CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

ovmf: update 202502 -> 202508

Browse Source 
Remove backports.

(From OE-Core rev: 172587a0288cde8137c836147d261fd50072ff05)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Alexander Kanavin 2025-09-02 15:03:19 +02:00 committed by Richard Purdie
parent 52cd561427
commit 7474ec79bd
11 changed files with 43 additions and 438 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
meta/recipes-core/ovmf/ovmf/0001-SecurityPkg-Don-t-define-bool-type-if-building-in-C2.patch
View File

@ -1,35 +0,0 @@
From 772fa11ac82579a8f6fa171e6b835f68af3f64be Mon Sep 17 00:00:00 2001
From: Rebecca Cran <rebecca@bsdio.com>
Date: Mon, 26 May 2025 08:01:39 -0600
Subject: [PATCH] SecurityPkg: Don't define bool type if building in C23 mode
In C23 bool is a built-in type, so it's not necessary to typedef
bool in LibspdmStdBoolAlt.h.
Signed-off-by: Rebecca Cran <rebecca@bsdio.com>
Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/772fa11ac82579a8f6fa171e6b835f68af3f64be]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
.../DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/SecurityPkg/DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h b/SecurityPkg/DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h
index 08af7296d0..395ef22d43 100644
--- a/SecurityPkg/DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h
+++ b/SecurityPkg/DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h
@@ -10,7 +10,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#ifndef LIBSPDM_STDBOOL_ALT_H
#define LIBSPDM_STDBOOL_ALT_H
+// In C23, bool is a built-in type
+#if __STDC_VERSION__ < 202311L
typedef BOOLEAN bool;
+#endif
#ifndef true
#define true TRUE
--
2.34.1

7
meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch
View File

@ -1,7 +1,7 @@
From 61583b59620946683551f43c6110e656604a252f Mon Sep 17 00:00:00 2001
From 0f859c6de2914cd984f8a0dd61471b91a2371bfa Mon Sep 17 00:00:00 2001
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Date: Thu, 9 Jun 2016 02:23:01 -0700
Subject: [PATCH 1/4] ovmf: update path to native BaseTools
Subject: [PATCH] ovmf: update path to native BaseTools
BaseTools is a set of utilities to build EDK-based firmware. These utilities
are used during the build process. Thus, they need to be built natively.
@ -28,6 +28,3 @@ index 279f0d099a..285f061bf4 100755
echo $EDK_TOOLS_PATH
source edksetup.sh BaseTools
else
--
2.39.5

11
meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
View File

@ -1,7 +1,7 @@
From aacbf7c91732b9959e569e90844cf9de078b2f14 Mon Sep 17 00:00:00 2001
From 9dbd082516fdd7100f99f0f389b8eef5ececab19 Mon Sep 17 00:00:00 2001
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Date: Fri, 26 Jul 2019 17:34:26 -0400
Subject: [PATCH 2/4] BaseTools: makefile: adjust to build in under bitbake
Subject: [PATCH] BaseTools: makefile: adjust to build in under bitbake
Prepend the build flags with those of bitbake. This is to build
using the bitbake native sysroot include and library directories.
@ -18,10 +18,10 @@ Upstream-Status: Inappropriate [needs to be converted to in-recipe fixups]
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
index d369908a09..22c670f316 100644
index 55a7307a5e..e36e6a8f04 100644
--- a/BaseTools/Source/C/Makefiles/header.makefile
+++ b/BaseTools/Source/C/Makefiles/header.makefile
@@ -85,35 +85,34 @@ endif
@@ -154,35 +154,34 @@ endif
INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE)
INCLUDE += -I $(EDK2_PATH)/MdePkg/Include
@ -64,6 +64,3 @@ index d369908a09..22c670f316 100644
ifeq ($(HOST_ARCH), IA32)
#
# Snow Leopard is a 32-bit and 64-bit environment. uname -m returns i386, but gcc defaults
--
2.39.5

