Remove backports.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+++ /dev/null
-From 772fa11ac82579a8f6fa171e6b835f68af3f64be Mon Sep 17 00:00:00 2001
-From: Rebecca Cran <rebecca@bsdio.com>
-Date: Mon, 26 May 2025 08:01:39 -0600
-Subject: [PATCH] SecurityPkg: Don't define bool type if building in C23 mode
-
-In C23 bool is a built-in type, so it's not necessary to typedef
-bool in LibspdmStdBoolAlt.h.
-
-Signed-off-by: Rebecca Cran <rebecca@bsdio.com>
-
-Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/772fa11ac82579a8f6fa171e6b835f68af3f64be]
-
-Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
----
- .../DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/SecurityPkg/DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h b/SecurityPkg/DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h
-index 08af7296d0..395ef22d43 100644
---- a/SecurityPkg/DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h
-+++ b/SecurityPkg/DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h
-@@ -10,7 +10,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
- #ifndef LIBSPDM_STDBOOL_ALT_H\r
- #define LIBSPDM_STDBOOL_ALT_H\r
- \r
-+// In C23, bool is a built-in type\r
-+#if __STDC_VERSION__ < 202311L\r
- typedef BOOLEAN bool;\r
-+#endif\r
- \r
- #ifndef true\r
- #define true TRUE\r
---
-2.34.1
-
-From 61583b59620946683551f43c6110e656604a252f Mon Sep 17 00:00:00 2001
+From 0f859c6de2914cd984f8a0dd61471b91a2371bfa Mon Sep 17 00:00:00 2001
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Date: Thu, 9 Jun 2016 02:23:01 -0700
-Subject: [PATCH 1/4] ovmf: update path to native BaseTools
+Subject: [PATCH] ovmf: update path to native BaseTools
BaseTools is a set of utilities to build EDK-based firmware. These utilities
are used during the build process. Thus, they need to be built natively.
echo $EDK_TOOLS_PATH
source edksetup.sh BaseTools
else
---
-2.39.5
-
-From aacbf7c91732b9959e569e90844cf9de078b2f14 Mon Sep 17 00:00:00 2001
+From 9dbd082516fdd7100f99f0f389b8eef5ececab19 Mon Sep 17 00:00:00 2001
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Date: Fri, 26 Jul 2019 17:34:26 -0400
-Subject: [PATCH 2/4] BaseTools: makefile: adjust to build in under bitbake
+Subject: [PATCH] BaseTools: makefile: adjust to build in under bitbake
Prepend the build flags with those of bitbake. This is to build
using the bitbake native sysroot include and library directories.
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
-index d369908a09..22c670f316 100644
+index 55a7307a5e..e36e6a8f04 100644
--- a/BaseTools/Source/C/Makefiles/header.makefile
+++ b/BaseTools/Source/C/Makefiles/header.makefile
-@@ -85,35 +85,34 @@ endif
+@@ -154,35 +154,34 @@ endif
\r
INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE)\r
INCLUDE += -I $(EDK2_PATH)/MdePkg/Include\r
ifeq ($(HOST_ARCH), IA32)\r
#\r
# Snow Leopard is a 32-bit and 64-bit environment. uname -m returns i386, but gcc defaults\r
---
-2.39.5
-
-From 96fa2a7f2f54f1e6330275b5eba07e1efdbd865b Mon Sep 17 00:00:00 2001
+From eb6db21ed0a845dce149d17acf8673d5188adea4 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Mon, 14 Jun 2021 19:56:28 +0200
-Subject: [PATCH 3/4] debug prefix map
+Subject: [PATCH] debug prefix map
