Sync from SUSE:SLFO:Main ovmf revision a1d993827a05d44c5b6bd1086943dbba

2024-08-28 11:03:46 +02:00 · 2024-08-28 11:03:46 +02:00 · fd120cb2a3
commit fd120cb2a3
parent e3fd4e1de9
21 changed files with 1546 additions and 539 deletions
--- a/descriptors.tar.xz
+++ b/descriptors.tar.xz
--- a/descriptors.tar.xz.README
+++ b/descriptors.tar.xz.README
@ -0,0 +1,10 @@
+descriptors for libvirt
+======================
+
+All descriptors be maintained in SUSE repo on github:
+
+https://github.com/SUSE/ovmf-descriptors
+
+All elements of descriptor in .json have defined here:
+
+https://gitlab.com/qemu/qemu/-/blob/master/docs/interop/firmware.json
--- a/edk2-edk2-stable202305.tar.gz
+++ b/edk2-edk2-stable202305.tar.gz
--- a/edk2-edk2-stable202402.tar.gz
+++ b/edk2-edk2-stable202402.tar.gz
--- a/gen-key-enrollment-iso.sh
+++ b/gen-key-enrollment-iso.sh
@ -1,113 +0,0 @@
-#!/bin/bash -e
-# The script to generate the key enrollment iso file
-#  based on build_iso() in https://git.kraxel.org/cgit/jenkins/edk2/tree/edk2.git.spec
-
-# Example: $0 X64 Shell.efi EnrollDefaultKeys.efi default key.iso
-
-usage()
-{
-        PROG_NAME=$1
-        echo "Usage: $PROG_NAME <Arch> <Shell> <Enroller> <Type> <ISO NAME>"
-        echo "ex: $PROG_NAME X64 Shell.efi EnrollDefaultKeys.efi default key.iso"
-}
-
-ARCH=$(echo $1 | tr '[:lower:'] '[:upper:]')
-UEFI_SHELL_BINARY="$2"
-ENROLLER_BINARY="$3"
-TYPE="$4"
-ISO_NAME="$5"
-
-# Check the arguments
-if [ x$ARCH != xX64 ] && [ x$ARCH != xAARCH64 ]; then
-        echo "Supported architecture: X64, AARCH64"
-        usage $0
-        exit 1
-fi
-
-if [ x$UEFI_SHELL_BINARY == x ] || [ ! -e "$UEFI_SHELL_BINARY" ]; then
-        echo "Please specify the UEFI shell binary"
-        usage $0
-        exit 1
-fi
-
-if [ x$ENROLLER_BINARY == x ] || [ ! -e "$ENROLLER_BINARY" ]; then
-        echo "Please specify the enroller binary"
-        usage $0
-        exit 1
-fi
-
-if [ x$TYPE == x ]; then
-        echo "Please specify the type of image: default or no-default"
-        usage $0
-        exit 1
-fi
-
-if [ x$ISO_NAME == x ]; then
-        echo "Please specify the name of output iso"
-        usage $0
-        exit 1
-fi
-
-ISO_PATH=$(realpath $ISO_NAME)
-
-TMP_DIR=$(mktemp -d)
-
-cp $UEFI_SHELL_BINARY $TMP_DIR/Shell.efi
-cp $ENROLLER_BINARY   $TMP_DIR/EnrollDefaultKeys.efi
-
-UEFI_BOOT_EFI=$(
-	if [ $ARCH == "X64" ]; then
-		echo bootx64.efi
-	elif [ $ARCH == "AARCH64" ]; then
-		echo bootaa64.efi
-        else
-                exit 1
-	fi
-)
-
-UEFI_SHELL_SIZE=$(stat --format=%s -- "$UEFI_SHELL_BINARY")
-ENROLLER_SIZE=$(stat --format=%s -- "$ENROLLER_BINARY")
-START_SCRIPT=$TMP_DIR/"startup.nsh"
-
-# Enter the first ESP
-echo "fs0:" > $START_SCRIPT
-# Enroll the keys
-if [ $TYPE == "default" ]; then
-	echo "EnrollDefaultKeys.efi" >> $START_SCRIPT
-else
-	echo "EnrollDefaultKeys.efi --no-default" >> $START_SCRIPT
-fi
-# Reset BootOrder
-echo "setvar BootOrder -guid 8be4df61-93ca-11d2-aa0d-00e098032b8c -bs -rt -nv =" >> $START_SCRIPT
-# Shutdown the system
-echo "reset -s" >> $START_SCRIPT
-
-UEFI_SHELL_IMAGE=uefi_shell_${ARCH}_${TYPE}.img
-# Add 1MB then 10% for metadata
-UEFI_SHELL_IMAGE_KB=$((
-	(UEFI_SHELL_SIZE + ENROLLER_SIZE +
-	 1 * 1024 * 1024) * 11 / 10 / 1024
-))
-
-pushd $TMP_DIR
-
-# Create non-partitioned FAT image
-rm -f -- "$UEFI_SHELL_IMAGE"
-/usr/sbin/mkdosfs -C "$UEFI_SHELL_IMAGE" -n UEFI_SHELL -- "$UEFI_SHELL_IMAGE_KB"
-
-export MTOOLS_SKIP_CHECK=1
-mmd	-i "$UEFI_SHELL_IMAGE"				::efi
-mmd	-i "$UEFI_SHELL_IMAGE"				::efi/boot
-mcopy	-i "$UEFI_SHELL_IMAGE"	Shell.efi       	::efi/boot/$UEFI_BOOT_EFI
-mcopy	-i "$UEFI_SHELL_IMAGE"	"$START_SCRIPT"		::efi/boot/startup.nsh
-mcopy	-i "$UEFI_SHELL_IMAGE"	EnrollDefaultKeys.efi	::EnrollDefaultKeys.efi
-mdir	-i "$UEFI_SHELL_IMAGE"	-/			::
-
-# build ISO with FAT image file as El Torito EFI boot image
-mkisofs -input-charset ASCII -J -rational-rock \
-	-eltorito-platform efi -eltorito-boot "$UEFI_SHELL_IMAGE" \
-	-no-emul-boot -o "$ISO_PATH" -- "$UEFI_SHELL_IMAGE"
-
-popd
-
-#rm -rf $TMP_DIR
--- a/mbedtls-3.3.0.tar.gz
+++ b/mbedtls-3.3.0.tar.gz
--- a/openSUSE-UEFI-SIGN-Certificate-2048.crt
+++ b/openSUSE-UEFI-SIGN-Certificate-2048.crt
@ -1,27 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIEjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
-blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
-bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
-EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzA4MjYxNjE4MzdaFw0yMzA3MDUxNjE4
-MzdaMIGGMSUwIwYDVQQDDBxvcGVuU1VTRSBTZWN1cmUgQm9vdCBTaWdua2V5MQsw
-CQYDVQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMRkwFwYDVQQKDBBvcGVuU1VT
-RSBQcm9qZWN0MSEwHwYJKoZIhvcNAQkBFhJidWlsZEBvcGVuc3VzZS5vcmcwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNeCcz9j3S+vjlCzyEXczhpwo
-HRneRWkhXqCUSgu1QS5nAWuRdjqFZipji4cr6JSKEm4lE7AHPygrdiU+KbJVQuc7
-RCQdt5kyy0TStIjLqU+nswa+XKruKwQJquxYY1rIYsfZaEP7vQ6S/0zsAkS8lcmf
-0b4h+PSybVoK1U2YZczBjO/f8p/aRQV2+RrAi9UcBfLAuEqwEt9DytULGEazA77N
-p9cBgPHFyu7ZOh9KM31QAavXOkhuYllzYh447zIx7lgYfVkFivt91A1enUeb2K+2
-EZ885xOE5ADsCpeJIpDzFObfwXUHrSQ42OCP9rnA20XjboFcHinQeK5sp0sfAgMB
-AAGjggEHMIIBAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDMvqcvw2IvyGSSw3o
-KgmlTV3vyDCBrgYDVR0jBIGmMIGjgBRoQmAN4ixMR36VviPf6pUT5ZcXYqGBh6SB
-hDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYT
-AkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2pl
-Y3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9yZ4IBATAOBgNVHQ8B
-Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEB
-AI3sxNvPFB/+Cjj9GVCvNbaOGFV+5X6Dd7ZMJat0xI93GS+FvUOO1i53iCpnfSld
-gE+2chifX2W3u6RyiJTTfwke4EVU4GWjFy78WwwszCih0byVa/YSQguvPuMjvQY6
-mw+exom0ri68328yWb1oCDaPOhI9Fr51hj50yUWWBbmpu2YPi5blN6CBE+9B2cbp
-HVDPxoUWjYJ9leK951nfSu0E1+cLNYDpZ39h4dBHNvU1a3AueVKIXyEYaiwy0VDS
-8CQJluUCE4eLlt/cbJqMs0/iY7nRnbVOOyZUYTYxq7ACvDrMyStkfdR4KLDzvLWo
-8Gu+1aY2qw6wZ+TKiiRRYjQ=
-----END CERTIFICATE-----
--- a/openssl-1.1.1t.tar.gz
+++ b/openssl-1.1.1t.tar.gz
--- a/openssl-1.1.1t.tar.gz.asc
+++ b/openssl-1.1.1t.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAmPiVA4ACgkQ1enkP335
-7owO9Q/+I6mvbNQeSgpOaOu//sVRGVkOD9pfZJsxZJtQuiYPQtXLlwkZyoh3Ft8b
-Gty7sC6zXwWA2sbo4LGeum3jnjb7nb/x3+5O8KARPLFRpy2/4okL3uZnAw8Pr5ps
-8VjCEIm9l9UmuWNZPWRQZPtup6Uz5u97/kVLQE17qFQW1bwiUixR+Yc+ICyW/hUQ
-F13tbV2GVkoVdJKwD9UpwAs6ft0+faXtkEASNyLykcrTbGbBPVVpieXiH/Vuv6BX
-1Ax/oBR5Xem9bGSZkCa5KZMDOqR08GUEA1zqa9Hh8VN4hH11w0cjyKPK9U6dQmAH
-P6clMEtbNMYPr3pHO4Ufgwf0OzdnLfxIf8qCiqQcNLmBnCG0NHM0/8zJmiGg1O6r
-Fy0P9/nSQ5CIT3t27Xcn8RciwTR7YClEyBtNGS1JdDzGJmomTqmxBns/QyZyKtlG
-V+7IsNfUBVdCF4AUP7BRC+SkHf/2/fDyCPETg27AQz/iOUC9KU0DgKLQtmnnRKk0
-Uz49l/WSVJARzPS5y55o8NUEv/QhnSct2eGjYeO3RiikuHDVQoH9R663G6E1koMq
-fahxEs0FX39hALOt/CVisZ/H8trIy3r3Buc7EmqLHj/Q40I5IJA9ZCzi1e8UviQV
-pQpkVru5VJVwNsm8KB/aBOm6J00mi2kbXMPrW1zwfmJAwt+iSJ4=
-=nNu+
-----END PGP SIGNATURE-----
--- a/openssl-3.0.9.tar.gz
+++ b/openssl-3.0.9.tar.gz
--- a/openssl-3.0.9.tar.gz.asc
+++ b/openssl-3.0.9.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmR17NgACgkQUnRmohyn
+nm2DuQ/+PxsaZnPjeBsFYNu8soZzJptfzHsM/9pqsdb3JY0IJhvFx4Y+GkoYZ/5/
+Q+tkomRl6pBkqUrMfJbcEbP8dIjQuOGzFxpfnzzVgS0JOZUlYamTyNGTbNIY5uw
+ZjCFNOAD9fMl7WrZRps39Ksf1C4cmiyoujK0sa7hTXmz4pG/xDZew1JelYJ48vXb
+KK7jUqh2KVnByY/gwdxiEge8GV0xZgV/MykJVPUy1AFH0YGVx+/dFwY/qIo5kSVJ
+kCrSNYD19pWi9xVNVnrGY2rtPnjd0+8r+ZGMfXRJtmA6/rqfJA0YgsUBbb6WunFM
+LdDiAykAWcsoY/fUdsYXXi1lotRm8PHpoXTF3HcbSadlQo3aAJyrv4SCWh0pJNQs
+5R4Buy9oOK4M+nsw7Syn16JSkm/Go0lgYxNYwIY6qJaPPXCRX6B+Ra8hZ7ZHFOGt
+Q+4eg0HExtUOiX1rF0a1oUyLR54xQQS0GgsdWaQn8WyWndETf0zX/+gGOgk5eqKT
+xduOrHHsGDHxzgwL+kKN56/1nyysZ4Dz0exDugLdj6FPm/CRz1oGZ9lLLr2Wum8K
+D6NWA5EoE+NfN9esPBZWyHsGzqSLrUT1Z79/IzS3FX3OctQwmWS10vGtH+XKVVjp
+0x6drrPInjBOuX5d271rvB9k6sW9VE7gRkuVeBL8oX8pARDK8yo=
+=rUmE
+-----END PGP SIGNATURE-----
--- a/openssl.keyring
+++ b/openssl.keyring
@ -1,94 +1,113 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Comment: 7953 AC1F BC3D C8B3 B292  393E D5E9 E43F 7DF9 EE8C
-Comment: Richard Levitte <levitte@lp.se>
-Comment: Richard Levitte <levitte@openssl.org>
-Comment: Richard Levitte <richard@levitte.org>