26
meta/recipes-core/ovmf/ovmf/0003-debug-prefix-map.patch
View File

@ -1,7 +1,7 @@
From 96fa2a7f2f54f1e6330275b5eba07e1efdbd865b Mon Sep 17 00:00:00 2001
From eb6db21ed0a845dce149d17acf8673d5188adea4 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Mon, 14 Jun 2021 19:56:28 +0200
Subject: [PATCH 3/4] debug prefix map
Subject: [PATCH] debug prefix map
We want to pass ${DEBUG_PREFIX_MAP} to gcc commands and also pass in
--debug-prefix-map to nasm (we carry a patch to nasm for this). The
@ -21,9 +21,11 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
BaseTools/Conf/tools_def.template | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
index 0caa1c9001..dd86b3249d 100755
--- a/BaseTools/Conf/tools_def.template
+++ b/BaseTools/Conf/tools_def.template
@@ -920,7 +920,7 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --a
@@ -920,7 +920,7 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --add-gnu-debuglink="$(DEBUG_DIR)/$(MODULE_
*_*_*_DTC_PATH = DEF(DTC_BIN)
# All supported GCC archs except LOONGARCH64 support -mstack-protector-guard=global, so set that on everything except LOONGARCH64
@ -32,18 +34,18 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
DEFINE GCC_IA32_X64_CC_FLAGS = -mstack-protector-guard=global
DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -fno-pic -fno-pie -mstack-protector-guard=global
DEFINE GCC_LOONGARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mabi=lp64d -fno-asynchronous-unwind-tables -Wno-address -fno-short-enums -fsigned-char -ffunction-sections -fdata-sections
@@ -941,8 +941,8 @@ DEFINE GCC_ARM_ASLDLINK_FLAGS = DEF
@@ -938,8 +938,8 @@ DEFINE GCC_ARM_AARCH64_ASLDLINK_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0 DEF(GC
DEFINE GCC_ARM_ASLDLINK_FLAGS = DEF(GCC_ARM_DLINK_FLAGS) -Wl,--entry,ReferenceAcpiTable -u $(IMAGE_ENTRY_POINT) DEF(GCC_ARM_AARCH64_ASLDLINK_FLAGS)
DEFINE GCC_AARCH64_ASLDLINK_FLAGS = DEF(GCC_AARCH64_DLINK_FLAGS) -Wl,--entry,ReferenceAcpiTable -u $(IMAGE_ENTRY_POINT) DEF(GCC_ARM_AARCH64_ASLDLINK_FLAGS)
DEFINE GCC_LOONGARCH64_ASLDLINK_FLAGS = DEF(GCC_LOONGARCH64_DLINK_FLAGS) -Wl,--entry,ReferenceAcpiTable -u $(IMAGE_ENTRY_POINT)
DEFINE GCC_IA32_X64_DLINK_FLAGS = DEF(GCC_IA32_X64_DLINK_COMMON) --entry _$(IMAGE_ENTRY_POINT) --file-alignment 0x20 --section-alignment 0x20 -Map $(DEST_DIR_DEBUG)/$(BASE_NAME).map
-DEFINE GCC_ASM_FLAGS = -c -x assembler -imacros AutoGen.h
-DEFINE GCC_PP_FLAGS = -E -x assembler-with-cpp -include AutoGen.h
+DEFINE GCC_ASM_FLAGS = -c -x assembler -imacros AutoGen.h ENV(GCC_PREFIX_MAP)
+DEFINE GCC_PP_FLAGS = -E -x assembler-with-cpp -include AutoGen.h ENV(GCC_PREFIX_MAP)
DEFINE GCC_VFRPP_FLAGS = -x c -E -P -DVFRCOMPILE --include $(MODULE_NAME)StrDefs.h
DEFINE GCC_VFRPP_FLAGS = -x c -E -DVFRCOMPILE --include $(MODULE_NAME)StrDefs.h
DEFINE GCC_ASLPP_FLAGS = -x c -E -include AutoGen.h