We want to pass ${DEBUG_PREFIX_MAP} to gcc commands and also pass in
--debug-prefix-map to nasm (we carry a patch to nasm for this). The
BaseTools/Conf/tools_def.template | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
+diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
+index 0caa1c9001..dd86b3249d 100755
--- a/BaseTools/Conf/tools_def.template
+++ b/BaseTools/Conf/tools_def.template
-@@ -920,7 +920,7 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --a
+@@ -920,7 +920,7 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --add-gnu-debuglink="$(DEBUG_DIR)/$(MODULE_
*_*_*_DTC_PATH = DEF(DTC_BIN)\r
\r
# All supported GCC archs except LOONGARCH64 support -mstack-protector-guard=global, so set that on everything except LOONGARCH64\r
DEFINE GCC_IA32_X64_CC_FLAGS = -mstack-protector-guard=global\r
DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -fno-pic -fno-pie -mstack-protector-guard=global\r
DEFINE GCC_LOONGARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mabi=lp64d -fno-asynchronous-unwind-tables -Wno-address -fno-short-enums -fsigned-char -ffunction-sections -fdata-sections\r
-@@ -941,8 +941,8 @@ DEFINE GCC_ARM_ASLDLINK_FLAGS = DEF
+@@ -938,8 +938,8 @@ DEFINE GCC_ARM_AARCH64_ASLDLINK_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0 DEF(GC
+ DEFINE GCC_ARM_ASLDLINK_FLAGS = DEF(GCC_ARM_DLINK_FLAGS) -Wl,--entry,ReferenceAcpiTable -u $(IMAGE_ENTRY_POINT) DEF(GCC_ARM_AARCH64_ASLDLINK_FLAGS)\r
DEFINE GCC_AARCH64_ASLDLINK_FLAGS = DEF(GCC_AARCH64_DLINK_FLAGS) -Wl,--entry,ReferenceAcpiTable -u $(IMAGE_ENTRY_POINT) DEF(GCC_ARM_AARCH64_ASLDLINK_FLAGS)\r
DEFINE GCC_LOONGARCH64_ASLDLINK_FLAGS = DEF(GCC_LOONGARCH64_DLINK_FLAGS) -Wl,--entry,ReferenceAcpiTable -u $(IMAGE_ENTRY_POINT)\r
- DEFINE GCC_IA32_X64_DLINK_FLAGS = DEF(GCC_IA32_X64_DLINK_COMMON) --entry _$(IMAGE_ENTRY_POINT) --file-alignment 0x20 --section-alignment 0x20 -Map $(DEST_DIR_DEBUG)/$(BASE_NAME).map\r
-DEFINE GCC_ASM_FLAGS = -c -x assembler -imacros AutoGen.h\r
-DEFINE GCC_PP_FLAGS = -E -x assembler-with-cpp -include AutoGen.h\r
+DEFINE GCC_ASM_FLAGS = -c -x assembler -imacros AutoGen.h ENV(GCC_PREFIX_MAP)\r
+DEFINE GCC_PP_FLAGS = -E -x assembler-with-cpp -include AutoGen.h ENV(GCC_PREFIX_MAP)\r
- DEFINE GCC_VFRPP_FLAGS = -x c -E -P -DVFRCOMPILE --include $(MODULE_NAME)StrDefs.h\r
+ DEFINE GCC_VFRPP_FLAGS = -x c -E -DVFRCOMPILE --include $(MODULE_NAME)StrDefs.h\r
DEFINE GCC_ASLPP_FLAGS = -x c -E -include AutoGen.h\r
DEFINE GCC_ASLCC_FLAGS = -x c\r
-@@ -1095,7 +1095,7 @@ DEFINE GCC5_LOONGARCH64_PP_FLAGS
+@@ -1092,7 +1092,7 @@ DEFINE GCC5_LOONGARCH64_PP_FLAGS = -mabi=lp64d -march=loongarch64 DEF(
*_GCC48_IA32_DLINK2_FLAGS = DEF(GCC48_IA32_DLINK2_FLAGS)\r
*_GCC48_IA32_RC_FLAGS = DEF(GCC_IA32_RC_FLAGS)\r
*_GCC48_IA32_OBJCOPY_FLAGS =\r
\r
DEBUG_GCC48_IA32_CC_FLAGS = DEF(GCC48_IA32_CC_FLAGS)\r
RELEASE_GCC48_IA32_CC_FLAGS = DEF(GCC48_IA32_CC_FLAGS) -Wno-unused-but-set-variable\r
-@@ -1123,7 +1123,7 @@ RELEASE_GCC48_IA32_CC_FLAGS = DEF(
+@@ -1120,7 +1120,7 @@ RELEASE_GCC48_IA32_CC_FLAGS = DEF(GCC48_IA32_CC_FLAGS) -Wno-unused-but-set
*_GCC48_X64_DLINK2_FLAGS = DEF(GCC48_X64_DLINK2_FLAGS)\r
*_GCC48_X64_RC_FLAGS = DEF(GCC_X64_RC_FLAGS)\r
*_GCC48_X64_OBJCOPY_FLAGS =\r
\r
DEBUG_GCC48_X64_CC_FLAGS = DEF(GCC48_X64_CC_FLAGS)\r