-xsFNBFQwazYBEAC01v949yFYzwbn0UkEkM3MHTrDqWbp+erhXqdVD5ymG/pXvmqx
-5KlxL1TZMuWEFuaq9EVkW8Wm5glk4D14IalIVKARAMDwqgNrPnw0GCAmNIf+Omvl
-G7gdsSR93eALJp1vvKZpeEVZj0M0gQ1i4QIIR8PMqs+2jaYyed4HhRYzUbGKZMnr
-94Onby8FIAYq0B79VqBv5NfMc2KEKrLXwuDSjtZd2TGB7qeLF7sCczyFoi5XTj+B
-iVfdxCzoYEa1Rjp5hGllVj85w2DdfKED/BW7VCel4H+WTZGqTFQ1e3kPo1KdqlwD
-F+Ci2JFU6myPy0LpHrNhn6FsdQGOuRKgYPycol7VzJHKtcGNMDkUFGV2DsgljQuW
-Sj5TNNX5umFCIIN94eLvHtV9bXP98yKB/5pr2JhagL6kdU7OE0c/mugA05gGQTUJ
-DeLNsRq54YC+CLyM9dxMvH7yB43yMfUvgKcSRt0sHUo8g5aOYdFq0SXQUr8+t/iH
-3t5/JxhqBik8FBiu0aISsTDUbvbxQQQe/LhfR+FWDZRFwHOL0VELapfw1whitGG+
-y+F9fQIJfa5yzEiC9AWYZjHRaFB7q6LAvF0V8vP+pkT157fTK63W53mt1+VPMt2L
-732i+/Cqy/6HzwOdnNnNyfEdvm2Jojs8KXN20vChnfUGifvTjxuiFib9sQARAQAB
-zR9SaWNoYXJkIExldml0dGUgPGxldml0dGVAbHAuc2U+wsGPBBMBAgAiBQJUMGwd
-AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnujBYhBHlTrB+8
-PcizspI5PtXp5D99+e6Mq7QP/iNhBEDJYRTrYc6JAmRIg6YyiKjeOx8kXtVCe9+q
-CzC+Y9ehyZB5Dyl0Ybej9jNJdEDJzDHKzVwU4NrfefcTWqUOQDNbpClGtXcQHlUt
-hjREPWpyAEH1OhD5NDTSMI5YYKZDEfiN6oEpWlc7WK0mXZuY5mHOo0B3yNDfV845
-+7CGPK9zuE56/f9SLmCaFsCkNMGbvV4ybLRoBfZdnC5NPOKyJXQ0TG0CbxGMgIN5
-cOrBphU+ZrPYY+p4jEoD5rvFugQl4+oRsvxygpJV5t8pe1ihNMhmzu3CpRtMjmRA
-dzK+27Z8p7m8BORuoC+NbXVpcmjIueXDkYdxP+09qUyw8xE398tAuEXpbCVoQ68b
-6NDCBpowgvUu34zxDn0wKdt2YGHB6z7Kl7b8RycWG3Y8u/Hs+l6QehEmiy6UKXl7
-zW3PIi3192WzElUi7TtG/btqC6YPs0U3SQMkNWzwkjbKM9bC4gPFMK05a8QENc66
-M+USWjNg0TiAkGP9PDlpYyhtjicCTgL51lDm8LBXr9cbzvXav7Jc6NVh7Zby89r1
-DsPFzfDkccOX6nSnqYMISmvRUGrGfgrkeeM0MNu93aPTrs+0fxq+HJIZEhX/YCyQ
-N4jqM+hQGh9bOwM7BacaP9F9vnq2hDK2WIXlWChX9Q70xArViJqzI8/76Ph1inPb
-jbJczSVSaWNoYXJkIExldml0dGUgPGxldml0dGVAb3BlbnNzbC5vcmc+wsGPBBMB
-AgAiBQJUMGwKAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnu
-jBYhBHlTrB+8PcizspI5PtXp5D99+e6M1bAP/0byoJMiMsswapbBypQCT/vQmaoX
-jZzNcU4qAKlB5EMlHkxl1T8ytEXxmNMd/e0ltV9HALeBqX1eYHS7oTG3rMXKuYVY
-TO19eM2wLiCW664EUtOsB9zAnpp6X+8UWMoNEpWlEHgkdlADQ0xIrrH3pt29SAbd
-x0QsvwkWPawEoKMoUiGPnVY4hAt7Xx9gDmWEa2T6tExd9soBBTIuIpTH3MbAEHsv
-nBbdyarNltGF/pXYGMmGaYmU0WujqKzqpBpy3zwd0Rx1Kms5e0ZcypVzqx3Xgcue
-W8fbMPTZbG+Z922GUFDJ139WjAA2FsMJ9ES7XIIoJh/4nfBwk+PXcj29TieDnl2r
-d4x7Yxnqp4Vzau+IARz9Vr1OIFVlQbaSdXfmDFi/fvVf9CJZnWwcSwkqp4pk50Zy
-nEA+8TzEQj08jdj0+yrJNvbRxqbIafzSmoU77bANs4gc0WOdTTpvv4honUQROARp
-G/JT47hE7ATVGNdF7bmWNEyEYFtZMdGP0xD+K0xEgsir65aruVixVrNKxOX9wqx6
-JGzHTSTgtAVYAvMIsWJTLuCXZbMRmmmmubfyVaMAisz5UIYD+TCPncuJ1dMUW9WI
-uLNFGLTRGHri01EWe2epaHZWA0WB0cQZaeGpc7C986WskDi9SA9ZzCIGW4oQIBQX
-lRJjjYxIBCnjxtUWzSVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRAbGV2aXR0ZS5v
-cmc+wsGSBBMBAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVDBtJgIZ
-AQAhCRDV6eQ/ffnujBYhBHlTrB+8PcizspI5PtXp5D99+e6MmN0P/AmpB8DasBnj
-h9fAlBM8kEZ23MHVdEguPWX8KBML4L6eVlWRn7hdfpvOS90Ll5LTdtWPAQs8lDYh
-4V86hIYgLK9tisZyby+5NT4dEl6CXgHbRjdDbp0xKfGc5F9jWzPZpG8ZdDz6Zbvd
-ooy/4ThXNS16HcsJRckan6oFjCNAWSNpXDYcLtA7+9ncimrC/C+kGYlyPWJGYZu1
-C3I+oL3+qWwiqAG9hp/zedsIsNP7o24wb0SgD0dTzphmOAPwTRfGS2DHhpbAH9P6
-MZPiFBRGsARRRFfTRGkzI9W1M4bv9l/L8s6STpjD8+40f+aUE8cyUcNj1ycyRGFA
-nwf5MeO3MqzvjocoUyoZNc4t7/6rh6sceFjgMt/DFFZbi3kvz9cJBcaN6TWWktd4
-+1WmLxwcF0n3xaB04KCvXTaBZ5f/Hz5D4O8HyYsS6GlW6yIUiuAOvav8WizaTMbY
-k81XfXBuBKv7Vxk0fRYf9+HJ7fyWyIlIN9FqrSiiopA3JR+8gP8ueFcycmLnl2D9
-fyZn/sv+UCLrMR6fyD/5EtzgzW0AJ8BDJw5n7ctmZ6UhuasDZZMPC2uB9LVhpQ8W
-3mDDxJoaYe5bE2p0ca+mwEHZQpbpjmtT/2x5rGFZYxBUOhuGn/94zEYSqLLDirlF
-IEUgucXLOLQHyEl+kEkCLEmSbn71WsM8wsGPBBMBAgAiBQJUMGs2AhsDBgsJCAcD
-AgYVCAIJCgsEFgIDAQIeAQIXgAAhCRDV6eQ/ffnujBYhBHlTrB+8PcizspI5PtXp
-5D99+e6MbdMP/1yj/fl/t8sl6ZH8v26uBBLSUeZPJYef9TCoe6akV//x4JLujB8y
-dGGW8bToC680zpuYlNn+avMwmjyocPwe7Cqgev6AyO+CjspoodM9Xai0y10CAHCl
-vGAW8mX7c79jtLcMB/Z/0+5u4ErkzfwyURRpB5deLcQ4LhyRVZbLQ72fdCrmPYzO
-e6Rhmfr9nWKL/oHDTLDUtRjAXdurI8YQKK9nCtbsM2uytvYkzpD2wx0B16rB7N04
-QLJBNDyOUJwnm4K+Xt9LLs8NUJ8JXCdwXKXGrFFbt2b3vmy0y4/NR5AUoS444ao5
-1mybA19WkCcCj5mSKmfZ9Dfbv6K3JCJx4ra5uJT2HP2M3NugtumQ1KPBUlNApVC6
-u+Vn7SMqFW/KFRCxOjXDWWU+F4prqzOVc5SYqIUOk7XVxgj1FBryw5Wel5iq1Bn8
-La1Fv3Hs/+pUKHRYYIC48kRET7h6oCmBiNn+XmU0A2qZnIyblmVpmfYftj3UWUC0
-S86qf/dRi8unTXYl8qEQyOSPz8g6t2RDgEsJOzKhiO+j+wcBYVOgrSgsawC8yxjA
-zfVwkprUJognVBJFCv4sKMb9wg99iEacI6O401w3FQy5FyokjmxXzrhn0UPj3t35
-wd81WZ5HWaBSLnBo8HklfDyaybPlXODldSI7OGOch/0/CZEQzQwzsmnazsFNBFQw
-azYBEADPNcBdaXTUwkG81K9NRKsKGVZ1coVRxkOx2+VD2THTY45sBx9MGmQsmSpj
-U45kx/wO5KiTVj+bM+scSzwNgERqLiyf/2hgOIDYaoyKSfAfIVCmm5pSa2Ad01RV
-9qT3i0eSSpa1Kpx8eAHKcVsDsWb2ZCd8/MI9778cCjrCbPI4o9zEVK+fjtmYKtdk
-HsEoMSVU6Jy86E908OLaJbOeo1a7bSKs4tU8zGWAX+ddY5Cb+w3cHQb4QheDWZHM
-el8ZcEgTah7huS6lUA4seQnTKXHmkIZ+uNtB3gFMKso/6GoOGZnUTk8dPY3POLY1
-nbMQ/dEvMQpFxLCOBNQP0lhO4DGP0KuwLXzq2XAxrylX5tY0bNmZKLTjhi4CbKAt
-c/+iwMUkQQXJRw7Vlp9Fp9ogOvzx/YlMaZQZZixg5uN2b4UD5cWliHn4Aq7DkTzQ
-Je31m7sezA3cLnFR86ol2X77y79n0GRjGsMa+b+e9NRWNKs28JiCPF3ya31Kk+3+
-sjauCZQW3KYx31Il5bO3ulLHOtxhSkCUHx5sJ81NJIhZFr+7yAel/ECCiT9KbVbh
-ddJBHsd7GNkwzb1QivcqnYiBW9QzXkQ+xAKHfS7YM5ooYcg6G7jw89/W0xznnGiz
-5JTjMkj1s9cppQ8tdqiV4Uemvx/96Nr5F7n++UJZ7Oval9/zswARAQABwsF2BBgB
-AgAJBQJUMGs2AhsMACEJENXp5D99+e6MFiEEeVOsH7w9yLOykjk+1enkP3357ozr
-2A//YzMQJ6Mo+/SU328dOeoseI/sFypuK882pPhXfJqX8l8H1zyHbKWy5lLLiv1M
-oNOC/8pWbpv2QlWyN3PKrB6srClnpPyiHIO37/lQBcpjvAfy9HWpl21FDxn9Ruxn
-a/IMYwq60EjE5h8NynNn57vydF3qTcTqkhtHW61L3vbBAcz9VMSay9QVm1f6qzM5
-WbbLxp1sfNjQWKSo381kjs1Vj7yCTBrJul3qSeX0CsRB7WF5VYMalpNTHPRIqCWp
-zTMcO3E5SSGIJy+AqwAZZvFiylGrSsux6TnVEVJ07s0nn1yj3q7Ii7av+waGmTf7
-9B0AyZv0IZ4j4NUWFNnGhsG1bEumFLkQl7Id/M61k0yKOusHdzDcZbCzecyww1w3
-WD+j4wvGkfBy4mQRqLiyjutsN/dpxRRkULATME+TH9J5eNq0A5sRRaayEiA1TDcA
-WfF0PtA4smNy1GyIarobC+xn8AENi4eeYZBbfDfh8oRhEsICQ6rs098wiYz8jtZ/
-pOruzbiD7ZKDy+vjKtYqgjGnioHQalJCZrKTUnREpH102pg1Cw6v2OcjiXsqU5L7
-Yrhv1jQIluII051VIJ/QBWe5uT7YiJOsMLMQGWvkObPXEYLld2UF6hK6MH4epkwV
-/w1uNqnlvIeEFgHTKmSHvfwlAF64lUiDCUdWExXybKkE2NY=
-=1H60
+mQINBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr
+55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH
+F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi
+UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag
+pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K
+/Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv
+MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8
+laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB
+HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3
+zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06
+YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB
+tBtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz6JAlQEEwEIAD4WIQSiH6t0sAiK
+o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe
+AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy
+U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE
+KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W
+nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh
+1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I
+m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj
+kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD
+IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M
+8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6
+z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41
+xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM
+MriPFbQfVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PokCVAQTAQgAPhYh
+BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL
+AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk
+8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO
+UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv
+FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW
+FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q
+UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy
+Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS
+2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW
+kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm
+T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI
+yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I
+8tmXB4BcoHFB9N0AtCFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz6J
+AlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL
+CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh
+KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo
+2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ
+J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4
+yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M
+cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A
+ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly
+Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y
+q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt
+Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj
+hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI
+w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZbkCDQRg8UyoARAApiWRrHjdEu9Fp2yd7K93
+VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27
+1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp
+djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50
+IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK
+bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn
+gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w
+NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh
+D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H
+a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB
+HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc
+nAaLOI/nw1ydegw8F+s1ALEAEQEAAYkEcgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv
+Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy
+Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+
+otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5
+SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358
+cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0
+8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ
+vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV
+yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A
+HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg
+K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs
+aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh
+uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE
+cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk
+RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F
+9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/
+JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g
+muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN
+86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr
+HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S
+DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE
+ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro
+uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY
+YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl
+JKbGoqC+wchHmOK5Ag0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u
+aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq
+oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7
+FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM
+ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL
+vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+
+i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb
+PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum
+ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE
+N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH
+eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs
+LQ1kotFTABEBAAGJAjwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM
+JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh
+QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB
+uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS
+nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u
+sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD
+NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C
+nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE
+FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ
+qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX
+Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc
+zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2
+TIdjvGbJ/k4qxw==
+=Ctij
 -----END PGP PUBLIC KEY BLOCK-----
--- a/openssl.keyring.README
+++ b/openssl.keyring.README
@ -61,3 +61,25 @@ gpg:                 aka "Richard Levitte <levitte@openssl.org>" [unknown]