DEFINE GCC_ASLCC_FLAGS = -x c
@@ -1095,7 +1095,7 @@ DEFINE GCC5_LOONGARCH64_PP_FLAGS
@@ -1092,7 +1092,7 @@ DEFINE GCC5_LOONGARCH64_PP_FLAGS = -mabi=lp64d -march=loongarch64 DEF(
*_GCC48_IA32_DLINK2_FLAGS = DEF(GCC48_IA32_DLINK2_FLAGS)
*_GCC48_IA32_RC_FLAGS = DEF(GCC_IA32_RC_FLAGS)
*_GCC48_IA32_OBJCOPY_FLAGS =
@ -52,7 +54,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
DEBUG_GCC48_IA32_CC_FLAGS = DEF(GCC48_IA32_CC_FLAGS)
RELEASE_GCC48_IA32_CC_FLAGS = DEF(GCC48_IA32_CC_FLAGS) -Wno-unused-but-set-variable
@@ -1123,7 +1123,7 @@ RELEASE_GCC48_IA32_CC_FLAGS = DEF(
@@ -1120,7 +1120,7 @@ RELEASE_GCC48_IA32_CC_FLAGS = DEF(GCC48_IA32_CC_FLAGS) -Wno-unused-but-set
*_GCC48_X64_DLINK2_FLAGS = DEF(GCC48_X64_DLINK2_FLAGS)
*_GCC48_X64_RC_FLAGS = DEF(GCC_X64_RC_FLAGS)
*_GCC48_X64_OBJCOPY_FLAGS =
@ -61,7 +63,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
DEBUG_GCC48_X64_CC_FLAGS = DEF(GCC48_X64_CC_FLAGS)
RELEASE_GCC48_X64_CC_FLAGS = DEF(GCC48_X64_CC_FLAGS) -Wno-unused-but-set-variable
@@ -1232,7 +1232,7 @@ RELEASE_GCC48_AARCH64_CC_FLAGS = DEF(G
@@ -1229,7 +1229,7 @@ RELEASE_GCC48_AARCH64_CC_FLAGS = DEF(GCC48_AARCH64_CC_FLAGS) -Wno-unused-but-s
*_GCC49_IA32_DLINK2_FLAGS = DEF(GCC49_IA32_DLINK2_FLAGS)
*_GCC49_IA32_RC_FLAGS = DEF(GCC_IA32_RC_FLAGS)
*_GCC49_IA32_OBJCOPY_FLAGS =
@ -70,7 +72,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
DEBUG_GCC49_IA32_CC_FLAGS = DEF(GCC49_IA32_CC_FLAGS)
RELEASE_GCC49_IA32_CC_FLAGS = DEF(GCC49_IA32_CC_FLAGS) -Wno-unused-but-set-variable -Wno-unused-const-variable
@@ -1260,7 +1260,7 @@ RELEASE_GCC49_IA32_CC_FLAGS = DEF(
@@ -1257,7 +1257,7 @@ RELEASE_GCC49_IA32_CC_FLAGS = DEF(GCC49_IA32_CC_FLAGS) -Wno-unused-but-set
*_GCC49_X64_DLINK2_FLAGS = DEF(GCC49_X64_DLINK2_FLAGS)
*_GCC49_X64_RC_FLAGS = DEF(GCC_X64_RC_FLAGS)
*_GCC49_X64_OBJCOPY_FLAGS =
@ -79,7 +81,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
DEBUG_GCC49_X64_CC_FLAGS = DEF(GCC49_X64_CC_FLAGS)
RELEASE_GCC49_X64_CC_FLAGS = DEF(GCC49_X64_CC_FLAGS) -Wno-unused-but-set-variable -Wno-unused-const-variable
@@ -1519,7 +1519,7 @@ RELEASE_GCCNOLTO_AARCH64_DLINK_XIPFLAGS
@@ -1516,7 +1516,7 @@ RELEASE_GCCNOLTO_AARCH64_DLINK_XIPFLAGS = -z common-page-size=0x20
*_GCC5_IA32_DLINK2_FLAGS = DEF(GCC5_IA32_DLINK2_FLAGS) -no-pie
*_GCC5_IA32_RC_FLAGS = DEF(GCC_IA32_RC_FLAGS)
*_GCC5_IA32_OBJCOPY_FLAGS =
@ -88,7 +90,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
DEBUG_GCC5_IA32_CC_FLAGS = DEF(GCC5_IA32_CC_FLAGS) -flto
DEBUG_GCC5_IA32_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto -Os -Wl,-m,elf_i386,--oformat=elf32-i386
@@ -1551,7 +1551,7 @@ RELEASE_GCC5_IA32_DLINK_FLAGS = DEF(G
@@ -1548,7 +1548,7 @@ RELEASE_GCC5_IA32_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto -Os -Wl,
*_GCC5_X64_DLINK2_FLAGS = DEF(GCC5_X64_DLINK2_FLAGS)
*_GCC5_X64_RC_FLAGS = DEF(GCC_X64_RC_FLAGS)
*_GCC5_X64_OBJCOPY_FLAGS =