RELEASE_GCC48_X64_CC_FLAGS = DEF(GCC48_X64_CC_FLAGS) -Wno-unused-but-set-variable\r
-@@ -1232,7 +1232,7 @@ RELEASE_GCC48_AARCH64_CC_FLAGS = DEF(G
+@@ -1229,7 +1229,7 @@ RELEASE_GCC48_AARCH64_CC_FLAGS = DEF(GCC48_AARCH64_CC_FLAGS) -Wno-unused-but-s
*_GCC49_IA32_DLINK2_FLAGS = DEF(GCC49_IA32_DLINK2_FLAGS)\r
*_GCC49_IA32_RC_FLAGS = DEF(GCC_IA32_RC_FLAGS)\r
*_GCC49_IA32_OBJCOPY_FLAGS =\r
\r
DEBUG_GCC49_IA32_CC_FLAGS = DEF(GCC49_IA32_CC_FLAGS)\r
RELEASE_GCC49_IA32_CC_FLAGS = DEF(GCC49_IA32_CC_FLAGS) -Wno-unused-but-set-variable -Wno-unused-const-variable\r
-@@ -1260,7 +1260,7 @@ RELEASE_GCC49_IA32_CC_FLAGS = DEF(
+@@ -1257,7 +1257,7 @@ RELEASE_GCC49_IA32_CC_FLAGS = DEF(GCC49_IA32_CC_FLAGS) -Wno-unused-but-set
*_GCC49_X64_DLINK2_FLAGS = DEF(GCC49_X64_DLINK2_FLAGS)\r
*_GCC49_X64_RC_FLAGS = DEF(GCC_X64_RC_FLAGS)\r
*_GCC49_X64_OBJCOPY_FLAGS =\r
\r
DEBUG_GCC49_X64_CC_FLAGS = DEF(GCC49_X64_CC_FLAGS)\r
RELEASE_GCC49_X64_CC_FLAGS = DEF(GCC49_X64_CC_FLAGS) -Wno-unused-but-set-variable -Wno-unused-const-variable\r
-@@ -1519,7 +1519,7 @@ RELEASE_GCCNOLTO_AARCH64_DLINK_XIPFLAGS
+@@ -1516,7 +1516,7 @@ RELEASE_GCCNOLTO_AARCH64_DLINK_XIPFLAGS = -z common-page-size=0x20
*_GCC5_IA32_DLINK2_FLAGS = DEF(GCC5_IA32_DLINK2_FLAGS) -no-pie\r
*_GCC5_IA32_RC_FLAGS = DEF(GCC_IA32_RC_FLAGS)\r
*_GCC5_IA32_OBJCOPY_FLAGS =\r
\r
DEBUG_GCC5_IA32_CC_FLAGS = DEF(GCC5_IA32_CC_FLAGS) -flto\r
DEBUG_GCC5_IA32_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto -Os -Wl,-m,elf_i386,--oformat=elf32-i386\r
-@@ -1551,7 +1551,7 @@ RELEASE_GCC5_IA32_DLINK_FLAGS = DEF(G
+@@ -1548,7 +1548,7 @@ RELEASE_GCC5_IA32_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto -Os -Wl,
*_GCC5_X64_DLINK2_FLAGS = DEF(GCC5_X64_DLINK2_FLAGS)\r
*_GCC5_X64_RC_FLAGS = DEF(GCC_X64_RC_FLAGS)\r
*_GCC5_X64_OBJCOPY_FLAGS =\r
-From fc2d3c17ff2a7b39e8d47b788eeaac5e1487cdee Mon Sep 17 00:00:00 2001
+From 0d22e07cd9cc35ede04c01d3141068db744d7677 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Mon, 14 Jun 2021 19:57:30 +0200
-Subject: [PATCH 4/4] reproducible
+Subject: [PATCH] reproducible
This patch fixes various things which make the build more reproducible. Some changes
here only change intermediate artefacts but that means when you have two build trees
.../Source/Python/AutoGen/ModuleAutoGen.py | 5 +++-
4 files changed, 24 insertions(+), 16 deletions(-)
+diff --git a/BaseTools/Source/C/GenFw/Elf64Convert.c b/BaseTools/Source/C/GenFw/Elf64Convert.c
+index 18594122ea..92b5f13cf6 100644
--- a/BaseTools/Source/C/GenFw/Elf64Convert.c
+++ b/BaseTools/Source/C/GenFw/Elf64Convert.c
-@@ -15,6 +15,8 @@ SPDX-License-Identifier: BSD-2-Clause-Pa
+@@ -15,6 +15,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <windows.h>\r
#undef RUNTIME_FUNCTION\r
#include <io.h>\r
\r
//\r
// Add more space in the .debug data region for the DllCharacteristicsEx\r
-@@ -2310,7 +2312,7 @@ WriteDebug64 (
+@@ -2322,7 +2324,7 @@ WriteDebug64 (
EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY *Nb10;\r
EFI_IMAGE_DEBUG_EX_DLLCHARACTERISTICS_ENTRY *DllEntry;\r
\r
\r
NtHdr = (EFI_IMAGE_OPTIONAL_HEADER_UNION *)(mCoffFile + mNtHdrOffset);\r
DataDir = &NtHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_DEBUG];\r
-@@ -2343,7 +2345,7 @@ WriteDebug64 (