 Please maintain the openssl.keyring file in ovmf package with new openssl
 tarball and signature. 
+
+Take the key of signature from gpg server
+----------------------------------------- 
+
+Sometimes that the gpg key will be removed or changed from otc.html on
+www.openssl.org, you can NOT find the key for tarball verification.
+
+Another way for getting the gpg key is from key server.
+e.g.
+gpg --keyserver 'keys.openpgp.org' --recv-keys 'DC7032662AF885E2F47F243F527466A21CA79E6D'
+
+The above command will download the key from gpg key server to your local
+machine. Then you can use it to verify openssl source code tarball:
+
+gpg --verify openssl-1.1.1u.tar.gz.asc openssl-1.1.1u.tar.gz
+
+If you confirmed that the key can be used to verify tarball. Then you can
+export it to openssl.keyring file for uploading to OBS/IBS: 
+
+gpg2 -a --export DC7032662AF885E2F47F243F527466A21CA79E6D > openssl.keyring
+
+
--- a/ovmf-EmbeddedPkg-Library-Support-SOURCE_DATE_EPOCH-in-Vir.patch
+++ b/ovmf-EmbeddedPkg-Library-Support-SOURCE_DATE_EPOCH-in-Vir.patch
@ -0,0 +1,36 @@
+From 441bc6b75c8edcfa825b324e05f7cd838feac2bb Mon Sep 17 00:00:00 2001
+From: "Lee, Chun-Yi" <jlee@suse.com>
+Date: Thu, 11 Apr 2024 19:36:30 +0800
+Subject: [PATCH] EmbeddedPkg/Library: Support SOURCE_DATE_EPOCH in
+ VirtualRealTimeClockLib for reproducible
+
+RISC-V ovmf used VirtualRealTimeClockLib but the default epoch is a
+compilation time. It causes that the RISC-V ovmf binary image is NOT
+reproducible.
+
+This patch added the support of SOURCE_DATE_EPOCH by printenv command.
+If SOURCE_DATE_EPOCH be found then we use it as BUILD_EPOCH. Otherwise
+we run date command for setting BUILD_EPOCH.
+
+For distributions want a reproducible RISC-V ovmf image, they should
+export SOURCE_DATE_EPOCH environment variable before building ovmf.
+
+References: https://reproducible-builds.org/docs/source-date-epoch/
+Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
+---
+ .../Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/EmbeddedPkg/Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf b/EmbeddedPkg/Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf
+index 5d0f867eb6..0bd6bcee75 100644
+--- a/EmbeddedPkg/Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf
+++ b/EmbeddedPkg/Library/VirtualRealTimeClockLib/VirtualRealTimeClockLib.inf
+@@ -34,4 +34,4 @@
+ 
+ # Current usage of this library expects GCC in a UNIX-like shell environment with the date command
+ [BuildOptions]
+-  GCC:*_*_*_CC_FLAGS = -DBUILD_EPOCH=`date +%s`
+  GCC:*_*_*_CC_FLAGS = -DBUILD_EPOCH=`printenv SOURCE_DATE_EPOCH || date +%s` 
+-- 
+2.44.0
+
--- a/ovmf-OvmfPkg-SmbiosPlatformDxe-tweak-fallback-release-dat.patch
+++ b/ovmf-OvmfPkg-SmbiosPlatformDxe-tweak-fallback-release-dat.patch
@ -0,0 +1,48 @@
+From 9aa057b298345f868dc0ca55e76128037c54e3aa Mon Sep 17 00:00:00 2001
+From: "Lee, Chun-Yi" <jlee@suse.com>
+Date: Sun, 4 Feb 2024 17:32:13 +0800
+Subject: [PATCH] OvmfPkg/SmbiosPlatformDxe: tweak fallback release date again
+
+In case PcdFirmwareReleaseDateString is not set use a valid date
+as fallback. But the default valid date can _NOT_ pass the Microsoft
+SVVP test "Check SMBIOS Table Specific Requirements". The test emitted
+the error message:
+
+BIOS Release Date string is unexpected length: 8. This string must be in
+MM/DD/YYYY format. No other format is allowed and no additional information
+may be included. See field description in the SMBIOS specification.
+
+Base on SMBIOS spec v3.7.0:
+
+08h     2.0+    BIOS Release Date       BYTE    STRING
+String number of the BIOS release date. The date
+string, if supplied, is in either mm/dd/yy or
+mm/dd/yyyy format. If the year portion of the string
+is two digits, the year is assumed to be 19yy.
+NOTE: The mm/dd/yyyy format is required for SMBIOS
+version 2.3 and later.
+
+So, let's tweek the fallback release date again.
+
+Fixes: a0f9628705e3 ("OvmfPkg/SmbiosPlatformDxe: tweak fallback release date") [edk2-stable202305~327]
+Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
+---
+ OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c b/OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c
+index 0ca3776..e929da6 100644
+--- a/OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c
+++ b/OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c
+@@ -160,7 +160,7 @@ InstallAllStructures (
+     DateStr = (CHAR16 *)FixedPcdGetPtr (PcdFirmwareReleaseDateString);
+     DateLen = StrLen (DateStr);
+     if (DateLen < 3) {
+-      DateStr = L"2/2/2022";
+      DateStr = L"02/02/2022";
+       DateLen = StrLen (DateStr);
+     }
+ 
+-- 
+2.35.3
+
--- a/ovmf-Revert-OvmfPkg-PlatformPei-Update-ReserveEmuVariable.patch
+++ b/ovmf-Revert-OvmfPkg-PlatformPei-Update-ReserveEmuVariable.patch
@ -1,51 +0,0 @@
-From 251820bfcd28abecf8a67ee94d82c8ab47547b0b Mon Sep 17 00:00:00 2001
-From: Joey Lee <jlee@suse.com>
-Date: Mon, 20 Mar 2023 13:14:57 +0100
-Subject: [PATCH] Revert "OvmfPkg/PlatformPei: Update
- ReserveEmuVariableNvStore"
-
-This reverts commit 58eb8517ad7b56574f8f04b770a59a9cbed796c4.
-(bsc#1209266)
-
-Signed-off-by: Joey Lee <jlee@suse.com>
---
- OvmfPkg/PlatformPei/Platform.c | 25 ++++++++++++++++++-------
- 1 file changed, 18 insertions(+), 7 deletions(-)
-
-Index: edk2-edk2-stable202305/OvmfPkg/PlatformPei/Platform.c
-===================================================================
--- edk2-edk2-stable202305.orig/OvmfPkg/PlatformPei/Platform.c
-+++ edk2-edk2-stable202305/OvmfPkg/PlatformPei/Platform.c
-@@ -219,14 +219,24 @@ ReserveEmuVariableNvStore (
-   EFI_PHYSICAL_ADDRESS  VariableStore;
-   RETURN_STATUS         PcdStatus;
- 
