| author | CoprDistGit <infra@openeuler.org> | 2024-08-05 01:56:00 +0000 | 
|---|---|---|
| committer | CoprDistGit <infra@openeuler.org> | 2024-08-05 01:56:00 +0000 | 
| commit | 2464dab3c47fde2134b3d0318bf123ec024f7d36 (patch) | |
| tree | 5c8e4f5928100c6dd587e063b7b1de59d2236845 | |
| parent | 8480e1261515a3215ba6618ae9eec8fd3d59de3f (diff) | |
automatic import of edk2openeuler24.03_LTS
54 files changed, 8723 insertions, 0 deletions
| @@ -0,0 +1,3 @@ +/DBXUpdate-20230509.x64.bin +/edk2-3e722403cd.tar.xz +/openssl-rhel-8e5beb77088bfec064d60506b1e76ddb0ac417fe.tar.xz diff --git a/0003-Remove-paths-leading-to-submodules.patch b/0003-Remove-paths-leading-to-submodules.patch new file mode 100644 index 0000000..d22a3b7 --- /dev/null +++ b/0003-Remove-paths-leading-to-submodules.patch @@ -0,0 +1,65 @@ +From de9f92d118c1374243d9d3f006088a29ec7dcf8d Mon Sep 17 00:00:00 2001 +From: Miroslav Rezanina <mrezanin@redhat.com> +Date: Thu, 24 Mar 2022 03:23:02 -0400 +Subject: [PATCH] Remove paths leading to submodules + +We removed submodules used upstream. However, edk2 build system requires +such include paths to resolve successfully, regardless of the firmware +platform being built. + +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + BaseTools/Source/C/GNUmakefile | 1 - + MdeModulePkg/MdeModulePkg.dec  | 3 --- + MdePkg/MdePkg.dec              | 5 ----- + 3 files changed, 9 deletions(-) + +diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile +index 5275f657ef..39d7199753 100644 +--- a/BaseTools/Source/C/GNUmakefile ++++ b/BaseTools/Source/C/GNUmakefile +@@ -51,7 +51,6 @@ all: makerootdir subdirs + LIBRARIES = Common
 + VFRAUTOGEN = VfrCompile/VfrLexer.h
 + APPLICATIONS = \
 +-  BrotliCompress \
 +   VfrCompile \
 +   EfiRom \
 +   GenFfs \
 +diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec +index f7339f0aec..badb93238f 100644 +--- a/MdeModulePkg/MdeModulePkg.dec ++++ b/MdeModulePkg/MdeModulePkg.dec +@@ -26,9 +26,6 @@ +   Include
 +   Test/Mock/Include
 + 
 +-[Includes.Common.Private]
 +-  Library/BrotliCustomDecompressLib/brotli/c/include
 +-
 + [LibraryClasses]
 +   ##  @libraryclass  Defines a set of methods to reset whole system.
 +   ResetSystemLib|Include/Library/ResetSystemLib.h
 +diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec +index bf94549cbf..605b0f1be8 100644 +--- a/MdePkg/MdePkg.dec ++++ b/MdePkg/MdePkg.dec +@@ -29,7 +29,6 @@ +   Include
 +   Test/UnitTest/Include
 +   Test/Mock/Include
 +-  Library/MipiSysTLib/mipisyst/library/include
 + 
 + [Includes.IA32]
 +   Include/Ia32
 +@@ -295,10 +294,6 @@ +   #
 +   FdtLib|Include/Library/FdtLib.h
 + 
 +-  ##  @libraryclass  Provides general mipi sys-T services.
 +-  #
 +-  MipiSysTLib|Include/Library/MipiSysTLib.h
 +-
 +   ##  @libraryclass  Provides API to output Trace Hub debug message.
 +   #
 +   TraceHubDebugSysTLib|Include/Library/TraceHubDebugSysTLib.h
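Review bot: in the MdePkg.dec hunk of 0003-Remove-paths-leading-to-submodules.patch, the `MipiSysTLib` library class is removed while `TraceHubDebugSysTLib`, whose MdePkg implementation consumes MipiSysTLib, stays declared; either drop that class as well or state in the commit message that no platform DSC in this import resolves it, otherwise the missing `Library/MipiSysTLib/mipisyst/library/include` path surfaces as a build failure only on the first platform that uses it. The same applies to the MdeModulePkg.dec hunk: the private `Library/BrotliCustomDecompressLib/brotli/c/include` path is removed but the library itself is not, so a DSC that still lists BrotliCustomDecompressLib will fail to build. The leading .gitignore hunk (`DBXUpdate-20230509.x64.bin`, the edk2 and openssl-rhel tarballs) shows that vendored sources and a DBX revocation-list binary feed the build, but the portion of the import shown here carries no checksum record for them; a pointer to where those digests are pinned would help anyone auditing the package.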
 diff --git a/0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch b/0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch new file mode 100644 index 0000000..0a57269 --- /dev/null +++ b/0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch 
@@ -0,0 +1,190 @@ +From 5c48211bdce4b30c86e92636e852e9da4ede4c1e Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek <lersek@redhat.com> +Date: Tue, 25 Feb 2014 22:40:01 +0100 +Subject: [PATCH] MdeModulePkg: TerminalDxe: set xterm resolution on mode + change (RH only) + +Notes for rebase to edk2-stable202311: + +- Minor context changes due to new PCDs (for USB Networking) being added. + +Notes for rebase to edk2-stable202205: + +- Minor context changes due to fd306d1dbc MdeModulePkg: Add PcdTdxSharedBitMask + +Notes for rebase to edk2-stable202202: + +- Minor context changes due to 1436aea4d MdeModulePkg: Apply uncrustify changes + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Resolve harmless conflict in "MdeModulePkg/MdeModulePkg.dec", +  originating from new upstream commits +  - 45bc28172fbf ("MdeModulePkg.dec: Change PCDs for status code.", +                  2020-06-18), +  - 0785c619a58a ("MdeModulePkg/Bus/Pci/PciBusDxe: Support PCIe Resizable +                  BAR Capability", 2021-01-04), +  - ef23012e5439 ("MdeModulePkg: Change default value of +                  PcdPcieResizableBarSupport to FALSE", 2021-01-14). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- Resolve trivial conflict in "MdeModulePkg/MdeModulePkg.dec", arising +  from upstream commit 166830d8f7ca ("MdeModulePkg/dec: add +  PcdTcgPfpMeasurementRevision PCD", 2020-01-06). + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- Conflict in "MdeModulePkg/MdeModulePkg.dec" due to upstream commits +  - 1103ba946aee ("MdeModulePkg: Add Capsule On Disk related definition.", +    2019-06-26), +  - 1c7b3eb84631 ("MdeModulePkg/DxeIpl: Introduce PCD +    PcdUse5LevelPageTable", 2019-08-09), +  with easy manual resolution. 
+ +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like +  a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no change + +Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: + +- Refresh downstream-only commit 2909e025db68 against "MdeModulePkg.dec" +  context change from upstream commits e043f7895b83 ("MdeModulePkg: Add +  PCD PcdPteMemoryEncryptionAddressOrMask", 2017-02-27) and 76081dfcc5b2 +  ("MdeModulePkg: Add PROMPT&HELP string of pcd to UNI file", 2017-03-03). + +Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: + +- refresh commit 519b9751573e against various context changes + +The + +  CSI Ps ; Ps ; Ps t + +escape sequence serves for window manipulation. We can use the + +  CSI 8 ; <rows> ; <columns> t + +sequence to adapt eg. the xterm window size to the selected console mode. 
+ +Reference: <http://rtfm.etla.org/xterm/ctlseq.html> +Contributed-under: TianoCore Contribution Agreement 1.0 +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +(cherry picked from commit 2909e025db6878723b49644a8a0cf160d07e6444) +(cherry picked from commit b9c5c901f25e48d68eef6e78a4abca00e153f574) +(cherry picked from commit b7f6115b745de8cbc5214b6ede33c9a8558beb90) +(cherry picked from commit 67415982afdc77922aa37496c981adeb4351acdb) +(cherry picked from commit cfccb98d13e955beb0b93b4a75a973f30c273ffc) +(cherry picked from commit a11602f5e2ef930be5b693ddfd0c789a1bd4c60c) +(cherry picked from commit bc2266f20de5db1636e09a07e4a72c8dbf505f5a) +--- + MdeModulePkg/MdeModulePkg.dec                 |  4 +++ + .../Console/TerminalDxe/TerminalConOut.c      | 30 +++++++++++++++++++ + .../Console/TerminalDxe/TerminalDxe.inf       |  2 ++ + 3 files changed, 36 insertions(+) + +diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec +index badb93238f..3a67acc090 100644 +--- a/MdeModulePkg/MdeModulePkg.dec ++++ b/MdeModulePkg/MdeModulePkg.dec +@@ -2222,6 +2222,10 @@ +   # @Prompt The value is use for Usb Network rate limiting supported.
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdUsbNetworkRateLimitingFactor|100|UINT32|0x10000028
 + 
 ++  ## Controls whether TerminalDxe outputs an XTerm resize sequence on terminal ++  #  mode change. ++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE|BOOLEAN|0x00010080 ++ + [PcdsPatchableInModule]
 +   ## Specify memory size with page number for PEI code when
 +   #  Loading Module at Fixed Address feature is enabled.
 +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c +index 7809869e7d..3be801039b 100644 +--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c +@@ -7,6 +7,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + 
 + **/
 + 
 ++#include <Library/PrintLib.h> ++ + #include "Terminal.h"
 + 
 + //
 +@@ -80,6 +82,16 @@ CHAR16  mSetCursorPositionString[] = { ESC, '[', '0', '0', ';', '0', '0', 'H', 0 + CHAR16  mCursorForwardString[]     = { ESC, '[', '0', '0', 'C', 0 };
 + CHAR16  mCursorBackwardString[]    = { ESC, '[', '0', '0', 'D', 0 };
 + 
 ++// ++// Note that this is an ASCII format string, taking two INT32 arguments: ++// rows, columns. ++// ++// A %d (INT32) format specification can expand to at most 11 characters. ++// ++CHAR8 mResizeTextAreaFormatString[] = "\x1B[8;%d;%dt"; ++#define RESIZE_SEQ_SIZE (sizeof mResizeTextAreaFormatString + 2 * (11 - 2)) ++ ++ + //
 + // Body of the ConOut functions
 + //
 +@@ -498,6 +510,24 @@ TerminalConOutSetMode ( +     return EFI_DEVICE_ERROR;
 +   }
 + 
 ++  if (PcdGetBool (PcdResizeXterm)) { ++    CHAR16 ResizeSequence[RESIZE_SEQ_SIZE]; ++ ++    UnicodeSPrintAsciiFormat ( ++      ResizeSequence, ++      sizeof ResizeSequence, ++      mResizeTextAreaFormatString, ++      (INT32) TerminalDevice->TerminalConsoleModeData[ModeNumber].Rows, ++      (INT32) TerminalDevice->TerminalConsoleModeData[ModeNumber].Columns ++      ); ++    TerminalDevice->OutputEscChar = TRUE; ++    Status                        = This->OutputString (This, ResizeSequence); ++    TerminalDevice->OutputEscChar = FALSE; ++    if (EFI_ERROR (Status)) { ++      return EFI_DEVICE_ERROR; ++    } ++  } ++ +   This->Mode->Mode = (INT32)ModeNumber;
 + 
 +   Status = This->ClearScreen (This);
 +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf +index b2a8aeba85..96810f337c 100644 +--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf +@@ -55,6 +55,7 @@ +   DebugLib
 +   PcdLib
 +   BaseLib
 ++  PrintLib + 
 + [Guids]
 +   ## SOMETIMES_PRODUCES ## Variable:L"ConInDev"
 +@@ -87,6 +88,7 @@ + [Pcd]
 +   gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType           ## SOMETIMES_CONSUMES
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdErrorCodeSetVariable    ## CONSUMES
 ++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm             ## CONSUMES + 
 + # [Event]
 + # # Relative timer event set by UnicodeToEfiKey(), used to be one 2 seconds input timeout.
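Review bot: in the TerminalConOut.c hunk of 0004, the resize sequence is emitted whenever `PcdResizeXterm` is TRUE, with no check of the device's terminal type, so a platform that enables the PCD also sends the `CSI 8 ; rows ; cols t` window-manipulation sequence to VT100 and PC-ANSI consoles, which may render it as stray characters; either gate on an xterm-compatible terminal type as well, or extend the DEC comment so the PCD is documented as xterm-only. The buffer arithmetic checks out: `RESIZE_SEQ_SIZE` replaces each two-character `%d` with the 11-character worst case for an INT32, and `sizeof ResizeSequence` passes the size in bytes as `UnicodeSPrintAsciiFormat` expects for a CHAR16 buffer. Rows and Columns come from the driver's own `TerminalConsoleModeData` table rather than from anything received over the serial line, so no external input reaches the format string.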
 diff --git a/0005-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch b/0005-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch new file mode 100644 index 0000000..16da78e --- /dev/null +++ b/0005-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch 
@@ -0,0 +1,212 @@ +From 0976965c3dd6ac841f59dc09220a6637060ba901 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek <lersek@redhat.com> +Date: Wed, 14 Oct 2015 15:59:06 +0200 +Subject: [PATCH] OvmfPkg: take PcdResizeXterm from the QEMU command line (RH + only) + +Notes about edk2-stable202205 rebase + +- Necessary minor fixes for upstream changes + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been +  introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit +  to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077. + +  We've always patched all those DSC/FDF files in OvmfPkg down-stream that +  made sense at least in theory on QEMU. (For example, we've always +  patched "OvmfPkgIa32.dsc" and "OvmfPkgIa32.fdf", even though we never +  build or ship the pure IA32 firmware platform.) Follow suit with +  "AmdSevX64.dsc". + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- Resolve contextual conflict in the DSC files, from upstream commit +  b0ed7ebdebd1 ("OvmfPkg: set fixed FlashNvStorage base addresses with -D +  SMM_REQUIRE", 2020-03-12). 
+ +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like +  a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no change + +Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: + +- refresh downstream-only commit 8abc2a6ddad2 against context differences +  in the DSC files from upstream commit 5e167d7e784c +  ("OvmfPkg/PlatformPei: don't allocate reserved mem varstore if +  SMM_REQUIRE", 2017-03-12). + +Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: + +- no changes + +Contributed-under: TianoCore Contribution Agreement 1.0 +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +(cherry picked from commit 6fa0c4d67c0bb8bde2ddd6db41c19eb0c40b2721) +(cherry picked from commit 8abc2a6ddad25af7e88dc0cf57d55dfb75fbf92d) +(cherry picked from commit b311932d3841c017a0f0fec553edcac365cc2038) +(cherry picked from commit 61914fb81cf624c9028d015533b400b2794e52d3) +(cherry picked from commit 2ebf3cc2ae99275d63bb6efd3c22dec76251a853) +(cherry picked from commit f9b73437b9b231773c1a20e0c516168817a930a2) +(cherry picked from commit 2cc462ee963d0be119bc97bfc9c70d292a40516f) +(cherry picked from commit 51e0de961029af84b5bdbfddcc9762b1819d500f) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc        |  1 + + OvmfPkg/CloudHv/CloudHvX64.dsc      |  1 + + OvmfPkg/IntelTdx/IntelTdxX64.dsc    |  1 + + OvmfPkg/Microvm/MicrovmX64.dsc      |  2 +- + OvmfPkg/OvmfPkgIa32.dsc             |  1 + + OvmfPkg/OvmfPkgIa32X64.dsc          |  1 + + OvmfPkg/OvmfPkgX64.dsc              |  1 + + 
OvmfPkg/PlatformPei/Platform.c      | 13 +++++++++++++ + OvmfPkg/PlatformPei/PlatformPei.inf |  1 + + 9 files changed, 21 insertions(+), 1 deletion(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 8eb6f4f24f..627fded641 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -484,6 +484,7 @@ + [PcdsDynamicDefault]
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
 + 
 ++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0
 +diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc +index 4996885301..51a49c09ad 100644 +--- a/OvmfPkg/CloudHv/CloudHvX64.dsc ++++ b/OvmfPkg/CloudHv/CloudHvX64.dsc +@@ -581,6 +581,7 @@ +   #   ($(SMM_REQUIRE) == FALSE)
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
 + 
 ++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE + !if $(SMM_REQUIRE) == FALSE
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
 +diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc +index 0931ce061a..9f49b60ff0 100644 +--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc ++++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc +@@ -477,6 +477,7 @@ +   #   ($(SMM_REQUIRE) == FALSE)
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
 + 
 ++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0
 +diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc +index 69de4dd3f1..fb73f2e089 100644 +--- a/OvmfPkg/Microvm/MicrovmX64.dsc ++++ b/OvmfPkg/Microvm/MicrovmX64.dsc +@@ -590,7 +590,7 @@ +   # only set when
 +   #   ($(SMM_REQUIRE) == FALSE)
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
 +-
 ++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0
 +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 2ca005d768..dddef5ed0e 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -599,6 +599,7 @@ +   #   ($(SMM_REQUIRE) == FALSE)
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
 + 
 ++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
 + !if $(SMM_REQUIRE) == FALSE
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index a39070a626..933abb258f 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -611,6 +611,7 @@ +   #   ($(SMM_REQUIRE) == FALSE)
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
 + 
 ++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
 + !if $(SMM_REQUIRE) == FALSE
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
 +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 1b90aa8f57..04157ab14b 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -629,6 +629,7 @@ +   #   ($(SMM_REQUIRE) == FALSE)
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
 + 
 ++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
 + !if $(SMM_REQUIRE) == FALSE
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
 +diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c +index df35726ff6..6c786bfc1e 100644 +--- a/OvmfPkg/PlatformPei/Platform.c ++++ b/OvmfPkg/PlatformPei/Platform.c +@@ -41,6 +41,18 @@ + 
 + #include "Platform.h"
 + 
 ++#define UPDATE_BOOLEAN_PCD_FROM_FW_CFG(TokenName)                   \ ++          do {                                                      \ ++            BOOLEAN       Setting;                                  \ ++            RETURN_STATUS PcdStatus;                                \ ++                                                                    \ ++            if (!RETURN_ERROR (QemuFwCfgParseBool (                 \ ++                              "opt/ovmf/" #TokenName, &Setting))) { \ ++              PcdStatus = PcdSetBoolS (TokenName, Setting);         \ ++              ASSERT_RETURN_ERROR (PcdStatus);                      \ ++            }                                                       \ ++          } while (0) ++ + EFI_PEI_PPI_DESCRIPTOR  mPpiBootMode[] = {
 +   {
 +     EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
 +@@ -355,6 +367,7 @@ InitializePlatform ( +     MemTypeInfoInitialization (PlatformInfoHob);
 +     MemMapInitialization (PlatformInfoHob);
 +     NoexecDxeInitialization (PlatformInfoHob);
 ++    UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm); +   }
 + 
 +   InstallClearCacheCallback ();
 +diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf +index e036018eab..a2f59e8fc8 100644 +--- a/OvmfPkg/PlatformPei/PlatformPei.inf ++++ b/OvmfPkg/PlatformPei/PlatformPei.inf +@@ -103,6 +103,7 @@ +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
 ++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm +   gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
 +   gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
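Review bot: in the Platform.c hunk of 0005, `UPDATE_BOOLEAN_PCD_FROM_FW_CFG` is open-coded with the `"opt/ovmf/"` key prefix and appears again, with the `"opt/org.tianocore.edk2.aavmf/"` prefix, in the TerminalPcdProducerLib.c added by 0006; hoisting the macro into a shared header with the prefix as a parameter would keep the two copies from drifting. The commit message should also state that the PCD becomes host-controllable through fw_cfg on every platform touched, including AmdSevX64.dsc and IntelTdxX64.dsc where fw_cfg content is supplied by the host, which is acceptable here only because the value toggles nothing beyond a terminal escape sequence. Minor: the MicrovmX64.dsc hunk replaces the blank line after `PcdEmuVariableNvStoreReserved` instead of adding below it, so its layout differs from the other six DSC files in the same patch.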
 diff --git a/0006-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch b/0006-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch new file mode 100644 index 0000000..47be70d --- /dev/null +++ b/0006-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch 
@@ -0,0 +1,201 @@ +From 4c45a397402f58a67b1d4ea1348bb79f3716c7a5 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek <lersek@redhat.com> +Date: Sun, 26 Jul 2015 08:02:50 +0000 +Subject: [PATCH] ArmVirtPkg: take PcdResizeXterm from the QEMU command line + (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- Resolve leading context divergence in "ArmVirtPkg/ArmVirtQemu.dsc", +  arising from upstream commits: + +  - 82662a3b5f56 ("ArmVirtPkg/PlatformPeiLib: discover the TPM base +                  address from the DT", 2020-03-04) + +  - ddd34a818315 ("ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI +                  phase", 2020-03-04) + +  - cdc3fa54184a ("ArmVirtPkg: control PXEv4 / PXEv6 boot support from the +                  QEMU command line", 2020-04-28) + +- Rework the downstream patch quite a bit, paralleling the upstream work +  done for <https://bugzilla.tianocore.org/show_bug.cgi?id=2681> in commit +  range 64ab457d1f21..cdc3fa54184a: + +  - Refresh copyright year in TerminalPcdProducerLib.{inf,c}. Also replace +    open-coded BSDL with "SPDX-License-Identifier: BSD-2-Clause-Patent". + +  - Simplify LIBRARY_CLASS: this lib instance is meant to be consumed only +    via NULL class resolution (basically: as a plugin), so use NULL for +    LIBRARY_CLASS, not "TerminalPcdProducerLib|DXE_DRIVER". + +  - Sort the [Packages] section alphabetically in the INF file. + +  - Replace the open-coded GetNamedFwCfgBoolean() function with a call to +    QemuFwCfgParseBool(), from QemuFwCfgSimpleParserLib. + +  - Add the SOMETIMES_PRODUCES usage comment in the [Pcd] section of the +    INF file. 
+ +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like +  a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no change + +Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase: + +- Refresh downstream-only commit d4564d39dfdb against context changes in +  "ArmVirtPkg/ArmVirtQemu.dsc" from upstream commit 7e5f1b673870 +  ("ArmVirtPkg/PlatformHasAcpiDtDxe: allow guest level ACPI disable +  override", 2017-03-29). + +Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase: + +- Adapt commit 6b97969096a3 to the fact that upstream has deprecated such +  setter functions for dynamic PCDs that don't return a status code (such +  as PcdSetBool()). Employ PcdSetBoolS(), and assert that it succeeds -- +  there's really no circumstance in this case when it could fail. 
+ +Contributed-under: TianoCore Contribution Agreement 1.0 +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +(cherry picked from commit d4564d39dfdbf74e762af43314005a2c026cb262) +(cherry picked from commit c9081ebe3bcd28e5cce4bf58bd8d4fca12f9af7c) +(cherry picked from commit 8e92730c8e1cdb642b3b3e680e643ff774a90c65) +(cherry picked from commit 9448b6b46267d8d807fac0c648e693171bb34806) +(cherry picked from commit 232fcf06f6b3048b7c2ebd6931f23186b3852f04) +(cherry picked from commit 8338545260fbb423f796d5196faaaf8ff6e1ed99) +(cherry picked from commit a5f7a57bf390f1f340ff1d1f1884a73716817ef1) +--- + ArmVirtPkg/ArmVirtQemu.dsc                    |  7 +++- + .../TerminalPcdProducerLib.c                  | 34 +++++++++++++++++++ + .../TerminalPcdProducerLib.inf                | 33 ++++++++++++++++++ + 3 files changed, 73 insertions(+), 1 deletion(-) + create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c + create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index 64aa4e96e5..c37c4ba61e 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -311,6 +311,8 @@ +   gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0
 + !endif
 + 
 ++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE ++ + [PcdsDynamicHii]
 +   gUefiOvmfPkgTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gOvmfVariableGuid|0x0|FALSE|NV,BS
 + 
 +@@ -416,7 +418,10 @@ +   MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
 +   MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf
 +   MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
 +-  MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
 ++  MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf { ++    <LibraryClasses> ++      NULL|ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf ++  } +   MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
 + 
 +   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
 +diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c +new file mode 100644 +index 0000000000..37f71c5e4c +--- /dev/null ++++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c +@@ -0,0 +1,34 @@ ++/** @file ++*  Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg ++* ++*  Copyright (C) 2015-2020, Red Hat, Inc. ++*  Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR> ++* ++*  SPDX-License-Identifier: BSD-2-Clause-Patent ++**/ ++ ++#include <Library/DebugLib.h> ++#include <Library/PcdLib.h> ++#include <Library/QemuFwCfgSimpleParserLib.h> ++ ++#define UPDATE_BOOLEAN_PCD_FROM_FW_CFG(TokenName)                             \ ++          do {                                                                \ ++            BOOLEAN       Setting;                                            \ ++            RETURN_STATUS PcdStatus;                                          \ ++                                                                              \ ++            if (!RETURN_ERROR (QemuFwCfgParseBool (                           \ ++                    "opt/org.tianocore.edk2.aavmf/" #TokenName, &Setting))) { \ ++              PcdStatus = PcdSetBoolS (TokenName, Setting);                   \ ++              ASSERT_RETURN_ERROR (PcdStatus);                                \ ++            }                                                                 \ ++          } while (0) ++ ++RETURN_STATUS ++EFIAPI ++TerminalPcdProducerLibConstructor ( ++  VOID ++  ) ++{ ++  UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm); ++  return RETURN_SUCCESS; ++} +diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf +new file mode 100644 +index 0000000000..c840f6f97a +--- /dev/null ++++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf +@@ 
-0,0 +1,33 @@ ++## @file ++#  Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg ++# ++#  Copyright (C) 2015-2020, Red Hat, Inc. ++#  Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR> ++# ++#  SPDX-License-Identifier: BSD-2-Clause-Patent ++## ++ ++[Defines] ++  INF_VERSION                    = 0x00010005 ++  BASE_NAME                      = TerminalPcdProducerLib ++  FILE_GUID                      = 4a0c5ed7-8c42-4c01-8f4c-7bf258316a96 ++  MODULE_TYPE                    = BASE ++  VERSION_STRING                 = 1.0 ++  LIBRARY_CLASS                  = NULL ++  CONSTRUCTOR                    = TerminalPcdProducerLibConstructor ++ ++[Sources] ++  TerminalPcdProducerLib.c ++ ++[Packages] ++  MdeModulePkg/MdeModulePkg.dec ++  MdePkg/MdePkg.dec ++  OvmfPkg/OvmfPkg.dec ++ ++[LibraryClasses] ++  DebugLib ++  PcdLib ++  QemuFwCfgSimpleParserLib ++ ++[Pcd] ++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm ## SOMETIMES_PRODUCES diff --git a/0007-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch b/0007-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch new file mode 100644 index 0000000..c8fc3b2 --- /dev/null +++ b/0007-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch 
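Review bot: in the ArmVirtQemu.dsc hunk of 0006-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch, `PcdResizeXterm|FALSE` is inserted after the `PcdTpmBaseAddress` block without the enclosing section header in view; because `TerminalPcdProducerLibConstructor` calls `PcdSetBoolS` from a DXE-phase NULL library, the entry must sit in `[PcdsDynamicDefault]` (a fixed-at-build declaration would not build against `PcdSetBoolS`), so confirm that is the section at the hunk's context. The `## SOMETIMES_PRODUCES` usage in the INF is correct, since the set only happens when the fw_cfg key is present, and the rebase notes' claim that `PcdSetBoolS` cannot fail here holds only in DEBUG builds: `ASSERT_RETURN_ERROR` compiles out in RELEASE, where a failed set would pass silently and the DSC default of FALSE would remain in effect, which is the safe outcome.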
@@ -0,0 +1,118 @@ +From 3dbb4913b3e1c0413dd3016681aca3a3d12edd0d Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Tue, 21 Nov 2017 00:57:45 +0100 +Subject: [PATCH] OvmfPkg: enable DEBUG_VERBOSE (RHEL only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been +  introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit +  to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077. + +- Remove obsolete commit message tags related to downstream patch +  management: Message-id, Patchwork-id, O-Subject, Acked-by, From +  (RHBZ#1846481). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- context difference from upstream commit 46bb81200742 ("OvmfPkg: Make +  SOURCE_DEBUG_ENABLE actually need to be set to TRUE", 2019-10-22) +  resolved automatically + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like +  a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Bugzilla: 1488247 + +Set the DEBUG_VERBOSE bit (0x00400000) in the log mask. We want detailed +debug messages, and code in OvmfPkg logs many messages on the +DEBUG_VERBOSE level. 
+ +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +(this patch was previously applied as commit 78d3ed73172b5738e32d2b0bc03f7984b9584117) +(cherry picked from commit 7aeeaabc9871f657e65d2b99d81011b4964a1ce9) +(cherry picked from commit a0617a6be1a80966099ddceb010f89202a79ee76) +(cherry picked from commit 759bd3f591e2db699bdef4c7ea4e97c908e7f027) +(cherry picked from commit 7e6d5dc4078c64be6d55d8fc3317c59a91507a50) +(cherry picked from commit 3cb92f9ba18ac79911bd5258ff4f949cc617ae89) +(cherry picked from commit 5ecc18badaabe774d9d0806b027ab63a30c6a2d7) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +- + OvmfPkg/OvmfPkgIa32.dsc      | 2 +- + OvmfPkg/OvmfPkgIa32X64.dsc   | 2 +- + OvmfPkg/OvmfPkgX64.dsc       | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 627fded641..cef43b34b7 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -429,7 +429,7 @@ +   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
 +   #                             // significantly impact boot performance
 +   # DEBUG_ERROR     0x80000000  // Error
 +-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F + 
 + !if $(SOURCE_DEBUG_ENABLE) == TRUE
 +   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
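Review bot: the new mask is the bare literal 0x8040004F, so a reader has to diff it against 0x8000004F by hand to see that exactly one bit changed. The DSC accepts expressions in PCD values (the ArmVirtPkg hunk later in this commit uses `($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF`), so writing this as `0x8000004F | 0x00400000` would make the intent, set DEBUG_VERBOSE, self-documenting and line up with the bit table in the comment lines directly above. That same comment warns that DEBUG_VERBOSE "may significantly impact boot performance"; the commit message accepts the trade-off but the DSC says nothing, so a short comment at the changed line pointing at the downstream rationale would help whoever next rebases this.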
 +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index dddef5ed0e..270bd612e5 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -535,7 +535,7 @@ +   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
 +   #                             // significantly impact boot performance
 +   # DEBUG_ERROR     0x80000000  // Error
 +-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
 + 
 + !if $(SOURCE_DEBUG_ENABLE) == TRUE
 +   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 933abb258f..269a4b2b21 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -542,7 +542,7 @@ +   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
 +   #                             // significantly impact boot performance
 +   # DEBUG_ERROR     0x80000000  // Error
 +-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
 + 
 + !if $(SOURCE_DEBUG_ENABLE) == TRUE
 +   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
 +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 04157ab14b..9614cc1c56 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -561,7 +561,7 @@ +   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
 +   #                             // significantly impact boot performance
 +   # DEBUG_ERROR     0x80000000  // Error
 +-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
 + 
 + !if $(SOURCE_DEBUG_ENABLE) == TRUE
 +   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
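Review bot: this is the fourth copy of the same one-line change across AmdSevX64, OvmfPkgIa32, OvmfPkgIa32X64 and OvmfPkgX64, and the later patches in this commit (0008, 0011) repeat the four-way duplication for their per-module overrides. The OvmfPkg DSCs already pull shared fragments from OvmfPkg/Include/Dsc/*.dsc.inc (see the `!include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc` context in the EbcDxe patch below); carrying the downstream debug-mask settings in one such include would keep the four platforms from drifting at the next rebase.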
 diff --git a/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch b/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch new file mode 100644 index 0000000..d433969 --- /dev/null +++ b/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch 
@@ -0,0 +1,171 @@ +From ac8f2a85bad100eaf42d3537b6fcb37fa3db5fd9 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Tue, 21 Nov 2017 00:57:46 +0100 +Subject: [PATCH] OvmfPkg: silence DEBUG_VERBOSE (0x00400000) in + QemuVideoDxe/QemuRamfbDxe (RH) + +edk2-stable202402 rebase: + +- context changes due to CSM support removal. + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been +  introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit +  to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077. + +- Remove obsolete commit message tags related to downstream patch +  management: Message-id, Patchwork-id, O-Subject, Acked-by, From +  (RHBZ#1846481). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- Due to upstream commit 4b04d9d73604 ("OvmfPkg: Don't build in +  QemuVideoDxe when we have CSM", 2019-06-26), the contexts of +  "QemuVideoDxe.inf" / "QemuRamfbDxe.inf" have changed in the DSC files. +  Resolve the conflict manually. + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- Upstream commit 1d25ff51af5c ("OvmfPkg: add QemuRamfbDxe", 2018-06-14) +  introduced another GOP driver that consumes FrameBufferBltLib, and +  thereby produces a large number of (mostly useless) debug messages at +  the DEBUG_VERBOSE level. Extend the patch to suppress those messages in +  both QemuVideoDxe and QemuRamfbDxe; update the subject accordingly. +  QemuRamfbDxe itself doesn't log anything at the VERBOSE level (see also +  the original commit message at the bottom of this downstream patch). 
+ +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like +  a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Bugzilla: 1488247 + +In commit 5b2291f9567a ("OvmfPkg: QemuVideoDxe uses +MdeModulePkg/FrameBufferLib"), QemuVideoDxe was rebased to +FrameBufferBltLib. + +The FrameBufferBltLib instance added in commit b1ca386074bd +("MdeModulePkg: Add FrameBufferBltLib library instance") logs many +messages on the VERBOSE level; for example, a normal boot with OVMF can +produce 500+ "VideoFill" messages, dependent on the progress bar, when the +VERBOSE bit is set in PcdDebugPrintErrorLevel. + +QemuVideoDxe itself doesn't log anything at the VERBOSE level, so we lose +none of its messages this way. + +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +(this patch was previously applied as commit 9b0d031dee7e823f6717bab73e422fbc6f0a6c52) +(cherry picked from commit 9122d5f2e8d8d289064d1e1700cb61964d9931f3) +(cherry picked from commit 7eb3be1d4ccafc26c11fe5afb95cc12b250ce6f0) +(cherry picked from commit bd650684712fb840dbcda5d6eaee065bd9e91fa1) +(cherry picked from commit b06b87f8ffd4fed4ef7eacb13689a9b6d111f850) +(cherry picked from commit c8c3f893e7c3710afe45c46839e97954871536e4) +(cherry picked from commit 1355849ad97c1e4a5c430597a377165a5cc118f7) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 10 ++++++++-- + OvmfPkg/OvmfPkgIa32.dsc      | 10 ++++++++-- + OvmfPkg/OvmfPkgIa32X64.dsc   | 10 ++++++++-- + OvmfPkg/OvmfPkgX64.dsc       | 10 ++++++++-- + 4 files changed, 32 insertions(+), 8 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index cef43b34b7..f53380aca2 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ 
-691,8 +691,14 @@ +   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
 +   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
 + 
 +-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 +-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 ++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf { ++    <PcdsFixedAtBuild> ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++  } ++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++    <PcdsFixedAtBuild> ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++  } +   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 + 
 +   #
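Review bot: the per-module override hard-codes 0x8000004F instead of clearing the VERBOSE bit from the platform value, which couples it silently to the 0x8040004F set in the previous patch. If the platform-level PcdDebugPrintErrorLevel is later changed (a quieter mask, or a build-time define as ArmVirtPkg has), QemuVideoDxe and QemuRamfbDxe will keep logging at 0x8000004F and can end up louder than the rest of the firmware rather than quieter. The ArmVirtPkg hunk in this commit already uses the robust form; the same `& 0xFFBFFFFF` applied to the platform value would work here, assuming the OvmfPkg DSCs first move the platform mask into a define.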
 +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 270bd612e5..d942c7354a 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -828,8 +828,14 @@ +   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
 +   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
 + 
 +-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 +-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 ++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
 ++    <PcdsFixedAtBuild>
 ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  }
 ++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
 ++    <PcdsFixedAtBuild>
 ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  }
 +   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 +   OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
 + 
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 269a4b2b21..d915b847cb 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -842,8 +842,14 @@ +   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
 +   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
 + 
 +-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 +-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 ++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
 ++    <PcdsFixedAtBuild>
 ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  }
 ++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
 ++    <PcdsFixedAtBuild>
 ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  }
 +   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 +   OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
 + 
 +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 9614cc1c56..12ee5510bd 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -910,8 +910,14 @@ +   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
 +   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
 + 
 +-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 +-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 ++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
 ++    <PcdsFixedAtBuild>
 ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  }
 ++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
 ++    <PcdsFixedAtBuild>
 ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  }
 +   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 +   OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
 + 
 diff --git a/0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch b/0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch new file mode 100644 index 0000000..4de197b --- /dev/null +++ b/0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch 
@@ -0,0 +1,94 @@ +From 511531fe074c28dd8139f722b25979df1995e492 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek <lersek@redhat.com> +Date: Wed, 27 Jan 2016 03:05:18 +0100 +Subject: [PATCH] ArmVirtPkg: silence DEBUG_VERBOSE (0x00400000) in + QemuRamfbDxe (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- The previous version of this patch (downstream commit 76b4ac28e975) +  caused a regression (RHBZ#1714446), which was fixed up in downstream +  commit 5a216abaa737 ("ArmVirtPkg: silence DEBUG_VERBOSE masking +  ~0x00400000 in QemuRamfbDxe (RH only)", 2019-08-05). + +  Squash the fixup into the original patch. Fuse the commit messages. +  (Acked-by tags are not preserved, lest we confuse ourselves while +  reviewing this rebase.) + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- new patch, due to upstream commit c64688f36a8b ("ArmVirtPkg: add +  QemuRamfbDxe", 2018-06-14) + +QemuRamfbDxe uses FrameBufferLib. The FrameBufferBltLib instance added in +commit b1ca386074bd ("MdeModulePkg: Add FrameBufferBltLib library +instance") logs many messages on the VERBOSE level; for example, a normal +boot with ArmVirtQemu[Kernel] can produce 500+ "VideoFill" messages, +dependent on the progress bar, when the VERBOSE bit is set in +PcdDebugPrintErrorLevel. + +Clear the VERBOSE bit without touching other bits -- those other bits +differ between the "silent" and "verbose" builds, so we can't set them as +constants. + +QemuRamfbDxe itself doesn't log anything at the VERBOSE level, so we lose +none of its messages, with the VERBOSE bit clear. 
+ +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +(cherry picked from commit 76b4ac28e975bd63c25db903a1d42c47b38cc756) +Reported-by: Andrew Jones <drjones@redhat.com> +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com> +(cherry picked from commit 5a216abaa737195327235e37563b18a6bf2a74dc) +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +(cherry picked from commit e5b8152bced2364a1ded0926dbba4d65e23e3f84) +(cherry picked from commit e7f57f154439c1c18ea5030b01f8d7bc492698b2) +--- + ArmVirtPkg/ArmVirtQemu.dsc       | 5 ++++- + ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index c37c4ba61e..00e656d0c9 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -546,7 +546,10 @@ +   #
 +   # Video support
 +   #
 +-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 ++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++    <PcdsFixedAtBuild> ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF ++  } +   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 +   OvmfPkg/PlatformDxe/Platform.inf
 + 
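Review bot: `0xFFBFFFFF` is `~0x00400000` spelled out, and nothing at this line says so; the reader has to recognise that the cleared bit is DEBUG_VERBOSE. A one-line DSC comment above the override (for example `# clear DEBUG_VERBOSE (0x00400000), keep the rest of $(DEBUG_PRINT_ERROR_LEVEL)`) would carry the reasoning from the commit message, including why a fixed value was rejected (the RHBZ#1714446 regression described in the rebase notes), into the file where the next rebase will actually see it. The parentheses around `$(DEBUG_PRINT_ERROR_LEVEL)` are worth keeping: they protect the `&` if the define ever becomes an expression.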
 +diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc +index 2cf96accbd..c7918c8cf3 100644 +--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc ++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc +@@ -450,7 +450,10 @@ +   #
 +   # Video support
 +   #
 +-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 ++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf { ++    <PcdsFixedAtBuild> ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF ++  } +   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 +   OvmfPkg/PlatformDxe/Platform.inf
 + 
 diff --git a/0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch b/0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch new file mode 100644 index 0000000..08fcb0b --- /dev/null +++ b/0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch 
@@ -0,0 +1,92 @@ +From 3bf394bd43a4cf00c2b52b965b47b8194a406166 Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daude <philmd@redhat.com> +Date: Thu, 1 Aug 2019 20:43:48 +0200 +Subject: [PATCH] OvmfPkg: QemuRamfbDxe: Do not report DXE failure on Aarch64 + silent builds (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- no change + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- We have to carry this downstream-only patch -- committed originally as +  aaaedc1e2cfd -- indefinitely. + +- To avoid confusion, remove the tags from the commit message that had +  been added by the downstream maintainer scripts, such as: Message-id, +  Patchwork-id, O-Subject, Acked-by. These remain available on the +  original downstream commit. The Bugzilla line is preserved, as it +  doesn't relate to a specific posting, but to the problem. + +Bugzilla: 1714446 + +To suppress an error message on the silent build when ramfb is +not configured, change QemuRamfbDxe to return EFI_SUCCESS even +when it fails. +Some memory is wasted (driver stays resident without +any good use), but it is mostly harmless, as the memory +is released by the OS after ExitBootServices(). 
+ +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com> +(cherry picked from commit aaaedc1e2cfd55ef003fb1b5a37c73a196b26dc7) +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +(cherry picked from commit aa2b66b18a62d652bdbefae7b5732297294306ca) +(cherry picked from commit deb3451034326b75fd760aba47a5171493ff055e) +--- + OvmfPkg/QemuRamfbDxe/QemuRamfb.c      | 14 ++++++++++++++ + OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf |  1 + + 2 files changed, 15 insertions(+) + +diff --git a/OvmfPkg/QemuRamfbDxe/QemuRamfb.c b/OvmfPkg/QemuRamfbDxe/QemuRamfb.c +index 5a1044f0dc..83c6d26c74 100644 +--- a/OvmfPkg/QemuRamfbDxe/QemuRamfb.c ++++ b/OvmfPkg/QemuRamfbDxe/QemuRamfb.c +@@ -13,6 +13,7 @@ + #include <Library/BaseLib.h>
 + #include <Library/BaseMemoryLib.h>
 + #include <Library/DebugLib.h>
 ++#include <Library/DebugPrintErrorLevelLib.h> + #include <Library/DevicePathLib.h>
 + #include <Library/FrameBufferBltLib.h>
 + #include <Library/MemoryAllocationLib.h>
 +@@ -259,6 +260,19 @@ InitializeQemuRamfb ( + 
 +   Status = QemuFwCfgFindFile ("etc/ramfb", &mRamfbFwCfgItem, &FwCfgSize);
 +   if (EFI_ERROR (Status)) {
 ++#if defined (MDE_CPU_AARCH64) ++    // ++    // RHBZ#1714446 ++    // If no ramfb device was configured, this platform DXE driver should ++    // returns EFI_NOT_FOUND, so the DXE Core can unload it. However, even ++    // using a silent build, an error message is issued to the guest console. ++    // Since this confuse users, return success and stay resident. The wasted ++    // guest RAM still gets freed later after ExitBootServices(). ++    // ++    if (GetDebugPrintErrorLevel () == DEBUG_ERROR) { ++      return EFI_SUCCESS; ++    } ++#endif +     return EFI_NOT_FOUND;
 +   }
 + 
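Review bot: the silent-build check is an exact equality, `GetDebugPrintErrorLevel () == DEBUG_ERROR`, so it only fires when this module's PcdDebugPrintErrorLevel is precisely 0x80000000; a silent build that also keeps DEBUG_WARN or DEBUG_INFO set would still return EFI_NOT_FOUND and still produce the DXE Core message the patch is trying to avoid. The value compared is also the module's own PcdDebugPrintErrorLevel, which the preceding ArmVirtPkg patch overrides per module for QemuRamfbDxe, not the platform's; the comment should say the check is against the module-level value. Two grammar slips in the same comment block: "should returns EFI_NOT_FOUND" and "Since this confuse users".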
 +diff --git a/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf b/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf +index e3890b8c20..f79a4bc987 100644 +--- a/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf ++++ b/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf +@@ -29,6 +29,7 @@ +   BaseLib
 +   BaseMemoryLib
 +   DebugLib
 ++  DebugPrintErrorLevelLib +   DevicePathLib
 +   FrameBufferBltLib
 +   MemoryAllocationLib
 diff --git a/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch b/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch new file mode 100644 index 0000000..d81f03a --- /dev/null +++ b/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch 
@@ -0,0 +1,128 @@ +From b9ac7e96d76caa161d1689c0436551e95728ac0e Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Tue, 21 Nov 2017 00:57:47 +0100 +Subject: [PATCH] OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe + (RH only) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been +  introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit +  to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077. + +- Remove obsolete commit message tags related to downstream patch +  management: Message-id, Patchwork-id, O-Subject, Acked-by, From +  (RHBZ#1846481). + +Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] -> +RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase: + +- no change + +Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] -> +RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase: + +- no change + +Notes about the RHEL-8.0/20180508-ee3198e672e2 -> +RHEL-8.1/20190308-89910a39dcfd rebase: + +- no change + +Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 -> +RHEL-8.0/20180508-ee3198e672e2 rebase: + +- reorder the rebase changelog in the commit message so that it reads like +  a blog: place more recent entries near the top +- no changes to the patch body + +Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase: + +- no changes + +Bugzilla: 1488247 + +NvmExpressDxe logs all BlockIo read & write calls on the EFI_D_VERBOSE +level. 
+ +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +(this patch was previously applied as commit 5f432837b9c60c2929b13dda1a1b488d5c3a6d2f) +(cherry picked from commit 33e00146eb878588ad1395d7b1ae38f401729da4) +(cherry picked from commit bd10cabcfcb1bc9a32b05062f4ee3792e27bc2d8) +(cherry picked from commit 5a27af700f49e00608f232f618dedd7bf5e9b3e6) +(cherry picked from commit 58bba429b9ec7b78109940ef945d0dc93f3cd958) +(cherry picked from commit b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6) +(cherry picked from commit ed89844b47f46cfe911f1bf2bda40e537a908502) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 5 ++++- + OvmfPkg/OvmfPkgIa32.dsc      | 5 ++++- + OvmfPkg/OvmfPkgIa32X64.dsc   | 5 ++++- + OvmfPkg/OvmfPkgX64.dsc       | 5 ++++- + 4 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index f53380aca2..32f47704bc 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -686,7 +686,10 @@ +   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
 +   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
 +   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
 +-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
 ++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf { ++    <PcdsFixedAtBuild> ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F ++  } +   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
 +   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
 +   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index d942c7354a..49540d54d0 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -823,7 +823,10 @@ +   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
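Review bot: the override block carries no comment, so in the DSC itself nothing explains why NvmExpressDxe gets 0x8000004F while the platform-level value two patches earlier became 0x8040004F; the reason (the driver logs every BlockIo read and write at the VERBOSE level) lives only in this commit message. A one-line comment inside the `<PcdsFixedAtBuild>` block, something like `# silence DEBUG_VERBOSE (0x00400000): BlockIo read/write tracing`, would keep the rationale with the setting, and the same comment belongs in the three identical OvmfPkgIa32, OvmfPkgIa32X64 and OvmfPkgX64 hunks that follow.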
 +   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
 +   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
 +-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
 ++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
 ++    <PcdsFixedAtBuild>
 ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  }
 +   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
 +   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
 +   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index d915b847cb..1c4e0514ed 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -837,7 +837,10 @@ +   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
 +   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
 +   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
 +-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
 ++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
 ++    <PcdsFixedAtBuild>
 ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  }
 +   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
 +   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
 +   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 12ee5510bd..e50e63b3f6 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -905,7 +905,10 @@ +   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
 +   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
 +   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
 +-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
 ++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
 ++    <PcdsFixedAtBuild>
 ++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 ++  }
 +   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
 +   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
 +   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
 diff --git a/0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch b/0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch new file mode 100644 index 0000000..8f928ba --- /dev/null +++ b/0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch 
@@ -0,0 +1,80 @@ +From 8c67b1b96e42c39a3562c8790ae5985a240edfce Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek <lersek@redhat.com> +Date: Wed, 24 Jun 2020 11:31:36 +0200 +Subject: [PATCH] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no "-kernel" + in silent aa64 build (RH) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Remove obsolete commit message tags related to downstream patch +  management: Message-id, Patchwork-id, O-Subject, Acked-by, From, +  RH-Acked-by, RH-Author (RHBZ#1846481). + +Bugzilla: 1844682 + +If the "-kernel" QEMU option is not used, then QemuKernelLoaderFsDxe +should return EFI_NOT_FOUND, so that the DXE Core can unload it. However, +the associated error message, logged by the DXE Core to the serial +console, is not desired in the silent edk2-aarch64 build, given that the +absence of "-kernel" is nothing out of the ordinary. Therefore, return +success and stay resident. The wasted guest RAM still gets freed after +ExitBootServices(). + +(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.) + +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +(cherry picked from commit 9adcdf493ebbd11efb74e2905ab5f6c8996e096d) +--- + .../QemuKernelLoaderFsDxe.c                     | 17 +++++++++++++++++ + .../QemuKernelLoaderFsDxe.inf                   |  1 + + 2 files changed, 18 insertions(+) + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +index 3c12085f6c..e192809198 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +@@ -19,6 +19,7 @@ + #include <Library/BaseMemoryLib.h>
 + #include <Library/BlobVerifierLib.h>
 + #include <Library/DebugLib.h>
 ++#include <Library/DebugPrintErrorLevelLib.h> + #include <Library/DevicePathLib.h>
 + #include <Library/MemoryAllocationLib.h>
 + #include <Library/QemuFwCfgLib.h>
 +@@ -1081,6 +1082,22 @@ QemuKernelLoaderFsDxeEntrypoint ( + 
 +   if (KernelBlob->Data == NULL) {
 +     Status = EFI_NOT_FOUND;
 ++#if defined (MDE_CPU_AARCH64) ++    // ++    // RHBZ#1844682 ++    // ++    // If the "-kernel" QEMU option is not being used, this platform DXE driver ++    // should return EFI_NOT_FOUND, so that the DXE Core can unload it. ++    // However, the associated error message, logged by the DXE Core to the ++    // serial console, is not desired in the silent edk2-aarch64 build, given ++    // that the absence of "-kernel" is nothing out of the ordinary. Therefore, ++    // return success and stay resident. The wasted guest RAM still gets freed ++    // after ExitBootServices(). ++    // ++    if (GetDebugPrintErrorLevel () == DEBUG_ERROR) { ++      Status = EFI_SUCCESS; ++    } ++#endif +     goto FreeBlobs;
 +   }
 + 
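Review bot: this is the second copy of the `#if defined (MDE_CPU_AARCH64)` plus `GetDebugPrintErrorLevel () == DEBUG_ERROR` block in this series (QemuRamfbDxe above, Tcg2Dxe below), each with its own multi-line comment. A small shared helper, say an inline `IsSilentAarch64Build ()` in a common header, would give one place to adjust the detection rule if the silent mask ever stops being exactly DEBUG_ERROR. On the logic here: Status becomes EFI_SUCCESS and control follows the existing `goto FreeBlobs` path, so the driver stays resident having published nothing, which is the stated intent; this relies on FreeBlobs returning Status the same way the existing EFI_NOT_FOUND path does, and a word to that effect in the comment would save the next reader checking.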
 +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf +index 7b35adb8e0..23d9f5fca1 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf +@@ -28,6 +28,7 @@ +   BaseLib
 +   BaseMemoryLib
 +   DebugLib
 ++  DebugPrintErrorLevelLib +   DevicePathLib
 +   MemoryAllocationLib
 +   QemuFwCfgLib
 diff --git a/0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch b/0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch new file mode 100644 index 0000000..02d0290 --- /dev/null +++ b/0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch @@ -0,0 +1,79 @@ +From de3d6fb999bd464f08c11b879cb4587295f3c0b1 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek <lersek@redhat.com> +Date: Wed, 24 Jun 2020 11:40:09 +0200 +Subject: [PATCH] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent + aa64 build (RH) + +Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] -> +RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase: + +- Remove obsolete commit message tags related to downstream patch +  management: Message-id, Patchwork-id, O-Subject, Acked-by, From, +  RH-Acked-by, RH-Author (RHBZ#1846481). + +Bugzilla: 1844682 + +If swtpm / vTPM2 is not being used, Tcg2Dxe should return EFI_UNSUPPORTED, +so that the DXE Core can unload it. However, the associated error message, +logged by the DXE Core to the serial console, is not desired in the silent +edk2-aarch64 build, given that the absence of swtpm / vTPM2 is nothing out +of the ordinary. Therefore, return success and stay resident. The wasted +guest RAM still gets freed after ExitBootServices(). + +(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.) + +Signed-off-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +(cherry picked from commit cbce29f7749477e271f9764fed82de94724af5df) +--- + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c   | 17 +++++++++++++++++ + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf |  1 + + 2 files changed, 18 insertions(+) + +diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c +index b55b6c12d2..0be885c391 100644 +--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c ++++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c +@@ -29,6 +29,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + #include <Protocol/ResetNotification.h>
 + 
 + #include <Library/DebugLib.h>
 ++#include <Library/DebugPrintErrorLevelLib.h> + #include <Library/BaseMemoryLib.h>
 + #include <Library/UefiRuntimeServicesTableLib.h>
 + #include <Library/UefiDriverEntryPoint.h>
 +@@ -2743,6 +2744,22 @@ DriverEntry ( +       CompareGuid (PcdGetPtr (PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid))
 +   {
 +     DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"));
 ++#if defined (MDE_CPU_AARCH64) ++    // ++    // RHBZ#1844682 ++    // ++    // If swtpm / vTPM2 is not being used, this driver should return ++    // EFI_UNSUPPORTED, so that the DXE Core can unload it. However, the ++    // associated error message, logged by the DXE Core to the serial console, ++    // is not desired in the silent edk2-aarch64 build, given that the absence ++    // of swtpm / vTPM2 is nothing out of the ordinary. Therefore, return ++    // success and stay resident. The wasted guest RAM still gets freed after ++    // ExitBootServices(). ++    // ++    if (GetDebugPrintErrorLevel () == DEBUG_ERROR) { ++      return EFI_SUCCESS; ++    } ++#endif +     return EFI_UNSUPPORTED;
 +   }
 + 
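Review bot: the early `return EFI_SUCCESS` sits at the same point as the `return EFI_UNSUPPORTED` it shadows, so in the silent build DriverEntry still leaves before any of the work that follows; everything after this point is skipped in both cases, which is what keeps the change benign for a SecurityPkg driver, and the comment should state that rather than only the wasted-memory aspect. Note also that the `DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"))` just above is itself suppressed when the mask is exactly DEBUG_ERROR, so the only observable difference in that build is the absence of the DXE Core's unload message.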
 +diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +index a645474bf3..dbb7a52f33 100644 +--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf ++++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +@@ -55,6 +55,7 @@ +   UefiRuntimeServicesTableLib
 +   BaseMemoryLib
 +   DebugLib
 ++  DebugPrintErrorLevelLib +   Tpm2CommandLib
 +   PrintLib
 +   UefiLib
 diff --git a/0014-OvmfPkg-Remove-EbcDxe-RHEL-only.patch b/0014-OvmfPkg-Remove-EbcDxe-RHEL-only.patch new file mode 100644 index 0000000..24bdc73 --- /dev/null +++ b/0014-OvmfPkg-Remove-EbcDxe-RHEL-only.patch @@ -0,0 +1,126 @@ +From 3208551a4a7934a905ba33dde70bfea37c9a95af Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 1 Jul 2021 20:28:49 +0200 +Subject: [PATCH] OvmfPkg: Remove EbcDxe (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com> +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [2/19] 6777c3dc453e4aecddc20216f783ba2a5acccaa0 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> + +Remove EFI Byte Code interpreter. + +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 1 - + OvmfPkg/AmdSev/AmdSevX64.fdf | 1 - + OvmfPkg/OvmfPkgIa32.dsc      | 1 - + OvmfPkg/OvmfPkgIa32.fdf      | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc   | 1 - + OvmfPkg/OvmfPkgIa32X64.fdf   | 1 - + OvmfPkg/OvmfPkgX64.dsc       | 1 - + OvmfPkg/OvmfPkgX64.fdf       | 1 - + 8 files changed, 8 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 32f47704bc..6b6e108d11 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -611,7 +611,6 @@ + !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
 +   }
 + 
 +-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
 +   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
 +   UefiCpuPkg/CpuDxe/CpuDxe.inf
 +   OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
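Review bot: the commit message says only "Remove EFI Byte Code interpreter", with no reason recorded. Since this drops an interpreter that executes bytecode carried by EFI images, the change is a code-surface reduction as much as a feature removal, and the justification (presumably that no EBC drivers are shipped or expected on these platforms) belongs in the message for the next rebase. The DSC removal here is correctly paired with the FDF removal in the next hunk; a module listed in the FDF but dropped from the DSC fails the build, so both halves have to move together for each of the four platforms.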
 +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index 595945181c..c176043482 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -212,7 +212,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf + 
 + INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
 + INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
 +-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
 + INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
 + INF  UefiCpuPkg/CpuDxe/CpuDxe.inf
 + INF  OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 49540d54d0..d368aa11fe 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -746,7 +746,6 @@ + !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
 +   }
 + 
 +-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
 +   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
 +   UefiCpuPkg/CpuDxe/CpuDxe.inf
 +   OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index 0d4abb50a8..ef933def99 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -216,7 +216,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf + 
 + INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
 + INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
 +-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
 + INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
 + INF  UefiCpuPkg/CpuDxe/CpuDxe.inf
 + INF  OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 1c4e0514ed..cf09bdf785 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -760,7 +760,6 @@ + !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
 +   }
 + 
 +-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
 +   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
 +   UefiCpuPkg/CpuDxe/CpuDxe.inf
 +   OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 23a825a012..0cd98ada5a 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -217,7 +217,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf + 
 + INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
 + INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
 +-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
 + INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
 + INF  UefiCpuPkg/CpuDxe/CpuDxe.inf
 + INF  OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index e50e63b3f6..098d569381 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -805,7 +805,6 @@ + !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
 +   }
 + 
 +-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
 +   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
 + 
 +   UefiCpuPkg/CpuDxe/CpuDxe.inf {
 +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index 4dcd6a033c..b201505214 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -245,7 +245,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf + 
 + INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
 + INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
 +-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
 + INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
 + 
 + INF  UefiCpuPkg/CpuDxe/CpuDxe.inf
 diff --git a/0015-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch b/0015-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch new file mode 100644 index 0000000..c07086a --- /dev/null +++ b/0015-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch @@ -0,0 +1,126 @@ +From 42becc4c97abe443d06bb128a4b7d5e279842715 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 1 Jul 2021 20:28:59 +0200 +Subject: [PATCH] OvmfPkg: Remove VirtioGpu device driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com> +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [4/19] f0a41317291f2e9e3b5bd3125149c3866f23ab08 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> + +QemuVideoDxe binds virtio-vga, so VirtioGpu is not needed. + +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 1 - + OvmfPkg/AmdSev/AmdSevX64.fdf | 1 - + OvmfPkg/OvmfPkgIa32.dsc      | 1 - + OvmfPkg/OvmfPkgIa32.fdf      | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc   | 1 - + OvmfPkg/OvmfPkgIa32X64.fdf   | 1 - + OvmfPkg/OvmfPkgX64.dsc       | 1 - + OvmfPkg/OvmfPkgX64.fdf       | 1 - + 8 files changed, 8 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 6b6e108d11..5461c1290d 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -701,7 +701,6 @@ +     <PcdsFixedAtBuild> +       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F +   } +-  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 + 
 +   #
 +   # ISA Support
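Review bot: the justification in the commit message ("QemuVideoDxe binds virtio-vga, so VirtioGpu is not needed") covers only virtio-vga, yet this hunk drops VirtioGpuDxe from AmdSevX64.dsc unconditionally; state in the message that any device configuration which only VirtioGpuDxe would bind is unsupported downstream, so the absence of firmware graphics in that configuration is a documented decision rather than a surprise at boot.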
 +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index c176043482..10538a0465 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -300,7 +300,6 @@ INF  MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 + 
 + INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 +-INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 + INF  OvmfPkg/PlatformDxe/Platform.inf
 + INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 + INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index d368aa11fe..40e78014c4 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -838,7 +838,6 @@ +     <PcdsFixedAtBuild>
 +       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 +   }
 +-  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 +   OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
 + 
 +   #
 +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index ef933def99..68d59968ec 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -317,7 +317,6 @@ INF  MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + 
 + INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 + INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 +-INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 + INF  OvmfPkg/PlatformDxe/Platform.inf
 + INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 + INF  OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index cf09bdf785..6ade9aa0ef 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -852,7 +852,6 @@ +     <PcdsFixedAtBuild>
 +       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 +   }
 +-  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 +   OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
 + 
 +   #
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 0cd98ada5a..8891d96422 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -323,7 +323,6 @@ INF  MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + 
 + INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 + INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 +-INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 + INF  OvmfPkg/PlatformDxe/Platform.inf
 + INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 + INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 098d569381..8563835ae5 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -920,7 +920,6 @@ +     <PcdsFixedAtBuild>
 +       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
 +   }
 +-  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 +   OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
 + 
 +   #
 +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index b201505214..06ac4423da 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -356,7 +356,6 @@ INF  MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf + 
 + INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
 + INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 +-INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 + INF  OvmfPkg/PlatformDxe/Platform.inf
 + INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
 + INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
 diff --git a/0016-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch b/0016-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch new file mode 100644 index 0000000..9aec177 --- /dev/null +++ b/0016-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch @@ -0,0 +1,100 @@ +From 67e5739ca9ba906914aade6b5ad84c420ad9af29 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 1 Jul 2021 20:29:13 +0200 +Subject: [PATCH] OvmfPkg: Remove VirtioFsDxe filesystem driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com> +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [9/19] b40d8a6b9c38568a74fb922b12bbae9f0e721f95 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> + +Remove the virtio-fs driver. + +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + OvmfPkg/OvmfPkgIa32.dsc    | 1 - + OvmfPkg/OvmfPkgIa32.fdf    | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc | 1 - + OvmfPkg/OvmfPkgIa32X64.fdf | 1 - + OvmfPkg/OvmfPkgX64.dsc     | 1 - + OvmfPkg/OvmfPkgX64.fdf     | 1 - + 6 files changed, 6 deletions(-) + +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 40e78014c4..afd2a3c5c0 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -816,7 +816,6 @@ +   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +   FatPkg/EnhancedFatDxe/Fat.inf
 +   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
 +   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
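Review bot: "Remove the virtio-fs driver." gives no rationale for this OvmfPkgIa32.dsc hunk or its matching .fdf removal; record why (unsupported downstream, and one fewer host-facing filesystem driver in the firmware), since the one-line message is all a future rebase has to go on. The surrounding context (Fat.inf, UdfDxe.inf, ScsiBusDxe.inf) is untouched, so the [Components] list stays well-formed.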
 +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index 68d59968ec..c392b96470 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -290,7 +290,6 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour + 
 + INF  FatPkg/EnhancedFatDxe/Fat.inf
 + INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +-INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
 + 
 + INF MdeModulePkg/Logo/LogoDxe.inf
 + 
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 6ade9aa0ef..f5a4c57c8e 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -830,7 +830,6 @@ +   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +   FatPkg/EnhancedFatDxe/Fat.inf
 +   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
 +   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 8891d96422..6278daeeee 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -291,7 +291,6 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour + 
 + INF  FatPkg/EnhancedFatDxe/Fat.inf
 + INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +-INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
 + 
 + INF MdeModulePkg/Logo/LogoDxe.inf
 + 
 +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 8563835ae5..08b73a64c9 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -898,7 +898,6 @@ +   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +   FatPkg/EnhancedFatDxe/Fat.inf
 +   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
 +   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index 06ac4423da..fc4b6dd3a4 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -322,7 +322,6 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour + 
 + INF  FatPkg/EnhancedFatDxe/Fat.inf
 + INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +-INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
 + 
 + INF MdeModulePkg/Logo/LogoDxe.inf
 + 
 diff --git a/0017-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch b/0017-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch new file mode 100644 index 0000000..7936459 --- /dev/null +++ b/0017-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch @@ -0,0 +1,61 @@ +From 9827ce562f432da36410ef0e9ce6d7971e502b99 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 1 Jul 2021 20:29:16 +0200 +Subject: [PATCH] ArmVirtPkg: Remove VirtioFsDxe filesystem driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com> +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [10/19] 808ad4385c24fbf34fb0ba359808e6d364e1d030 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> + +Remove the virtio-fs driver. + +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + ArmVirtPkg/ArmVirtQemu.dsc           | 1 - + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 - + ArmVirtPkg/ArmVirtQemuKernel.dsc     | 1 - + 3 files changed, 3 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index 00e656d0c9..d1deccaadc 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -464,7 +464,6 @@ +   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +   FatPkg/EnhancedFatDxe/Fat.inf
 +   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
 + 
 +   #
 +   # Bds
 +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index 38906004d7..7205274bed 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -85,7 +85,6 @@ READ_LOCK_STATUS   = TRUE +   INF FatPkg/EnhancedFatDxe/Fat.inf
 +   INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +   INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +-  INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
 + 
 +   #
 +   # Status Code Routing
 +diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc +index c7918c8cf3..9643fd5427 100644 +--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc ++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc +@@ -368,7 +368,6 @@ +   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +   FatPkg/EnhancedFatDxe/Fat.inf
 +   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
 + 
 +   #
 +   # Bds
 diff --git a/0018-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch b/0018-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch new file mode 100644 index 0000000..33be900 --- /dev/null +++ b/0018-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch @@ -0,0 +1,126 @@ +From 98e35df340a8a5cd18cb386361c7da6350c54800 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 1 Jul 2021 20:29:19 +0200 +Subject: [PATCH] OvmfPkg: Remove UdfDxe filesystem driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com> +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [11/19] 21614de37221fca27d4eec0f03c5c8bce5911af3 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> + +Remove the UDF driver. + +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + OvmfPkg/AmdSev/AmdSevX64.dsc | 1 - + OvmfPkg/AmdSev/AmdSevX64.fdf | 1 - + OvmfPkg/OvmfPkgIa32.dsc      | 1 - + OvmfPkg/OvmfPkgIa32.fdf      | 1 - + OvmfPkg/OvmfPkgIa32X64.dsc   | 1 - + OvmfPkg/OvmfPkgIa32X64.fdf   | 1 - + OvmfPkg/OvmfPkgX64.dsc       | 1 - + OvmfPkg/OvmfPkgX64.fdf       | 1 - + 8 files changed, 8 deletions(-) + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index 5461c1290d..cf1ad83e09 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -679,7 +679,6 @@ +   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
 +   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +   FatPkg/EnhancedFatDxe/Fat.inf
 +-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
 +   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
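Review bot: removing UdfDxe.inf here changes which media the firmware can read, and "Remove the UDF driver." should say so: after this hunk the firmware will not mount UDF volumes, while El Torito boot from optical media is unaffected because that path is served by PartitionDxe rather than UdfDxe. Note also the ordering dependency on 0016: that patch's hunks carry UdfDxe.inf as context and this one no longer carries VirtioFsDxe.inf, so 0018 must remain after 0016 in the series.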
 +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index 10538a0465..c56c98dc85 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -280,7 +280,6 @@ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf + INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
 + 
 + INF  FatPkg/EnhancedFatDxe/Fat.inf
 +-INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 + 
 + INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
 + INF  OvmfPkg/AmdSev/Grub/Grub.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index afd2a3c5c0..d8ae542686 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -815,7 +815,6 @@ +   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
 +   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +   FatPkg/EnhancedFatDxe/Fat.inf
 +-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
 +   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index c392b96470..0ffa3be750 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -289,7 +289,6 @@ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf + INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
 + 
 + INF  FatPkg/EnhancedFatDxe/Fat.inf
 +-INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 + 
 + INF MdeModulePkg/Logo/LogoDxe.inf
 + 
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index f5a4c57c8e..52ac2c96fc 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -829,7 +829,6 @@ +   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
 +   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +   FatPkg/EnhancedFatDxe/Fat.inf
 +-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
 +   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index 6278daeeee..c4f3ec0735 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -290,7 +290,6 @@ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf + INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
 + 
 + INF  FatPkg/EnhancedFatDxe/Fat.inf
 +-INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 + 
 + INF MdeModulePkg/Logo/LogoDxe.inf
 + 
 +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index 08b73a64c9..f76d0ef7bc 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -897,7 +897,6 @@ +   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
 +   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +   FatPkg/EnhancedFatDxe/Fat.inf
 +-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
 +   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
 +   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index fc4b6dd3a4..bedd85ef7a 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -321,7 +321,6 @@ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf + INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
 + 
 + INF  FatPkg/EnhancedFatDxe/Fat.inf
 +-INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 + 
 + INF MdeModulePkg/Logo/LogoDxe.inf
 + 
 diff --git a/0019-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch b/0019-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch new file mode 100644 index 0000000..a0c6376 --- /dev/null +++ b/0019-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch @@ -0,0 +1,61 @@ +From 9b039f2eb195f37b724f86efc31c8a4d6abd217d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 1 Jul 2021 20:29:22 +0200 +Subject: [PATCH] ArmVirtPkg: Remove UdfDxe filesystem driver (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com> +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [12/19] fcadb6a747b65e4d449d48131c9a2eeed4bd3c9a +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> + +Remove the UDF driver. + +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + ArmVirtPkg/ArmVirtQemu.dsc           | 1 - + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 - + ArmVirtPkg/ArmVirtQemuKernel.dsc     | 1 - + 3 files changed, 3 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc +index d1deccaadc..f91bb09fa3 100644 +--- a/ArmVirtPkg/ArmVirtQemu.dsc ++++ b/ArmVirtPkg/ArmVirtQemu.dsc +@@ -463,7 +463,6 @@ +   MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
 +   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +   FatPkg/EnhancedFatDxe/Fat.inf
 +-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 + 
 +   #
 +   # Bds
 +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index 7205274bed..24a9dac2fd 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -84,7 +84,6 @@ READ_LOCK_STATUS   = TRUE +   INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
 +   INF FatPkg/EnhancedFatDxe/Fat.inf
 +   INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +-  INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 + 
 +   #
 +   # Status Code Routing
 +diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc +index 9643fd5427..c2825aa4c2 100644 +--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc ++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc +@@ -367,7 +367,6 @@ +   MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
 +   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
 +   FatPkg/EnhancedFatDxe/Fat.inf
 +-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
 + 
 +   #
 +   # Bds
 diff --git a/0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch b/0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch new file mode 100644 index 0000000..5c57a7d --- /dev/null +++ b/0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch @@ -0,0 +1,55 @@ +From d417cfeb0ed76b3187b44e2491611f55d6de33b3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 1 Jul 2021 20:29:25 +0200 +Subject: [PATCH] OvmfPkg: Remove TftpDynamicCommand from shell (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +rebase to edk2-stable202405: + +rewrite due to shell build config being moved to an include file + +RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com> +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [13/19] cf9ef346386ac89fa05b29d429d8d1b27cf0e3b0 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> + +Remove the command to download files in the shell via TFTP. + +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + OvmfPkg/Include/Dsc/ShellComponents.dsc.inc | 4 ---- + OvmfPkg/Include/Fdf/ShellDxe.fdf.inc        | 1 - + 2 files changed, 5 deletions(-) + +diff --git a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +index 4075688e41..3663938054 100644 +--- a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc ++++ b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +@@ -6,10 +6,6 @@ + 
 + !if $(TOOL_CHAIN_TAG) != "XCODE5"
 + !if $(NETWORK_ENABLE) == TRUE
 +-  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
 +-    <PcdsFixedAtBuild>
 +-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
 +-  }
 +   ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
 +     <PcdsFixedAtBuild>
 +       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
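Review bot: the deletion leaves the `!if $(NETWORK_ENABLE) == TRUE` guard in place around HttpDynamicCommand.inf, which is correct, but the message ("Remove the command to download files in the shell via TFTP") should add the security motivation: the shell's tftp command fetches files over a protocol with no authentication or integrity protection, so dropping it removes an unauthenticated download path from the firmware shell.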
 +diff --git a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +index 38f69747b0..1637083ff1 100644 +--- a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++++ b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +@@ -6,7 +6,6 @@ + 
 + !if $(TOOL_CHAIN_TAG) != "XCODE5"
 + !if $(NETWORK_ENABLE) == TRUE
 +-INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
 + INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
 + !endif
 + INF  ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
 diff --git a/0021-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch b/0021-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch new file mode 100644 index 0000000..ff09c46 --- /dev/null +++ b/0021-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch @@ -0,0 +1,54 @@ +From b548dd4acf23412e9266be15d65d7f8cfccbf028 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 1 Jul 2021 20:29:28 +0200 +Subject: [PATCH] ArmVirtPkg: Remove TftpDynamicCommand from shell (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com> +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [14/19] 12436014941bd4a7c99a26d779ebdcd75f169403 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> + +Remove the command to download files in the shell via TFTP. + +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + ArmVirtPkg/ArmVirt.dsc.inc           | 7 +++---- + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 - + 2 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc +index 7044790a1e..ee98673e98 100644 +--- a/ArmVirtPkg/ArmVirt.dsc.inc ++++ b/ArmVirtPkg/ArmVirt.dsc.inc +@@ -391,10 +391,9 @@ +   #
 +   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
 + 
 +-  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
 +-    <PcdsFixedAtBuild>
 +-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
 +-  }
 ++  # ++  # UEFI application (Shell Embedded Boot Loader) ++  # +   ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
 +     <PcdsFixedAtBuild>
 +       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
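Review bot: the three added comment lines (`+  #`, `+  # UEFI application (Shell Embedded Boot Loader)`, `+  #`) are an unrelated insertion in a patch whose subject is a removal, and they label HttpDynamicCommand.inf, a dynamic shell command, as the shell application; either drop them so the diffstat reads as pure deletions like the OvmfPkg counterpart in 0020, or place the comment above the shell application entry it actually describes.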
 +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index 24a9dac2fd..1341de0a2f 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -100,7 +100,6 @@ READ_LOCK_STATUS   = TRUE +   INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
 + 
 +   INF ShellPkg/Application/Shell/Shell.inf
 +-  INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
 +   INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
 +   INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
 +   INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
 diff --git a/0022-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch b/0022-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch new file mode 100644 index 0000000..9e5ba58 --- /dev/null +++ b/0022-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch @@ -0,0 +1,63 @@ +From 8a68c775e8ba00da3d725396fd8c78f67fbc8697 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 1 Jul 2021 20:29:31 +0200 +Subject: [PATCH] OvmfPkg: Remove HttpDynamicCommand from shell (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +rebase to edk2-stable202405: + +rewrite due to shell build config being moved to an include file + +Rebase to edk2-stable202311: + +Minor update, context change due to new variable policy shell command. + +RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com> +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [15/19] 1911cf04f27467ef1175b1976864c1111d93d19e +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> + +Remove the command to download files in the shell via HTTP(S). + +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + OvmfPkg/Include/Dsc/ShellComponents.dsc.inc | 6 ------ + OvmfPkg/Include/Fdf/ShellDxe.fdf.inc        | 3 --- + 2 files changed, 9 deletions(-) + +diff --git a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +index 3663938054..a568f1ecc5 100644 +--- a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc ++++ b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +@@ -5,12 +5,6 @@ + !if $(BUILD_SHELL) == TRUE
 + 
 + !if $(TOOL_CHAIN_TAG) != "XCODE5"
 +-!if $(NETWORK_ENABLE) == TRUE
 +-  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
 +-    <PcdsFixedAtBuild>
 +-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
 +-  }
 +-!endif
 +   ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
 +     <PcdsFixedAtBuild>
 +       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
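Review bot: this hunk deletes the `!if $(NETWORK_ENABLE) == TRUE` / `!endif` pair together with the HttpDynamicCommand block, which contradicts the convention stated in 0024's message ("we intentionally preserve the empty !ifdef'ry context to ease future downstream rebases"); keep the empty guard here so that any network-dependent command upstream later adds under it merges without conflict, or drop that sentence from 0024, but apply one rule across the series.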
 +diff --git a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +index 1637083ff1..c0118a46e2 100644 +--- a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++++ b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +@@ -5,9 +5,6 @@ + !if $(BUILD_SHELL) == TRUE && $(SECURE_BOOT_ENABLE) == FALSE
 + 
 + !if $(TOOL_CHAIN_TAG) != "XCODE5"
 +-!if $(NETWORK_ENABLE) == TRUE
 +-INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
 +-!endif
 + INF  ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
 + INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
 + !endif
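Review bot: as in the ShellComponents.dsc.inc hunk above, the `!if $(NETWORK_ENABLE) == TRUE` / `!endif` lines are removed along with the INF, leaving no guard for future network-dependent commands; keep the empty pair for rebase-friendliness, as 0024's message says the series intends. The enclosing `!if $(BUILD_SHELL) == TRUE && $(SECURE_BOOT_ENABLE) == FALSE` context also shows this block is already excluded from Secure Boot builds, so the removal only affects non-Secure-Boot images that carry the shell.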
 diff --git a/0023-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch b/0023-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch new file mode 100644 index 0000000..331cf73 --- /dev/null +++ b/0023-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch @@ -0,0 +1,55 @@ +From 1f15cf34691e2f9604ee6efe142c2d710aad579c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 1 Jul 2021 20:29:34 +0200 +Subject: [PATCH] ArmVirtPkg: Remove HttpDynamicCommand from shell (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Rebase to edk2-stable202311: + +Minor update, context change due to new variable policy shell command. + +RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com> +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [16/19] 07a74f1fdcdbb9a31d25ce9760edcd852e9574c3 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> + +Remove the command to download files in the shell via HTTP(S). + +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + ArmVirtPkg/ArmVirt.dsc.inc           | 4 ---- + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 - + 2 files changed, 5 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc +index ee98673e98..996b4ddfc4 100644 +--- a/ArmVirtPkg/ArmVirt.dsc.inc ++++ b/ArmVirtPkg/ArmVirt.dsc.inc +@@ -394,10 +394,6 @@ +   # +   # UEFI application (Shell Embedded Boot Loader) +   # +-  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
 +-    <PcdsFixedAtBuild>
 +-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
 +-  }
 +   ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
 +     <PcdsFixedAtBuild>
 +       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
 +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index 1341de0a2f..b49bf7ad4e 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -100,7 +100,6 @@ READ_LOCK_STATUS   = TRUE +   INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
 + 
 +   INF ShellPkg/Application/Shell/Shell.inf
 +-  INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
 +   INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
 +   INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
 + 
 diff --git a/0024-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch b/0024-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch new file mode 100644 index 0000000..c457ccc --- /dev/null +++ b/0024-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch @@ -0,0 +1,64 @@ +From cd1746c9920e93bf40994172881bc13cf185991c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 1 Jul 2021 20:29:39 +0200 +Subject: [PATCH] OvmfPkg: Remove LinuxInitrdDynamicShellCommand (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +rebase to edk2-stable202405: + +rewrite due to shell build config being moved to an include file + +Rebase to edk2-stable202311: + +Minor update, context change due to new variable policy shell command. + +RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com> +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [17/19] 491fe1301ea29c7cb56c20272e45614d5fcb6f14 +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> + +Remove the command to register a file in the shell as the +initial ramdisk for a UEFI stubbed kernel, to be booted next. + +Note: as further dynamic shell commands might show up upstream, +we intentionally preserve the empty !ifdef'ry context to ease +future downstream rebases. + +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + OvmfPkg/Include/Dsc/ShellComponents.dsc.inc | 4 ---- + OvmfPkg/Include/Fdf/ShellDxe.fdf.inc        | 1 - + 2 files changed, 5 deletions(-) + +diff --git a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +index a568f1ecc5..f7e0f5e90e 100644 +--- a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc ++++ b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc +@@ -9,10 +9,6 @@ +     <PcdsFixedAtBuild>
 +       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
 +   }
 +-  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
 +-    <PcdsFixedAtBuild>
 +-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
 +-  }
 + !endif
 + 
 +   ShellPkg/Application/Shell/Shell.inf {
 +diff --git a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +index c0118a46e2..dced75e388 100644 +--- a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc ++++ b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc +@@ -6,7 +6,6 @@ + 
 + !if $(TOOL_CHAIN_TAG) != "XCODE5"
 + INF  ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
 +-INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
 + !endif
 + 
 + INF  ShellPkg/Application/Shell/Shell.inf
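Review bot: the commit message's note that "we intentionally preserve the empty !ifdef'ry context" no longer matches this hunk: once `INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf` is removed, the `!if $(TOOL_CHAIN_TAG) != "XCODE5"` block still holds the VariablePolicyDynamicCommand INF, so it is not empty (the same is true of the `!endif` in the ShellComponents.dsc.inc hunk above). Update the note so a future rebase does not go looking for a conditional that was meant to be empty.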
 diff --git a/0025-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch b/0025-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch new file mode 100644 index 0000000..2eb4418 --- /dev/null +++ b/0025-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch @@ -0,0 +1,66 @@ +From ec9c5e512252964f28c493d10b9f484b88c87c13 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 1 Jul 2021 20:29:46 +0200 +Subject: [PATCH] ArmVirtPkg: Remove LinuxInitrdDynamicShellCommand (RHEL only) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Rebase to edk2-stable202311: + +Minor update, context change due to new variable policy shell command. + +RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com> +RH-MergeRequest: 3: Disable features for RHEL9 +RH-Commit: [18/19] 8f4e4007108462533e3d2050b84d8830073a7c0d +RH-Bugzilla: 1967747 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> + +Remove the command to register a file in the shell as the initial +ramdisk for a UEFI stubbed kernel, to be booted next. + +Suggested-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com> +--- + ArmVirtPkg/ArmVirt.dsc.inc           | 10 +++------- + ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc |  1 - + 2 files changed, 3 insertions(+), 8 deletions(-) + +diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc +index 996b4ddfc4..2561e10ff5 100644 +--- a/ArmVirtPkg/ArmVirt.dsc.inc ++++ b/ArmVirtPkg/ArmVirt.dsc.inc +@@ -391,17 +391,13 @@ +   #
 +   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
 + 
 +-  # +-  # UEFI application (Shell Embedded Boot Loader) +-  # ++  #
 ++  # UEFI application (Shell Embedded Boot Loader)
 ++  #
 +   ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
 +     <PcdsFixedAtBuild>
 +       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
 +   }
 +-  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
 +-    <PcdsFixedAtBuild>
 +-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
 +-  }
 +   ShellPkg/Application/Shell/Shell.inf {
 +     <LibraryClasses>
 +       ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.inf
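Review bot: the three comment lines `#` / `# UEFI application (Shell Embedded Boot Loader)` / `#` are removed and re-added with identical text, which accounts for the 3 insertions in the diffstat and looks like a line-ending normalisation only (the re-added lines carry the carriage return the removed ones lack). Mixing that into a patch whose purpose is dropping LinuxInitrdDynamicShellCommand hides the functional change behind churn; split it into its own commit or at least say so in the commit message.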
 +diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +index b49bf7ad4e..753afd799b 100644 +--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc ++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc +@@ -101,7 +101,6 @@ READ_LOCK_STATUS   = TRUE + 
 +   INF ShellPkg/Application/Shell/Shell.inf
 +   INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
 +-  INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
 + 
 +   #
 +   # Bds
 diff --git a/0026-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch b/0026-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch new file mode 100644 index 0000000..97dd035 --- /dev/null +++ b/0026-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch @@ -0,0 +1,49 @@ +From 3d02fb6da82331176952e480160223136679ce74 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 28 Feb 2023 15:47:00 +0100 +Subject: [PATCH] UefiCpuPkg/MpInitLib: fix apic mode for cpu hotplug + +RH-Author: Gerd Hoffmann <kraxel@redhat.com> +RH-MergeRequest: 42: UefiCpuPkg/MpInitLib: fix apic mode for cpu hotplug +RH-Bugzilla: 2124143 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> +RH-Commit: [1/1] 5168501c31541a57aaeb3b3bd7c3602205eb7cdf (kraxel/centos-edk2) + +In case the number of CPUs can in increase beyond 255 +due to CPU hotplug choose x2apic mode. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +patch_name: edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch +present_in_specfile: true +location_in_specfile: 38 +--- + UefiCpuPkg/Library/MpInitLib/MpLib.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c +index d724456502..c478878bb0 100644 +--- a/UefiCpuPkg/Library/MpInitLib/MpLib.c ++++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c +@@ -534,7 +534,9 @@ CollectProcessorCount ( +   //
 +   // Enable x2APIC mode if
 +   //  1. Number of CPU is greater than 255; or
 +-  //  2. There are any logical processors reporting an Initial APIC ID of 255 or greater.
 ++  //  2. The platform exposed the exact *boot* CPU count to us in advance, and
 ++  //     more than 255 logical processors are possible later, with hotplug; or
 ++  //  3. There are any logical processors reporting an Initial APIC ID of 255 or greater.
 +   //
 +   X2Apic = FALSE;
 +   if (CpuMpData->CpuCount > 255) {
 +@@ -542,6 +544,10 @@ CollectProcessorCount ( +     // If there are more than 255 processor found, force to enable X2APIC
 +     //
 +     X2Apic = TRUE;
 ++  } else if ((PcdGet32 (PcdCpuBootLogicalProcessorNumber) > 0) &&
 ++             (PcdGet32 (PcdCpuMaxLogicalProcessorNumber) > 255))
 ++  {
 ++    X2Apic = TRUE;
 +   } else {
 +     CpuInfoInHob = (CPU_INFO_IN_HOB *)(UINTN)CpuMpData->CpuInfoInHob;
 +     for (Index = 0; Index < CpuMpData->CpuCount; Index++) {
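Review bot: the new `else if` branch forces X2Apic = TRUE with no comment, while the neighbouring `CpuCount > 255` branch explains itself; add a line mirroring item 2 of the header comment (the platform gave an exact boot CPU count and PcdCpuMaxLogicalProcessorNumber allows more than 255, so a hotplugged CPU could later carry an APIC ID that does not fit the 8-bit xAPIC ID), so a reader of this function alone sees why two PCDs decide the mode. Since the branch reads PcdCpuBootLogicalProcessorNumber and PcdCpuMaxLogicalProcessorNumber and the patch does not touch the module's .inf, confirm both are already listed in its [Pcd] section.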
 diff --git a/0027-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch b/0027-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch new file mode 100644 index 0000000..8148351 --- /dev/null +++ b/0027-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch @@ -0,0 +1,121 @@ +From c916516d37fb50c187020bd01da21cca85c8e83a Mon Sep 17 00:00:00 2001 +From: Oliver Steffen <osteffen@redhat.com> +Date: Wed, 16 Aug 2023 12:09:40 +0200 +Subject: [PATCH] OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only) + +RH-Author: Oliver Steffen <osteffen@redhat.com> +RH-MergeRequest: 46: OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only) +RH-Bugzilla: 2218196 +RH-Acked-by: Gerd Hoffmann <None> +RH-Commit: [1/1] 9bf3bb989e36253aa34bf82ecfe8faa7312e8d22 (osteffen/edk2) + +Add a callback at the end of the Dxe phase that sets the +"FB_NO_REBOOT" variable under the Shim GUID. +This is a workaround for a boot loop in case a confidential +guest that uses shim is booted with a vtpm device present. + +BZ 2218196 + +Signed-off-by: Oliver Steffen <osteffen@redhat.com> + +patch_name: edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch +present_in_specfile: true +location_in_specfile: 44 +--- + OvmfPkg/AmdSevDxe/AmdSevDxe.c   | 42 +++++++++++++++++++++++++++++++++ + OvmfPkg/AmdSevDxe/AmdSevDxe.inf |  2 ++ + 2 files changed, 44 insertions(+) + +diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c +index d497a343d3..0eb88e50ff 100644 +--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c ++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c +@@ -19,6 +19,7 @@ + #include <Library/MemoryAllocationLib.h>
 + #include <Library/UefiBootServicesTableLib.h>
 + #include <Guid/ConfidentialComputingSevSnpBlob.h>
 ++#include <Guid/GlobalVariable.h>
 + #include <Library/PcdLib.h>
 + #include <Pi/PiDxeCis.h>
 + #include <Protocol/SevMemoryAcceptance.h>
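Review bot: `#include <Guid/GlobalVariable.h>` appears unused by the added code: the variable is written under the patch's own ShimLockGuid, and the EFI_VARIABLE_RUNTIME_ACCESS / EFI_VARIABLE_BOOTSERVICE_ACCESS bits come from the base UEFI headers already pulled in. Drop it, or if a symbol from it is actually needed, list the corresponding GUID in the .inf [Guids] section.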
 +@@ -28,6 +29,10 @@ + // Present, initialized, tested bits defined in MdeModulePkg/Core/Dxe/DxeMain.h
 + #define EFI_MEMORY_INTERNAL_MASK  0x0700000000000000ULL
 + 
 ++static EFI_GUID  ShimLockGuid = {
 ++  0x605dab50, 0xe046, 0x4300, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 }
 ++};
 ++
 + STATIC
 + EFI_STATUS
 + AllocateConfidentialComputingBlob (
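Review bot: the file-scope `static EFI_GUID  ShimLockGuid` does not follow the conventions the surrounding code uses (`STATIC` macro at the very next declaration, `m` prefix for module globals): `STATIC EFI_GUID  mShimLockGuid = { ... };`. A one-line comment saying what namespace this GUID is (the shim GUID the commit message refers to, under which shim reads FB_NO_REBOOT) would also stop it reading as an unexplained constant.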
 +@@ -191,6 +196,32 @@ STATIC EDKII_MEMORY_ACCEPT_PROTOCOL  mMemoryAcceptProtocol = { +   AmdSevMemoryAccept
 + };
 + 
 ++VOID
 ++EFIAPI
 ++PopulateVarstore (
 ++  EFI_EVENT  Event,
 ++  VOID       *Context
 ++  )
 ++{
 ++  EFI_SYSTEM_TABLE  *SystemTable = (EFI_SYSTEM_TABLE *)Context;
 ++  EFI_STATUS        Status;
 ++
 ++  DEBUG ((DEBUG_INFO, "Populating Varstore\n"));
 ++  UINT32  data = 1;
 ++
 ++  Status = SystemTable->RuntimeServices->SetVariable (
 ++                                           L"FB_NO_REBOOT",
 ++                                           &ShimLockGuid,
 ++                                           EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
 ++                                           sizeof (data),
 ++                                           &data
 ++                                           );
 ++  ASSERT_EFI_ERROR (Status);
 ++
 ++  Status = SystemTable->BootServices->CloseEvent (Event);
 ++  ASSERT_EFI_ERROR (Status);
 ++}
 ++
 + EFI_STATUS
 + EFIAPI
 + AmdSevDxeEntryPoint (
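Review bot: in PopulateVarstore the declaration `UINT32  data = 1;` sits after the DEBUG statement and uses a lower-case name; edk2 style wants it at the top of the block next to `Status`, as `UINT32  Data = 1;`. Two behaviours are worth stating in a comment because neither is obvious from the code: the variable is written with BOOTSERVICE_ACCESS | RUNTIME_ACCESS but not NON_VOLATILE, so it is recreated at End of DXE on every boot rather than persisted, and it is set on every SEV-enabled guest whether or not a vTPM is present, which is broader than the trigger the commit message describes. The DEBUG line would also be more useful if it named the variable ("Setting FB_NO_REBOOT") instead of the generic "Populating Varstore".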
 +@@ -203,6 +234,7 @@ AmdSevDxeEntryPoint ( +   UINTN                                     NumEntries;
 +   UINTN                                     Index;
 +   CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION  *SnpBootDxeTable;
 ++  EFI_EVENT                                 PopulateVarstoreEvent;
 + 
 +   //
 +   // Do nothing when SEV is not enabled
 +@@ -361,5 +393,15 @@ AmdSevDxeEntryPoint ( +                   );
 +   }
 + 
 ++  Status = gBS->CreateEventEx (
 ++                  EVT_NOTIFY_SIGNAL,
 ++                  TPL_CALLBACK,
 ++                  PopulateVarstore,
 ++                  SystemTable,
 ++                  &gEfiEndOfDxeEventGroupGuid,
 ++                  &PopulateVarstoreEvent
 ++                  );
 ++  ASSERT_EFI_ERROR (Status);
 ++
 +   return EFI_SUCCESS;
 + }
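Review bot: a failing CreateEventEx is only reported through ASSERT_EFI_ERROR, so in a RELEASE build the workaround silently does not apply and the boot loop from the commit message comes back with nothing in the log; log the Status with DEBUG_ERROR (or return it) when the event cannot be created. Passing SystemTable as the event Context works, but the callback could call gBS->CloseEvent directly, since the module already links UefiBootServicesTableLib (see the include at the top) and uses gBS in this very hunk.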
 +diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf +index e7c7d526c9..09cbd2b0ca 100644 +--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf ++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf +@@ -54,6 +54,8 @@ + [Guids]
 +   gConfidentialComputingSevSnpBlobGuid
 +   gEfiEventBeforeExitBootServicesGuid
 ++  gEfiEndOfDxeEventGroupGuid              ## CONSUMES ## Event
 ++
 + 
 + [Pcd]
 +   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId
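Review bot: a double blank line is left before `[Pcd]`: the hunk adds an empty `+` line after `gEfiEndOfDxeEventGroupGuid              ## CONSUMES ## Event` and the existing blank line follows it. Drop the added one.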
 diff --git a/0028-CryptoPkg-CrtLib-add-stat.h-include-file.patch b/0028-CryptoPkg-CrtLib-add-stat.h-include-file.patch new file mode 100644 index 0000000..8b0a962 --- /dev/null +++ b/0028-CryptoPkg-CrtLib-add-stat.h-include-file.patch @@ -0,0 +1,28 @@ +From 7a07b2f16eabf460891a21c05b30cd9c2f875a2a Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 28 Aug 2023 13:11:02 +0200 +Subject: [PATCH] CryptoPkg/CrtLib: add stat.h include file. + +Needed by rhel downstream openssl patches. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + CryptoPkg/Library/Include/sys/stat.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + create mode 100644 CryptoPkg/Library/Include/sys/stat.h + +diff --git a/CryptoPkg/Library/Include/sys/stat.h b/CryptoPkg/Library/Include/sys/stat.h +new file mode 100644 +index 0000000000..22247bb2db +--- /dev/null ++++ b/CryptoPkg/Library/Include/sys/stat.h +@@ -0,0 +1,9 @@ ++/** @file ++  Include file to support building the third-party cryptographic library. ++ ++Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.<BR> ++SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#include <CrtLibSupport.h> diff --git a/0029-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch b/0029-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch new file mode 100644 index 0000000..b32c5bd --- /dev/null +++ b/0029-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch 
@@ -0,0 +1,139 @@ +From 168cfe83b250d3166817549c1e96e6b1f02bcab4 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 28 Aug 2023 13:27:09 +0200 +Subject: [PATCH] CryptoPkg/CrtLib: add access/open/read/write/close syscalls + +Needed by rhel downstream openssl patches, they use unix syscalls +for file access (instead of fopen + friends like the rest of the +code base).  No actual file access is needed for edk2, so just +add stubs to make linking work. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + .../Library/BaseCryptLib/SysCall/CrtWrapper.c | 46 +++++++++++++++++++ + CryptoPkg/Library/Include/CrtLibSupport.h     | 41 +++++++++++++++++ + 2 files changed, 87 insertions(+) + +diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c +index 37cdecc9bd..dfdb635536 100644 +--- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c ++++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c +@@ -550,6 +550,52 @@ fread ( +   return 0;
 + }
 + 
 ++int
 ++access(
 ++  const char*,
 ++  int
 ++  )
 ++{
 ++  return -1;
 ++}
 ++
 ++int
 ++open (
 ++  const char *,
 ++  int
 ++  )
 ++{
 ++  return -1;
 ++}
 ++
 ++ssize_t
 ++read (
 ++  int,
 ++  void*,
 ++  size_t
 ++  )
 ++{
 ++  return -1;
 ++}
 ++
 ++ssize_t
 ++write (
 ++  int,
 ++  const void*,
 ++  size_t
 ++  )
 ++{
 ++  return -1;
 ++}
 ++
 ++int
 ++close (
 ++  int
 ++  )
 ++{
 ++  return -1;
 ++}
 ++
 + uid_t
 + getuid (
 +   void
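Review bot: the five stubs omit parameter names in their definitions (`const char*, int`, `int, void*, size_t`); that is only standard C from C23, and older GCC releases reject it with "parameter name omitted", so name the parameters (for example `const char *Path, int Mode`), which also removes the inconsistent spacing between `access(` and `open (` and between `const char*` and `const char *`. Since all five return -1 without setting errno, put a short comment above the block saying they are link-time stubs that never perform I/O (as the commit message explains), so a silent -1 from `write` is not later mistaken for a real error path.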
 +diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h +index f36fe08f0c..7d98496af8 100644 +--- a/CryptoPkg/Library/Include/CrtLibSupport.h ++++ b/CryptoPkg/Library/Include/CrtLibSupport.h +@@ -78,6 +78,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + //
 + // Definitions for global constants used by CRT library routines
 + //
 ++#define EINTR         4
 + #define EINVAL        22              /* Invalid argument */
 + #define EAFNOSUPPORT  47              /* Address family not supported by protocol family */
 + #define INT_MAX       0x7FFFFFFF      /* Maximum (signed) int value */
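Review bot: `#define EINTR         4` lacks the trailing comment its neighbours carry (`/* Invalid argument */`); add `/* Interrupted system call */`. It is worth noting in that comment that the new syscall stubs never set errno, so retry-on-EINTR loops in the openssl code this supports will never trigger.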
 +@@ -102,6 +103,15 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + #define NS_INADDRSZ   4   /*%< IPv4 T_A */
 + #define NS_IN6ADDRSZ  16  /*%< IPv6 T_AAAA */
 + 
 ++#define O_RDONLY        00000000
 ++#define O_WRONLY        00000001
 ++#define O_RDWR          00000002
 ++
 ++#define R_OK  4
 ++#define W_OK  2
 ++#define X_OK  1
 ++#define F_OK  0
 ++
 + //
 + // Basic types mapping
 + //
 +@@ -324,6 +334,37 @@ fprintf     ( +   ...
 +   );
 + 
 ++int
 ++access(
 ++  const char*,
 ++  int
 ++  );
 ++
 ++int
 ++open (
 ++  const char *,
 ++  int
 ++  );
 ++
 ++ssize_t
 ++read (
 ++  int,
 ++  void*,
 ++  size_t
 ++  );
 ++
 ++ssize_t
 ++write (
 ++  int,
 ++  const void*,
 ++  size_t
 ++  );
 ++
 ++int
 ++close (
 ++  int
 ++  );
 ++
 + time_t
 + time        (
 +   time_t *
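Review bot: the prototypes repeat the definitions' spacing inconsistencies (`access(` versus `open (`, `const char*` versus `const char *`, `void*`), while the rest of this header writes `time_t *`; match the header's `type *` form, and keep the prototypes in step with the definitions in CrtWrapper.c once those get parameter names.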
 diff --git a/0030-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch b/0030-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch new file mode 100644 index 0000000..63facbb --- /dev/null +++ b/0030-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch 
@@ -0,0 +1,194 @@ +From 4c49c1bcb2db128cc4d2ebb29b1ac53fe3ef6b18 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 30 Jan 2024 14:04:38 +0100 +Subject: [PATCH] OvmfPkg/Sec: Setup MTRR early in the boot process. + +RH-Author: Gerd Hoffmann <None> +RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process. +RH-Jira: RHEL-21704 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> +RH-Commit: [1/4] c4061788d34f409944898b48642d610c259161f3 (kraxel.rh/centos-src-edk2) + +Specifically before running lzma uncompress of the main firmware volume. +This is needed to make sure caching is enabled, otherwise the uncompress +can be extremely slow. + +Adapt the ASSERTs and MTRR setup in PlatformInitLib to the changes. + +Background:  Depending on virtual machine configuration kvm may uses EPT +memory types to apply guest MTRR settings.  In case MTRRs are disabled +kvm will use the uncachable memory type for all mappings.  The +vmx_get_mt_mask() function in the linux kernel handles this and can be +found here: + +https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/x86/kvm/vmx/vmx.c?h=v6.7.1#n7580 + +In most VM configurations kvm uses MTRR_TYPE_WRBACK unconditionally.  In +case the VM has a mdev device assigned that is not the case though. + +Before commit e8aa4c6546ad ("UefiCpuPkg/ResetVector: Cache Disable +should not be set by default in CR0") kvm also ended up using +MTRR_TYPE_WRBACK due to KVM_X86_QUIRK_CD_NW_CLEARED.  After that commit +kvm evaluates guest mtrr settings, which why setting up MTRRs early is +important now. + +Reviewed-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-ID: <20240130130441.772484-2-kraxel@redhat.com> + +[ kraxel: Downstream-only for now.  Timely upstream merge is unlikely +          due to chinese holidays and rhel-9.4 deadlines are close. +          QE regression testing passed.  
So go with upstream posted +          series v3 ] + +patch_name: edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch +present_in_specfile: true +location_in_specfile: 49 +--- + OvmfPkg/IntelTdx/Sec/SecMain.c              | 32 +++++++++++++++++++++ + OvmfPkg/Library/PlatformInitLib/MemDetect.c | 10 +++---- + OvmfPkg/Sec/SecMain.c                       | 32 +++++++++++++++++++++ + 3 files changed, 69 insertions(+), 5 deletions(-) + +diff --git a/OvmfPkg/IntelTdx/Sec/SecMain.c b/OvmfPkg/IntelTdx/Sec/SecMain.c +index 4e750755bf..7094d86159 100644 +--- a/OvmfPkg/IntelTdx/Sec/SecMain.c ++++ b/OvmfPkg/IntelTdx/Sec/SecMain.c +@@ -26,6 +26,8 @@ + #include <Library/TdxHelperLib.h>
 + #include <Library/CcProbeLib.h>
 + #include <Library/PeilessStartupLib.h>
 ++#include <Register/Intel/ArchitecturalMsr.h> ++#include <Register/Intel/Cpuid.h> + 
 + #define SEC_IDT_ENTRY_COUNT  34
 + 
 +@@ -47,6 +49,31 @@ IA32_IDT_GATE_DESCRIPTOR  mIdtEntryTemplate = { +   }
 + };
 + 
 ++// ++// Enable MTRR early, set default type to write back. ++// Needed to make sure caching is enabled, ++// without this lzma decompress can be very slow. ++// ++STATIC ++VOID ++SecMtrrSetup ( ++  VOID ++  ) ++{ ++  CPUID_VERSION_INFO_EDX           Edx; ++  MSR_IA32_MTRR_DEF_TYPE_REGISTER  DefType; ++ ++  AsmCpuid (CPUID_VERSION_INFO, NULL, NULL, NULL, &Edx.Uint32); ++  if (!Edx.Bits.MTRR) { ++    return; ++  } ++ ++  DefType.Uint64    = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE); ++  DefType.Bits.Type = 6; /* write back */ ++  DefType.Bits.E    = 1; /* enable */ ++  AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64); ++} ++ + VOID
 + EFIAPI
 + SecCoreStartupWithStack (
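Review bot: `DefType.Bits.Type = 6; /* write back */` is a magic number; MtrrLib.h already defines MTRR_CACHE_WRITE_BACK and the later patches in this series add MSR_IA32_MTRR_CACHE_WRITE_BACK to ArchitecturalMsr.h, so use the named constant from the start rather than fixing it up in a follow-up. Also spell out in the comment that the function deliberately only sets E and the default type and leaves the fixed and variable MTRRs at their reset values, with the full programming still done in PlatformQemuInitializeRam, so nobody expects a complete MTRR setup here.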
 +@@ -203,6 +230,11 @@ SecCoreStartupWithStack ( +   InitializeApicTimer (0, MAX_UINT32, TRUE, 5);
 +   DisableApicTimerInterrupt ();
 + 
 ++  // ++  // Initialize MTRR ++  // ++  SecMtrrSetup (); ++ +   PeilessStartup (&SecCoreData);
 + 
 +   ASSERT (FALSE);
 +diff --git a/OvmfPkg/Library/PlatformInitLib/MemDetect.c b/OvmfPkg/Library/PlatformInitLib/MemDetect.c +index e64c0ee324..b6ba63ef95 100644 +--- a/OvmfPkg/Library/PlatformInitLib/MemDetect.c ++++ b/OvmfPkg/Library/PlatformInitLib/MemDetect.c +@@ -1164,18 +1164,18 @@ PlatformQemuInitializeRam ( +     MtrrGetAllMtrrs (&MtrrSettings);
 + 
 +     //
 +-    // MTRRs disabled, fixed MTRRs disabled, default type is uncached
 ++    // See SecMtrrSetup(), default type should be write back +     //
 +-    ASSERT ((MtrrSettings.MtrrDefType & BIT11) == 0);
 ++    ASSERT ((MtrrSettings.MtrrDefType & BIT11) != 0); +     ASSERT ((MtrrSettings.MtrrDefType & BIT10) == 0);
 +-    ASSERT ((MtrrSettings.MtrrDefType & 0xFF) == 0);
 ++    ASSERT ((MtrrSettings.MtrrDefType & 0xFF) == MTRR_CACHE_WRITE_BACK); + 
 +     //
 +     // flip default type to writeback
 +     //
 +-    SetMem (&MtrrSettings.Fixed, sizeof MtrrSettings.Fixed, 0x06);
 ++    SetMem (&MtrrSettings.Fixed, sizeof MtrrSettings.Fixed, MTRR_CACHE_WRITE_BACK); +     ZeroMem (&MtrrSettings.Variables, sizeof MtrrSettings.Variables);
 +-    MtrrSettings.MtrrDefType |= BIT11 | BIT10 | 6;
 ++    MtrrSettings.MtrrDefType |= BIT10; +     MtrrSetAllMtrrs (&MtrrSettings);
 + 
 +     //
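Review bot: the changed ASSERTs (`(MtrrSettings.MtrrDefType & BIT11) != 0`, low byte == MTRR_CACHE_WRITE_BACK) make the SEC change a precondition of PlatformQemuInitializeRam, but only in DEBUG builds; in RELEASE builds the ASSERTs vanish and `MtrrSettings.MtrrDefType |= BIT10;` no longer enables MTRRs or sets the default type, so any path where SecMtrrSetup did not run (its CPUID check returns early, or a SEC module not covered by this patch) leaves MTRRs disabled with no diagnostic. Keeping `|= BIT11 | BIT10 | MTRR_CACHE_WRITE_BACK` here costs nothing and keeps PEI self-sufficient; at minimum, confirm every SEC that precedes this library was updated (the patch covers OvmfPkg/Sec and OvmfPkg/IntelTdx/Sec).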
 +diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c +index 60dfa61842..725b57e2fa 100644 +--- a/OvmfPkg/Sec/SecMain.c ++++ b/OvmfPkg/Sec/SecMain.c +@@ -29,6 +29,8 @@ + #include <Ppi/MpInitLibDep.h>
 + #include <Library/TdxHelperLib.h>
 + #include <Library/CcProbeLib.h>
 ++#include <Register/Intel/ArchitecturalMsr.h> ++#include <Register/Intel/Cpuid.h> + #include "AmdSev.h"
 + 
 + #define SEC_IDT_ENTRY_COUNT  34
 +@@ -743,6 +745,31 @@ FindAndReportEntryPoints ( +   return;
 + }
 + 
 ++// ++// Enable MTRR early, set default type to write back. ++// Needed to make sure caching is enabled, ++// without this lzma decompress can be very slow. ++// ++STATIC ++VOID ++SecMtrrSetup ( ++  VOID ++  ) ++{ ++  CPUID_VERSION_INFO_EDX           Edx; ++  MSR_IA32_MTRR_DEF_TYPE_REGISTER  DefType; ++ ++  AsmCpuid (CPUID_VERSION_INFO, NULL, NULL, NULL, &Edx.Uint32); ++  if (!Edx.Bits.MTRR) { ++    return; ++  } ++ ++  DefType.Uint64    = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE); ++  DefType.Bits.Type = 6; /* write back */ ++  DefType.Bits.E    = 1; /* enable */ ++  AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64); ++} ++ + VOID
 + EFIAPI
 + SecCoreStartupWithStack (
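Review bot: this SecMtrrSetup is a verbatim copy of the one added to OvmfPkg/IntelTdx/Sec/SecMain.c earlier in the patch, includes included; a shared helper in a library both SEC modules link would keep the two from drifting, and the final patch in this series, which has to replace the `6` in both copies, already shows the cost of the duplication.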
 +@@ -942,6 +969,11 @@ SecCoreStartupWithStack ( +   InitializeApicTimer (0, MAX_UINT32, TRUE, 5);
 +   DisableApicTimerInterrupt ();
 + 
 ++  // ++  // Initialize MTRR ++  // ++  SecMtrrSetup (); ++ +   //
 +   // Initialize Debug Agent to support source level debug in SEC/PEI phases before memory ready.
 +   //
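Review bot: SecMtrrSetup() runs after DisableApicTimerInterrupt() and before the debug agent is initialised; under SEV-ES the RDMSR/WRMSR it performs on IA32_MTRR_DEF_TYPE trap to the #VC handler, so this placement depends on the SEC #VC handling (AmdSev.h is included at the top of this file) being installed before this point, and the IntelTdx SEC call site deserves the same check. A one-line comment next to the call recording that ordering requirement would keep a later reorder from breaking SEV-ES guests.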
 diff --git a/0031-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch b/0031-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch new file mode 100644 index 0000000..1b439a4 --- /dev/null +++ b/0031-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch @@ -0,0 +1,41 @@ +From 3124da27dc460926f40477d247e021ceeabe0be3 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 30 Jan 2024 14:04:39 +0100 +Subject: [PATCH] MdePkg/ArchitecturalMsr.h: add #defines for MTRR cache types + +RH-Author: Gerd Hoffmann <None> +RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process. +RH-Jira: RHEL-21704 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> +RH-Commit: [2/4] a568bc2793d677462a2971aae9566a9bbc64b063 (kraxel.rh/centos-src-edk2) + +Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> +Reviewed-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-ID: <20240130130441.772484-3-kraxel@redhat.com> + +patch_name: edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch +present_in_specfile: true +location_in_specfile: 50 +--- + MdePkg/Include/Register/Intel/ArchitecturalMsr.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h b/MdePkg/Include/Register/Intel/ArchitecturalMsr.h +index 756e7c86ec..08ba949cf7 100644 +--- a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h ++++ b/MdePkg/Include/Register/Intel/ArchitecturalMsr.h +@@ -2103,6 +2103,13 @@ typedef union { + #define MSR_IA32_MTRR_PHYSBASE9  0x00000212
 + /// @}
 + 
 ++#define MSR_IA32_MTRR_CACHE_UNCACHEABLE      0 ++#define MSR_IA32_MTRR_CACHE_WRITE_COMBINING  1 ++#define MSR_IA32_MTRR_CACHE_WRITE_THROUGH    4 ++#define MSR_IA32_MTRR_CACHE_WRITE_PROTECTED  5 ++#define MSR_IA32_MTRR_CACHE_WRITE_BACK       6 ++#define MSR_IA32_MTRR_CACHE_INVALID_TYPE     7 ++ + /**
 +   MSR information returned for MSR indexes #MSR_IA32_MTRR_PHYSBASE0 to
 +   #MSR_IA32_MTRR_PHYSBASE9
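Review bot: the six `MSR_IA32_MTRR_CACHE_*` defines are added without the Doxygen comment the rest of this header uses (the `/// @}` group close sits right above them); a short `///` block stating that these are the memory type encodings written to the Type field of IA32_MTRR_DEF_TYPE and the PHYSBASE registers, with 2 and 3 reserved, keeps the generated documentation complete and explains the gap in the numbering.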
 diff --git a/0032-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch b/0032-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch new file mode 100644 index 0000000..89772d7 --- /dev/null +++ b/0032-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch @@ -0,0 +1,70 @@ +From f015a541308b2d752c399b9ef9597c4585218032 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 30 Jan 2024 14:04:40 +0100 +Subject: [PATCH] UefiCpuPkg/MtrrLib.h: use cache type #defines from + ArchitecturalMsr.h + +RH-Author: Gerd Hoffmann <None> +RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process. +RH-Jira: RHEL-21704 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> +RH-Commit: [3/4] 8b766c97b247a8665662697534455c19423ff23c (kraxel.rh/centos-src-edk2) + +Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> +Reviewed-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-ID: <20240130130441.772484-4-kraxel@redhat.com> + +patch_name: edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch +present_in_specfile: true +location_in_specfile: 51 +--- + UefiCpuPkg/Include/Library/MtrrLib.h | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/UefiCpuPkg/Include/Library/MtrrLib.h b/UefiCpuPkg/Include/Library/MtrrLib.h +index 86cc1aab3b..287d249a99 100644 +--- a/UefiCpuPkg/Include/Library/MtrrLib.h ++++ b/UefiCpuPkg/Include/Library/MtrrLib.h +@@ -9,6 +9,8 @@ + #ifndef  _MTRR_LIB_H_
 + #define  _MTRR_LIB_H_
 + 
 ++#include <Register/Intel/ArchitecturalMsr.h> ++ + //
 + // According to IA32 SDM, MTRRs number and MSR offset are always consistent
 + // for IA32 processor family
 +@@ -82,20 +84,20 @@ typedef struct _MTRR_SETTINGS_ { + // Memory cache types
 + //
 + typedef enum {
 +-  CacheUncacheable    = 0,
 +-  CacheWriteCombining = 1,
 +-  CacheWriteThrough   = 4,
 +-  CacheWriteProtected = 5,
 +-  CacheWriteBack      = 6,
 +-  CacheInvalid        = 7
 ++  CacheUncacheable    = MSR_IA32_MTRR_CACHE_UNCACHEABLE, ++  CacheWriteCombining = MSR_IA32_MTRR_CACHE_WRITE_COMBINING, ++  CacheWriteThrough   = MSR_IA32_MTRR_CACHE_WRITE_THROUGH, ++  CacheWriteProtected = MSR_IA32_MTRR_CACHE_WRITE_PROTECTED, ++  CacheWriteBack      = MSR_IA32_MTRR_CACHE_WRITE_BACK, ++  CacheInvalid        = MSR_IA32_MTRR_CACHE_INVALID_TYPE, + } MTRR_MEMORY_CACHE_TYPE;
 + 
 +-#define  MTRR_CACHE_UNCACHEABLE      0
 +-#define  MTRR_CACHE_WRITE_COMBINING  1
 +-#define  MTRR_CACHE_WRITE_THROUGH    4
 +-#define  MTRR_CACHE_WRITE_PROTECTED  5
 +-#define  MTRR_CACHE_WRITE_BACK       6
 +-#define  MTRR_CACHE_INVALID_TYPE     7
 ++#define  MTRR_CACHE_UNCACHEABLE      MSR_IA32_MTRR_CACHE_UNCACHEABLE ++#define  MTRR_CACHE_WRITE_COMBINING  MSR_IA32_MTRR_CACHE_WRITE_COMBINING ++#define  MTRR_CACHE_WRITE_THROUGH    MSR_IA32_MTRR_CACHE_WRITE_THROUGH ++#define  MTRR_CACHE_WRITE_PROTECTED  MSR_IA32_MTRR_CACHE_WRITE_PROTECTED ++#define  MTRR_CACHE_WRITE_BACK       MSR_IA32_MTRR_CACHE_WRITE_BACK ++#define  MTRR_CACHE_INVALID_TYPE     MSR_IA32_MTRR_CACHE_INVALID_TYPE + 
 + typedef struct {
 +   UINT64                    BaseAddress;
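Review bot: the rewritten enum gains a trailing comma after `CacheInvalid        = MSR_IA32_MTRR_CACHE_INVALID_TYPE,` that the old list did not have; valid C99 but inconsistent with the file's existing style, so drop it. With the `MTRR_CACHE_*` macros now pure aliases of the ArchitecturalMsr.h names, a comment marking them as kept for compatibility would steer new code to one spelling.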
 diff --git a/0033-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch b/0033-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch new file mode 100644 index 0000000..4b65bd4 --- /dev/null +++ b/0033-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch 
@@ -0,0 +1,49 @@ +From dd543686c34fc3c6ddfafc0104066889ad9d1813 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 30 Jan 2024 14:04:41 +0100 +Subject: [PATCH] OvmfPkg/Sec: use cache type #defines from ArchitecturalMsr.h + +RH-Author: Gerd Hoffmann <None> +RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process. +RH-Jira: RHEL-21704 +RH-Acked-by: Laszlo Ersek <lersek@redhat.com> +RH-Commit: [4/4] 55f00e3e153ca945ca458e7abc26780a8d83ac85 (kraxel.rh/centos-src-edk2) + +Reviewed-by: Laszlo Ersek <lersek@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-ID: <20240130130441.772484-5-kraxel@redhat.com> + +patch_name: edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch +present_in_specfile: true +location_in_specfile: 52 +--- + OvmfPkg/IntelTdx/Sec/SecMain.c | 2 +- + OvmfPkg/Sec/SecMain.c          | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/OvmfPkg/IntelTdx/Sec/SecMain.c b/OvmfPkg/IntelTdx/Sec/SecMain.c +index 7094d86159..1a19f26178 100644 +--- a/OvmfPkg/IntelTdx/Sec/SecMain.c ++++ b/OvmfPkg/IntelTdx/Sec/SecMain.c +@@ -69,7 +69,7 @@ SecMtrrSetup ( +   } +  +   DefType.Uint64    = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE); +-  DefType.Bits.Type = 6; /* write back */ ++  DefType.Bits.Type = MSR_IA32_MTRR_CACHE_WRITE_BACK; +   DefType.Bits.E    = 1; /* enable */ +   AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64); + } +diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c +index 725b57e2fa..26963b924d 100644 +--- a/OvmfPkg/Sec/SecMain.c ++++ b/OvmfPkg/Sec/SecMain.c +@@ -765,7 +765,7 @@ SecMtrrSetup ( +   } +  +   DefType.Uint64    = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE); +-  DefType.Bits.Type = 6; /* write back */ ++  DefType.Bits.Type = MSR_IA32_MTRR_CACHE_WRITE_BACK; +   DefType.Bits.E    = 1; /* enable */ +   AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64); + } 
diff --git a/0034-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch b/0034-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch new file mode 100644 index 0000000..557b11d --- /dev/null +++ b/0034-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch 
@@ -0,0 +1,54 @@ +From bbd537bc6560494b0b08886364c38406b1e8107a Mon Sep 17 00:00:00 2001 +From: Sam <Sam_Tsai@wiwynn.com> +Date: Wed, 29 May 2024 07:46:03 +0800 +Subject: [PATCH] NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in + iPXE environment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This bug fix is based on the following commit "NetworkPkg TcpDxe: SECURITY PATCH" +REF: 1904a64 + +Issue Description: +An "Invalid handle" error was detected during runtime when attempting to destroy a child instance of the hashing protocol. The problematic code segment was: + +NetworkPkg\TcpDxe\TcpDriver.c +Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, ​&mHash2ServiceHandle); + +Root Cause Analysis: +The root cause of the error was the passing of an incorrect parameter type, a pointer to an EFI_HANDLE instead of an EFI_HANDLE itself, to the DestroyChild function. This mismatch resulted in the function receiving an invalid handle. + +Implemented Solution: +To resolve this issue, the function call was corrected to pass mHash2ServiceHandle directly: + +NetworkPkg\TcpDxe\TcpDriver.c +Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, mHash2ServiceHandle); + +This modification ensures the correct handle type is used, effectively rectifying the "Invalid handle" error. + +Verification: +Testing has been conducted, confirming the efficacy of the fix. Additionally, the BIOS can boot into the OS in an iPXE environment. 
+ +Cc: Doug Flick [MSFT] <doug.edk2@gmail.com> + +Signed-off-by: Sam Tsai [Wiwynn] <sam_tsai@wiwynn.com> +Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com> +(cherry picked from commit ced13b93afea87a8a1fe6ddbb67240a84cb2e3d3) +--- + NetworkPkg/TcpDxe/TcpDriver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c +index 40bba4080c..c6e7c0df54 100644 +--- a/NetworkPkg/TcpDxe/TcpDriver.c ++++ b/NetworkPkg/TcpDxe/TcpDriver.c +@@ -509,7 +509,7 @@ TcpDestroyService ( +     //
 +     // Destroy the instance of the hashing protocol for this controller.
 +     //
 +-    Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
 ++    Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, mHash2ServiceHandle);
 +     if (EFI_ERROR (Status)) {
 +       return EFI_UNSUPPORTED;
 +     }
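Review bot: the context lines after the fix still map every `DestroyChild` failure to `EFI_UNSUPPORTED` (`if (EFI_ERROR (Status)) { return EFI_UNSUPPORTED; }`), which discards the actual status; now that the call can only fail for real reasons rather than the bogus handle, propagating `Status` or at least emitting it in a `DEBUG` message would make the next failure diagnosable instead of reporting an unrelated error code. Note also why this slipped through: `EFI_HANDLE` is a `VOID *` typedef, so passing `&mHash2ServiceHandle` (an `EFI_HANDLE *`) compiled silently, and nothing in the build guards against the same mistake recurring; the commit message's root-cause section is accurate, and the one-token change is the right fix.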
 diff --git a/0035-OvmfPkg-add-morlock-support.patch b/0035-OvmfPkg-add-morlock-support.patch new file mode 100644 index 0000000..1ad1a30 --- /dev/null +++ b/0035-OvmfPkg-add-morlock-support.patch @@ -0,0 +1,127 @@ +From 3f8eab199430de18c1c6a98d1d0772499b17cc86 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Wed, 8 May 2024 13:14:26 +0200 +Subject: [PATCH] OvmfPkg: add morlock support + +Add dsc + fdf include files to add the MorLock drivers to the build. +Add the include files to OVMF build configurations. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +(cherry picked from commit b45aff0dc9cb87f316eb17a11e5d4438175d9cca) +--- + OvmfPkg/Include/Dsc/MorLock.dsc.inc | 10 ++++++++++ + OvmfPkg/Include/Fdf/MorLock.fdf.inc | 10 ++++++++++ + OvmfPkg/OvmfPkgIa32.dsc             |  1 + + OvmfPkg/OvmfPkgIa32.fdf             |  1 + + OvmfPkg/OvmfPkgIa32X64.dsc          |  1 + + OvmfPkg/OvmfPkgIa32X64.fdf          |  1 + + OvmfPkg/OvmfPkgX64.dsc              |  1 + + OvmfPkg/OvmfPkgX64.fdf              |  1 + + 8 files changed, 26 insertions(+) + create mode 100644 OvmfPkg/Include/Dsc/MorLock.dsc.inc + create mode 100644 OvmfPkg/Include/Fdf/MorLock.fdf.inc + +diff --git a/OvmfPkg/Include/Dsc/MorLock.dsc.inc b/OvmfPkg/Include/Dsc/MorLock.dsc.inc +new file mode 100644 +index 0000000000..a8c5fb24b8 +--- /dev/null ++++ b/OvmfPkg/Include/Dsc/MorLock.dsc.inc +@@ -0,0 +1,10 @@ ++##
 ++# SPDX-License-Identifier: BSD-2-Clause-Patent
 ++#
 ++# MorLock support
 ++##
 ++
 ++  SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf
 ++!if $(SMM_REQUIRE) == TRUE
 ++  SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf
 ++!endif
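Review bot: `TcgMor.inf` is pulled in unconditionally while `TcgMorLockSmm.inf` is gated on `$(SMM_REQUIRE) == TRUE`, so a non-SMM build ends up with MemoryOverwriteRequestControl but without the lock variable protection that the file's name (`MorLock.dsc.inc`) promises; the header comment says only "MorLock support", and a line stating that non-SMM builds deliberately get MOR without MorLock would document that asymmetry for anyone auditing the platform's Secure Boot/TPM configuration.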
 +diff --git a/OvmfPkg/Include/Fdf/MorLock.fdf.inc b/OvmfPkg/Include/Fdf/MorLock.fdf.inc +new file mode 100644 +index 0000000000..20b7d6619a +--- /dev/null ++++ b/OvmfPkg/Include/Fdf/MorLock.fdf.inc +@@ -0,0 +1,10 @@ ++##
 ++# SPDX-License-Identifier: BSD-2-Clause-Patent
 ++#
 ++# MorLock support
 ++##
 ++
 ++INF SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf
 ++!if $(SMM_REQUIRE) == TRUE
 ++INF SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf
 ++!endif
 +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index d8ae542686..65a866ae0c 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -887,6 +887,7 @@ +   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
 + 
 + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
 ++!include OvmfPkg/Include/Dsc/MorLock.dsc.inc
 + 
 + !if $(SECURE_BOOT_ENABLE) == TRUE
 +   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index 0ffa3be750..10eb6fe72b 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -355,6 +355,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
 + 
 + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
 ++!include OvmfPkg/Include/Fdf/MorLock.fdf.inc
 + 
 + !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
 + INF  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 52ac2c96fc..679e25501b 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -901,6 +901,7 @@ +   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
 + 
 + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
 ++!include OvmfPkg/Include/Dsc/MorLock.dsc.inc
 + 
 + !if $(SECURE_BOOT_ENABLE) == TRUE
 +   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index c4f3ec0735..ff06bbfc6f 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -362,6 +362,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
 + 
 + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
 ++!include OvmfPkg/Include/Fdf/MorLock.fdf.inc
 + 
 + ################################################################################
 + 
 +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index f76d0ef7bc..d294fd4625 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -969,6 +969,7 @@ +   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
 + 
 + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
 ++!include OvmfPkg/Include/Dsc/MorLock.dsc.inc
 + 
 + !if $(SECURE_BOOT_ENABLE) == TRUE
 +   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index bedd85ef7a..f3b787201f 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -402,6 +402,7 @@ INF OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf + !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
 + 
 + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
 ++!include OvmfPkg/Include/Fdf/MorLock.fdf.inc
 + 
 + ################################################################################
 + 
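Review bot: the new include is wired only into `OvmfPkgIa32`, `OvmfPkgIa32X64` and `OvmfPkgX64` (eight files in the diff stat), while the `AmdSevX64`, `IntelTdxX64` and `MicrovmX64` platform descriptions that patch 0038 in this same series edits are not touched; the commit message ("Add the include files to OVMF build configurations") does not say whether leaving those platforms without the MorLock drivers is intentional, and a sentence recording that decision would save the next person from wondering whether the omission is an oversight.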
 diff --git a/0036-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch b/0036-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch new file mode 100644 index 0000000..653b277 --- /dev/null +++ b/0036-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch 
@@ -0,0 +1,192 @@ +From 3899f089b8197f52ca63fe1561f8e5e1341f8198 Mon Sep 17 00:00:00 2001 +From: Pedro Falcato <pedro.falcato@gmail.com> +Date: Tue, 22 Nov 2022 22:31:03 +0000 +Subject: [PATCH] MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID + +RDRAND has notoriously been broken many times over its lifespan. +Add a smoketest to RDRAND, in order to better sniff out potential +security concerns. + +Also add a proper CPUID test in order to support older CPUs which may +not have it; it was previously being tested but then promptly ignored. + +Testing algorithm inspired by linux's arch/x86/kernel/cpu/rdrand.c +:x86_init_rdrand() per commit 049f9ae9.. + +Many thanks to Jason Donenfeld for relicensing his linux RDRAND detection +code to MIT and the public domain. + +>On Tue, Nov 22, 2022 at 2:21 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote: +  <..> +>    I (re)wrote that function in Linux. I hereby relicense it as MIT, and +>    also place it into public domain. Do with it what you will now. +> +>    Jason + +BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4163 + +Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com> +Cc: Michael D Kinney <michael.d.kinney@intel.com> +Cc: Liming Gao <gaoliming@byosoft.com.cn> +Cc: Zhiguang Liu <zhiguang.liu@intel.com> +Cc: Jason A. Donenfeld <Jason@zx2c4.com> +(cherry picked from commit c3a8ca7b54a9fd17acdf16c6282a92cc989fa92a) +--- + MdePkg/Library/BaseRngLib/Rand/RdRand.c | 99 +++++++++++++++++++++++-- + 1 file changed, 91 insertions(+), 8 deletions(-) + +diff --git a/MdePkg/Library/BaseRngLib/Rand/RdRand.c b/MdePkg/Library/BaseRngLib/Rand/RdRand.c +index 9bd68352f9..06d2a6f12d 100644 +--- a/MdePkg/Library/BaseRngLib/Rand/RdRand.c ++++ b/MdePkg/Library/BaseRngLib/Rand/RdRand.c +@@ -3,6 +3,7 @@ +   to provide high-quality random numbers.
 + 
 + Copyright (c) 2023, Arm Limited. All rights reserved.<BR>
 ++Copyright (c) 2022, Pedro Falcato. All rights reserved.<BR>
 + Copyright (c) 2021, NUVIA Inc. All rights reserved.<BR>
 + Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
 + 
 +@@ -24,6 +25,88 @@ SPDX-License-Identifier: BSD-2-Clause-Patent + 
 + STATIC BOOLEAN  mRdRandSupported;
 + 
 ++//
 ++// Intel SDM says 10 tries is good enough for reliable RDRAND usage.
 ++//
 ++#define RDRAND_RETRIES  10
 ++
 ++#define RDRAND_TEST_SAMPLES  8
 ++
 ++#define RDRAND_MIN_CHANGE  5
 ++
 ++//
 ++// Add a define for native-word RDRAND, just for the test.
 ++//
 ++#ifdef MDE_CPU_X64
 ++#define ASM_RDRAND  AsmRdRand64
 ++#else
 ++#define ASM_RDRAND  AsmRdRand32
 ++#endif
 ++
 ++/**
 ++  Tests RDRAND for broken implementations.
 ++
 ++  @retval TRUE         RDRAND is reliable (and hopefully safe).
 ++  @retval FALSE        RDRAND is unreliable and should be disabled, despite CPUID.
 ++
 ++**/
 ++STATIC
 ++BOOLEAN
 ++TestRdRand (
 ++  VOID
 ++  )
 ++{
 ++  //
 ++  // Test for notoriously broken rdrand implementations that always return the same
 ++  // value, like the Zen 3 uarch (all-1s) or other several AMD families on suspend/resume (also all-1s).
 ++  // Note that this should be expanded to extensively test for other sorts of possible errata.
 ++  //
 ++
 ++  //
 ++  // Our algorithm samples rdrand $RDRAND_TEST_SAMPLES times and expects
 ++  // a different result $RDRAND_MIN_CHANGE times for reliable RDRAND usage.
 ++  //
 ++  UINTN   Prev;
 ++  UINT8   Idx;
 ++  UINT8   TestIteration;
 ++  UINT32  Changed;
 ++
 ++  Changed = 0;
 ++
 ++  for (TestIteration = 0; TestIteration < RDRAND_TEST_SAMPLES; TestIteration++) {
 ++    UINTN  Sample;
 ++    //
 ++    // Note: We use a retry loop for rdrand. Normal users get this in BaseRng.c
 ++    // Any failure to get a random number will assume RDRAND does not work.
 ++    //
 ++    for (Idx = 0; Idx < RDRAND_RETRIES; Idx++) {
 ++      if (ASM_RDRAND (&Sample)) {
 ++        break;
 ++      }
 ++    }
 ++
 ++    if (Idx == RDRAND_RETRIES) {
 ++      DEBUG ((DEBUG_ERROR, "BaseRngLib/x86: CPU BUG: Failed to get an RDRAND random number - disabling\n"));
 ++      return FALSE;
 ++    }
 ++
 ++    if (TestIteration != 0) {
 ++      Changed += Sample != Prev;
 ++    }
 ++
 ++    Prev = Sample;
 ++  }
 ++
 ++  if (Changed < RDRAND_MIN_CHANGE) {
 ++    DEBUG ((DEBUG_ERROR, "BaseRngLib/x86: CPU BUG: RDRAND not reliable - disabling\n"));
 ++    return FALSE;
 ++  }
 ++
 ++  return TRUE;
 ++}
 ++
 ++#undef ASM_RDRAND
 ++
 + /**
 +   The constructor function checks whether or not RDRAND instruction is supported
 +   by the host hardware.
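Review bot: `Prev` is declared without an initializer and is only read when `TestIteration != 0`, which is correct because `Prev = Sample` runs at the end of every iteration, but compilers' maybe-uninitialized analysis frequently cannot prove that across the inner retry loop; initializing `Prev = 0` next to `Changed = 0` costs nothing and avoids a spurious warning in `-Werror` builds. Similarly, `Changed += Sample != Prev;` relies on a comparison result being added to a `UINT32`, and an explicit `if (Sample != Prev) { Changed++; }` reads better. The test itself does what its comment claims: a stuck-at source (every sample identical) yields `Changed == 0 < RDRAND_MIN_CHANGE` and is rejected, and exhausting `RDRAND_RETRIES` on any sample is treated as a broken implementation rather than retried later.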
 +@@ -48,10 +131,13 @@ BaseRngLibConstructor ( +   // CPUID. A value of 1 indicates that processor support RDRAND instruction.
 +   //
 +   AsmCpuid (1, 0, 0, &RegEcx, 0);
 +-  ASSERT ((RegEcx & RDRAND_MASK) == RDRAND_MASK);
 + 
 +   mRdRandSupported = ((RegEcx & RDRAND_MASK) == RDRAND_MASK);
 + 
 ++  if (mRdRandSupported) {
 ++    mRdRandSupported = TestRdRand ();
 ++  }
 ++
 +   return EFI_SUCCESS;
 + }
 + 
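Review bot: removing the `ASSERT ((RegEcx & RDRAND_MASK) == RDRAND_MASK)` and gating `mRdRandSupported` on `TestRdRand ()` means support is now decided entirely inside the library constructor; any consumer that links `BaseRngLib` without running library constructors will see `mRdRandSupported == FALSE`. Patch 0039 in this series ("CryptoPkg/Test: call ProcessLibraryConstructorList", stating it is "Needed to properly initialize BaseRngLib") is exactly that case, so the commit message here should mention the new constructor dependency for other callers.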
 +@@ -70,6 +156,7 @@ ArchGetRandomNumber16 ( +   OUT     UINT16  *Rand
 +   )
 + {
 ++  ASSERT (mRdRandSupported);
 +   return AsmRdRand16 (Rand);
 + }
 + 
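Review bot: `ASSERT (mRdRandSupported);` before `return AsmRdRand16 (Rand);` is the only guard in this hunk and in the identical hunks for `ArchGetRandomNumber32` and `ArchGetRandomNumber64`; in builds where `ASSERT` is compiled out, a caller that skips `ArchIsRngSupported ()` still executes `RDRAND` on a CPU that does not have it. Since the constructor already knows the answer and the function returns `AsmRdRand16`'s `BOOLEAN`, adding `if (!mRdRandSupported) { return FALSE; }` ahead of the assert would make the failure mode a clean "no random number" result rather than an invalid-opcode fault.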
 +@@ -88,6 +175,7 @@ ArchGetRandomNumber32 ( +   OUT     UINT32  *Rand
 +   )
 + {
 ++  ASSERT (mRdRandSupported);
 +   return AsmRdRand32 (Rand);
 + }
 + 
 +@@ -106,6 +194,7 @@ ArchGetRandomNumber64 ( +   OUT     UINT64  *Rand
 +   )
 + {
 ++  ASSERT (mRdRandSupported);
 +   return AsmRdRand64 (Rand);
 + }
 + 
 +@@ -122,13 +211,7 @@ ArchIsRngSupported ( +   VOID
 +   )
 + {
 +-  /*
 +-     Existing software depends on this always returning TRUE, so for
 +-     now hard-code it.
 +-
 +-     return mRdRandSupported;
 +-  */
 +-  return TRUE;
 ++  return mRdRandSupported;
 + }
 + 
 + /**
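Review bot: this hunk changes observable behaviour, since the deleted comment explicitly said "Existing software depends on this always returning TRUE" and `ArchIsRngSupported ()` now returns `mRdRandSupported`; the commit message does not identify that software or explain why the dependency no longer holds. Patch 0037 in this series adapts one consumer (`RngDxe` only advertises algorithms after a successful `GetRandomNumber64`), which suggests the change was coordinated, but that reasoning belongs in the message so the behaviour change is not mistaken for a regression.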
 diff --git a/0037-SecurityPkg-RngDxe-add-rng-test.patch b/0037-SecurityPkg-RngDxe-add-rng-test.patch new file mode 100644 index 0000000..b894821 --- /dev/null +++ b/0037-SecurityPkg-RngDxe-add-rng-test.patch @@ -0,0 +1,43 @@ +From 4947d363211159647e9266fa20ad9d4c8bc52f71 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Fri, 31 May 2024 09:49:13 +0200 +Subject: [PATCH] SecurityPkg/RngDxe: add rng test + +Check whenever RngLib actually returns random numbers, only return +a non-zero number of Algorithms if that is the case. + +This has the effect that RndDxe loads and installs EFI_RNG_PROTOCOL +only in case it can actually deliver random numbers. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +(cherry picked from commit a61bc0accb8a76edba4f073fdc7bafc908df045d) +--- + SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c +index 5723ed6957..8b0742bab6 100644 +--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c ++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c +@@ -23,6 +23,7 @@ + 
 + #include <Library/BaseLib.h>
 + #include <Library/BaseMemoryLib.h>
 ++#include <Library/RngLib.h>
 + 
 + #include "RngDxeInternals.h"
 + 
 +@@ -43,7 +44,12 @@ GetAvailableAlgorithms ( +   VOID
 +   )
 + {
 +-  mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT;
 ++  UINT64  RngTest;
 ++
 ++  if (GetRandomNumber64 (&RngTest)) {
 ++    mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT;
 ++  }
 ++
 +   return EFI_SUCCESS;
 + }
 + 
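Review bot: the removed line set `mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT;` unconditionally, and the new code sets it only when `GetRandomNumber64 (&RngTest)` succeeds, leaving the variable at whatever value it held before on failure; that is correct only if the global starts at zero (its definition is not in this hunk). An explicit `else { mAvailableAlgoArrayCount = 0; }` would make the "no algorithms available" outcome self-evident and keep the function idempotent if it is ever called twice. A single successful 64-bit draw is a weak liveness check on its own, but it is adequate here because the real quality test now lives in `BaseRngLib`'s constructor (patch 0036).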
 diff --git a/0038-OvmfPkg-wire-up-RngDxe.patch b/0038-OvmfPkg-wire-up-RngDxe.patch new file mode 100644 index 0000000..71d66be --- /dev/null +++ b/0038-OvmfPkg-wire-up-RngDxe.patch 
@@ -0,0 +1,301 @@ +From 0aa96c512c689426838ec1cf4aa78ff088c03a1e Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Fri, 24 May 2024 12:51:17 +0200 +Subject: [PATCH] OvmfPkg: wire up RngDxe + +Add OvmfRng include snippets with the random number generator +configuration for OVMF.  Include RngDxe, build with BaseRngLib, +so the rdrand instruction is used (if available). + +Also move VirtioRng to the include snippets. + +Use the new include snippets for OVMF builds. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +(cherry picked from commit 712797cf19acd292bf203522a79e40e7e13d268b) +--- + OvmfPkg/AmdSev/AmdSevX64.dsc                  | 2 +- + OvmfPkg/AmdSev/AmdSevX64.fdf                  | 2 +- + OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc | 9 +++++++++ + OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc        | 6 ++++++ + OvmfPkg/IntelTdx/IntelTdxX64.dsc              | 2 +- + OvmfPkg/IntelTdx/IntelTdxX64.fdf              | 2 +- + OvmfPkg/Microvm/MicrovmX64.dsc                | 2 +- + OvmfPkg/Microvm/MicrovmX64.fdf                | 2 +- + OvmfPkg/OvmfPkgIa32.dsc                       | 2 +- + OvmfPkg/OvmfPkgIa32.fdf                       | 2 +- + OvmfPkg/OvmfPkgIa32X64.dsc                    | 2 +- + OvmfPkg/OvmfPkgIa32X64.fdf                    | 2 +- + OvmfPkg/OvmfPkgX64.dsc                        | 2 +- + OvmfPkg/OvmfPkgX64.fdf                        | 2 +- + 14 files changed, 27 insertions(+), 12 deletions(-) + create mode 100644 OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc + create mode 100644 OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc + +diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc +index cf1ad83e09..4edc2a9069 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.dsc ++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc +@@ -649,7 +649,6 @@ +   OvmfPkg/Virtio10Dxe/Virtio10.inf
 +   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
 +   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
 +-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 + !if $(PVSCSI_ENABLE) == TRUE
 +   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
 + !endif
 +@@ -740,6 +739,7 @@ +   OvmfPkg/AmdSev/Grub/Grub.inf
 + 
 + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
 ++!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
 + 
 +   OvmfPkg/PlatformDxe/Platform.inf
 +   OvmfPkg/AmdSevDxe/AmdSevDxe.inf {
 +diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf +index c56c98dc85..480837b0fa 100644 +--- a/OvmfPkg/AmdSev/AmdSevX64.fdf ++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf +@@ -227,7 +227,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf + INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
 + INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
 + INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
 +-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 + !if $(PVSCSI_ENABLE) == TRUE
 + INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
 + !endif
 +@@ -318,6 +317,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
 + 
 + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
 ++!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
 + 
 + ################################################################################
 + 
 +diff --git a/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc +new file mode 100644 +index 0000000000..68839a0caa +--- /dev/null ++++ b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc +@@ -0,0 +1,9 @@ ++##
 ++#    SPDX-License-Identifier: BSD-2-Clause-Patent
 ++##
 ++
 ++  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf {
 ++    <LibraryClasses>
 ++      RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
 ++  }
 ++  OvmfPkg/VirtioRngDxe/VirtioRng.inf
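Review bot: the module-scoped `<LibraryClasses>` override gives `RngDxe` `BaseRngLib` without changing the platform-wide `RngLib` mapping, which is the right scope, but the include file carries no comment beyond the SPDX line; since `RngDxe` only installs `EFI_RNG_PROTOCOL` after `GetRandomNumber64` succeeds (patch 0037) and `BaseRngLib` only reports support after the `RDRAND` smoke test (patch 0036), a one-line note that this include depends on those two patches would stop anyone cherry-picking it on its own from shipping an `RngDxe` that advertises algorithms on a CPU whose `RDRAND` is broken. Bundling `VirtioRng.inf` in the same include is reasonable, as the two drivers supply independent protocol instances.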
 +diff --git a/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc b/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc +new file mode 100644 +index 0000000000..99cb4a32b1 +--- /dev/null ++++ b/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc +@@ -0,0 +1,6 @@ ++##
 ++#    SPDX-License-Identifier: BSD-2-Clause-Patent
 ++##
 ++
 ++INF  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
 ++INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 +diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc +index 9f49b60ff0..4b7e1596fc 100644 +--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc ++++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc +@@ -636,7 +636,6 @@ +   OvmfPkg/Virtio10Dxe/Virtio10.inf
 +   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
 +   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
 +-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 + !if $(PVSCSI_ENABLE) == TRUE
 +   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
 + !endif
 +@@ -719,6 +718,7 @@ +   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
 + 
 + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
 ++!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
 + 
 + !if $(SECURE_BOOT_ENABLE) == TRUE
 +   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 +diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf +index ce5d542048..88d0f75ae2 100644 +--- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf ++++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf +@@ -285,7 +285,6 @@ READ_LOCK_STATUS   = TRUE + #
 + INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
 + INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
 +-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 + !if $(PVSCSI_ENABLE) == TRUE
 + INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
 + !endif
 +@@ -326,6 +325,7 @@ INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf + INF  OvmfPkg/PlatformDxe/Platform.inf
 + 
 + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
 ++!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
 + 
 + ################################################################################
 + 
 +diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc +index fb73f2e089..9206f01816 100644 +--- a/OvmfPkg/Microvm/MicrovmX64.dsc ++++ b/OvmfPkg/Microvm/MicrovmX64.dsc +@@ -760,7 +760,6 @@ +   OvmfPkg/Virtio10Dxe/Virtio10.inf
 +   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
 +   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
 +-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 +   OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
 +   MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
 +   MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
 +@@ -846,6 +845,7 @@ +   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
 + 
 + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
 ++!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
 + 
 + !if $(SECURE_BOOT_ENABLE) == TRUE
 +   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 +diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf +index 055e659a35..c8268d7e8c 100644 +--- a/OvmfPkg/Microvm/MicrovmX64.fdf ++++ b/OvmfPkg/Microvm/MicrovmX64.fdf +@@ -207,7 +207,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf + INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
 + INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
 + INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
 +-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 + INF  OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
 + 
 + !if $(SECURE_BOOT_ENABLE) == TRUE
 +@@ -299,6 +298,7 @@ INF  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf + INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
 + 
 + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
 ++!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
 + 
 + ################################################################################
 + 
 +diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc +index 65a866ae0c..b64c215585 100644 +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -784,7 +784,6 @@ +   OvmfPkg/Virtio10Dxe/Virtio10.inf
 +   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
 +   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
 +-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 +   OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
 + !if $(PVSCSI_ENABLE) == TRUE
 +   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
 +@@ -888,6 +887,7 @@ + 
 + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
 + !include OvmfPkg/Include/Dsc/MorLock.dsc.inc
 ++!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
 + 
 + !if $(SECURE_BOOT_ENABLE) == TRUE
 +   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf +index 10eb6fe72b..c31276e4a3 100644 +--- a/OvmfPkg/OvmfPkgIa32.fdf ++++ b/OvmfPkg/OvmfPkgIa32.fdf +@@ -231,7 +231,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf + INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
 + INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
 + INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
 +-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 + INF  OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
 + !if $(PVSCSI_ENABLE) == TRUE
 + INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
 +@@ -356,6 +355,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + 
 + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
 + !include OvmfPkg/Include/Fdf/MorLock.fdf.inc
 ++!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
 + 
 + !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
 + INF  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc +index 679e25501b..ececac3757 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -798,7 +798,6 @@ +   OvmfPkg/Virtio10Dxe/Virtio10.inf
 +   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
 +   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
 +-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 +   OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
 + !if $(PVSCSI_ENABLE) == TRUE
 +   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
 +@@ -902,6 +901,7 @@ + 
 + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
 + !include OvmfPkg/Include/Dsc/MorLock.dsc.inc
 ++!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
 + 
 + !if $(SECURE_BOOT_ENABLE) == TRUE
 +   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf +index ff06bbfc6f..a7b4aeac08 100644 +--- a/OvmfPkg/OvmfPkgIa32X64.fdf ++++ b/OvmfPkg/OvmfPkgIa32X64.fdf +@@ -232,7 +232,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf + INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
 + INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
 + INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
 +-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 + INF  OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
 + !if $(PVSCSI_ENABLE) == TRUE
 + INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
 +@@ -363,6 +362,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf + 
 + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
 + !include OvmfPkg/Include/Fdf/MorLock.fdf.inc
 ++!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
 + 
 + ################################################################################
 + 
 +diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc +index d294fd4625..0ab4d3df06 100644 +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -866,7 +866,6 @@ +   OvmfPkg/Virtio10Dxe/Virtio10.inf
 +   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
 +   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
 +-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 +   OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
 + !if $(PVSCSI_ENABLE) == TRUE
 +   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
 +@@ -970,6 +969,7 @@ + 
 + !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
 + !include OvmfPkg/Include/Dsc/MorLock.dsc.inc
 ++!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
 + 
 + !if $(SECURE_BOOT_ENABLE) == TRUE
 +   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 +diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf +index f3b787201f..ae08ac4fe9 100644 +--- a/OvmfPkg/OvmfPkgX64.fdf ++++ b/OvmfPkg/OvmfPkgX64.fdf +@@ -263,7 +263,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf + INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
 + INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
 + INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
 +-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
 + INF  OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
 + !if $(PVSCSI_ENABLE) == TRUE
 + INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
 +@@ -403,6 +402,7 @@ INF OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf + 
 + !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
 + !include OvmfPkg/Include/Fdf/MorLock.fdf.inc
 ++!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
 + 
 + ################################################################################
 + 
 diff --git a/0039-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch b/0039-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch new file mode 100644 index 0000000..0194b84 --- /dev/null +++ b/0039-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch @@ -0,0 +1,37 @@ +From d5d19043e62a268a492f9a1ef6a11380d8f7e784 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Fri, 14 Jun 2024 11:45:49 +0200 +Subject: [PATCH] CryptoPkg/Test: call ProcessLibraryConstructorList + +Needed to properly initialize BaseRngLib. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +(cherry picked from commit 94961b8817eec6f8d0434555ac50a7aa51c22201) +--- + .../Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c      | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c +index d0c1c7a4f7..48d463b8ad 100644 +--- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c ++++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c +@@ -8,6 +8,12 @@ + **/
 + #include "TestBaseCryptLib.h"
 + 
 ++VOID
 ++EFIAPI
 ++ProcessLibraryConstructorList (
 ++  VOID
 ++  );
 ++
 + /**
 +   Initialize the unit test framework, suite, and unit tests for the
 +   sample unit tests and run the unit tests.
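Review bot: the hand-written prototype `VOID EFIAPI ProcessLibraryConstructorList (VOID);` has to match the signature that AutoGen generates for this module; that is the host-application form, whereas driver module types get an `ImageHandle`/`SystemTable` parameter pair, and a mismatch would not be caught by the compiler because the definition lives in generated code. Either include the generated `AutoGen.h` if the host build exposes it, or add a comment stating that the prototype mirrors AutoGen's host-application variant, so a future reuse of this `main ()` in another module type does not silently call a mis-declared function.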
 +@@ -76,5 +82,6 @@ main ( +   char  *argv[]
 +   )
 + {
 ++  ProcessLibraryConstructorList ();
 +   return UefiTestMain ();
 + }
 diff --git a/0040-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch b/0040-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch new file mode 100644 index 0000000..d32e748 --- /dev/null +++ b/0040-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch @@ -0,0 +1,43 @@ +From 320207a3df995771af36639c7bdf89c4203cf1c2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Fri, 14 Jun 2024 11:45:53 +0200 +Subject: [PATCH] MdePkg/X86UnitTestHost: set rdrand cpuid bit + +Set the rdrand feature bit when faking cpuid for host test cases. +Needed to make the CryptoPkg test cases work. + +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +(cherry picked from commit 5e776299a2604b336a947e68593012ab2cc16eb4) +--- + MdePkg/Library/BaseLib/X86UnitTestHost.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/MdePkg/Library/BaseLib/X86UnitTestHost.c b/MdePkg/Library/BaseLib/X86UnitTestHost.c +index 8ba4f54a38..7f7276f7f4 100644 +--- a/MdePkg/Library/BaseLib/X86UnitTestHost.c ++++ b/MdePkg/Library/BaseLib/X86UnitTestHost.c +@@ -66,6 +66,15 @@ UnitTestHostBaseLibAsmCpuid ( +   OUT     UINT32  *Edx   OPTIONAL
 +   )
 + {
 ++  UINT32  RetEcx;
 ++
 ++  RetEcx = 0;
 ++  switch (Index) {
 ++    case 1:
 ++      RetEcx |= BIT30; /* RdRand */
 ++      break;
 ++  }
 ++
 +   if (Eax != NULL) {
 +     *Eax = 0;
 +   }
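Review bot: `switch (Index)` with a single `case 1:` and no `default:` reads as an `if`; if the intent is to grow this into a table of faked leaves, a `default:` (even an empty one with a comment) makes that intent explicit. More importantly, `RetEcx |= BIT30; /* RdRand */` hard-codes the same bit that `BaseRngLib`'s constructor checks via `RDRAND_MASK` (visible in patch 0036 as `(RegEcx & RDRAND_MASK) == RDRAND_MASK`), so the two definitions must be kept in agreement by hand; using the `CPUID_VERSION_INFO_ECX` bitfield from `MdePkg/Include/Register/Intel/Cpuid.h`, if it is usable from the host library, or a shared define would tie them together. Leaf 1 ECX bit 30 is indeed the RDRAND feature flag, so the value itself is correct.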
 +@@ -75,7 +84,7 @@ UnitTestHostBaseLibAsmCpuid ( +   }
 + 
 +   if (Ecx != NULL) {
 +-    *Ecx = 0;
 ++    *Ecx = RetEcx;
 +   }
 + 
 +   if (Edx != NULL) {
 diff --git a/30-edk2-ovmf-x64-sb-enrolled.json b/30-edk2-ovmf-x64-sb-enrolled.json new file mode 100644 index 0000000..d77ed08 --- /dev/null +++ b/30-edk2-ovmf-x64-sb-enrolled.json @@ -0,0 +1,36 @@ +{ +    "description": "OVMF with SB+SMM, SB enabled, MS certs enrolled", +    "interface-types": [ +        "uefi" +    ], +    "mapping": { +        "device": "flash", +        "mode": "split", +        "executable": { +            "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd", +            "format": "raw" +        }, +        "nvram-template": { +            "filename": "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd", +            "format": "raw" +        } +    }, +    "targets": [ +        { +            "architecture": "x86_64", +            "machines": [ +                "pc-q35-*" +            ] +        } +    ], +    "features": [ +        "acpi-s3", +        "enrolled-keys", +        "requires-smm", +        "secure-boot", +        "verbose-dynamic" +    ], +    "tags": [ + +    ] +} diff --git a/40-edk2-ovmf-x64-sb.json b/40-edk2-ovmf-x64-sb.json new file mode 100644 index 0000000..02a7622 --- /dev/null +++ b/40-edk2-ovmf-x64-sb.json @@ -0,0 +1,35 @@ +{ +    "description": "OVMF with SB+SMM, empty varstore", +    "interface-types": [ +        "uefi" +    ], +    "mapping": { +        "device": "flash", +        "mode": "split", +        "executable": { +            "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd", +            "format": "raw" +        }, +        "nvram-template": { +            "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd", +            "format": "raw" +        } +    }, +    "targets": [ +        { +            "architecture": "x86_64", +            "machines": [ +                "pc-q35-*" +            ] +        } +    ], +    "features": [ +        "acpi-s3", +        "requires-smm", +        "secure-boot", +        "verbose-dynamic" +    ], +    "tags": [ + +    ] +} 
diff --git a/50-edk2-aarch64-qcow2.json b/50-edk2-aarch64-qcow2.json new file mode 100644 index 0000000..937d295 --- /dev/null +++ b/50-edk2-aarch64-qcow2.json @@ -0,0 +1,32 @@ +{ +    "description": "UEFI firmware for ARM64 virtual machines", +    "interface-types": [ +        "uefi" +    ], +    "mapping": { +        "device": "flash", +        "mode": "split", +        "executable": { +            "filename": "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.qcow2", +            "format": "qcow2" +        }, +        "nvram-template": { +            "filename": "/usr/share/edk2/aarch64/vars-template-pflash.qcow2", +            "format": "qcow2" +        } +    }, +    "targets": [ +        { +            "architecture": "aarch64", +            "machines": [ +                "virt-*" +            ] +        } +    ], +    "features": [ + +    ], +    "tags": [ + +    ] +} diff --git a/50-edk2-ovmf-x64-nosb.json b/50-edk2-ovmf-x64-nosb.json new file mode 100644 index 0000000..c660e0c --- /dev/null +++ b/50-edk2-ovmf-x64-nosb.json @@ -0,0 +1,35 @@ +{ +    "description": "OVMF without SB+SMM, empty varstore", +    "interface-types": [ +        "uefi" +    ], +    "mapping": { +        "device": "flash", +        "mode": "split", +        "executable": { +            "filename": "/usr/share/edk2/ovmf/OVMF_CODE.fd", +            "format": "raw" +        }, +        "nvram-template": { +            "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd", +            "format": "raw" +        } +    }, +    "targets": [ +        { +            "architecture": "x86_64", +            "machines": [ +                "pc-q35-*" +            ] +        } +    ], +    "features": [ +        "acpi-s3", +        "amd-sev", +        "amd-sev-es", +        "verbose-dynamic" +    ], +    "tags": [ + +    ] +} diff --git a/51-edk2-aarch64-raw.json b/51-edk2-aarch64-raw.json new file mode 100644 index 0000000..506bbe6 --- /dev/null +++ b/51-edk2-aarch64-raw.json 
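Review bot: 50-edk2-aarch64-qcow2.json references QEMU_EFI-silent-pflash.qcow2 and vars-template-pflash.qcow2, but [build.armvirt.aa64.silent] and [build.armvirt.aa64.verbose] in edk2-build.rhel-9 copy and pad only the .raw images (QEMU_EFI-silent-pflash.raw, vars-template-pflash.raw); the qcow2 conversion must happen in a spec step that is not on this page (qemu-img is in BuildRequires for it). Add a comment in the descriptor or the build config naming that step so the two file sets do not drift. Separately, 50-edk2-ovmf-x64-nosb.json advertises amd-sev and amd-sev-es on the plain OVMF_CODE.fd split build, which is right for OvmfPkgX64.dsc, but its flag list stops at SEV-ES; SEV-SNP guests need the stateless 60-edk2-ovmf-x64-amdsev.json image, and it would help to say so in the description.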
@@ -0,0 +1,32 @@ +{ +    "description": "UEFI firmware for ARM64 virtual machines", +    "interface-types": [ +        "uefi" +    ], +    "mapping": { +        "device": "flash", +        "mode": "split", +        "executable": { +            "filename": "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw", +            "format": "raw" +        }, +        "nvram-template": { +            "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw", +            "format": "raw" +        } +    }, +    "targets": [ +        { +            "architecture": "aarch64", +            "machines": [ +                "virt-*" +            ] +        } +    ], +    "features": [ + +    ], +    "tags": [ + +    ] +} diff --git a/52-edk2-aarch64-verbose-qcow2.json b/52-edk2-aarch64-verbose-qcow2.json new file mode 100644 index 0000000..976f2a6 --- /dev/null +++ b/52-edk2-aarch64-verbose-qcow2.json @@ -0,0 +1,32 @@ +{ +    "description": "UEFI firmware for ARM64 virtual machines, verbose logs", +    "interface-types": [ +        "uefi" +    ], +    "mapping": { +        "device": "flash", +        "mode": "split", +        "executable": { +            "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.qcow2", +            "format": "qcow2" +        }, +        "nvram-template": { +            "filename": "/usr/share/edk2/aarch64/vars-template-pflash.qcow2", +            "format": "qcow2" +        } +    }, +    "targets": [ +        { +            "architecture": "aarch64", +            "machines": [ +                "virt-*" +            ] +        } +    ], +    "features": [ +        "verbose-static" +    ], +    "tags": [ + +    ] +} diff --git a/53-edk2-aarch64-verbose-raw.json b/53-edk2-aarch64-verbose-raw.json new file mode 100644 index 0000000..fa0ed91 --- /dev/null +++ b/53-edk2-aarch64-verbose-raw.json 
@@ -0,0 +1,32 @@ +{ +    "description": "UEFI firmware for ARM64 virtual machines, verbose logs", +    "interface-types": [ +        "uefi" +    ], +    "mapping": { +        "device": "flash", +        "mode": "split", +        "executable": { +            "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw", +            "format": "raw" +        }, +        "nvram-template": { +            "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw", +            "format": "raw" +        } +    }, +    "targets": [ +        { +            "architecture": "aarch64", +            "machines": [ +                "virt-*" +            ] +        } +    ], +    "features": [ +        "verbose-static" +    ], +    "tags": [ + +    ] +} diff --git a/60-edk2-ovmf-x64-amdsev.json b/60-edk2-ovmf-x64-amdsev.json new file mode 100644 index 0000000..9a561bc --- /dev/null +++ b/60-edk2-ovmf-x64-amdsev.json @@ -0,0 +1,31 @@ +{ +    "description": "OVMF with SEV-ES support", +    "interface-types": [ +        "uefi" +    ], +    "mapping": { +        "device": "flash", +        "mode": "stateless", +        "executable": { +            "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd", +            "format": "raw" +        } +    }, +    "targets": [ +        { +            "architecture": "x86_64", +            "machines": [ +                "pc-q35-*" +            ] +        } +    ], +    "features": [ +        "amd-sev", +        "amd-sev-es", +        "amd-sev-snp", +        "verbose-dynamic" +    ], +    "tags": [ + +    ] +} diff --git a/60-edk2-ovmf-x64-inteltdx.json b/60-edk2-ovmf-x64-inteltdx.json new file mode 100644 index 0000000..445eb70 --- /dev/null +++ b/60-edk2-ovmf-x64-inteltdx.json 
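Review bot: in 60-edk2-ovmf-x64-amdsev.json the description reads "OVMF with SEV-ES support" while the features array lists amd-sev, amd-sev-es and amd-sev-snp; update the description to name all three (e.g. "OVMF for AMD SEV, SEV-ES and SEV-SNP guests") so tooling that displays descriptions does not understate the image. The "stateless" mapping with no nvram-template is consistent with the build config, which copies only FV/OVMF.fd as OVMF.amdsev.fd and enables no SECURE_BOOT for that build, matching the absent secure-boot feature.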
@@ -0,0 +1,27 @@ +{ +    "description": "OVMF with TDX support", +    "interface-types": [ +        "uefi" +    ], +    "mapping": { +        "device": "memory", +        "filename": "/usr/share/edk2/ovmf/OVMF.inteltdx.secboot.fd" +    }, +    "targets": [ +        { +            "architecture": "x86_64", +            "machines": [ +                "pc-q35-*" +            ] +        } +    ], +    "features": [ +        "enrolled-keys", +        "intel-tdx", +        "secure-boot", +        "verbose-dynamic" +    ], +    "tags": [ + +    ] +} diff --git a/edk2-MdeModulePkg-Warn-if-out-of-flash-space-when-writing.patch b/edk2-MdeModulePkg-Warn-if-out-of-flash-space-when-writing.patch new file mode 100644 index 0000000..2198b6f --- /dev/null +++ b/edk2-MdeModulePkg-Warn-if-out-of-flash-space-when-writing.patch 
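Review bot: 60-edk2-ovmf-x64-inteltdx.json points at /usr/share/edk2/ovmf/OVMF.inteltdx.secboot.fd, but [build.ovmf.inteltdx] in edk2-build.rhel-9 copies FV/OVMF.fd only to OVMF.inteltdx.fd; the .secboot variant with enrolled certificates has to be produced by a later spec step (virt-firmware is in BuildRequires for "secure boot enrollment") that is not visible here. Please confirm the install step really emits the .secboot name, otherwise libvirt will list a firmware whose file does not exist. Since the mapping device is "memory" and there is no nvram-template, the enrolled PK/KEK/db/dbx live inside the image and are volatile, which is what a measured TDX image wants; a one-line comment saying so would spare the next reader a search for the varstore.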
@@ -0,0 +1,43 @@ +From 880c1ca7420b873c5f81563b122d7bd1ebad72cb Mon Sep 17 00:00:00 2001 +From: Oliver Steffen <osteffen@redhat.com> +Date: Mon, 4 Mar 2024 15:32:58 +0100 +Subject: [PATCH] MdeModulePkg: Warn if out of flash space when writing + variables + +RH-Author: Oliver Steffen <osteffen@redhat.com> +RH-MergeRequest: 64: MdeModulePkg: Warn if out of flash space when writing variables +RH-Jira: RHEL-43442 +RH-Acked-by: Gerd Hoffmann <None> +RH-Commit: [1/1] b65130800090192f47f13d67ff14f902a4f5bfb5 (osteffen/edk2) + +Emit a DEBUG_WARN message if there is not enough flash space left to +write/update a variable. This condition is currently not logged +appropriately in all cases, given that full variable store can easily +render the system unbootable. +This new message helps identifying this condition. + +Signed-off-by: Oliver Steffen <osteffen@redhat.com> +Reviewed-by: Laszlo Ersek <lersek@redhat.com> +Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> +(cherry picked from commit 80b59ff8320d1bd134bf689fe9c0ddf4e0473b88) +Signed-off-by: Oliver Steffen <osteffen@redhat.com> +--- + MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c +index d394d237a5..1c7659031d 100644 +--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c ++++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c +@@ -2364,6 +2364,8 @@ Done: +                   );
 +       ASSERT_EFI_ERROR (Status);
 +     }
 ++  } else if (Status == EFI_OUT_OF_RESOURCES) {
 ++    DEBUG ((DEBUG_WARN, "UpdateVariable failed: Out of flash space\n"));
 +   }
 + 
 +   return Status;
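Review bot: the new DEBUG_WARN in the `else if (Status == EFI_OUT_OF_RESOURCES)` branch does not say which variable failed, which is the first thing needed when a full store is suspected of making a system unbootable; this sits in UpdateVariable, whose parameters include VariableName and VendorGuid, so log them, e.g. `DEBUG ((DEBUG_WARN, "UpdateVariable failed: Out of flash space (%g:%s)\n", VendorGuid, VariableName));`. Also, UpdateVariable returns EFI_OUT_OF_RESOURCES for a full volatile store as well, so "Out of flash space" is misleading for volatile variables; "variable store full" would cover both cases.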
 +--  +2.39.3 + diff --git a/edk2-build.py b/edk2-build.py new file mode 100755 index 0000000..cee7541 --- /dev/null +++ b/edk2-build.py 
@@ -0,0 +1,447 @@ +#!/usr/bin/python3 +""" +build helper script for edk2, see +https://gitlab.com/kraxel/edk2-build-config + +""" +import os +import sys +import time +import shutil +import argparse +import subprocess +import configparser + +rebase_prefix    = "" +version_override = None +release_date     = None + +# pylint: disable=unused-variable +def check_rebase(): +    """ detect 'git rebase -x edk2-build.py master' testbuilds """ +    global rebase_prefix +    global version_override +    gitdir = '.git' + +    if os.path.isfile(gitdir): +        with open(gitdir, 'r', encoding = 'utf-8') as f: +            (unused, gitdir) = f.read().split() + +    if not os.path.exists(f'{gitdir}/rebase-merge/msgnum'): +        return +    with open(f'{gitdir}/rebase-merge/msgnum', 'r', encoding = 'utf-8') as f: +        msgnum = int(f.read()) +    with open(f'{gitdir}/rebase-merge/end', 'r', encoding = 'utf-8') as f: +        end = int(f.read()) +    with open(f'{gitdir}/rebase-merge/head-name', 'r', encoding = 'utf-8') as f: +        head = f.read().strip().split('/') + +    rebase_prefix = f'[ {int(msgnum/2)} / {int(end/2)} - {head[-1]} ] ' +    if msgnum != end and not version_override: +        # fixed version speeds up builds +        version_override = "test-build-patch-series" + +def get_coredir(cfg): +    if cfg.has_option('global', 'core'): +        return os.path.abspath(cfg['global']['core']) +    return os.getcwd() + +def get_toolchain(cfg, build): +    if cfg.has_option(build, 'tool'): +        return cfg[build]['tool'] +    if cfg.has_option('global', 'tool'): +        return cfg['global']['tool'] +    return 'GCC5' + +def get_hostarch(): +    mach = os.uname().machine +    if mach == 'x86_64': +        return 'X64' +    if mach == 'aarch64': +        return 'AARCH64' +    if mach == 'riscv64': +        return 'RISCV64' +    return 'UNKNOWN' + +def get_version(cfg, silent = False): +    coredir = get_coredir(cfg) +    if version_override: +        version = 
version_override +        if not silent: +            print('') +            print(f'### version [override]: {version}') +        return version +    if os.environ.get('RPM_PACKAGE_NAME'): +        version = os.environ.get('RPM_PACKAGE_NAME') +        version += '-' + os.environ.get('RPM_PACKAGE_VERSION') +        version += '-' + os.environ.get('RPM_PACKAGE_RELEASE') +        if not silent: +            print('') +            print(f'### version [rpmbuild]: {version}') +        return version +    if os.path.exists(coredir + '/.git'): +        cmdline = [ 'git', 'describe', '--tags', '--abbrev=8', +                    '--match=edk2-stable*' ] +        result = subprocess.run(cmdline, cwd = coredir, +                                stdout = subprocess.PIPE, +                                check = True) +        version = result.stdout.decode().strip() +        if not silent: +            print('') +            print(f'### version [git]: {version}') +        return version +    return None + +def pcd_string(name, value): +    return f'{name}=L{value}\\0' + +def pcd_version(cfg, silent = False): +    version = get_version(cfg, silent) +    if version is None: +        return [] +    return [ '--pcd', pcd_string('PcdFirmwareVersionString', version) ] + +def pcd_release_date(): +    if release_date is None: +        return [] +    return [ '--pcd', pcd_string('PcdFirmwareReleaseDateString', release_date) ] + +def build_message(line, line2 = None, silent = False): +    if os.environ.get('TERM') in [ 'xterm', 'xterm-256color' ]: +        # setxterm  title +        start  = '\x1b]2;' +        end    = '\x07' +        print(f'{start}{rebase_prefix}{line}{end}', end = '') + +    if silent: +        print(f'### {rebase_prefix}{line}', flush = True) +    else: +        print('') +        print('###') +        print(f'### {rebase_prefix}{line}') +        if line2: +            print(f'### {line2}') +        print('###', flush = True) + +def build_run(cmdline, name, section, 
silent = False, nologs = False): +    if silent: +        logfile = f'{section}.log' +        if nologs: +            print(f'### building in silent mode [no log] ...', flush = True) +        else: +            print(f'### building in silent mode [{logfile}] ...', flush = True) +        start = time.time() +        result = subprocess.run(cmdline, check = False, +                                stdout = subprocess.PIPE, +                                stderr = subprocess.STDOUT) +        if not nologs: +            with open(logfile, 'wb') as f: +                f.write(result.stdout) + +        if result.returncode: +            print('### BUILD FAILURE') +            print('### cmdline') +            print(cmdline) +            print('### output') +            print(result.stdout.decode()) +            print(f'### exit code: {result.returncode}') +        else: +            secs = int(time.time() - start) +            print(f'### OK ({int(secs/60)}:{secs%60:02d})') +    else: +        print(cmdline, flush = True) +        result = subprocess.run(cmdline, check = False) +    if result.returncode: +        print(f'ERROR: {cmdline[0]} exited with {result.returncode}' +              f' while building {name}') +        sys.exit(result.returncode) + +def build_copy(plat, tgt, toolchain, dstdir, copy): +    srcdir = f'Build/{plat}/{tgt}_{toolchain}' +    names = copy.split() +    srcfile = names[0] +    if len(names) > 1: +        dstfile = names[1] +    else: +        dstfile = os.path.basename(srcfile) +    print(f'# copy: {srcdir} / {srcfile}  =>  {dstdir} / {dstfile}') + +    src = srcdir + '/' + srcfile +    dst = dstdir + '/' + dstfile +    os.makedirs(os.path.dirname(dst), exist_ok = True) +    shutil.copy(src, dst) + +def pad_file(dstdir, pad): +    args = pad.split() +    if len(args) < 2: +        raise RuntimeError(f'missing arg for pad ({args})') +    name = args[0] +    size = args[1] +    cmdline = [ +        'truncate', +        '--size', size, +        
dstdir + '/' + name, +    ] +    print(f'# padding: {dstdir} / {name}  =>  {size}') +    subprocess.run(cmdline, check = True) + +# pylint: disable=too-many-branches +def build_one(cfg, build, jobs = None, silent = False, nologs = False): +    b = cfg[build] + +    cmdline  = [ 'build' ] +    cmdline += [ '-t', get_toolchain(cfg, build) ] +    cmdline += [ '-p', b['conf'] ] + +    if (b['conf'].startswith('OvmfPkg/') or +        b['conf'].startswith('ArmVirtPkg/')): +        cmdline += pcd_version(cfg, silent) +        cmdline += pcd_release_date() + +    if jobs: +        cmdline += [ '-n', jobs ] +    for arch in b['arch'].split(): +        if arch == 'HOST': +            cmdline += [ '-a', get_hostarch() ] +        else: +            cmdline += [ '-a', arch ] +    if 'opts' in b: +        for name in b['opts'].split(): +            section = 'opts.' + name +            for opt in cfg[section]: +                cmdline += [ '-D', opt + '=' + cfg[section][opt] ] +    if 'pcds' in b: +        for name in b['pcds'].split(): +            section = 'pcds.' + name +            for pcd in cfg[section]: +                cmdline += [ '--pcd', pcd + '=' + cfg[section][pcd] ] +    if 'tgts' in b: +        tgts = b['tgts'].split() +    else: +        tgts = [ 'DEBUG' ] +    for tgt in tgts: +        desc = None +        if 'desc' in b: +            desc = b['desc'] +        build_message(f'building: {b["conf"]} ({b["arch"]}, {tgt})', +                      f'description: {desc}', +                      silent = silent) +        build_run(cmdline + [ '-b', tgt ], +                  b['conf'], +                  build + '.' 
+ tgt, +                  silent, +                  nologs) + +        if 'plat' in b: +            # copy files +            for cpy in b: +                if not cpy.startswith('cpy'): +                    continue +                build_copy(b['plat'], tgt, +                           get_toolchain(cfg, build), +                           b['dest'], b[cpy]) +            # pad builds +            for pad in b: +                if not pad.startswith('pad'): +                    continue +                pad_file(b['dest'], b[pad]) + +def build_basetools(silent = False, nologs = False): +    build_message('building: BaseTools', silent = silent) +    basedir = os.environ['EDK_TOOLS_PATH'] +    cmdline = [ 'make', '-C', basedir ] +    build_run(cmdline, 'BaseTools', 'build.basetools', silent, nologs) + +def binary_exists(name): +    for pdir in os.environ['PATH'].split(':'): +        if os.path.exists(pdir + '/' + name): +            return True +    return False + +def prepare_env(cfg, silent = False): +    """ mimic Conf/BuildEnv.sh """ +    workspace = os.getcwd() +    packages = [ workspace, ] +    path = os.environ['PATH'].split(':') +    dirs = [ +        'BaseTools/Bin/Linux-x86_64', +        'BaseTools/BinWrappers/PosixLike' +    ] + +    if cfg.has_option('global', 'pkgs'): +        for pkgdir in cfg['global']['pkgs'].split(): +            packages.append(os.path.abspath(pkgdir)) +    coredir = get_coredir(cfg) +    if coredir != workspace: +        packages.append(coredir) + +    # add basetools to path +    for pdir in dirs: +        p = coredir + '/' + pdir +        if not os.path.exists(p): +            continue +        if p in path: +            continue +        path.insert(0, p) + +    # run edksetup if needed +    toolsdef = coredir + '/Conf/tools_def.txt' +    if not os.path.exists(toolsdef): +        os.makedirs(os.path.dirname(toolsdef), exist_ok = True) +        build_message('running BaseTools/BuildEnv', silent = silent) +        cmdline = [ 
'bash', 'BaseTools/BuildEnv' ] +        subprocess.run(cmdline, cwd = coredir, check = True) + +    # set variables +    os.environ['PATH'] = ':'.join(path) +    os.environ['PACKAGES_PATH'] = ':'.join(packages) +    os.environ['WORKSPACE'] = workspace +    os.environ['EDK_TOOLS_PATH'] = coredir + '/BaseTools' +    os.environ['CONF_PATH'] = coredir + '/Conf' +    os.environ['PYTHON_COMMAND'] = '/usr/bin/python3' +    os.environ['PYTHONHASHSEED'] = '1' + +    # for cross builds +    if binary_exists('arm-linux-gnueabi-gcc'): +        # ubuntu +        os.environ['GCC5_ARM_PREFIX'] = 'arm-linux-gnueabi-' +        os.environ['GCC_ARM_PREFIX'] = 'arm-linux-gnueabi-' +    elif binary_exists('arm-linux-gnu-gcc'): +        # fedora +        os.environ['GCC5_ARM_PREFIX'] = 'arm-linux-gnu-' +        os.environ['GCC_ARM_PREFIX'] = 'arm-linux-gnu-' +    if binary_exists('loongarch64-linux-gnu-gcc'): +        os.environ['GCC5_LOONGARCH64_PREFIX'] = 'loongarch64-linux-gnu-' +        os.environ['GCC_LOONGARCH64_PREFIX'] = 'loongarch64-linux-gnu-' + +    hostarch = os.uname().machine +    if binary_exists('aarch64-linux-gnu-gcc') and hostarch != 'aarch64': +        os.environ['GCC5_AARCH64_PREFIX'] = 'aarch64-linux-gnu-' +        os.environ['GCC_AARCH64_PREFIX'] = 'aarch64-linux-gnu-' +    if binary_exists('riscv64-linux-gnu-gcc') and hostarch != 'riscv64': +        os.environ['GCC5_RISCV64_PREFIX'] = 'riscv64-linux-gnu-' +        os.environ['GCC_RISCV64_PREFIX'] = 'riscv64-linux-gnu-' +    if binary_exists('x86_64-linux-gnu-gcc') and hostarch != 'x86_64': +        os.environ['GCC5_IA32_PREFIX'] = 'x86_64-linux-gnu-' +        os.environ['GCC5_X64_PREFIX'] = 'x86_64-linux-gnu-' +        os.environ['GCC5_BIN'] = 'x86_64-linux-gnu-' +        os.environ['GCC_IA32_PREFIX'] = 'x86_64-linux-gnu-' +        os.environ['GCC_X64_PREFIX'] = 'x86_64-linux-gnu-' +        os.environ['GCC_BIN'] = 'x86_64-linux-gnu-' + +def build_list(cfg): +    for build in cfg.sections(): +        if not 
build.startswith('build.'): +            continue +        name = build.lstrip('build.') +        desc = 'no description' +        if 'desc' in cfg[build]: +            desc = cfg[build]['desc'] +        print(f'# {name:20s} - {desc}') + +def main(): +    parser = argparse.ArgumentParser(prog = 'edk2-build', +                                     description = 'edk2 build helper script') +    parser.add_argument('-c', '--config', dest = 'configfile', +                        type = str, default = '.edk2.builds', metavar = 'FILE', +                        help = 'read configuration from FILE (default: .edk2.builds)') +    parser.add_argument('-C', '--directory', dest = 'directory', type = str, +                        help = 'change to DIR before building', metavar = 'DIR') +    parser.add_argument('-j', '--jobs', dest = 'jobs', type = str, +                        help = 'allow up to JOBS parallel build jobs', +                        metavar = 'JOBS') +    parser.add_argument('-m', '--match', dest = 'match', +                        type = str, action = 'append', +                        help = 'only run builds matching INCLUDE (substring)', +                        metavar = 'INCLUDE') +    parser.add_argument('-x', '--exclude', dest = 'exclude', +                        type = str, action = 'append', +                        help = 'skip builds matching EXCLUDE (substring)', +                        metavar = 'EXCLUDE') +    parser.add_argument('-l', '--list', dest = 'list', +                        action = 'store_true', default = False, +                        help = 'list build configs available') +    parser.add_argument('--silent', dest = 'silent', +                        action = 'store_true', default = False, +                        help = 'write build output to logfiles, ' +                        'write to console only on errors') +    parser.add_argument('--no-logs', dest = 'nologs', +                        action = 'store_true', default = False, +  
                      help = 'do not write build log files (with --silent)') +    parser.add_argument('--core', dest = 'core', type = str, metavar = 'DIR', +                        help = 'location of the core edk2 repository ' +                        '(i.e. where BuildTools are located)') +    parser.add_argument('--pkg', '--package', dest = 'pkgs', +                        type = str, action = 'append', metavar = 'DIR', +                        help = 'location(s) of additional packages ' +                        '(can be specified multiple times)') +    parser.add_argument('-t', '--toolchain', dest = 'toolchain', +                        type = str, metavar = 'NAME', +                        help = 'tool chain to be used to build edk2') +    parser.add_argument('--version-override', dest = 'version_override', +                        type = str, metavar = 'VERSION', +                        help = 'set firmware build version') +    parser.add_argument('--release-date', dest = 'release_date', +                        type = str, metavar = 'DATE', +                        help = 'set firmware build release date (in MM/DD/YYYY format)') +    options = parser.parse_args() + +    if options.directory: +        os.chdir(options.directory) + +    if not os.path.exists(options.configfile): +        print(f'config file "{options.configfile}" not found') +        return 1 + +    cfg = configparser.ConfigParser() +    cfg.optionxform = str +    cfg.read(options.configfile) + +    if options.list: +        build_list(cfg) +        return 0 + +    if not cfg.has_section('global'): +        cfg.add_section('global') +    if options.core: +        cfg.set('global', 'core', options.core) +    if options.pkgs: +        cfg.set('global', 'pkgs', ' '.join(options.pkgs)) +    if options.toolchain: +        cfg.set('global', 'tool', options.toolchain) + +    global version_override +    global release_date +    check_rebase() +    if options.version_override: +        
version_override = options.version_override +    if options.release_date: +        release_date = options.release_date + +    prepare_env(cfg, options.silent) +    build_basetools(options.silent, options.nologs) +    for build in cfg.sections(): +        if not build.startswith('build.'): +            continue +        if options.match: +            matching = False +            for item in options.match: +                if item in build: +                    matching = True +            if not matching: +                print(f'# skipping "{build}" (not matching "{"|".join(options.match)}")') +                continue +        if options.exclude: +            exclude = False +            for item in options.exclude: +                if item in build: +                    print(f'# skipping "{build}" (matching "{item}")') +                    exclude = True +            if exclude: +                continue +        build_one(cfg, build, options.jobs, options.silent, options.nologs) + +    return 0 + +if __name__ == '__main__': +    sys.exit(main()) diff --git a/edk2-build.rhel-9 b/edk2-build.rhel-9 new file mode 100644 index 0000000..9088bf8 --- /dev/null +++ b/edk2-build.rhel-9 
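Review bot: in build_list(), `name = build.lstrip('build.')` strips any leading run of the characters b, u, i, l, d and '.' rather than the prefix, so a section such as `build.ubuntu` would be listed as `ntu`; use `name = build[len('build.'):]` (or `removeprefix` on Python 3.9+). In pad_file(), `truncate --size` also shrinks a file that is already larger than the requested size, which would silently cut a firmware image that has outgrown its 64m pflash slot; compare `os.path.getsize()` against the target first and raise if the image is larger. Minor: binary_exists() only tests os.path.exists, so a non-executable file on PATH is enough to select a cross-compiler prefix; `shutil.which()` does the right check in one call.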
@@ -0,0 +1,129 @@ + +[opts.ovmf.common] +NETWORK_HTTP_BOOT_ENABLE = TRUE +NETWORK_IP6_ENABLE       = TRUE +NETWORK_TLS_ENABLE       = TRUE +NETWORK_ISCSI_ENABLE     = TRUE +NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE +TPM2_ENABLE              = TRUE +TPM2_CONFIG_ENABLE       = TRUE +TPM1_ENABLE              = FALSE +CAVIUM_ERRATUM_27456     = TRUE + +[opts.ovmf.4m] +FD_SIZE_4MB              = TRUE + +[opts.ovmf.sb.smm] +SECURE_BOOT_ENABLE       = TRUE +SMM_REQUIRE              = TRUE +# old downstream +EXCLUDE_SHELL_FROM_FD    = TRUE +# new upstream +BUILD_SHELL              = FALSE + +[opts.ovmf.sb.stateless] +SECURE_BOOT_ENABLE       = TRUE +SMM_REQUIRE              = FALSE + +[opts.armvirt.verbose] +DEBUG_PRINT_ERROR_LEVEL  = 0x8040004F + +[opts.armvirt.silent] +DEBUG_PRINT_ERROR_LEVEL  = 0x80000000 + + +[pcds.nx.strict] +PcdDxeNxMemoryProtectionPolicy = 0xC000000000007FD5 +PcdUninstallMemAttrProtocol    = FALSE + +[pcds.nx.broken.shim.grub] +# grub.efi uses EfiLoaderData for code +PcdDxeNxMemoryProtectionPolicy = 0xC000000000007FD1 +# shim.efi has broken MemAttr code +PcdUninstallMemAttrProtocol    = TRUE + + +##################################################################### +# stateful ovmf builds (with vars in flash) + +[build.ovmf.4m.default] +desc = ovmf build (64-bit, 4MB) +conf = OvmfPkg/OvmfPkgX64.dsc +arch = X64 +opts = ovmf.common +       ovmf.4m +plat = OvmfX64 +dest = RHEL-9/ovmf +cpy1 = FV/OVMF_CODE.fd OVMF_CODE.fd +cpy2 = FV/OVMF_VARS.fd +cpy3 = X64/Shell.efi + +[build.ovmf.4m.sb.smm] +desc = ovmf build (64-bit, 4MB, q35 only, needs smm, secure boot) +conf = OvmfPkg/OvmfPkgX64.dsc +arch = X64 +opts = ovmf.common +       ovmf.4m +       ovmf.sb.smm +plat = OvmfX64 +dest = RHEL-9/ovmf +cpy1 = FV/OVMF_CODE.fd OVMF_CODE.secboot.fd +cpy2 = X64/EnrollDefaultKeys.efi + + +##################################################################### +# stateless ovmf builds (firmware in rom or r/o flash) + +[build.ovmf.amdsev] +desc = ovmf build for AmdSev (4MB) 
+conf = OvmfPkg/AmdSev/AmdSevX64.dsc +arch = X64 +opts = ovmf.common +       ovmf.4m +plat = AmdSev +dest = RHEL-9/ovmf +cpy1 = FV/OVMF.fd OVMF.amdsev.fd + +[build.ovmf.inteltdx] +desc = ovmf build for IntelTdx (4MB) +conf = OvmfPkg/IntelTdx/IntelTdxX64.dsc +arch = X64 +opts = ovmf.common +       ovmf.4m +       ovmf.sb.stateless +plat = IntelTdx +dest = RHEL-9/ovmf +cpy1 = FV/OVMF.fd OVMF.inteltdx.fd + + +##################################################################### +# armvirt builds + +[build.armvirt.aa64.verbose] +desc = ArmVirt build for qemu, 64-bit (arm v8), verbose +conf = ArmVirtPkg/ArmVirtQemu.dsc +arch = AARCH64 +opts = ovmf.common +       armvirt.verbose +pcds = nx.broken.shim.grub +plat = ArmVirtQemu-AARCH64 +dest = RHEL-9/aarch64 +cpy1 = FV/QEMU_EFI.fd +cpy2 = FV/QEMU_VARS.fd +cpy3 = FV/QEMU_EFI.fd  QEMU_EFI-pflash.raw +cpy4 = FV/QEMU_VARS.fd vars-template-pflash.raw +pad3 = QEMU_EFI-pflash.raw      64m +pad4 = vars-template-pflash.raw 64m + +[build.armvirt.aa64.silent] +desc = ArmVirt build for qemu, 64-bit (arm v8), silent +conf = ArmVirtPkg/ArmVirtQemu.dsc +arch = AARCH64 +opts = ovmf.common +       armvirt.silent +pcds = nx.broken.shim.grub +plat = ArmVirtQemu-AARCH64 +dest = RHEL-9/aarch64 +cpy1 = FV/QEMU_EFI.fd  QEMU_EFI.silent.fd +cpy2 = FV/QEMU_EFI.fd  QEMU_EFI-silent-pflash.raw +pad2 = QEMU_EFI-silent-pflash.raw 64m diff --git a/edk2.spec b/edk2.spec new file mode 100644 index 0000000..74db305 --- /dev/null +++ b/edk2.spec 
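Review bot: `NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE` in [opts.ovmf.common] lifts the upstream default (FALSE), under which the UEFI HTTP boot driver accepts only https:// URIs; with TRUE, plain http:// boot sources are accepted and the fetched loader is protected only by Secure Boot where that is enabled, which the aarch64 builds and the 50-edk2-ovmf-x64-nosb.json image do not have. Every other deliberate deviation in this file carries a comment; add one here stating the rationale. Also, [pcds.nx.strict] is defined but no build references it, so every aarch64 image ships with the relaxed [pcds.nx.broken.shim.grub] policy (0xC000000000007FD1 plus PcdUninstallMemAttrProtocol = TRUE); either wire the strict set into a build or comment that it is kept for later. Naming nit: [opts.ovmf.common] also feeds the ArmVirt builds and carries the ARM-only CAVIUM_ERRATUM_27456 define, so "virt.common" would describe it better.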
@@ -0,0 +1,1509 @@ +ExclusiveArch: x86_64 aarch64 + +# edk2-stable202405 +%define GITDATE        20240524 +%define GITCOMMIT      3e722403cd +%define TOOLCHAIN      GCC + +%define OPENSSL_VER    3.0.7 +%define OPENSSL_HASH   8e5beb77088bfec064d60506b1e76ddb0ac417fe + +%define DBXDATE        20230509 + +%define build_ovmf 0 +%define build_aarch64 0 +%ifarch x86_64 +  %define build_ovmf 1 +%endif +%ifarch aarch64 +  %define build_aarch64 1 +%endif + +Name:       edk2 +Version:    %{GITDATE} +Release:    2%{?dist} +Summary:    UEFI firmware for 64-bit virtual machines +License:    BSD-2-Clause-Patent and Apache-2.0 and MIT +URL:        http://www.tianocore.org + +# The source tarball is created using following commands: +# COMMIT=ba91d0292e +# git archive --format=tar --prefix=edk2-$COMMIT/ $COMMIT \ +# | xz -9ev >/tmp/edk2-$COMMIT.tar.xz +Source0: edk2-%{GITCOMMIT}.tar.xz +Source1: ovmf-whitepaper-c770f8c.txt +Source2: openssl-rhel-%{OPENSSL_HASH}.tar.xz + +# json description files +Source10: 50-edk2-aarch64-qcow2.json +Source11: 51-edk2-aarch64-raw.json +Source12: 52-edk2-aarch64-verbose-qcow2.json +Source13: 53-edk2-aarch64-verbose-raw.json + +Source40: 30-edk2-ovmf-x64-sb-enrolled.json +Source41: 40-edk2-ovmf-x64-sb.json +Source43: 50-edk2-ovmf-x64-nosb.json +Source44: 60-edk2-ovmf-x64-amdsev.json +Source45: 60-edk2-ovmf-x64-inteltdx.json + +# https://gitlab.com/kraxel/edk2-build-config +Source80: edk2-build.py +Source82: edk2-build.rhel-9 + +Source90: DBXUpdate-%{DBXDATE}.x64.bin +Patch1: 0003-Remove-paths-leading-to-submodules.patch +Patch2: 0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch +Patch3: 0005-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch +Patch4: 0006-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch +Patch5: 0007-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch +Patch6: 0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch +Patch7: 0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch +Patch8: 
0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch +Patch9: 0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch +Patch10: 0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch +Patch11: 0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch +Patch12: 0014-OvmfPkg-Remove-EbcDxe-RHEL-only.patch +Patch13: 0015-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch +Patch14: 0016-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch +Patch15: 0017-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch +Patch16: 0018-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch +Patch17: 0019-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch +Patch18: 0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch +Patch19: 0021-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch +Patch20: 0022-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch +Patch21: 0023-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch +Patch22: 0024-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch +Patch23: 0025-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch +Patch24: 0026-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch +Patch25: 0027-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch +Patch26: 0028-CryptoPkg-CrtLib-add-stat.h-include-file.patch +Patch27: 0029-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch +Patch28: 0030-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch +Patch29: 0031-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch +Patch30: 0032-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch +Patch31: 0033-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch +Patch32: 0034-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch +Patch33: 0035-OvmfPkg-add-morlock-support.patch +Patch34: 0036-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch +Patch35: 0037-SecurityPkg-RngDxe-add-rng-test.patch +Patch36: 
0038-OvmfPkg-wire-up-RngDxe.patch +Patch37: 0039-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch +Patch38: 0040-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch +# For RHEL-43442 - edk2 disconnects abnormally before loading the kernel +Patch39: edk2-MdeModulePkg-Warn-if-out-of-flash-space-when-writing.patch + +# python3-devel and libuuid-devel are required for building tools. +# python3-devel is also needed for varstore template generation and +# verification with "ovmf-vars-generator". +BuildRequires:  python3-devel +BuildRequires:  libuuid-devel +BuildRequires:  /usr/bin/iasl +BuildRequires:  binutils gcc git gcc-c++ make +BuildRequires:  perl perl(JSON) +BuildRequires:  qemu-img + +%if %{build_ovmf} +# Only OVMF includes 80x86 assembly files (*.nasm*). +BuildRequires:  nasm + +# Only OVMF includes the Secure Boot feature, for which we need to separate out +# the UEFI shell. +BuildRequires:  dosfstools +BuildRequires:  mtools +BuildRequires:  xorriso + +# secure boot enrollment +BuildRequires:  python3dist(virt-firmware) >= 23.4 + +# endif build_ovmf +%endif + + +%package ovmf +Summary:    UEFI firmware for x86_64 virtual machines +BuildArch:  noarch +Provides:   OVMF = %{version}-%{release} +Obsoletes:  OVMF < 20180508-100.gitee3198e672e2.el7 + +# OVMF includes the Secure Boot and IPv6 features; it has a builtin OpenSSL +# library. +Provides:   bundled(openssl) = %{OPENSSL_VER} +License:    BSD-2-Clause-Patent and Apache-2.0 + +# URL taken from the Maintainers.txt file. +URL:        http://www.tianocore.org/ovmf/ + +%description ovmf +OVMF (Open Virtual Machine Firmware) is a project to enable UEFI support for +Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU +and KVM. 
+ + +%package aarch64 +Summary:    UEFI firmware for aarch64 virtual machines +BuildArch:  noarch +Provides:   AAVMF = %{version}-%{release} +Obsoletes:  AAVMF < 20180508-100.gitee3198e672e2.el7 + +# need libvirt version with qcow2 support +Conflicts:  libvirt-daemon-driver-qemu < 9.2.0 + +# No Secure Boot for AAVMF yet, but we include OpenSSL for the IPv6 stack. +Provides:   bundled(openssl) = %{OPENSSL_VER} +License:    BSD-2-Clause-Patent and Apache-2.0 + +# URL taken from the Maintainers.txt file. +URL:        https://github.com/tianocore/tianocore.github.io/wiki/ArmVirtPkg + +%description aarch64 +AAVMF (ARM Architecture Virtual Machine Firmware) is an EFI Development Kit II +platform that enables UEFI support for QEMU/KVM ARM Virtual Machines. This +package contains a 64-bit build. + + +%package tools +Summary:        EFI Development Kit II Tools +License:        BSD-2-Clause-Patent +URL:            https://github.com/tianocore/tianocore.github.io/wiki/BaseTools +%description tools +This package provides tools that are needed to +build EFI executables and ROMs using the GNU tools. + +%package tools-doc +Summary:        Documentation for EFI Development Kit II Tools +BuildArch:      noarch +License:        BSD-2-Clause-Patent +URL:            https://github.com/tianocore/tianocore.github.io/wiki/BaseTools +%description tools-doc +This package documents the tools that are needed to +build EFI executables and ROMs using the GNU tools. + +%description +EDK II is a modern, feature-rich, cross-platform firmware development +environment for the UEFI and PI specifications. This package contains sample +64-bit UEFI firmware builds for QEMU and KVM. + +%prep +# We needs some special git config options that %%autosetup won't give us. +# We init the git dir ourselves, then tell %%autosetup not to blow it away. 
+%setup -q -n edk2-%{GITCOMMIT} +git init -q +git config core.whitespace cr-at-eol +git config am.keepcr true +# -T is passed to %%setup to not re-extract the archive +# -D is passed to %%setup to not delete the existing archive dir +%autosetup -T -D -n edk2-%{GITCOMMIT} -S git_am + +cp -a -- %{SOURCE1} . +cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} . +cp -a -- %{SOURCE40} %{SOURCE41} %{SOURCE43} %{SOURCE44} %{SOURCE45} . +cp -a -- %{SOURCE80} %{SOURCE82} . +cp -a -- %{SOURCE90} . +tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x + +# Done by %setup, but we do not use it for the auxiliary tarballs +chmod -Rf a+rX,u+w,g-w,o-w . + +%build + +build_iso() { +  dir="$1" +  UEFI_SHELL_BINARY=${dir}/Shell.efi +  ENROLLER_BINARY=${dir}/EnrollDefaultKeys.efi +  UEFI_SHELL_IMAGE=uefi_shell.img +  ISO_IMAGE=${dir}/UefiShell.iso + +  UEFI_SHELL_BINARY_BNAME=$(basename -- "$UEFI_SHELL_BINARY") +  UEFI_SHELL_SIZE=$(stat --format=%s -- "$UEFI_SHELL_BINARY") +  ENROLLER_SIZE=$(stat --format=%s -- "$ENROLLER_BINARY") + +  # add 1MB then 10% for metadata +  UEFI_SHELL_IMAGE_KB=$(( +    (UEFI_SHELL_SIZE + ENROLLER_SIZE + 1 * 1024 * 1024) * 11 / 10 / 1024 +  )) + +  # create non-partitioned FAT image +  rm -f -- "$UEFI_SHELL_IMAGE" +  mkdosfs -C "$UEFI_SHELL_IMAGE" -n UEFI_SHELL -- "$UEFI_SHELL_IMAGE_KB" + +  # copy the shell binary into the FAT image +  export MTOOLS_SKIP_CHECK=1 +  mmd   -i "$UEFI_SHELL_IMAGE"                       ::efi +  mmd   -i "$UEFI_SHELL_IMAGE"                       ::efi/boot +  mcopy -i "$UEFI_SHELL_IMAGE"  "$UEFI_SHELL_BINARY" ::efi/boot/bootx64.efi +  mcopy -i "$UEFI_SHELL_IMAGE"  "$ENROLLER_BINARY"   :: +  mdir  -i "$UEFI_SHELL_IMAGE"  -/                   :: + +  # build ISO with FAT image file as El Torito EFI boot image +  mkisofs -input-charset ASCII -J -rational-rock \ +    -e "$UEFI_SHELL_IMAGE" -no-emul-boot \ +    -o "$ISO_IMAGE" "$UEFI_SHELL_IMAGE" +} + +export EXTRA_OPTFLAGS="%{optflags}" +export 
EXTRA_LDFLAGS="%{__global_ldflags}" +export RELEASE_DATE="$(echo %{GITDATE} | sed -e 's|\(....\)\(..\)\(..\)|\2/\3/\1|')" + +touch OvmfPkg/AmdSev/Grub/grub.efi   # dummy +python3 CryptoPkg/Library/OpensslLib/configure.py + +# include dirs of unused submodules +mkdir -p CryptoPkg/Library/MbedTlsLib/mbedtls/include +mkdir -p CryptoPkg/Library/MbedTlsLib/mbedtls/include/mbedtls +mkdir -p CryptoPkg/Library/MbedTlsLib/mbedtls/library +mkdir -p SecurityPkg/DeviceSecurity/SpdmLib/libspdm/include + +%if %{build_ovmf} +./edk2-build.py --config edk2-build.rhel-9 -m ovmf --release-date "$RELEASE_DATE" +build_iso RHEL-9/ovmf +cp DBXUpdate-%{DBXDATE}.x64.bin RHEL-9/ovmf +virt-fw-vars --input   RHEL-9/ovmf/OVMF_VARS.fd \ +             --output  RHEL-9/ovmf/OVMF_VARS.secboot.fd \ +             --set-dbx DBXUpdate-%{DBXDATE}.x64.bin \ +             --enroll-redhat --secure-boot +virt-fw-vars --input   RHEL-9/ovmf/OVMF.inteltdx.fd \ +             --output  RHEL-9/ovmf/OVMF.inteltdx.secboot.fd \ +             --set-dbx DBXUpdate-%{DBXDATE}.x64.bin \ +             --enroll-redhat --secure-boot \ +             --set-fallback-no-reboot +%endif + +%if %{build_aarch64} +./edk2-build.py --config edk2-build.rhel-9 -m armvirt --release-date "$RELEASE_DATE" +for raw in */aarch64/*.raw; do +    qcow2="${raw%.raw}.qcow2" +    qemu-img convert -f raw -O qcow2 -o cluster_size=4096 -S 4096 "$raw" "$qcow2" +done +%endif + +%install + +cp -a OvmfPkg/License.txt License.OvmfPkg.txt +cp -a CryptoPkg/Library/OpensslLib/openssl/LICENSE.txt LICENSE.openssl +mkdir -p %{buildroot}%{_datadir}/qemu/firmware + +# install the tools +mkdir -p %{buildroot}%{_bindir} \ +         %{buildroot}%{_datadir}/%{name}/Conf \ +         %{buildroot}%{_datadir}/%{name}/Scripts +install BaseTools/Source/C/bin/* \ +        %{buildroot}%{_bindir} +install BaseTools/BinWrappers/PosixLike/LzmaF86Compress \ +        %{buildroot}%{_bindir} +install BaseTools/BuildEnv \ +        %{buildroot}%{_datadir}/%{name} +install 
BaseTools/Conf/*.template \ +        %{buildroot}%{_datadir}/%{name}/Conf +install BaseTools/Scripts/GccBase.lds \ +        %{buildroot}%{_datadir}/%{name}/Scripts + +mkdir -p %{buildroot}%{_datadir}/%{name} +cp -av RHEL-9/* %{buildroot}%{_datadir}/%{name} + +%if %{build_ovmf} +mkdir -p %{buildroot}%{_datadir}/OVMF + +ln -s ../%{name}/ovmf/OVMF_CODE.secboot.fd %{buildroot}%{_datadir}/OVMF/ +ln -s ../%{name}/ovmf/OVMF_VARS.fd         %{buildroot}%{_datadir}/OVMF/ +ln -s ../%{name}/ovmf/OVMF_VARS.secboot.fd %{buildroot}%{_datadir}/OVMF/ +ln -s ../%{name}/ovmf/UefiShell.iso        %{buildroot}%{_datadir}/OVMF/ +ln -s OVMF_CODE.fd %{buildroot}%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd + +install -m 0644 \ +        30-edk2-ovmf-x64-sb-enrolled.json \ +        40-edk2-ovmf-x64-sb.json \ +        50-edk2-ovmf-x64-nosb.json \ +        60-edk2-ovmf-x64-amdsev.json \ +        60-edk2-ovmf-x64-inteltdx.json \ +        %{buildroot}%{_datadir}/qemu/firmware + +# endif build_ovmf +%endif + +%if %{build_aarch64} +mkdir -p %{buildroot}%{_datadir}/AAVMF + +ln -s ../%{name}/aarch64/QEMU_EFI-pflash.raw \ +  %{buildroot}%{_datadir}/AAVMF/AAVMF_CODE.verbose.fd +ln -s ../%{name}/aarch64/QEMU_EFI-silent-pflash.raw \ +  %{buildroot}%{_datadir}/AAVMF/AAVMF_CODE.fd +ln -s ../%{name}/aarch64/vars-template-pflash.raw \ +  %{buildroot}%{_datadir}/AAVMF/AAVMF_VARS.fd + +install -m 0644 \ +        50-edk2-aarch64-qcow2.json \ +        51-edk2-aarch64-raw.json \ +        52-edk2-aarch64-verbose-qcow2.json \ +        53-edk2-aarch64-verbose-raw.json \ +        %{buildroot}%{_datadir}/qemu/firmware + +# endif build_aarch64 +%endif + +%check + +%global common_files \ +  %%license License.txt License.OvmfPkg.txt License-History.txt LICENSE.openssl \ +  %%dir %%{_datadir}/%%{name}/ \ +  %%dir %%{_datadir}/qemu \ +  %%dir %%{_datadir}/qemu/firmware + +%if %{build_ovmf} +%files ovmf +%common_files +%doc OvmfPkg/README +%doc ovmf-whitepaper-c770f8c.txt +%dir %{_datadir}/OVMF/ +%dir 
%{_datadir}/%{name}/ovmf/ +%{_datadir}/%{name}/ovmf/OVMF_CODE.fd +%{_datadir}/%{name}/ovmf/OVMF_CODE.cc.fd +%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd +%{_datadir}/%{name}/ovmf/OVMF_VARS.fd +%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd +%{_datadir}/%{name}/ovmf/OVMF.amdsev.fd +%{_datadir}/%{name}/ovmf/OVMF.inteltdx.fd +%{_datadir}/%{name}/ovmf/OVMF.inteltdx.secboot.fd +%{_datadir}/%{name}/ovmf/DBXUpdate*.bin +%{_datadir}/%{name}/ovmf/UefiShell.iso +%{_datadir}/OVMF/OVMF_CODE.secboot.fd +%{_datadir}/OVMF/OVMF_VARS.fd +%{_datadir}/OVMF/OVMF_VARS.secboot.fd +%{_datadir}/OVMF/UefiShell.iso +%{_datadir}/%{name}/ovmf/Shell.efi +%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi +%{_datadir}/qemu/firmware/30-edk2-ovmf-x64-sb-enrolled.json +%{_datadir}/qemu/firmware/40-edk2-ovmf-x64-sb.json +%{_datadir}/qemu/firmware/50-edk2-ovmf-x64-nosb.json +%{_datadir}/qemu/firmware/60-edk2-ovmf-x64-amdsev.json +%{_datadir}/qemu/firmware/60-edk2-ovmf-x64-inteltdx.json +# endif build_ovmf +%endif + +%if %{build_aarch64} +%files aarch64 +%common_files +%dir %{_datadir}/AAVMF/ +%dir %{_datadir}/%{name}/aarch64/ +%{_datadir}/%{name}/aarch64/QEMU_EFI-pflash.* +%{_datadir}/%{name}/aarch64/QEMU_EFI-silent-pflash.* +%{_datadir}/%{name}/aarch64/vars-template-pflash.* +%{_datadir}/AAVMF/AAVMF_CODE.verbose.fd +%{_datadir}/AAVMF/AAVMF_CODE.fd +%{_datadir}/AAVMF/AAVMF_VARS.fd +%{_datadir}/%{name}/aarch64/QEMU_EFI.fd +%{_datadir}/%{name}/aarch64/QEMU_EFI.silent.fd +%{_datadir}/%{name}/aarch64/QEMU_VARS.fd +%{_datadir}/qemu/firmware/50-edk2-aarch64-qcow2.json +%{_datadir}/qemu/firmware/51-edk2-aarch64-raw.json +%{_datadir}/qemu/firmware/52-edk2-aarch64-verbose-qcow2.json +%{_datadir}/qemu/firmware/53-edk2-aarch64-verbose-raw.json +# endif build_aarch64 +%endif + +%files tools +%license License.txt +%license License-History.txt +%{_bindir}/DevicePath +%{_bindir}/EfiRom +%{_bindir}/GenCrc32 +%{_bindir}/GenFfs +%{_bindir}/GenFv +%{_bindir}/GenFw +%{_bindir}/GenSec +%{_bindir}/LzmaCompress 
+%{_bindir}/LzmaF86Compress +%{_bindir}/TianoCompress +%{_bindir}/VfrCompile +%{_bindir}/VolInfo +%dir %{_datadir}/%{name} +%{_datadir}/%{name}/BuildEnv +%{_datadir}/%{name}/Conf +%{_datadir}/%{name}/Scripts + +%files tools-doc +%doc BaseTools/UserManuals/*.rtf + + +%changelog +* Thu Jul 25 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20240524-2 +- edk2-MdeModulePkg-Warn-if-out-of-flash-space-when-writing.patch [RHEL-43442] +- Resolves: RHEL-43442 +  (edk2 disconnects abnormally before loading the kernel) + +* Thu Jun 20 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20240524-1 +- Rebase to edk2-stable202405 +- Bumo openssl to 8e5beb77088b +- Resolves: RHEL-32486 +  (rebase to edk2-stable202405 [rhel-9]) +- Resolves: RHEL-36446 +  (edk2: enable MOR [rhel-9]) +- Resolves: RHEL-21653 +  (CVE-2023-6237 edk2: openssl: Excessive time spent checking invalid RSA public keys [rhel-9]) +- Resolves: RHEL-21150 +  (CVE-2023-6129 edk2: mysql: openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC) +- Resolves: RHEL-22490 +  (CVE-2024-0727 edk2: openssl: denial of service via null dereference [rhel-9]) + +* Mon Apr 08 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20240214-2 +- edk2-OvmfPkg-PlatformPei-log-a-warning-when-memory-is-tig.patch [RHEL-22202] +- edk2-OvmfPkg-PlatformPei-consider-AP-stacks-for-pei-memor.patch [RHEL-22202] +- edk2-OvmfPkg-PlatformPei-rewrite-page-table-calculation.patch [RHEL-22202] +- edk2-OvmfPkg-PlatformPei-log-pei-memory-cap-details.patch [RHEL-22202] +- edk2-UefiCpuPkg-MpInitLib-Add-support-for-multiple-HOBs-t.patch [RHEL-22202] +- edk2-UefiCpuPkg-MpInitLib-Add-support-for-multiple-HOBs-t.p2.patch [RHEL-22202] +- edk2-UefiCpuPkg-MpInitLib-Add-support-for-multiple-HOBs-t.p3.patch [RHEL-22202] +- edk2-UefiCpuPkg-MpInitLib-Add-support-for-multiple-HOBs-t.p4.patch [RHEL-22202] +- edk2-UefiCpuPkg-MpInitLib-Add-support-for-multiple-HOBs-t.p5.patch [RHEL-22202] +- edk2-UefiCpuPkg-MpInitLib-return-early-in-GetBspNumber.patch 
[RHEL-22202] +- Resolves: RHEL-22202 +  ([EDK2] Support booting with 4096 vcpus) + +* Tue Feb 27 2024 Gerd Hoffmann <kraxel@redhat.com> - 20240214-1 +- Rebase to edk2-stable202302 +- Resolves: RHEL-26879 + +* Thu Feb 22 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-6 +- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p2.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p3.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 
RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523p4.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- edk2-NetworkPkg-Updating-SecurityFixes.yaml.patch [RHEL-21841 RHEL-21843 RHEL-21845 RHEL-21847 RHEL-21849 RHEL-21851 RHEL-21853] +- Resolves: RHEL-21841 +  (CVE-2023-45229 edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message [rhel-9]) +- Resolves: RHEL-21843 +  (CVE-2023-45230 edk2: Buffer overflow in the DHCPv6 client via a long Server ID option [rhel-9]) +- Resolves: RHEL-21845 +  (CVE-2023-45231 edk2: Out of Bounds read when handling a ND Redirect message with truncated options [rhel-9]) +- Resolves: RHEL-21847 +  (CVE-2023-45232 edk2: Infinite loop when parsing unknown options in the Destination Options header [rhel-9]) +- Resolves: RHEL-21849 +  (TRIAGE CVE-2023-45233 edk2: Infinite loop when parsing a PadN option in the Destination Options header [rhel-9]) +- Resolves: RHEL-21851 +  (CVE-2023-45234 edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message [rhel-9]) +- Resolves: RHEL-21853 +  (TRIAGE CVE-2023-45235 edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message [rhel-9]) + +* Mon Feb 19 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-5 +- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-4118.patch 
[RHEL-21157] +- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch [RHEL-21157] +- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch [RHEL-21157] +- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-411-3.patch [RHEL-21157] +- edk2-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch [RHEL-21157] +- edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch [RHEL-21704] +- edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch [RHEL-21704] +- edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch [RHEL-21704] +- edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch [RHEL-21704] +- Resolves: RHEL-21157 +  (CVE-2022-36764 edk2: heap buffer overflow in Tcg2MeasurePeImage() [rhel-9]) +- Resolves: RHEL-21704 +  (vGPU VM take several minutes to show tianocore logo if firmware is ovmf) + +* Wed Jan 31 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-4 +- edk2-OvmfPkg-VirtNorFlashDxe-add-casts-to-UINTN-and-UINT3.patch [RHEL-20963] +- edk2-OvmfPkg-VirtNorFlashDxe-clarify-block-write-logic-fi.patch [RHEL-20963] +- edk2-OvmfPkg-VirtNorFlashDxe-add-a-loop-for-NorFlashWrite.patch [RHEL-20963] +- edk2-OvmfPkg-VirtNorFlashDxe-allow-larger-writes-without-.patch [RHEL-20963] +- edk2-OvmfPkg-VirtNorFlashDxe-ValidateFvHeader-unwritten-s.patch [RHEL-20963] +- edk2-OvmfPkg-VirtNorFlashDxe-move-DoErase-code-block-into.patch [RHEL-20963] +- Resolves: RHEL-20963 +  ([rhel9] guest fails to boot due to ASSERT error) + +* Mon Jan 22 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-3 +- edk2-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch [RHEL-21155] +- edk2-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch [RHEL-21155] +- edk2-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch [RHEL-21155] +- Resolves: RHEL-21155 +  (CVE-2022-36763 edk2: heap buffer overflow in Tcg2MeasureGptTable() [rhel-9]) + +* Mon Jan 15 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-2 +- 
edk2-OvmfPkg-RiscVVirt-use-gEfiAuthenticatedVariableGuid-.patch [RHEL-20963] +- edk2-OvmfPkg-VirtNorFlashDxe-stop-accepting-gEfiVariableG.patch [RHEL-20963] +- edk2-OvmfPkg-VirtNorFlashDxe-sanity-check-variables.patch [RHEL-20963] +- Resolves: RHEL-20963 +  ([rhel9] guest fails to boot due to ASSERT error) + +* Fri Dec 15 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-1 +- Rebase to edk2-stable202311 [RHEL-12323] +- Switch to OpenSSL 3.0 [RHEL-49] +- Resolves: RHEL-12323 +  (Rebase EDK2 for RHEL 9.4) +- Resolves: RHEL-49 +  (consume / bundle RHEL-9 OpenSSL (version 3.0.x) in RHEL-9 edk2) + +* Mon Oct 09 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20230524-4 +- edk2-OvmfPkg-ResetVector-Fix-assembler-bit-test-flag-chec.patch [RHEL-9943] +- Resolves: RHEL-9943 +  ([EDK2][AMDSERVER Bug] OvmfPkg/ResetVector: Fix assembler bit test flag check [rhel-9.3.0.z]) + +* Thu Aug 24 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20230524-3 +- edk2-OvmfPkg-AmdSev-fix-BdsPlatform.c-assertion-failure-d.patch [bz#2190244] +- edk2-OvmfPkg-IoMmuDxe-add-locking-to-IoMmuAllocateBounceB.patch [bz#2211060] +- edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch [bz#2218196] +- Resolves: bz#2190244 +  ([EDK2] [AMDSERVER 9.3 Bug] OVMF AP Creation Fixes) +- Resolves: bz#2211060 +  (SEV-es guest randomly stuck at boot to hard drive screen from powerdown and boot again) +- Resolves: bz#2218196 +  (Add vtpm devices with OVMF.amdsev.fd causes VM reset) + +* Mon Jul 10 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20230524-2 +- edk2-ArmVirt-add-VirtioSerialDxe-to-ArmVirtQemu-builds.patch [RHEL-643] +- edk2-ArmVirt-PlatformBootManagerLib-factor-out-IsVirtio.patch [RHEL-643] +- edk2-ArmVirt-PlatformBootManagerLib-factor-out-IsVirtioPc.patch [RHEL-643] +- edk2-ArmVirt-PlatformBootManagerLib-set-up-virtio-serial-.patch [RHEL-643] +- edk2-OvmfPkg-VirtioSerialDxe-use-TPL_NOTIFY.patch [RHEL-643] +- edk2-OvmfPkg-VirtioSerialDxe-Remove-noisy-debug-print-on-.patch [RHEL-643] +- 
edk2-OvmfPkg-PlatformInitLib-limit-phys-bits-to-46.patch [bz#2174749] +- edk2-Revert-OvmfPkg-disable-dynamic-mmio-window-rhel-only.patch [bz#2174749] +- edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch [bz#2124143] +- edk2-OvmfPkg-PlatformInitLib-check-PcdUse1GPageTable.patch [RHEL-644] +- edk2-OvmfPkg-OvmfPkgIa32X64-enable-1G-pages.patch [RHEL-644] +- edk2-OvmfPkg-MicrovmX64-enable-1G-pages.patch [RHEL-644] +- Resolves: RHEL-643 +  (add virtio serial support to armvirt) +- Resolves: bz#2174749 +  ([edk2] re-enable dynamic mmio window) +- Resolves: bz#2124143 +  (ovmf must consider max cpu count not boot cpu count for apic mode [rhel-9]) +- Resolves: RHEL-644 +  (enable gigabyte pages) + +* Tue Jun 27 2023 Oliver Steffen <osteffen@redhat.com> - 20230524-1 +- Rebase to edk2-stable202305 tag [RHEL-585] +  Resolves: RHEL-585 +  ([rhel-9.3] rebase EDK2 to edk2-stable202305) + +* Mon May 22 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20230301gitf80f052277c8-5 +- edk2-dbx-update-2023-05-09-black-lotus-edition.patch [RHEL-470] +- edk2-json-descriptors-explicitly-set-mode-split.patch [RHEL-469] +- Resolves: RHEL-470 +  (edk2: update variable store with latest dbx updates (may 9, black lotus edition)) +- Resolves: RHEL-469 +  (explicitly set mode = split in firmware json description files) + +* Tue May 16 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20230301gitf80f052277c8-4 +- edk2-OvmfPkg-Clarify-invariants-for-NestedInterruptTplLib.patch [bz#2189136] +- edk2-OvmfPkg-Relax-assertion-that-interrupts-do-not-occur.patch [bz#2189136] +- Resolves: bz#2189136 +  (windows 11 installation broken with edk2-20230301gitf80f052277c8-1.el9) + +* Mon May 08 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20230301gitf80f052277c8-3 +- edk2-add-aarch64-qcow2-images.patch [bz#2186754] +- edk2-update-json-files.patch [bz#2186754] +- edk2-add-libvirt-version-conflict.patch [bz#2186754] +- edk2-add-dbx-update-blob-rh-only.patch [RHEL-377] +- 
edk2-spec-apply-dbx-update-rh-only.patch [RHEL-377] +- Resolves: bz#2186754 +  (edk2: Add firmware images in qcow2 format) +- Resolves: RHEL-377 +  (edk2: ship secure build variable store with latest dbx updates) + +* Wed Apr 05 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20230301gitf80f052277c8-2 +- edk2-build-script-update.patch [bz#2183230] +- edk2-PcdDxeNxMemoryProtectionPolicy-update.patch [bz#2183230] +- Resolves: bz#2183230 +  ([edk2] Instruction abort exception when booting a VM) + +* Wed Mar 22 2023 Miroslav Rezanina <mrezanin@redaht.com> - 20230301gitf80f052277c8-1 +- Rebase to edk2-stable202302 [RHEL-266] +- Resolves: RHEL-266 +  (rebase edk2 to 2023-02 stable tag) + +* Fri Mar 17 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20221207gitfff6d81270b5-9 +- edk2-remove-amd-sev-feature-flag-from-secure-boot-builds-.patch [bz#2169247] +- Resolves: bz#2169247 +  ([edk2] Install a sev guest with enrolled secure boot failed) + +* Fri Mar 10 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20221207gitfff6d81270b5-8 +- edk2-OvmfPkg-disable-dynamic-mmio-window-rhel-only.patch [bz#2174605] +- Resolves: bz#2174605 +  ([EDK2] disable dynamic mmio window) + +* Tue Feb 21 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20221207gitfff6d81270b5-7 +- edk2-Revert-MdeModulePkg-TerminalDxe-add-other-text-resol.patch [bz#2162307] +- Resolves: bz#2162307 +  (Broken GRUB output on a serial console) + +* Mon Feb 13 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20221207gitfff6d81270b5-6 +- edk2-update-build-script-rhel-only.patch [bz#2168046] +- edk2-update-build-config-rhel-only.patch [bz#2168046] +- edk2-add-release-date-to-builds-rh-only.patch [bz#2168046] +- edk2-openssl-update.patch [bz#2164534 bz#2164550 bz#2164565 bz#2164583] +- edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164534 bz#2164550 bz#2164565 bz#2164583] +- Resolves: bz#2168046 +  ([SVVP] job 'Check SMBIOS Table Specific Requirements' failed on win2022) +- Resolves: bz#2164534 +  
(CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-9]) +- Resolves: bz#2164550 +  (CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-9]) +- Resolves: bz#2164565 +  (CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-9]) +- Resolves: bz#2164583 +  (CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-9]) + +* Mon Feb 06 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20221207gitfff6d81270b5-5 +- edk2-Revert-ArmVirtPkg-ArmVirtQemu-enable-initial-ID-map-.patch [bz#2157656] +- Resolves: bz#2157656 +  ([edk2] [aarch64] Unable to initialize EFI firmware when using edk2-aarch64-20221207gitfff6d81270b5-1.el9 in some hardwares) + +* Wed Jan 18 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20221207gitfff6d81270b5-4 +- edk2-ArmVirt-don-t-use-unaligned-CopyMem-on-NOR-flash.patch [bz#2158173] +- Resolves: bz#2158173 +  ([aarch64][numa] Failed to create 2 numa nodes in some hardwares) + +* Mon Jan 16 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20221207gitfff6d81270b5-3 +- edk2-OvmfPkg-VirtNorFlashDxe-map-flash-memory-as-uncachea.patch [bz#2158173] +- edk2-MdePkg-Remove-Itanium-leftover-data-structure-RH-onl.patch [bz#1983086] +- Resolves: bz#2158173 +  ([aarch64][numa] Failed to create 2 numa nodes in some hardwares) +- Resolves: bz#1983086 +  (Assertion failure when creating 1024 VCPU VM: [...]UefiCpuPkg/CpuMpPei/CpuBist.c(186): !EFI_ERROR (Status)) + +* Thu Jan 05 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20221207gitfff6d81270b5-2 +- edk2-use-rpm-build-flags-rh-only.patch [RHEL-177] +- Resolves: RHEL-177 +  (Enable GNU_RELRO security protection) + +* Thu Dec 15 2022 Camilla Conte <cconte@redhat.com> - 20221207gitfff6d81270b5-1 +- Rebase to edk2-stable202211 tag +  Resolves: RHEL-119 +  (rebase edk2 to edk2-stable202211) +- Resolves: RHEL-75 +  (edk2 builds should show the build version) +- Resolves: bz#2132951 +  (edk2: Sort traditional virtualization builds 
before Confidential Computing builds) + +* Mon Nov 21 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220826gitba0e0e4c6a-2 +- edk2-MdeModulePkg-PiSmmCore-SmmEntryPoint-underflow-CVE-2.patch [bz#1989857] +- Resolves: bz#1989857 +  (CVE-2021-38578 edk2: integer underflow in SmmEntryPoint function leads to potential SMM privilege escalation [rhel-9.0]) + +* Tue Oct 11 2022 Miroslav Rezanina <mrezanin@redhat.com> -  0220826gitba0e0e4c6a-1 +- Rebase to edk2-stable202208 tag [RHELX-59] +  Resolves: RHELX-59 +  (rebase edk2 to 2022-08 stable tag) + +* Fri Sep 16 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220526git16779ede2d36-4 +- edk2-OvmfPkg-QemuVideoDxe-fix-bochs-mode-init.patch [RHELX-58] +- Resolves: RHELX-58 +  (Guest console turns black with uefi rhel guests and stdvga) + +* Mon Aug 01 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220526git16779ede2d36-3 +- edk2-openssl-jump-to-8.7.0-branch-2022-07-22.patch [bz#2074843] +- edk2-ovmf-vars-generator-Use-max-cpu.patch [bz#2111567] +- Resolves: bz#2074843 +  (edk2: sync openssl sources with rhel openssl rpm) +- Resolves: bz#2111567 +  (EDK2 build stuck with qemu-kvm-7.0.0-8.el9 or newer) + +* Fri Jun 24 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220526git16779ede2d36-2 +- edk2-OvmfPkg-Update-target-machines-config.patch [bz#2090752] +- Resolves: bz#2090752 +  (Add RHEL 8.5, 8,6 and 9.x machine types to firmware descriptor files 50-edk2-ovmf-{amdsev,cc}.json) + +* Mon Jun 13 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220526git16779ede2d36-1 +- Rebase to edk2-stable-202205 [bz#2074831] +- Resolves: bz#2074831 +  (rebase edk2 to May 2022 release (edk2-stable202205)) + +* Thu May 26 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220221gitb24306f15d-2 +- edk2-Revert-ArmVirtPkg-Remove-QemuRamfbDxe-display-device.patch [bz#2087220] +- edk2-Revert-OvmfPkg-Remove-QemuRamfbDxe-display-device-dr.patch [bz#2087220] +- Resolves: bz#2087220 +  (VNC display show "Guest has not initialized the display" when 
using ramfb + ovmf) + +* Thu Mar 31 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220221gitb24306f15d-1 +- Rebae to edk-stable-202202 [bz#2056910] +- Resolves: bz#2056910 +  ([rebase] update edk2 to feb '22 release (edk2-stable202202xx)) + +* Wed Mar 23 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-4 +- edk2-Revert-OvmfPkg-Remove-NvmExpressDxe-device-driver-RH.patch [bz#2044196] +- edk2-Revert-ArmVirtPkg-Remove-NvmExpressDxe-device-driver.patch [bz#2044196] +- Resolves: bz#2044196 +  (RFE: [nvme-vfio] The virt-install interface throws info "Failed to set new efi boot target"  when install a vm on a hostdev nvme disk) + +* Wed Feb 23 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-3 +- edk2-spec-build-amdsev-variant.patch [bz#2054661] +- edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch [bz#2041755] +- Resolves: bz#2054661 +  (RFE:  Support measured AMD SEV boot with kernel/initrd/cmdline in OVMF) +- Resolves: bz#2041755 +  (Mark SEV launch secret area as reserved) + +* Tue Feb 08 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-2 +- edk2-OvmfPkg-remove-unused-TPM-options-from-MicrovmX64.ds.patch [bz#1935497] +- edk2-OvmfPkg-move-tcg-configuration-to-dsc-and-fdf-includ.patch [bz#1935497] +- edk2-OvmfPkg-drop-TPM_CONFIG_ENABLE.patch [bz#1935497] +- edk2-OvmfPkg-create-Tcg12ConfigPei.inf.patch [bz#1935497] +- edk2-OvmfPkg-rework-TPM-configuration.patch [bz#1935497] +- edk2-spec-adapt-specfile-to-build-option-changes-disable-.patch [bz#1935497] +- Resolves: bz#1935497 +  (edk2  implements and/or uses the deprecated MD5 and SHA-1 algorithms by default) + +* Tue Feb 01 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-1 +- Rebase to latest upstream release [bz#2018388] +- Resolves: bz#2018388 +  ([rebase] update edk2 to nov '21 release (edk2-stable202111xx)) + +* Fri Jan 14 2022 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-8 +- 
edk2-Revert-advertise-OpenSSL-on-TianoCore-splash-screen-.patch [bz#2027286] +- Resolves: bz#2027286 +  (Remove the customized boot splash logo patch) + +* Mon Nov 01 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-7 +- edk2-fix-tpm-build-options.patch [bz#2000396] +- Resolves: bz#2000396 +  ([aarch64][RHEL9] The lack of TPMFinalLog in efi causes the tpm self-test in the guest to fail) + +* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 20210527gite1999b264f1f-6 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags +  Related: rhbz#1991688 + +* Fri Aug 06 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-5 +- edk2-MdeModulePkg-PartitionDxe-Ignore-PMBR-BootIndicator-.patch [bz#1988760] +- Resolves: bz#1988760 +  (edk2 does not ignore PMBR protective record BootIndicator as required by UEFI spec) + +* Fri Jul 30 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-4 +- edk2-spec-remove-Group-and-defattr.patch [bz#1983789] +- edk2-spec-Add-BuildRequires-make.patch [bz#1983789] +- edk2-spec-don-t-conditionalize-package-definitions.patch [bz#1983789] +- edk2-spec-Use-autosetup-with-our-required-git-config-opti.patch [bz#1983789] +- edk2-spec-Replace-ifarch-else-conditionals-with-build_XXX.patch [bz#1983789] +- edk2-spec-Move-D-TPM_ENABLE-to-common-CC_FLAGS.patch [bz#1983789] +- edk2-spec-Add-qemu_package-and-qemu_binary.patch [bz#1983789] +- edk2-spec-Remove-extra-true-at-end-of-check.patch [bz#1983789] +- edk2-spec-Move-check-to-between-install-and-files.patch [bz#1983789] +- edk2-spec-Add-qosb_testing-macro.patch [bz#1983789] +- edk2-spec-Split-out-build_iso-function.patch [bz#1983789] +- edk2-spec-Replace-RPM_BUILD_ROOT-with-buildroot.patch [bz#1983789] +- edk2-spec-Use-make_build-macro.patch [bz#1983789] +- edk2-spec-Factor-out-OVMF_FLAGS-and-OVMF_SB_FLAGS.patch [bz#1983789] +- edk2-spec-Don-t-put-build-output-in-the-top-directory.patch [bz#1983789] +- 
edk2-spec-Centralize-non-firmware-install-files-at-the-to.patch [bz#1983789] +- Resolves: bz#1983789 +  (Make spec easier to share with Fedora) + +* Mon Jul 12 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-3 +- edk2-OvmfPkg-Remove-PrintDxe-RHEL-only.patch [bz#1967747] +- edk2-OvmfPkg-Remove-EbcDxe-RHEL-only.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-EbcDxe-RHEL-only.patch [bz#1967747] +- edk2-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch [bz#1967747] +- edk2-OvmfPkg-Remove-QemuRamfbDxe-display-device-driver-RH.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-QemuRamfbDxe-display-device-driver.patch [bz#1967747] +- edk2-OvmfPkg-Remove-NvmExpressDxe-device-driver-RHEL-only.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-NvmExpressDxe-device-driver-RHEL-o.patch [bz#1967747] +- edk2-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch [bz#1967747] +- edk2-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch [bz#1967747] +- edk2-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch [bz#1967747] +- edk2-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch [bz#1967747] +- edk2-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch [bz#1967747] +- edk2-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch [bz#1967747] +- edk2-OvmfPkg-Remove-Xen-Drivers-RHEL-only.patch [bz#1967747] +- Resolves: bz#1967747 +  (edk2: review features and drivers shipped in RHEL) + +* Fri Jul 02 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-2 +- edk2-NetworkPkg-IScsiDxe-wrap-IScsiCHAP-source-files-to-8.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-simplify-ISCSI_CHAP_AUTH_DATA.In.patch [bz#1961100] 
+- edk2-NetworkPkg-IScsiDxe-clean-up-ISCSI_CHAP_AUTH_DATA.Ou.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-clean-up-library-class-dependenc.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-fix-potential-integer-overflow-i.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-assert-that-IScsiBinToHex-always.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-reformat-IScsiHexToBin-leading-c.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-hex-parsing.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-fix-IScsiHexToBin-buffer-overflo.patch [bz#1961100] +- edk2-NetworkPkg-IScsiDxe-check-IScsiHexToBin-return-value.patch [bz#1961100] +- edk2-redhat-build-UefiShell.iso-with-xorriso-rather-than-.patch [bz#1971840] +- Resolves: bz#1961100 +  (edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe [rhel-9.0]) +- Resolves: bz#1971840 +  (Please replace genisoimage with xorriso) + +* Wed Jun 23 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20210527gite1999b264f1f-1 +- Rebase to edk2-stable202105 [bz#1938254] +- Sync edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch from RHEL-8 +- Sync edk2-redhat-add-OVMF-binary-that-will-support-SEV-ES.patch from RHEL-8 +- Resolves: bz#1938254 +  ((edk2-rebase-rhel-9.0) - rebase edk2 to edk2-stable202105 for RHEL-9-Beta) + +* Fri Jan 08 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-1.el9 +- Include fixes to build in RHEL 9 environment (bz#1906468) +- Resolves: bz#1906468 +  ([RHEL9][FTBFS] edk2 FTBFS on Red Hat Enterprise Linux 9.0.0 Alpha) + +* Mon Nov 23 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-4.el8 +- edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch [bz#1849177] +- edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch [bz#1849177] +- edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch [bz#1849177] +- edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch [bz#1893806] +- 
edk2-redhat-bump-OpenSSL-dist-git-submodule-to-1.1.1g-RHE.patch [bz#1893806] +- Resolves: bz#1849177 +  (OVMF: negotiate "SMI on VCPU hotplug" with QEMU) +- Resolves: bz#1893806 +  (attempt advancing RHEL8 edk2's OpenSSL submodule to RHEL8 OpenSSL 1.1.1g (or later)) + +* Mon Aug 10 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-3.el8 +- edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch [bz#1861718] +- Resolves: bz#1861718 +  (Very slow boot when overcommitting CPU) + +* Wed Jun 24 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-2.el8 +- edk2-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch [bz#1844682] +- edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch [bz#1844682] +- edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch [bz#1844682] +- Resolves: bz#1844682 +  (silent build of edk2-aarch64 logs DEBUG_ERROR messages that don't actually report serious errors) + +* Sat Jun 13 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-1.el8 +- Rebase to edk2-stable202005 [bz#1817035] +- Resolves: bz#1817035 +  ((edk2-rebase-rhel-8.3) - rebase edk2 to upstream tag edk2-stable202005 for RHEL-8.3) + +* Fri Mar 27 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-9.el8 +- edk2-OvmfPkg-QemuVideoDxe-unbreak-secondary-vga-and-bochs.patch [bz#1806359] +- Resolves: bz#1806359 +  (bochs-display cannot show graphic wihout driver attach) + +* Tue Feb 18 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-8.el8 +- edk2-MdeModulePkg-Enable-Disable-S3BootScript-dynamically.patch [bz#1801274] +- edk2-MdeModulePkg-PiDxeS3BootScriptLib-Fix-potential-nume.patch [bz#1801274] +- Resolves: bz#1801274 +  (CVE-2019-14563 edk2: numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib [rhel-8]) + +* Tue Feb 11 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-7.el8 +- edk2-SecurityPkg-Fix-spelling-errors-PARTIAL-PICK.patch 
[bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-simplify-Ver.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-remove-else-.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-keep-PE-COFF.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-narrow-down-.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-o.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-remove-super.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-unnest-AddIm.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-eliminate-St.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-fix-retval-f.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-fix-imgexec-.patch [bz#1751993] +- edk2-SecurityPkg-DxeImageVerificationHandler-fix-defer-vs.patch [bz#1751993] +- Resolves: bz#1751993 +  (DxeImageVerificationLib handles "DENY execute on security violation" like "DEFER execute on security violation" [rhel8]) + +* Tue Jan 21 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-6.el8 +- edk2-UefiCpuPkg-PiSmmCpuDxeSmm-fix-2M-4K-page-splitting-r.patch [bz#1789335] +- Resolves: bz#1789335 +  (VM with edk2 can't boot when setting memory with '-m 2001') + +* Thu Jan 16 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-5.el8 +- edk2-MdeModulePkg-UefiBootManagerLib-log-reserved-mem-all.patch [bz#1789797] +- edk2-NetworkPkg-HttpDxe-fix-32-bit-truncation-in-HTTPS-do.patch [bz#1789797] +- Resolves: bz#1789797 +  (Backport upstream patch series: "UefiBootManagerLib, HttpDxe: tweaks for large HTTP(S) downloads" to improve HTTP(S) Boot experience with large (4GiB+) files) + +* Wed Dec 11 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-4.el8 +- edk2-redhat-set-guest-RAM-size-to-768M-for-SB-varstore-te.patch [bz#1778301] +- edk2-redhat-re-enable-Secure-Boot-varstore-template-verif.patch [bz#1778301] +- 
Resolves: bz#1778301 +  (re-enable Secure Boot (varstore template) verification in %check) + +* Thu Dec 05 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-3.el8 +- Update used openssl version [bz#1616029] +- Resolves: bz#1616029 +  (rebuild edk2 against the final RHEL-8.2.0 version of OpenSSL-1.1.1) + +* Mon Dec 02 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-2.el8 +- edk2-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch [bz#1536624] +- edk2-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch [bz#1536624] +- edk2-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch [bz#1536624] +- edk2-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch [bz#1536624] +- edk2-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch [bz#1536624] +- edk2-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch [bz#1536624] +- edk2-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch [bz#1536624] +- edk2-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch [bz#1536624] +- edk2-redhat-enable-HTTPS-Boot.patch [bz#1536624] +- Resolves: bz#1536624 +  (HTTPS enablement in OVMF) + +* Fri Nov 29 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190829git37eef91017ad-1.el8 +- Rebase to edk2-stable201908 [bz#1748180] +- Resolves: bz#1748180 +  ((edk2-rebase-rhel-8.2) - rebase edk2 to upstream tag edk2-stable201908 for RHEL-8.2) + +* Mon Aug 05 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190308git89910a39dcfd-6.el8 +- edk2-ArmVirtPkg-silence-DEBUG_VERBOSE-masking-0x00400000-.patch [bz#1714446] +- edk2-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch [bz#1714446] +- edk2-ArmPkg-DebugPeCoffExtraActionLib-debugger-commands-a.patch [bz#1714446] +- Resolves: bz#1714446 +  (edk2-aarch64 silent build is not silent enough) + +* Tue Jul 02 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190308git89910a39dcfd-5.el8 +- edk2-redhat-add-D-TPM2_ENABLE-to-the-edk2-ovmf-build-flag.patch [bz#1693205] +- 
Resolves: bz#1693205 +  (edk2: Enable TPM2 support) + +* Tue Jun 11 2019 Miroslav Rezanina <mrezanin@redhat.com> - 20190308git89910a39dcfd-4.el8 +- edk2-OvmfPkg-raise-the-PCIEXBAR-base-to-2816-MB-on-Q35.patch [bz#1666941] +- edk2-OvmfPkg-PlatformPei-set-32-bit-UC-area-at-PciBase-Pc.patch [bz#1666941] +- Resolves: bz#1666941 +  (UEFI guest cannot boot into os when setting some special memory size) + +* Tue Apr 09 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20190308git89910a39dcfd-2.el8 +- edk2-redhat-provide-firmware-descriptor-meta-files.patch [bz#1600230] +- Resolves: bz#1600230 +  ([RHEL 8.1] RFE: provide firmware descriptor meta-files for the edk2-ovmf and edk2-aarch64 firmware images) + +* Mon Apr 08 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20190308git89910a39dcfd-1.el8 +- Rebase to edk2-20190308git89910a39dcfd + +* Mon Jan 21 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-9.el8 +- edk2-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch [bz#1662184] +- edk2-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch [bz#1662184] +- edk2-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch [bz#1662184] +- edk2-git-Use-HTTPS-support.patch [] +- Resolves: bz#1662184 +  (backport fix for (theoretical?) 
regression introduced by earlier CVE fixes) + +* Wed Nov 21 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-8.el8 +- edk2-NetworkPkg-UefiPxeBcDxe-Add-EXCLUSIVE-attribute-when.patch [bz#1643377] +- Resolves: bz#1643377 +  (Exception when grubx64.efi used for UEFI netboot) + +* Tue Nov 06 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-5.el8 +- edk2-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch [bz#1641436] +- edk2-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch [bz#1641449 bz#1641453 bz#1641464 bz#1641469] +- edk2-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch [bz#1641453 bz#1641464 bz#1641469] +- edk2-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch [bz#1641445 bz#1641453 bz#1641464 bz#1641469] +- Resolves: bz#1641436 +  (CVE-2018-3613 edk2: Logic error in MdeModulePkg in EDK II firmware allows for privilege escalation by authenticated users [rhel-8]) +- Resolves: bz#1641445 +  (CVE-2017-5731 edk2: Privilege escalation via processing of malformed files in TianoCompress.c [rhel-8]) +- Resolves: bz#1641449 +  (CVE-2017-5732 edk2: Privilege escalation via processing of malformed files in BaseUefiDecompressLib.c [rhel-8]) +- Resolves: bz#1641453 +  (CVE-2017-5733 edk2: Privilege escalation via heap-based buffer overflow in MakeTable() function [rhel-8]) +- Resolves: bz#1641464 +  (CVE-2017-5734 edk2: Privilege escalation via stack-based buffer overflow in MakeTable() function [rhel-8]) +- Resolves: bz#1641469 +  (CVE-2017-5735 edk2: Privilege escalation via heap-based buffer overflow in Decode() function [rhel-8]) + +* Tue Sep 04 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-5.el8 +- edk2-BaseTools-footer.makefile-expand-BUILD_CFLAGS-last-f.patch [bz#1607906] +- edk2-BaseTools-header.makefile-remove-c-from-BUILD_CFLAGS.patch [bz#1607906] +- edk2-BaseTools-Source-C-split-O2-to-BUILD_OPTFLAGS.patch [bz#1607906] +- 
edk2-BaseTools-Source-C-take-EXTRA_OPTFLAGS-from-the-call.patch [bz#1607906] +- edk2-BaseTools-Source-C-take-EXTRA_LDFLAGS-from-the-calle.patch [bz#1607906] +- edk2-BaseTools-VfrCompile-honor-EXTRA_LDFLAGS.patch [bz#1607906] +- edk2-redhat-inject-the-RPM-compile-and-link-options-to-th.patch [bz#1607906] +- Resolves: bz#1607906 +  (edk2-tools: Does not use RPM build flags) + +* Wed Aug 08 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-4.el8 +- edk2-redhat-provide-virtual-bundled-OpenSSL-in-edk2-ovmf-.patch [bz#1607801] +- Resolves: bz#1607801 +  (add 'Provides: bundled(openssl) = 1.1.0h' to the spec file) + +* Tue Jul 24 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-3.el8 +- edk2-redhat-Provide-and-Obsolete-OVMF-and-AAVMF.patch [bz#1596148] +- edk2-ArmVirtPkg-unify-HttpLib-resolutions-in-ArmVirt.dsc..patch [bz#1536627] +- edk2-ArmVirtPkg-ArmVirtQemu-enable-the-IPv6-stack.patch [bz#1536627] +- edk2-advertise-OpenSSL-due-to-IPv6-enablement-too-RHEL-on.patch [bz#1536627] +- edk2-redhat-add-D-NETWORK_IP6_ENABLE-to-the-build-flags.patch [bz#1536627] +- edk2-redhat-update-license-fields-and-files-in-the-spec-f.patch [bz#1536627] +- Resolves: bz#1536627 +  (IPv6 enablement in OVMF) +- Resolves: bz#1596148 +  (restore Provides/Obsoletes macros for OVMF and AAVMF, from RHEL-8 Alpha) + +* Tue Jul 10 2018 Danilo C. L. 
de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-2.el8 +- Rebase edk2 on top of 20180508gitee3198e672e2 + +* Fri Jun 08 2018 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-2.gitee3198e672e2 +- OvmfPkg/PlatformBootManagerLib: connect consoles unconditionally [bz#1577546] +- build OVMF varstore template with SB enabled / certs enrolled [bz#1561128] +- connect Virtio RNG devices again [bz#1579518] +- Resolves: bz#1577546 +  (no input consoles connected under certain circumstances) +- Resolves: bz#1561128 +  (OVMF Secure boot enablement (enrollment of default keys)) +- Resolves: bz#1579518 +  (EFI_RNG_PROTOCOL no longer produced for virtio-rng) +* Wed Dec 06 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-4.git92d07e48907f.el7 +- ovmf-MdeModulePkg-Core-Dxe-log-informative-memprotect-msg.patch [bz#1520485] +- ovmf-MdeModulePkg-BdsDxe-fall-back-to-a-Boot-Manager-Menu.patch [bz#1515418] +- Resolves: bz#1515418 +  (RFE: Provide diagnostics for failed boot) +- Resolves: bz#1520485 +  (AAVMF: two new messages with silent build) + +* Fri Dec 01 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-3.git92d07e48907f.el7 +- ovmf-UefiCpuPkg-CpuDxe-Fix-multiple-entries-of-RT_CODE-in.patch [bz#1518308] +- ovmf-MdeModulePkg-DxeCore-Filter-out-all-paging-capabilit.patch [bz#1518308] +- ovmf-MdeModulePkg-Core-Merge-memory-map-after-filtering-p.patch [bz#1518308] +- Resolves: bz#1518308 +  (UEFI memory map regression (runtime code entry splitting) introduced by c1cab54ce57c) + +* Mon Nov 27 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-2.git92d07e48907f.el7 +- ovmf-MdeModulePkg-Bds-Remove-assertion-in-BmCharToUint.patch [bz#1513632] +- ovmf-MdeModulePkg-Bds-Check-variable-name-even-if-OptionN.patch [bz#1513632] +- ovmf-MdeModulePkg-PciBus-Fix-bug-that-PCI-BUS-claims-too-.patch [bz#1514105] +- ovmf-OvmfPkg-make-it-a-proper-BASE-library.patch [bz#1488247] +- ovmf-OvmfPkg-create-a-separate-PlatformDebugLibIoPort-ins.patch [bz#1488247] +- 
ovmf-OvmfPkg-save-on-I-O-port-accesses-when-the-debug-por.patch [bz#1488247] +- ovmf-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch [bz#1488247] +- ovmf-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-QemuVide.patch [bz#1488247] +- ovmf-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch [bz#1488247] +- ovmf-Revert-redhat-introduce-separate-silent-and-verbose-.patch [bz#1488247] +- Resolves: bz#1488247 +  (make debug logging no-op unless a debug console is active) +- Resolves: bz#1513632 +  ([RHEL-ALT 7.5] AAVMF fails to boot after setting BootNext) +- Resolves: bz#1514105 +  (backport edk2 commit 6e3287442774 so that PciBusDxe not over-claim resources) + +* Wed Oct 18 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-1.git92d07e48907f.el7 +- Rebase to 92d07e48907f [bz#1469787] +- Resolves: bz#1469787 +  ((ovmf-rebase-rhel-7.5) Rebase OVMF for RHEL-7.5) +- Resolves: bz#1434740 +  (OvmfPkg/PciHotPlugInitDxe: don't reserve IO space when IO support is disabled) +- Resolves: bz#1434747 +  ([Q35] code12 error when hotplug x710 device in win2016) +- Resolves: bz#1447027 +  (Guest cannot boot with 240 or above vcpus when using ovmf) +- Resolves: bz#1458192 +  ([Q35] recognize "usb-storage" devices in XHCI ports) +- Resolves: bz#1468526 +  (>1TB RAM support) +- Resolves: bz#1488247 +  (provide "OVMF_CODE.secboot.verbose.fd" for log capturing; silence "OVMF_CODE.secboot.fd") +- Resolves: bz#1496170 +  (Inconsistent MOR control variables exposed by OVMF, breaks Windows Device Guard) + +* Fri May 12 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-5.gitc325e41585e3.el7 +- ovmf-OvmfPkg-EnrollDefaultKeys-update-SignatureOwner-GUID.patch [bz#1443351] +- ovmf-OvmfPkg-EnrollDefaultKeys-expose-CertType-parameter-.patch [bz#1443351] +- ovmf-OvmfPkg-EnrollDefaultKeys-blacklist-empty-file-in-db.patch [bz#1443351] +- ovmf-OvmfPkg-introduce-the-FD_SIZE_IN_KB-macro-build-flag.patch [bz#1443351] +- ovmf-OvmfPkg-OvmfPkg.fdf.inc-extract-VARS_LIVE_SIZE-and-V.patch [bz#1443351] 
+- ovmf-OvmfPkg-introduce-4MB-flash-image-mainly-for-Windows.patch [bz#1443351] +- ovmf-OvmfPkg-raise-max-variable-size-auth-non-auth-to-33K.patch [bz#1443351] +- ovmf-OvmfPkg-PlatformPei-handle-non-power-of-two-spare-si.patch [bz#1443351] +- ovmf-redhat-update-local-build-instructions-with-D-FD_SIZ.patch [bz#1443351] +- ovmf-redhat-update-OVMF-build-commands-with-D-FD_SIZE_4MB.patch [bz#1443351] +- Resolves: bz#1443351 +  ([svvp][ovmf] job "Secure Boot Logo Test" failed  with q35&ovmf) + +* Fri Apr 28 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-4.gitc325e41585e3.el7 +- ovmf-ShellPkg-Shell-clean-up-bogus-member-types-in-SPLIT_.patch [bz#1442908] +- ovmf-ShellPkg-Shell-eliminate-double-free-in-RunSplitComm.patch [bz#1442908] +- Resolves: bz#1442908 +  (Guest hang when running a wrong command in Uefishell) + +* Tue Apr 04 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-3.gitc325e41585e3.el7 +- ovmf-ArmVirtPkg-FdtClientDxe-supplement-missing-EFIAPI-ca.patch [bz#1430262] +- ovmf-ArmVirtPkg-ArmVirtPL031FdtClientLib-unconditionally-.patch [bz#1430262] +- ovmf-MdeModulePkg-RamDiskDxe-fix-C-string-literal-catenat.patch [bz#1430262] +- ovmf-EmbeddedPkg-introduce-EDKII-Platform-Has-ACPI-GUID.patch [bz#1430262] +- ovmf-EmbeddedPkg-introduce-PlatformHasAcpiLib.patch [bz#1430262] +- ovmf-EmbeddedPkg-introduce-EDKII-Platform-Has-Device-Tree.patch [bz#1430262] +- ovmf-ArmVirtPkg-add-PlatformHasAcpiDtDxe.patch [bz#1430262] +- ovmf-ArmVirtPkg-enable-AcpiTableDxe-and-EFI_ACPI_TABLE_PR.patch [bz#1430262] +- ovmf-ArmVirtPkg-FdtClientDxe-install-DT-as-sysconfig-tabl.patch [bz#1430262] +- ovmf-ArmVirtPkg-PlatformHasAcpiDtDxe-don-t-expose-DT-if-Q.patch [bz#1430262] +- ovmf-ArmVirtPkg-remove-PURE_ACPI_BOOT_ENABLE-and-PcdPureA.patch [bz#1430262] +- Resolves: bz#1430262 +  (AAVMF: forward QEMU's DT to the guest OS only if ACPI payload is unavailable) + +* Mon Mar 27 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-2.gitc325e41585e3.el7 +- 
ovmf-MdeModulePkg-Core-Dxe-downgrade-CodeSegmentCount-is-.patch [bz#1433428] +- Resolves: bz#1433428 +  (AAVMF: Fix error message during ARM guest VM installation) + +* Wed Mar 08 2017 Laszlo Ersek <lersek@redhat.com> - ovmf-20170228-1.gitc325e41585e3.el7 +- Rebase to upstream c325e41585e3 [bz#1416919] +- Resolves: bz#1373812 +  (guest boot from network even set 'boot order=1' for virtio disk with OVMF) +- Resolves: bz#1380282 +  (Update OVMF to openssl-1.0.2k-hobbled) +- Resolves: bz#1412313 +  (select broadcast SMI if available) +- Resolves: bz#1416919 +  (Rebase OVMF for RHEL-7.4) +- Resolves: bz#1426330 +  (disable libssl in CryptoPkg) + +* Mon Sep 12 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160608b-1.git988715a.el7 +- rework downstream-only commit dde83a75b566 "setup the tree for the secure +  boot feature (RHEL only)", excluding patent-encumbered files from the +  upstream OpenSSL 1.0.2g tarball [bz#1374710] +- rework downstream-only commit dfc3ca1ee509 "CryptoPkg/OpensslLib: Upgrade +  OpenSSL version to 1.0.2h", excluding patent-encumbered files from the +  upstream OpenSSL 1.0.2h tarball [bz#1374710] + +* Thu Aug 04 2016 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20160608-3.git988715a.el7 +- ovmf-MdePkg-PCI-Add-missing-PCI-PCIE-definitions.patch [bz#1332408] +- ovmf-ArmPlatformPkg-NorFlashDxe-accept-both-non-secure-an.patch [bz#1353494] +- ovmf-ArmVirtPkg-ArmVirtQemu-switch-secure-boot-build-to-N.patch [bz#1353494] +- ovmf-ArmPlatformPkg-NorFlashAuthenticatedDxe-remove-this-.patch [bz#1353494] +- ovmf-ArmVirtPkg-add-FDF-definition-for-empty-varstore.patch [bz#1353494] +- ovmf-redhat-package-the-varstore-template-produced-by-the.patch [bz#1353494] +- ovmf-ArmVirtPkg-Re-add-the-Driver-Health-Manager.patch [bz#1353494] +- ovmf-ArmVirtPkg-HighMemDxe-allow-patchable-PCD-for-PcdSys.patch [bz#1353494] +- ovmf-ArmVirtPkg-ArmVirtQemuKernel-make-ACPI-support-AARCH.patch [bz#1353494] +- ovmf-ArmVirtPkg-align-ArmVirtQemuKernel-with-ArmVirtQemu.patch 
[bz#1353494] +- ovmf-ArmVirtPkg-ArmVirtQemu-factor-out-shared-FV.FvMain-d.patch [bz#1353494] +- ovmf-ArmVirtPkg-factor-out-Rules-FDF-section.patch [bz#1353494] +- ovmf-ArmVirtPkg-add-name-GUIDs-to-FvMain-instances.patch [bz#1353494] +- ovmf-OvmfPkg-add-a-Name-GUID-to-each-Firmware-Volume.patch [bz#1353494] +- ovmf-OvmfPkg-PlatformBootManagerLib-remove-stale-FvFile-b.patch [bz#1353494] +- ovmf-MdePkg-IndustryStandard-introduce-EFI_PCI_CAPABILITY.patch [bz#1332408] +- ovmf-MdeModulePkg-PciBusDxe-look-for-the-right-capability.patch [bz#1332408] +- ovmf-MdeModulePkg-PciBusDxe-recognize-hotplug-capable-PCI.patch [bz#1332408] +- ovmf-OvmfPkg-add-PciHotPlugInitDxe.patch [bz#1332408] +- ovmf-ArmPkg-ArmGicLib-manage-GICv3-SPI-state-at-the-distr.patch [bz#1356655] +- ovmf-ArmVirtPkg-PlatformBootManagerLib-remove-stale-FvFil.patch [bz#1353494] +- ovmf-OvmfPkg-EnrollDefaultKeys-assign-Status-before-readi.patch [bz#1356913] +- ovmf-OvmfPkg-EnrollDefaultKeys-silence-VS2015x86-warning-.patch [bz#1356913] +- ovmf-CryptoPkg-update-openssl-to-ignore-RVCT-3079.patch [bz#1356184] +- ovmf-CryptoPkg-Fix-typos-in-comments.patch [bz#1356184] +- ovmf-CryptoPkg-BaseCryptLib-Avoid-passing-NULL-ptr-to-fun.patch [bz#1356184] +- ovmf-CryptoPkg-BaseCryptLib-Init-the-content-of-struct-Ce.patch [bz#1356184] +- ovmf-CryptoPkg-OpensslLib-Upgrade-OpenSSL-version-to-1.0..patch [bz#1356184] +- Resolves: bz#1332408 +  (Q35 machine can not hot-plug scsi controller under switch) +- Resolves: bz#1353494 +  ([OVMF] "EFI Internal Shell" should be removed from "Boot Manager") +- Resolves: bz#1356184 +  (refresh embedded OpenSSL to 1.0.2h) +- Resolves: bz#1356655 +  (AAVMF: stop accessing unmapped gicv3 registers) +- Resolves: bz#1356913 +  (fix use-without-initialization in EnrollDefaultKeys.efi) + +* Tue Jul 12 2016 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20160608-2.git988715a.el7 +- ovmf-ArmPkg-ArmGicV3Dxe-configure-all-interrupts-as-non-s.patch [bz#1349407] +- 
ovmf-ArmVirtPkg-PlatformBootManagerLib-Postpone-the-shell.patch [bz#1353689] +- Resolves: bz#1349407 +  (AArch64: backport fix to run over gicv3 emulation) +- Resolves: bz#1353689 +  (AAVMF: Drops to shell with uninitialized NVRAM file) + +* Thu Jun 9 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160608-1.git988715a.el7 +- Resolves: bz#1341733 +  (prevent SMM stack overflow in OVMF while enrolling certificates in "db") +- Resolves: bz#1257882 +  (FEAT: support to boot from virtio 1.0 modern devices) +- Resolves: bz#1333238 +  (Q35 machine can not boot up successfully with more than 3 virtio-scsi +  storage controller under switch) +- Resolves: bz#1330955 +  (VM can not be booted up from hard disk successfully when with a passthrough +  USB stick) + +* Thu May 19 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160419-2.git90bb4c5.el7 +- Submit scratch builds from the exploded tree again to +  supp-rhel-7.3-candidate, despite FatPkg being OSS at this point; see +  bz#1329559. + +* Wed Apr 20 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160419-1.git90bb4c5.el7 +- FatPkg is under the 2-clause BSDL now; "ovmf" has become OSS +- upgrade to openssl-1.0.2g +- Resolves: bz#1323363 +  (remove "-D SECURE_BOOT_ENABLE" from AAVMF) +- Resolves: bz#1257882 +  (FEAT: support to boot from virtio 1.0 modern devices) +- Resolves: bz#1308678 +  (clearly separate SB-less, SMM-less OVMF binary from SB+SMM OVMF binary) + +* Fri Feb 19 2016 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20160202-2.gitd7c0dfa.el7 +- ovmf-restore-TianoCore-splash-logo-without-OpenSSL-advert.patch [bz#1308678] +- ovmf-OvmfPkg-ArmVirtPkg-show-OpenSSL-less-logo-without-Se.patch [bz#1308678] +- ovmf-OvmfPkg-simplify-VARIABLE_STORE_HEADER-generation.patch [bz#1308678] +- ovmf-redhat-bring-back-OVMF_CODE.fd-but-without-SB-and-wi.patch [bz#1308678] +- ovmf-redhat-rename-OVMF_CODE.smm.fd-to-OVMF_CODE.secboot..patch [bz#1308678] + +* Tue Feb 2 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160202-1.gitd7c0dfa.el7 
+- rebase to upstream d7c0dfa +- update OpenSSL to 1.0.2e (upstream) +- update FatPkg to SVN r97 (upstream) +- drive NVMe devices (upstream) +- resize xterm on serial console mode change, when requested with +  -fw_cfg name=opt/(ovmf|aavmf)/PcdResizeXterm,string=y +  (downstream) +- Resolves: bz#1259395 +  (revert / roll back AAVMF fix for BZ 1188054) +- Resolves: bz#1202819 +  (OVMF: secure boot limitations) +- Resolves: bz#1182495 +  (OVMF rejects iPXE oprom when Secure Boot is enabled) + +* Thu Nov 5 2015 Laszlo Ersek <lersek@redhat.com> - ovmf-20151104-1.gitb9ffeab.el7 +- rebase to upstream b9ffeab +- Resolves: bz#1207554 +  ([AAVMF] AArch64: populate SMBIOS) +- Resolves: bz#1270279 +  (AAVMF: output improvements) + +* Thu Jun 25 2015 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20150414-2.gitc9e5618.el7 +- ovmf-OvmfPkg-PlatformPei-set-SMBIOS-entry-point-version-d.patch [bz#1232876] +- Resolves: bz#1232876 +  (OVMF should install a version 2.8 SMBIOS entry point) + +* Sat Apr 18 2015 Laszlo Ersek <lersek@redhat.com> - 20150414-1.gitc9e5618.el7 +- rebase from upstream 9ece15a to c9e5618 +- adapt .gitignore files +- update to openssl-0.9.8zf +- create Logo-OpenSSL.bmp rather than modifying Logo.bmp in-place +- update to FatPkg SVN r93 (git 8ff136aa) +- drop the following downstream-only patches (obviated by upstream +  counterparts): +  "tools_def.template: use forward slash with --add-gnu-debuglink (RHEL only)" +  "tools_def.template: take GCC48 prefixes from environment (RHEL only)" +  "OvmfPkg: set video resolution of text setup to 640x480 (RHEL only)" +  "OvmfPkg: resolve OrderedCollectionLib with base red-black tree instance" +  "OvmfPkg: AcpiPlatformDxe: actualize QemuLoader.h comments" +  "OvmfPkg: AcpiPlatformDxe: remove current ACPI table loader" +  "OvmfPkg: AcpiPlatformDxe: implement QEMU's full ACPI table loader interface" +  "OvmfPkg: QemuVideoDxe: fix querying of QXL's drawable buffer size" +  "OvmfPkg: disable stale fork of SecureBootConfigDxe" + 
 "OvmfPkg: SecureBootConfigDxe: remove stale fork" +  "Try to read key strike even when ..." +  "OvmfPkg: BDS: remove dead call to PlatformBdsEnterFrontPage()" +  "OvmfPkg: BDS: drop useless return statement" +  "OvmfPkg: BDS: don't overwrite the BDS Front Page timeout" +  "OvmfPkg: BDS: optimize second argument in PlatformBdsEnterFrontPage() call" +  'OvmfPkg: BDS: drop superfluous "connect first boot option" logic' +  "OvmfPkg: BDS: drop custom boot timeout, revert to IntelFrameworkModulePkg's" +  "Add comments to clarify mPubKeyStore buffer MemCopy. ..." +  "MdeModulePkg/SecurityPkg Variable: Add boundary check..." +  "OvmfPkg: AcpiPlatformDxe: make dependency on PCI enumeration explicit" +  "MdePkg: UefiScsiLib: do not encode LUN in CDB for READ and WRITE" +  "MdePkg: UefiScsiLib: do not encode LUN in CDB for other SCSI commands" +- merge downstream AAVMF patch "adapt packaging to Arm64", which forces us to +  rename the main package from "OVMF" to "ovmf" +- drop the following ARM BDS specific tweaks (we'll only build the Intel BDS): +  "ArmPlatformPkg/Bds: generate ESP Image boot option if user pref is unset +   (Acadia)" +  "ArmPlatformPkg/Bds: check for other defaults too if user pref is unset +   (Acadia)" +  "ArmPlatformPkg/ArmVirtualizationPkg: auto-detect boot path (Acadia)" +  "ArmPlatformPkg/Bds: initialize ConIn/ConOut/ErrOut before connecting +   terminals" +  "ArmPlatformPkg/Bds: let FindCandidate() search all filesystems" +  "ArmPlatformPkg/Bds: FindCandidateOnHandle(): log full device path" +  "ArmPlatformPkg/Bds: fall back to Boot Menu when no default option was found" +  "ArmPlatformPkg/Bds: always connect drivers before looking at boot options" +- drop patch "ArmPlatformPkg/ArmVirtualizationPkg: enable DEBUG_VERBOSE (Acadia +  only)", obsoleted by fixed bug 1197141 +- tweak patch "write up build instructions (for interactive, local development) +  (RHELSA)". The defaults in "BaseTools/Conf/target.template", ie. 
+  ACTIVE_PLATFORM and TARGET_ARCH, are set for OVMF / X64. The AAVMF build +  instructions now spell out the necessary override options (-p and -a, +  respectively). +- extend patch "build FAT driver from source (RHELSA)" to the Xen build as well +  (only for consistency; we don't build for Xen). +- drop the following downstream-only AAVMF patches, due to the 77d5dac -> +  c9e5618 AAVMF rebase & join: +  "redhat/process-rh-specific.sh: fix check for hunk-less filtered patches" +  "redhat/process-rh-specific.sh: suppress missing files in final 'rm'" +  "ArmVirtualizationQemu: build UEFI shell from source (Acadia only)" +  "MdePkg: UefiScsiLib: do not encode LUN in CDB for READ and WRITE" +  "MdePkg: UefiScsiLib: do not encode LUN in CDB for other SCSI commands" +  "ArmVirtualizationPkg: work around cache incoherence on KVM affecting DTB" +  "Changed build target to supp-rhel-7.1-candidate" +  "ArmVirtualizationPkg: VirtFdtDxe: forward FwCfg addresses from DTB to PCDs" +  "ArmVirtualizationPkg: introduce QemuFwCfgLib instance for DXE drivers" +  "ArmVirtualizationPkg: clone PlatformIntelBdsLib from ArmPlatformPkg" +  "ArmVirtualizationPkg: PlatformIntelBdsLib: add basic policy" +  "OvmfPkg: extract QemuBootOrderLib" +  "OvmfPkg: QemuBootOrderLib: featurize PCI-like device path translation" +  "OvmfPkg: introduce VIRTIO_MMIO_TRANSPORT_GUID" +  "ArmVirtualizationPkg: VirtFdtDxe: use dedicated VIRTIO_MMIO_TRANSPORT_GUID" +  "OvmfPkg: QemuBootOrderLib: widen ParseUnitAddressHexList() to UINT64" +  "OvmfPkg: QemuBootOrderLib: OFW-to-UEFI translation for virtio-mmio" +  "ArmVirtualizationPkg: PlatformIntelBdsLib: adhere to QEMU's boot order" +  "ArmVirtualizationPkg: identify "new shell" as builtin shell for Intel BDS" +  "ArmVirtualizationPkg: Intel BDS: load EFI-stubbed Linux kernel from fw_cfg" +  'Revert "ArmVirtualizationPkg: work around cache incoherence on KVM affecting +   DTB"' +  "OvmfPkg: QemuBootOrderLib: expose QEMU's "-boot menu=on[, splash-time=N]"" +  
"OvmfPkg: PlatformBdsLib: get front page timeout from QEMU" +  "ArmVirtualizationPkg: PlatformIntelBdsLib: get front page timeout from QEMU" +  "ArmPkg: ArmArchTimerLib: clean up comments" +  "ArmPkg: ArmArchTimerLib: use edk2-conformant (UINT64 * UINT32) / UINT32" +  "ArmPkg: ArmArchTimerLib: conditionally rebase to actual timer frequency" +  "ArmVirtualizationQemu: ask the hardware for the timer frequency" +  "ArmPkg: DebugPeCoffExtraActionLib: debugger commands are not errors" +  "ArmPlatformPkg: PEIM startup is not an error" +  "ArmVirtualizationPkg: PlatformIntelBdsLib: lack of QEMU kernel is no error" +  "ArmVirtualizationPkg: expose debug message bitmask on build command line" +- tweak patch "rebase to upstream 77d5dac (Acadia only)": update spec changelog +  only +- tweak patch "spec: build AAVMF with the Intel BDS driver (RHELSA only)": +  apply "-D INTEL_BDS" to manual build instructions in redhat/README too +- tweak patch "spec: build and install verbose and silent (default) AAVMF +  binaries": apply DEBUG_PRINT_ERROR_LEVEL setting to interactive build +  instructions in redhat/README too +- install OVMF whitepaper as part of the OVMF build's documentation +- Resolves: bz#1211337 +  (merge AAVMF into OVMF) +- Resolves: bz#1206523 +  ([AAVMF] fix missing cache maintenance) + +* Fri Mar 06 2015 Miroslav Rezanina <mrezanin@redhat.com> - AAVMF-20141113-5.git77d5dac.el7_1 +- aavmf-ArmPkg-DebugPeCoffExtraActionLib-debugger-commands-a.patch [bz#1197141] +- aavmf-ArmPlatformPkg-PEIM-startup-is-not-an-error.patch [bz#1197141] +- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-lack-of-QEM.patch [bz#1197141] +- aavmf-ArmVirtualizationPkg-expose-debug-message-bitmask-on.patch [bz#1197141] +- aavmf-spec-build-and-install-verbose-and-silent-default-AA.patch [bz#1197141] +- Resolves: bz#1197141 +  (create silent & verbose builds) + +* Tue Feb 10 2015 Miroslav Rezanina <mrezanin@redhat.com> - AAVMF-20141113-4.git77d5dac.el7 +- 
aavmf-ArmPkg-ArmArchTimerLib-clean-up-comments.patch [bz#1188247] +- aavmf-ArmPkg-ArmArchTimerLib-use-edk2-conformant-UINT64-UI.patch [bz#1188247] +- aavmf-ArmPkg-ArmArchTimerLib-conditionally-rebase-to-actua.patch [bz#1188247] +- aavmf-ArmVirtualizationQemu-ask-the-hardware-for-the-timer.patch [bz#1188247] +- aavmf-ArmPkg-TimerDxe-smack-down-spurious-timer-interrupt-.patch [bz#1188054] +- Resolves: bz#1188054 +  (guest reboot (asked from within AAVMF) regressed in 3.19.0-0.rc5.58.aa7a host kernel) +- Resolves: bz#1188247 +  (backport "fix gBS->Stall()" series) + +* Mon Jan 19 2015 Miroslav Rezanina <mrezanin@redhat.com> - AAVMF-20141113-3.git77d5dac.el7 +- aavmf-OvmfPkg-QemuBootOrderLib-expose-QEMU-s-boot-menu-on-.patch [bz#1172756] +- aavmf-OvmfPkg-PlatformBdsLib-get-front-page-timeout-from-Q.patch [bz#1172756] +- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-get-front-p.patch [bz#1172756] +- Resolves: bz#1172756 +  ([RFE]Expose boot-menu shortcut to domain via AAVMF) + +* Wed Jan 14 2015 Miroslav Rezanina <mrezanin@redhat.com> - AAVMF-20141113-2.git77d5dac.el7 +- aavmf-ArmVirtualizationPkg-VirtFdtDxe-forward-FwCfg-addres.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-introduce-QemuFwCfgLib-instance.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-clone-PlatformIntelBdsLib-from-.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-add-basic-p.patch [bz#1172749] +- aavmf-OvmfPkg-extract-QemuBootOrderLib.patch [bz#1172749] +- aavmf-OvmfPkg-QemuBootOrderLib-featurize-PCI-like-device-p.patch [bz#1172749] +- aavmf-OvmfPkg-introduce-VIRTIO_MMIO_TRANSPORT_GUID.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-VirtFdtDxe-use-dedicated-VIRTIO.patch [bz#1172749] +- aavmf-OvmfPkg-QemuBootOrderLib-widen-ParseUnitAddressHexLi.patch [bz#1172749] +- aavmf-OvmfPkg-QemuBootOrderLib-OFW-to-UEFI-translation-for.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-adhere-to-Q.patch [bz#1172749] +- 
aavmf-ArmVirtualizationPkg-identify-new-shell-as-builtin-s.patch [bz#1172749] +- aavmf-ArmVirtualizationPkg-Intel-BDS-load-EFI-stubbed-Linu.patch [bz#1172749] +- aavmf-spec-build-AAVMF-with-the-Intel-BDS-driver-RHELSA-on.patch [bz#1172749] +- aavmf-Revert-ArmVirtualizationPkg-work-around-cache-incohe.patch [bz#1172910] +- Resolves: bz#1172749 +  (implement fw_cfg, boot order handling, and -kernel booting in ArmVirtualizationQemu) +- Resolves: bz#1172910 +  (revert Acadia-only workaround (commit df7bca4e) once Acadia host kernel (KVM) is fixed) + +* Fri Dec 05 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-7.git9ece15a.el7 +- ovmf-MdePkg-UefiScsiLib-do-not-encode-LUN-in-CDB-for-READ.patch [bz#1166971] +- ovmf-MdePkg-UefiScsiLib-do-not-encode-LUN-in-CDB-for-othe.patch [bz#1166971] +- Resolves: bz#1166971 +  (virtio-scsi disks and cd-roms with nonzero LUN are rejected with errors) + +* Tue Nov 25 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-6.git9ece15a.el7 +- ovmf-OvmfPkg-AcpiPlatformDxe-make-dependency-on-PCI-enume.patch [bz#1166027] +- Resolves: bz#1166027 +  (backport "OvmfPkg: AcpiPlatformDxe: make dependency on PCI enumeration explicit") + +* Tue Nov 18 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-4.git9ece15a.el7 +- ovmf-Add-comments-to-clarify-mPubKeyStore-buffer-MemCopy.patch [bz#1162314] +- ovmf-MdeModulePkg-SecurityPkg-Variable-Add-boundary-check.patch [bz#1162314] +- Resolves: bz#1162314 + (EMBARGOED OVMF: uefi: INTEL-TA-201410-001 && INTEL-TA-201410-002 [rhel-7.1]) + +* Thu Nov 13 2014 Laszlo Ersek <lersek@redhat.com> - AAVMF-20141113-1.git77d5dac +- rebased to upstream 77d5dac +  <https://bugzilla.redhat.com/show_bug.cgi?id=1162314#c1> +- patch "ArmVirtualizationPkg: FdtPL011SerialPortLib: support UEFI_APPLICATION" +  is now upstream (SVN r16219, git edb5073) + +* Thu Nov 13 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-3.git9ece15a.el7 +- 
ovmf-Revert-OvmfPkg-set-video-resolution-of-text-setup-to.patch [bz#1153927] +- ovmf-Try-to-read-key-strike-even-when-the-TimeOuts-value-.patch [bz#1153927] +- ovmf-OvmfPkg-BDS-remove-dead-call-to-PlatformBdsEnterFron.patch [bz#1153927] +- ovmf-OvmfPkg-BDS-drop-useless-return-statement.patch [bz#1153927] +- ovmf-OvmfPkg-BDS-don-t-overwrite-the-BDS-Front-Page-timeo.patch [bz#1153927] +- ovmf-OvmfPkg-BDS-optimize-second-argument-in-PlatformBdsE.patch [bz#1153927] +- ovmf-OvmfPkg-BDS-drop-superfluous-connect-first-boot-opti.patch [bz#1153927] +- ovmf-OvmfPkg-BDS-drop-custom-boot-timeout-revert-to-Intel.patch [bz#1153927] +- ovmf-OvmfPkg-set-video-resolution-of-text-setup-to-640x48.patch [bz#1153927] +- Resolves: bz#1153927 +  (set NEXTBOOT to uefi setting failed from Windows Recovery console) + +* Tue Nov 11 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-2.git9ece15a +- ovmf-redhat-process-rh-specific.sh-suppress-missing-files.patch [bz#1145784] +- ovmf-Revert-RH-only-OvmfPkg-QemuVideoDxe-fix-querying-of-.patch [bz#1145784] +- ovmf-Revert-RH-only-OvmfPkg-AcpiPlatformDxe-implement-QEM.patch [bz#1145784] +- ovmf-Revert-RH-only-OvmfPkg-AcpiPlatformDxe-remove-curren.patch [bz#1145784] +- ovmf-Revert-RH-only-OvmfPkg-AcpiPlatformDxe-actualize-Qem.patch [bz#1145784] +- ovmf-Revert-RH-only-OvmfPkg-resolve-OrderedCollectionLib-.patch [bz#1145784] +- ovmf-OvmfPkg-QemuVideoDxe-work-around-misreported-QXL-fra.patch [bz#1145784] +- ovmf-OvmfPkg-resolve-OrderedCollectionLib-with-base-red-b.patch [bz#1145784] +- ovmf-OvmfPkg-AcpiPlatformDxe-actualize-QemuLoader.h-comme.patch [bz#1145784] +- ovmf-OvmfPkg-AcpiPlatformDxe-remove-current-ACPI-table-lo.patch [bz#1145784] +- ovmf-OvmfPkg-AcpiPlatformDxe-implement-QEMU-s-full-ACPI-t.patch [bz#1145784] +- ovmf-spec-build-small-bootable-ISO-with-standalone-UEFI-s.patch [bz#1147592] +- ovmf-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch [bz#1147592] +- ovmf-spec-exclude-the-UEFI-shell-from-the-SecureBoot-enab.patch 
[bz#1147592] +- ovmf-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch [bz#1148296] +- ovmf-spec-package-EnrollDefaultKeys.efi-on-UefiShell.iso-.patch [bz#1148296] +- ovmf-OvmfPkg-disable-stale-fork-of-SecureBootConfigDxe.patch [bz#1148294] +- ovmf-OvmfPkg-SecureBootConfigDxe-remove-stale-fork.patch [bz#1148294] +- Resolves: bz#1145784 +  (OVMF sync with QXL and ACPI patches up to edk2 7a9612ce) +- Resolves: bz#1147592 +  (the binary RPM should include a small ISO file with a directly bootable UEFI shell binary) +- Resolves: bz#1148294 +  (drop OvmfPkg's stale fork of SecureBootConfigDxe) +- Resolves: bz#1148296 +  (provide a non-interactive way to auto-enroll important SecureBoot certificates) + +* Wed Oct 15 2014 Laszlo Ersek <lersek@redhat.com> - AAVMF-20141015-1.gitc373687 +- ported packaging to aarch64 / AAVMF + +* Fri Aug 22 2014 Laszlo Ersek <lersek@redhat.com> - 20140822-1.git9ece15a.el7 +- rebase from upstream 3facc08 to 9ece15a +- update to openssl-0.9.8zb +- update to FatPkg SVN r86 (git 2355ea2c) +- the following patches of Paolo Bonzini have been merged in upstream; drop the +  downstream-only copies: +  7bc1421 edksetup.sh: Look for BuildEnv under EDK_TOOLS_PATH +  d549344 edksetup.sh: Ensure that WORKSPACE points to the top of an edk2 +          checkout +  1c023eb BuildEnv: remove useless check before setting $WORKSPACE +- include the following patches that have been pending review on the upstream +  list for a long time: +  [PATCH 0/4] OvmfPkg: complete client for QEMU's ACPI loader interface +  http://thread.gmane.org/gmane.comp.bios.tianocore.devel/8369 +  [PATCH] OvmfPkg: QemuVideoDxe: fix querying of QXL's drawable buffer size +  http://thread.gmane.org/gmane.comp.bios.tianocore.devel/8515 +- nasm is a build-time dependency now because upstream BuildTools has started +  to call it directly + +* Wed Jul 23 2014 Laszlo Ersek <lersek@redhat.com> - 20140723-1.git3facc08.el7 +- rebase from upstream a618eaa to 3facc08 +- update to 
openssl-0.9.8za +- drop downstream-only split varstore patch, rely on upstream's + +* Tue Jun 24 2014 Miroslav Rezanina <mrezanin@redhat.com> - 20140619-1.gita618eaa.el7 +- Initial version diff --git a/ovmf-whitepaper-c770f8c.txt b/ovmf-whitepaper-c770f8c.txt new file mode 100644 index 0000000..ba727b4 --- /dev/null +++ b/ovmf-whitepaper-c770f8c.txt 
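Review bot: in the Nov 18 2014 entry (OVMF-20140822-4.git9ece15a.el7), the Resolves description " (EMBARGOED OVMF: uefi: INTEL-TA-201410-001 && INTEL-TA-201410-002 [rhel-7.1])" is indented with a single space where every other Resolves description in this changelog uses two, and the EMBARGOED marker dates from October 2014; the two patches that entry lists (the mPubKeyStore MemCopy comment and the "MdeModulePkg/SecurityPkg Variable: Add boundary check" fix) are the same fixes named in the quoted patch list that opens the newest entry of this hunk, so the marker no longer describes anything that is still withheld. If the imported changelog is being normalised at all, reindent that line and drop the word EMBARGOED from the summary so a reader of the packaged spec does not mistake it for an open advisory; if the changelog is kept as a verbatim historical record, leave it, but do not carry the marker into any new documentation. Smaller consistency points in the same hunk: the release strings OVMF-20140822-2.git9ece15a, AAVMF-20141015-1.gitc373687 and AAVMF-20141113-1.git77d5dac carry no .el7 dist tag while their neighbours do, and the OVMF-20140822 series steps from -4 (Nov 18) to -6 (Nov 25) with no -5 entry in between.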
@@ -0,0 +1,2422 @@ +Open Virtual Machine Firmware (OVMF) Status Report +July 2014 (with updates in August 2014 - January 2015) + +Author: Laszlo Ersek <lersek@redhat.com> +Copyright (C) 2014-2015, Red Hat, Inc. +CC BY-SA 4.0 <http://creativecommons.org/licenses/by-sa/4.0/> + +Abstract +-------- + +The Unified Extensible Firmware Interface (UEFI) is a specification that +defines a software interface between an operating system and platform firmware. +UEFI is designed to replace the Basic Input/Output System (BIOS) firmware +interface. + +Hardware platform vendors have been increasingly adopting the UEFI +Specification to govern their boot firmware developments. OVMF (Open Virtual +Machine Firmware), a sub-project of Intel's EFI Development Kit II (edk2), +enables UEFI support for Ia32 and X64 Virtual Machines. + +This paper reports on the status of the OVMF project, treats features and +limitations, gives end-user hints, and examines some areas in-depth. + +Keywords: ACPI, boot options, CSM, edk2, firmware, flash, fw_cfg, KVM, memory +map, non-volatile variables, OVMF, PCD, QEMU, reset vector, S3, Secure Boot, +Smbios, SMM, TianoCore, UEFI, VBE shim, Virtio + +Table of Contents +----------------- + +- Motivation +- Scope +- Example qemu invocation +- Installation of OVMF guests with virt-manager and virt-install +- Supported guest operating systems +- Compatibility Support Module (CSM) +- Phases of the boot process +- Project structure +- Platform Configuration Database (PCD) +- Firmware image structure +- S3 (suspend to RAM and resume) +- A comprehensive memory map of OVMF +- Known Secure Boot limitations +- Variable store and LockBox in SMRAM +- Select features +  - X64-specific reset vector for OVMF +  - Client library for QEMU's firmware configuration interface +  - Guest ACPI tables +  - Guest SMBIOS tables +  - Platform-specific boot policy +  - Virtio drivers +  - Platform Driver +  - Video driver +- Afterword + +Motivation +---------- + +OVMF extends the 
usual benefits of virtualization to UEFI. Reasons to use OVMF +include: + +- Legacy-free guests. A UEFI-based environment eliminates dependencies on +  legacy address spaces and devices. This is especially beneficial when used +  with physically assigned devices where the legacy operating mode is +  troublesome to support, ex. assigned graphics cards operating in legacy-free, +  non-VGA mode in the guest. + +- Future proof guests. The x86 market is steadily moving towards a legacy-free +  platform and guest operating systems may eventually require a UEFI +  environment. OVMF provides that next generation firmware support for such +  applications. + +- GUID partition tables (GPTs). MBR partition tables represent partition +  offsets and sizes with 32-bit integers, in units of 512 byte sectors. This +  limits the addressable portion of the disk to 2 TB. GPT represents logical +  block addresses with 64 bits. + +- Liberating boot loader binaries from residing in contested and poorly defined +  space between the partition table and the partitions. + +- Support for booting off disks (eg. pass-through physical SCSI devices) with a +  4kB physical and logical sector size, i.e. which don't have 512-byte block +  emulation. + +- Development and testing of Secure Boot-related features in guest operating +  systems. Although OVMF's Secure Boot implementation is currently not secure +  against malicious UEFI drivers, UEFI applications, and guest kernels, +  trusted guest code that only uses standard UEFI interfaces will find a valid +  Secure Boot environment under OVMF, with working key enrollment and signature +  validation. This enables development and testing of portable, Secure +  Boot-related guest code. + +- Presence of non-volatile UEFI variables. This furthers development and +  testing of OS installers, UEFI boot loaders, and unique, dependent guest OS +  features. For example, an efivars-backed pstore (persistent storage) +  file system works under Linux. 
+ +- Altogether, a near production-level UEFI environment for virtual machines +  when Secure Boot is not required. + +Scope +----- + +UEFI and especially Secure Boot have been topics fraught with controversy and +political activism. This paper sidesteps these aspects and strives to focus on +use cases, hands-on information for end users, and technical details. + +Unless stated otherwise, the expression "X supports Y" means "X is technically +compatible with interfaces provided or required by Y". It does not imply +support as an activity performed by natural persons or companies. + +We discuss the status of OVMF at a state no earlier than edk2 SVN revision +16158. The paper concentrates on upstream projects and communities, but +occasionally it pans out about OVMF as it is planned to be shipped (as +Technical Preview) in Red Hat Enterprise Linux 7.1. Such digressions are marked +with the [RHEL] margin notation. + +Although other VMMs and accelerators are known to support (or plan to support) +OVMF to various degrees -- for example, VirtualBox, Xen, BHyVe --, we'll +emphasize OVMF on qemu/KVM, because QEMU and KVM have always been Red Hat's +focus wrt. OVMF. + +The recommended upstream QEMU version is 2.1+. The recommended host Linux +kernel (KVM) version is 3.10+. The recommended QEMU machine type is +"qemu-system-x86_64 -M pc-i440fx-2.1" or later. + +The term "TianoCore" is used interchangeably with "edk2" in this paper. + +Example qemu invocation +----------------------- + +The following commands give a quick foretaste of installing a UEFI operating +system on OVMF, relying only on upstream edk2 and qemu. + +- Clone and build OVMF: + +  git clone https://github.com/tianocore/edk2.git +  cd edk2 +  nice OvmfPkg/build.sh -a X64 -n $(getconf _NPROCESSORS_ONLN) + +  (Note that this ad-hoc build will not include the Secure Boot feature.) 
+ +- The build output file, "OVMF.fd", includes not only the executable firmware +  code, but the non-volatile variable store as well. For this reason, make a +  VM-specific copy of the build output (the variable store should be private to +  the virtual machine): + +  cp Build/OvmfX64/DEBUG_GCC4?/FV/OVMF.fd fedora.flash + +  (The variable store and the firmware executable are also available in the +  build output as separate files: "OVMF_VARS.fd" and "OVMF_CODE.fd". This +  enables central management and updates of the firmware executable, while each +  virtual machine can retain its own variable store.) + +- Download a Fedora LiveCD: + +  wget https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Xfce-x86_64-20-1.iso + +- Create a virtual disk (qcow2 format, 20 GB in size): + +  qemu-img create -f qcow2 fedora.img 20G + +- Create the following qemu wrapper script under the name "fedora.sh": + +  # Basic virtual machine properties: a recent i440fx machine type, KVM +  # acceleration, 2048 MB RAM, two VCPUs. +  OPTS="-M pc-i440fx-2.1 -enable-kvm -m 2048 -smp 2" + +  # The OVMF binary, including the non-volatile variable store, appears as a +  # "normal" qemu drive on the host side, and it is exposed to the guest as a +  # persistent flash device. +  OPTS="$OPTS -drive if=pflash,format=raw,file=fedora.flash" + +  # The hard disk is exposed to the guest as a virtio-block device. OVMF has a +  # driver stack that supports such a disk. We specify this disk as first boot +  # option. OVMF recognizes the boot order specification. +  OPTS="$OPTS -drive id=disk0,if=none,format=qcow2,file=fedora.img" +  OPTS="$OPTS -device virtio-blk-pci,drive=disk0,bootindex=0" + +  # The Fedora installer disk appears as an IDE CD-ROM in the guest. This is +  # the 2nd boot option. 
+  OPTS="$OPTS -drive id=cd0,if=none,format=raw,readonly" +  OPTS="$OPTS,file=Fedora-Live-Xfce-x86_64-20-1.iso" +  OPTS="$OPTS -device ide-cd,bus=ide.1,drive=cd0,bootindex=1" + +  # The following setting enables S3 (suspend to RAM). OVMF supports S3 +  # suspend/resume. +  OPTS="$OPTS -global PIIX4_PM.disable_s3=0" + +  # OVMF emits a number of info / debug messages to the QEMU debug console, at +  # ioport 0x402. We configure qemu so that the debug console is indeed +  # available at that ioport. We redirect the host side of the debug console to +  # a file. +  OPTS="$OPTS -global isa-debugcon.iobase=0x402 -debugcon file:fedora.ovmf.log" + +  # QEMU accepts various commands and queries from the user on the monitor +  # interface. Connect the monitor with the qemu process's standard input and +  # output. +  OPTS="$OPTS -monitor stdio" + +  # A USB tablet device in the guest allows for accurate pointer tracking +  # between the host and the guest. +  OPTS="$OPTS -device piix3-usb-uhci -device usb-tablet" + +  # Provide the guest with a virtual network card (virtio-net). +  # +  # Normally, qemu provides the guest with a UEFI-conformant network driver +  # from the iPXE project, in the form of a PCI expansion ROM. For this test, +  # we disable the expansion ROM and allow OVMF's built-in virtio-net driver to +  # take effect. +  # +  # On the host side, we use the SLIRP ("user") network backend, which has +  # relatively low performance, but it doesn't require extra privileges from +  # the user executing qemu. +  OPTS="$OPTS -netdev id=net0,type=user" +  OPTS="$OPTS -device virtio-net-pci,netdev=net0,romfile=" + +  # A Spice QXL GPU is recommended as the primary VGA-compatible display +  # device. It is a full-featured virtual video card, with great operating +  # system driver support. OVMF supports it too. 
+  OPTS="$OPTS -device qxl-vga" + +  qemu-system-x86_64 $OPTS + +- Start the Fedora guest: + +  sh fedora.sh + +- The above command can be used for both installation and later boots of the +  Fedora guest. + +- In order to verify basic OVMF network connectivity: + +  - Assuming that the non-privileged user running qemu belongs to group G +    (where G is a numeric identifier), ensure as root on the host that the +    group range in file "/proc/sys/net/ipv4/ping_group_range" includes G. + +  - As the non-privileged user, boot the guest as usual. + +  - On the TianoCore splash screen, press ESC. + +  - Navigate to Boot Manager | EFI Internal Shell + +  - In the UEFI Shell, issue the following commands: + +    ifconfig -s eth0 dhcp +    ping A.B.C.D + +    where A.B.C.D is a public IPv4 address in dotted decimal notation that your +    host can reach. + +  - Type "quit" at the (qemu) monitor prompt. + +Installation of OVMF guests with virt-manager and virt-install +-------------------------------------------------------------- + +(1) Assuming OVMF has been installed on the host with the following files: +    - /usr/share/OVMF/OVMF_CODE.fd +    - /usr/share/OVMF/OVMF_VARS.fd + +    locate the "nvram" stanza in "/etc/libvirt/qemu.conf", and edit it as +    follows: + +    nvram = [ "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd" ] + +(2) Restart libvirtd with your Linux distribution's service management tool; +    for example, + +    systemctl restart libvirtd + +(3) In virt-manager, proceed with the guest installation as usual: +    - select File | New Virtual Machine, +    - advance to Step 5 of 5, +    - in Step 5, check "Customize configuration before install", +    - click Finish; +    - in the customization dialog, select Overview | Firmware, and choose UEFI, +    - click Apply and Begin Installation. 
+ +(4) With virt-install: + +    LDR="loader=/usr/share/OVMF/OVMF_CODE.fd,loader_ro=yes,loader_type=pflash" +    virt-install \ +      --name fedora20 \ +      --memory 2048 \ +      --vcpus 2 \ +      --os-variant fedora20 \ +      --boot hd,cdrom,$LDR \ +      --disk size=20 \ +      --disk path=Fedora-Live-Xfce-x86_64-20-1.iso,device=cdrom,bus=scsi + +(5) A popular, distribution-independent, bleeding-edge OVMF package is +    available under <https://www.kraxel.org/repos/>, courtesy of Gerd Hoffmann. + +    The "edk2.git-ovmf-x64" package provides the following files, among others: +    - /usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd +    - /usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd + +    When using this package, adapt steps (1) and (4) accordingly. + +(6) Additionally, the "edk2.git-ovmf-x64" package seeks to simplify the +    enablement of Secure Boot in a virtual machine (strictly for development +    and testing purposes). + +    - Boot the virtual machine off the CD-ROM image called +      "/usr/share/edk2.git/ovmf-x64/UefiShell.iso"; before or after installing +      the main guest operating system. + +    - When the UEFI shell appears, issue the following commands: + +      EnrollDefaultKeys.efi +      reset -s + +    - The EnrollDefaultKeys.efi utility enrolls the following keys: + +      - A static example X.509 certificate (CN=TestCommonName) as Platform Key +        and first Key Exchange Key. + +        The private key matching this certificate has been destroyed (but you +        shouldn't trust this statement). + +      - "Microsoft Corporation KEK CA 2011" as second Key Exchange Key +        (SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30). + +      - "Microsoft Windows Production PCA 2011" as first DB entry +        (SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d). 
+ +      - "Microsoft Corporation UEFI CA 2011" as second DB entry +        (SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3). + +      These keys suffice to boot released versions of popular Linux +      distributions (through the shim.efi utility), and Windows 8 and Windows +      Server 2012 R2, in Secure Boot mode. + +Supported guest operating systems +--------------------------------- + +Upstream OVMF does not favor some guest operating systems over others for +political or ideological reasons. However, some operating systems are harder to +obtain and/or technically more difficult to support. The general expectation is +that recent UEFI OSes should just work. Please consult the "OvmfPkg/README" +file. + +The following guest OSes were tested with OVMF: +- Red Hat Enterprise Linux 6 +- Red Hat Enterprise Linux 7 +- Fedora 18 +- Fedora 19 +- Fedora 20 +- Windows Server 2008 R2 SP1 +- Windows Server 2012 +- Windows 8 + +Notes about Windows Server 2008 R2 (paraphrasing the "OvmfPkg/README" file): + +- QEMU should be started with one of the "-device qxl-vga" and "-device VGA" +  options. + +- Only one video mode, 1024x768x32, is supported at OS runtime. + +  Please refer to the section about QemuVideoDxe (OVMF's built-in video driver) +  for more details on this limitation. + +- The qxl-vga video card is recommended ("-device qxl-vga"). After booting the +  installed guest OS, select the video card in Device Manager, and upgrade the +  video driver to the QXL XDDM one. + +  The QXL XDDM driver can be downloaded from +  <http://www.spice-space.org/download.html>, under Guest | Windows binaries. + +  This driver enables additional graphics resolutions at OS runtime, and +  provides S3 (suspend/resume) capability. + +Notes about Windows Server 2012 and Windows 8: + +- QEMU should be started with the "-device qxl-vga,revision=4" option (or a +  later revision, if available). 
+ +- The guest OS's builtin video driver inherits the video mode / frame buffer +  from OVMF. There's no way to change the resolution at OS runtime. + +  For this reason, a platform driver has been developed for OVMF, which allows +  users to change the preferred video mode in the firmware. Please refer to the +  section about PlatformDxe for details. + +- It is recommended to upgrade the guest OS's video driver to the QXL WDDM one, +  via Device Manager. + +  Binaries for the QXL WDDM driver can be found at +  <http://people.redhat.com/~vrozenfe/qxlwddm> (pick a version greater than or +  equal to 0.6), while the source code resides at +  <https://github.com/vrozenfe/qxl-dod>. + +  This driver enables additional graphics resolutions at OS runtime, and +  provides S3 (suspend/resume) capability. + +Compatibility Support Module (CSM) +---------------------------------- + +Collaboration between SeaBIOS and OVMF developers has enabled SeaBIOS to be +built as a Compatibility Support Module, and OVMF to embed and use it. + +Benefits of a SeaBIOS CSM include: + +- The ability to boot legacy (non-UEFI) operating systems, such as legacy Linux +  systems, Windows 7, OpenBSD 5.2, FreeBSD 8/9, NetBSD, DragonflyBSD, Solaris +  10/11. + +- Legacy (non-UEFI-compliant) PCI expansion ROMs, such as a VGA BIOS, mapped by +  QEMU in emulated devices' ROM BARs, are loaded and executed by OVMF. + +  For example, this grants the Windows Server 2008 R2 SP1 guest's native, +  legacy video driver access to all modes of all QEMU video cards. + +Building the CSM target of the SeaBIOS source tree is out of scope for this +report. Additionally, upstream OVMF does not enable the CSM by default. + +Interested users and developers should look for OVMF's "-D CSM_ENABLE" +build-time option, and check out the <https://www.kraxel.org/repos/> continuous +integration repository, which provides CSM-enabled OVMF builds. 
+ +[RHEL] The "OVMF_CODE.fd" firmware image made available on the Red Hat +       Enterprise Linux 7.1 host does not include a Compatibility Support +       Module, for the following reasons: + +       - Virtual machines running officially supported, legacy guest operating +         systems should just use the standalone SeaBIOS firmware. Firmware +         selection is flexible in virtualization, see eg. "Installation of OVMF +         guests with virt-manager and virt-install" above. + +       - The 16-bit thunking interface between OVMF and SeaBIOS is very complex +         and presents a large debugging and support burden, based on past +         experience. + +       - Secure Boot is incompatible with CSM. + +       - Inter-project dependencies should be minimized whenever possible. + +       - Using the default QXL video card, the Windows 2008 R2 SP1 guest can be +         installed with its built-in, legacy video driver. Said driver will +         select the only available video mode, 1024x768x32. After installation, +         the video driver can be upgraded to the full-featured QXL XDDM driver. + +Phases of the boot process +-------------------------- + +The PI and UEFI specifications, and Intel's UEFI and EDK II Learning and +Development materials provide ample information on PI and UEFI concepts. The +following is an absolutely minimal, rough glossary that is included only to +help readers new to PI and UEFI understand references in later, OVMF-specific +sections. We defer heavily to the official specifications and the training +materials, and frequently quote them below. + +A central concept to mention early is the GUID -- globally unique identifier. A +GUID is a 128-bit number, written as XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, +where each X stands for a hexadecimal nibble. GUIDs are used to name everything +in PI and in UEFI. 
Programmers introduce new GUIDs with the "uuidgen" utility, +and standards bodies standardize well-known services by positing their GUIDs. + +The boot process is roughly divided in the following phases: + +- Reset vector code. + +- SEC: Security phase. This phase is the root of firmware integrity. + +- PEI: Pre-EFI Initialization. This phase performs "minimal processor, chipset +  and platform configuration for the purpose of discovering memory". Modules in +  PEI collectively save their findings about the platform in a list of HOBs +  (hand-off blocks). + +  When developing PEI code, the Platform Initialization (PI) specification +  should be consulted. + +- DXE: Driver eXecution Environment, pronounced as "Dixie". This "is the phase +  where the bulk of the booting occurs: devices are enumerated and initialized, +  UEFI services are supported, and protocols and drivers are implemented. Also, +  the tables that create the UEFI interface are produced". + +  On the PEI/DXE boundary, the HOBs produced by PEI are consumed. For example, +  this is how the memory space map is configured initially. + +- BDS: Boot Device Selection. It is "responsible for determining how and where +  you want to boot the operating system". + +  When developing DXE and BDS code, it is mainly the UEFI specification that +  should be consulted. When speaking about DXE, BDS is frequently considered to +  be a part of it. + +The following concepts are tied to specific boot process phases: + +- PEIM: a PEI Module (pronounced "PIM"). A binary module running in the PEI +  phase, consuming some PPIs and producing other PPIs, and producing HOBs. + +- PPI: PEIM-to-PEIM interface. A structure of function pointers and related +  data members that establishes a PEI service, or an instance of a PEI service. +  PPIs are identified by GUID. + +  An example is EFI_PEI_S3_RESUME2_PPI (6D582DBC-DB85-4514-8FCC-5ADF6227B147). 
+ +- DXE driver: a binary module running in the DXE and BDS phases, consuming some +  protocols and producing other protocols. + +- Protocol: A structure of function pointers and related data members that +  establishes a DXE service, or an instance of a DXE service. Protocols are +  identified by GUID. + +  An example is EFI_BLOCK_IO_PROTOCOL (964E5B21-6459-11D2-8E39-00A0C969723B). + +- Architectural protocols: a set of standard protocols that are foundational to +  the working of a UEFI system. Each architectural protocol has at most one +  instance. Architectural protocols are implemented by a subset of DXE drivers. +  DXE drivers explicitly list the set of protocols (including architectural +  protocols) that they need to work. UEFI drivers can only be loaded once all +  architectural protocols have become available during the DXE phase. + +  An example is EFI_VARIABLE_WRITE_ARCH_PROTOCOL +  (6441F818-6362-4E44-B570-7DBA31DD2453). + +Project structure +----------------- + +The term "OVMF" usually denotes the project (community and development effort) +that provide and maintain the subject matter UEFI firmware for virtual +machines. However the term is also frequently applied to the firmware binary +proper that a virtual machine executes. + +OVMF emerges as a compilation of several modules from the edk2 source +repository. "edk2" stands for EFI Development Kit II; it is a "modern, +feature-rich, cross-platform firmware development environment for the UEFI and +PI specifications". + +The composition of OVMF is dictated by the following build control files: + +  OvmfPkg/OvmfPkgIa32.dsc +  OvmfPkg/OvmfPkgIa32.fdf + +  OvmfPkg/OvmfPkgIa32X64.dsc +  OvmfPkg/OvmfPkgIa32X64.fdf + +  OvmfPkg/OvmfPkgX64.dsc +  OvmfPkg/OvmfPkgX64.fdf + +The format of these files is described in the edk2 DSC and FDF specifications. 
+Roughly, the DSC file determines: +- library instance resolutions for library class requirements presented by the +  modules to be compiled, +- the set of modules to compile. + +The FDF file roughly determines: +- what binary modules (compilation output files, precompiled binaries, graphics +  image files, verbatim binary sections) to include in the firmware image, +- how to lay out the firmware image. + +The Ia32 flavor of these files builds a firmware where both PEI and DXE phases +are 32-bit. The Ia32X64 flavor builds a firmware where the PEI phase consists +of 32-bit modules, and the DXE phase is 64-bit. The X64 flavor builds a purely +64-bit firmware. + +The word size of the DXE phase must match the word size of the runtime OS -- a +32-bit DXE can't cooperate with a 64-bit OS, and a 64-bit DXE can't work a +32-bit OS. + +OVMF pulls together modules from across the edk2 tree. For example: + +- common drivers and libraries that are platform independent are usually +  located under MdeModulePkg and MdePkg, + +- common but hardware-specific drivers and libraries that match QEMU's +  pc-i440fx-* machine type are pulled in from IntelFrameworkModulePkg, +  PcAtChipsetPkg and UefiCpuPkg, + +- the platform independent UEFI Shell is built from ShellPkg, + +- OvmfPkg includes drivers and libraries that are useful for virtual machines +  and may or may not be specific to QEMU's pc-i440fx-* machine type. + +Platform Configuration Database (PCD) +------------------------------------- + +Like the "Phases of the boot process" section, this one introduces a concept in +very raw form. We defer to the PCD related edk2 specifications, and we won't +discuss implementation details here. Our purpose is only to offer the reader a +usable (albeit possibly inaccurate) definition, so that we can refer to PCDs +later on. + +Colloquially, when we say "PCD", we actually mean "PCD entry"; that is, an +entry stored in the Platform Configuration Database. 
+ +The Platform Configuration Database is +- a firmware-wide +- name-value store +- of scalars and buffers +- where each entry may be +  - build-time constant, or +  - run-time dynamic, or +  - theoretically, a middle option: patchable in the firmware file itself, +    using a dedicated tool. (OVMF does not utilize externally patchable +    entries.) + +A PCD entry is declared in the DEC file of the edk2 top-level Package directory +whose modules (drivers and libraries) are the primary consumers of the PCD +entry. (See for example OvmfPkg/OvmfPkg.dec). Basically, a PCD in a DEC file +exposes a simple customization point. + +Interest in a PCD entry is communicated to the build system by naming the PCD +entry in the INF file of the interested module (application, driver or +library). The module may read and -- dependent on the PCD entry's category -- +write the PCD entry. + +Let's investigate the characteristics of the Database and the PCD entries. + +- Firmware-wide: technically, all modules may access all entries they are +  interested in, assuming they advertise their interest in their INF files. +  With careful design, PCDs enable inter-driver propagation of (simple) system +  configuration. PCDs are available in both PEI and DXE. + +  (UEFI drivers meant to be portable (ie. from third party vendors) are not +  supposed to use PCDs, since PCDs qualify internal to the specific edk2 +  firmware in question.) + +- Name-value store of scalars and buffers: each PCD has a symbolic name, and a +  fixed scalar type (UINT16, UINT32 etc), or VOID* for buffers. Each PCD entry +  belongs to a namespace, where a namespace is (obviously) a GUID, defined in +  the DEC file. + +- A DEC file can permit several categories for a PCD: +  - build-time constant ("FixedAtBuild"), +  - patchable in the firmware image ("PatchableInModule", unused in OVMF), +  - runtime modifiable ("Dynamic"). 
+ +The platform description file (DSC) of a top-level Package directory may choose +the exact category for a given PCD entry that its modules wish to use, and +assign a default (or constant) initial value to it. + +In addition, the edk2 build system too can initialize PCD entries to values +that it calculates while laying out the flash device image. Such PCD +assignments are described in the FDF control file. + +Firmware image structure +------------------------ + +(We assume the common X64 choice for both PEI and DXE, and the default DEBUG +build target.) + +The OvmfPkg/OvmfPkgX64.fdf file defines the following layout for the flash +device image "OVMF.fd": + +  Description                     Compression type        Size +  ------------------------------  ----------------------  ------- +  Non-volatile data storage       open-coded binary data   128 KB +    Variable store                                          56 KB +    Event log                                                4 KB +    Working block                                            4 KB +    Spare area                                              64 KB + +  FVMAIN_COMPACT                  uncompressed            1712 KB +    FV Firmware File System file  LZMA compressed +      PEIFV                       uncompressed             896 KB +        individual PEI modules    uncompressed +      DXEFV                       uncompressed            8192 KB +        individual DXE modules    uncompressed + +  SECFV                           uncompressed             208 KB +    SEC driver +    reset vector code + +The top-level image consists of three regions (three firmware volumes): +- non-volatile data store (128 KB), +- main firmware volume (FVMAIN_COMPACT, 1712 KB), +- firmware volume containing the reset vector code and the SEC phase code (208 +  KB). + +In total, the OVMF.fd file has size 128 KB + 1712 KB + 208 KB == 2 MB. 
+ +(1) The firmware volume with non-volatile data store (128 KB) has the following +    internal structure, in blocks of 4 KB: + +            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  L: event log +       LIVE | varstore                  |L|W|  W: working block +            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +      SPARE |                               | +            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +    The first half of this firmware volume is "live", while the second half is +    "spare". The spare half is important when the variable driver reclaims +    unused storage and reorganizes the variable store. + +    The live half dedicates 14 blocks (56 KB) to the variable store itself. On +    top of those, one block is set aside for an event log, and one block is +    used as the working block of the fault tolerant write protocol. Fault +    tolerant writes are used to recover from an occasional (virtual) power loss +    during variable updates. + +    The blocks in this firmware volume are accessed, in stacking order from +    least abstract to most abstract, by: + +    - EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL (provided by +      OvmfPkg/QemuFlashFvbServicesRuntimeDxe), + +    - EFI_FAULT_TOLERANT_WRITE_PROTOCOL (provided by +      MdeModulePkg/Universal/FaultTolerantWriteDxe), + +    - architectural protocols instrumental to the runtime UEFI variable +      services: +      - EFI_VARIABLE_ARCH_PROTOCOL, +      - EFI_VARIABLE_WRITE_ARCH_PROTOCOL. + +      In a non-secure boot build, the DXE driver providing these architectural +      protocols is MdeModulePkg/Universal/Variable/RuntimeDxe. In a secure boot +      build, where authenticated variables are available, the DXE driver +      offering these protocols is SecurityPkg/VariableAuthenticated/RuntimeDxe. + +(2) The main firmware volume (FVMAIN_COMPACT, 1712 KB) embeds further firmware +    volumes. 
The outermost layer is a Firmware File System (FFS), carrying a +    single file. This file holds an LZMA-compressed section, which embeds two +    firmware volumes: PEIFV (896 KB) with PEIMs, and DXEFV (8192 KB) with DXE +    and UEFI drivers. + +    This scheme enables us to build 896 KB worth of PEI drivers and 8192 KB +    worth of DXE and UEFI drivers, compress them all with LZMA in one go, and +    store the compressed result in 1712 KB, saving room in the flash device. + +(3) The SECFV firmware volume (208 KB) is not compressed. It carries the +    "volume top file" with the reset vector code, to end at 4 GB in +    guest-physical address space, and the SEC phase driver (OvmfPkg/Sec). + +    The last 16 bytes of the volume top file (mapped directly under 4 GB) +    contain a NOP slide and a jump instruction. This is where QEMU starts +    executing the firmware, at address 0xFFFF_FFF0. The reset vector and the +    SEC driver run from flash directly. + +    The SEC driver locates FVMAIN_COMPACT in the flash, and decompresses the +    main firmware image to RAM. The rest of OVMF (PEI, DXE, BDS phases) run +    from RAM. + +As already mentioned, the OVMF.fd file is mapped by qemu's +"hw/block/pflash_cfi01.c" device just under 4 GB in guest-physical address +space, according to the command line option + +  -drive if=pflash,format=raw,file=fedora.flash + +(refer to the Example qemu invocation). This is a "ROMD device", which can +switch out of "ROMD mode" and back into it. + +Namely, in the default ROMD mode, the guest-physical address range backed by +the flash device reads and executes as ROM (it does not trap from KVM to QEMU). +The first write access in this mode traps to QEMU, and flips the device out of +ROMD mode. 
+ +In non-ROMD mode, the flash chip is programmed by storing CFI (Common Flash +Interface) command values at the flash-covered addresses; both reads and writes +trap to QEMU, and the flash contents are modified and synchronized to the +host-side file. A special CFI command flips the flash device back to ROMD mode. + +Qemu implements the above based on the KVM_CAP_READONLY_MEM / KVM_MEM_READONLY +KVM features, and OVMF puts it to use in its EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL +implementation, under "OvmfPkg/QemuFlashFvbServicesRuntimeDxe". + +IMPORTANT: Never pass OVMF.fd to qemu with the -bios option. That option maps +the firmware image as ROM into the guest's address space, and forces OVMF to +emulate non-volatile variables with a fallback driver that is bound to have +insufficient and confusing semantics. + +The 128 KB firmware volume with the variable store, discussed under (1), is +also built as a separate host-side file, named "OVMF_VARS.fd". The "rest" is +built into a third file, "OVMF_CODE.fd", which is only 1920 KB in size. The +variable store is mapped into its usual location, at 4 GB - 2 MB = 0xFFE0_0000, +through the following qemu options: + +  -drive if=pflash,format=raw,readonly,file=OVMF_CODE.fd   \ +  -drive if=pflash,format=raw,file=fedora.varstore.fd + +This way qemu configures two flash chips consecutively, with start addresses +growing downwards, which is transparent to OVMF. + +[RHEL] Red Hat Enterprise Linux 7.1 ships a Secure Boot-enabled, X64, DEBUG +       firmware only. Furthermore, only the split files ("OVMF_VARS.fd" and +       "OVMF_CODE.fd") are available. + +S3 (suspend to RAM and resume) +------------------------------ + +As noted in Example qemu invocation, the + +  -global PIIX4_PM.disable_s3=0 + +command line option tells qemu and OVMF if the user would like to enable S3 +support. (This is corresponds to the /domain/pm/suspend-to-mem/@enabled libvirt +domain XML attribute.) 
+ +Implementing / orchestrating S3 was a considerable community effort in OVMF. A +detailed description exceeds the scope of this report; we only make a few +statements. + +(1) S3-related PPIs and protocols are well documented in the PI specification. + +(2) Edk2 contains most modules that are needed to implement S3 on a given +    platform. One abstraction that is central to the porting / extending of the +    S3-related modules to a new platform is the LockBox library interface, +    which a specific platform can fill in by implementing its own LockBox +    library instance. + +    The LockBox library provides a privileged name-value store (to be addressed +    by GUIDs). The privilege separation stretches between the firmware and the +    operating system. That is, the S3-related machinery of the firmware saves +    some items in the LockBox securely, under well-known GUIDs, before booting +    the operating system. During resume (which is a form of warm reset), the +    firmware is activated again, and retrieves items from the LockBox. Before +    jumping to the OS's resume vector, the LockBox is secured again. + +    We'll return to this later when we separately discuss SMRAM and SMM. + +(3) During resume, the DXE and later phases are never reached; only the reset +    vector, and the SEC and PEI phases of the firmware run. The platform is +    supposed to detect a resume in progress during PEI, and to store that fact +    in the BootMode field of the Phase Handoff Information Table (PHIT) HOB. +    OVMF keys this off the CMOS, see OvmfPkg/PlatformPei. + +    At the end of PEI, the DXE IPL PEIM (Initial Program Load PEI Module, see +    MdeModulePkg/Core/DxeIplPeim) examines the Boot Mode, and if it says "S3 +    resume in progress", then the IPL branches to the PEIM that exports +    EFI_PEI_S3_RESUME2_PPI (provided by UefiCpuPkg/Universal/Acpi/S3Resume2Pei) +    rather than loading the DXE core. 
+ +    S3Resume2Pei executes the technical steps of the resumption, relying on the +    contents of the LockBox. + +(4) During first boot (or after a normal platform reset), when DXE does run, +    hardware drivers in the DXE phase are encouraged to "stash" their hardware +    configuration steps (eg. accesses to PCI config space, I/O ports, memory +    mapped addresses, and so on) in a centrally maintained, so called "S3 boot +    script". Hardware accesses are represented with opcodes of a special binary +    script language. + +    This boot script is to be replayed during resume, by S3Resume2Pei. The +    general goal is to bring back hardware devices -- which have been powered +    off during suspend -- to their original after-first-boot state, and in +    particular, to do so quickly. + +    At the moment, OVMF saves only one opcode in the S3 resume boot script: an +    INFORMATION opcode, with contents 0xDEADBEEF (in network byte order). The +    consensus between Linux developers seems to be that boot firmware is only +    responsible for restoring basic chipset state, which OVMF does during PEI +    anyway, independently of S3 vs. normal reset. (One example is the power +    management registers of the i440fx chipset.) Device and peripheral state is +    the responsibility of the runtime operating system. + +    Although an experimental OVMF S3 boot script was at one point captured for +    the virtual Cirrus VGA card, such a boot script cannot follow eg. video +    mode changes effected by the OS. Hence the operating system can never avoid +    restoring device state, and most Linux display drivers (eg. stdvga, QXL) +    already cover S3 resume fully. + +    The XDDM and WDDM driver models used under Windows OSes seem to recognize +    this notion of runtime OS responsibility as well. (See the list of OSes +    supported by OVMF in a separate section.) + +(5) The S3 suspend/resume data flow in OVMF is included here tersely, for +    interested developers. 
+ +    (a) BdsLibBootViaBootOption() +          EFI_ACPI_S3_SAVE_PROTOCOL [AcpiS3SaveDxe] +          - saves ACPI S3 Context to LockBox  ---------------------+ +            (including FACS address -- FACS ACPI table             | +            contains OS waking vector)                             | +                                                                   | +          - prepares boot script:                                  | +            EFI_S3_SAVE_STATE_PROTOCOL.Write() [S3SaveStateDxe]    | +              S3BootScriptLib [PiDxeS3BootScriptLib]               | +              - opcodes & arguments are saved in NVS.  --+         | +                                                         |         | +          - issues a notification by installing          |         | +            EFI_DXE_SMM_READY_TO_LOCK_PROTOCOL           |         | +                                                         |         | +    (b) EFI_S3_SAVE_STATE_PROTOCOL [S3SaveStateDxe]      |         | +          S3BootScriptLib [PiDxeS3BootScriptLib]         |         | +          - closes script with special opcode  <---------+         | +          - script is available in non-volatile memory             | +            via PcdS3BootScriptTablePrivateDataPtr  --+            | +                                                      |            | +        BootScriptExecutorDxe                         |            | +          S3BootScriptLib [PiDxeS3BootScriptLib]      |            | +          - Knows about boot script location by  <----+            | +            synchronizing with the other library                   | +            instance via                                           | +            PcdS3BootScriptTablePrivateDataPtr.                    | +          - Copies relocated image of itself to                    | +            reserved memory. --------------------------------+     | +          - Saved image contains pointer to boot script.  
---|--+  | +                                                             |  |  | +    Runtime:                                                 |  |  | +                                                             |  |  | +    (c) OS is booted, writes OS waking vector to FACS,       |  |  | +        suspends machine                                     |  |  | +                                                             |  |  | +    S3 Resume (PEI):                                         |  |  | +                                                             |  |  | +    (d) PlatformPei sets S3 Boot Mode based on CMOS          |  |  | +                                                             |  |  | +    (e) DXE core is skipped and EFI_PEI_S3_RESUME2 is        |  |  | +        called as last step of PEI                           |  |  | +                                                             |  |  | +    (f) S3Resume2Pei retrieves from LockBox:                 |  |  | +        - ACPI S3 Context (path to FACS)  <------------------|--|--+ +                                          |                  |  | +                                          +------------------|--|--+ +        - Boot Script Executor Image  <----------------------+  |  | +                                                                |  | +    (g) BootScriptExecutorDxe                                   |  | +          S3BootScriptLib [PiDxeS3BootScriptLib]                |  | +          - executes boot script  <-----------------------------+  | +                                                                   | +    (h) OS waking vector available from ACPI S3 Context / FACS  <--+ +        is called + +A comprehensive memory map of OVMF +---------------------------------- + +The following section gives a detailed analysis of memory ranges below 4 GB +that OVMF statically uses. 
+ +In the rightmost column, the PCD entry is identified by which the source refers +to the address or size in question. + +The flash-covered range has been discussed previously in "Firmware image +structure", therefore we include it only for completeness. Due to the fact that +this range is always backed by a memory mapped device (and never RAM), it is +unaffected by S3 (suspend to RAM and resume). + ++--------------------------+ 4194304 KB +|                          | +|          SECFV           | size: 208 KB +|                          | ++--------------------------+ 4194096 KB +|                          | +|      FVMAIN_COMPACT      | size: 1712 KB +|                          | ++--------------------------+ 4192384 KB +|                          | +|      variable store      | size: 64 KB   PcdFlashNvStorageFtwSpareSize +|        spare area        | +|                          | ++--------------------------+ 4192320 KB    PcdOvmfFlashNvStorageFtwSpareBase +|                          | +|    FTW working block     | size: 4 KB    PcdFlashNvStorageFtwWorkingSize +|                          | ++--------------------------+ 4192316 KB    PcdOvmfFlashNvStorageFtwWorkingBase +|                          | +|       Event log of       | size: 4 KB    PcdOvmfFlashNvStorageEventLogSize +|   non-volatile storage   | +|                          | ++--------------------------+ 4192312 KB    PcdOvmfFlashNvStorageEventLogBase +|                          | +|      variable store      | size: 56 KB   PcdFlashNvStorageVariableSize +|                          | ++--------------------------+ 4192256 KB    PcdOvmfFlashNvStorageVariableBase + +The flash-mapped image of OVMF.fd covers the entire structure above (2048 KB). 
+ +When using the split files, the address 4192384 KB +(PcdOvmfFlashNvStorageFtwSpareBase + PcdFlashNvStorageFtwSpareSize) is the +boundary between the mapped images of OVMF_VARS.fd (56 KB + 4 KB + 4 KB + 64 KB += 128 KB) and OVMF_CODE.fd (1712 KB + 208 KB = 1920 KB). + +With regard to RAM that is statically used by OVMF, S3 (suspend to RAM and +resume) complicates matters. Many ranges have been introduced only to support +S3, hence for all ranges below, the following questions will be audited: + +(a) when and how a given range is initialized after first boot of the VM, +(b) how it is protected from memory allocations during DXE, +(c) how it is protected from the OS, +(d) how it is accessed on the S3 resume path, +(e) how it is accessed on the warm reset path. + +Importantly, the term "protected" is meant as protection against inadvertent +reallocations and overwrites by co-operating DXE and OS modules. It does not +imply security against malicious code. + ++--------------------------+ 17408 KB +|                          | +|DXEFV from FVMAIN_COMPACT | size: 8192 KB PcdOvmfDxeMemFvSize +|  decompressed firmware   | +| volume with DXE modules  | +|                          | ++--------------------------+ 9216 KB       PcdOvmfDxeMemFvBase +|                          | +|PEIFV from FVMAIN_COMPACT | size: 896 KB  PcdOvmfPeiMemFvSize +|  decompressed firmware   | +| volume with PEI modules  | +|                          | ++--------------------------+ 8320 KB       PcdOvmfPeiMemFvBase +|                          | +| permanent PEI memory for | size: 32 KB   PcdS3AcpiReservedMemorySize +|   the S3 resume path     | +|                          | ++--------------------------+ 8288 KB       PcdS3AcpiReservedMemoryBase +|                          | +|  temporary SEC/PEI heap  | size: 32 KB   PcdOvmfSecPeiTempRamSize +|         and stack        | +|                          | ++--------------------------+ 8256 KB       PcdOvmfSecPeiTempRamBase +|                          | 
+|          unused          | size: 32 KB +|                          | ++--------------------------+ 8224 KB +|                          | +|      SEC's table of      | size: 4 KB    PcdGuidedExtractHandlerTableSize +| GUIDed section handlers  | +|                          | ++--------------------------+ 8220 KB       PcdGuidedExtractHandlerTableAddress +|                          | +|     LockBox storage      | size: 4 KB    PcdOvmfLockBoxStorageSize +|                          | ++--------------------------+ 8216 KB       PcdOvmfLockBoxStorageBase +|                          | +| early page tables on X64 | size: 24 KB   PcdOvmfSecPageTablesSize +|                          | ++--------------------------+ 8192 KB       PcdOvmfSecPageTablesBase + +(1) Early page tables on X64: + +  (a) when and how it is initialized after first boot of the VM + +    The range is filled in during the SEC phase +    [OvmfPkg/ResetVector/Ia32/PageTables64.asm]. The CR3 register is verified +    against the base address in SecCoreStartupWithStack() +    [OvmfPkg/Sec/SecMain.c]. + +  (b) how it is protected from memory allocations during DXE + +    If S3 was enabled on the QEMU command line (see "-global +    PIIX4_PM.disable_s3=0" earlier), then InitializeRamRegions() +    [OvmfPkg/PlatformPei/MemDetect.c] protects the range with an AcpiNVS memory +    allocation HOB, in PEI. + +    If S3 was disabled, then this range is not protected. DXE's own page tables +    are first built while still in PEI (see HandOffToDxeCore() +    [MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c]). Those tables are located +    in permanent PEI memory. After CR3 is switched over to them (which occurs +    before jumping to the DXE core entry point), we don't have to preserve the +    initial tables. + +  (c) how it is protected from the OS + +    If S3 is enabled, then (1b) reserves it from the OS too. + +    If S3 is disabled, then the range needs no protection. 
+ +  (d) how it is accessed on the S3 resume path + +    It is rewritten same as in (1a), which is fine because (1c) reserved it. + +  (e) how it is accessed on the warm reset path + +    It is rewritten same as in (1a). + +(2) LockBox storage: + +  (a) when and how it is initialized after first boot of the VM + +    InitializeRamRegions() [OvmfPkg/PlatformPei/MemDetect.c] zeroes out the +    area during PEI. This is correct but not strictly necessary, since on first +    boot the area is zero-filled anyway. + +    The LockBox signature of the area is filled in by the PEI module or DXE +    driver that has been linked against OVMF's LockBoxLib and is run first. The +    signature is written in LockBoxLibInitialize() +    [OvmfPkg/Library/LockBoxLib/LockBoxLib.c]. + +    Any module calling SaveLockBox() [OvmfPkg/Library/LockBoxLib/LockBoxLib.c] +    will co-populate this area. + +  (b) how it is protected from memory allocations during DXE + +    If S3 is enabled, then InitializeRamRegions() +    [OvmfPkg/PlatformPei/MemDetect.c] protects the range as AcpiNVS. + +    Otherwise, the range is covered with a BootServicesData memory allocation +    HOB. + +  (c) how it is protected from the OS + +    If S3 is enabled, then (2b) protects it sufficiently. + +    Otherwise the range requires no runtime protection, and the +    BootServicesData allocation type from (2b) ensures that the range will be +    released to the OS. + +  (d) how it is accessed on the S3 resume path + +    The S3 Resume PEIM restores data from the LockBox, which has been correctly +    protected in (2c). + +  (e) how it is accessed on the warm reset path + +    InitializeRamRegions() [OvmfPkg/PlatformPei/MemDetect.c] zeroes out the +    range during PEI, effectively emptying the LockBox. Modules will +    re-populate the LockBox as described in (2a). 
+ +(3) SEC's table of GUIDed section handlers + +  (a) when and how it is initialized after first boot of the VM + +    The following two library instances are linked into SecMain: +    - IntelFrameworkModulePkg/Library/LzmaCustomDecompressLib, +    - MdePkg/Library/BaseExtractGuidedSectionLib. + +    The first library registers its LZMA decompressor plugin (which is a called +    a "section handler") by calling the second library: + +    LzmaDecompressLibConstructor() [GuidedSectionExtraction.c] +      ExtractGuidedSectionRegisterHandlers() [BaseExtractGuidedSectionLib.c] + +    The second library maintains its table of registered "section handlers", to +    be indexed by GUID, in this fixed memory area, independently of S3 +    enablement. + +    (The decompression of FVMAIN_COMPACT's FFS file section that contains the +    PEIFV and DXEFV firmware volumes occurs with the LZMA decompressor +    registered above. See (6) and (7) below.) + +  (b) how it is protected from memory allocations during DXE + +    There is no need to protect this area from DXE: because nothing else in +    OVMF links against BaseExtractGuidedSectionLib, the area loses its +    significance as soon as OVMF progresses from SEC to PEI, therefore DXE is +    allowed to overwrite the region. + +  (c) how it is protected from the OS + +    When S3 is enabled, we cover the range with an AcpiNVS memory allocation +    HOB in InitializeRamRegions(). + +    When S3 is disabled, the range is not protected. + +  (d) how it is accessed on the S3 resume path + +    The table of registered section handlers is again managed by +    BaseExtractGuidedSectionLib linked into SecMain exclusively. Section +    handler registrations update the table in-place (based on GUID matches). + +  (e) how it is accessed on the warm reset path + +    If S3 is enabled, then the OS won't damage the table (due to (3c)), thus +    see (3d). 
+ +    If S3 is disabled, then the OS has most probably overwritten the range with +    its own data, hence (3a) -- complete reinitialization -- will come into +    effect, based on the table signature check in BaseExtractGuidedSectionLib. + +(4) temporary SEC/PEI heap and stack + +  (a) when and how it is initialized after first boot of the VM + +    The range is configured in [OvmfPkg/Sec/X64/SecEntry.S] and +    SecCoreStartupWithStack() [OvmfPkg/Sec/SecMain.c]. The stack half is read & +    written by the CPU transparently. The heap half is used for memory +    allocations during PEI. + +    Data is migrated out (to permanent PEI stack & memory) in (or soon after) +    PublishPeiMemory() [OvmfPkg/PlatformPei/MemDetect.c]. + +  (b) how it is protected from memory allocations during DXE + +    It is not necessary to protect this range during DXE because its use ends +    still in PEI. + +  (c) how it is protected from the OS + +    If S3 is enabled, then InitializeRamRegions() +    [OvmfPkg/PlatformPei/MemDetect.c] reserves it as AcpiNVS. + +    If S3 is disabled, then the range doesn't require protection. + +  (d) how it is accessed on the S3 resume path + +    Same as in (4a), except the target area of the migration triggered by +    PublishPeiMemory() [OvmfPkg/PlatformPei/MemDetect.c] is different -- see +    (5). + +  (e) how it is accessed on the warm reset path + +    Same as in (4a). The stack and heap halves both may contain garbage, but it +    doesn't matter. + +(5) permanent PEI memory for the S3 resume path + +  (a) when and how it is initialized after first boot of the VM + +    No particular initialization or use. + +  (b) how it is protected from memory allocations during DXE + +    We don't need to protect this area during DXE. 
+ +  (c) how it is protected from the OS + +    When S3 is enabled, InitializeRamRegions() +    [OvmfPkg/PlatformPei/MemDetect.c] makes sure the OS stays away by covering +    the range with an AcpiNVS memory allocation HOB. + +    When S3 is disabled, the range needs no protection. + +  (d) how it is accessed on the S3 resume path + +    PublishPeiMemory() installs the range as permanent RAM for PEI. The range +    will serve as stack and will satisfy allocation requests during the rest of +    PEI. OS data won't overlap due to (5c). + +  (e) how it is accessed on the warm reset path + +    Same as (5a). + +(6) PEIFV -- decompressed firmware volume with PEI modules + +  (a) when and how it is initialized after first boot of the VM + +    DecompressMemFvs() [OvmfPkg/Sec/SecMain.c] populates the area, by +    decompressing the flash-mapped FVMAIN_COMPACT volume's contents. (Refer to +    "Firmware image structure".) + +  (b) how it is protected from memory allocations during DXE + +    When S3 is disabled, PeiFvInitialization() [OvmfPkg/PlatformPei/Fv.c] +    covers the range with a BootServicesData memory allocation HOB. + +    When S3 is enabled, the same is coverage is ensured, just with the stronger +    AcpiNVS memory allocation type. + +  (c) how it is protected from the OS + +    When S3 is disabled, it is not necessary to keep the range from the OS. + +    Otherwise the AcpiNVS type allocation from (6b) provides coverage. + +  (d) how it is accessed on the S3 resume path + +    Rather than decompressing it again from FVMAIN_COMPACT, GetS3ResumePeiFv() +    [OvmfPkg/Sec/SecMain.c] reuses the protected area for parsing / execution +    from (6c). + +  (e) how it is accessed on the warm reset path + +    Same as (6a). + +(7) DXEFV -- decompressed firmware volume with DXE modules + +  (a) when and how it is initialized after first boot of the VM + +    Same as (6a). 
+ +  (b) how it is protected from memory allocations during DXE + +    PeiFvInitialization() [OvmfPkg/PlatformPei/Fv.c] covers the range with a +    BootServicesData memory allocation HOB. + +  (c) how it is protected from the OS + +    The OS is allowed to release and reuse this range. + +  (d) how it is accessed on the S3 resume path + +    It's not; DXE never runs during S3 resume. + +  (e) how it is accessed on the warm reset path + +    Same as in (7a). + +Known Secure Boot limitations +----------------------------- + +Under "Motivation" we've mentioned that OVMF's Secure Boot implementation is +not suitable for production use yet -- it's only good for development and +testing of standards-conformant, non-malicious guest code (UEFI and operating +system alike). + +Now that we've examined the persistent flash device, the workings of S3, and +the memory map, we can discuss two currently known shortcomings of OVMF's +Secure Boot that in fact make it insecure. (Clearly problems other than these +two might exist; the set of issues considered here is not meant to be +exhaustive.) + +One trait of Secure Boot is tamper-evidence. Secure Boot may not prevent +malicious modification of software components (for example, operating system +drivers), but by being the root of integrity on a platform, it can catch (or +indirectly contribute to catching) unauthorized changes, by way of signature +and certificate checks at the earliest phases of boot. + +If an attacker can tamper with key material stored in authenticated and/or +boot-time only persistent variables (for example, PK, KEK, db, dbt, dbx), then +the intended security of this scheme is compromised. The UEFI 2.4A +specification says + +- in section 28.3.4: + +  Platform Keys: + +    The public key must be stored in non-volatile storage which is tamper and +    delete resistant. + +  Key Exchange Keys: + +    The public key must be stored in non-volatile storage which is tamper +    resistant. 
+ +- in section 28.6.1: + +  The signature database variables db, dbt, and dbx must be stored in +  tamper-resistant non-volatile storage. + +(1) The combination of QEMU, KVM, and OVMF does not provide this kind of +    resistance. The variable store in the emulated flash chip is directly +    accessible to, and reprogrammable by, UEFI drivers, applications, and +    operating systems. + +(2) Under "S3 (suspend to RAM and resume)" we pointed out that the LockBox +    storage must be similarly secure and tamper-resistant. + +    On the S3 resume path, the PEIM providing EFI_PEI_S3_RESUME2_PPI +    (UefiCpuPkg/Universal/Acpi/S3Resume2Pei) restores and interprets data from +    the LockBox that has been saved there during boot. This PEIM, being part of +    the firmware, has full access to the platform. If an operating system can +    tamper with the contents of the LockBox, then at the next resume the +    platform's integrity might be subverted. + +    OVMF stores the LockBox in normal guest RAM (refer to the memory map +    section above). Operating systems and third party UEFI drivers and UEFI +    applications that respect the UEFI memory map will not inadvertently +    overwrite the LockBox storage, but there's nothing to prevent eg. a +    malicious kernel from modifying the LockBox. + +One means to address these issues is SMM and SMRAM (System Management Mode and +System Management RAM). + +During boot and resume, the firmware can enter and leave SMM and access SMRAM. +Before the DXE phase is left, and control is transferred to the BDS phase (when +third party UEFI drivers and applications can be loaded, and an operating +system can be loaded), SMRAM is locked in hardware, and subsequent modules +cannot access it directly. (See EFI_DXE_SMM_READY_TO_LOCK_PROTOCOL.) 
+ +Once SMRAM has been locked, UEFI drivers and the operating system can enter SMM +by raising a System Management Interrupt (SMI), at which point trusted code +(part of the platform firmware) takes control. SMRAM is also unlocked by +platform reset, at which point the boot firmware takes control again. + +Variable store and LockBox in SMRAM +----------------------------------- + +Edk2 provides almost all components to implement the variable store and the +LockBox in SMRAM. In this section we summarize ideas for utilizing those +facilities. + +The SMRAM and SMM infrastructure in edk2 is built up as follows: + +(1) The platform hardware provides SMM / SMI / SMRAM. + +    Qemu/KVM doesn't support these features currently and should implement them +    in the longer term. + +(2) The platform vendor (in this case, OVMF developers) implement device +    drivers for the platform's System Management Mode: + +    - EFI_SMM_CONTROL2_PROTOCOL: for raising a synchronous (and/or) periodic +      SMI(s); that is, for entering SMM. + +    - EFI_SMM_ACCESS2_PROTOCOL: for describing and accessing SMRAM. + +    These protocols are documented in the PI Specification, Volume 4. + +(3) The platform DSC file is to include the following platform-independent +    modules: + +    - MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf: SMM Initial Program Load +    - MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf: SMM Core + +(4) At this point, modules of type DXE_SMM_DRIVER can be loaded. + +    Such drivers are privileged. They run in SMM, have access to SMRAM, and are +    separated and switched from other drivers through SMIs. Secure +    communication between unprivileged (non-SMM) and privileged (SMM) drivers +    happens through EFI_SMM_COMMUNICATION_PROTOCOL (implemented by the SMM +    Core, see (3)). + +    DXE_SMM_DRIVER modules must sanitize their input (coming from unprivileged +    drivers) carefully. 
+ +(5) The authenticated runtime variable services driver (for Secure Boot builds) +    is located under "SecurityPkg/VariableAuthenticated/RuntimeDxe". OVMF +    currently builds the driver (a DXE_RUNTIME_DRIVER module) with the +    "VariableRuntimeDxe.inf" control file (refer to "OvmfPkg/OvmfPkgX64.dsc"), +    which does not use SMM. + +    The directory includes two more INF files: + +    - VariableSmm.inf -- module type: DXE_SMM_DRIVER. A privileged driver that +      runs in SMM and has access to SMRAM. + +    - VariableSmmRuntimeDxe.inf -- module type: DXE_RUNTIME_DRIVER. A +      non-privileged driver that implements the variable runtime services +      (replacing the current "VariableRuntimeDxe.inf" file) by communicating +      with the above privileged SMM half via EFI_SMM_COMMUNICATION_PROTOCOL. + +(6) An SMRAM-based LockBox implementation needs to be discussed in two parts, +    because the LockBox is accessed in both PEI and DXE. + +    (a) During DXE, drivers save data in the LockBox. A save operation is +        layered as follows: + +        - The unprivileged driver wishing to store data in the LockBox links +          against the "MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxDxeLib.inf" +          library instance. + +          The library allows the unprivileged driver to format requests for the +          privileged SMM LockBox driver (see below), and to parse responses. + +        - The privileged SMM LockBox driver is built from +          "MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.inf". This +          driver has module type DXE_SMM_DRIVER and can access SMRAM. + +          The driver delegates command parsing and response formatting to +          "MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.inf". + +        - The above two halves (unprivileged and privileged) mirror what we've +          seen in case of the variable service drivers, under (5). 
+ +    (b) In PEI, the S3 Resume PEIM (UefiCpuPkg/Universal/Acpi/S3Resume2Pei) +        retrieves data from the LockBox. + +        Presumably, S3Resume2Pei should be considered an "unprivileged PEIM", +        and the SMRAM access should be layered as seen in DXE. Unfortunately, +        edk2 does not implement all of the layers in PEI -- the code either +        doesn't exist, or it is not open source: + +  role         | DXE: protocol/module           | PEI: PPI/module +  -------------+--------------------------------+------------------------------ +  unprivileged | any                            | S3Resume2Pei.inf +  driver       |                                | +  -------------+--------------------------------+------------------------------ +  command      | LIBRARY_CLASS = LockBoxLib     | LIBRARY_CLASS = LockBoxLib +  formatting   |                                | +  and response | SmmLockBoxDxeLib.inf           | SmmLockBoxPeiLib.inf +  parsing      |                                | +  -------------+--------------------------------+------------------------------ +  privilege    | EFI_SMM_COMMUNICATION_PROTOCOL | EFI_PEI_SMM_COMMUNICATION_PPI +  separation   |                                | +               | PiSmmCore.inf                  | missing! +  -------------+--------------------------------+------------------------------ +  platform SMM | EFI_SMM_CONTROL2_PROTOCOL      | PEI_SMM_CONTROL_PPI +  and SMRAM    | EFI_SMM_ACCESS2_PROTOCOL       | PEI_SMM_ACCESS_PPI +  access       |                                | +               | to be done in OVMF             | to be done in OVMF +  -------------+--------------------------------+------------------------------ +  command      | LIBRARY_CLASS = LockBoxLib     | LIBRARY_CLASS = LockBoxLib +  parsing and  |                                | +  response     | SmmLockBoxSmmLib.inf           | missing! 
+  formatting   |                                | +  -------------+--------------------------------+------------------------------ +  privileged   | SmmLockBox.inf                 | missing! +  LockBox      |                                | +  driver       |                                | + +        Alternatively, in the future OVMF might be able to provide a LockBoxLib +        instance (an SmmLockBoxPeiLib substitute) for S3Resume2Pei that +        accesses SMRAM directly, eliminating the need for deeper layers in the +        stack (that is, EFI_PEI_SMM_COMMUNICATION_PPI and deeper). + +        In fact, a "thin" EFI_PEI_SMM_COMMUNICATION_PPI implementation whose +        sole Communicate() member invariably returns EFI_NOT_STARTED would +        cause the current SmmLockBoxPeiLib library instance to directly perform +        full-depth SMRAM access and LockBox search, obviating the "missing" +        cells. (With reference to A Tour Beyond BIOS: Implementing S3 Resume +        with EDK2, by Jiewen Yao and Vincent Zimmer, October 2014.) + +Select features +--------------- + +In this section we'll browse the top-level "OvmfPkg" package directory, and +discuss the more interesting drivers and libraries that have not been mentioned +thus far. + +X64-specific reset vector for OVMF +.................................. + +The "OvmfPkg/ResetVector" directory customizes the reset vector (found in +"UefiCpuPkg/ResetVector/Vtf0") for "OvmfPkgX64.fdf", that is, when the SEC/PEI +phases run in 64-bit (ie. long) mode. 
+ +The reset vector's control flow looks roughly like: + +  resetVector                               [Ia16/ResetVectorVtf0.asm] +  EarlyBspInitReal16                        [Ia16/Init16.asm] +  Main16                                    [Main.asm] +    EarlyInit16                             [Ia16/Init16.asm] + +    ; Transition the processor from +    ; 16-bit real mode to 32-bit flat mode +    TransitionFromReal16To32BitFlat         [Ia16/Real16ToFlat32.asm] + +    ; Search for the +    ; Boot Firmware Volume (BFV) +    Flat32SearchForBfvBase                  [Ia32/SearchForBfvBase.asm] + +    ; Search for the SEC entry point +    Flat32SearchForSecEntryPoint            [Ia32/SearchForSecEntry.asm] + +    %ifdef ARCH_IA32 +      ; Jump to the 32-bit SEC entry point +    %else +      ; Transition the processor +      ; from 32-bit flat mode +      ; to 64-bit flat mode +      Transition32FlatTo64Flat              [Ia32/Flat32ToFlat64.asm] + +        SetCr3ForPageTables64               [Ia32/PageTables64.asm] +          ; set CR3 to page tables +          ; built into the ROM image + +        ; enable PAE +        ; set LME +        ; enable paging + +      ; Jump to the 64-bit SEC entry point +    %endif + +On physical platforms, the initial page tables referenced by +SetCr3ForPageTables64 are built statically into the flash device image, and are +present in ROM at runtime. This is fine on physical platforms because the +pre-built page table entries have the Accessed and Dirty bits set from the +start. + +Accordingly, for OVMF running in long mode on qemu/KVM, the initial page tables +were mapped as a KVM_MEM_READONLY slot, as part of QEMU's pflash device (refer +to "Firmware image structure" above). + +In spite of the Accessed and Dirty bits being pre-set in the read-only, +in-flash PTEs, in a virtual machine attempts are made to update said PTE bits, +differently from physical hardware. 
The component attempting to update the +read-only PTEs can be one of the following: + +- The processor itself, if it supports nested paging, and the user enables that +  processor feature, + +- KVM code implementing shadow paging, otherwise. + +The first case presents no user-visible symptoms, but the second case (KVM, +shadow paging) used to cause a triple fault, prior to Linux commit ba6a354 +("KVM: mmu: allow page tables to be in read-only slots"). + +For compatibility with earlier KVM versions, the OvmfPkg/ResetVector directory +adapts the generic reset vector code as follows: + +      Transition32FlatTo64Flat         [UefiCpuPkg/.../Ia32/Flat32ToFlat64.asm] + +        SetCr3ForPageTables64       [OvmfPkg/ResetVector/Ia32/PageTables64.asm] + +          ; dynamically build the initial page tables in RAM, at address +          ; PcdOvmfSecPageTablesBase (refer to the memory map above), +          ; identity-mapping the first 4 GB of address space + +          ; set CR3 to PcdOvmfSecPageTablesBase + +        ; enable PAE +        ; set LME +        ; enable paging + +This way the PTEs that earlier KVM versions try to update (during shadow +paging) are located in a read-write memory slot, and the write attempts +succeed. + +Client library for QEMU's firmware configuration interface +.......................................................... + +QEMU provides a write-only, 16-bit wide control port, and a read-write, 8-bit +wide data port for exchanging configuration elements with the firmware. + +The firmware writes a selector (a key) to the control port (0x510), and then +reads the corresponding configuration data (produced by QEMU) from the data +port (0x511). + +If the selected entry is writable, the firmware may overwrite it. If QEMU has +associated a callback with the entry, then when the entry is completely +rewritten, QEMU runs the callback. (OVMF does not rewrite any entries at the +moment.) + +A number of selector values (keys) are predefined. 
In particular, key 0x19 +selects (returns) a directory of { name, selector, size } triplets, roughly +speaking. + +The firmware can request configuration elements by well-known name as well, by +looking up the selector value first in the directory, by name, and then writing +the selector to the control port. The number of bytes to read subsequently from +the data port is known from the directory entry's "size" field. + +By convention, directory entries (well-known symbolic names of configuration +elements) are formatted as POSIX pathnames. For example, the array selected by +the "etc/system-states" name indicates (among other things) whether the user +enabled S3 support in QEMU. + +The above interface is called "fw_cfg". + +The binary data associated with a symbolic name is called an "fw_cfg file". + +OVMF's fw_cfg client library is found in "OvmfPkg/Library/QemuFwCfgLib". OVMF +discovers many aspects of the virtual system with it; we refer to a few +examples below. + +Guest ACPI tables +................. + +An operating system discovers a good amount of its hardware by parsing ACPI +tables, and by interpreting ACPI objects and methods. On physical hardware, the +platform vendor's firmware installs ACPI tables in memory that match both the +hardware present in the system and the user's firmware configuration ("BIOS +setup"). + +Under qemu/KVM, the owner of the (virtual) hardware configuration is QEMU. +Hardware can easily be reconfigured on the command line. Furthermore, features +like CPU hotplug, PCI hotplug, memory hotplug are continuously developed for +QEMU, and operating systems need direct ACPI support to exploit these features. + +For this reason, QEMU builds its own ACPI tables dynamically, in a +self-descriptive manner, and exports them to the firmware through a complex, +multi-file fw_cfg interface. It is rooted in the "etc/table-loader" fw_cfg +file. (Further details of this interface are out of scope for this report.) 
+ +OVMF's AcpiPlatformDxe driver fetches the ACPI tables, and installs them for +the guest OS with the EFI_ACPI_TABLE_PROTOCOL (which is in turn provided by the +generic "MdeModulePkg/Universal/Acpi/AcpiTableDxe" driver). + +For earlier QEMU versions and machine types (which we generally don't recommend +for OVMF; see "Scope"), the "OvmfPkg/AcpiTables" directory contains a few +static ACPI table templates. When the "etc/table-loader" fw_cfg file is +unavailable, AcpiPlatformDxe installs these default tables (with a little bit +of dynamic patching). + +When OVMF runs in a Xen domU, AcpiTableDxe also installs ACPI tables that +originate from the hypervisor's environment. + +Guest SMBIOS tables +................... + +Quoting the SMBIOS Reference Specification, + +  [...] the System Management BIOS Reference Specification addresses how +  motherboard and system vendors present management information about their +  products in a standard format [...] + +In practice SMBIOS tables are just another set of tables that the platform +vendor's firmware installs in RAM for the operating system, and, importantly, +for management applications running on the OS. 
Without rehashing the "Guest +ACPI tables" section in full, let's map the OVMF roles seen there from ACPI to +SMBIOS: + +  role                     | ACPI                    | SMBIOS +  -------------------------+-------------------------+------------------------- +  fw_cfg file              | etc/table-loader        | etc/smbios/smbios-tables +  -------------------------+-------------------------+------------------------- +  OVMF driver              | AcpiPlatformDxe         | SmbiosPlatformDxe +  under "OvmfPkg"          |                         | +  -------------------------+-------------------------+------------------------- +  Underlying protocol,     | EFI_ACPI_TABLE_PROTOCOL | EFI_SMBIOS_PROTOCOL +  implemented by generic   |                         | +  driver under             | Acpi/AcpiTableDxe       | SmbiosDxe +  "MdeModulePkg/Universal" |                         | +  -------------------------+-------------------------+------------------------- +  default tables available | yes                     | [RHEL] yes, Type0 and +  for earlier QEMU machine |                         |        Type1 tables +  types, with hot-patching |                         | +  -------------------------+-------------------------+------------------------- +  tables fetched in Xen    | yes                     | yes +  domUs                    |                         | + +Platform-specific boot policy +............................. + +OVMF's BDS (Boot Device Selection) phase is implemented by +IntelFrameworkModulePkg/Universal/BdsDxe. 
Roughly speaking, this large driver: + +- provides the EFI BDS architectural protocol (which DXE transfers control to +  after dispatching all DXE drivers), + +- connects drivers to devices, + +- enumerates boot devices, + +- auto-generates boot options, + +- provides "BIOS setup" screens, such as: + +  - Boot Manager, for booting an option, + +  - Boot Maintenance Manager, for adding, deleting, and reordering boot +    options, changing console properties etc, + +  - Device Manager, where devices can register configuration forms, including + +    - Secure Boot configuration forms, + +    - OVMF's Platform Driver form (see under PlatformDxe). + +Firmware that includes the "IntelFrameworkModulePkg/Universal/BdsDxe" driver +can customize its behavior by providing an instance of the PlatformBdsLib +library class. The driver links against this platform library, and the +platform library can call Intel's BDS utility functions from +"IntelFrameworkModulePkg/Library/GenericBdsLib". + +OVMF's PlatformBdsLib instance can be found in +"OvmfPkg/Library/PlatformBdsLib". The main function where the BdsDxe driver +enters the library is PlatformBdsPolicyBehavior(). We mention two OVMF +particulars here. + +(1) OVMF is capable of loading kernel images directly from fw_cfg, matching +    QEMU's -kernel, -initrd, and -append command line options. This feature is +    useful for rapid, repeated Linux kernel testing, and is implemented in the +    following call tree: + +    PlatformBdsPolicyBehavior() [OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c] +      TryRunningQemuKernel() [OvmfPkg/Library/PlatformBdsLib/QemuKernel.c] +        LoadLinux*() [OvmfPkg/Library/LoadLinuxLib/Linux.c] + +    OvmfPkg/Library/LoadLinuxLib ports the efilinux bootloader project into +    OvmfPkg. + +(2) OVMF seeks to comply with the boot order specification passed down by QEMU +    over fw_cfg. 
+ +    (a) About Boot Modes + +      During the PEI phase, OVMF determines and stores the Boot Mode in the +      PHIT HOB (already mentioned in "S3 (suspend to RAM and resume)"). The +      boot mode is supposed to influence the rest of the system, for example it +      distinguishes S3 resume (BOOT_ON_S3_RESUME) from a "normal" boot. + +      In general, "normal" boots can be further differentiated from each other; +      for example for speed reasons. When the firmware can tell during PEI that +      the chassis has not been opened since last power-up, then it might want +      to save time by not connecting all devices and not enumerating all boot +      options from scratch; it could just rely on the stored results of the +      last enumeration. The matching BootMode value, to be set during PEI, +      would be BOOT_ASSUMING_NO_CONFIGURATION_CHANGES. + +      OVMF only sets one of the following two boot modes, based on CMOS +      contents: +      - BOOT_ON_S3_RESUME, +      - BOOT_WITH_FULL_CONFIGURATION. + +      For BOOT_ON_S3_RESUME, please refer to "S3 (suspend to RAM and resume)". +      The other boot mode supported by OVMF, BOOT_WITH_FULL_CONFIGURATION, is +      an appropriate "catch-all" for a virtual machine, where hardware can +      easily change from boot to boot. + +    (b) Auto-generation of boot options + +      Accordingly, when not resuming from S3 sleep (*), OVMF always connects +      all devices, and enumerates all bootable devices as new boot options +      (non-volatile variables called Boot####). + +      (*) During S3 resume, DXE is not reached, hence BDS isn't either. + +      The auto-enumerated boot options are stored in the BootOrder non-volatile +      variable after any preexistent options. (Boot options may exist before +      auto-enumeration eg. because the user added them manually with the Boot +      Maintenance Manager or the efibootmgr utility. They could also originate +      from an earlier auto-enumeration.) 
+ +      PlatformBdsPolicyBehavior()                   [OvmfPkg/.../BdsPlatform.c] +        TryRunningQemuKernel()                       [OvmfPkg/.../QemuKernel.c] +        BdsLibConnectAll()           [IntelFrameworkModulePkg/.../BdsConnect.c] +        BdsLibEnumerateAllBootOption()  [IntelFrameworkModulePkg/.../BdsBoot.c] +          BdsLibBuildOptionFromHandle() [IntelFrameworkModulePkg/.../BdsBoot.c] +            BdsLibRegisterNewOption()   [IntelFrameworkModulePkg/.../BdsMisc.c] +              // +              // Append the new option number to the original option order +              // + +    (c) Relative UEFI device paths in boot options + +      The handling of relative ("short-form") UEFI device paths is best +      demonstrated through an example, and by quoting the UEFI 2.4A +      specification. + +      A short-form hard drive UEFI device path could be (displaying each device +      path node on a separate line for readability): + +        HD(1,GPT,14DD1CC5-D576-4BBF-8858-BAF877C8DF61,0x800,0x64000)/ +        \EFI\fedora\shim.efi + +      This device path lacks prefix nodes (eg. hardware or messaging type +      nodes) that would lead to the hard drive. During load option processing, +      the above short-form or relative device path could be matched against the +      following absolute device path: + +        PciRoot(0x0)/ +        Pci(0x4,0x0)/ +        HD(1,GPT,14DD1CC5-D576-4BBF-8858-BAF877C8DF61,0x800,0x64000)/ +        \EFI\fedora\shim.efi + +      The motivation for this type of device path matching / completion is to +      allow the user to move around the hard drive (for example, to plug a +      controller in a different PCI slot, or to expose the block device on a +      different iSCSI path) and still enable the firmware to find the hard +      drive. + +      The UEFI specification says, + +        9.3.6 Media Device Path +        9.3.6.1 Hard Drive + +          [...] 
Section 3.1.2 defines special rules for processing the Hard +          Drive Media Device Path. These special rules enable a disk's location +          to change and still have the system boot from the disk. [...] + +        3.1.2 Load Option Processing + +          [...] The boot manager must [...] support booting from a short-form +          device path that starts with the first element being a hard drive +          media device path [...]. The boot manager must use the GUID or +          signature and partition number in the hard drive device path to match +          it to a device in the system. If the drive supports the GPT +          partitioning scheme the GUID in the hard drive media device path is +          compared with the UniquePartitionGuid field of the GUID Partition +          Entry [...]. If the drive supports the PC-AT MBR scheme the signature +          in the hard drive media device path is compared with the +          UniqueMBRSignature in the Legacy Master Boot Record [...]. If a +          signature match is made, then the partition number must also be +          matched. The hard drive device path can be appended to the matching +          hardware device path and normal boot behavior can then be used. If +          more than one device matches the hard drive device path, the boot +          manager will pick one arbitrarily. Thus the operating system must +          ensure the uniqueness of the signatures on hard drives to guarantee +          deterministic boot behavior. + +      Edk2 implements and exposes the device path completion logic in the +      already referenced "IntelFrameworkModulePkg/Library/GenericBdsLib" +      library, in the BdsExpandPartitionPartialDevicePathToFull() function. 
+ +    (d) Filtering and reordering the boot options based on fw_cfg + +      Once we have an "all-inclusive", partly preexistent, partly freshly +      auto-generated boot option list from bullet (b), OVMF loads QEMU's +      requested boot order from fw_cfg, and filters and reorders the list from +      (b) with it: + +      PlatformBdsPolicyBehavior()                   [OvmfPkg/.../BdsPlatform.c] +        TryRunningQemuKernel()                       [OvmfPkg/.../QemuKernel.c] +        BdsLibConnectAll()           [IntelFrameworkModulePkg/.../BdsConnect.c] +        BdsLibEnumerateAllBootOption()  [IntelFrameworkModulePkg/.../BdsBoot.c] +        SetBootOrderFromQemu()                    [OvmfPkg/.../QemuBootOrder.c] + +      According to the (preferred) "-device ...,bootindex=N" and the (legacy) +      '-boot order=drives' command line options, QEMU requests a boot order +      from the firmware through the "bootorder" fw_cfg file. (For a bootindex +      example, refer to the "Example qemu invocation" section.) + +      This fw_cfg file consists of OpenFirmware (OFW) device paths -- note: not +      UEFI device paths! --, one per line. 
An example list is: + +        /pci@i0cf8/scsi@4/disk@0,0 +        /pci@i0cf8/ide@1,1/drive@1/disk@0 +        /pci@i0cf8/ethernet@3/ethernet-phy@0 + +      OVMF filters and reorders the boot option list from bullet (b) with the +      following nested loops algorithm: + +        new_uefi_order := <empty> +        for each qemu_ofw_path in QEMU's OpenFirmware device path list: +          qemu_uefi_path_prefix := translate(qemu_ofw_path) + +          for each boot_option in current_uefi_order: +            full_boot_option := complete(boot_option) + +            if match(qemu_uefi_path_prefix, full_boot_option): +              append(new_uefi_order, boot_option) +              break + +        for each unmatched boot_option in current_uefi_order: +          if survives(boot_option): +            append(new_uefi_order, boot_option) + +        current_uefi_order := new_uefi_order + +      OVMF iterates over QEMU's OFW device paths in order, translates each to a +      UEFI device path prefix, tries to match the translated prefix against the +      UEFI boot options (which are completed from relative form to absolute +      form for the purpose of prefix matching), and if there's a match, the +      matching boot option is appended to the new boot order (which starts out +      empty). + +      (We elaborate on the translate() function under bullet (e). The +      complete() function has been explained in bullet (c).) + +      In addition, UEFI boot options that remain unmatched after filtering and +      reordering are post-processed, and some of them "survive". Due to the +      fact that OpenFirmware device paths have less expressive power than their +      UEFI counterparts, some UEFI boot options are simply inexpressible (hence +      unmatchable) by the nested loops algorithm. 
+ +      An important example is the memory-mapped UEFI shell, whose UEFI device +      path is inexpressible by QEMU's OFW device paths: + +        MemoryMapped(0xB,0x900000,0x10FFFFF)/ +        FvFile(7C04A583-9E3E-4F1C-AD65-E05268D0B4D1) + +      (Side remark: notice that the address range visible in the MemoryMapped() +      node corresponds to DXEFV under "comprehensive memory map of OVMF"! In +      addition, the FvFile() node's GUID originates from the FILE_GUID entry of +      "ShellPkg/Application/Shell/Shell.inf".) + +      The UEFI shell can be booted by pressing ESC in OVMF on the TianoCore +      splash screen, and navigating to Boot Manager | EFI Internal Shell. If +      the "survival policy" was not implemented, the UEFI shell's boot option +      would always be filtered out. + +      The current "survival policy" preserves all boot options that start with +      neither PciRoot() nor HD(). + +    (e) Translating QEMU's OpenFirmware device paths to UEFI device path +        prefixes + +      In this section we list the (strictly heuristical) mappings currently +      performed by OVMF. + +      The "prefix only" nature of the translation output is rooted minimally in +      the fact that QEMU's OpenFirmware device paths cannot carry pathnames +      within filesystems. There's no way to specify eg. + +        \EFI\fedora\shim.efi + +      in an OFW device path, therefore a UEFI device path translated from an +      OFW device path can at best be a prefix (not a full match) of a UEFI +      device path that ends with "\EFI\fedora\shim.efi". 
+ +      - IDE disk, IDE CD-ROM: + +        OpenFirmware device path: + +          /pci@i0cf8/ide@1,1/drive@0/disk@0 +               ^         ^ ^       ^      ^ +               |         | |       |      master or slave +               |         | |       primary or secondary +               |         PCI slot & function holding IDE controller +               PCI root at system bus port, PIO + +        UEFI device path prefix: + +          PciRoot(0x0)/Pci(0x1,0x1)/Ata(Primary,Master,0x0) +                                                       ^ +                                                       fixed LUN + +      - Floppy disk: + +        OpenFirmware device path: + +          /pci@i0cf8/isa@1/fdc@03f0/floppy@0 +               ^         ^     ^           ^ +               |         |     |           A: or B: +               |         |     ISA controller io-port (hex) +               |         PCI slot holding ISA controller +               PCI root at system bus port, PIO + +        UEFI device path prefix: + +          PciRoot(0x0)/Pci(0x1,0x0)/Floppy(0x0) +                                           ^ +                                           ACPI UID (A: or B:) + +      - Virtio-block disk: + +        OpenFirmware device path: + +          /pci@i0cf8/scsi@6[,3]/disk@0,0 +               ^          ^  ^       ^ ^ +               |          |  |       fixed +               |          |  PCI function corresponding to disk (optional) +               |          PCI slot holding disk +               PCI root at system bus port, PIO + +        UEFI device path prefixes (dependent on the presence of a nonzero PCI +        function in the OFW device path): + +          PciRoot(0x0)/Pci(0x6,0x0)/HD( +          PciRoot(0x0)/Pci(0x6,0x3)/HD( + +      - Virtio-scsi disk and virtio-scsi passthrough: + +        OpenFirmware device path: + +          /pci@i0cf8/scsi@7[,3]/channel@0/disk@2,3 +               ^          ^             ^      ^ ^ +               |          | 
            |      | LUN +               |          |             |      target +               |          |             channel (unused, fixed 0) +               |          PCI slot[, function] holding SCSI controller +               PCI root at system bus port, PIO + +        UEFI device path prefixes (dependent on the presence of a nonzero PCI +        function in the OFW device path): + +          PciRoot(0x0)/Pci(0x7,0x0)/Scsi(0x2,0x3) +          PciRoot(0x0)/Pci(0x7,0x3)/Scsi(0x2,0x3) + +      - Emulated and passed-through (physical) network cards: + +        OpenFirmware device path: + +          /pci@i0cf8/ethernet@3[,2] +               ^              ^ +               |              PCI slot[, function] holding Ethernet card +               PCI root at system bus port, PIO + +        UEFI device path prefixes (dependent on the presence of a nonzero PCI +        function in the OFW device path): + +          PciRoot(0x0)/Pci(0x3,0x0) +          PciRoot(0x0)/Pci(0x3,0x2) + +Virtio drivers +.............. + +UEFI abstracts various types of hardware resources into protocols, and allows +firmware developers to implement those protocols in device drivers. The Virtio +Specification defines various types of virtual hardware for virtual machines. +Connecting the two specifications, OVMF provides UEFI drivers for QEMU's +virtio-block, virtio-scsi, and virtio-net devices. + +The following diagram presents the protocol and driver stack related to Virtio +devices in edk2 and OVMF. Each node in the graph identifies a protocol and/or +the edk2 driver that produces it. Nodes on the top are more abstract. 
+ +  EFI_BLOCK_IO_PROTOCOL                             EFI_SIMPLE_NETWORK_PROTOCOL +  [OvmfPkg/VirtioBlkDxe]                              [OvmfPkg/VirtioNetDxe] +             |                                                   | +             |         EFI_EXT_SCSI_PASS_THRU_PROTOCOL           | +             |             [OvmfPkg/VirtioScsiDxe]               | +             |                        |                          | +             +------------------------+--------------------------+ +                                      | +                           VIRTIO_DEVICE_PROTOCOL +                                      | +                +---------------------+---------------------+ +                |                                           | +  [OvmfPkg/VirtioPciDeviceDxe]                  [custom platform drivers] +                |                                           | +                |                                           | +       EFI_PCI_IO_PROTOCOL                [OvmfPkg/Library/VirtioMmioDeviceLib] + [MdeModulePkg/Bus/Pci/PciBusDxe]              direct MMIO register access + +The top three drivers produce standard UEFI abstractions: the Block IO +Protocol, the Extended SCSI Pass Thru Protocol, and the Simple Network +Protocol, for virtio-block, virtio-scsi, and virtio-net devices, respectively. + +Comparing these device-specific virtio drivers to each other, we can determine: + +- They all conform to the UEFI Driver Model. This means that their entry point +  functions don't immediately start to search for devices and to drive them, +  they only register instances of the EFI_DRIVER_BINDING_PROTOCOL. The UEFI +  Driver Model then enumerates devices and chains matching drivers +  automatically. + +- They are as minimal as possible, while remaining correct (refer to source +  code comments for details). For example, VirtioBlkDxe and VirtioScsiDxe both +  support only one request in flight. 
+ +  In theory, VirtioBlkDxe could implement EFI_BLOCK_IO2_PROTOCOL, which allows +  queueing. Similarly, VirtioScsiDxe does not support the non-blocking mode of +  EFI_EXT_SCSI_PASS_THRU_PROTOCOL.PassThru(). (Which is permitted by the UEFI +  specification.) Both VirtioBlkDxe and VirtioScsiDxe delegate synchronous +  request handling to "OvmfPkg/Library/VirtioLib". This limitation helps keep +  the implementation simple, and testing thus far seems to imply satisfactory +  performance, for a virtual boot firmware. + +  VirtioNetDxe cannot avoid queueing, because EFI_SIMPLE_NETWORK_PROTOCOL +  requires it on the interface level. Consequently, VirtioNetDxe is +  significantly more complex than VirtioBlkDxe and VirtioScsiDxe. Technical +  notes are provided in "OvmfPkg/VirtioNetDxe/TechNotes.txt". + +- None of these drivers access hardware directly. Instead, the Virtio Device +  Protocol (OvmfPkg/Include/Protocol/VirtioDevice.h) collects / extracts virtio +  operations defined in the Virtio Specification, and these backend-independent +  virtio device drivers go through the abstract VIRTIO_DEVICE_PROTOCOL. + +  IMPORTANT: the VIRTIO_DEVICE_PROTOCOL is not a standard UEFI protocol. It is +  internal to edk2 and not described in the UEFI specification. It should only +  be used by drivers and applications that live inside the edk2 source tree. + +Currently two providers exist for VIRTIO_DEVICE_PROTOCOL: + +- The first one is the "more traditional" virtio-pci backend, implemented by +  OvmfPkg/VirtioPciDeviceDxe. This driver also complies with the UEFI Driver +  Model. It consumes an instance of the EFI_PCI_IO_PROTOCOL, and, if the PCI +  device/function under probing appears to be a virtio device, it produces a +  Virtio Device Protocol instance for it. The driver translates abstract virtio +  operations to PCI accesses. + +- The second provider, the virtio-mmio backend, is a library, not a driver, +  living in OvmfPkg/Library/VirtioMmioDeviceLib. 
This library translates +  abstract virtio operations to MMIO accesses. + +  The virtio-mmio backend is only a library -- rather than a standalone, UEFI +  Driver Model-compliant driver -- because the type of resource it consumes, an +  MMIO register block base address, is not enumerable. + +  In other words, while the PCI root bridge driver and the PCI bus driver +  produce instances of EFI_PCI_IO_PROTOCOL automatically, thereby enabling the +  UEFI Driver Model to probe devices and stack up drivers automatically, no +  such enumeration exists for MMIO register blocks. + +  For this reason, VirtioMmioDeviceLib needs to be linked into thin, custom +  platform drivers that dispose over this kind of information. As soon as a +  driver knows about the MMIO register block base addresses, it can pass each +  to the library, and then the VIRTIO_DEVICE_PROTOCOL will be instantiated +  (assuming a valid virtio-mmio register block of course). From that point on +  the UEFI Driver Model again takes care of the chaining. + +  Typically, such a custom driver does not conform to the UEFI Driver Model +  (because that would presuppose auto-enumeration for MMIO register blocks). +  Hence it has the following responsibilities: + +  - it shall behave as a "wrapper" UEFI driver around the library, + +  - it shall know virtio-mmio base addresses, + +  - in its entry point function, it shall create a new UEFI handle with an +    instance of the EFI_DEVICE_PATH_PROTOCOL for each virtio-mmio device it +    knows the base address for, + +  - it shall call VirtioMmioInstallDevice() on those handles, with the +    corresponding base addresses. + +  OVMF itself does not employ VirtioMmioDeviceLib. 
However, the library is used +  (or has been tested as Proof-of-Concept) in the following 64-bit and 32-bit +  ARM emulator setups: + +  - in "RTSM_VE_FOUNDATIONV8_EFI.fd" and "FVP_AARCH64_EFI.fd", on ARM Holdings' +    ARM(R) v8-A Foundation Model and ARM(R) AEMv8-A Base Platform FVP +    emulators, respectively: + +                           EFI_BLOCK_IO_PROTOCOL +                           [OvmfPkg/VirtioBlkDxe] +                                      | +                           VIRTIO_DEVICE_PROTOCOL +        [ArmPlatformPkg/ArmVExpressPkg/ArmVExpressDxe/ArmFvpDxe.inf] +                                      | +                    [OvmfPkg/Library/VirtioMmioDeviceLib] +                         direct MMIO register access + +  - in "RTSM_VE_CORTEX-A15_EFI.fd" and "RTSM_VE_CORTEX-A15_MPCORE_EFI.fd", on +    "qemu-system-arm -M vexpress-a15": + +        EFI_BLOCK_IO_PROTOCOL            EFI_SIMPLE_NETWORK_PROTOCOL +        [OvmfPkg/VirtioBlkDxe]             [OvmfPkg/VirtioNetDxe] +                   |                                  | +                   +------------------+---------------+ +                                      | +                           VIRTIO_DEVICE_PROTOCOL +        [ArmPlatformPkg/ArmVExpressPkg/ArmVExpressDxe/ArmFvpDxe.inf] +                                      | +                    [OvmfPkg/Library/VirtioMmioDeviceLib] +                         direct MMIO register access + +  In the above ARM / VirtioMmioDeviceLib configurations, VirtioBlkDxe was +  tested with booting Linux distributions, while VirtioNetDxe was tested with +  pinging public IPv4 addresses from the UEFI shell. + +Platform Driver +............... + +Sometimes, elements of persistent firmware configuration are best exposed to +the user in a friendly way. 
OVMF's platform driver (OvmfPkg/PlatformDxe) +presents such settings on the "OVMF Platform Configuration" dialog: + +- Press ESC on the TianoCore splash screen, +- Navigate to Device Manager | OVMF Platform Configuration. + +At the moment, OVMF's platform driver handles only one setting: the preferred +graphics resolution. This is useful for two purposes: + +- Some UEFI shell commands, like DRIVERS and DEVICES, benefit from a wide +  display. Using the MODE shell command, the user can switch to a larger text +  resolution (limited by the graphics resolution), and see the command output +  in a more easily consumable way. + +  [RHEL] The list of text modes available to the MODE command is also limited +         by ConSplitterDxe (found under MdeModulePkg/Universal/Console). +         ConSplitterDxe builds an intersection of text modes that are +         simultaneously supported by all consoles that ConSplitterDxe +         multiplexes console output to. + +         In practice, the strongest text mode restriction comes from +         TerminalDxe, which provides console I/O on serial ports. TerminalDxe +         has a very limited built-in list of text modes, heavily pruning the +         intersection built by ConSplitterDxe, and made available to the MODE +         command. + +         On the Red Hat Enterprise Linux 7.1 host, TerminalDxe's list of modes +         has been extended with text resolutions that match the Spice QXL GPU's +         common graphics resolutions. This way a "full screen" text mode should +         always be available in the MODE command. + +- The other advantage of controlling the graphics resolution lies with UEFI +  operating systems that don't (yet) have a native driver for QEMU's virtual +  video cards  -- eg. the Spice QXL GPU. Such OSes may choose to inherit the +  properties of OVMF's EFI_GRAPHICS_OUTPUT_PROTOCOL (provided by +  OvmfPkg/QemuVideoDxe, see later). 
+ +  Although the display can be used at runtime in such cases, by direct +  framebuffer access, its properties, for example, the resolution, cannot be +  modified. The platform driver allows the user to select the preferred GOP +  resolution, reboot, and let the guest OS inherit that preferred resolution. + +The platform driver has three access points: the "normal" driver entry point, a +set of HII callbacks, and a GOP installation callback. + +(1) Driver entry point: the PlatformInit() function. + +    (a) First, this function loads any available settings, and makes them take +        effect. For the preferred graphics resolution in particular, this means +        setting the following PCDs: + +          gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution +          gEfiMdeModulePkgTokenSpaceGuid.PcdVideoVerticalResolution + +        These PCDs influence the GraphicsConsoleDxe driver (located under +        MdeModulePkg/Universal/Console), which switches to the preferred +        graphics mode, and produces EFI_SIMPLE_TEXT_OUTPUT_PROTOCOLs on GOPs: + +                    EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL +          [MdeModulePkg/Universal/Console/GraphicsConsoleDxe] +                                   | +                      EFI_GRAPHICS_OUTPUT_PROTOCOL +                         [OvmfPkg/QemuVideoDxe] +                                   | +                          EFI_PCI_IO_PROTOCOL +                   [MdeModulePkg/Bus/Pci/PciBusDxe] + +  (b) Second, the driver entry point registers the user interface, including +      HII callbacks. + +  (c) Third, the driver entry point registers a GOP installation callback. + +(2) HII callbacks and the user interface. + +    The Human Interface Infrastructure (HII) "is a set of protocols that allow +    a UEFI driver to provide the ability to register user interface and +    configuration content with the platform firmware". 
+ +    OVMF's platform driver: + +    - provides a static, basic, visual form (PlatformForms.vfr), written in the +      Visual Forms Representation language, + +    - includes a UCS-16 encoded message catalog (Platform.uni), + +    - includes source code that dynamically populates parts of the form, with +      the help of MdeModulePkg/Library/UefiHiiLib -- this library simplifies +      the handling of IFR (Internal Forms Representation) opcodes, + +    - processes form actions that the user takes (Callback() function), + +    - loads and saves platform configuration in a private, non-volatile +      variable (ExtractConfig() and RouteConfig() functions). + +    The ExtractConfig() HII callback implements the following stack of +    conversions, for loading configuration and presenting it to the user: + +          MultiConfigAltResp       -- form engine / HII communication +                  ^ +                  | +           [BlockToConfig] +                  | +           MAIN_FORM_STATE         -- binary representation of form/widget +                  ^                   state +                  | +      [PlatformConfigToFormState] +                  | +           PLATFORM_CONFIG         -- accessible to DXE and UEFI drivers +                  ^ +                  | +         [PlatformConfigLoad] +                  | +        UEFI non-volatile variable -- accessible to external utilities + +    The layers are very similar for the reverse direction, ie. 
when taking +    input from the user, and saving the configuration (RouteConfig() HII +    callback): + +             ConfigResp            -- form engine / HII communication +                  | +           [ConfigToBlock] +                  | +                  v +           MAIN_FORM_STATE         -- binary representation of form/widget +                  |                   state +      [FormStateToPlatformConfig] +                  | +                  v +           PLATFORM_CONFIG         -- accessible to DXE and UEFI drivers +                  | +         [PlatformConfigSave] +                  | +                  v +        UEFI non-volatile variable -- accessible to external utilities + +(3) When the platform driver starts, a GOP may not be available yet. Thus the +    driver entry point registers a callback (the GopInstalled() function) for +    GOP installations. + +    When the first GOP is produced (usually by QemuVideoDxe, or potentially by +    a third party video driver), PlatformDxe retrieves the list of graphics +    modes the GOP supports, and dynamically populates the drop-down list of +    available resolutions on the form. The GOP installation callback is then +    removed. + +Video driver +............ + +OvmfPkg/QemuVideoDxe is OVMF's built-in video driver. We can divide its +services in two parts: graphics output protocol (primary), and Int10h (VBE) +shim (secondary). 
+ +(1) QemuVideoDxe conforms to the UEFI Driver Model; it produces an instance of +    the EFI_GRAPHICS_OUTPUT_PROTOCOL (GOP) on each PCI display that it supports +    and is connected to: + +                      EFI_GRAPHICS_OUTPUT_PROTOCOL +                         [OvmfPkg/QemuVideoDxe] +                                   | +                          EFI_PCI_IO_PROTOCOL +                   [MdeModulePkg/Bus/Pci/PciBusDxe] + +    It supports the following QEMU video cards: + +    - Cirrus 5430 ("-device cirrus-vga"), +    - Standard VGA ("-device VGA"), +    - QXL VGA ("-device qxl-vga", "-device qxl"). + +    For Cirrus the following resolutions and color depths are available: +    640x480x32, 800x600x32, 1024x768x24. On stdvga and QXL a long list of +    resolutions is available. The list is filtered against the frame buffer +    size during initialization. + +    The size of the QXL VGA compatibility framebuffer can be changed with the + +      -device qxl-vga,vgamem_mb=$NUM_MB + +    QEMU option. If $NUM_MB exceeds 32, then the following is necessary +    instead: + +      -device qxl-vga,vgamem_mb=$NUM_MB,ram_size_mb=$((NUM_MB*2)) + +    because the compatibility framebuffer can't cover more than half of PCI BAR +    #0. The latter defaults to 64MB in size, and is controlled by the +    "ram_size_mb" property. + +(2) When QemuVideoDxe binds the first Standard VGA or QXL VGA device, and there +    is no real VGA BIOS present in the C to F segments (which could originate +    from a legacy PCI option ROM -- refer to "Compatibility Support Module +    (CSM)"), then QemuVideoDxe installs a minimal, "fake" VGA BIOS -- an Int10h +    (VBE) "shim". + +    The shim is implemented in 16-bit assembly in +    "OvmfPkg/QemuVideoDxe/VbeShim.asm". The "VbeShim.sh" shell script assembles +    it and formats it as a C array ("VbeShim.h") with the help of the "nasm" +    utility. 
The driver's InstallVbeShim() function copies the shim in place +    (the C segment), and fills in the VBE Info and VBE Mode Info structures. +    The real-mode 10h interrupt vector is pointed to the shim's handler. + +    The shim is (correctly) irrelevant and invisible for all UEFI operating +    systems we know about -- except Windows Server 2008 R2 and other Windows +    operating systems in that family. + +    Namely, the Windows 2008 R2 SP1 (and Windows 7) UEFI guest's default video +    driver dereferences the real mode Int10h vector, loads the pointed-to +    handler code, and executes what it thinks to be VGA BIOS services in an +    internal real-mode emulator. Consequently, video mode switching used not to +    work in Windows 2008 R2 SP1 when it ran on the "pure UEFI" build of OVMF, +    making the guest uninstallable. Hence the (otherwise optional, non-default) +    Compatibility Support Module (CSM) ended up a requirement for running such +    guests. + +    The hard dependency on the sophisticated SeaBIOS CSM and the complex +    supporting edk2 infrastructure, for enabling this family of guests, was +    considered suboptimal by some members of the upstream community, + +    [RHEL] and was certainly considered a serious maintenance disadvantage for +           Red Hat Enterprise Linux 7.1 hosts. + +    Thus, the shim has been collaboratively developed for the Windows 7 / +    Windows Server 2008 R2 family. The shim provides a real stdvga / QXL +    implementation for the few services that are in fact necessary for the +    Windows 2008 R2 SP1 (and Windows 7) UEFI guest, plus some "fakes" that the +    guest invokes but whose effect is not important. The only supported mode is +    1024x768x32, which is enough to install the guest and then upgrade its +    video driver to the full-featured QXL XDDM one. + +    The C segment is not present in the UEFI memory map prepared by OVMF. 
+    Memory space that would cover it is never added (either in PEI, in the form +    of memory resource descriptor HOBs, or in DXE, via gDS->AddMemorySpace()). +    This way the handler body is invisible to all other UEFI guests, and the +    rest of edk2. + +    The Int10h real-mode IVT entry is covered with a Boot Services Code page, +    making that too inaccessible to the rest of edk2. Due to the allocation +    type, UEFI guest OSes different from the Windows Server 2008 family can +    reclaim the page at zero. (The Windows 2008 family accesses that page +    regardless of the allocation type.) + +Afterword +--------- + +After the bulk of this document was written in July 2014, OVMF development has +not stopped. To name two significant code contributions from the community: in +January 2015, OVMF runs on the "q35" machine type of QEMU, and it features a +driver for Xen paravirtual block devices (and another for the underlying Xen +bus). + +Furthermore, a dedicated virtualization platform has been contributed to +ArmPlatformPkg that plays a role parallel to OvmfPkg's. It targets the "virt" +machine type of qemu-system-arm and qemu-system-aarch64. Parts of OvmfPkg are +being refactored and modularized so they can be reused in +"ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc". @@ -0,0 +1,3 @@ +e09c9f9545003f71247c7e636d956259  DBXUpdate-20230509.x64.bin +b764e33600748b2f709f15a2e913b43c  edk2-3e722403cd.tar.xz +5391481ae1f1db4fc81d1f20b37acff2  openssl-rhel-8e5beb77088bfec064d60506b1e76ddb0ac417fe.tar.xz | 
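Review bot: the whitepaper hunk imports text that is tagged and dated for a different product, and nothing in the added file says so: the [RHEL] paragraphs describe Red Hat Enterprise Linux 7.1 host behaviour (the TerminalDxe text-mode list extended to match the Spice QXL resolutions, the CSM maintenance remark in the VBE-shim section), and the Afterword places the text at July 2014 / January 2015. For an openEuler 24.03 LTS package built from edk2 snapshot 3e722403cd, please confirm that the downstream patches those [RHEL] paragraphs describe are actually carried in this package, and add a short note at the top of the file giving its origin and vintage, so readers do not take the RHEL-specific statements, or the pre-"q35" afterword, as a description of the firmware this package ships. The VBE-shim section in particular (Int10h vector pointed at a handler in the C segment, C segment left out of the UEFI memory map, IVT page allocated as Boot Services Code) is exactly the kind of platform detail that moves between edk2 releases, so dating the document matters for anyone auditing the shipped binary against it.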
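Review bot: the checksum hunk records only MD5 digests for DBXUpdate-20230509.x64.bin, edk2-3e722403cd.tar.xz and the openssl-rhel tarball; MD5 is collision-broken, so please add SHA-256 (or SHA-512) sums alongside, as in "sha256sum DBXUpdate-20230509.x64.bin edk2-3e722403cd.tar.xz openssl-rhel-8e5beb77088bfec064d60506b1e76ddb0ac417fe.tar.xz". For DBXUpdate-20230509.x64.bin in particular, record where the file was obtained, since it is a UEFI revocation-list payload that ends up inside the firmware image, and the UEFI Forum publishes the DBX update files; a reviewer should be able to re-verify it against the published copy rather than only against a digest computed locally. The openssl tarball is pinned to a full commit hash in its name, which is good; the edk2 tarball name carries only the abbreviated hash 3e722403cd, so consider recording the full commit id in the spec as well.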