+@@ -2355,7 +2357,7 @@ WriteDebug64 (
\r
Nb10 = (EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY*)(Dir + 1);\r
Nb10->Signature = CODEVIEW_SIGNATURE_NB10;\r
}\r
\r
STATIC\r
+diff --git a/BaseTools/Source/Python/AutoGen/BuildEngine.py b/BaseTools/Source/Python/AutoGen/BuildEngine.py
+index b829a2503c..afe826b78f 100644
--- a/BaseTools/Source/Python/AutoGen/BuildEngine.py
+++ b/BaseTools/Source/Python/AutoGen/BuildEngine.py
@@ -70,6 +70,9 @@ class TargetDescBlock(object):
def AddInput(self, Input):\r
if Input not in self.Inputs:\r
self.Inputs.append(Input)\r
+diff --git a/BaseTools/Source/Python/AutoGen/GenMake.py b/BaseTools/Source/Python/AutoGen/GenMake.py
+index e5f282c4ac..27a34ef7c6 100755
--- a/BaseTools/Source/Python/AutoGen/GenMake.py
+++ b/BaseTools/Source/Python/AutoGen/GenMake.py
-@@ -576,7 +576,7 @@ cleanlib:
+@@ -571,7 +571,7 @@ cleanlib:
os.remove(RespFileList)\r
\r
# convert source files and binary files to build targets\r
if len(self.ResultFileList) == 0 and len(MyAgo.SourceFileList) != 0:\r
EdkLogger.error("build", AUTOGEN_ERROR, "Nothing to build",\r
ExtraData="[%s]" % str(MyAgo))\r
-@@ -727,7 +727,7 @@ cleanlib:
+@@ -722,7 +722,7 @@ cleanlib:
OutputFile = ''\r
DepsFileList = []\r
\r
if Cmd[2]:\r
for CopyCmd in Cmd[2]:\r
Src, Dst = CopyCmd\r
-@@ -760,7 +760,7 @@ cleanlib:
+@@ -755,7 +755,7 @@ cleanlib:
self.BuildTargetList.append('\t%s' % CmdString)\r
\r
self.ParseSecCmd(DepsFileList, Cmd[1])\r
self.BuildTargetList.append('%s : %s' % (self.ReplaceMacro(SecOutputFile), self.ReplaceMacro(SecDepsFile)))\r
self.BuildTargetList.append('\t%s' % self.ReplaceMacro(SecCmd))\r
self.FfsOutputFileList = []\r
-@@ -799,13 +799,13 @@ cleanlib:
+@@ -794,13 +794,13 @@ cleanlib:
\r
def CommandExceedLimit(self):\r
FlagDict = {\r
}\r
\r
RespDict = {}\r
-@@ -1019,9 +1019,9 @@ cleanlib:
+@@ -1014,9 +1014,9 @@ cleanlib:
if not self.ObjTargetDict.get(T.Target.SubDir):\r
self.ObjTargetDict[T.Target.SubDir] = set()\r
self.ObjTargetDict[T.Target.SubDir].add(NewFile)\r
# Generate related macros if needed\r
if T.GenFileListMacro and T.FileListMacro not in self.FileListMacros:\r
self.FileListMacros[T.FileListMacro] = []\r
+diff --git a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
+index aa0b71632e..57c9cad117 100755
--- a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
+++ b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
-@@ -1474,6 +1474,9 @@ class ModuleAutoGen(AutoGen):
+@@ -1429,6 +1429,9 @@ class ModuleAutoGen(AutoGen):
for File in Files:\r
if File.lower().endswith('.pdb'):\r
AsBuiltInfDict['binary_item'].append('DISPOSABLE|' + File)\r
HeaderComments = self.Module.HeaderComments\r
StartPos = 0\r
for Index in range(len(HeaderComments)):\r
-@@ -1749,7 +1752,7 @@ class ModuleAutoGen(AutoGen):
+@@ -1704,7 +1707,7 @@ class ModuleAutoGen(AutoGen):
if os.path.exists (self.TimeStampPath):\r
os.remove (self.TimeStampPath)\r
\r
+++ /dev/null
-From 2c8fb3e5164effc8a370e800fe91db7341e69116 Mon Sep 17 00:00:00 2001
-From: Doug Flick <dougflick@microsoft.com>
-Date: Mon, 7 Apr 2025 11:23:41 -0700
-Subject: [PATCH 1/4] SecurityPkg: Update SecurityFixes.yaml for CVE-2024-38797
-
-This commit updates the SecurityFixes.yaml file to include
-information about the CVE-2024-38797 vulnerability.