-  VariableStore = (EFI_PHYSICAL_ADDRESS)(UINTN)PlatformReserveEmuVariableNvStore ();
-  PcdStatus     = PcdSet64S (PcdEmuVariableNvStoreReserved, VariableStore);
-
-  if (FeaturePcdGet (PcdSecureBootSupported)) {
-    // restore emulated VarStore from pristine ROM copy
-    PlatformInitEmuVariableNvStore ((VOID *)(UINTN)VariableStore);
-  }
-
-+  //
-+  // Allocate storage for NV variables early on so it will be
-+  // at a consistent address.  Since VM memory is preserved
-+  // across reboots, this allows the NV variable storage to survive
-+  // a VM reboot.
-+  //
-+  VariableStore =
-+    (EFI_PHYSICAL_ADDRESS)(UINTN)
-+    AllocateRuntimePages (
-+      EFI_SIZE_TO_PAGES (2 * PcdGet32 (PcdFlashNvStorageFtwSpareSize))
-+      );
-+  DEBUG ((
-+    DEBUG_INFO,
-+    "Reserved variable store memory: 0x%lX; size: %dkb\n",
-+    VariableStore,
-+    (2 * PcdGet32 (PcdFlashNvStorageFtwSpareSize)) / 1024
-+    ));
-+  PcdStatus = PcdSet64S (PcdEmuVariableNvStoreReserved, VariableStore);
-   ASSERT_RETURN_ERROR (PcdStatus);
- }
- 
--- a/ovmf-build-funcs.sh
+++ b/ovmf-build-funcs.sh
@ -1,90 +0,0 @@
-#!/bin/bash
-
-# Generate PK/KEK OEM strings
-pkkek_oemstr()
-{
-	local CERT_FILE=$1
-	sed \
-		-e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \
-		-e '/^-----END CERTIFICATE-----$/d' \
-		$CERT_FILE \
-		| tr -d '\n'
-}
-
-# Build the varstore template
-build_template()
-{
-	local ARCH=$(echo $1 | tr '[:lower:'] '[:upper:]')
-	local PREFIX="$2"
-	local KEY="$3"
-	local PKKEK_FILE="$4"
-	local ISO_FILE="$5"
-	local TYPE="$6"
-
-	# QEMU parameters
-	#  pflash parameters
-	local PFLASH=""
-	if [ $TYPE == "separate" ]; then
-		local FW_CODE_ORIG="${PREFIX}-code.bin"
-		local FW_VARS_ORIG="${PREFIX}-vars.bin"
-		local FW_CODE="${PREFIX}-${KEY}-code.bin"
-		local FW_VARS="${PREFIX}-${KEY}-vars.bin"
-		local PFLASH_CODE="-drive if=pflash,format=raw,unit=0,readonly=on,file=$FW_CODE"
-		local PFLASH_VARS="-drive if=pflash,format=raw,unit=1,file=$FW_VARS"
-
-		ln -s "$FW_CODE_ORIG" "$FW_CODE"
-		cp "$FW_VARS_ORIG" "$FW_VARS"
-
-		PFLASH="$PFLASH_CODE $PFLASH_VARS"
-	elif [ $TYPE == "unified" ]; then
-		local UNIFIED_FW_ORIG="${PREFIX}.bin"
-		local UNIFIED_FW="${PREFIX}-${KEY}.bin"
-
-		cp "$UNIFIED_FW_ORIG" "$UNIFIED_FW"
-
-		PFLASH="-drive if=pflash,format=raw,unit=0,file=$UNIFIED_FW"
-	fi
-
-	#  smbios parameters for PK and KEK
-	local SMBIOS="-smbios type=11,value=$(pkkek_oemstr $PKKEK_FILE)"
-
-	#  memory: 256MB
-	local MEMORY="-m 256"
-
-	# kvm
-	local FW_CFG="-fw_cfg name=opt/org.tianocore/X-Cpuhp-Bugcheck-Override,string=yes"
-
-	#  redirect display to stdio and disable network
-	local MISC="-display none -no-user-config -nodefaults -smp 1"
-	MISC="$MISC -serial stdio"
-
-	#  set cdrom device
-	local CDROM="-device virtio-scsi-pci,id=scsi0"
-	CDROM="$CDROM -device scsi-cd,drive=cd0,bus=scsi0.0,bootindex=0"
-	CDROM="$CDROM -drive media=cdrom,if=none,id=cd0,format=raw,readonly=on"
-	CDROM="$CDROM,file=${ISO_FILE}"
-
-	if [ $ARCH == "X64" ]; then
-		# qemu command
-		local QEMU="qemu-system-x86_64"
-
-		# machine parameters
-		local MACHINE="-machine q35"
-		if [[ "$PREFIX" == *"-smm" ]]; then
-			MACHINE="$MACHINE,smm=on,accel=tcg"
-			MACHINE="$MACHINE -global driver=cfi.pflash01,property=secure,value=on"
-			MACHINE="$MACHINE -global ICH9-LPC.disable_s3=1"
-		fi
-		MACHINE="$MACHINE -chardev pty,id=charserial1"
-		MACHINE="$MACHINE -device isa-serial,chardev=charserial1,id=serial1"
-	elif [ $ARCH == "AARCH64" ]; then
-		# qemu command
-		local QEMU="qemu-system-aarch64"
-
-		# machine parameters
-		local MACHINE="-cpu cortex-a57 -machine virt"
-	fi
-
-	# Launch the VM
-	$QEMU $MACHINE $MEMORY $FW_CFG $PFLASH $SMBIOS $CDROM $MISC
-}
--- a/ovmf-riscv64-missing-memcpy.patch
+++ b/ovmf-riscv64-missing-memcpy.patch
@ -1,12 +0,0 @@
--- edk2-edk2-stable202302.orig/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
-+++ edk2-edk2-stable202302/CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
-@@ -43,6 +43,9 @@
- [Sources.X64]
-   CopyMem.c
- 
-+[Sources.RISCV64]
-+  CopyMem.c
-+
- [Packages]
-   MdePkg/MdePkg.dec
- 
--- a/ovmf-set-fixed-enroll-time.patch
+++ b/ovmf-set-fixed-enroll-time.patch
@ -1,33 +0,0 @@
-From c0cec3409f3abda1e2359a79ccac575b4ea1838b Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Tue, 21 May 2019 16:56:06 +0800
-Subject: [PATCH 1/1] OvmfPkg/EnrollDefaultKeys: Set the fixed time
-
-For the reproducible build, we need to set the fixed time when setting
-the authenticate variables.
-
-Signed-off-by: Gary Lin <glin@suse.com>
---
- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-Index: edk2-edk2-stable202202/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
-===================================================================
--- edk2-edk2-stable202202.orig/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
-+++ edk2-edk2-stable202202/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
-@@ -324,6 +324,15 @@ EnrollListOfCerts (
-     goto FreeData;
-   }
- 
-+  // Set the fixed time for the reproducible build
-+  // 2019-5-20 00:00:00
-+  SingleHeader->TimeStamp.Year       = 2019;
-+  SingleHeader->TimeStamp.Month      = 5;
-+  SingleHeader->TimeStamp.Day        = 20;
-+  SingleHeader->TimeStamp.Hour       = 0;
-+  SingleHeader->TimeStamp.Minute     = 0;
-+  SingleHeader->TimeStamp.Second     = 0;
-+ 
-   SingleHeader->TimeStamp.Pad1       = 0;
-   SingleHeader->TimeStamp.Nanosecond = 0;
-   SingleHeader->TimeStamp.TimeZone   = 0;
--- a/ovmf.changes
+++ b/ovmf.changes
--- a/ovmf.spec
+++ b/ovmf.spec
@ -1,7 +1,7 @@
 #
 # spec file for package ovmf
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -18,7 +18,7 @@


