
e2f05fed82 Add backported patch to enable iSCSI boot support by default (bsc#1245454)
- Add backported patch to enable iSCSI boot support by default (bsc#1245454)
    - ovmf-OvmfPkg-Add-NETWORK_ISCSI_DEFAULT_ENABLE-build-flag.patch
        502f0dfda4 OvmfPkg: Add NETWORK_ISCSI_DEFAULT_ENABLE build flag
    - Add build flag NETWORK_ISCSI_DEFAULT_ENABLE for x64 OVMF to enable iSCSI boot support by default
2025-09-26 13:21:52 +08:00
86b00fdffd Update firmware descriptors
- Update firmware descriptors to remove tab whitespace (bsc#1247847)
    - Replace tab whitespace with spaces in 50-ovmf-x86_64-sev.json
    - Replace tab whitespace with spaces in 50-ovmf-x86_64-sev-snp.json
- Update firmware descriptors for SEV-SNP and TDX (bsc#1247847)
    - Add 50-ovmf-x86_64-sev-snp.json to support the 'amd-sev-snp' feature.
    - Remove the sev-snp feature from 50-ovmf-x86_64-sev.json.
    - Update the device in 60-ovmf-x86_64-tdx.json from 'pflash' to 'memory'.
2025-09-26 13:19:18 +08:00
0532de05fa Sync changes to SLFO-1.2 branch 2025-08-20 10:02:10 +02:00
23 changed files with 2437 additions and 646 deletions


edk2-edk2-stable202502.tar.gz LFS Normal file



@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5f2b5e3a267230f82e4566592fd0bfac5e205ad90520b2c9bf80f575293b7015
size 18329425


@@ -0,0 +1,39 @@
From 95dec3e148d6ac27fc19e5a5c2396a3c3cf01633 Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Mon, 17 Mar 2025 12:07:48 +0800
Subject: [PATCH] Increase FVMAIN Size for Compatibility with 2MB Size Limit
In edk2-stable202502, the increase in code space caused an increase in
size, leading to build failures for OVMF under the 2MB size limit due
to insufficient space, because FVMAIN_COMPACT had insufficient space.
This patch adjusts the memory layout by reducing SEVFV size by 0x10000,
as its usage is below 50%, and reallocates the freed 0x10000 space to
FVMAIN_COMPACT. This ensures sufficient space to accommodate all code
within the FD_SIZE_2MB.
Signed-off-by: Richard Lyu <richard.lyu@suse.com>
---
OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc b/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
index 6170c5993c..e2543a1535 100644
--- a/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
+++ b/OvmfPkg/Include/Fdf/OvmfPkgDefines.fdf.inc
@@ -45,9 +45,9 @@ DEFINE FW_BLOCKS = 0x200
DEFINE CODE_BASE_ADDRESS = 0xFFE20000
DEFINE CODE_SIZE = 0x001E0000
DEFINE CODE_BLOCKS = 0x1E0
-DEFINE FVMAIN_SIZE = 0x001AC000
-DEFINE SECFV_OFFSET = 0x001CC000
-DEFINE SECFV_SIZE = 0x34000
+DEFINE FVMAIN_SIZE = 0x001BC000
+DEFINE SECFV_OFFSET = 0x001DC000
+DEFINE SECFV_SIZE = 0x24000
!endif
!if $(FD_SIZE_IN_KB) == 4096
--
2.43.0
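Review bot: The commit message in this patch says it shrinks "SEVFV", but the three DEFINE lines it changes are FVMAIN_SIZE, SECFV_OFFSET and SECFV_SIZE, i.e. the SEC firmware volume holding SecMain and the reset vector, so the message should say SECFV. The arithmetic checks out (0x1BC000 + 0x24000 = CODE_SIZE 0x1E0000, and 0x1DC000 + 0x24000 = 0x200000, so SECFV still ends at the top of the 2 MiB image and therefore at the 4 GiB boundary), but the "usage is below 50%" claim cannot be verified from the diff; the FV build fails rather than silently truncating if SECFV ever overflows, so the claim is at least enforced at build time. Because the image layout changes, the SEV/SEV-SNP launch digest of the 2 MiB firmware changes with it, and any attestation policy pinning the previous measurement has to be refreshed — as for any firmware rebuild, but worth stating in a backport that targets SEV users. I would add a comment above the new defines: `# FVMAIN_SIZE + SECFV_SIZE must equal CODE_SIZE; SECFV_OFFSET + SECFV_SIZE must equal FD_SIZE so the reset vector stays at the 4 GiB boundary`.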


@@ -0,0 +1,32 @@
From 9bceb16000056f31119c79014788bc99d5cfdc3d Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Tue, 17 Dec 2024 09:07:00 +0100
Subject: [PATCH] Maintainers.txt: Add reviewer for SVSM vTPM related modules
Add reviewers for the TPM2 code under SecurityPkg/
related to SVSM vTPM.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
Maintainers.txt | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Maintainers.txt b/Maintainers.txt
index df7cfdeeaf..48c3afeae5 100644
--- a/Maintainers.txt
+++ b/Maintainers.txt
@@ -599,6 +599,11 @@ SecurityPkg: Tcg related modules
F: SecurityPkg/Tcg/
R: Rahul Kumar <rahul1.kumar@intel.com> [rahul1-kumar]
+SecurityPkg: SVSM related modules
+F: SecurityPkg/Library/Tpm2DeviceLibDTpm/*Svsm*
+R: Oliver Steffen <osteffen@redhat.com> [osteffenrh]
+R: Tom Lendacky <thomas.lendacky@amd.com> [tlendacky]
+
ShellPkg
F: ShellPkg/
W: https://github.com/tianocore/tianocore.github.io/wiki/ShellPkg
--
2.43.0


@@ -0,0 +1,46 @@
From fa74200c92693add490b18615c2821ba72a2d58d Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 11 Dec 2024 11:07:48 +0100
Subject: [PATCH] MdePkg/AmdSev: Add SVSM protocol call numbers
Add protocol and call numbers as defined in the "Secure VM Service
Module for SEV-SNP Guests" Publication # 58019 Revision: 1.00
https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/58019.pdf
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
MdePkg/Include/Register/Amd/Svsm.h | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/MdePkg/Include/Register/Amd/Svsm.h b/MdePkg/Include/Register/Amd/Svsm.h
index 9a989f8031..704a3c70d9 100644
--- a/MdePkg/Include/Register/Amd/Svsm.h
+++ b/MdePkg/Include/Register/Amd/Svsm.h
@@ -98,4 +98,23 @@ typedef union {
UINT64 Uint64;
} SVSM_FUNCTION;
+/// SVSM Guest Protocols
+/// @{
+#define SVSM_PROTOCOL_CORE 0
+#define SVSM_PROTOCOL_ATTESTATION 1
+#define SVSM_PROTOCOL_VTPM 2
+/// @}
+
+/// SVSM Core Protocol calls
+/// @{
+#define SVSM_CORE_REMAP_CA 0
+#define SVSM_CORE_PVALIDATE 1
+#define SVSM_CORE_CREATE_VCPU 2
+#define SVSM_CORE_DELETE_VCPU 3
+#define SVSM_CORE_DEPOSIT_MEM 4
+#define SVSM_CORE_WITHDRAW_MEM 5
+#define SVSM_CORE_QUERY_PROTOCOL 6
+#define SVSM_CORE_CONFIGURE_VTOM 7
+/// @}
+
#endif
--
2.43.0


@@ -0,0 +1,31 @@
From 70f806ec23fb1c376afe33f2f054819a03e21641 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 11 Dec 2024 11:17:07 +0100
Subject: [PATCH] MdePkg/AmdSev: Add SVSM protocol vTPM call numbers
Add call numbers for the SVSM vTPM protocol, as defined in the "Secure
VM Service Module for SEV-SNP Guests" Publication # 58019 Revision: 1.00
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
MdePkg/Include/Register/Amd/Svsm.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/MdePkg/Include/Register/Amd/Svsm.h b/MdePkg/Include/Register/Amd/Svsm.h
index 704a3c70d9..08716a40b5 100644
--- a/MdePkg/Include/Register/Amd/Svsm.h
+++ b/MdePkg/Include/Register/Amd/Svsm.h
@@ -117,4 +117,10 @@ typedef union {
#define SVSM_CORE_CONFIGURE_VTOM 7
/// @}
+/// SVSM vTPM Protocol calls
+/// @{
+#define SVSM_VTPM_QUERY 0
+#define SVSM_VTPM_CMD 1
+/// @}
+
#endif
--
2.43.0


@@ -0,0 +1,57 @@
From c526b923ff146045e55208fa13b05de3720eddc2 Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Wed, 10 Sep 2025 21:56:11 +0800
Subject: [PATCH] OvmfPkg: Add NETWORK_ISCSI_DEFAULT_ENABLE build flag
REF: https://github.com/tianocore/edk2/issues/11483
Introduce a new build flag NETWORK_ISCSI_DEFAULT_ENABLE to control
whether iSCSI support is enabled by default without setting fwcfg. This
allows developers to decide at build time if the IScsiDxe driver should be
included and enabled by default.
If NETWORK_ISCSI_DEFAULT_ENABLE is set to FALSE, IScsiDxe will still be
built when NETWORK_ISCSI_ENABLE is TRUE, but the default PCD value
(gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideDefaultValue) will be
set to "no". This ensures iSCSI remains disabled at runtime unless enabled
explicitly by fwcfg.
This change provides more flexibility for both build-time and runtime
configuration of iSCSI support.
Signed-off-by: Richard Lyu <richard.lyu@suse.com>
---
OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc | 4 +++-
OvmfPkg/OvmfPkgX64.dsc | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc b/OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc
index 051fe950ce..288216373a 100644
--- a/OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc
+++ b/OvmfPkg/Include/Dsc/NetworkComponents.dsc.inc
@@ -48,7 +48,9 @@
UefiDriverEntryPoint|OvmfPkg/Library/UefiDriverEntryPointFwCfgOverrideLib/UefiDriverEntryPointFwCfgOverrideLib.inf
<PcdsFixedAtBuild>
gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideFwCfgVarName|"opt/org.tianocore/ISCSISupport"
- gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideDefaultValue|"no"
+ !if $(NETWORK_ISCSI_DEFAULT_ENABLE) == FALSE
+ gUefiOvmfPkgTokenSpaceGuid.PcdEntryPointOverrideDefaultValue|"no"
+ !endif
}
!endif
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index f859db6acd..7d7bb5dbb0 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -51,6 +51,7 @@
DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
DEFINE NETWORK_ISCSI_ENABLE = TRUE
+ DEFINE NETWORK_ISCSI_DEFAULT_ENABLE = FALSE
DEFINE NETWORK_PXE_BOOT_ENABLE = TRUE
!include NetworkPkg/NetworkDefines.dsc.inc
--
2.46.1
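Review bot: `!if $(NETWORK_ISCSI_DEFAULT_ENABLE) == FALSE` in NetworkComponents.dsc.inc now guards the only line that forces PcdEntryPointOverrideDefaultValue to "no", yet the macro is defined solely in OvmfPkgX64.dsc; every other platform DSC that includes this file (the IA32, IA32X64, AmdSev, Microvm, Xen and Bhyve builds, insofar as they include it) is left with an undefined macro, and unless EDK2's DSC parser evaluates an undefined macro as FALSE in this comparison, those platforms silently lose the "no" override and IScsiDxe starts with whatever default OvmfPkg.dec gives the PCD — potentially turning on the iSCSI initiator and its pre-boot network exposure on builds that never opted in. The include file should carry its own default so the behaviour is explicit regardless of the caller: `!ifndef NETWORK_ISCSI_DEFAULT_ENABLE` / `  DEFINE NETWORK_ISCSI_DEFAULT_ENABLE = FALSE` / `!endif` placed before the `!if`, mirroring how NetworkDefines.dsc.inc defaults its other NETWORK_* flags. Note also that the patch itself sets the X64 default to FALSE, so the "enable by default" effect described in the package changelog presumably comes from a `-D NETWORK_ISCSI_DEFAULT_ENABLE=TRUE` in the spec file, which is not visible here; once that is set, the fwcfg key `opt/org.tianocore/ISCSISupport` is the only remaining runtime off-switch and the commit message should say so.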


@@ -0,0 +1,52 @@
From 458198aa49c39fa61ab735c0fb3cd22d1f6fdee7 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 11 Dec 2024 12:09:32 +0100
Subject: [PATCH] OvmfPkg/AmdSvmLib: Use named protocol and call constants
Make use of the named protocol and call constants for SVSM
communication.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c b/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
index 6c79ee7d91..dfaccdc9e9 100644
--- a/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
+++ b/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
@@ -213,8 +213,8 @@ SvsmPvalidate (
Caa = (SVSM_CAA *)AmdSvsmSnpGetCaa ();
ZeroMem (Caa->SvsmBuffer, sizeof (Caa->SvsmBuffer));
- Function.Id.Protocol = 0;
- Function.Id.CallId = 1;
+ Function.Id.Protocol = SVSM_PROTOCOL_CORE;
+ Function.Id.CallId = SVSM_CORE_PVALIDATE;
Request = (SVSM_PVALIDATE_REQUEST *)Caa->SvsmBuffer;
EntryLimit = ((sizeof (Caa->SvsmBuffer) - sizeof (*Request)) /
@@ -407,17 +407,17 @@ SvsmVmsaRmpAdjust (
SvsmCallData.Caa = (SVSM_CAA *)AmdSvsmSnpGetCaa ();
- Function.Id.Protocol = 0;
+ Function.Id.Protocol = SVSM_PROTOCOL_CORE;
if (SetVmsa) {
- Function.Id.CallId = 2;
+ Function.Id.CallId = SVSM_CORE_CREATE_VCPU;
SvsmCallData.RaxIn = Function.Uint64;
SvsmCallData.RcxIn = (UINT64)(UINTN)Vmsa;
SvsmCallData.RdxIn = (UINT64)(UINTN)Vmsa + SIZE_4KB;
SvsmCallData.R8In = ApicId;
} else {
- Function.Id.CallId = 3;
+ Function.Id.CallId = SVSM_CORE_DELETE_VCPU;
SvsmCallData.RaxIn = Function.Uint64;
SvsmCallData.RcxIn = (UINT64)(UINTN)Vmsa;
--
2.43.0


@@ -0,0 +1,135 @@
From 40b4e190d37dca895f46d816eca154d07c761ae7 Mon Sep 17 00:00:00 2001
From: Claudio Carvalho <cclaudio@linux.ibm.com>
Date: Mon, 10 Jun 2024 22:29:57 +0300
Subject: [PATCH] OvmfPkg/AmdSvsmLib: Add the SVSM vTPM protocol
As described in the SVSM specification, guest components can call to the
SVSM vTPM through the vTPM protocol (protocol-id 2).
The SVSM vTPM protocol follows the Microsoft TPM Simulator interface
(MSSIM) and supports two services:
- SVSM_VTPM_QUERY (call-id 0): query MSSIM commands and vTPM features
supported.
- SVSM_VTPM_CMD (call-id 1): send a MSSIM command to be run by the vTPM
and get the result.
This patch adds support for SVSM_VTPM_QUERY and SVSM_VTPM_CMD to invoke
a SVSM when the guest is running at VMPL0.
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Co-authored-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c | 95 +++++++++++++++++++++++++
1 file changed, 95 insertions(+)
diff --git a/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c b/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
index dfaccdc9e9..e286ac0bc0 100644
--- a/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
+++ b/OvmfPkg/Library/AmdSvsmLib/AmdSvsmLib.c
@@ -498,3 +498,98 @@ AmdSvsmSnpVmsaRmpAdjust (
return AmdSvsmIsSvsmPresent () ? SvsmVmsaRmpAdjust (Vmsa, ApicId, SetVmsa)
: BaseVmsaRmpAdjust (Vmsa, SetVmsa);
}
+
+/**
+ Perform a SVSM_VTPM_QUERY operation
+
+ Query the support provided by the SVSM vTPM.
+
+ @param[out] PlatformCommands It will contain a bitmap indicating the
+ supported vTPM platform commands.
+ @param[out] Features It will contain a bitmap indicating the
+ supported vTPM features.
+
+ @retval TRUE The query was processed.
+ @retval FALSE The query was not processed.
+
+**/
+BOOLEAN
+EFIAPI
+AmdSvsmVtpmQuery (
+ OUT UINT64 *PlatformCommands,
+ OUT UINT64 *Features
+ )
+{
+ SVSM_CALL_DATA SvsmCallData;
+ SVSM_FUNCTION Function;
+ UINTN Ret;
+
+ if (!PlatformCommands && !Features) {
+ return FALSE;
+ }
+
+ if (!AmdSvsmIsSvsmPresent ()) {
+ return FALSE;
+ }
+
+ Function.Id.Protocol = SVSM_PROTOCOL_VTPM;
+ Function.Id.CallId = SVSM_VTPM_QUERY;
+
+ SvsmCallData.Caa = (SVSM_CAA *)AmdSvsmSnpGetCaa ();
+ SvsmCallData.RaxIn = Function.Uint64;
+
+ Ret = SvsmMsrProtocol (&SvsmCallData);
+ if (Ret != 0) {
+ return FALSE;
+ }
+
+ if (PlatformCommands) {
+ *PlatformCommands = SvsmCallData.RcxOut;
+ }
+
+ if (Features) {
+ *Features = SvsmCallData.RdxOut;
+ }
+
+ return TRUE;
+}
+
+/**
+ Perform a SVSM_VTPM_CMD operation
+
+ Send the specified vTPM platform command to the SVSM vTPM.
+
+ @param[in, out] Buffer It should contain the vTPM platform command
+ request. The respective response will be returned
+ in the same Buffer, but not all commands specify a
+ response.
+
+ @retval TRUE The command was processed.
+ @retval FALSE The command was not processed.
+
+**/
+BOOLEAN
+EFIAPI
+AmdSvsmVtpmCmd (
+ IN OUT UINT8 *Buffer
+ )
+{
+ SVSM_CALL_DATA SvsmCallData;
+ SVSM_FUNCTION Function;
+ UINTN Ret;
+
+ if (!AmdSvsmIsSvsmPresent ()) {
+ return FALSE;
+ }
+
+ Function.Id.Protocol = SVSM_PROTOCOL_VTPM;
+ Function.Id.CallId = SVSM_VTPM_CMD;
+
+ SvsmCallData.Caa = (SVSM_CAA *)AmdSvsmSnpGetCaa ();
+ SvsmCallData.RaxIn = Function.Uint64;
+ SvsmCallData.RcxIn = (UINT64)(UINTN)Buffer;
+
+ Ret = SvsmMsrProtocol (&SvsmCallData);
+
+ return (Ret == 0) ? TRUE : FALSE;
+}
--
2.43.0
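Review bot: AmdSvsmVtpmCmd hands the SVSM a bare `Buffer` address in RCX with no length and no alignment check, and its doc comment says nothing about what the buffer must look like; the SVSM vTPM protocol constrains the command/response page, so the contract should be stated at the prototype and ideally enforced, e.g. `if ((Buffer == NULL) || (((UINTN)Buffer & (SIZE_4KB - 1)) != 0)) { return FALSE; }` before the call is built (confirm the exact alignment and size rule against publication 58019 before hard-coding 4 KiB). Both new functions also collapse the SVSM return code into a bare FALSE, so a protocol error (unsupported call, rejected buffer) is indistinguishable from "no SVSM present"; a `DEBUG ((DEBUG_ERROR, "%a: SVSM vTPM call failed, Ret=0x%lx\n", __func__, (UINT64)Ret));` before each early return would make vTPM and attestation failures diagnosable. Since the response is written into the same buffer by the VMPL0 service, the caller (not in this hunk) still has to bound the MSSIM response length against the buffer size before parsing it; the doc comment for `Buffer` should say that explicitly.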


@@ -0,0 +1,45 @@
From 856bdc8eec0fd450ffb582808ad9649a5d02b480 Mon Sep 17 00:00:00 2001
From: Tom Lendacky <thomas.lendacky@amd.com>
Date: Fri, 25 Apr 2025 12:49:52 -0500
Subject: [PATCH] OvmfPkg/CcExitLib: Use the proper register when filtering
MSRs
The MsrExit() routine uses an incorrect register to check for the CAA MSR.
Instead of checking RCX, the input register for RDMSR/WRMSR that holds the
MSR value, it is checking RAX, which results in failure to detect the CAA
MSR request. The check should only be checking the lower 32-bits of the
register (ECX), too.
Change the check in MsrExit() to check the MSR value contained in ECX.
Fixes: 47001ab98914 ("Ovmfpkg/CcExitLib: Provide SVSM discovery support")
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
OvmfPkg/Library/CcExitLib/CcExitVcHandler.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
index 2031fa9e22..2c12f78f8d 100644
--- a/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
+++ b/OvmfPkg/Library/CcExitLib/CcExitVcHandler.c
@@ -701,6 +701,7 @@ MsrExit (
MSR_SVSM_CAA_REGISTER Msr;
UINT64 ExitInfo1;
UINT64 Status;
+ UINT32 EcxIn;
ExitInfo1 = 0;
@@ -708,7 +709,8 @@ MsrExit (
// The SVSM CAA MSR is a software implemented MSR and not supported
// by the hardware, handle it directly.
//
- if (Regs->Rax == MSR_SVSM_CAA) {
+ EcxIn = (UINT32)(UINTN)Regs->Rcx;
+ if (EcxIn == MSR_SVSM_CAA) {
// Writes to the SVSM CAA MSR are ignored
if (*(InstructionData->OpCodes + 1) == 0x30) {
return 0;
--
2.43.0
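Review bot: The new compare in MsrExit() is correct but undocumented: `EcxIn = (UINT32)(UINTN)Regs->Rcx;` deserves a one-liner, `// RDMSR/WRMSR take the MSR index from ECX; the upper 32 bits of RCX are ignored by hardware`, since the truncation is the whole point of the fix. It is also worth spelling out in the backport note why this matters for SEV-SNP: before the fix a firmware RDMSR of MSR_SVSM_CAA did not match here and appears to have fallen through to the generic GHCB MSR path, which lets the hypervisor supply the value — exactly the untrusted party that SVSM discovery is meant to bypass — so this is a security fix rather than only a functional one. The rest of MsrExit(), including the `0x30` opcode check that distinguishes WRMSR, lies outside the hunk.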


@@ -0,0 +1,43 @@
From 06b2f9dc4385ccf5ca4b86deb14832daa373629f Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 11 Dec 2024 11:10:24 +0100
Subject: [PATCH] OvmfPkg: Use Tpm2Device lib with SVSM vTPM support
Switch over to Tpm2InstanceLibDTpmSvsm as the Tpm2 implementation to
support vTPMs provided by an SVSM.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc | 2 +-
OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc b/OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
index 75ae09571e..2ea17084bd 100644
--- a/OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
+++ b/OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
@@ -6,7 +6,7 @@
SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
<LibraryClasses>
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
- NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
+ NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
diff --git a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc b/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
index 351ca5bb28..ff5346aae7 100644
--- a/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
+++ b/OvmfPkg/Include/Dsc/OvmfTpmLibs.dsc.inc
@@ -30,7 +30,7 @@
!if $(TPM1_ENABLE) == TRUE
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
!endif
- Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
!endif
!if $(TPM2_ENABLE) == TRUE || $(CC_MEASUREMENT_ENABLE) == TRUE
--
2.43.0
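Review bot: Only the DXE component include and one Tpm2DeviceLib mapping in OvmfTpmLibs.dsc.inc are switched to the *DTpmSvsm instances; whether the PEI-phase TPM modules (OvmfTpmComponentsPei.dsc.inc / Tcg2Pei) also resolve to the SVSM-aware library is not visible in this hunk, and the `!if` context around the changed Tpm2DeviceLib line is cut off. If PEI keeps the plain Tpm2DeviceLibDTpm, an SVSM-hosted vTPM would not be found during PEI, so PEI-phase TPM initialisation and measurements would target a non-existent PTP device while DXE later finds the vTPM — an inconsistent event log rather than a clean failure — so please confirm both phases use the same instance. Since every OVMF build, not only AmdSev, now links the SVSM-capable library, a short comment at the changed line noting that it falls back to the regular PTP path when no SVSM is present (which is what the library's own file header claims) would save the next reader a trip into SecurityPkg.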


@@ -1,18 +1,17 @@
From 772bda5290449d46546b7b19cda083ed50536e7b Mon Sep 17 00:00:00 2001
From 7b9e33357945b23e6bcdb21fb9d0ba5859ad9b0b Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Thu, 29 May 2025 14:25:56 +0800
Subject: [PATCH] Revert "BaseTools: Add Stack Cookie Support to MSVC and GCC
IA32/X64/ARM/AARCH64"
Date: Tue, 14 Jan 2025 19:31:48 +0800
Subject: [PATCH] ovmf Revert add stack cookie support to MSVC and GCC
This reverts commit f53f029122d4493e9db95e2424dd8f067f247661.
---
BaseTools/Conf/tools_def.template | 41 ++++++++++++++-----------------
1 file changed, 19 insertions(+), 22 deletions(-)
BaseTools/Conf/tools_def.template | 65 +++++++++++++++----------------
1 file changed, 31 insertions(+), 34 deletions(-)
diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
index de86f96733..2a479365da 100755
--- a/BaseTools/Conf/tools_def.template
+++ b/BaseTools/Conf/tools_def.template
Index: edk2-edk2-stable202502/BaseTools/Conf/tools_def.template
===================================================================
--- edk2-edk2-stable202502.orig/BaseTools/Conf/tools_def.template
+++ edk2-edk2-stable202502/BaseTools/Conf/tools_def.template
@@ -21,9 +21,8 @@
# - Add GCC and GCCNOLTO
# - Deprecate GCC48, GCC49 and GCC5.
@@ -24,7 +23,7 @@ index de86f96733..2a479365da 100755
IDENTIFIER = Default TOOL_CHAIN_CONF
@@ -636,9 +635,9 @@ NOOPT_VS2017_AARCH64_DLINK_FLAGS = /NOLOGO /NODEFAULTLIB /IGNORE:4001 /OPT:REF
@@ -636,9 +635,9 @@ NOOPT_VS2017_AARCH64_DLINK_FLAGS = /NO
*_VS2019_IA32_PP_PATH = DEF(VS2019_BIN_IA32)\cl.exe
*_VS2019_IA32_ASM_PATH = DEF(VS2019_BIN_IA32)\ml.exe
@@ -37,7 +36,7 @@ index de86f96733..2a479365da 100755
DEBUG_VS2019_IA32_ASM_FLAGS = /nologo /c /WX /W3 /Cx /coff /Zd /Zi
RELEASE_VS2019_IA32_ASM_FLAGS = /nologo /c /WX /W3 /Cx /coff /Zd
@@ -666,9 +665,9 @@ NOOPT_VS2019_IA32_DLINK_FLAGS = /NOLOGO /NODEFAULTLIB /IGNORE:4001 /OPT:REF /O
@@ -666,9 +665,9 @@ NOOPT_VS2019_IA32_DLINK_FLAGS = /NOLOG
*_VS2019_X64_DLINK_PATH = DEF(VS2019_BIN_X64)\link.exe
*_VS2019_X64_ASLDLINK_PATH = DEF(VS2019_BIN_X64)\link.exe
@@ -50,7 +49,33 @@ index de86f96733..2a479365da 100755
DEBUG_VS2019_X64_ASM_FLAGS = /nologo /c /WX /W3 /Cx /Zd /Zi
RELEASE_VS2019_X64_ASM_FLAGS = /nologo /c /WX /W3 /Cx /Zd
@@ -779,9 +778,9 @@ NOOPT_VS2019_AARCH64_DLINK_FLAGS = /NOLOGO /NODEFAULTLIB /IGNORE:4001 /OPT:REF
@@ -696,9 +695,9 @@ NOOPT_VS2019_X64_DLINK_FLAGS = /NOLOG
*_VS2019_ARM_ASLPP_PATH = DEF(VS2019_BIN_ARM)\cl.exe
*_VS2019_ARM_ASLDLINK_PATH = DEF(VS2019_BIN_ARM)\link.exe
- DEBUG_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
-RELEASE_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
-NOOPT_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
+ DEBUG_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
+RELEASE_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
+NOOPT_VS2019_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
DEBUG_VS2019_ARM_ASM_FLAGS = /nologo /g
RELEASE_VS2019_ARM_ASM_FLAGS = /nologo
@@ -722,9 +721,9 @@ NOOPT_VS2019_ARM_DLINK_FLAGS = /NOL
*_VS2019_AARCH64_ASLPP_PATH = DEF(VS2019_BIN_AARCH64)\cl.exe
*_VS2019_AARCH64_ASLDLINK_PATH = DEF(VS2019_BIN_AARCH64)\link.exe
- DEBUG_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
-RELEASE_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
-NOOPT_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
+ DEBUG_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
+RELEASE_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
+NOOPT_VS2019_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
DEBUG_VS2019_AARCH64_ASM_FLAGS = /nologo /g
RELEASE_VS2019_AARCH64_ASM_FLAGS = /nologo
@@ -779,9 +778,9 @@ NOOPT_VS2019_AARCH64_DLINK_FLAGS = /NO
*_VS2022_IA32_ASM_PATH = DEF(VS2022_BIN_IA32)\ml.exe
*_VS2022_IA32_MAKE_FLAGS = /nologo
@@ -63,7 +88,7 @@ index de86f96733..2a479365da 100755
DEBUG_VS2022_IA32_ASM_FLAGS = /nologo /c /WX /W3 /Cx /coff /Zd /Zi
RELEASE_VS2022_IA32_ASM_FLAGS = /nologo /c /WX /W3 /Cx /coff /Zd
@@ -815,9 +814,9 @@ NOOPT_VS2022_IA32_DLINK_FLAGS = /NOLOGO /NODEFAULTLIB /IGNORE:4001 /OPT:REF /O
@@ -815,9 +814,9 @@ NOOPT_VS2022_IA32_DLINK_FLAGS = /NOLOG
*_VS2022_X64_DLINK_PATH = DEF(VS2022_BIN_X64)\link.exe
*_VS2022_X64_ASLDLINK_PATH = DEF(VS2022_BIN_X64)\link.exe
@@ -76,7 +101,33 @@ index de86f96733..2a479365da 100755
DEBUG_VS2022_X64_ASM_FLAGS = /nologo /c /WX /W3 /Cx /Zd /Zi
RELEASE_VS2022_X64_ASM_FLAGS = /nologo /c /WX /W3 /Cx /Zd
@@ -919,13 +918,11 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --add-gnu-debuglink="$(DEBUG_DIR)/$(MODULE_
@@ -852,9 +851,9 @@ NOOPT_VS2022_X64_DLINK_FLAGS = /NOLOG
*_VS2022_ARM_ASLDLINK_PATH = DEF(VS2022_BIN_ARM)\link.exe
*_VS2022_ARM_MAKE_FLAGS = /nologo
- DEBUG_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
-RELEASE_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
-NOOPT_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
+ DEBUG_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
+RELEASE_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
+NOOPT_VS2022_ARM_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
DEBUG_VS2022_ARM_ASM_FLAGS = /nologo /g
RELEASE_VS2022_ARM_ASM_FLAGS = /nologo
@@ -885,9 +884,9 @@ NOOPT_VS2022_ARM_DLINK_FLAGS = /NOL
*_VS2022_AARCH64_ASLDLINK_PATH = DEF(VS2022_BIN_AARCH64)\link.exe
*_VS2022_AARCH64_MAKE_FLAGS = /nologo
- DEBUG_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
-RELEASE_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
-NOOPT_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
+ DEBUG_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gw /Oi-
+RELEASE_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /O1b2 /GL /FIAutoGen.h /EHs-c- /GR- /GF /Gw /Oi-
+NOOPT_VS2022_AARCH64_CC_FLAGS = /nologo /c /WX /GS- /W4 /Gs32768 /D UNICODE /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Od /Oi-
DEBUG_VS2022_AARCH64_ASM_FLAGS = /nologo /g
RELEASE_VS2022_AARCH64_ASM_FLAGS = /nologo
@@ -919,13 +918,11 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --a
*_*_*_DTCPP_PATH = DEF(DTCPP_BIN)
*_*_*_DTC_PATH = DEF(DTC_BIN)
@@ -93,7 +144,7 @@ index de86f96733..2a479365da 100755
DEFINE GCC_AARCH64_CC_XIPFLAGS = -mstrict-align -mgeneral-regs-only
DEFINE GCC_RISCV64_CC_XIPFLAGS = -mstrict-align -mgeneral-regs-only
DEFINE GCC_DLINK2_FLAGS_COMMON = -Wl,--script=$(EDK_TOOLS_PATH)/Scripts/GccBase.lds
@@ -961,8 +958,8 @@ DEFINE GCC_DEPS_FLAGS = -MMD -MF $@.deps
@@ -961,8 +958,8 @@ DEFINE GCC_DEPS_FLAGS = -MM
DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
@@ -104,7 +155,7 @@ index de86f96733..2a479365da 100755
DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive
DEFINE GCC48_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
@@ -971,7 +968,7 @@ DEFINE GCC48_X64_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x228 DEF
@@ -971,7 +968,7 @@ DEFINE GCC48_X64_DLINK2_FLAGS = -
DEFINE GCC48_ASM_FLAGS = DEF(GCC_ASM_FLAGS)
DEFINE GCC48_ARM_ASM_FLAGS = $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
DEFINE GCC48_AARCH64_ASM_FLAGS = $(PLATFORM_FLAGS) DEF(GCC_ASM_FLAGS) -mlittle-endian
@@ -113,6 +164,3 @@ index de86f96733..2a479365da 100755
DEFINE GCC48_ARM_CC_XIPFLAGS = DEF(GCC_ARM_CC_XIPFLAGS)
DEFINE GCC48_AARCH64_CC_FLAGS = $(PLATFORM_FLAGS) -mcmodel=large DEF(GCC_AARCH64_CC_FLAGS)
DEFINE GCC48_AARCH64_CC_XIPFLAGS = DEF(GCC_AARCH64_CC_XIPFLAGS)
--
2.43.0
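Review bot: The refreshed revert still gives no rationale: its message is only `This reverts commit f53f029122d4493e9db95e2424dd8f067f247661.`, while the visible effect is to flip `/GS` to `/GS-` across the VS2019/VS2022 ARM and AARCH64 toolchain definitions (and, per the diffstat and subject, the IA32/X64 and GCC ones too), i.e. to build the firmware without stack cookies. That removes a stack-smashing mitigation from drivers that parse untrusted input — the network stack above all, and this same commit set enables the iSCSI initiator by default, so the exposure grows — so the patch body should say why the revert is needed (presumably a missing StackCheckLib resolution or a toolchain problem on this stable branch; not visible here) and whether it is meant to be temporary. I would add a line such as `Reason: <build failure / missing StackCheckLib on SLFO>; re-evaluate when rebasing past edk2-stable202502.` to the patch description. This section interleaves the old and new patch text, so the GCC part of the revert is only inferable from the diffstat line.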


@@ -1,6 +1,6 @@
From f059118317b6d3a1dfdeec45494d279842c855e4 Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Thu, 29 May 2025 13:22:47 +0800
From b8324bc3d5d44e5b1644a66f1b6e07b6e4ad9350 Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Wed, 15 Feb 2023 14:39:37 +0800
Subject: [PATCH] Revert "OvmfPkg/OvmfXen: Set PcdFSBClock"
This reverts commit 71cdb91f313380152d7bf38cfeebe76f5b2d39ac.
@@ -10,13 +10,13 @@ This reverts commit 71cdb91f313380152d7bf38cfeebe76f5b2d39ac.
OvmfPkg/XenPlatformPei/XenPlatformPei.inf | 1 -
3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index 088c63f5c2..6f636a79a2 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -451,6 +451,9 @@
# Point to the MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0xdc, 0x5b, 0xc2, 0xee, 0xf2, 0x67, 0x95, 0x4d, 0xb1, 0xd5, 0xf8, 0x1b, 0x20, 0x39, 0xd1, 0x1d }
Index: edk2-edk2-stable202302/OvmfPkg/OvmfXen.dsc
===================================================================
--- edk2-edk2-stable202302.orig/OvmfPkg/OvmfXen.dsc
+++ edk2-edk2-stable202302/OvmfPkg/OvmfXen.dsc
@@ -456,6 +456,9 @@
# Point to the MdeModulePkg/Application/UiApp/UiApp.inf
gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 }
+ ## Xen vlapic's frequence is 100 MHz
+ gEfiMdePkgTokenSpaceGuid.PcdFSBClock|100000000
@@ -24,7 +24,7 @@ index 088c63f5c2..6f636a79a2 100644
# We populate DXE IPL tables with 1G pages preferably on Xen
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable|TRUE
@@ -484,7 +487,6 @@
@@ -486,7 +489,6 @@
gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio64Base|0x0
gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio64Size|0x800000000
@@ -32,11 +32,11 @@ index 088c63f5c2..6f636a79a2 100644
gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|0
# Set video resolution for text setup.
diff --git a/OvmfPkg/XenPlatformPei/Xen.c b/OvmfPkg/XenPlatformPei/Xen.c
index a54fd55c70..68ae4801ae 100644
--- a/OvmfPkg/XenPlatformPei/Xen.c
+++ b/OvmfPkg/XenPlatformPei/Xen.c
@@ -613,9 +613,5 @@ CalibrateLapicTimer (
Index: edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/Xen.c
===================================================================
--- edk2-edk2-stable202302.orig/OvmfPkg/XenPlatformPei/Xen.c
+++ edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/Xen.c
@@ -634,9 +634,5 @@ CalibrateLapicTimer (
Freq = DivU64x64Remainder (Dividend, TscTick2 - TscTick, NULL);
DEBUG ((DEBUG_INFO, "APIC Freq % 8lu Hz\n", Freq));
@@ -46,10 +46,10 @@ index a54fd55c70..68ae4801ae 100644
-
UnmapXenPage (SharedInfo);
}
diff --git a/OvmfPkg/XenPlatformPei/XenPlatformPei.inf b/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
index 20c27ff34b..790f4af551 100644
--- a/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
+++ b/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
Index: edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
===================================================================
--- edk2-edk2-stable202302.orig/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
+++ edk2-edk2-stable202302/OvmfPkg/XenPlatformPei/XenPlatformPei.inf
@@ -86,7 +86,6 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
@@ -58,6 +58,3 @@ index 20c27ff34b..790f4af551 100644
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy
gUefiCpuPkgTokenSpaceGuid.PcdCpuLocalApicBaseAddress
--
2.43.0


@@ -0,0 +1,781 @@
From e868ece3c7d12be79f46da64b7c841d0486ac621 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Wed, 11 Dec 2024 11:48:07 +0100
Subject: [PATCH] SecurityPkg/Tpm2DeviceLibDTpm: Add TPM2 lib supporting SVSM
vTPM
SEV-SNP provides a feature known as VM Privilege Level (VMPL), which
allows for services to be run in the guest at different privilege
levels. By running at VMPL0 (most privileged VM level), the SVSM can be
used to provide privileged services, e.g. a virtual TPM, for the guest
rather than trust such services from the hypervisor.
This patch adds a DTpm driver to communicate with a virtual TPM running
in the SVSM. The driver follows the vTPM protocol documented in the SVSM
specification.
SVSM vTPM functionality is available as new device and instance
libraries, which can be consumed optionally, keeping changes to the
regular TPM implementation minimal.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Co-authored-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
.../Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c | 96 +++++++++++
.../Tpm2DeviceLibDTpmSvsm.inf | 66 ++++++++
.../Tpm2InstanceLibDTpmSvsm.c | 64 ++++++++
.../Tpm2InstanceLibDTpmSvsm.inf | 60 +++++++
.../Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h | 2 +-
.../Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c | 123 ++++++++++++++
.../Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h | 30 ++++
.../Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c | 152 ++++++++++++++++++
.../Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h | 25 +++
SecurityPkg/SecurityPkg.ci.yaml | 1 +
SecurityPkg/SecurityPkg.dec | 10 ++
SecurityPkg/SecurityPkg.dsc | 12 ++
12 files changed, 640 insertions(+), 1 deletion(-)
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.c
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c
new file mode 100644
index 0000000000..922b859168
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.c
@@ -0,0 +1,96 @@
+/** @file
+ This library is a TPM2 DTPM instance, supporting SVSM based vTPMs and regular
+ TPM2s at the same time.
+ Choosing this library means platform uses and only uses DTPM device as TPM2 engine.
+
+Copyright (c) 2024 Red Hat
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/Tpm2DeviceLib.h>
+
+#include "Tpm2DeviceLibDTpm.h"
+#include "Tpm2PtpSvsmShim.h"
+
+/**
+ This service enables the sending of commands to the TPM2.
+
+ @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
+ @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
+ @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
+ @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
+
+ @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
+ @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
+ @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
+**/
+EFI_STATUS
+EFIAPI
+Tpm2SubmitCommand (
+ IN UINT32 InputParameterBlockSize,
+ IN UINT8 *InputParameterBlock,
+ IN OUT UINT32 *OutputParameterBlockSize,
+ IN UINT8 *OutputParameterBlock
+ )
+{
+ return SvsmDTpm2SubmitCommand (
+ InputParameterBlockSize,
+ InputParameterBlock,
+ OutputParameterBlockSize,
+ OutputParameterBlock
+ );
+}
+
+/**
+ This service requests to use TPM2.
+
+ @retval EFI_SUCCESS Get the control of the TPM2 chip.
+ @retval EFI_NOT_FOUND TPM2 not found.
+ @retval EFI_DEVICE_ERROR Unexpected device behavior.
+**/
+EFI_STATUS
+EFIAPI
+Tpm2RequestUseTpm (
+ VOID
+ )
+{
+ return SvsmDTpm2RequestUseTpm ();
+}
+
+/**
+ This service registers a TPM2 device.
+
+ @param Tpm2Device TPM2 device
+
+ @retval EFI_SUCCESS TPM2 device was registered successfully.
+ @retval EFI_UNSUPPORTED System does not support registering this TPM2 device.
+ @retval EFI_ALREADY_STARTED This TPM2 device is already registered.
+**/
+EFI_STATUS
+EFIAPI
+Tpm2RegisterTpm2DeviceLib (
+ IN TPM2_DEVICE_INTERFACE *Tpm2Device
+ )
+{
+ return EFI_UNSUPPORTED;
+}
+
+/**
+ Initialize the library and cache SVSM vTPM presence state and TPM interface type, if applicable.
+
+ @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance
+**/
+EFI_STATUS
+EFIAPI
+Tpm2DeviceLibConstructorSvsm (
+ VOID
+ )
+{
+ if (TryUseSvsmVTpm ()) {
+ return EFI_SUCCESS;
+ } else {
+ return InternalTpm2DeviceLibDTpmCommonConstructor ();
+ }
+}
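Review bot: The `@retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance` line on Tpm2DeviceLibConstructorSvsm is carried over from the instance library and does not describe this constructor, which registers nothing: it probes for an SVSM vTPM and otherwise returns whatever InternalTpm2DeviceLibDTpmCommonConstructor () returns. Suggest `@retval EFI_SUCCESS An SVSM vTPM was found and selected.` followed by `@return Otherwise, the status of InternalTpm2DeviceLibDTpmCommonConstructor ().`, so a reader knows the regular DTPM path's errors propagate. The Tpm2RegisterTpm2DeviceLib stub above it would also benefit from a one-line comment stating that this library ignores registration by design, since the documented EFI_SUCCESS/EFI_ALREADY_STARTED cases can never occur here.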
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
new file mode 100644
index 0000000000..da48bd3c60
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
@@ -0,0 +1,66 @@
+## @file
+# Provides SVSM based vTPM and regular TPM 2.0 TIS/PTP functions for DTPM
+#
+# Spec Compliance Info:
+# "TCG PC Client Platform TPM Profile(PTP) Specification Family 2.0 Level 00 Revision 00.43"
+# "TCG PC Client Specific TPM Interface Specification(TIS) Version 1.3"
+#
+# This library implements TIS (TPM Interface Specification) and
+# PTP (Platform TPM Profile) functions which is
+# used for every TPM 2.0 command. Choosing this library means platform uses and
+# only uses TPM 2.0 DTPM device.
+#
+# This version of the library additionally supports SVSM based vTPMs for confidential
+# virtual machines under AMD-SEV SNP.
+#
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.
+# Copyright (c) 2024 Red Hat
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 1.30
+ BASE_NAME = Tpm2DeviceLibDTpmSvsm
+ MODULE_UNI_FILE = Tpm2DeviceLibDTpm.uni
+ FILE_GUID = EE79D4E4-8538-4FE6-A7EF-4095CB6B38E7
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = Tpm2DeviceLib|PEIM DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+ CONSTRUCTOR = Tpm2DeviceLibConstructorSvsm
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = X64
+#
+
+[Sources]
+ Tpm2Tis.c
+ Tpm2Svsm.c
+ Tpm2PtpSvsmShim.c
+ Tpm2Ptp.c
+ Tpm2DeviceLibDTpmSvsm.c
+ Tpm2DeviceLibDTpmBase.c
+ Tpm2DeviceLibDTpm.h
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ UefiCpuPkg/UefiCpuPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ IoLib
+ TimerLib
+ DebugLib
+ PcdLib
+ AmdSvsmLib
+
+[Pcd]
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType ## PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence ## PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr ## PRODUCES
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.c
new file mode 100644
index 0000000000..fda0b86347
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.c
@@ -0,0 +1,64 @@
+/** @file
+ This library is a TPM2 DTPM instance, supporting SVSM based vTPMs and regular
+ TPM2s at the same time.
+
+ It can be registered to Tpm2 Device router, to be active TPM2 engine,
+ based on platform setting.
+
+Copyright (c) 2024 Red Hat
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/Tpm2DeviceLib.h>
+
+#include <Guid/TpmInstance.h>
+
+#include "Tpm2Ptp.h"
+#include "Tpm2DeviceLibDTpm.h"
+#include "Tpm2PtpSvsmShim.h"
+
+TPM2_DEVICE_INTERFACE mDTpm2InternalTpm2Device = {
+ TPM_DEVICE_INTERFACE_TPM20_DTPM,
+ SvsmDTpm2SubmitCommand,
+ SvsmDTpm2RequestUseTpm,
+};
+
+/**
+ Registers DTPM2.0 instance and caches current active TPM interface type.
+
+ @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance
+**/
+EFI_STATUS
+EFIAPI
+Tpm2InstanceLibDTpmConstructorSvsm (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+
+ Status = Tpm2RegisterTpm2DeviceLib (&mDTpm2InternalTpm2Device);
+
+ if (Status == EFI_UNSUPPORTED) {
+ //
+ // Unsupported means platform policy does not need this instance enabled.
+ //
+ return EFI_SUCCESS;
+ }
+
+ if (Status != EFI_SUCCESS) {
+ return Status;
+ }
+
+ if (TryUseSvsmVTpm ()) {
+ // SVSM vTPM found.
+ return EFI_SUCCESS;
+ }
+
+ // No SVSM vTPM found; set up regular DTPM Ptp implementation
+ Status = InternalTpm2DeviceLibDTpmCommonConstructor ();
+ DumpPtpInfo ((VOID *)(UINTN)PcdGet64 (PcdTpmBaseAddress));
+
+ return Status;
+}
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
new file mode 100644
index 0000000000..4baf363c11
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
@@ -0,0 +1,60 @@
+## @file
+# Provides a DTPM instance for SVSM based vTPMs and TPM 2.0 TIS/PTP.
+#
+# This library can be registered to Tpm 2.0 device router, to be active TPM 2.0
+# engine, based on platform setting. It supports both TIS (TPM Interface Specification)
+# and PTP (Platform TPM Profile) functions.
+#
+# This version of the library additionally supports SVSM based vTPMs for confidential
+# virtual machines under AMD SEV-SNP.
+#
+# Copyright (c) 2024 Red Hat
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 1.30
+ BASE_NAME = Tpm2InstanceLibDTpmSvsm
+ MODULE_UNI_FILE = Tpm2InstanceLibDTpm.uni
+ FILE_GUID = C7777207-A8DF-47E4-AA3C-E8BF74E7F233
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = NULL
+ CONSTRUCTOR = Tpm2InstanceLibDTpmConstructorSvsm
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = X64
+#
+
+[Sources]
+ Tpm2Tis.c
+ Tpm2Svsm.c
+ Tpm2Ptp.c
+ Tpm2PtpSvsmShim.c
+ Tpm2InstanceLibDTpmSvsm.c
+ Tpm2DeviceLibDTpmBase.c
+ Tpm2DeviceLibDTpm.h
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ UefiCpuPkg/UefiCpuPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ IoLib
+ TimerLib
+ DebugLib
+ PcdLib
+ AmdSvsmLib
+
+[Pcd]
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType ## PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence ## PRODUCES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr ## PRODUCES
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
index 238d6e8dba..95e7ce246a 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
@@ -1,5 +1,5 @@
/** @file
- PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by dTPM2.0 library.
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by DTPM2.0 library.
Copyright (c) 2024 Red Hat
SPDX-License-Identifier: BSD-2-Clause-Patent
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
new file mode 100644
index 0000000000..8a49fe936f
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
@@ -0,0 +1,123 @@
+/** @file
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface shim that switches between
+ SVSM vTPM Ptp and regular Ptp implementations.
+
+ Use TryUseSvsmVTpm () do check for SVSM vTPM presnece and initialzie the shim.
+
+ The SVSM vTPM presence state is cached across library instances.
+
+Copyright (c) 2024 Red Hat
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+#include <Library/Tpm2DeviceLib.h>
+#include <Library/PcdLib.h>
+#include <Library/DebugLib.h>
+#include "Tpm2Ptp.h"
+#include "Tpm2Svsm.h"
+
+/// SVSM vTPM presence state as stored in PcdSvsmVTpmPresence
+/// @{
+#define SVSM_VTPM_PRESENCE_UNKNOWN 0xFF
+#define SVSM_VTPM_PRESENT 0x01
+#define SVSM_VTPM_ABSENT 0x00
+/// @}
+
+static BOOLEAN mUseSvsmVTpm = FALSE;
+
+/**
+ Initializes SVSM vTPM if present, or otherwise uses TCG PTP method.
+
+ If an SVSM based vTPM is found, use it from now on.
+ If none is found, call the regular Ptp TPM implementation instead.
+
+ This function is meant to be called from the DTpm library constructor.
+ If it has not been called, the regular Ptp implementation is used.
+
+ @retval TRUE SVSM vTPM is present.
+ @retval FALSE SVSM vTPM was not discovered.
+ */
+BOOLEAN
+EFIAPI
+TryUseSvsmVTpm (
+ )
+{
+ UINT8 SvsmVTpmPresence = (UINT8)PcdGet8 (PcdSvsmVTpmPresence);
+
+ if (SvsmVTpmPresence == SVSM_VTPM_PRESENCE_UNKNOWN) {
+ SvsmVTpmPresence = Tpm2SvsmQueryTpmSendCmd () ? SVSM_VTPM_PRESENT : SVSM_VTPM_ABSENT;
+ PcdSet8S (PcdSvsmVTpmPresence, SvsmVTpmPresence);
+ if (SvsmVTpmPresence == SVSM_VTPM_PRESENT) {
+ DEBUG ((DEBUG_INFO, " Found SVSM vTPM\n"));
+ }
+ }
+
+ mUseSvsmVTpm = SvsmVTpmPresence == SVSM_VTPM_PRESENT;
+ return mUseSvsmVTpm;
+}
+
+/**
+ This service enables the sending of commands to the selected TPM2.
+
+ Commands are send to either the SVSM vTPM or the regular Ptp based TPM, depending
+ on what was discovered by TryUseSvsmVTpm ().
+
+ @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
+ @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
+ @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
+ @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
+
+ @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
+ @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
+ @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
+**/
+EFI_STATUS
+EFIAPI
+SvsmDTpm2SubmitCommand (
+ IN UINT32 InputParameterBlockSize,
+ IN UINT8 *InputParameterBlock,
+ IN OUT UINT32 *OutputParameterBlockSize,
+ IN UINT8 *OutputParameterBlock
+ )
+{
+ if (mUseSvsmVTpm) {
+ return Tpm2SvsmTpmSendCommand (
+ InputParameterBlock,
+ InputParameterBlockSize,
+ OutputParameterBlock,
+ OutputParameterBlockSize
+ );
+ } else {
+ return DTpm2SubmitCommand (
+ InputParameterBlockSize,
+ InputParameterBlock,
+ OutputParameterBlockSize,
+ OutputParameterBlock
+ );
+ }
+}
+
+/**
+ This service requests to use TPM2.
+
+ Depending on what was discovered by TryUseSvsmVTpm (), this function either
+ returns EFI_SUCCESS, for SVSM vTPM, or calls the regular Ptp implementation.
+
+ @retval EFI_SUCCESS Get the control of the TPM2 chip.
+ @retval EFI_NOT_FOUND TPM2 not found.
+ @retval EFI_DEVICE_ERROR Unexpected device behavior.
+**/
+EFI_STATUS
+EFIAPI
+SvsmDTpm2RequestUseTpm (
+ VOID
+ )
+{
+ if (mUseSvsmVTpm) {
+ return EFI_SUCCESS;
+ } else {
+ return DTpm2RequestUseTpm ();
+ }
+}
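Review bot: The status of `PcdSet8S (PcdSvsmVTpmPresence, SvsmVTpmPresence);` in TryUseSvsmVTpm is dropped, so a failed cache write is invisible and every later library instance silently re-probes the SVSM; assign it and check it, e.g. `Status = PcdSet8S (PcdSvsmVTpmPresence, SvsmVTpmPresence);` then `ASSERT_RETURN_ERROR (Status);`. Whether that set can succeed at all depends on the PCD being dynamic in the platform DSC; the SecurityPkg.dec hunk that declares it does not show its section header, so that is worth confirming. Both the definition here and the prototype in Tpm2PtpSvsmShim.h spell the signature `TryUseSvsmVTpm ( )`, which in C is an unspecified parameter list; edk2 style is `TryUseSvsmVTpm ( VOID )`. `static BOOLEAN mUseSvsmVTpm` uses lowercase `static` where the rest of the tree (and the later hunk in this same file) uses `STATIC`.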
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h
new file mode 100644
index 0000000000..6a604f8020
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.h
@@ -0,0 +1,30 @@
+/** @file
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface shim that switches between
+ SVSM vTPM Ptp and regular Ptp implementations.
+
+ Use TryUseSvsmVTpm () do check for SVSM vTPM presnece and initialzie the shim.
+
+Copyright (c) 2024 Red Hat
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+BOOLEAN
+EFIAPI
+TryUseSvsmVTpm (
+ );
+
+EFI_STATUS
+EFIAPI
+SvsmDTpm2SubmitCommand (
+ IN UINT32 InputParameterBlockSize,
+ IN UINT8 *InputParameterBlock,
+ IN OUT UINT32 *OutputParameterBlockSize,
+ IN UINT8 *OutputParameterBlock
+ );
+
+EFI_STATUS
+EFIAPI
+SvsmDTpm2RequestUseTpm (
+ VOID
+ );
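Review bot: Tpm2PtpSvsmShim.h has no include guard, and the same applies to the new Tpm2Svsm.h and to Tpm2Ptp.h introduced in the header-file patch further down; a second include from any translation unit will redeclare the prototypes. Wrap each header in a guard named after the file, e.g. `#ifndef TPM2_PTP_SVSM_SHIM_H_` / `#define TPM2_PTP_SVSM_SHIM_H_` / `#endif` (constructed names, follow the package's convention). This header also uses BOOLEAN, EFI_STATUS, IN and OUT without including anything itself, so it only compiles when the consumer has already included `<Uefi.h>` or equivalent; adding that include makes the header self-contained, as Tpm2Ptp.h already does.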
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c
new file mode 100644
index 0000000000..d9b5907c75
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.c
@@ -0,0 +1,152 @@
+/** @file
+ SVSM TPM communication
+
+Copyright (C) 2024 James.Bottomley@HansenPartnership.com
+Copyright (C) 2024 IBM Corporation
+Copyright (C) 2024 Red Hat
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/AmdSvsmLib.h>
+#include <Library/PcdLib.h>
+
+#include "Tpm2Svsm.h"
+
+/**
+ Platform commands (MSSIM commands) can be sent through the
+ SVSM_VTPM_CMD operation. Each command can have its own
+ request and response structures.
+**/
+#define TPM_SEND_COMMAND 8
+
+#pragma pack(1)
+typedef struct _TPM2_SEND_CMD_REQ {
+ UINT32 Cmd;
+ UINT8 Locality;
+ UINT32 BufSize;
+ UINT8 Buf[];
+} TPM2_SEND_CMD_REQ;
+
+typedef struct _TPM2_SEND_CMD_RESP {
+ UINT32 Size;
+ UINT8 Buf[];
+} TPM2_SEND_CMD_RESP;
+#pragma pack()
+
+/* Max req/resp buffer size */
+#define TPM_PLATFORM_MAX_BUFFER 4096
+
+typedef union {
+ TPM2_SEND_CMD_REQ req;
+ TPM2_SEND_CMD_RESP resp;
+} SVSM_TPM_CMD_BUFFER;
+
+STATIC_ASSERT (sizeof (SVSM_TPM_CMD_BUFFER) <= TPM_PLATFORM_MAX_BUFFER, "SVSM_TPM_CMD_BUFFER too large");
+
+/**
+ Probe the SVSM vTPM for TPM_SEND_COMMAND support. The
+ TPM_SEND_COMMAND platform command can be used to execute a
+ TPM command and get the result.
+
+ @retval TRUE TPM_SEND_COMMAND is supported.
+ @retval FALSE TPM_SEND_COMMAND is not supported.
+
+**/
+BOOLEAN
+Tpm2SvsmQueryTpmSendCmd (
+ VOID
+ )
+{
+ UINT64 PlatformCmdBitmap;
+ UINT64 TpmSendMask;
+
+ PlatformCmdBitmap = 0;
+ TpmSendMask = 1 << TPM_SEND_COMMAND;
+
+ if (!AmdSvsmVtpmQuery (&PlatformCmdBitmap, NULL)) {
+ return FALSE;
+ }
+
+ return ((PlatformCmdBitmap & TpmSendMask) == TpmSendMask) ? TRUE : FALSE;
+}
+
+/**
+ Send a TPM command to the SVSM vTPM and return the TPM response.
+
+ @param[in] BufferIn It should contain the marshaled
+ TPM command.
+ @param[in] SizeIn Size of the TPM command.
+ @param[out] BufferOut It will contain the marshaled
+ TPM response.
+ @param[in, out] SizeOut Size of the BufferOut; it will also
+ be used to return the size of the
+ TPM response
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_INVALID_PARAMETER Buffer not provided.
+ @retval EFI_BUFFER_TOO_SMALL Response data buffer is too small.
+ @retval EFI_DEVICE_ERROR Unexpected device behavior.
+ @retval EFI_OUT_OF_RESOURCES Out of memory when allocating internal buffer.
+ @retval EFI_UNSUPPORTED Unsupported TPM version
+
+**/
+EFI_STATUS
+Tpm2SvsmTpmSendCommand (
+ IN UINT8 *BufferIn,
+ IN UINT32 SizeIn,
+ OUT UINT8 *BufferOut,
+ IN OUT UINT32 *SizeOut
+ )
+{
+ STATIC SVSM_TPM_CMD_BUFFER *Buffer = NULL;
+
+ if ((SizeIn == 0) || !BufferIn || !SizeOut || !BufferOut) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (SizeIn > TPM_PLATFORM_MAX_BUFFER - sizeof (TPM2_SEND_CMD_REQ)) {
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ if (Buffer == NULL) {
+ STATIC_ASSERT (sizeof (UINT64) >= sizeof (UINTN), "Pointer size larger than 64bit");
+ Buffer = (SVSM_TPM_CMD_BUFFER *)(UINTN)PcdGet64 (PcdSvsmVTpmBufferPtr);
+
+ if (Buffer == NULL) {
+ Buffer = (SVSM_TPM_CMD_BUFFER *)AllocatePages (EFI_SIZE_TO_PAGES (TPM_PLATFORM_MAX_BUFFER));
+ if (Buffer == NULL) {
+ DEBUG ((DEBUG_ERROR, "Unable to allocate SVSM vTPM buffer: %r", EFI_OUT_OF_RESOURCES));
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ PcdSet64S (PcdSvsmVTpmBufferPtr, (UINTN)(VOID *)Buffer);
+ }
+ }
+
+ Buffer->req.Cmd = TPM_SEND_COMMAND;
+ Buffer->req.Locality = 0;
+ Buffer->req.BufSize = SizeIn;
+ CopyMem (Buffer->req.Buf, BufferIn, SizeIn);
+
+ if (!AmdSvsmVtpmCmd ((UINT8 *)Buffer)) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (Buffer->resp.Size > TPM_PLATFORM_MAX_BUFFER - sizeof (TPM2_SEND_CMD_RESP)) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ if (Buffer->resp.Size > *SizeOut) {
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ CopyMem (BufferOut, Buffer->resp.Buf, Buffer->resp.Size);
+ *SizeOut = Buffer->resp.Size;
+ return EFI_SUCCESS;
+}
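Review bot: Tpm2SvsmTpmSendCommand calls `DEBUG ((DEBUG_ERROR, ...))` but the file's include list ends at PcdLib.h; unless DebugLib.h arrives transitively, add `#include <Library/DebugLib.h>`, and the message itself lacks its trailing `\n`. `TpmSendMask = 1 << TPM_SEND_COMMAND;` shifts an `int` to build a UINT64 bitmap, which works for bit 8 but fails silently for any command index of 31 or more; `TpmSendMask = LShiftU64 (1, TPM_SEND_COMMAND);` keeps the width right. The oversized-input path returns EFI_BUFFER_TOO_SMALL although the @retval text reserves that code for the response buffer, so either return EFI_INVALID_PARAMETER there or add a matching @retval line. The status of `PcdSet64S (PcdSvsmVTpmBufferPtr, ...)` is dropped as well, so a failed cache write means each library instance allocates its own page. After the copy-out the shared page still holds the last command and response bytes, which for TPM traffic can include authorization values; a `ZeroMem (Buffer, TPM_PLATFORM_MAX_BUFFER);` before returning is cheap defence in depth for a page that stays allocated as boot-services data.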
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h
new file mode 100644
index 0000000000..f94901601f
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Svsm.h
@@ -0,0 +1,25 @@
+/** @file
+ SVSM TPM communication
+
+Copyright (C) 2024 James.Bottomley@HansenPartnership.com
+Copyright (C) 2024 IBM Corporation
+Copyright (C) 2024 Red Hat
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseLib.h>
+
+BOOLEAN
+Tpm2SvsmQueryTpmSendCmd (
+ VOID
+ );
+
+EFI_STATUS
+Tpm2SvsmTpmSendCommand (
+ IN UINT8 *BufferIn,
+ IN UINT32 SizeIn,
+ OUT UINT8 *BufferOut,
+ IN OUT UINT32 *SizeOut
+ );
diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.yaml
index 26fedd179c..a0fa965381 100644
--- a/SecurityPkg/SecurityPkg.ci.yaml
+++ b/SecurityPkg/SecurityPkg.ci.yaml
@@ -48,6 +48,7 @@
"AcceptableDependencies": [
"MdePkg/MdePkg.dec",
"MdeModulePkg/MdeModulePkg.dec",
+ "UefiCpuPkg/UefiCpuPkg.dec",
"UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec",
"SecurityPkg/SecurityPkg.dec",
"StandaloneMmPkg/StandaloneMmPkg.dec",
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 0589cfaf68..17fd0aeb81 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -604,6 +604,16 @@
## This PCD records LASA field in CC EVENTLOG ACPI table.
gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x00010026
+ ## This PCD caches the presence state of a AMD SEV-SNP SVSM-provided vTPM.
+ # 0xFF - Unknown - Probing needed
+ # 0x00 - No - Use regular TPM
+ # 0x01 - Yes - SVSM vTPM present
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence|0xFF|UINT8|0x00020030
+
+ ## This PCD stores the pointer to the communication buffer for a
+ # AMD SEV-SNP SVSM-provided vTPM.
+ gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr|0|UINT64|0x00020031
+
[PcdsFeatureFlag]
## Indicates if the platform requires PK to be self-signed when setting the PK in setup mode.
# TRUE - Require PK to be self-signed.
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index ea6a14c328..945a2dd393 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -369,6 +369,18 @@
TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
}
+ #
+ # AMD SEV-SNP SVSM vTPM
+ #
+ SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf {
+ <LibraryClasses>
+ AmdSvsmLib|UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.inf
+ }
+ SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf {
+ <LibraryClasses>
+ AmdSvsmLib|UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.inf
+ }
+
#
# Hash2
#
--
2.43.0


@@ -0,0 +1,199 @@
From edf5e365c104fb86623b6359ac53d79777d521bf Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Mon, 16 Dec 2024 17:25:36 +0100
Subject: [PATCH] SecurityPkg/Tpm2DeviceLibDTpm: Add header file for Tpm2Ptp.c
A some of functions implemented in Tpm2Ptp.c are forward declared in a
couple of places. To clean this up, introduce a header that contains
these declarations in a central place and use it instead.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
.../Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c | 35 +-----------
.../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c | 45 +---------------
.../Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 2 +
.../Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h | 53 +++++++++++++++++++
4 files changed, 57 insertions(+), 78 deletions(-)
create mode 100644 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
index e0897417ba..828fb856ad 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
@@ -13,42 +13,9 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/Tpm2DeviceLib.h>
#include <Library/PcdLib.h>
+#include "Tpm2Ptp.h"
#include "Tpm2DeviceLibDTpm.h"
-/**
- This service enables the sending of commands to the TPM2.
-
- @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
- @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
- @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
- @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
-
- @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
- @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
- @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
-**/
-EFI_STATUS
-EFIAPI
-DTpm2SubmitCommand (
- IN UINT32 InputParameterBlockSize,
- IN UINT8 *InputParameterBlock,
- IN OUT UINT32 *OutputParameterBlockSize,
- IN UINT8 *OutputParameterBlock
- );
-
-/**
- This service requests use TPM2.
-
- @retval EFI_SUCCESS Get the control of TPM2 chip.
- @retval EFI_NOT_FOUND TPM2 not found.
- @retval EFI_DEVICE_ERROR Unexpected device behavior.
-**/
-EFI_STATUS
-EFIAPI
-DTpm2RequestUseTpm (
- VOID
- );
-
/**
This service enables the sending of commands to the TPM2.
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
index 11796d5b97..2762626575 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
@@ -16,52 +16,9 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Guid/TpmInstance.h>
+#include "Tpm2Ptp.h"
#include "Tpm2DeviceLibDTpm.h"
-/**
- Dump PTP register information.
-
- @param[in] Register Pointer to PTP register.
-**/
-VOID
-DumpPtpInfo (
- IN VOID *Register
- );
-
-/**
- This service enables the sending of commands to the TPM2.
-
- @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
- @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
- @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
- @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
-
- @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
- @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
- @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
-**/
-EFI_STATUS
-EFIAPI
-DTpm2SubmitCommand (
- IN UINT32 InputParameterBlockSize,
- IN UINT8 *InputParameterBlock,
- IN OUT UINT32 *OutputParameterBlockSize,
- IN UINT8 *OutputParameterBlock
- );
-
-/**
- This service requests use TPM2.
-
- @retval EFI_SUCCESS Get the control of TPM2 chip.
- @retval EFI_NOT_FOUND TPM2 not found.
- @retval EFI_DEVICE_ERROR Unexpected device behavior.
-**/
-EFI_STATUS
-EFIAPI
-DTpm2RequestUseTpm (
- VOID
- );
-
TPM2_DEVICE_INTERFACE mDTpm2InternalTpm2Device = {
TPM_DEVICE_INTERFACE_TPM20_DTPM,
DTpm2SubmitCommand,
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
index dee01d9707..d1565c72d7 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
@@ -22,6 +22,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include "Tpm2DeviceLibDTpm.h"
+#include "Tpm2Ptp.h"
+
//
// Execution of the command may take from several seconds to minutes for certain
// commands, such as key generation.
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
new file mode 100644
index 0000000000..238d6e8dba
--- /dev/null
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.h
@@ -0,0 +1,53 @@
+/** @file
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by dTPM2.0 library.
+
+Copyright (c) 2024 Red Hat
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+
+/**
+ Dump PTP register information.
+
+ @param[in] Register Pointer to PTP register.
+**/
+VOID
+DumpPtpInfo (
+ IN VOID *Register
+ );
+
+/**
+ This service enables the sending of commands to the TPM2.
+
+ @param[in] InputParameterBlockSize Size of the TPM2 input parameter block.
+ @param[in] InputParameterBlock Pointer to the TPM2 input parameter block.
+ @param[in,out] OutputParameterBlockSize Size of the TPM2 output parameter block.
+ @param[in] OutputParameterBlock Pointer to the TPM2 output parameter block.
+
+ @retval EFI_SUCCESS The command byte stream was successfully sent to the device and a response was successfully received.
+ @retval EFI_DEVICE_ERROR The command was not successfully sent to the device or a response was not successfully received from the device.
+ @retval EFI_BUFFER_TOO_SMALL The output parameter block is too small.
+**/
+EFI_STATUS
+EFIAPI
+DTpm2SubmitCommand (
+ IN UINT32 InputParameterBlockSize,
+ IN UINT8 *InputParameterBlock,
+ IN OUT UINT32 *OutputParameterBlockSize,
+ IN UINT8 *OutputParameterBlock
+ );
+
+/**
+ This service requests use TPM2.
+
+ @retval EFI_SUCCESS Get the control of TPM2 chip.
+ @retval EFI_NOT_FOUND TPM2 not found.
+ @retval EFI_DEVICE_ERROR Unexpected device behavior.
+**/
+EFI_STATUS
+EFIAPI
+DTpm2RequestUseTpm (
+ VOID
+ );
--
2.43.0


@@ -0,0 +1,153 @@
From c2d8e9236787270384bab6af9d9db0071468e9e5 Mon Sep 17 00:00:00 2001
From: Jacob Xu <jacobhxu@google.com>
Date: Fri, 28 Mar 2025 18:49:58 +0000
Subject: [PATCH] SecurityPkg-Tpm2DeviceLibDTpm: Check SNP enabled prior to
using AmdSvsmLib
AmdSvsmLib currently doesn't check if SNP enabled, thus using AmdSvsmLib
may errantly cause the caller code to believe SVSM is present. This
leads to boot failure on non-SNP enabled VMs.
We use the PcdConfidentialComputingGuestAttr since it remains valid
after MpInitLib runs which invalidates PcdSevEsWorkArea's cached
sev-status msr which we use to check for SNP enabled in other places.
The added functions ConfidentialComputingGuestHas() and
AmdMemEncryptionAttrCheck() are copied from MpLib.c, which is intended
to be replaced later on with a more minimal library perhaps in MdePkg to
cleanup some of the circular dependencies currently surrounding SvsmLib.
Signed-off-by: Jacob Xu <jacobhxu@google.com>
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
---
.../Tpm2DeviceLibDTpmSvsm.inf | 1 +
.../Tpm2InstanceLibDTpmSvsm.inf | 1 +
.../Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c | 79 +++++++++++++++++++
3 files changed, 81 insertions(+)
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
index da48bd3c60..0efcd4fca7 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpmSvsm.inf
@@ -64,3 +64,4 @@
gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence ## PRODUCES
gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr ## PRODUCES
+ gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
index 4baf363c11..357dfeb21f 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpmSvsm.inf
@@ -58,3 +58,4 @@
gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmPresence ## PRODUCES
gEfiSecurityPkgTokenSpaceGuid.PcdSvsmVTpmBufferPtr ## PRODUCES
+ gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr ## CONSUMES
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
index 8a49fe936f..b8c592043a 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2PtpSvsmShim.c
@@ -15,6 +15,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/Tpm2DeviceLib.h>
#include <Library/PcdLib.h>
#include <Library/DebugLib.h>
+#include <ConfidentialComputingGuestAttr.h>
#include "Tpm2Ptp.h"
#include "Tpm2Svsm.h"
@@ -27,6 +28,80 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
static BOOLEAN mUseSvsmVTpm = FALSE;
+/**
+ The function check if the specified Attr is set.
+
+ @param[in] CurrentAttr The current attribute.
+ @param[in] Attr The attribute to check.
+
+ @retval TRUE The specified Attr is set.
+ @retval FALSE The specified Attr is not set.
+
+**/
+STATIC
+BOOLEAN
+AmdMemEncryptionAttrCheck (
+ IN UINT64 CurrentAttr,
+ IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr
+ )
+{
+ UINT64 CurrentLevel;
+
+ CurrentLevel = CurrentAttr & CCAttrTypeMask;
+
+ switch (Attr) {
+ case CCAttrAmdSev:
+ //
+ // SEV is automatically enabled if SEV-ES or SEV-SNP is active.
+ //
+ return CurrentLevel >= CCAttrAmdSev;
+ case CCAttrAmdSevEs:
+ //
+ // SEV-ES is automatically enabled if SEV-SNP is active.
+ //
+ return CurrentLevel >= CCAttrAmdSevEs;
+ case CCAttrAmdSevSnp:
+ return CurrentLevel == CCAttrAmdSevSnp;
+ case CCAttrFeatureAmdSevEsDebugVirtualization:
+ return !!(CurrentAttr & CCAttrFeatureAmdSevEsDebugVirtualization);
+ default:
+ return FALSE;
+ }
+}
+
+/**
+ Check if the specified confidential computing attribute is active.
+
+ @param[in] Attr The attribute to check.
+
+ @retval TRUE The specified Attr is active.
+ @retval FALSE The specified Attr is not active.
+
+**/
+STATIC
+BOOLEAN
+EFIAPI
+ConfidentialComputingGuestHas (
+ IN CONFIDENTIAL_COMPUTING_GUEST_ATTR Attr
+ )
+{
+ UINT64 CurrentAttr;
+
+ //
+ // Get the current CC attribute.
+ //
+ CurrentAttr = PcdGet64 (PcdConfidentialComputingGuestAttr);
+
+ //
+ // If attr is for the AMD group then call AMD specific checks.
+ //
+ if (((RShiftU64 (CurrentAttr, 8)) & 0xff) == 1) {
+ return AmdMemEncryptionAttrCheck (CurrentAttr, Attr);
+ }
+
+ return (CurrentAttr == Attr);
+}
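Review bot: AmdMemEncryptionAttrCheck and ConfidentialComputingGuestHas are duplicated from MpLib.c with the stated intent of replacing them later, but nothing in the code records that, so the two copies will drift apart unnoticed; add a comment above AmdMemEncryptionAttrCheck such as `// NOTE: Copied from MpLib.c; replace with a shared library once the SvsmLib dependency cycle is resolved.`. The AMD-group test `((RShiftU64 (CurrentAttr, 8)) & 0xff) == 1` is a magic-number check that both copies rely on; a short comment naming what that byte of the attribute encodes would help readers who do not have ConfidentialComputingGuestAttr.h open. The STATIC helper ConfidentialComputingGuestHas carries EFIAPI while AmdMemEncryptionAttrCheck does not; file-local helpers normally take neither, so pick one convention.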
+
/**
Initializes SVSM vTPM if present, or otherwise uses TCG PTP method.
@@ -44,6 +119,10 @@ EFIAPI
TryUseSvsmVTpm (
)
{
+ if (!ConfidentialComputingGuestHas (CCAttrAmdSevSnp)) {
+ return FALSE;
+ }
+
UINT8 SvsmVTpmPresence = (UINT8)PcdGet8 (PcdSvsmVTpmPresence);
if (SvsmVTpmPresence == SVSM_VTPM_PRESENCE_UNKNOWN) {
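Review bot: The new guard `if (!ConfidentialComputingGuestHas (CCAttrAmdSevSnp))` is placed ahead of the `UINT8 SvsmVTpmPresence = (UINT8)PcdGet8 (PcdSvsmVTpmPresence);` declaration, so TryUseSvsmVTpm now has a statement before a local declaration, which the EDK II coding standard asks to avoid. Declare first and assign after the guard: `UINT8 SvsmVTpmPresence;` at the top, then the SNP check, then `SvsmVTpmPresence = (UINT8)PcdGet8 (PcdSvsmVTpmPresence);`. Separately, the AMD-group test on the `RShiftU64 (CurrentAttr, 8)` line compares bare `1` and `0xff` while the rest of ConfidentialComputingGuestHas uses `CCAttr*` names; a comment such as `// Byte 1 of the attribute selects the vendor; 1 == AMD (CCAttrAmdSev..CCAttrAmdSevSnp are 0x1xx)` ties the magic values to the header, and since the fallback `CurrentAttr == Attr` compares the whole 64-bit value it presumably fails for any non-AMD guest that carries a feature bit, which is worth stating if intended. TryUseSvsmVTpm's body continues past the hunk.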
--
2.43.0


@@ -0,0 +1,89 @@
From 87f454532a612066c3caacd240782fc40f31c152 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Tue, 7 Jan 2025 12:58:21 +0100
Subject: [PATCH] SecurityPkg/Tpm2DeviceLibDTpm: Improve spelling/grammar of
comments
Fix some spelling/grammar mistakes in the documentation comments.
Suggested-by: Dionna Glaze <dionnaglaze@google.com>
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
.../Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c | 14 +++++++-------
.../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c | 4 ++--
SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 2 +-
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
index 7cc55df436..e0897417ba 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
@@ -79,9 +79,9 @@ Tpm2SubmitCommand (
}
/**
- This service requests use TPM2.
+ This service requests to use TPM2.
- @retval EFI_SUCCESS Get the control of TPM2 chip.
+ @retval EFI_SUCCESS Get the control of the TPM2 chip.
@retval EFI_NOT_FOUND TPM2 not found.
@retval EFI_DEVICE_ERROR Unexpected device behavior.
**/
@@ -95,13 +95,13 @@ Tpm2RequestUseTpm (
}
/**
- This service register TPM2 device.
+ This service registers a TPM2 device.
@param Tpm2Device TPM2 device
- @retval EFI_SUCCESS This TPM2 device is registered successfully.
- @retval EFI_UNSUPPORTED System does not support register this TPM2 device.
- @retval EFI_ALREADY_STARTED System already register this TPM2 device.
+ @retval EFI_SUCCESS TPM2 device was registered successfully.
+ @retval EFI_UNSUPPORTED System does not support registering this TPM2 device.
+ @retval EFI_ALREADY_STARTED This TPM2 device is already registered.
**/
EFI_STATUS
EFIAPI
@@ -115,7 +115,7 @@ Tpm2RegisterTpm2DeviceLib (
/**
The function caches current active TPM interface type.
- @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support register DTPM2.0 instance
+ @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance
**/
EFI_STATUS
EFIAPI
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
index 7d3e4bef86..11796d5b97 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
@@ -69,9 +69,9 @@ TPM2_DEVICE_INTERFACE mDTpm2InternalTpm2Device = {
};
/**
- The function register DTPM2.0 instance and caches current active TPM interface type.
+ Registers DTPM2.0 instance and caches current active TPM interface type.
- @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support register DTPM2.0 instance
+ @retval EFI_SUCCESS DTPM2.0 instance is registered, or system does not support registering a DTPM2.0 instance
**/
EFI_STATUS
EFIAPI
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
index eac9f0e299..dee01d9707 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
@@ -1,5 +1,5 @@
/** @file
- PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by dTPM2.0 library.
+ PTP (Platform TPM Profile) CRB (Command Response Buffer) interface used by DTPM2.0 library.
Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR>
Copyright (c), Microsoft Corporation.
--
2.43.0


@@ -0,0 +1,129 @@
From 87d4cdd09e4d9432c150a3a029dcad7da38bcffa Mon Sep 17 00:00:00 2001
From: Claudio Carvalho <cclaudio@linux.ibm.com>
Date: Mon, 10 Jun 2024 22:29:25 +0300
Subject: [PATCH] UefiCpuPkg/AmdSvsmLib: Stub the SVSM vTPM protocol for
non-VMPL0 guests
We need to stub the SVSM vTPM protocol in the UefiCpuPkg in order to
support a SEV-SNP guest running under a SVSM at VMPL1 or lower.
Cc: Ray Ni <ray.ni@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Co-authored-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
UefiCpuPkg/Include/Library/AmdSvsmLib.h | 41 ++++++++++++++++
.../Library/AmdSvsmLibNull/AmdSvsmLibNull.c | 47 +++++++++++++++++++
2 files changed, 88 insertions(+)
diff --git a/UefiCpuPkg/Include/Library/AmdSvsmLib.h b/UefiCpuPkg/Include/Library/AmdSvsmLib.h
index 40e0e5bd42..693b79bda5 100644
--- a/UefiCpuPkg/Include/Library/AmdSvsmLib.h
+++ b/UefiCpuPkg/Include/Library/AmdSvsmLib.h
@@ -98,4 +98,45 @@ AmdSvsmSnpVmsaRmpAdjust (
IN BOOLEAN SetVmsa
);
+/**
+ Perform a SVSM_VTPM_QUERY operation
+
+ Query the support provided by the SVSM vTPM.
+
+ @param[out] PlatformCommands It will contain a bitmap indicating the
+ supported vTPM platform commands.
+ @param[out] Features It will contain a bitmap indicating the
+ supported vTPM features.
+
+ @retval TRUE The query was processed.
+ @retval FALSE The query was not processed.
+
+**/
+BOOLEAN
+EFIAPI
+AmdSvsmVtpmQuery (
+ OUT UINT64 *PlatformCommands,
+ OUT UINT64 *Features
+ );
+
+/**
+ Perform a SVSM_VTPM_CMD operation
+
+ Send the specified vTPM platform command to the SVSM vTPM.
+
+ @param[in, out] Buffer It should contain the vTPM platform command
+ request. The respective response will be returned
+ in the same Buffer, but not all commands specify a
+ response.
+
+ @retval TRUE The command was processed.
+ @retval FALSE The command was not processed.
+
+**/
+BOOLEAN
+EFIAPI
+AmdSvsmVtpmCmd (
+ IN OUT UINT8 *Buffer
+ );
+
#endif
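Review bot: `AmdSvsmVtpmCmd` takes only `IN OUT UINT8 *Buffer` with no length, so an implementation cannot know how much it may read for the request or write for the response, and the header does not say what size the caller must provide; the doc comment should state the required buffer size (presumably fixed by the SVSM vTPM protocol, confirm against the spec) and that the response overwrites the request in place. Suggested addition to the `@param[in, out] Buffer` text: `The buffer must be large enough for both the request and the largest response the command can produce; the callee has no way to check this.` The `AmdSvsmVtpmQuery` comment should likewise say whether `*PlatformCommands` and `*Features` are written when FALSE is returned, since callers that read them unconditionally otherwise rely on unspecified behavior.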
diff --git a/UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c b/UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c
index a83fcbd6ce..fc6871c7b2 100644
--- a/UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c
+++ b/UefiCpuPkg/Library/AmdSvsmLibNull/AmdSvsmLibNull.c
@@ -106,3 +106,50 @@ AmdSvsmSnpVmsaRmpAdjust (
{
return EFI_UNSUPPORTED;
}
+
+/**
+ Perform a SVSM_VTPM_QUERY operation
+
+ Query the support provided by the SVSM vTPM.
+
+ @param[out] PlatformCommands It will contain a bitmap indicating the
+ supported vTPM platform commands.
+ @param[out] Features It will contain a bitmap indicating the
+ supported vTPM features.
+
+ @retval TRUE The query was processed.
+ @retval FALSE The query was not processed.
+
+**/
+BOOLEAN
+EFIAPI
+AmdSvsmVtpmQuery (
+ OUT UINT64 *PlatformCommands,
+ OUT UINT64 *Features
+ )
+{
+ return FALSE;
+}
+
+/**
+ Perform a SVSM_VTPM_CMD operation
+
+ Send the specified vTPM platform command to the SVSM vTPM.
+
+ @param[in, out] Buffer It should contain the vTPM platform command
+ request. The respective response will be returned
+ in the same Buffer, but not all commands specify a
+ response.
+
+ @retval TRUE The command was processed.
+ @retval FALSE The command was not processed.
+
+**/
+BOOLEAN
+EFIAPI
+AmdSvsmVtpmCmd (
+ IN OUT UINT8 *Buffer
+ )
+{
+ return FALSE;
+}
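Review bot: The Null `AmdSvsmVtpmQuery` returns FALSE without writing `*PlatformCommands` or `*Features`, so a caller that reads them regardless of the result sees whatever was on its stack, while the comment above promises they "will contain a bitmap". Either clear them before returning, `*PlatformCommands = 0;` and `*Features = 0;`, or amend the `@param[out]` text to say the values are only valid when TRUE is returned. The same applies to `Buffer` in the Null `AmdSvsmVtpmCmd`, which is left untouched; saying so in its comment makes the stub's contract explicit.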
--
2.43.0


@@ -0,0 +1,242 @@
From dca5d26bc57ef4a554448e41d302e732bca03d8a Mon Sep 17 00:00:00 2001
From: Tom Lendacky <thomas.lendacky@amd.com>
Date: Thu, 27 Mar 2025 14:30:58 -0500
Subject: [PATCH] UefiCpuPkg/MpInitLib: Fix SNP AP creation when using known
APIC IDs
A typical initial AP boot up will choose a CpuNumber based on the ApIndex
value that it gets back after a locked increment of the ApIndex value.
The ApIndex to APIC ID relationship is random, which is not an issue when
a broadcast INIT-SIPI is performed.
With SNP and a hypervisor that supports retrieval of the known APIC IDs,
the broadcast INIT-SIPI method is replaced by waking each individual vCPU.
In this situation, a specific VMSA is associated with a specific APIC ID.
However, random assignment of an ApIndex can break this association. This
isn't typically an issue, because the AP bring-up finishes with the AP
issuing a HLT instruction, which is intercepted by the hypervisor and the
AP won't run again until the next INIT-SIPI. However, when HLT isn't
intercepted by the hypervisor (Qemu '-overcommit cpu-pm=on' parameter),
then the HLT does not exit to the hypervisor. On the next INIT-SIPI, it
can happen that a VMRUN is executed with a different VMSA address than
was originally used, and if that VMSA is still in a VMRUN on another AP,
then the executing VMRUN will fail, crashing the guest.
To fix this issue, add a CPU exchange info field, SevSnpKnownInitApicId,
that indicates the APs are starting with an already known initial APIC ID
and set the initial APIC ID and APIC ID in the CPU_INFO_IN_HOB HOB.
During AP boot, the SevSnpKnownInitApicId field will result in the
CpuNumber being set to the index with a matching APIC ID (similar to AP
booting when the InitFlag != ApInitConfig).
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
---
UefiCpuPkg/Library/MpInitLib/AmdSev.c | 2 +
UefiCpuPkg/Library/MpInitLib/MpEqu.inc | 1 +
UefiCpuPkg/Library/MpInitLib/MpLib.h | 1 +
UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c | 38 +++++++++---
UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm | 60 ++++++++++++++++++-
UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm | 4 ++
6 files changed, 98 insertions(+), 8 deletions(-)
diff --git a/UefiCpuPkg/Library/MpInitLib/AmdSev.c b/UefiCpuPkg/Library/MpInitLib/AmdSev.c
index 75429e3dae..5108873c3b 100644
--- a/UefiCpuPkg/Library/MpInitLib/AmdSev.c
+++ b/UefiCpuPkg/Library/MpInitLib/AmdSev.c
@@ -293,6 +293,8 @@ FillExchangeInfoDataSevEs (
);
ExchangeInfo->ExtTopoAvail = !!ExtTopoEbx.Bits.LogicalProcessors;
}
+
+ ExchangeInfo->SevSnpKnownInitApicId = FALSE;
}
/**
diff --git a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
index 317e627b58..d8ba9ea124 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
+++ b/UefiCpuPkg/Library/MpInitLib/MpEqu.inc
@@ -97,6 +97,7 @@ struc MP_CPU_EXCHANGE_INFO
.SevSnpIsEnabled CTYPE_BOOLEAN 1
.GhcbBase: CTYPE_UINTN 1
.ExtTopoAvail: CTYPE_BOOLEAN 1
+ .SevSnpKnownInitApicId: CTYPE_BOOLEAN 1
endstruc
MP_CPU_EXCHANGE_INFO_OFFSET equ (Flat32Start - RendezvousFunnelProcStart)
diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.h b/UefiCpuPkg/Library/MpInitLib/MpLib.h
index 145538b6ee..a63bb81bef 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.h
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.h
@@ -239,6 +239,7 @@ typedef struct {
BOOLEAN SevSnpIsEnabled;
UINTN GhcbBase;
BOOLEAN ExtTopoAvail;
+ BOOLEAN SevSnpKnownInitApicId;
} MP_CPU_EXCHANGE_INFO;
#pragma pack()
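Review bot: The new `SevSnpKnownInitApicId` member of MP_CPU_EXCHANGE_INFO has no comment, and since this struct is mirrored field-for-field by MpEqu.inc and read from assembly, a reader needs to know what the flag means without following the C callers. Suggested comment on the field: `// TRUE when SevSnpCreateAP started the APs with APIC IDs taken from the GHCB APIC ID list (InitFlag == ApInitConfig); AP startup then derives CpuNumber from the matching CpuInfo entry instead of the ApIndex counter.` A one-line reminder that the member order must match MpEqu.inc would also help the next person who appends a field here.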
diff --git a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
index a75e1e2018..56cd7a1138 100644
--- a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
+++ b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.c
@@ -271,18 +271,27 @@ SevSnpCreateAP (
IN INTN ProcessorNumber
)
{
- CPU_INFO_IN_HOB *CpuInfoInHob;
- CPU_AP_DATA *CpuData;
- UINTN Index;
- UINTN MaxIndex;
- UINT32 ApicId;
- EFI_HOB_GUID_TYPE *GuidHob;
- GHCB_APIC_IDS *GhcbApicIds;
+ CPU_INFO_IN_HOB *CpuInfoInHob;
+ CPU_AP_DATA *CpuData;
+ UINTN Index;
+ UINTN MaxIndex;
+ UINT32 ApicId;
+ EFI_HOB_GUID_TYPE *GuidHob;
+ GHCB_APIC_IDS *GhcbApicIds;
+ volatile MP_CPU_EXCHANGE_INFO *ExchangeInfo;
ASSERT (CpuMpData->MpCpuExchangeInfo->BufferStart < 0x100000);
+ ExchangeInfo = CpuMpData->MpCpuExchangeInfo;
CpuInfoInHob = (CPU_INFO_IN_HOB *)(UINTN)CpuMpData->CpuInfoInHob;
+ //
+ // Set to FALSE by default. This is only set to TRUE when the InitFlag
+ // is equal to ApInitConfig and the GHCB APIC ID List NAE event has
+ // been called.
+ //
+ ExchangeInfo->SevSnpKnownInitApicId = FALSE;
+
if (ProcessorNumber < 0) {
if (CpuMpData->InitFlag == ApInitConfig) {
//
@@ -294,6 +303,14 @@ SevSnpCreateAP (
GuidHob = GetFirstGuidHob (&gGhcbApicIdsGuid);
GhcbApicIds = (GHCB_APIC_IDS *)(*(UINTN *)GET_GUID_HOB_DATA (GuidHob));
MaxIndex = MIN (GhcbApicIds->NumEntries, PcdGet32 (PcdCpuMaxLogicalProcessorNumber));
+
+ //
+ // Set to TRUE so that ApicId and SEV-SNP SaveArea stay in sync. When
+ // the InitFlag is ApInitConfig, the random order of AP initialization
+ // can end up with an Index / ApicId mismatch (see X64/AmdSev.nasm).
+ //
+ ExchangeInfo->SevSnpKnownInitApicId = TRUE;
+ DEBUG ((DEBUG_INFO, "SEV-SNP: Using known initial APIC IDs\n"));
} else {
//
// APs have been previously started.
@@ -308,6 +325,13 @@ SevSnpCreateAP (
if (CpuMpData->InitFlag == ApInitConfig) {
ApicId = GhcbApicIds->ApicIds[Index];
+ //
+ // Set the ApicId values so that the proper AP data structure
+ // can be found during boot.
+ //
+ CpuInfoInHob[Index].InitialApicId = ApicId;
+ CpuInfoInHob[Index].ApicId = ApicId;
+
//
// For the first boot, use the BSP register information.
//
diff --git a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
index 2efa3cb104..66d63a2b90 100644
--- a/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
+++ b/UefiCpuPkg/Library/MpInitLib/X64/AmdSev.nasm
@@ -15,6 +15,57 @@
%define SIZE_4KB 0x1000
+;
+; This function will ensure that CpuNumber and ApicId are in sync when using
+; the ApicIds retrieved via the GHCB APIC ID List NAE event to start the APs
+; when the InitFlag is ApInitConfig. If this is not done, the CpuNumber to
+; ApicId relationship may not hold, which would result in the ApicId to VSMA
+; relationship getting out of sync after the first AP boot.
+;
+SevSnpGetInitCpuNumber:
+ ;
+ ; If not an SNP guest, leave EBX (CpuNumber) as is
+ ;
+ lea edi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpIsEnabled)]
+ cmp byte [edi], 1 ; SevSnpIsEnabled
+ jne SevSnpGetCpuNumberDone
+
+ ;
+ ; If not starting the AP with a specific ApicId, leave EBX (CpuNumber) as is
+ ;
+ lea edi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpKnownInitApicId)]
+ cmp byte [edi], 1 ; SevSnpKnownInitApicId
+ jne SevSnpGetCpuNumberDone
+
+ ;
+ ; Use existing code to retrieve the ApicId. SevEsGetApicId will return to
+ ; the SevSnpGetInitApicId label if SevSnpKnownInitApicId is set.
+ ;
+ jmp SevEsGetApicId
+
+SevSnpGetInitApicId:
+ ;
+ ; EDX holds the ApicId, get processor number for this AP
+ ;
+ xor ebx, ebx
+ lea eax, [esi + MP_CPU_EXCHANGE_INFO_FIELD (CpuInfo)]
+ mov rdi, [eax]
+
+SevSnpGetNextProcNumber:
+ cmp dword [rdi + CPU_INFO_IN_HOB.InitialApicId], edx ; APIC ID match?
+ jz SevSnpGetCpuNumberDone
+ add rdi, CPU_INFO_IN_HOB_size
+ inc ebx
+ jmp SevSnpGetNextProcNumber
+
+SevSnpGetCpuNumberDone:
+ ;
+ ; If SevSnpKnownInitApicId is set, EBX now holds the CpuNumber for this
+ ; ApicId, which matches how it was started in SevSnpCreateAP(). Otherwise,
+ ; EBX is unchanged and holds the CpuNumber based on the startup order.
+ ;
+ OneTimeCallRet SevSnpGetInitCpuNumber
+
RegisterGhcbGpa:
;
; Register GHCB GPA when SEV-SNP is enabled
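Review bot: The `SevSnpGetNextProcNumber` loop walks `CpuInfo` entries until `InitialApicId` equals EDX with no upper bound, so if the APIC ID the AP obtained via `SevEsGetApicId` does not appear in the table, the AP reads past the end of the HOB array until it happens to hit a matching dword. The match only holds if that APIC ID equals the one SevSnpCreateAP stored from the GHCB APIC ID list, and in an SNP guest both values are hypervisor-influenced, so an inconsistent hypervisor turns this into an out-of-bounds walk rather than a clean failure; the existing GetProcessorNumber appears to use the same pattern, but this path is new and is explicitly about hypervisor-supplied IDs. Bounding the walk with the number of CpuInfo entries (which may need a new exchange-info field) and halting the AP on no match would be safer. Minor: the comment at the top of SevSnpGetInitCpuNumber says `VSMA` where `VMSA` is meant.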
@@ -193,7 +244,14 @@ RestoreGhcb:
mov rdx, rbx
- ; x2APIC ID or APIC ID is in EDX
+ ;
+ ; x2APIC ID or APIC ID is in EDX. If SevSnpKnownInitApicId is set, then
+ ; return to SevSnpGetInitApicId, otherwise return to GetProcessorNumber.
+ ;
+ lea edi, [esi + MP_CPU_EXCHANGE_INFO_FIELD (SevSnpKnownInitApicId)]
+ cmp byte [edi], 1 ; SevSnpKnownInitApicId
+ je SevSnpGetInitApicId
+
jmp GetProcessorNumber
SevEsGetApicIdExit:
diff --git a/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm b/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm
index 40e80ffab4..95ee65e288 100644
--- a/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm
+++ b/UefiCpuPkg/Library/MpInitLib/X64/MpFuncs.nasm
@@ -173,6 +173,10 @@ LongModeStart:
lock xadd dword [edi], ebx ; EBX = ApIndex++
inc ebx ; EBX is CpuNumber
+ ; If running under AMD SEV-SNP and starting with a known ApicId,
+ ; adjust EBX to be the actual CpuNumber
+ OneTimeCall SevSnpGetInitCpuNumber
+
; program stack
mov edi, esi
add edi, MP_CPU_EXCHANGE_INFO_FIELD (StackSize)
--
2.43.0


@@ -1,212 +1,207 @@
From d4fc3987941016cba0a2cd1d4037b87bc5937f5e Mon Sep 17 00:00:00 2001
From: Richard Lyu <richard.lyu@suse.com>
Date: Thu, 29 May 2025 12:12:23 +0800
Subject: [PATCH] Add DebugPkg
From 263791566fbe25755aebde54c98d5aea061414f3 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 24 Jun 2014 11:57:32 +0800
Subject: [PATCH 1/3] Add DebugPkg
---
DebugPkg/DebugPkg.dec | 34 ++++
DebugPkg/GdbSyms/GdbSyms.c | 78 ++++++++
DebugPkg/GdbSyms/GdbSyms.c | 70 +++++++
DebugPkg/GdbSyms/GdbSyms.inf | 57 ++++++
DebugPkg/Scripts/gdb_uefi.py | 350 +++++++++++++++++++++++++++++++++++
OvmfPkg/OvmfPkgX64.dsc | 3 +
5 files changed, 522 insertions(+)
DebugPkg/Scripts/gdb_uefi.py | 348 +++++++++++++++++++++++++++++++++++
4 files changed, 509 insertions(+)
create mode 100644 DebugPkg/DebugPkg.dec
create mode 100644 DebugPkg/GdbSyms/GdbSyms.c
create mode 100644 DebugPkg/GdbSyms/GdbSyms.inf
create mode 100644 DebugPkg/Scripts/gdb_uefi.py
diff --git a/DebugPkg/DebugPkg.dec b/DebugPkg/DebugPkg.dec
new file mode 100644
index 0000000000..b39a660e45
Index: edk2-edk2-stable202302/DebugPkg/DebugPkg.dec
===================================================================
--- /dev/null
+++ b/DebugPkg/DebugPkg.dec
+++ edk2-edk2-stable202302/DebugPkg/DebugPkg.dec
@@ -0,0 +1,34 @@
+## @file
+# Debug package - various useful stuff for debugging.
+#
+# Copyright (c) 2006 - 2011, Andrei Warkentin <andreiw@motorola.com>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+#
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ DEC_VERSION = 0x00010005
+ PACKAGE_NAME = DebugPkg
+ PACKAGE_GUID = 2d234f34-50e5-4b9d-b8e3-5562334d87e5
+ PACKAGE_VERSION = 0.1
+
+[Includes]
+ Include
+
+[Guids]
+
+[Protocols]
+
+[PcdsFixedAtBuild]
+
+[PcdsDynamic]
+
+[LibraryClasses]
+
diff --git a/DebugPkg/GdbSyms/GdbSyms.c b/DebugPkg/GdbSyms/GdbSyms.c
new file mode 100644
index 0000000000..9780cff802
+## @file
+# Debug package - various useful stuff for debugging.
+#
+# Copyright (c) 2006 - 2011, Andrei Warkentin <andreiw@motorola.com>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+#
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ DEC_VERSION = 0x00010005
+ PACKAGE_NAME = DebugPkg
+ PACKAGE_GUID = 2d234f34-50e5-4b9d-b8e3-5562334d87e5
+ PACKAGE_VERSION = 0.1
+
+[Includes]
+ Include
+
+[Guids]
+
+[Protocols]
+
+[PcdsFixedAtBuild]
+
+[PcdsDynamic]
+
+[LibraryClasses]
+
Index: edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.c
===================================================================
--- /dev/null
+++ b/DebugPkg/GdbSyms/GdbSyms.c
+++ edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.c
@@ -0,0 +1,78 @@
+/** @file
+
+ Bare-minimum GDB symbols needed for reloading symbols.
+
+ This is not a "driver" and should not be placed in a FD.
+
+ Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
+
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution. The full text of the license may be found at
+ http://opensource.org/licenses/bsd-license.php
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "PiDxe.h"
+
+#include <Library/UefiLib.h>
+#include <Library/UefiDriverEntryPoint.h>
+#include <Library/BaseLib.h>
+#include <Library/UefiRuntimeLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DevicePathLib.h>
+#include <Library/PcdLib.h>
+#include <Guid/DebugImageInfoTable.h>
+
+/**
+ Main entry point.
+
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
+ @param[in] SystemTable A pointer to the EFI System Table.
+
+ @retval EFI_SUCCESS Successfully initialized.
+
+**/
+EFI_STATUS
+EFIAPI
+Initialize (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_SYSTEM_TABLE_POINTER ESTP;
+ EFI_DEBUG_IMAGE_INFO_TABLE_HEADER EDIITH;
+ EFI_IMAGE_DOS_HEADER EIDH;
+ EFI_IMAGE_OPTIONAL_HEADER_UNION EIOHU;
+ EFI_IMAGE_DEBUG_DIRECTORY_ENTRY EIDDE;
+ EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY EIDCNE;
+ EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY EIDCRE;
+ EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY EIDCME;
+ UINTN Dummy =
+ (UINTN) &ESTP |
+ (UINTN) &EDIITH |
+ (UINTN) &EIDH |
+ (UINTN) &EIOHU |
+ (UINTN) &EIDDE |
+ (UINTN) &EIDCNE |
+ (UINTN) &EIDCRE |
+ (UINTN) &EIDCME |
+ 1
+ ;
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &ESTP));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EDIITH));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDH));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIOHU));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDDE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCNE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCRE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCME));
+ return !!Dummy & EFI_SUCCESS;
+}
+
+
diff --git a/DebugPkg/GdbSyms/GdbSyms.inf b/DebugPkg/GdbSyms/GdbSyms.inf
new file mode 100644
index 0000000000..0a18a33c73
+/** @file
+
+ Bare-minimum GDB symbols needed for reloading symbols.
+
+ This is not a "driver" and should not be placed in a FD.
+
+ Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
+
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution. The full text of the license may be found at
+ http://opensource.org/licenses/bsd-license.php
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "PiDxe.h"
+
+#include <Library/UefiLib.h>
+#include <Library/UefiDriverEntryPoint.h>
+#include <Library/BaseLib.h>
+#include <Library/UefiRuntimeLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DevicePathLib.h>
+#include <Library/PcdLib.h>
+#include <Guid/DebugImageInfoTable.h>
+
+/**
+ Main entry point.
+
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
+ @param[in] SystemTable A pointer to the EFI System Table.
+
+ @retval EFI_SUCCESS Successfully initialized.
+
+**/
+EFI_STATUS
+EFIAPI
+Initialize (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_SYSTEM_TABLE_POINTER ESTP;
+ EFI_DEBUG_IMAGE_INFO_TABLE_HEADER EDIITH;
+ EFI_IMAGE_DOS_HEADER EIDH;
+ EFI_IMAGE_OPTIONAL_HEADER_UNION EIOHU;
+ EFI_IMAGE_DEBUG_DIRECTORY_ENTRY EIDDE;
+ EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY EIDCNE;
+ EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY EIDCRE;
+ EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY EIDCME;
+ UINTN Dummy =
+ (UINTN) &ESTP |
+ (UINTN) &EDIITH |
+ (UINTN) &EIDH |
+ (UINTN) &EIOHU |
+ (UINTN) &EIDDE |
+ (UINTN) &EIDCNE |
+ (UINTN) &EIDCRE |
+ (UINTN) &EIDCME |
+ 1
+ ;
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &ESTP));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EDIITH));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDH));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIOHU));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDDE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCNE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCRE));
+ DEBUG ((DEBUG_VERBOSE, "%a: %llx\n", __FUNCTION__, &EIDCME));
+ return !!Dummy & EFI_SUCCESS;
+}
+
+
Index: edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.inf
===================================================================
--- /dev/null
+++ b/DebugPkg/GdbSyms/GdbSyms.inf
+++ edk2-edk2-stable202302/DebugPkg/GdbSyms/GdbSyms.inf
@@ -0,0 +1,57 @@
+## @file
+#
+# Bare-minimum GDB symbols needed for reloading symbols.
+#
+# This is not a "driver" and should not be placed in a FD.
+#
+# Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = GdbSyms
+ FILE_GUID = 22abcb60-fb40-42ac-b01f-3ab1fad9aad8
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ ENTRY_POINT = Initialize
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 IPF EBC ARM
+#
+
+[Sources]
+ GdbSyms.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ DxeServicesTableLib
+ HobLib
+ MemoryAllocationLib
+ PcdLib
+ UefiBootServicesTableLib
+ UefiDriverEntryPoint
+ UefiLib
+
+[Guids]
+
+[Protocols]
+
+[Depex]
+ TRUE
+
diff --git a/DebugPkg/Scripts/gdb_uefi.py b/DebugPkg/Scripts/gdb_uefi.py
new file mode 100644
index 0000000000..3db87a4de4
+## @file
+#
+# Bare-minimum GDB symbols needed for reloading symbols.
+#
+# This is not a "driver" and should not be placed in a FD.
+#
+# Copyright (c) 2011, Andrei Warkentin <andreiw@motorola.com>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = GdbSyms
+ FILE_GUID = 22abcb60-fb40-42ac-b01f-3ab1fad9aad8
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ ENTRY_POINT = Initialize
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 IPF EBC ARM
+#
+
+[Sources]
+ GdbSyms.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ DxeServicesTableLib
+ HobLib
+ MemoryAllocationLib
+ PcdLib
+ UefiBootServicesTableLib
+ UefiDriverEntryPoint
+ UefiLib
+
+[Guids]
+
+[Protocols]
+
+[Depex]
+ TRUE
+
Index: edk2-edk2-stable202302/DebugPkg/Scripts/gdb_uefi.py
===================================================================
--- /dev/null
+++ b/DebugPkg/Scripts/gdb_uefi.py
+++ edk2-edk2-stable202302/DebugPkg/Scripts/gdb_uefi.py
@@ -0,0 +1,350 @@
+"""
+Allows loading TianoCore symbols into a GDB session attached to EFI
@@ -558,20 +553,13 @@ index 0000000000..3db87a4de4
+ReloadUefi ()
+
+
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 60fccc19d2..a2784bbd40 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -1063,6 +1063,9 @@
Index: edk2-edk2-stable202302/OvmfPkg/OvmfPkgX64.dsc
===================================================================
--- edk2-edk2-stable202302.orig/OvmfPkg/OvmfPkgX64.dsc
+++ edk2-edk2-stable202302/OvmfPkg/OvmfPkgX64.dsc
@@ -1123,3 +1123,5 @@
# TPM support
#
!include OvmfPkg/Include/Dsc/OvmfTpmComponentsDxe.dsc.inc
+ DebugPkg/GdbSyms/GdbSyms.inf
+
+
#
# Smbios Measurement support
#
--
2.43.0
+ DebugPkg/GdbSyms/GdbSyms.inf
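Review bot: In GdbSyms.c the closing `return !!Dummy & EFI_SUCCESS;` works only because `!` binds tighter than `&` and `Dummy` is forced non-zero by the trailing `| 1`, so the expression is always `1 & 0`, i.e. EFI_SUCCESS; nothing explains that `Dummy` exists to keep the addresses of the header-type locals live so their types survive into the debug info even in builds where the `DEBUG` calls compile away. A comment above the `UINTN Dummy =` initializer stating that purpose, and a note on the return line that it always yields EFI_SUCCESS, would prevent a later cleanup from "fixing" it into a plain `return EFI_SUCCESS;` and losing the symbols. This hunk is a diff of a carried patch file whose `+`/`-` markers are not visible, so the old and new copies of the file cannot be told apart here.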


@@ -1,10 +1,32 @@
-------------------------------------------------------------------
Tue Sep 23 04:10:51 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
- Add backported patch to enable iSCSI boot support by default (bsc#1245454)
- ovmf-OvmfPkg-Add-NETWORK_ISCSI_DEFAULT_ENABLE-build-flag.patch
502f0dfda4 OvmfPkg: Add NETWORK_ISCSI_DEFAULT_ENABLE build flag
- Add build flag NETWORK_ISCSI_DEFAULT_ENABLE for x64 OVMF to enable iSCSI boot support by default
-------------------------------------------------------------------
Wed Aug 13 23:05:06 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
- Update firmware descriptors to remove tab whitespace (bsc#1247847)
- Replace tab whitespace with spaces in 50-ovmf-x86_64-sev.json
- Replace tab whitespace with spaces in 50-ovmf-x86_64-sev-snp.json
-------------------------------------------------------------------
Tue Aug 12 01:52:15 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
- Update firmware descriptors for SEV-SNP and TDX (bsc#1247847)
- Add 50-ovmf-x86_64-sev-snp.json to support the 'amd-sev-snp' feature.
- Remove the sev-snp feature from 50-ovmf-x86_64-sev.json.
- Update the device in 60-ovmf-x86_64-tdx.json from 'pflash' to 'memory'.
- Add 50-ovmf-x86_64-sev-snp.json to support the 'amd-sev-snp' feature.
- Remove the sev-snp feature from 50-ovmf-x86_64-sev.json.
- Update the device in 60-ovmf-x86_64-tdx.json from 'pflash' to 'memory'.
-------------------------------------------------------------------
Tue Jul 8 07:35:55 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
- Backport the patch from edk2-stable202505 (jsc#PED-13202)
- ovmf-UefiCpuPkg-MpInitLib-Fix-SNP-AP-creation.patch
dca5d26bc57e UefiCpuPkg/MpInitLib: Fix SNP AP creation when using known APIC IDs
-------------------------------------------------------------------
Fri Jul 4 06:08:42 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
@@ -32,410 +54,52 @@ Wed Jul 2 08:28:34 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
-------------------------------------------------------------------
Fri Jun 27 02:53:08 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
- Enables UEFI Shell support for guests on X64 and AARCH64 platforms (bsc#1244266)
- Build Shell.efi independently
- Enables UEFI Shell support for virtual machines on X64 and AARCH64 platforms (bsc#1244266)
- Build Shell.efi and install it to /usr/share/ovmf/
- Add ovmf-ShellPkg-Add-post-script-for-Shell-installation.patch
- Install Shell.efi to EFI boot partition (/boot/efi/EFI/opensuse/ or /boot/efi/EFI/sles/)
- Register Shell.efi as a boot entry
- Add post-install and post-uninstall scripts in /usr/share/ovmf/
- Install Shell.efi to the EFI boot partition
(/boot/efi/EFI/opensuse/ or /boot/efi/EFI/sles/)
- Register Shell.efi as a UEFI boot entry
-------------------------------------------------------------------
Thu Jun 26 02:03:11 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
Thu Jun 26 02:03:11 UTC 2025 - YI HSIN Lyu <richard.lyu@suse.com>
- Add patch to make Ovmf builds reproducible in OvmfPkg and ArmVirtPkg (bsc#1244218)
- Add ovmf-OvmfPkg-ArmVirtPkg-Keep-JSON-stack-cookie-files.patch
-------------------------------------------------------------------
Fri Jun 20 09:41:45 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
Fri Jun 20 08:51:08 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
- Enable TDVF firmware to boot TDX guest VM with Secure boot (jsc#PED-13070)
- Add ovmf-x86_64-tdx-secureboot.bin
- Add 60-ovmf-x86_64-tdx.json
- Add 60-ovmf-x86_64-tdx.json
-------------------------------------------------------------------
Wed May 28 09:46:23 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
Mon Jun 16 06:42:35 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
- Update to edk2-stable202505
- New Features & Bug Fixes (https://github.com/tianocore/edk2/releases):
- NetworkPkg/IScsiDxe:Fix for out of bound memory access for bz4207 (CVE-2024-38805)
- Multiple packages: stop using EmbeddedPkg libfdt
- Adding support for TPM over FF-A on ARM platforms
- SecurityPkg: Prevent invalid DBX from being set
- SecurityPkg: Out of bound read in HashPeImageByType()
- Adding support for MM Communicate v3
- BaseTools: Disable VS2019/2022 ARM/AARCH64 Stack Cookies
- Introduce Redfish Platform Wanted Device Lib
- HobLib: Add two new APIs in HobLib
- Patches (git log --oneline --date-order edk2-stable202502..edk2-stable202505):
6951dfe7d5 OvmfPkg/VirtCommunicationDxe: add IoLib to VirtMmCommunication.inf
2e5b357a1f SecurityPkg/Tpm2InstanceLibFfa: Fix constructor wrong name
5ea30a061c MdeModulePkg/HiiDatabaseDxe: Fix BlockSize length
b3a2f7ff24 NetworkPkg/IScsiDxe:Fix for out of bound memory access for bz4207 (CVE-2024-38805)
607c58ef01 .github: Compare collaborator GitHub ID's in single case
399a40e5cb ArmVirtPkg: Fix dsc include ordering
b2db39cefe MdeModulePkg: Correct Usb Mouse Z for absolute pointer.
fc215474c4 UefiCpuPkg: Enable the IPI vectors on LoongArch
7cea938ac5 UefiCpuPkg: Fix a bug about MP init on LoongArch
43e29830ef BaseTools: Fix Macro Expansion on Machine Architecture for Components
5bc52de687 MdeModulePkg: DebugImageInfoTable: Fix Array Maintenance
867fad874a MdeModulePkg: Fix Image Memory Protection Applying
28653a1c8a UefiCpuPkg/PiSmmCpuDxeSmm: Fix SMRAM memory leak during S3 resume
d6101acb08 MdeModulePkg: Shortcircuit GCD Dumping Logic if Not Printing
2cff8743ce MdeModulePkg/Spi: Solving potential null ptr deref. in SpiNorFlashJedecSfdp
02ec228654 BaseTools: Change arm align value from 32 to 64
77b199b7b9 BaseTools: Update tools_def for aarch64
dca5d26bc5 UefiCpuPkg/MpInitLib: Fix SNP AP creation when using known APIC IDs
dd8c272555 MdeModulePkg/AcpiTableDxe: Add function for extract ACPI table from HOB.
225bf1277c RedfishPkg/RedfishExDxe: call platform device wanted lib
b2c4294c49 RedfishPkg: introduce platform wanted device lib
31fc56c70a ArmFfaLib: Replace SMCCC_VERSION check with FF-A version check
9948a30645 MdePkg/IndustryStandard: fix PASID supported bit
8aad683e59 ArmVirtPkg,DynamicTablesPkg,EmbeddedPkg,OvmfPkg: use MdePkg BaseFdtLib
37652b830e ArmVirtPkg/ArmVirtCloudHv: add missing PrePiLib dependency/resolution
a862c07a3a MdePkg/BaseFdtLib: add FdtGetPropertyW wrapper
cc52f88e61 MdePkg/BaseFdtLib: add FdtSubnodeOffset prototype
e25331fc45 MdePkg,UefiPayloadPkg: clean up BaseFdtLib API confusion
e1dee2bcfa MdeModulePkg SpiBus: Use correct GUID
defdccd4ae ShellPkg: Add PCIe extended capability
aa32d2cfc2 MdePkg: Add additional PCIe extended capabilities
98351bb0d9 NetworkPkg: Add PCD for HTTP transfer buffer size
d985bd4b97 BaseTools: Scripts: efi_debugging.py: search for EFI_SYSTEM_TABLE_POINTER
55b4688157 BaseTools/Conf: Enable GCC preprocessor line-markers for VFR
bf99048365 BaseTools: Add support for GCC preprocessor line directives
091bd7958b ReadMe.rst: Update pipeline badges for new pipelines
7664c0b4a6 DynamicTablesPkg: Fix incorrect WSMT table size
5ccb5fff02 MdeModulePkg: DxeCore: Set Image Protections Through GCD
6c6d6f42db MdeModulePkg: DxeCore: Lower Image Protection Print to Verbose Log Level
856bdc8eec OvmfPkg/CcExitLib: Use the proper register when filtering MSRs
956ef6cd8b ArmPkg/ArmScmiDxe: Use array indexing to access adjacent buffers
c6db76402c MdeModulePkg BmDriverHealth.c: Support dump the driver name
135e07c6e5 DeviceManagerUiLib:Update DeviceManager form data when the form opens.
864cc900ab DisplayEngineDxe: Fix length when displaying menu string
7711e8a167 DynamicTablesPkg: Add Dbg2Generator Hostbased test
d8d47a0ae6 DynamicTablesPkg: Add support for non-serial DBG2 devices
42c6deb6f8 DynamicTablesPkg/AcpiDbg2Lib.inf: Add support for X64 Build
8910f722c9 OvmfPkg/VirtMmCommunicationDxe: stop on init failure
4846ac933f ArmVirtPkg: set PcdQemuVarsRequire
9af96e21d8 OvmfPkg: add PcdQemuVarsRequire
cd6f84b70c ArmVirtPkg/ArmVirtQemu: add QEMU_PV_VARS option
44989944a0 OvmfPkg/OvmfPkgX64: add QEMU_PV_VARS option
9dd47eeea1 OvmfPkg: add new VirtMmCommunicationDxe driver
d198c80157 OvmfPkg: add IndustryStandard/QemuUefiVars.h
d85ee54d53 OvmfPkg/HardwareInfoLib: add support for qemu vars device
26fb5edff3 MdeModulePkg/ArmFfaLib: Add depex on gEfiPeiMemoryDiscoveredPpiGuid
002d69ad9e OvmfPkg: Update ubuntu VM image to 24.04
06746e4b06 EmulatorPkg: Update ubuntu VM image to 24.04
e944c98e1b ArmVirtPkg: Update ubuntu VM image to 24.04
1ac795ea6c .azurepipelines: Update ubuntu VM image to 24.04
b833c2f3a6 .pytool: Update pipeline filename instructions
ab3a451b1b OvmfPkg: Update pipeline filenames
b9f565f8c9 EmulatorPkg: Update pipeline filenames
1566205a40 ArmVirtPkg: Rename Linux pipeline file
a0d785a560 .azurepipelines: Update pipeline filenames
d3b2ee2df3 ShellPkg: Updated Memory Form Factor definition per SMBIOS 3.8.0
1c4c85a003 MdePkg/Library: Remove unused gEfiDevicePathProtocolGuid
be4ae9a97d MdePkg/Include/Ppi: Add back gEdkiiPeiMpServices2PpiGuid
3c79bd38e0 UefiCpuPkg: Add back gEdkiiPeiMpServices2PpiGuid
63e4713c48 OvmfPkg: switch 4M builds to full openssl
30c754d853 OvmfPkg: move openssl/tls library config to .dsc.inc file
f96d38f432 ArmPkg/ArmScmiDxe: Fix SCMI param overwrite in multi-transaction scenario
8406e672e8 MdePkg: Updated Memory Form Factor definition per SMBIOS 3.8.0
99a5f388df UefiPayloadPkg: Fix a typo in SMM base
238dfc54d0 UefiPayloadPkg: Add MemoryTypeInformation HOB
19c6189f54 UefiPayloadPkg: Fix SMM build failure
003873db21 MdeModulePkg: PiSmmIpl: Fix physical address dereferencing
2e85d12685 CryptoPkg: Resolve CodeQL Errors
62390a89c5 MdePkg: Fix typos in PerformanceLib.h
5e5ca20bf7 Maintainers.txt: Add Kun Qin as reviewer for ARM-FFA folders in SecurityPkg
548c29129c SecurityPkg: Tpm2InstanceLibFfa: Introduce Tpm2InstanceLib over FF-A
86d5680817 SecurityPkg: Tpm2DeviceLibFfa: Introduce TPM device library over FF-A
df77417d39 SecurityPkg: Tpm2ServiceFfa: Introduce TPM over FF-A Definitions
7d297e370e SecurityPkg: Tcg2AcpiFfa: Add Tcg2Acpi for FFA enabled ARM platforms
219c3bac05 SecurityPkg: SmmTcg2PhysicalPresenceLib: Add ARM platforms implementation
ec5d8ad35f SecurityPkg: Tcg2StandaloneMmArm: Add Tcg2StandaloneMm for ARM platforms
f89ae9ca2a SecurityPkg: PhysicalPresenceData: Add a GUID used for ACPI functions
29960f389f MdePkg: Add conditional backwards compatibility to MpServices2 aliases
e5dae263fe UefiCpuPkg/S3Resume2Pei: Rename EDKII_PEI_MP_SERVICES2_PPI
7aa2b3106c UefiCpuPkg/Test: Rename EDKII_PEI_MP_SERVICES2_PPI
1d6b8aafa7 UefiCpuPkg/Library: Rename EDKII_PEI_MP_SERVICES2_PPI
b66d325cc0 UefiCpuPkg/Include: Rename EDKII_PEI_MP_SERVICES2_PPI
7de3a1014f UefiCpuPkg/CpuMpPei: Rename EDKII_PEI_MP_SERVICES2_PPI
997e4e393f OvmfPkg: Rename EDKII_PEI_MP_SERVICES2_PPI
aef50446ce UefiCpuPkg: Remove EDKII_PEI_MP_SERVICES2_PPI
27b063a1ff MdePkg: Add EFI_PEI_MP_SERVICES2_PPI
89b595d115 OvmfPkg/QemuKernelLoaderFsDxe: fix allocation failure check
be720b8d6c EmbeddedPkg: Add two new APIs in PrePiHobLib
9ae1c8d425 ArmVirtPkg: Add two new APIs in ArmVirtDxeHobLib
6b48cdc917 StandaloneMmPkg: Add two new APIs in HobLib
cdd31b6460 UefiPayloadPkg: Add two new APIs in HobLib
a9cf419ed9 MdeModulePkg: Add two new APIs in BaseHobLibNull
161fa22bef MdePkg: Add two new APIs in HobLib
3872c38049 MdePkg/Include: Add two new APIs in HobLib.h
cd76265f1a OvmfPkg: Enable Smbios measurement
8d3c7c196d DynamicTablesPkg: AcpiSpcrLib: Support as-is baud rate setting
28b952a56b MdePkg: Add as-is baud rate setting to SPCR
edaae7bc75 ShellPkg: AcpiView: Add parser support for SPCR Revision 4
605582551a DynamicTablesPkg: AcpiSpcrLib: Add support for SPCR revision 4
1f6c875d37 SecurityPkg/OpalPasswordDxe: Improve the function to get device name
c2d8e92367 SecurityPkg-Tpm2DeviceLibDTpm: Check SNP enabled prior to using AmdSvsmLib
eefd4fdb78 SecurityPkg: Update SecureBootVariableLibUnitTest
bfb1a45eec SecurityPkg: SecureBootVariableLib: Prevent Invalid DBX
5f5cf1c1ab Remove unnecessary RsaFree call in failing path
fce142fd31 SecurityPkg/AuthVariableLib: Fix memory leak in CheckSignatureListFormat
2e81eb8f05 MdeModulePkg/PlatformDriOverrideDxe:Fix typos
1968afafb0 MdeModulePkg/DriverHealthManagerDxe:Fix typo
948d4ba0be MdeModulePkg/UsbMassStorageDxe: Remove excessive logging
b917a5b7b3 MdeModulePkg/UsbMassStorageDxe: Remove Port Reset
0f1c0d2d2d BaseTools:Expression.py Adding a check for missing '}' in the parser
1805068b5e BaseTools:Expression.py Add Assertion for PCD with value {}
a1b623b938 BaseTools:Expression.py Size used before Init
fdede2e1ea MdeModulePkg: Update MM buffer structs alignment
c5e3a840b9 UefiCpuPkg: Add StmmCore for IntelMmSaveStateLib,SmmCpuPlatformHookLibNull.
51229eee58 ArmPkg,ArmVirtPkg,UefiPayloadPkg: make PcdVFPEnabled ARM-only
6d886c3054 ArmPkg/CpuDxe: drop unused PcdVFPEnabled declaration
6952d1fa90 ArmPlatformPkg/Sec: clean up FP enabling code
0368687299 ArmVirtPkg: clean up FP enabling code
7fe2436480 ArmPkg/ArmLib: don't check for FP support on AArch64
6ddfd378e5 MdeModulePkg/BootManagerUiLib: hide UiApp from boot entries
7c6ef8eac2 BaseTools: Fix FMMT Compress wrong behavior
18988ea3e6 MdeModulePkg: ArmFfaLib: Move Rx/Tx hob definition to Include/Guid folder
be03ceb117 ArmPkg: ArmFfaLib: Move ArmFfaLib implementation to MdeModulePkg
937ffef8ed ArmPkg: ArmFfaLib.h: Move to MdePkg
541c46a705 ArmPkg: ArmSvcLib: Move ArmSvcLib to MdePkg
211bb9b839 ArmPkg: ArmSmcLibNull: Move ArmSmcLibNull to MdePkg
86099b948b ArmPkg: ArmSmcLib: Move ArmSmcLib to MdePkg
014689399f ArmPkg: FF-A headers: Move to MdePkg
9bcb2e41f7 ArmPkg: ArmStdSmc.h: Move to MdePkg
ec91ff2451 MdeModulePkg/DisplayEngineDxe:Fix typos in comments.
d8531a1e1a UefiPayloadPkg: Add support for Firmware Volume Block Protocol
034de59fb7 UefiPayloadPkg: Add SmmStoreLib
c67d975cfc UefiPayloadPkg: Add SmmStoreInfoGuid
d23edb21a3 UefiPayloadPkg/Include/Coreboot: Add definitions for SMMSTOREv2 table
70df56728f Increase FVMAIN Size for Compatibility with 2MB Size Limit
4e4edd0f07 StandaloneMmPkg/Core: Performance logging for MM driver load and start
7aa96096a3 UefiPayloadPkg: Drop SmbiosVersionLib for SmbiosDxe on AArch64
d79d8d6a8d SecurityPkg: Update SecurityFixes.yaml for CVE-2024-38797
025ab811fb SecurityPkg: Improving SecureBootConfigImpl:HashPeImageByType () logic
b90693965b SecurityPkg: Improving HashPeImageByType () logic
5f08635ee7 SecurityPkg: Out of bound read in HashPeImageByType()
e4140a5701 ShellPkg: Added ArmV9 processors support for SmbiosView command
d0b64b21a3 BaseTools: Dump library dependency chain on build failure
c9ff197059 UefiPayloadPkg: UefiPayloadEntry: Don't use reserved DRAM
1d5063763b GitHub Action: Bump actions/create-github-app-token from 1 to 2
f3e02ae545 StandaloneMmPkg: MmCommunicationDxe: Add EFI_MM_COMMUNICATION3_PROTOCOL
bed033dbf7 StandaloneMmPkg: StandaloneMmIplPei: Add EFI_PEI_MM_COMMUNICATION3_PPI
05f47b8486 MdeModulePkg: PiSmmIpl: Update MessageLength calculation for MmCommunicate
249ca10af0 StandaloneMmPkg: StandaloneMmCore: Parsing new MM communicate header
9dec81092b MdeModulePkg: PiSmmCore: Added parser of new MM communicate header
3da340ccdd MdePkg: MmCommunication: Introduce EFI_PEI_MM_COMMUNICATION3_PPI to MdePkg
11cc0d639e MdePkg: MmCommunication: Introduce EFI_MM_COMMUNICATION3_PROTOCOL to MdePkg
7d1b9d3c3c MdePkg: MmCommunication: Introduce EFI_MM_COMMUNICATE_HEADER_V3 to MdePkg
59805c7697 ShellPkg/SmbiosView: Decode for InterfaceTypeSpecificData of SMBIOS type42
7e8cd32353 MdePkg/IndustryStandard: Define enums of MCTPHostInterface from DSP0239
cf5a955774 MdePkg/IndustryStandard: Fix typos in IoRemappingTable.h
e0b2187754 MdeModulePkg/CustomizedDisplayLib:Fix wrong ColumnIndexWidth special case.
8baa1c5120 ArmPkg: ArmStandaloneMmCoreEntryPoint: Support 18 register DIRECT_REQ2
8d03c42d38 ArmPkg: ArmFfaLib: Update FF-A direct message to support 18 registers
47b793f38c ArmPkg: ArmSvcLib: Support all 18 registers
c0ecd11e62 ArmPkg: ArmSmcLib: Support all 18 registers
213973e9e5 EmulatorPkg: Add stub to read redfish host interface serial number
4a055eb486 RedfishPkg: Populate serial number in SMBIOS type 42 record
76c282b075 Maintainers.txt: Add new maintainer to BaseTools section
069dfae3e5 MdePkg: Fix typo in I2cMaster.h, SetBusFrequench -> SetBusFrequency
30f3fa0af7 StandaloneMmCorePerformanceLib.inf: Add gEfiEventExitBootServicesGuid
09faa4a1ce BaseTools/build: Reduce special FV full to warning
a088d9ceb0 ArmPlatformPkg/PeilessSec: drop _SetSVCMode sequence for Arm
ad6639cf3e ArmPlatformPkg/PeilessSec: drop _SetSVCMode symbol from AArch64
5d3314d0bf MdeModulePkg/Core: Add Hot Pluggable type to Attribute Conversion Table
3907f8a0ba RedfishPkg/RedfishHttpDxe : Fix the incorrect length of the Basic Auth
9006a9b5e4 PrmPkg: Correct the flags for X64 GCC compiler
14b730cde8 MdeModulePkg/Universal: Remove dynamic PcdStatusCodeUseSerial usage in MM
5c6fea49ee StandaloneMmPkg: Produce gMmStatusCodeUseSerialHobGuid HOB
b7ef717177 StandaloneMmPkg: Add gMmStatusCodeUseSerialHobGuid HOB definition
a7ab45ace2 BaseTools/FMMT: Fix GUID Tool Not Found the Shell Script Issue
95bf74fac1 MdeModulePkg/DxeCorePerformanceLib: Fix incorrect size calculation
e01f4180b3 BaseTools: Fix missing module PCD in compile information of build report
b279ac9f36 BaseTools/GenFv: Ensure the minimum pad file size for the FV with VTF
1c51a268b7 MdeModulePkg: Add Standalone MM perf library support
11b44c5cd1 MdeModulePkg: Add Standalone MM Core performance support
874c24baae MdeModulePkg/DxeCorePerformanceLib: Use EFI_MM_COMMUNICATE_HEADER
cd387d2c77 UefiCpuPkg MpInformation2.h: Include PiMultiPhase.h
2a3926dadc MdePkg: IndustryStandard: Rename ACPI SPCR revision 4 structure
589be8d301 Maintainers.txt: Update StandaloneMmPkg reviewer
2eac71a1ee OvmfPkg/IntelTdx: Cache and measure FwCfg
81c2c92074 OvmfPkg/PlatformPei: Cache and measure FwCfg items
4d2af7b91a OvmfPkg: Refactor QEMU_FW_CFG_CACHE_WORK_AREA
fb56dc78ef OvmfPkg/QemuFwCfgLib: Support Cache FwCfg with optional measurement
be529ef3c9 OvmfPkg/QemuFwCfgLib: Add FwCfg cache interface
63408b2895 OvmfPkg/PeilessStartupLib: Build PlatformInfoHob before InitializePlatform
f66078a713 OvmfPkg/PlatformInitLib.h: Add QEMU_FW_CFG_CACHE_WORK_AREA
151326e542 OvmfPkg.dec: Add gOvmfFwCfgInfoHobGuid
ebba67b754 SecurityPkg: Add TpmMeasurementLib for SEC phase
425d97caef Maintainers.txt: Add Shuo Liu as UefiPayloadPkg Reviewer
22919e560b MdeModulePkg/VarCheckHiiLib: clean up VarCheckHiiLibReceiveHiiBinHandler
f6aba88ac8 MdeModulePkg/VarCheckHiiLib: don't return success for invalid input
1c6ce560f0 ArmPkg: Add a protocol notification for gEfiDxeMmReadyToLockProtocolGuid
f1a2bd2333 MdeModulePkg/XhciDxe: Adjust out-of-range bInterval values
70db6510d1 MdeModulePkg/XhciDxe: Refactor endpoint interval calculation
17cdc512f0 NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI bz4206
2fe270a361 UefiCpuPkg: Remove TdxMeasurementLib
62e28d89c4 OvmfPkg: Update the .INF file for the changes of TdxMeasurementLib
f919709c86 MdeModulePkg: Move TdxMeasurementLib from UefiCpuPkg
5a1c723cfa ArmVirtPkg: Kvmtool: Rely on InterruptMap to generate PCI related tables
8c208049d4 ArmVirtPkg: Kvmtool: Advertise all serial ports
9bceb16000 Maintainers.txt: Add reviewer for SVSM vTPM related modules
06b2f9dc43 OvmfPkg: Use Tpm2Device lib with SVSM vTPM support
e868ece3c7 SecurityPkg/Tpm2DeviceLibDTpm: Add TPM2 lib supporting SVSM vTPM
edf5e365c1 SecurityPkg/Tpm2DeviceLibDTpm: Add header file for Tpm2Ptp.c
87f454532a SecurityPkg/Tpm2DeviceLibDTpm: Improve spelling/grammar of comments
40b4e190d3 OvmfPkg/AmdSvsmLib: Add the SVSM vTPM protocol
70f806ec23 MdePkg/AmdSev: Add SVSM protocol vTPM call numbers
87d4cdd09e UefiCpuPkg/AmdSvsmLib: Stub the SVSM vTPM protocol for non-VMPL0 guests
458198aa49 OvmfPkg/AmdSvmLib: Use named protocol and call constants
fa74200c92 MdePkg/AmdSev: Add SVSM protocol call numbers
e095a3c59b .mergify: Use tianocore-issues to rebase PRs for merge
015c4a37c3 StandaloneMmPkg: Disable assert when gMmCommBufferHobGuid not found.
f47d897f93 UnitTestFrameworkPkg: Avoid duplicate library function names
9ac1704af6 OvmfPkg: Use user-specified opt/ovmf/X-PciMmio64Mb value unconditionally
2aff039da7 UefiPayloadPkg: Parse PCI RB Segment info when its available in FDT
1e0051e293 BaseTools: Fix Debug Macro Checking to Include Scanning Files
25ccb6ec54 DynamicTablesPkg/AcpiFacsLib: Fix Issue from Debug Macro Checking
dd5cce3e53 OvmfPkg/PlatformBootManagerCommonLib: Set UiApp as an optional boot option
ca278f14c2 OvmfPkg/PlatformBootManagerCommonLib: Disable autoboot for EFI Shell
4e19daa852 ArmVirtPkg: use BootManagerMenuApp as BootManagerMenu
6bfd522477 ArmVirtPkg: add BootManagerMenuApp to dependencies.
f25e3d0d2c OvmfPkg/HardwareInfoLib: Reserve device type ID for SVSM
e489721275 DynamicTablesPkg/AcpiSsdtCpuTopologyLib: Correct _STA method for X64
6c30f430bd Maintainers.txt: Transfer Ray's Reviewer role to Dandan
dfecb2646f CapsuleApp: Fix proper return after capsule update
80c04eb46f NetworkPkg/HttpBootDxe: Add proxy connect flow to *GetBootFile()
884585818f NetworkPkg/HttpBootDxe: Add ProxyUri handling in start/stop path.
69b0bed49e Network/HttpBootDxe: Modify device path parser to detect Proxy URI node.
cd397f16a5 NetworkPkg/HttpBootDxe: Added ProxyUri field to HTTP_BOOT_PRIVATE_DATA.
592ff1e98f MdeModulePkg/UefiBootManagerLib: Handle device path with Proxy URI.
7f0fc4189a NetworkPkg/HttpBootDxe: Use ProxyUri from HII to build boot option
3e0d879a08 NetworkPkg/HttpBootDxe: Add Proxy URI field to HII.
fa21977197 NetworkPkg/HttpDxe: Add HTTPS handling in HTTP CONNECT path.
f5148b1267 NetworkPkg/HttpDxe: Added support for HTTP CONNECT request.
2880ca12ce MdePkg/Http: Add EFI_HTTP_CONNECT_REQUEST_DATA structure
4b1a426487 MdePkg: Add ACPI CEDT table structures
a093f6eccd PrmPkg: Align Data Buffer Signature to Spec
842c4c8afd PrmPkg: PRM support for non-existent MMIO ranges
168180aa04 Removing Chinni from maintainer list
8e9d56f8ee DynamicTablesPkg: Tolerate NULL when freeing MADT table
dfe43d74bc DynamicTablesPkg: Resolve cppcheck findings in macros
81031a51a0 BaseTools: Disable VS2019/2022 ARM/AARCH64 Stack Cookies
03e66e0a03 BaseTools/Source/C: Disable VS flexible array member warning
71188e9063 BaseTools: Add BUILDRULEFAMILY for CLANGDWARF
72db37b2f1 StandaloneMmPkg/Library: Print warning message if GUID HOB not found
de13423277 UnitTestFrameworkPkg: Fix host test /WHOLEARCHIVE regression
35cf1d7eb0 MdePkg: fix fru device description string copy error.
2b6f979744 workflows: Add UniversalPayload in to git work flow
988ea5f571 UefiPayloadPkg: Add stuart build support.
d684097661 .github/stale.yml: Exempt type:code-first changes
1cc2af8a64 .github: Add EDK II Code First form
6234d09f75 OvmfPkg/PlatformInitLib: fix typo
deee46d276 CryptoPkg/Library/OpensslLib: Fix CLANG compatibility issues
19e2b06625 UefiPayloadPkg: Add new option "--add_cc_flags" in UniversalPayloadBuild.py
a0d2a64ada UefiPayloadPkg: Add macro to control HandOffFdt configuration
f4d93446be pip-requirements.txt: Update pip modules
99625fe4b2 MdePkg: delete EFI 1.10 USB Host Controller Protocol
cc910e4c08 ShellPkg: drop support for obsolete EFI_USB_HC_PROTOCOL
1c96d59e71 MdeModulePkg/UhciDxe: drop unused UsbHcProtocol references
17a90f66d6 MdeModulePkg/UsbBusDxe: drop support for obsolete EFI_USB_HC_PROTOCOL
67df979ad2 DebugMacroCheck: Do not show progress bar with zero items
dea4e20bd4 MdeModulePkg: Add duplicate exception for gUiAppFileGuid
20247e2342 ArmPkg/ArmTransferListLib: improve coding style compliance
6782a2b5fc OvmfPkg: add new runtime config option to documentation for FirmwareSetup
d147d384ac OvmfPkg/PlatformBootManagerCommonLib: Introduce OvmfFindLoadOption
9b6da0b80b OvmfPkg: Add duplicate exception for gUiAppFileGuid
d433b4c8e4 OvmfPkg/PlatformBootManagerLib: Register UiApp as an optional boot option
896907b53b OvmfPkg/PlatformBootManagerLib: Disable autoboot for EFI Shell
9d9e3a2ba8 OvmfPkg: use BootManagerMenuApp as BootManagerMenu
45a56d7505 OvmfPkg: add BootManagerMenuApp to dependencies.
786ae76884 IntelFsp2WrapperPkg: Bootloader need to recover fs and gs
b509393160 MdeModulePkg/DxeCapsuleLibFmp: Check for NULL in IsValidCapsuleHeader
d03e9e701b CryptoPkg: Add sleep function to BaseCryptLibMbedTls Timerwrapper
55a887297c SecurityPkg: fix possible out of bond array access in debug traces
9224a2b917 MdeModulePkg/TerminalDxe: Support multiple modes for SetMode function
a1b2eeb6ff CI: Install a fresh python virtual env every time (Linux)
29f02d0161 MdeModulePkg/HiiDatabaseDxe: Prevent linker error
c46bc0ea98 MdePkg/BaseMemoryLib: Prevent potential VS2022 linker failure
f79218f4dd ArmVirtPkg: Add support for fw_cfg for EFI Shell
7862dcb802 OvmfPkg: Make PlatformBootManagerLibLight use PlatformBootManagerCommonLib
716f150a8b OvmfPkg: Make PlatformBootManagerLib use PlatformBootManagerCommonLib
f3d0fd96d1 OvmfPkg: add PlatformBootManagerCommonLib to dependencies
05330c09d0 ArmVirtPkg: add PlatformBootManagerCommonLib to dependencies
a255b52fbc OvmfPkg: Introduce PlatformBootManagerCommonLib
566aece5b8 ArmVirtPkg: move USB drivers to UsbComponents.dsc.inc
de1e14856d ArmVirtPkg: move network configuration to NetworkComponents.dsc.inc
7fa3814887 RedfishPkg: Correct %g arguments in DEBUG calls
473a22d233 IntelFsp2Pkg : Set FSP-I upd data pointer to NULL as default
67fe6b41b2 MdeModulePkg/UefiBootManagerLib: Apply var policy to HDDP
f75e6952ca ArmPkg: ArmFfaSvc: Adding missing FF-A definitions
49ae82a08e DynamicTablesPkg: AcpiMadtLibArm: Correct value of GICC.GICRBaseAddress
3b93347ee3 CryptoPkg: Update generated files based on openssl 3.4.1
a59d7fa14e CryptoPkg: Update openssl submodule to 3.4.1
de29ae677a StandaloneMmPkg/MmIpl : Add EFI_HOB_HANDOFF_INFO_TABLE to MM HOB list
1428b94fc0 MdeModulePkg/Variable: Init var policy after SMM variable is ready
0f136602fd DynamicTablesPkg: Add _STA method to CPU object
eb1beb6e95 MdePkg/IndustryStandard: Add _STA bit definitions
565a458adc DynamicTablesPkg: Add _PSD and _CPC support for X64
70f53a1b32 DynamicTablesPkg: Add _CST, _CSD, _PCT, and _PSS objects
704eaf5cda DynamicTablesPkg: Adds C-state and P-state namespace objects
ef4ea08e8f DynamicTablesPkg/AmlLib: Implement C-State and P-State ACPI object
86af841a20 MdePkg/IndustryStandard: Add _CSD version definition
6d1bdc2b55 StandaloneMmPkg: Produce StandaloneMM Entry/Exit Notify Protocol.
8d0a57d65a IntelFsp2Pkg/FspSecCore: Update FSP global data in FSP-S/I entry
af2a04699d MdeModulePkg: Add the EFI_RESOURCE_ATTRIBUTE_SPECIAL_PURPOSE attribute
2625e91963 ArmPkg/ArmStandaloneMmCoreEntryPoint: Fix cast on clang
3e7e3e2467 MdePkg/AArch64: fix AsmMacroLib signed value handling for MOV32/MOV64
81803b9eba OvmfPkg: Add SmmCommunicationDxe
0058f7486f .azurepipelines: Introduce Build.Archlist for Azure GCC5 pipeline
f0a2015373 UefiPayloadPkg: Add AARCH64 support
9757ffaa38 UefiPayloadPkg: Update logic of fetching Processor Physical Address size
9fe0980a77 UefiCpuPkg: Add common architecture level library support
8f57cf0829 EmulatorPkg/Unix/Host: Skip symbol unloading for stripped images
e2bb5b530b StandaloneMmPkg/Core: dump HOB list in MMRAM
1b71ddea42 StandaloneMmPkg/Core: pass HOB list in MMRAM to library constructor
8e92e8761c IntelFsp2Pkg/FspSecCore: initialize FspMode in FSP_GLOBAL_DATA
83a86f465c UefiPayloadPkg: Allow boot timeout to be configured
063e19bab2 IntelFsp2Pkg: Fixing TemporaryRamSize Configurability option.
- Remove the following patches because they are merged to edk2-stable202505:
- 70df56728f ovmf-Increase-FVMAIN-Size-for-Compatibility-with-2MB-Size.patch
- 9bceb16000 ovmf-Maintainers.txt-Add-reviewer-for-SVSM-vTPM-related-m.patch
- 87d4cdd09e ovmf-UefiCpuPkg-AmdSvsmLib-Stub-the-SVSM-vTPM-protocol-fo.patch
- 40b4e190d3 ovmf-OvmfPkg-AmdSvsmLib-Add-the-SVSM-vTPM-protocol.patch
- 06b2f9dc43 ovmf-OvmfPkg-Use-Tpm2Device-lib-with-SVSM-vTPM-support.patch
- 458198aa49 ovmf-OvmfPkg-AmdSvmLib-Use-named-protocol-and-call-consta.patch
- fa74200c92 ovmf-MdePkg-AmdSev-Add-SVSM-protocol-call-numbers.patch
- 70f806ec23 ovmf-MdePkg-AmdSev-Add-SVSM-protocol-vTPM-call-numbers.patch
- edf5e365c1 ovmf-SecurityPkg-Tpm2DeviceLibDTpm-Add-header-file-for-Tp.patch
- e868ece3c7 ovmf-SecurityPkg-Tpm2DeviceLibDTpm-Add-TPM2-lib-supportin.patch
- 87f454532a ovmf-SecurityPkg-Tpm2DeviceLibDTpm-Improve-spelling-gramm.patch
- c2d8e92367 ovmf-SecurityPkg-Tpm2DeviceLibDTpm-Check-SNP-enabled-prio.patch
- Refresh patches:
- ovmf-gdb-symbols.patch
- ovmf-Revert-OvmfPkg-OvmfXen-Set-PcdFSBClock.patch
- ovmf-Revert-Add-Stack-Cookie-Support-to-MSVC-and-GCC.patch
- Add the patch from edk2-stable202505 (bsc#1243199)
- ovmf-OvmfPkg-CcExitLib-Use-the-proper-register-when-filte.patch
856bdc8eec0f OvmfPkg/CcExitLib: Use the proper register when filtering MSRs
-------------------------------------------------------------------
Wed May 7 09:52:50 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
Wed May 7 09:52:50 UTC 2025 - YI HSIN Lyu <richard.lyu@suse.com>
- Add patchset to enable SVSM vTPM support in OVMF (jsc#PED-12743, jsc#PED-12767)
- 9bceb16000 ovmf-Maintainers.txt-Add-reviewer-for-SVSM-vTPM-related-m.patch
- 87d4cdd09e ovmf-UefiCpuPkg-AmdSvsmLib-Stub-the-SVSM-vTPM-protocol-fo.patch
- 40b4e190d3 ovmf-OvmfPkg-AmdSvsmLib-Add-the-SVSM-vTPM-protocol.patch
- 06b2f9dc43 ovmf-OvmfPkg-Use-Tpm2Device-lib-with-SVSM-vTPM-support.patch
- 458198aa49 ovmf-OvmfPkg-AmdSvmLib-Use-named-protocol-and-call-consta.patch
- fa74200c92 ovmf-MdePkg-AmdSev-Add-SVSM-protocol-call-numbers.patch
- 70f806ec23 ovmf-MdePkg-AmdSev-Add-SVSM-protocol-vTPM-call-numbers.patch
- edf5e365c1 ovmf-SecurityPkg-Tpm2DeviceLibDTpm-Add-header-file-for-Tp.patch
- e868ece3c7 ovmf-SecurityPkg-Tpm2DeviceLibDTpm-Add-TPM2-lib-supportin.patch
- 87f454532a ovmf-SecurityPkg-Tpm2DeviceLibDTpm-Improve-spelling-gramm.patch
- c2d8e92367 ovmf-SecurityPkg-Tpm2DeviceLibDTpm-Check-SNP-enabled-prio.patch
- 9bceb1600005 ovmf-Maintainers.txt-Add-reviewer-for-SVSM-vTPM-related-m.patch
- 87d4cdd09e4d ovmf-UefiCpuPkg-AmdSvsmLib-Stub-the-SVSM-vTPM-protocol-fo.patch
- 40b4e190d37d ovmf-OvmfPkg-AmdSvsmLib-Add-the-SVSM-vTPM-protocol.patch
- 06b2f9dc4385 ovmf-OvmfPkg-Use-Tpm2Device-lib-with-SVSM-vTPM-support.patch
- 458198aa49c3 ovmf-OvmfPkg-AmdSvmLib-Use-named-protocol-and-call-consta.patch
- fa74200c9269 ovmf-MdePkg-AmdSev-Add-SVSM-protocol-call-numbers.patch
- 70f806ec23fb ovmf-MdePkg-AmdSev-Add-SVSM-protocol-vTPM-call-numbers.patch
- edf5e365c104 ovmf-SecurityPkg-Tpm2DeviceLibDTpm-Add-header-file-for-Tp.patch
- e868ece3c7d1 ovmf-SecurityPkg-Tpm2DeviceLibDTpm-Add-TPM2-lib-supportin.patch
- 87f454532a61 ovmf-SecurityPkg-Tpm2DeviceLibDTpm-Improve-spelling-gramm.patch
- c2d8e9236787 ovmf-SecurityPkg-Tpm2DeviceLibDTpm-Check-SNP-enabled-prio.patch
-------------------------------------------------------------------
Wed May 7 02:55:27 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
Wed May 7 02:55:27 UTC 2025 - YI HSIN Lyu <richard.lyu@suse.com>
- Remove non-unified SEV/TDX images due to potential security risks. (bsc#1232762)
- ovmf-x86_64-sev-code.bin
@@ -444,7 +108,7 @@ Wed May 7 02:55:27 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
- ovmf-x86_64-tdx-vars.bin
-------------------------------------------------------------------
Mon Apr 28 03:59:31 UTC 2025 - Richard Lyu <richard.lyu@suse.com>
Mon Apr 28 03:59:31 UTC 2025 - YI HSIN Lyu <richard.lyu@suse.com>
- Add TDX flavor OVMF using Config-B (OvmfPkg/IntelTdx/IntelTdxX64.dsc).
Full TDX functionality has been supported with Config-B.


@@ -27,7 +27,7 @@
%endif
Name: ovmf
Version: 202505
Version: 202502
Release: 0
Summary: Open Virtual Machine Firmware
License: BSD-2-Clause-Patent
@@ -60,6 +60,8 @@ Source101: gdb_uefi.py.in
Patch1: %{name}-gdb-symbols.patch
Patch2: %{name}-pie.patch
Patch3: %{name}-disable-ia32-firmware-piepic.patch
# Bug 1245454 - iSCSI boot support is disabled in OVMF images
Patch4: %{name}-OvmfPkg-Add-NETWORK_ISCSI_DEFAULT_ENABLE-build-flag.patch
Patch6: %{name}-ignore-spurious-GCC-12-warning.patch
# Bug 1207095 - ASSERT [ArmCpuDxe] /home/abuild/rpmbuild/BUILD/edk2-edk2-stable202211/ArmPkg/Library/DefaultExceptionHandlerLib/AArch64/DefaultExceptionHandler.c(333): ((BOOLEAN)(0==1))
Patch8: %{name}-Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
@@ -72,10 +74,27 @@ Patch10: %{name}-Revert-Add-Stack-Cookie-Support-to-MSVC-and-GCC.patch
Patch11: %{name}-BaseTools-Using-gcc12-for-building-image.patch
%endif
%endif
Patch12: %{name}-Increase-FVMAIN-Size-for-Compatibility-with-2MB-Size.patch
# Bug 1240420 - UEFI boot breaks: X64 Exception Type - 0E(#PF - Page-Fault) CPU Apic ID - 00000000
Patch13: %{name}-UefiCpuPkg-Disable-EFI-memory-attributes-protocol.patch
# Add vTPM support for SVSM in OVMF (jsc#PED-12743, jsc#PED-12767)
Patch14: %{name}-Maintainers.txt-Add-reviewer-for-SVSM-vTPM-related-m.patch
Patch15: %{name}-UefiCpuPkg-AmdSvsmLib-Stub-the-SVSM-vTPM-protocol-fo.patch
Patch16: %{name}-OvmfPkg-AmdSvsmLib-Add-the-SVSM-vTPM-protocol.patch
Patch17: %{name}-OvmfPkg-Use-Tpm2Device-lib-with-SVSM-vTPM-support.patch
Patch18: %{name}-OvmfPkg-AmdSvmLib-Use-named-protocol-and-call-consta.patch
Patch19: %{name}-MdePkg-AmdSev-Add-SVSM-protocol-call-numbers.patch
Patch20: %{name}-MdePkg-AmdSev-Add-SVSM-protocol-vTPM-call-numbers.patch
Patch21: %{name}-SecurityPkg-Tpm2DeviceLibDTpm-Add-header-file-for-Tp.patch
Patch22: %{name}-SecurityPkg-Tpm2DeviceLibDTpm-Add-TPM2-lib-supportin.patch
Patch23: %{name}-SecurityPkg-Tpm2DeviceLibDTpm-Improve-spelling-gramm.patch
Patch24: %{name}-SecurityPkg-Tpm2DeviceLibDTpm-Check-SNP-enabled-prio.patch
# Bug 1243199 - SVSM: [OVMF] Fix MSR register filtering for CAA MSR
Patch25: %{name}-OvmfPkg-CcExitLib-Use-the-proper-register-when-filte.patch
# Bug 1244218 - ovmf: non-deterministic .bin files (about unreproducible)
Patch14: %{name}-OvmfPkg-ArmVirtPkg-Keep-JSON-stack-cookie-files.patch
Patch26: %{name}-OvmfPkg-ArmVirtPkg-Keep-JSON-stack-cookie-files.patch
# Impl: SEV-SNP: [OVMF] AP Creation using APIC ID list results in VMRUN exit with #VMEXIT_INVALID (jsc#PED-13202)
Patch27: %{name}-UefiCpuPkg-MpInitLib-Fix-SNP-AP-creation.patch
BuildRequires: bc
BuildRequires: cross-arm-binutils
BuildRequires: cross-arm-gcc%{gcc_version}
@@ -296,6 +315,7 @@ FLAVORS_X64_SKIP_SB_KEY=("ovmf-x86_64-sev" "ovmf-x86_64-tdx")
FLAVORS_X64_UNIFIED_ONLY=("ovmf-x86_64-sev" "ovmf-x86_64-tdx")
BUILD_OPTIONS_X64=" \
$OVMF_FLAGS \
-D NETWORK_ISCSI_DEFAULT_ENABLE \
-D BUILD_SHELL=FALSE \
-a X64 \
-b DEBUG \
@@ -582,6 +602,7 @@ generate_sb_var_templates()
done
done
fi
}
# Generate the variable stores with default Secure Boot keys
@@ -692,4 +713,4 @@ rm %{buildroot}%{_datadir}/qemu/firmware/*-riscv64*.json
%{_datadir}/qemu/firmware/*-riscv64*.json
%endif
%changelog
%changelog
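Review bot: `-D NETWORK_ISCSI_DEFAULT_ENABLE \` in BUILD_OPTIONS_X64 (together with Patch4) turns the iSCSI driver on by default for the X64 builds while this branch moves Version back to 202502, yet the Patch list carries no backport of the IScsiDxe fixes that the removed changelog entry places in the edk2-stable202502..edk2-stable202505 range — `NetworkPkg/IScsiDxe:Fix for out of bound memory access for bz4207 (CVE-2024-38805)` and `NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI bz4206`. Enabling a network-facing driver by default on a base that, per that log, predates those fixes widens the pre-boot exposure of every X64 image that uses these options, so either carry those two upstream commits as additional PatchNN entries next to Patch27 or record in the spec comment for Bug 1245454 why they are not needed on this branch. The %prep section that applies Patch4 and Patch27 is outside this view, so whether they are actually applied cannot be confirmed here.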