-
-Signed-off-by: Doug Flick <DougFlick@microsoft.com>
-
-CVE: CVE-2024-38797
-Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/519366f542e9370bee982b1c3687ffedb5cabc21]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- SecurityPkg/SecurityFixes.yaml | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
-index b4006b4..06b597a 100644
---- a/SecurityPkg/SecurityFixes.yaml
-+++ b/SecurityPkg/SecurityFixes.yaml
-@@ -40,3 +40,18 @@ CVE_2022_36764:
- - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c\r
- links:\r
- - https://bugzilla.tianocore.org/show_bug.cgi?id=4118\r
-+CVE_2024_38797:\r
-+ commit-titles:\r
-+ - "SecurityPkg: Out of bound read in HashPeImageByType()"\r
-+ - "SecurityPkg: Improving HashPeImageByType () logic"\r
-+ - "SecurityPkg: Improving SecureBootConfigImpl:HashPeImageByType () logic"\r
-+ cve: CVE-2024-38797\r
-+ date_reported: 2024-06-04 12:00 UTC\r
-+ description: Out of bound read in HashPeImageByType()\r
-+ note:\r
-+ files_impacted:\r
-+ - SecurityPkg\Library\DxeImageVerificationLib\DxeImageVerificationLib.c\r
-+ - SecurityPkg\VariableAuthenticated\SecureBootConfigDxe\SecureBootConfigImpl.c\r
-+ links:\r
-+ - https://bugzilla.tianocore.org/show_bug.cgi?id=2214\r
-+ - https://github.com/tianocore/edk2/security/advisories/GHSA-4wjw-6xmf-44xf\r
---
-2.34.1
-
+++ /dev/null
-From 1a7be26382c4a34504875f094e15fe371d44192e Mon Sep 17 00:00:00 2001
-From: Doug Flick <dougflick@microsoft.com>
-Date: Thu, 3 Oct 2024 09:37:18 -0700
-Subject: [PATCH 2/4] SecurityPkg: Out of bound read in HashPeImageByType()
-
-In HashPeImageByType(), the hash of PE/COFF image is calculated.
-This function may get untrusted input.
-
-Inside this function, the following code verifies the loaded image has
-the correct format, by reading the second byte of the buffer.
-
-```c
- if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
- ...
- }
-```
-
-The input image is not trusted and that may not have the second byte to
-read. So this poses an out of bound read error.
-
-With below fix we are assuring that we don't do out of bound read. i.e,
-we make sure that AuthDataSize is greater than 1.
-
-```c
- if (AuthDataSize > 1
- && (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE){
- ...
- }
-```
-
-AuthDataSize size is verified before reading the second byte.
-So if AuthDataSize is less than 2, the second byte will not be read, and
-the out of bound read situation won't occur.
-
-Tested the patch on real platform with and without TPM connected and
-verified image is booting fine.