 %undefine _build_create_debug
-%global openssl_version 1.1.1t
+%global openssl_version 3.0.9
 %global softfloat_version b64af41c3276f
 %if 0%{?suse_version} < 1599
 %bcond_with build_riscv64
@ -27,21 +27,21 @@
 %endif

 Name:           ovmf
-Version:        202305
+Version:        202402
 Release:        0
 Summary:        Open Virtual Machine Firmware
 License:        BSD-2-Clause-Patent
 Group:          System/Emulators/PC
 URL:            https://github.com/tianocore/edk2
 Source0:        edk2-edk2-stable%{version}.tar.gz
-Source1:        https://www.openssl.org/source/old/1.1.1/openssl-%{openssl_version}.tar.gz
-Source111:      https://www.openssl.org/source/old/1.1.1/openssl-%{openssl_version}.tar.gz.asc
+Source1:        https://www.openssl.org/source/old/3.0/openssl-%{openssl_version}.tar.gz
+Source111:      https://www.openssl.org/source/old/3.0/openssl-%{openssl_version}.tar.gz.asc
 Source112:      openssl.keyring
 Source113:      openssl.keyring.README
+Source114:      descriptors.tar.xz.README
 Source2:        README
 Source3:        SLES-UEFI-CA-Certificate-2048.crt
 Source4:        openSUSE-UEFI-CA-Certificate-2048.crt
-Source5:        openSUSE-UEFI-SIGN-Certificate-2048.crt
 # berkeley-softfloat-3: https://github.com/ucb-bar/berkeley-softfloat-3
 Source6:        berkeley-softfloat-3-%{softfloat_version}.tar.xz
 Source7:        descriptors.tar.xz
@ -49,14 +49,13 @@ Source7:        descriptors.tar.xz
 Source8:        oniguruma-v6.9.4_mark1-src.tar.xz
 # public-mipi-sys-t: https://github.com/MIPI-Alliance/public-mipi-sys-t
 Source9:        public-mipi-sys-t-1.1-edk2.tar.gz
+# mbedtls: https://github.com/Mbed-TLS/mbedtls
+Source10:       mbedtls-3.3.0.tar.gz
 Source100:      %{name}-rpmlintrc
 Source101:      gdb_uefi.py.in
-Source102:      gen-key-enrollment-iso.sh
-Source103:      ovmf-build-funcs.sh
 Patch1:         %{name}-gdb-symbols.patch
 Patch2:         %{name}-pie.patch
 Patch3:         %{name}-disable-ia32-firmware-piepic.patch
-Patch4:         %{name}-set-fixed-enroll-time.patch
 Patch5:         %{name}-disable-brotli.patch
 Patch6:         %{name}-ignore-spurious-GCC-12-warning.patch
 # Bug 1205978 - Got Page-Fault exception when VM is booting with edk2-stable202211 ovmf
@ -65,9 +64,10 @@ Patch7:         %{name}-Revert-OvmfPkg-PlatformInitLib-dynamic-mmio-window-s.pat
 Patch8:         %{name}-Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
 # Bug 1205613 - L3: win 2k22 UEFI xen VMs cannot boot in xen after upgrade
 Patch9:         %{name}-Revert-OvmfPkg-OvmfXen-Set-PcdFSBClock.patch
-# Bug 1209266 - OVMF firmware hangs when booting SEV or SEV-ES guest
-Patch10:        %{name}-Revert-OvmfPkg-PlatformPei-Update-ReserveEmuVariable.patch
-Patch11:        ovmf-riscv64-missing-memcpy.patch
+# Bug 1219024 - SVVP test Check SMBIOS Table Specific Requirements fails
+Patch11:        %{name}-OvmfPkg-SmbiosPlatformDxe-tweak-fallback-release-dat.patch
+# Bug 1217704 - ovmf: reproducible builds problem in ovmf-riscv64-code.bin
+Patch12:        %{name}-EmbeddedPkg-Library-Support-SOURCE_DATE_EPOCH-in-Vir.patch
 BuildRequires:  bc
 BuildRequires:  cross-arm-binutils
 BuildRequires:  cross-arm-gcc%{gcc_version}
@ -82,10 +82,8 @@ BuildRequires:  mtools
 BuildRequires:  nasm
 BuildRequires:  openssl
 BuildRequires:  python3
-BuildRequires:  qemu-arm >= 3.0.0
-BuildRequires:  qemu-ipxe
-BuildRequires:  qemu-x86 >= 3.0.0
 BuildRequires:  unzip
+BuildRequires:  virt-firmware
 %ifnarch aarch64
 BuildRequires:  cross-aarch64-binutils
 BuildRequires:  cross-aarch64-gcc%{gcc_version}
@ -101,7 +99,7 @@ BuildRequires:  cross-riscv64-gcc%{gcc_version}
 %endif
 %endif
 # Only build on the architectures with
-#  1. cross-compilers, 2. iasl, 3. qemu-arm and qemu-x86
+#  1. cross-compilers, 2. iasl
 ExclusiveArch:  x86_64 aarch64 riscv64