32
meta/recipes-core/ovmf/ovmf/0004-reproducible.patch
View File

@ -1,7 +1,7 @@
From fc2d3c17ff2a7b39e8d47b788eeaac5e1487cdee Mon Sep 17 00:00:00 2001
From 0d22e07cd9cc35ede04c01d3141068db744d7677 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Mon, 14 Jun 2021 19:57:30 +0200
Subject: [PATCH 4/4] reproducible
Subject: [PATCH] reproducible
This patch fixes various things which make the build more reproducible. Some changes
here only change intermediate artefacts but that means when you have two build trees
@ -34,9 +34,11 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
.../Source/Python/AutoGen/ModuleAutoGen.py | 5 +++-
4 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/BaseTools/Source/C/GenFw/Elf64Convert.c b/BaseTools/Source/C/GenFw/Elf64Convert.c
index 18594122ea..92b5f13cf6 100644
--- a/BaseTools/Source/C/GenFw/Elf64Convert.c
+++ b/BaseTools/Source/C/GenFw/Elf64Convert.c
@@ -15,6 +15,8 @@ SPDX-License-Identifier: BSD-2-Clause-Pa
@@ -15,6 +15,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <windows.h>
#undef RUNTIME_FUNCTION
#include <io.h>
@ -54,7 +56,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
//
// Add more space in the .debug data region for the DllCharacteristicsEx
@@ -2310,7 +2312,7 @@ WriteDebug64 (
@@ -2322,7 +2324,7 @@ WriteDebug64 (
EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY *Nb10;
EFI_IMAGE_DEBUG_EX_DLLCHARACTERISTICS_ENTRY *DllEntry;
@ -63,7 +65,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
NtHdr = (EFI_IMAGE_OPTIONAL_HEADER_UNION *)(mCoffFile + mNtHdrOffset);
DataDir = &NtHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_DEBUG];
@@ -2343,7 +2345,7 @@ WriteDebug64 (
@@ -2355,7 +2357,7 @@ WriteDebug64 (
Nb10 = (EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY*)(Dir + 1);
Nb10->Signature = CODEVIEW_SIGNATURE_NB10;
@ -72,6 +74,8 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
}
STATIC
diff --git a/BaseTools/Source/Python/AutoGen/BuildEngine.py b/BaseTools/Source/Python/AutoGen/BuildEngine.py
index b829a2503c..afe826b78f 100644
--- a/BaseTools/Source/Python/AutoGen/BuildEngine.py
+++ b/BaseTools/Source/Python/AutoGen/BuildEngine.py
@@ -70,6 +70,9 @@ class TargetDescBlock(object):
@ -84,9 +88,11 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
def AddInput(self, Input):
if Input not in self.Inputs:
self.Inputs.append(Input)
diff --git a/BaseTools/Source/Python/AutoGen/GenMake.py b/BaseTools/Source/Python/AutoGen/GenMake.py
index e5f282c4ac..27a34ef7c6 100755
--- a/BaseTools/Source/Python/AutoGen/GenMake.py
+++ b/BaseTools/Source/Python/AutoGen/GenMake.py
@@ -576,7 +576,7 @@ cleanlib:
@@ -571,7 +571,7 @@ cleanlib:
os.remove(RespFileList)
# convert source files and binary files to build targets
@ -95,7 +101,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
if len(self.ResultFileList) == 0 and len(MyAgo.SourceFileList) != 0:
EdkLogger.error("build", AUTOGEN_ERROR, "Nothing to build",
ExtraData="[%s]" % str(MyAgo))
@@ -727,7 +727,7 @@ cleanlib:
@@ -722,7 +722,7 @@ cleanlib:
OutputFile = ''
DepsFileList = []
@ -104,7 +110,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
if Cmd[2]:
for CopyCmd in Cmd[2]:
Src, Dst = CopyCmd
@@ -760,7 +760,7 @@ cleanlib:
@@ -755,7 +755,7 @@ cleanlib:
self.BuildTargetList.append('\t%s' % CmdString)
self.ParseSecCmd(DepsFileList, Cmd[1])
@ -113,7 +119,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
self.BuildTargetList.append('%s : %s' % (self.ReplaceMacro(SecOutputFile), self.ReplaceMacro(SecDepsFile)))
self.BuildTargetList.append('\t%s' % self.ReplaceMacro(SecCmd))
self.FfsOutputFileList = []
@@ -799,13 +799,13 @@ cleanlib:
@@ -794,13 +794,13 @@ cleanlib:
def CommandExceedLimit(self):
FlagDict = {
@ -134,7 +140,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
}
RespDict = {}
@@ -1019,9 +1019,9 @@ cleanlib:
@@ -1014,9 +1014,9 @@ cleanlib:
if not self.ObjTargetDict.get(T.Target.SubDir):
self.ObjTargetDict[T.Target.SubDir] = set()
self.ObjTargetDict[T.Target.SubDir].add(NewFile)
@ -146,9 +152,11 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
# Generate related macros if needed
if T.GenFileListMacro and T.FileListMacro not in self.FileListMacros:
self.FileListMacros[T.FileListMacro] = []
diff --git a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
index aa0b71632e..57c9cad117 100755
--- a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
+++ b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
@@ -1474,6 +1474,9 @@ class ModuleAutoGen(AutoGen):
@@ -1429,6 +1429,9 @@ class ModuleAutoGen(AutoGen):
for File in Files:
if File.lower().endswith('.pdb'):
AsBuiltInfDict['binary_item'].append('DISPOSABLE|' + File)
@ -158,7 +166,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
HeaderComments = self.Module.HeaderComments
StartPos = 0
for Index in range(len(HeaderComments)):
@@ -1749,7 +1752,7 @@ class ModuleAutoGen(AutoGen):
@@ -1704,7 +1707,7 @@ class ModuleAutoGen(AutoGen):
if os.path.exists (self.TimeStampPath):
os.remove (self.TimeStampPath)