-
-Authored-by: Raj AlwinX Selvaraj <Alw...@intel.com>
-Signed-off-by: Doug Flick <DougFlick@microsoft.com>
-
-CVE: CVE-2024-38797
-Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/2dcdb41b564aa3cb846644b4b1722a0b3ae5e06b]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-index b05da19..2afa2c9 100644
---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-@@ -642,7 +642,7 @@ HashPeImageByType (
- // This field has the fixed offset (+32) in final Authenticode ASN.1 data.\r
- // Fixed offset (+32) is calculated based on two bytes of length encoding.\r
- //\r
-- if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {\r
-+ if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {\r
- //\r
- // Only support two bytes of Long Form of Length Encoding.\r
- //\r
---
-2.34.1
-
+++ /dev/null
-From 4db363db013a92937431234252fc9d84e44fc120 Mon Sep 17 00:00:00 2001
-From: Doug Flick <dougflick@microsoft.com>
-Date: Thu, 3 Oct 2024 10:16:57 -0700
-Subject: [PATCH 3/4] SecurityPkg: Improving HashPeImageByType () logic
-
-Namely:
-
-(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
- to TRUE for Index==0, then it will evaluate to TRUE for all other
- Index values as well. As a result, the (Index == HASHALG_MAX)
- condition will fire after the loop, and we'll return
- EFI_UNSUPPORTED.
-
- While this is correct, functionally speaking, it is wasteful to
- keep re-checking TWO_BYTE_ENCODE in the loop body. The check
- should be made at the top of the function, and EFI_UNSUPPORTED
- should be returned at once, if appropriate.
-
-(2) If the hash algorithm selected by Index has such a large OID that
- the OID comparison cannot even be performed (because AuthDataSize
- is not large enough for containing the OID in question, starting
- at offset 32), then the function returns EFI_UNSUPPORTED at once.
-
- This is bogus; this case should simply be treated as an OID
- mismatch, and the loop should advance to the next Index value /
- hash algorithm candidate. A remaining hash algo may have a shorter
- OID and yield an OID match.
-
-Signed-off-by: Doug Flick <DougFlick@microsoft.com>
-
-CVE: CVE-2024-38797
-Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/5df518ec510324f48ed1cf0376150960644b41f0]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- .../DxeImageVerificationLib.c | 37 ++++++++++---------
- 1 file changed, 19 insertions(+), 18 deletions(-)
-
-diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-index 2afa2c9..2eca39d 100644
---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-@@ -618,6 +618,7 @@ Done:
- @param[in] AuthDataSize Size of the Authenticode Signature in bytes.\r
- \r
- @retval EFI_UNSUPPORTED Hash algorithm is not supported.\r
-+ @retval EFI_BAD_BUFFER_SIZE AuthData provided is invalid size.\r
- @retval EFI_SUCCESS Hash successfully.\r
- \r
- **/\r
-@@ -629,28 +630,28 @@ HashPeImageByType (
- {\r
- UINT8 Index;\r
- \r
-- for (Index = 0; Index < HASHALG_MAX; Index++) {\r
-+ //\r
-+ // Check the Hash algorithm in PE/COFF Authenticode.\r
-+ // According to PKCS#7 Definition:\r
-+ // SignedData ::= SEQUENCE {\r
-+ // version Version,\r
-+ // digestAlgorithms DigestAlgorithmIdentifiers,\r
-+ // contentInfo ContentInfo,\r
-+ // .... }\r
-+ // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing\r
-+ // This field has the fixed offset (+32) in final Authenticode ASN.1 data.\r
-+ // Fixed offset (+32) is calculated based on two bytes of length encoding.\r
-+ //\r
-+ if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {\r
- //\r
-- // Check the Hash algorithm in PE/COFF Authenticode.\r
-- // According to PKCS#7 Definition:\r
-- // SignedData ::= SEQUENCE {\r
-- // version Version,\r
-- // digestAlgorithms DigestAlgorithmIdentifiers,\r
-- // contentInfo ContentInfo,\r
-- // .... }\r
-- // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing\r
-- // This field has the fixed offset (+32) in final Authenticode ASN.1 data.\r
-- // Fixed offset (+32) is calculated based on two bytes of length encoding.\r
-+ // Only support two bytes of Long Form of Length Encoding.\r
- //\r
-- if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {\r
-- //\r
-- // Only support two bytes of Long Form of Length Encoding.\r
-- //\r
-- continue;\r
-- }\r
-+ return EFI_BAD_BUFFER_SIZE;\r
-+ }\r
- \r
-+ for (Index = 0; Index < HASHALG_MAX; Index++) {\r
- if (AuthDataSize < 32 + mHash[Index].OidLength) {\r
-- return EFI_UNSUPPORTED;\r
-+ continue;\r
- }\r
- \r
- if (CompareMem (AuthData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {\r
---
-2.34.1
-
+++ /dev/null
-From cb3342702c5c1f8a4ddbb6d503a98ed720d14eb3 Mon Sep 17 00:00:00 2001
-From: Doug Flick <dougflick@microsoft.com>
-Date: Fri, 17 Jan 2025 11:30:17 -0800
-Subject: [PATCH 4/4] SecurityPkg: Improving
- SecureBootConfigImpl:HashPeImageByType () logic
-
-Namely:
-
-(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
- to TRUE for Index==0, then it will evaluate to TRUE for all other
- Index values as well. As a result, the (Index == HASHALG_MAX)
- condition will fire after the loop, and we'll return
- EFI_UNSUPPORTED.