 %description
@ -194,17 +192,7 @@ virt board.
 PKG_TO_REMOVE="EmulatorPkg"
 rm -rf $PKG_TO_REMOVE

-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
+%autopatch -p1

 # add openssl
 pushd CryptoPkg/Library/OpensslLib/openssl
@ -229,7 +217,10 @@ pushd MdePkg/Library/MipiSysTLib/mipisyst
 tar -xf %{SOURCE9} --strip 1
 popd

-chmod +x %{SOURCE102}
+# add mbedtls
+pushd CryptoPkg/Library/MbedTlsLib/mbedtls
+tar -xf %{SOURCE10} --strip 1
+popd

 %build

@ -239,7 +230,6 @@ export PYTHON_COMMAND=python3

 # For some reason ARM still uses TPM2_CONFIG_ENABLE
 OVMF_FLAGS=" \
-	-D SECURE_BOOT_ENABLE \
 	-D TPM2_ENABLE \
 	-D TPM2_CONFIG_ENABLE \
 	-D NETWORK_IP6_ENABLE \
@ -258,16 +248,23 @@ FLAVORS_X86=("ovmf-ia32")
 BUILD_OPTIONS_X86=" \
 	$OVMF_FLAGS \
 	-D FD_SIZE_2MB \
+	-D SECURE_BOOT_ENABLE \
+	-D BUILD_SHELL=FALSE \
 	-a IA32 \
 	-p OvmfPkg/OvmfPkgIa32.dsc \
 	-b DEBUG \
 	-t $TOOL_CHAIN \
 "

-# Flavors for x86_64: 2MB, 4MB, and 4MB+SMM
-FLAVORS_X64=("ovmf-x86_64" "ovmf-x86_64-4m" "ovmf-x86_64-smm")
+# Flavors for x86_64: 2MB, 4MB, 4MB+SMM and AMD SEV
+FLAVORS_X64=("ovmf-x86_64" "ovmf-x86_64-4m" "ovmf-x86_64-smm" "ovmf-x86_64-sev")
+# Flavors will NOT enroll default kek/db keys
+FLAVORS_X64_SKIP_SB_KEY=("ovmf-x86_64-sev")
+# Flavors only support unified image (no separate *-code/-vars files)
+FLAVORS_X64_UNIFIED_ONLY=("ovmf-x86_64-sev")
 BUILD_OPTIONS_X64=" \
 	$OVMF_FLAGS \
+	-D BUILD_SHELL=FALSE \
 	-a X64 \
 	-b DEBUG \
 	-t $TOOL_CHAIN \
@ -277,6 +274,7 @@ BUILD_OPTIONS_X64=" \
 FLAVORS_AA64=("aavmf-aarch64")
 BUILD_OPTIONS_AA64=" \
 	$OVMF_FLAGS \
+	-D SECURE_BOOT_ENABLE \
 	-D NETWORK_TLS_ENABLE \
 	-a AARCH64 \
 	-p ArmVirtPkg/ArmVirtQemu.dsc \
@ -297,6 +295,7 @@ BUILD_OPTIONS_AA32=" \
 FLAVORS_RV64=("riscv")
 BUILD_OPTIONS_RV64=" \
 	$OVMF_FLAGS \
+	-D SECURE_BOOT_ENABLE \
 	-a RISCV64 \
 	-p OvmfPkg/RiscVVirt/RiscVVirtQemu.dsc \
 	-b DEBUG \
@ -316,7 +315,6 @@ BUILD_OPTIONS_RV64=" \
 %endif

 # Import the build functions
-source %{SOURCE103}
 source ./edksetup.sh

 ### Build x86 UEFI Images ###
@ -359,15 +357,17 @@ collect_x86_64_debug_files()

 declare -A EXTRA_FLAGS_X64
 EXTRA_FLAGS_X64=(
-	[ovmf-x86_64]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_2MB -D BUILD_SHELL=FALSE"
-	[ovmf-x86_64-4m]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE"
-	[ovmf-x86_64-smm]="-a IA32 -p OvmfPkg/OvmfPkgIa32X64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE -D SMM_REQUIRE -D BUILD_SHELL=FALSE"
+	[ovmf-x86_64]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_2MB -D SECURE_BOOT_ENABLE"
+	[ovmf-x86_64-4m]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE -D SECURE_BOOT_ENABLE"
+	[ovmf-x86_64-smm]="-a IA32 -p OvmfPkg/OvmfPkgIa32X64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE -D SMM_REQUIRE -D SECURE_BOOT_ENABLE"
+	[ovmf-x86_64-sev]="-p OvmfPkg/OvmfPkgX64.dsc -D FD_SIZE_4MB -D NETWORK_TLS_ENABLE"
 )
 declare -A OUTDIR_X64
 OUTDIR_X64=(
 	[ovmf-x86_64]="OvmfX64"
 	[ovmf-x86_64-4m]="OvmfX64"
 	[ovmf-x86_64-smm]="Ovmf3264"
+	[ovmf-x86_64-sev]="OvmfX64"
 )

 %ifnarch x86_64
@ -385,10 +385,11 @@ for flavor in ${FLAVORS_X64[@]}; do
 %endif
 done

-# Copy Shell.efi and EnrollDefaultKeys.efi
-mkdir X64
-cp Build/OvmfX64/DEBUG_*/X64/Shell.efi X64
-cp Build/OvmfX64/DEBUG_*/X64/EnrollDefaultKeys.efi X64
+# remove -code/-vars files for unfied only flavors
+for flavor in ${FLAVORS_X64_UNIFIED_ONLY[@]}; do
+	rm $flavor-code.bin
+	rm $flavor-vars.bin
+done

 %ifarch x86_64
 # Collect the source
@ -427,14 +428,10 @@ export ${TOOL_CHAIN}_AARCH64_PREFIX="aarch64-suse-linux-"
 build $BUILD_OPTIONS_AA64

 cp Build/ArmVirtQemu-AARCH64/DEBUG_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch64.bin
-dd of="aavmf-aarch64-code.bin" if="/dev/zero" bs=1M count=64
-dd of="aavmf-aarch64-code.bin" if="qemu-uefi-aarch64.bin" conv=notrunc
-dd of="aavmf-aarch64-vars.bin" if="/dev/zero" bs=1M count=64
-
-# Copy Shell.efi and EnrollDefaultKeys.efi
-mkdir AARCH64
-cp Build/ArmVirtQemu-AARCH64/DEBUG_*/AARCH64/Shell.efi AARCH64
-cp Build/ArmVirtQemu-AARCH64/DEBUG_*/AARCH64/EnrollDefaultKeys.efi AARCH64
+cp Build/ArmVirtQemu-AARCH64/DEBUG_GCC*/FV/QEMU_EFI.fd aavmf-aarch64-code.bin
+truncate -s 64M aavmf-aarch64-code.bin
+cp Build/ArmVirtQemu-AARCH64/DEBUG_GCC*/FV/QEMU_VARS.fd aavmf-aarch64-vars.bin
+truncate -s 64M aavmf-aarch64-vars.bin

