/* modifies the value in place by performing a right shift by one bit */ ++static ossl_inline void rshift1(limb_t *val, size_t n) ++{ ++ limb_t shift_in = 0, shift_out = 0; ++ size_t i; ++ ++ for (i = 0; i < n; i++) { ++ shift_out = val[i] & 1; ++ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); ++ shift_in = shift_out; ++ } ++} ++ ++/* extend the LSB of flag to all bits of limb */ ++static ossl_inline limb_t mk_mask(limb_t flag) ++{ ++ flag |= flag << 1; ++ flag |= flag << 2; ++ flag |= flag << 4; ++ flag |= flag << 8; ++ flag |= flag << 16; ++#if (LIMB_BYTE_SIZE == 8) ++ flag |= flag << 32; ++#endif ++ return flag; ++} ++ ++/* ++ * copy from either a or b to ret based on flag ++ * when flag == 0, then copies from b ++ * when flag == 1, then copies from a ++ */ ++static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) ++{ ++ /* ++ * would be more efficient with non volatile mask, but then gcc ++ * generates code with jumps ++ */ ++ volatile limb_t mask; ++ size_t i; ++ ++ mask = mk_mask(flag); ++ for (i = 0; i < n; i++) { ++#if (LIMB_BYTE_SIZE == 8) ++ ret[i] = constant_time_select_64(mask, a[i], b[i]); ++#else ++ ret[i] = constant_time_select_32(mask, a[i], b[i]); ++#endif ++ } ++} ++ ++static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) ++{ ++ limb_t borrow1, borrow2, t; ++ /* ++ * while it doesn't look constant-time, this is idiomatic code ++ * to tell compilers to use the carry bit from subtraction ++ */ ++ ++ *ret = a - borrow; ++ if (*ret > a) ++ borrow1 = 1; ++ else ++ borrow1 = 0; ++ ++ t = *ret; ++ *ret = t - b; ++ if (*ret > t) ++ borrow2 = 1; ++ else ++ borrow2 = 0; ++ ++ return borrow1 + borrow2; ++} ++ ++/* ++ * place the result of a - b into ret, return the borrow bit. ++ * All arrays need to be n limbs long ++ */ ++static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) ++{ ++ limb_t borrow = 0; ++ ossl_ssize_t i; ++ ++ for (i = n - 1; i > -1; i--) ++ borrow = _sub_limb(&ret[i], a[i], b[i], borrow); ++ ++ return borrow; ++} ++ ++/* return the number of limbs necessary to allocate for the mod() tmp operand */ ++static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) ++{ ++ return (anum + modnum) * 3; ++} ++ ++/* ++ * calculate a % mod, place the result in ret ++ * size of a is defined by anum, size of ret and mod is modnum, ++ * size of tmp is returned by mod_limb_numb() ++ */ ++static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, ++ size_t modnum, limb_t *tmp) ++{ ++ limb_t *atmp, *modtmp, *rettmp; ++ limb_t res; ++ size_t i; ++ ++ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); ++ ++ atmp = tmp; ++ modtmp = &tmp[anum + modnum]; ++ rettmp = &tmp[(anum + modnum) * 2]; ++ ++ for (i = modnum; i 0; i--, rp--) { ++ v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2); ++ v = v + carry + rp[-1]; ++ carry |= (v != rp[-1]); ++ carry &= (v <= rp[-1]); ++ rp[-1] = v; ++ } ++ ++ /* perform the final reduction by mod... */ ++ carry -= sub(ret, rp, mod, modnum); ++ ++ /* ...conditionally */ ++ cselect(carry, ret, rp, ret, modnum); ++} ++ ++/* allocated buffer should be freed afterwards */ ++static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) ++{ ++ int i; ++ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; ++ limb_t *ptr = buf + (limbs - real_limbs); ++ ++ for (i = 0; i < real_limbs; i++) ++ ptr[i] = bn->d[real_limbs - i - 1]; ++} ++ ++#if LIMB_BYTE_SIZE == 8 ++static ossl_inline uint64_t be64(uint64_t host) ++{ ++ const union { ++ long one; ++ char little; ++ } is_endian = { 1 }; ++ ++ if (is_endian.little) { ++ uint64_t big = 0; ++ ++ big |= (host & 0xff00000000000000) >> 56; ++ big |= (host & 0x00ff000000000000) >> 40; ++ big |= (host & 0x0000ff0000000000) >> 24; ++ big |= (host & 0x000000ff00000000) >> 8; ++ big |= (host & 0x00000000ff000000) << 8; ++ big |= (host & 0x0000000000ff0000) << 24; ++ big |= (host & 0x000000000000ff00) << 40; ++ big |= (host & 0x00000000000000ff) << 56; ++ return big; ++ } else { ++ return host; ++ } ++} ++ ++#else ++/* Not all platforms have htobe32(). */ ++static ossl_inline uint32_t be32(uint32_t host) ++{ ++ const union { ++ long one; ++ char little; ++ } is_endian = { 1 }; ++ ++ if (is_endian.little) { ++ uint32_t big = 0; ++ ++ big |= (host & 0xff000000) >> 24; ++ big |= (host & 0x00ff0000) >> 8; ++ big |= (host & 0x0000ff00) << 8; ++ big |= (host & 0x000000ff) << 24; ++ return big; ++ } else { ++ return host; ++ } ++} ++#endif ++ ++/* ++ * We assume that intermediate, possible_arg2, blinding, and ctx are used ++ * similar to BN_BLINDING_invert_ex() arguments. ++ * to_mod is RSA modulus. ++ * buf and num is the serialization buffer and its length. ++ * ++ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished ++ * we serialize the new structure instead of BIGNUMs taking endianness into account. ++ */ ++int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, ++ const BN_BLINDING *blinding, ++ const BIGNUM *possible_arg2, ++ const BIGNUM *to_mod, BN_CTX *ctx, ++ unsigned char *buf, int num) ++{ ++ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; ++ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; ++ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; ++ size_t l_tmp_count = 0; ++ int ret = 0; ++ size_t i; ++ unsigned char *tmp; ++ const BIGNUM *arg1 = intermediate; ++ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; ++ ++ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; ++ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; ++ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; ++ ++ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; ++ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); ++ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); ++ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); ++ ++ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) ++ goto err; ++ ++ BN_to_limb(arg1, l_im, l_size); ++ BN_to_limb(arg2, l_mul, l_size); ++ BN_to_limb(to_mod, l_mod, l_mod_count); ++ ++ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); ++ ++ if (blinding->m_ctx != NULL) { ++ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? ++ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); ++ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); ++ } else { ++ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? ++ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); ++ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); ++ } ++ ++ if ((l_ret == NULL) || (l_tmp == NULL)) ++ goto err; ++ ++ if (blinding->m_ctx != NULL) { ++ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); ++ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, ++ blinding->m_ctx->n0[0], l_tmp); ++ } else { ++ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); ++ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); ++ } ++ ++ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ ++ if (num < BN_num_bytes(to_mod)) { ++ BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT); ++ goto err; ++ } ++ ++ memset(buf, 0, num); ++ tmp = buf + num - BN_num_bytes(to_mod); ++ for (i = 0; i < l_mod_count; i++) { ++#if LIMB_BYTE_SIZE == 8 ++ l_buf = be64(l_ret[i]); ++#else ++ l_buf = be32(l_ret[i]); ++#endif ++ if (i == 0) { ++ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); ++ ++ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); ++ tmp += delta; ++ } else { ++ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); ++ tmp += LIMB_BYTE_SIZE; ++ } ++ } ++ ret = num; ++ ++ err: ++ OPENSSL_free(l_im); ++ OPENSSL_free(l_mul); ++ OPENSSL_free(l_mod); ++ OPENSSL_free(l_tmp); ++ OPENSSL_free(l_ret); ++ ++ return ret; ++} +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt +index 35512f9..03d1640 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/err/openssl.txt +@@ -1,4 +1,4 @@ +-# Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. ++# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. + # + # Licensed under the OpenSSL license (the "License"). You may not use + # this file except in compliance with the License. You can obtain a copy +@@ -231,6 +231,7 @@ BN_F_BN_RSHIFT:146:BN_rshift + BN_F_BN_SET_WORDS:144:bn_set_words + BN_F_BN_STACK_PUSH:148:BN_STACK_push + BN_F_BN_USUB:115:BN_usub ++BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind + BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow + BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean + BUF_F_BUF_MEM_NEW:101:BUF_MEM_new +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c +index b52a66f..6c3c0cf 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_ossl.c +@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + BN_free(d); + } + +- if (blinding) +- if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) ++ if (blinding) { ++ /* ++ * ossl_bn_rsa_do_unblind() combines blinding inversion and ++ * 0-padded BN BE serialization ++ */ ++ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, ++ buf, num); ++ if (j == 0) + goto err; +- +- j = BN_bn2binpad(ret, buf, num); ++ } else { ++ j = BN_bn2binpad(ret, buf, num); ++ if (j < 0) ++ goto err; ++ } + + switch (padding) { + case RSA_PKCS1_PADDING: +diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h +index 60afda1..b5f36fb 