43
meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch
View File

@ -1,43 +0,0 @@
From 2c8fb3e5164effc8a370e800fe91db7341e69116 Mon Sep 17 00:00:00 2001
From: Doug Flick <dougflick@microsoft.com>
Date: Mon, 7 Apr 2025 11:23:41 -0700
Subject: [PATCH 1/4] SecurityPkg: Update SecurityFixes.yaml for CVE-2024-38797
This commit updates the SecurityFixes.yaml file to include
information about the CVE-2024-38797 vulnerability.
Signed-off-by: Doug Flick <DougFlick@microsoft.com>
CVE: CVE-2024-38797
Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/519366f542e9370bee982b1c3687ffedb5cabc21]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
SecurityPkg/SecurityFixes.yaml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
index b4006b4..06b597a 100644
--- a/SecurityPkg/SecurityFixes.yaml
+++ b/SecurityPkg/SecurityFixes.yaml
@@ -40,3 +40,18 @@ CVE_2022_36764:
- Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c
links:
- https://bugzilla.tianocore.org/show_bug.cgi?id=4118
+CVE_2024_38797:
+ commit-titles:
+ - "SecurityPkg: Out of bound read in HashPeImageByType()"
+ - "SecurityPkg: Improving HashPeImageByType () logic"
+ - "SecurityPkg: Improving SecureBootConfigImpl:HashPeImageByType () logic"
+ cve: CVE-2024-38797
+ date_reported: 2024-06-04 12:00 UTC
+ description: Out of bound read in HashPeImageByType()
+ note:
+ files_impacted:
+ - SecurityPkg\Library\DxeImageVerificationLib\DxeImageVerificationLib.c
+ - SecurityPkg\VariableAuthenticated\SecureBootConfigDxe\SecureBootConfigImpl.c
+ links:
+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2214
+ - https://github.com/tianocore/edk2/security/advisories/GHSA-4wjw-6xmf-44xf
--
2.34.1