 # Remove the temporary build files to reduce the disk usage (bsc#1178244)
 rm -rf Build/ArmVirtQemu-AARCH64/
@ -450,9 +447,10 @@ export ${TOOL_CHAIN}_ARM_PREFIX="arm-suse-linux-gnueabi-"
 build $BUILD_OPTIONS_AA32

 cp Build/ArmVirtQemu-ARM/DEBUG_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch32.bin
-dd of="aavmf-aarch32-code.bin" if="/dev/zero" bs=1M count=64
-dd of="aavmf-aarch32-code.bin" if="qemu-uefi-aarch32.bin" conv=notrunc
-dd of="aavmf-aarch32-vars.bin" if="/dev/zero" bs=1M count=64
+cp Build/ArmVirtQemu-ARM/DEBUG_GCC*/FV/QEMU_EFI.fd aavmf-aarch32-code.bin
+truncate -s 64M aavmf-aarch32-code.bin
+cp Build/ArmVirtQemu-ARM/DEBUG_GCC*/FV/QEMU_VARS.fd aavmf-aarch32-vars.bin
+truncate -s 64M aavmf-aarch32-vars.bin

 # Remove the temporary build files to reduce the disk usage (bsc#1178244)
 rm -rf Build/ArmVirtQemu-ARM/
@ -466,10 +464,10 @@ export ${TOOL_CHAIN}_RISCV64_PREFIX="riscv64-suse-linux-"
 # Build the UEFI image without keys
 build $BUILD_OPTIONS_RV64

-cp Build/RiscVVirtQemu/DEBUG_GCC*/FV/RISCV_VIRT.fd qemu-uefi-riscv64.bin
-dd of="ovmf-riscv64-code.bin" if="/dev/zero" bs=1M count=32
-dd of="ovmf-riscv64-code.bin" if="qemu-uefi-riscv64.bin" conv=notrunc
-dd of="ovmf-riscv64-vars.bin" if="/dev/zero" bs=1M count=32
+cp Build/RiscVVirtQemu/DEBUG_GCC*/FV/RISCV_VIRT_CODE.fd ovmf-riscv64-code.bin
+truncate -s 32M ovmf-riscv64-code.bin
+cp Build/RiscVVirtQemu/DEBUG_GCC*/FV/RISCV_VIRT_VARS.fd ovmf-riscv64-vars.bin
+truncate -s 32M ovmf-riscv64-vars.bin

 # Remove the temporary build files to reduce the disk usage (bsc#1178244)
 rm -rf Build/RiscVVirtQemu/
@ -503,27 +501,13 @@ generate_sb_var_templates()
 {
 	local ARCH=$1

-	# Assign the key iso file
-	local MS_ISO_FILE=ms-keys-${ARCH}.iso
-	local NOMS_ISO_FILE=no-ms-keys-${ARCH}.iso
-	declare -A KEY_ISO_FILES
-	KEY_ISO_FILES=(
-		[ms]=$MS_ISO_FILE
-		[suse]=$NOMS_ISO_FILE
-		[opensuse]=$NOMS_ISO_FILE
-		[devel]=$NOMS_ISO_FILE
-	)
-
-	# Create the iso images
-	local GEN_ISO=%{SOURCE102}
-	local SHELL=${ARCH}/Shell.efi
-	local ENROLLER=${ARCH}/EnrollDefaultKeys.efi
-	$GEN_ISO $ARCH $SHELL $ENROLLER default    $MS_ISO_FILE
-	$GEN_ISO $ARCH $SHELL $ENROLLER no-default $NOMS_ISO_FILE
-
 	# We only build the variable templates for X64 and AARCH64
 	if [ "$ARCH" == "X64" ]; then
 		FLAVORS=${FLAVORS_X64[@]}
+		# some flavors should NOT enroll default keys
+		for skip in ${FLAVORS_X64_SKIP_SB_KEY[@]}; do
+   			FLAVORS=("${FLAVORS[@]/$skip}")
+		done
 	elif [ "$ARCH" == "AARCH64" ]; then
 		FLAVORS=${FLAVORS_AA64[@]}
 	fi
@ -531,9 +515,15 @@ generate_sb_var_templates()
 	# Generate the varstore templates
 	for flavor in ${FLAVORS[@]}; do
 		for key in ${KEY_SOURCES[@]}; do
-			build_template "$ARCH" "$flavor" "$key" \
-				"${PKKEK[$key]}" "${KEY_ISO_FILES[$key]}" \
-				"separate"
+			ln "${flavor}-code.bin" "${flavor}-${key}-code.bin"
+
+			if [ "$key" == "ms" ]; then
+				virt-fw-vars --secure-boot --enroll-cert "${PKKEK[$key]}" -i "${flavor}-vars.bin" -o "${flavor}-${key}-vars.bin"
+			else
+				# GUID of EnrollDefaultKeys.efi, already used by virt-fw-vars for PK and KEK
+				virt-fw-vars --secure-boot --enroll-cert "${PKKEK[$key]}" -i "${flavor}-vars.bin" -o "${flavor}-${key}-vars.bin" \
+					     --no-microsoft --microsoft-kek none --add-db a0baa8a3-041d-48a8-bc87-c36d121b5e3d "${PKKEK[$key]}"
+			fi
 		done
 	done

@ -542,9 +532,7 @@ generate_sb_var_templates()
 		# backward compatibility. (bsc#1159793)
 		for flavor in ${FLAVORS[@]}; do
 			for key in ${KEY_SOURCES[@]}; do
-				build_template "$ARCH" "$flavor" "$key" \
-					"${PKKEK[$key]}" "${KEY_ISO_FILES[$key]}" \
-					"unified"
+				cat "${flavor}-${key}-vars.bin" "${flavor}-code.bin" > "${flavor}-${key}.bin"
 			done
 		done
 	fi
@ -581,6 +569,7 @@ install -m 0644 -D qemu-uefi-*.bin -t %{buildroot}/%{_datadir}/qemu/
 install -m 0644 -D aavmf-*.bin -t %{buildroot}/%{_datadir}/qemu/
 install -m 0644 -D descriptors/*.json \
 	-t %{buildroot}/%{_datadir}/qemu/firmware
+
 %fdupes %{buildroot}/%{_datadir}/qemu/

 %ifarch x86_64
@ -595,31 +584,12 @@ mv source/ovmf-x86_64* %{buildroot}%{_prefix}/src/debug
 %fdupes -s %{buildroot}%{_prefix}/src/debug/ovmf-x86_64
 %endif

-# Install Secure Boot key enroller
-mkdir -p %{buildroot}/%{_datadir}/ovmf/
-install -m 0755 %{SOURCE102} %{buildroot}/%{_datadir}/ovmf/
-%ifarch x86_64
-install -m 0644 X64/*.efi %{buildroot}/%{_datadir}/ovmf/
-%endif
-%ifarch aarch64
-install -m 0644 AARCH64/*.efi %{buildroot}/%{_datadir}/ovmf/
-%endif
-%ifarch riscv64
-# Nothing there yet
-#install -m 0644 RISCV64/*.efi %{buildroot}/%{_datadir}/ovmf/
-%endif
-
 %if %{without build_riscv64}
 rm %{buildroot}%{_datadir}/qemu/firmware/*-riscv64*.json
 %endif

 %files
 %doc README
-%dir %{_datadir}/ovmf/
-%ifnarch riscv64
-%{_datadir}/ovmf/*.efi
-%endif
-%{_datadir}/ovmf/*.sh

 %files tools
 %doc BaseTools/UserManuals/EfiRom_Utility_Man_Page.rtf
@ -670,7 +640,6 @@ rm %{buildroot}%{_datadir}/qemu/firmware/*-riscv64*.json
 %files -n qemu-uefi-riscv64
 %license License.txt
 %dir %{_datadir}/qemu/
-%{_datadir}/qemu/qemu-uefi-riscv64.bin
 %{_datadir}/qemu/ovmf-riscv64-code.bin
 %{_datadir}/qemu/ovmf-riscv64-vars.bin
 %dir %{_datadir}/qemu/firmware