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h ++++ b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h +@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); + int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); + int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, + const BIGNUM *d, BN_CTX *ctx); ++int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, ++ const BN_BLINDING *blinding, ++ const BIGNUM *possible_arg2, ++ const BIGNUM *to_mod, BN_CTX *ctx, ++ unsigned char *buf, int num); + + #endif +diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h +index 9f3c7cf..a0752ce 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h ++++ b/CryptoPkg/Library/OpensslLib/openssl/include/openssl/bnerr.h +@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void); + # define BN_F_BN_SET_WORDS 144 + # define BN_F_BN_STACK_PUSH 148 + # define BN_F_BN_USUB 115 ++# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151 + + /* + * BN reason codes. +-- +2.33.0 + diff --git a/0030-brotli-Fix-VLA-parameter-warning-893.patch b/0030-brotli-Fix-VLA-parameter-warning-893.patch new file mode 100644 index 0000000..9f6974e --- /dev/null +++ b/0030-brotli-Fix-VLA-parameter-warning-893.patch @@ -0,0 +1,89 @@ +From 0a3944c8c99b8d10cc4325f721b7c273d2b41f7b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Adri=C3=A1n=20Herrera=20Arcila?= +Date: Wed, 23 Jun 2021 08:53:59 +0100 +Subject: [PATCH] Fix VLA parameter warning (#893) + +Make VLA buffer types consistent in declarations and definitions. +Resolves build crash when using -Werror due to "vla-parameter" warning. + +Signed-off-by: Adrian Herrera + +reference: https://github.com/google/brotli/pull/893 +Signed-off-by: Jiabo Feng +--- + BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c | 6 ++++-- + BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c | 5 +++-- + .../Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c | 6 ++++-- + .../Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c | 5 +++-- + 4 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c +index ae5a3d3..7eee968 100644 +--- a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c ++++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c +@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands( + } + + BrotliDecoderResult BrotliDecoderDecompress( +- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size, +- uint8_t* decoded_buffer) { ++ size_t encoded_size, ++ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)], ++ size_t* decoded_size, ++ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) { + BrotliDecoderState s; + BrotliDecoderResult result; + size_t total_out = 0; +diff --git a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c +index 8d90937..0c49c64 100644 +--- a/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c ++++ b/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/enc/encode.c +@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream( + + BROTLI_BOOL BrotliEncoderCompress( + int quality, int lgwin, BrotliEncoderMode mode, size_t input_size, +- const uint8_t* input_buffer, size_t* encoded_size, +- uint8_t* encoded_buffer) { ++ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)], ++ size_t* encoded_size, ++ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) { + BrotliEncoderState* s; + size_t out_size = *encoded_size; + const uint8_t* input_start = input_buffer; + +diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c +index ae5a3d3..7eee968 100644 +--- a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c ++++ b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c +@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands( + } + + BrotliDecoderResult BrotliDecoderDecompress( +- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size, +- uint8_t* decoded_buffer) { ++ size_t encoded_size, ++ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)], ++ size_t* decoded_size, ++ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) { + BrotliDecoderState s; + BrotliDecoderResult result; + size_t total_out = 0; +diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c +index 8d90937..0c49c64 100644 +--- a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c ++++ b/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c +@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream( + + BROTLI_BOOL BrotliEncoderCompress( + int quality, int lgwin, BrotliEncoderMode mode, size_t input_size, +- const uint8_t* input_buffer, size_t* encoded_size, +- uint8_t* encoded_buffer) { ++ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)], ++ size_t* encoded_size, ++ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) { + BrotliEncoderState* s; + size_t out_size = *encoded_size; + const uint8_t* input_start = input_buffer; +-- +2.41.0 + diff --git a/0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch b/0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch new file mode 100644 index 0000000..bde72b3 --- /dev/null +++ b/0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch @@ -0,0 +1,48 @@ +From ae8272ef787d80950803c521a13a308651bdc62e Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 20 Dec 2021 22:32:38 +0800 +Subject: [PATCH] MdeModulePkg/UsbBusDxe: fix NOOPT build error + +gcc-11 (fedora 35): + +/home/kraxel/projects/edk2/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBus.c: In function ?UsbIoBulkTransfer?: +/home/kraxel/projects/edk2/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBus.c:277:12: error: ?UsbHcBulkTransfer? accessing 80 bytes in a region of size 8 [-Werror=stringop-overflow=] + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Hao A Wu + +reference: https://github.com/tianocore/edk2/pull/2347 +Signed-off-by: Jiabo Feng +--- + MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c | 2 +- + MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c +index 12d08c0b74..740e7babb0 100644 +--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c ++++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c +@@ -285,7 +285,7 @@ UsbHcBulkTransfer ( + IN UINT8 DevSpeed, + IN UINTN MaxPacket, + IN UINT8 BufferNum, +- IN OUT VOID *Data[EFI_USB_MAX_BULK_BUFFER_NUM], ++ IN OUT VOID *Data[], + IN OUT UINTN *DataLength, + IN OUT UINT8 *DataToggle, + IN UINTN TimeOut, +diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h +index 04cf36d3c8..d93370a6c2 100644 +--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h ++++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h +@@ -149,7 +149,7 @@ UsbHcBulkTransfer ( + IN UINT8 DevSpeed, + IN UINTN MaxPacket, + IN UINT8 BufferNum, +- IN OUT VOID *Data[EFI_USB_MAX_BULK_BUFFER_NUM], ++ IN OUT VOID *Data[], + IN OUT UINTN *DataLength, + IN OUT UINT8 *DataToggle, + IN UINTN TimeOut, +-- +2.41.0 diff --git a/0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch b/0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch new file mode 100644 index 0000000..5919700 --- /dev/null +++ b/0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch @@ -0,0 +1,50 @@ +From 7b005f344e533cd913c3ca05b266f9872df886d1 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 24 Mar 2022 20:04:34 +0800 +Subject: [PATCH 1/3] BaseTools: fix gcc12 warning + +GenFfs.c:545:5: error: pointer ?InFileHandle? used after ?fclose? [-Werror=use-after-free] + 545 | Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +GenFfs.c:544:5: note: call to ?fclose? here + 544 | fclose (InFileHandle); + | ^~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Bob Feng + +reference: https://github.com/tianocore/edk2/pull/2694 +Signed-off-by: Jiabo Feng +--- + BaseTools/Source/C/GenFfs/GenFfs.c | 2 +- + BaseTools/Source/C/GenSec/GenSec.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/BaseTools/Source/C/GenFfs/GenFfs.c b/BaseTools/Source/C/GenFfs/GenFfs.c +index 949025c333..d78d62ab36 100644 +--- a/BaseTools/Source/C/GenFfs/GenFfs.c ++++ b/BaseTools/Source/C/GenFfs/GenFfs.c +@@ -542,7 +542,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment) + PeFileBuffer = (UINT8 *) malloc (PeFileSize); + if (PeFileBuffer == NULL) { + fclose (InFileHandle); +- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle); ++ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile); + return EFI_OUT_OF_RESOURCES; + } + fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle); +diff --git a/BaseTools/Source/C/GenSec/GenSec.c b/BaseTools/Source/C/GenSec/GenSec.c +index d54a4f9e0a..b1d05367ec 100644 +--- a/BaseTools/Source/C/GenSec/GenSec.c ++++ b/BaseTools/Source/C/GenSec/GenSec.c +@@ -1062,7 +1062,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment) + PeFileBuffer = (UINT8 *) malloc (PeFileSize); + if (PeFileBuffer == NULL) { + fclose (InFileHandle); +- Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle); ++ Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile); + return EFI_OUT_OF_RESOURCES; + } + fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle); +-- +2.41.0 \ No newline at end of file diff --git a/0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch b/0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch new file mode 100644 index 0000000..2ceedd5 --- /dev/null +++ b/0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch @@ -0,0 +1,53 @@ +From 85021f8cf22d1bd4114803c6c610dea5ef0059f1 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 24 Mar 2022 20:04:35 +0800 +Subject: [PATCH 2/3] BaseTools: fix gcc12 warning + +Sdk/C/LzmaEnc.c: In function ?LzmaEnc_CodeOneMemBlock?: +Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*p.rc.outStream? [-Werror=dangling-pointer=] + 2828 | p->rc.outStream = &outStream.vt; + | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~ +Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here + 2811 | CLzmaEnc_SeqOutStreamBuf outStream; + | ^~~~~~~~~ +Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here +Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*(CLzmaEnc *)pp.rc.outStream? [-Werror=dangling-pointer=] + 2828 | p->rc.outStream = &outStream.vt; + | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~ +Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here + 2811 | CLzmaEnc_SeqOutStreamBuf outStream; + | ^~~~~~~~~ +Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here +cc1: all warnings being treated as errors + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Bob Feng + +reference: https://github.com/tianocore/edk2/pull/2694 +Signed-off-by: Jiabo Feng +--- + BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c +index 4e9b499f8d..4b9f5fa692 100644 +--- a/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c ++++ b/BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c +@@ -2638,12 +2638,13 @@ SRes LzmaEnc_CodeOneMemBlock(CLzmaEncHandle pp, Bool reInit, + + nowPos64 = p->nowPos64; + RangeEnc_Init(&p->rc); +- p->rc.outStream = &outStream.vt; + + if (desiredPackSize == 0) + return SZ_ERROR_OUTPUT_EOF; + ++ p->rc.outStream = &outStream.vt; + res = LzmaEnc_CodeOneBlock(p, desiredPackSize, *unpackSize); ++ p->rc.outStream = NULL; + + *unpackSize = (UInt32)(p->nowPos64 - nowPos64); + *destLen -= outStream.rem; +-- +2.41.0.windows.1 + diff --git a/0034-Basetools-turn-off-gcc12-warning.patch b/0034-Basetools-turn-off-gcc12-warning.patch new file mode 100644 index 0000000..f17e7b0 --- /dev/null +++ b/0034-Basetools-turn-off-gcc12-warning.patch @@ -0,0 +1,43 @@ +From 22130dcd98b4d4b76ac8d922adb4a2dbc86fa52c Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 24 Mar 2022 20:04:36 +0800 +Subject: [PATCH 3/3] Basetools: turn off gcc12 warning + +In function ?SetDevicePathEndNode?, + inlined from ?FileDevicePath? at DevicePathUtilities.c:857:5: +DevicePathUtilities.c:321:3: error: writing 4 bytes into a region of size 1 [-Werror=stringop-overflow=] + 321 | memcpy (Node, &mUefiDevicePathLibEndDevicePath, sizeof (mUefiDevicePathLibEndDevicePath)); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +In file included from UefiDevicePathLib.h:22, + from DevicePathUtilities.c:16: +../Include/Protocol/DevicePath.h: In function ?FileDevicePath?: +../Include/Protocol/DevicePath.h:51:9: note: destination object ?Type? of size 1 + 51 | UINT8 Type; ///< 0x01 Hardware Device Path. + | ^~~~ + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Bob Feng + +reference: https://github.com/tianocore/edk2/pull/2694 +Signed-off-by: Jiabo Feng +--- + BaseTools/Source/C/DevicePath/GNUmakefile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/BaseTools/Source/C/DevicePath/GNUmakefile b/BaseTools/Source/C/DevicePath/GNUmakefile +index 7ca08af966..b05d2bddfa 100644 +--- a/BaseTools/Source/C/DevicePath/GNUmakefile ++++ b/BaseTools/Source/C/DevicePath/GNUmakefile +@@ -13,6 +13,9 @@ OBJECTS = DevicePath.o UefiDevicePathLib.o DevicePathFromText.o DevicePathUtili + + include $(MAKEROOT)/Makefiles/app.makefile + ++# gcc 12 trips over device path handling ++BUILD_CFLAGS += -Wno-error=stringop-overflow ++ + LIBS = -lCommon + ifeq ($(CYGWIN), CYGWIN) + LIBS += -L/lib/e2fsprogs -luuid +-- +2.41.0 + diff --git a/0035-add-file-edk2-aarch64-json.patch b/0035-add-file-edk2-aarch64-json.patch new file mode 100644 index 0000000..2103508 --- /dev/null +++ b/0035-add-file-edk2-aarch64-json.patch @@ -0,0 +1,50 @@ +From 32a67be9c4f5d12a0beeacff4142bb47c9cd0ee7 Mon Sep 17 00:00:00 2001 +From: tzing_t +Date: Mon, 30 Oct 2023 11:00:44 +0000 +Subject: [PATCH] add file edk2-aarch64.json + +--- + edk2-aarch64.json | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + create mode 100644 edk2-aarch64.json + +diff --git a/edk2-aarch64.json b/edk2-aarch64.json +new file mode 100644 +index 0000000..5bbfa6a +--- /dev/null ++++ b/edk2-aarch64.json +@@ -0,0 +1,31 @@ ++{ ++ "description": "UEFI firmware for ARM64 virtual machines", ++ "interface-types": [ ++ "uefi" ++ ], ++ "mapping": { ++ "device": "flash", ++ "executable": { ++ "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw", ++ "format": "raw" ++ }, ++ "nvram-template": { ++ "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw", ++ "format": "raw" ++ } ++ }, ++ "targets": [ ++ { ++ "architecture": "aarch64", ++ "machines": [ ++ "virt-*" ++ ] ++ } ++ ], ++ "features": [ ++ ++ ], ++ "tags": [ ++ ++ ] ++} +-- +2.33.0 + diff --git a/edk2.spec b/edk2.spec new file mode 100644 index 0000000..2a40409 --- /dev/null +++ b/edk2.spec @@ -0,0 +1,378 @@ +%global stable_date 202011 +%global release_tag edk2-stable%{stable_date} +%global openssl_version 1.1.1f +%global _python_bytecompile_extra 0 + +Name: edk2 +Version: %{stable_date} +Release: 14 +Summary: EFI Development Kit II +License: BSD-2-Clause-Patent +URL: https://github.com/tianocore/edk2 +Source0: https://github.com/tianocore/edk2/archive/%{release_tag}.tar.gz +Source1: openssl-%{openssl_version}.tar.gz +Source2: brotli.tar.gz + +# for CVE-2021-38575 +Patch0001: 0001-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch +Patch0002: 0002-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch +Patch0003: 0003-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch +Patch0004: 0004-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch +Patch0005: 0005-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch +Patch0006: 0006-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch +Patch0007: 0007-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch +Patch0008: 0008-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch +Patch0009: 0009-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch +Patch0010: 0010-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch + +# for CVE-2021-28216 +Patch0011: 0011-MdeModulePkg-FPDT-Lock-boot-performance-table-addres.patch + +# for CVE-2021-38576 +Patch0012: 0012-SecurityPkg-TPM-Import-PeiDxeTpmPlatformHierarchyLib.patch +Patch0013: 0013-SecurityPkg-TPM-Fix-bugs-in-imported-PeiDxeTpmPlatfo.patch +Patch0014: 0014-SecrutiyPkg-Tcg-Import-Tcg2PlatformDxe-from-edk2-pla.patch +Patch0015: 0015-SecurityPkg-Tcg-Make-Tcg2PlatformDxe-buildable-and-f.patch +Patch0016: 0016-SecurityPkg-Introduce-new-PCD-PcdRandomizePlatformHi.patch +Patch0017: 0017-SecurityPkg-Tcg-Import-Tcg2PlatformPei-from-edk2-pla.patch +Patch0018: 0018-SecurityPkg-Tcg-Make-Tcg2PlatformPei-buildable-and-f.patch +Patch0019: 0019-SecurityPkg-Add-references-to-header-and-inf-files-t.patch + +Patch0020: 0020-OvmfPkg-VirtioNetDxe-Extend-the-RxBufferSize-to-avoi.patch + +Patch0021: 0021-UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch + +Patch0022: 0022-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch +Patch0023: 0023-PATCH-Avoid-dangling-ptrs-in-header-and-data-params-.patch +Patch0024: 0024-PATCH-pk7_doit.c-Check-return-of-BIO_set_md-calls.patch +Patch0025: 0025-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch +Patch0026: 0026-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch +Patch0027: 0027-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch +Patch0028: 0028-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch + +# for CVE-2022-4304 +Patch0029: 0029-Fix-Timing-Oracle-in-RSA-decryption.patch + +# solving the compilation failure problem of gcc 12.3.0 +Patch0030: 0030-brotli-Fix-VLA-parameter-warning-893.patch +Patch0031: 0031-MdeModulePkg-UsbBusDxe-fix-NOOPT-build-error.patch +Patch0032: 0032-BaseTools-GenEfs-GenSec-fix-gcc12-warning.patch +Patch0033: 0033-BaseTools-LzmaCompress-fix-gcc12-warning.patch +Patch0034: 0034-Basetools-turn-off-gcc12-warning.patch + +Patch0035: 0035-add-file-edk2-aarch64-json.patch + +BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command + +%description +EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. + +%package devel +Summary: EFI Development Kit II Tools +%description devel +This package provides tools that are needed to build EFI executables and ROMs using the GNU tools. + +%package -n python3-%{name}-devel +Summary: EFI Development Kit II Tools +Requires: python3 +BuildArch: noarch +%description -n python3-%{name}-devel +This package provides tools that are needed to build EFI executables and ROMs using the GNU tools. + +%package help +Summary: Documentation for EFI Development Kit II Tools +BuildArch: noarch +%description help +This package documents the tools that are needed to build EFI executables and ROMs using the GNU tools. + +%ifarch aarch64 +%package aarch64 +Summary: AARCH64 Virtual Machine Firmware +BuildArch: noarch +%description aarch64 +EFI Development Kit II AARCH64 UEFI Firmware +%endif + +%ifarch x86_64 +%package ovmf +Summary: Open Virtual Machine Firmware +BuildArch: noarch +%description ovmf +EFI Development Kit II Open Virtual Machine Firmware (x64) +%endif + +%ifarch %{ix86} +%package ovmf-ia32 +Summary: Open Virtual Machine Firmware +BuildArch: noarch +%description ovmf-ia32 +EFI Development Kit II Open Virtual Machine Firmware (ia32) +%endif + +%prep +%setup -n edk2-%{release_tag} +tar -xf %{SOURCE1} -C CryptoPkg/Library/OpensslLib/openssl --strip-components=1 +tar -xf %{SOURCE2} -C MdeModulePkg/Library/BrotliCustomDecompressLib/brotli --strip-components=1 +tar -xf %{SOURCE2} -C BaseTools/Source/C/BrotliCompress/brotli --strip-components=1 +%autopatch -p1 + +%build +NCPUS=`/usr/bin/getconf _NPROCESSORS_ONLN` +BUILD_OPTION="-t GCC5 -n $NCPUS -b RELEASE" + +make -C BaseTools %{?_smp_mflags} EXTRA_OPTFLAGS="%{optflags}" EXTRA_LDFLAGS="%{__global_ldflags}" +. ./edksetup.sh + +COMMON_FLAGS="-D NETWORK_IP6_ENABLE" +%ifarch aarch64 + BUILD_OPTION="$BUILD_OPTION -a AARCH64 -p ArmVirtPkg/ArmVirtQemu.dsc --cmd-len=65536 $COMMON_FLAGS" +%endif + +%ifarch x86_64 + BUILD_OPTION="$BUILD_OPTION -a X64 -p OvmfPkg/OvmfPkgX64.dsc $COMMON_FLAGS" +%endif + +%ifarch %{ix86} + BUILD_OPTION="$BUILD_OPTION -a IA32 -p OvmfPkg/OvmfPkgIa32.dsc" +%endif +BUILD_OPTION="$BUILD_OPTION -D SECURE_BOOT_ENABLE=TRUE" +BUILD_OPTION="$BUILD_OPTION -D TPM2_ENABLE=TRUE" +BUILD_OPTION="$BUILD_OPTION -D TPM2_CONFIG_ENABLE=TRUE" +BUILD_OPTION="$BUILD_OPTION -D TPM_ENABLE=TRUE" +BUILD_OPTION="$BUILD_OPTION -D TPM_CONFIG_ENABLE=TRUE" +build $BUILD_OPTION + +%install +cp CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl +mkdir -p %{buildroot}%{_bindir} \ + %{buildroot}%{_datadir}/%{name}/Conf \ + %{buildroot}%{_datadir}/%{name}/Scripts +install BaseTools/Source/C/bin/* %{buildroot}%{_bindir} +install BaseTools/BuildEnv %{buildroot}%{_datadir}/%{name} +install BaseTools/Conf/*.template %{buildroot}%{_datadir}/%{name}/Conf +install BaseTools/Scripts/GccBase.lds %{buildroot}%{_datadir}/%{name}/Scripts + +%ifarch aarch64 +mkdir -p %{buildroot}%{_datadir}/qemu/firmware +install -m 0644 edk2-aarch64.json \ + %{buildroot}%{_datadir}/qemu/firmware/edk2-aarch64.json +# endif build_aarch64 +%endif + +cp -R BaseTools/Source/Python %{buildroot}%{_datadir}/%{name}/Python +find %{buildroot}%{_datadir}/%{name}/Python -name '__pycache__'|xargs rm -rf + +for i in build BPDG GenDepex GenFds GenPatchPcdTable PatchPcdValue Pkcs7Sign Rsa2048Sha256Sign TargetTool Trim UPT; do +echo '#!/usr/bin/env bash +export PYTHONPATH=%{_datadir}/%{name}/Python${PYTHONPATH:+:"$PYTHONPATH"} +exec python3 '%{_datadir}/%{name}/Python/$i/$i.py' "$@"' > %{buildroot}%{_bindir}/$i + chmod +x %{buildroot}%{_bindir}/$i +done + +echo '#!/usr/bin/env bash +export PYTHONPATH=%{_datadir}/%{name}/Python${PYTHONPATH:+:"$PYTHONPATH"} +exec python3 '%{_datadir}/%{name}/Python/Ecc/EccMain.py' "$@"' > %{buildroot}%{_bindir}/Ecc +chmod +x %{buildroot}%{_bindir}/Ecc + +echo '#!/usr/bin/env bash +export PYTHONPATH=%{_datadir}/%{name}/Python${PYTHONPATH:+:"$PYTHONPATH"} +exec python3 '%{_datadir}/%{name}/Python/Capsule/GenerateCapsule.py' "$@"' > %{buildroot}%{_bindir}/GenerateCapsule +chmod +x %{buildroot}%{_bindir}/GenerateCapsule + +echo '#!/usr/bin/env bash +export PYTHONPATH=%{_datadir}/%{name}/Python${PYTHONPATH:+:"$PYTHONPATH"} +exec python3 '%{_datadir}/%{name}/Python/Rsa2048Sha256Sign/Rsa2048Sha256GenerateKeys.py' "$@"' > %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys +chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys + +%ifarch aarch64 + mkdir -p %{buildroot}/usr/share/%{name}/aarch64 + cp Build/ArmVirtQemu-AARCH64/RELEASE_*/FV/*.fd %{buildroot}/usr/share/%{name}/aarch64 + dd of="%{buildroot}/usr/share/%{name}/aarch64/QEMU_EFI-pflash.raw" if="/dev/zero" bs=1M count=64 + dd of="%{buildroot}/usr/share/%{name}/aarch64/QEMU_EFI-pflash.raw" if="%{buildroot}/usr/share/%{name}/aarch64/QEMU_EFI.fd" conv=notrunc + dd of="%{buildroot}/usr/share/%{name}/aarch64/vars-template-pflash.raw" if="/dev/zero" bs=1M count=64 +%endif + +%ifarch x86_64 + mkdir -p %{buildroot}/usr/share/%{name}/ovmf + cp Build/OvmfX64/*/FV/OVMF*.fd %{buildroot}/usr/share/%{name}/ovmf +%endif + +%ifarch %{ix86} + mkdir -p %{buildroot}/usr/share/%{name}/ovmf-ia32 + cp Build/OvmfIa32/*/FV/OVMF_CODE.fd %{buildroot}/usr/share/%{name}/ovmf-ia32 +%endif + +%files devel +%license License.txt +%license LICENSE.openssl +%{_bindir}/BrotliCompress +%{_bindir}/DevicePath +%{_bindir}/EfiRom +%{_bindir}/GenCrc32 +%{_bindir}/GenFfs +%{_bindir}/GenFv +%{_bindir}/GenFw +%{_bindir}/GenSec +%{_bindir}/LzmaCompress +%{_bindir}/Split +%{_bindir}/TianoCompress +%{_bindir}/VfrCompile +%{_bindir}/VolInfo +%{_datadir}/%{name}/BuildEnv +%{_datadir}/%{name}/Conf +%{_datadir}/%{name}/Scripts + +%files -n python3-%{name}-devel +%{_bindir}/BPDG +%{_bindir}/Ecc +%{_bindir}/GenDepex +%{_bindir}/GenFds +%{_bindir}/GenPatchPcdTable +%{_bindir}/GenerateCapsule +%{_bindir}/Pkcs7Sign +%{_bindir}/PatchPcdValue +%{_bindir}/Rsa2048Sha256GenerateKeys +%{_bindir}/Rsa2048Sha256Sign +%{_bindir}/TargetTool +%{_bindir}/Trim +%{_bindir}/UPT +%{_bindir}/build +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/Python + +%files help +%doc BaseTools/UserManuals/*.rtf + +%ifarch aarch64 +%files aarch64 +%license OvmfPkg/License.txt +%license LICENSE.openssl +%dir /usr/share/%{name} +%dir /usr/share/%{name}/aarch64 +/usr/share/%{name}/aarch64/QEMU*.fd +/usr/share/%{name}/aarch64/*.raw +%{_datadir}/qemu/firmware/edk2-aarch64.json +%endif + +%ifarch x86_64 +%files ovmf +%license OvmfPkg/License.txt +%license LICENSE.openssl +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/ovmf +%endif + +%ifarch %{ix86} +%license OvmfPkg/License.txt +%license LICENSE.openssl +%files ovfm-ia32 +%dir /usr/share/%{name} +%endif + +%changelog +* Mon Oct 30 2023 zhengting - 202011-14 +- add edk2-aarch64-json + +* Thu Jul 13 2023 Jiabo Feng - 202011-13 +- solving the compilation failure problem of gcc 12.3.0 + +* Fri Mar 10 2023 yexiao - 202011-12 +- fix CVE-2022-4304 + +* Sun Feb 26 2023 chenhuiying - 202011-11 +- fix CVE-2023-0286 + +* Sun Feb 26 2023 chenhuiying - 202011-10 +- fix CVE-2023-0215 + +* Sat Feb 25 2023 shaodenghui - 202011-9 +- fix CVE-2023-0401 + +* Mon Feb 20 2023 shaodenghui - 202011-8 +- fix CVE-2022-4450 + +* Tue Nov 29 2022 chenhuiying - 202011-7 +- fix CVE-2021-38578 + +* Thu Sep 29 2022 chenhuiying - 202011-6 +* fix CVE-2019-11098 + +* Tue Jun 14 2022 miaoyubo - 202011-5 +- Enable TPM for pcr0-7 + +* Wed Apr 27 2022 yezengruan - 202011-4 +- update the format of changelog + +* Thu Feb 17 2022 Jinhua Cao - 202011-3 +- OvmfPkg: VirtioNetDxe: Extend the RxBufferSize to avoid data truncation + +* Tue Feb 15 2022 Jinhua Cao - 202011-2 +- fix CVE-2021-38576 + +* Mon Feb 7 2022 Jinhua Cao - 202011-1 +- update edk2 to stable 202011 + +* Wed Jan 12 2022 Jinhua Cao - 202002-11 +- BaseTools: fix ucs-2 lookup on python3.9 +- BaseTools: Work around array.array.tostring() removal in python3.9 + +* Wed Dec 1 2021 Jinhua Cao - 202002-10 +- fix CVE-2021-28216 + +* Wed Sep 22 2021 imxcc - 202002-9 +- fix cve-2021-38575 + +* Tue Aug 31 2021 miaoyubo - 202002-8 +- MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed + +* Fri Jul 30 2021 Zhenyu Ye - 202002-7 +- ArmPkg/CompilerIntrinsicsLib: provide atomics intrinsics + +* Mon Jun 28 2021 Jiajie Li - 202002-6 +- Fix CVE-2021-28210 + +* Tue Oct 27 2020 AlexChen - 202002-5 +- remove build requires of python2 + +* Mon Sep 28 2020 FangYing - 202002-4 +- update the Source0 to http url + +* Fri Jul 31 2020 jiangfangjie - 202002-3 +- ArmVirtPkg/ArmVirtQemu: enable TPM2 based measured boot +- ArmVirtPkg/ArmVirtQemu: enable the TPM2 configuration module + +* Mon Jul 27 2020 zhangxinhao - 202002-2 +- add build option "-D SECURE_BOOT_ENABLE=TRUE" to enable secure boot + +* Thu May 7 2020 openEuler Buildteam - 202002-1 +- Update edk2 to stable202002 and OpenSSL to 1.1.1f + +* Thu Mar 19 2020 openEuler Buildteam - 201908-9 +- fix an overflow bug in rsaz_512_sqr +- use the correct maximum indent + +* Tue Mar 17 2020 openEuler Buildteam - 201908-8 +- enable multiple threads compiling +- Pass EXTRA_OPTFLAGS and EXTRA_OPTFLAGS options to make command +- enable IPv6 for X86_64 + +* Sun Mar 15 2020 openEuler Buildteam - 201908-7 +- fix missing OVMF.fd in package + +* Sat Feb 22 2020 openEuler Buildteam - 201908-6 +- add build requires of python2 + +* Mon Dec 30 2019 Heyi Guo - 201908-5 +- Upgrade openssl to 1.1.1d + +* Tue Nov 26 2019 openEuler Buildteam - 201908-4 +- add build requires of nasm + +* Tue Nov 26 2019 openEuler Buildteam - 201908-3 +- Correct name of package ovmf + +* Mon Sep 30 2019 zhanghailiang - 201908-2 +- Enable IPv6 suppport and Modify Release number to 2 + +* Wed Sep 18 2019 openEuler Buildteam - 201908-1 +- Package init diff --git a/sources b/sources new file mode 100644 index 0000000..fa3ed6b --- /dev/null +++ b/sources @@ -0,0 +1,3 @@ +8f2f18f20f2a3ae186c90413fbb39ec1 brotli.tar.gz +6f896f055082159f88d7a54ee24763c1 edk2-stable202011.tar.gz +3f486f2f4435ef14b81814dbbc7b48bb openssl-1.1.1f.tar.gz -- cgit v1.2.3