63
meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch
View File

@ -1,63 +0,0 @@
From 1a7be26382c4a34504875f094e15fe371d44192e Mon Sep 17 00:00:00 2001
From: Doug Flick <dougflick@microsoft.com>
Date: Thu, 3 Oct 2024 09:37:18 -0700
Subject: [PATCH 2/4] SecurityPkg: Out of bound read in HashPeImageByType()
In HashPeImageByType(), the hash of PE/COFF image is calculated.
This function may get untrusted input.
Inside this function, the following code verifies the loaded image has
the correct format, by reading the second byte of the buffer.
```c
if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
...
}
```
The input image is not trusted and that may not have the second byte to
read. So this poses an out of bound read error.
With below fix we are assuring that we don't do out of bound read. i.e,
we make sure that AuthDataSize is greater than 1.
```c
if (AuthDataSize > 1
&& (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE){
...
}
```
AuthDataSize size is verified before reading the second byte.
So if AuthDataSize is less than 2, the second byte will not be read, and
the out of bound read situation won't occur.
Tested the patch on real platform with and without TPM connected and
verified image is booting fine.
Authored-by: Raj AlwinX Selvaraj <Alw...@intel.com>
Signed-off-by: Doug Flick <DougFlick@microsoft.com>
CVE: CVE-2024-38797
Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/2dcdb41b564aa3cb846644b4b1722a0b3ae5e06b]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index b05da19..2afa2c9 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -642,7 +642,7 @@ HashPeImageByType (
// This field has the fixed offset (+32) in final Authenticode ASN.1 data.
// Fixed offset (+32) is calculated based on two bytes of length encoding.
//
- if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
+ if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
//
// Only support two bytes of Long Form of Length Encoding.
//
--
2.34.1

99
meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch
View File

@ -1,99 +0,0 @@
From 4db363db013a92937431234252fc9d84e44fc120 Mon Sep 17 00:00:00 2001
From: Doug Flick <dougflick@microsoft.com>
Date: Thu, 3 Oct 2024 10:16:57 -0700
Subject: [PATCH 3/4] SecurityPkg: Improving HashPeImageByType () logic
Namely:
(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
to TRUE for Index==0, then it will evaluate to TRUE for all other
Index values as well. As a result, the (Index == HASHALG_MAX)
condition will fire after the loop, and we'll return
EFI_UNSUPPORTED.
While this is correct, functionally speaking, it is wasteful to
keep re-checking TWO_BYTE_ENCODE in the loop body. The check
should be made at the top of the function, and EFI_UNSUPPORTED
should be returned at once, if appropriate.
(2) If the hash algorithm selected by Index has such a large OID that
the OID comparison cannot even be performed (because AuthDataSize
is not large enough for containing the OID in question, starting
at offset 32), then the function returns EFI_UNSUPPORTED at once.
This is bogus; this case should simply be treated as an OID
mismatch, and the loop should advance to the next Index value /
hash algorithm candidate. A remaining hash algo may have a shorter
OID and yield an OID match.
Signed-off-by: Doug Flick <DougFlick@microsoft.com>
CVE: CVE-2024-38797
Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/5df518ec510324f48ed1cf0376150960644b41f0]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
.../DxeImageVerificationLib.c | 37 ++++++++++---------
1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 2afa2c9..2eca39d 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -618,6 +618,7 @@ Done:
@param[in] AuthDataSize Size of the Authenticode Signature in bytes.
@retval EFI_UNSUPPORTED Hash algorithm is not supported.
+ @retval EFI_BAD_BUFFER_SIZE AuthData provided is invalid size.
@retval EFI_SUCCESS Hash successfully.
**/
@@ -629,28 +630,28 @@ HashPeImageByType (
{
UINT8 Index;
- for (Index = 0; Index < HASHALG_MAX; Index++) {
+ //
+ // Check the Hash algorithm in PE/COFF Authenticode.
+ // According to PKCS#7 Definition:
+ // SignedData ::= SEQUENCE {
+ // version Version,
+ // digestAlgorithms DigestAlgorithmIdentifiers,
+ // contentInfo ContentInfo,
+ // .... }
+ // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
+ // This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+ // Fixed offset (+32) is calculated based on two bytes of length encoding.
+ //
+ if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
//
- // Check the Hash algorithm in PE/COFF Authenticode.
- // According to PKCS#7 Definition:
- // SignedData ::= SEQUENCE {
- // version Version,
- // digestAlgorithms DigestAlgorithmIdentifiers,
- // contentInfo ContentInfo,
- // .... }
- // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
- // This field has the fixed offset (+32) in final Authenticode ASN.1 data.
- // Fixed offset (+32) is calculated based on two bytes of length encoding.
+ // Only support two bytes of Long Form of Length Encoding.
//
- if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
- //
- // Only support two bytes of Long Form of Length Encoding.
- //
- continue;
- }
+ return EFI_BAD_BUFFER_SIZE;
+ }
+ for (Index = 0; Index < HASHALG_MAX; Index++) {
if (AuthDataSize < 32 + mHash[Index].OidLength) {
- return EFI_UNSUPPORTED;
+ continue;
}
if (CompareMem (AuthData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {
--
2.34.1

97
meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch
View File

@ -1,97 +0,0 @@
From cb3342702c5c1f8a4ddbb6d503a98ed720d14eb3 Mon Sep 17 00:00:00 2001
From: Doug Flick <dougflick@microsoft.com>
Date: Fri, 17 Jan 2025 11:30:17 -0800
Subject: [PATCH 4/4] SecurityPkg: Improving
SecureBootConfigImpl:HashPeImageByType () logic
Namely:
(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
to TRUE for Index==0, then it will evaluate to TRUE for all other
Index values as well. As a result, the (Index == HASHALG_MAX)
condition will fire after the loop, and we'll return
EFI_UNSUPPORTED.
While this is correct, functionally speaking, it is wasteful to
keep re-checking TWO_BYTE_ENCODE in the loop body. The check
should be made at the top of the function, and EFI_UNSUPPORTED
should be returned at once, if appropriate.
(2) If the hash algorithm selected by Index has such a large OID that
the OID comparison cannot even be performed (because AuthDataSize
is not large enough for containing the OID in question, starting
at offset 32), then the function returns EFI_UNSUPPORTED at once.
This is bogus; this case should simply be treated as an OID
mismatch, and the loop should advance to the next Index value /
hash algorithm candidate. A remaining hash algo may have a shorter
OID and yield an OID match.
Signed-off-by: Doug Flick <DougFlick@microsoft.com>
CVE: CVE-2024-38797
Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/8676572908b950dd4d1f8985006011be99c0a5b6]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
.../SecureBootConfigImpl.c | 37 +++++++++++--------
1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 6d4560c..155e755 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -2096,30 +2096,35 @@ HashPeImageByType (
{
UINT8 Index;
WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;
+ UINT32 PkcsCertSize;
PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *)(mImageBase + mSecDataDir->Offset);
+ PkcsCertSize = mSecDataDir->SizeOfCert;
- for (Index = 0; Index < HASHALG_MAX; Index++) {
+ //
+ // Check the Hash algorithm in PE/COFF Authenticode.
+ // According to PKCS#7 Definition:
+ // SignedData ::= SEQUENCE {
+ // version Version,
+ // digestAlgorithms DigestAlgorithmIdentifiers,
+ // contentInfo ContentInfo,
+ // .... }
+ // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
+ // This field has the fixed offset (+32) in final Authenticode ASN.1 data.
+ // Fixed offset (+32) is calculated based on two bytes of length encoding.
+ //
+ if ((PkcsCertSize > 1) && ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {
//
- // Check the Hash algorithm in PE/COFF Authenticode.
- // According to PKCS#7 Definition:
- // SignedData ::= SEQUENCE {
- // version Version,
- // digestAlgorithms DigestAlgorithmIdentifiers,
- // contentInfo ContentInfo,
- // .... }
- // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
- // This field has the fixed offset (+32) in final Authenticode ASN.1 data.
- // Fixed offset (+32) is calculated based on two bytes of length encoding.
+ // Only support two bytes of Long Form of Length Encoding.
//
- if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
- //
- // Only support two bytes of Long Form of Length Encoding.
- //
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ for (Index = 0; Index < HASHALG_MAX; Index++) {
+ if (PkcsCertSize < 32 + mHash[Index].OidLength) {
continue;
}
- //
if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {
break;
}
--
2.34.1

56
meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch
View File

@ -1,56 +0,0 @@
From 4b028816b5619ede6c3720664478055e09151516 Mon Sep 17 00:00:00 2001
From: Madhavan <madavtechy@gmail.com>
Date: Fri, 14 Mar 2025 14:15:13 -0400
Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI
bz4206
Used SafeUint32Add to calculate and validate OutTransferLength with
boundary check in IScsiOnR2TRcvd to avoid integer overflow
Signed-off-by: Madhavan <madavtechy@gmail.com>
CVE: CVE-2025-2295
Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
NetworkPkg/IScsiDxe/IScsiProto.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
index ef587649a0..fb48e6304d 100644
--- a/NetworkPkg/IScsiDxe/IScsiProto.c
+++ b/NetworkPkg/IScsiDxe/IScsiProto.c
@@ -1,7 +1,7 @@
/** @file
The implementation of iSCSI protocol based on RFC3720.
-Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2004 - 2025, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -2682,6 +2682,7 @@ IScsiOnR2TRcvd (
EFI_STATUS Status;
ISCSI_XFER_CONTEXT *XferContext;
UINT8 *Data;
+ UINT32 TransferLength;
R2THdr = (ISCSI_READY_TO_TRANSFER *)NetbufGetByte (Pdu, 0, NULL);
if (R2THdr == NULL) {
@@ -2712,7 +2713,12 @@ IScsiOnR2TRcvd (
XferContext->Offset = R2THdr->BufferOffset;
XferContext->DesiredLength = R2THdr->DesiredDataTransferLength;
- if (((XferContext->Offset + XferContext->DesiredLength) > Packet->OutTransferLength) ||
+ Status = SafeUint32Add (XferContext->Offset, XferContext->DesiredLength, &TransferLength);
+ if (EFI_ERROR (Status)) {
+ return EFI_PROTOCOL_ERROR;
+ }
+
+ if ((TransferLength > Packet->OutTransferLength) ||
(XferContext->DesiredLength > Tcb->Conn->Session->MaxBurstLength)
)
{
--
2.48.1

12
meta/recipes-core/ovmf/ovmf_git.bb
View File

@ -20,21 +20,15 @@ PACKAGECONFIG[tpm] = "-D TPM_ENABLE=TRUE,-D TPM_ENABLE=FALSE,,"
#see https://src.fedoraproject.org/rpms/edk2/blob/rawhide/f/0032-Basetools-turn-off-gcc12-warning.patch
BUILD_CFLAGS += "-Wno-error=stringop-overflow"
SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https;tag=${PV} \
file://0001-ovmf-update-path-to-native-BaseTools.patch \
file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
file://0003-debug-prefix-map.patch \
file://0004-reproducible.patch \
file://CVE-2025-2295.patch \
file://CVE-2024-38797-1.patch \
file://CVE-2024-38797-2.patch \
file://CVE-2024-38797-3.patch \
file://CVE-2024-38797-4.patch \
file://0001-SecurityPkg-Don-t-define-bool-type-if-building-in-C2.patch \
"
PV = "edk2-stable202502"
SRCREV = "fbe0805b2091393406952e84724188f8c1941837"
PV = "edk2-stable202508"
SRCREV = "d46aa46c8361194521391aa581593e556c707c6e"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)"
CVE_PRODUCT = "edk2"