-
- While this is correct, functionally speaking, it is wasteful to
- keep re-checking TWO_BYTE_ENCODE in the loop body. The check
- should be made at the top of the function, and EFI_UNSUPPORTED
- should be returned at once, if appropriate.
-
-(2) If the hash algorithm selected by Index has such a large OID that
- the OID comparison cannot even be performed (because AuthDataSize
- is not large enough for containing the OID in question, starting
- at offset 32), then the function returns EFI_UNSUPPORTED at once.
-
- This is bogus; this case should simply be treated as an OID
- mismatch, and the loop should advance to the next Index value /
- hash algorithm candidate. A remaining hash algo may have a shorter
- OID and yield an OID match.
-
-Signed-off-by: Doug Flick <DougFlick@microsoft.com>
-
-CVE: CVE-2024-38797
-Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/8676572908b950dd4d1f8985006011be99c0a5b6]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- .../SecureBootConfigImpl.c | 37 +++++++++++--------
- 1 file changed, 21 insertions(+), 16 deletions(-)
-
-diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
-index 6d4560c..155e755 100644
---- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
-+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
-@@ -2096,30 +2096,35 @@ HashPeImageByType (
- {\r
- UINT8 Index;\r
- WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;\r
-+ UINT32 PkcsCertSize;\r
- \r
- PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *)(mImageBase + mSecDataDir->Offset);\r
-+ PkcsCertSize = mSecDataDir->SizeOfCert;\r
- \r
-- for (Index = 0; Index < HASHALG_MAX; Index++) {\r
-+ //\r
-+ // Check the Hash algorithm in PE/COFF Authenticode.\r
-+ // According to PKCS#7 Definition:\r
-+ // SignedData ::= SEQUENCE {\r
-+ // version Version,\r
-+ // digestAlgorithms DigestAlgorithmIdentifiers,\r
-+ // contentInfo ContentInfo,\r
-+ // .... }\r
-+ // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing\r
-+ // This field has the fixed offset (+32) in final Authenticode ASN.1 data.\r
-+ // Fixed offset (+32) is calculated based on two bytes of length encoding.\r
-+ //\r
-+ if ((PkcsCertSize > 1) && ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {\r
- //\r
-- // Check the Hash algorithm in PE/COFF Authenticode.\r
-- // According to PKCS#7 Definition:\r
-- // SignedData ::= SEQUENCE {\r
-- // version Version,\r
-- // digestAlgorithms DigestAlgorithmIdentifiers,\r
-- // contentInfo ContentInfo,\r
-- // .... }\r
-- // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing\r
-- // This field has the fixed offset (+32) in final Authenticode ASN.1 data.\r
-- // Fixed offset (+32) is calculated based on two bytes of length encoding.\r
-+ // Only support two bytes of Long Form of Length Encoding.\r
- //\r
-- if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {\r
-- //\r
-- // Only support two bytes of Long Form of Length Encoding.\r
-- //\r
-+ return EFI_BAD_BUFFER_SIZE;\r
-+ }\r
-+\r
-+ for (Index = 0; Index < HASHALG_MAX; Index++) {\r
-+ if (PkcsCertSize < 32 + mHash[Index].OidLength) {\r
- continue;\r
- }\r
- \r
-- //\r
- if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {\r
- break;\r
- }\r
---
-2.34.1
-
+++ /dev/null
-From 4b028816b5619ede6c3720664478055e09151516 Mon Sep 17 00:00:00 2001
-From: Madhavan <madavtechy@gmail.com>
-Date: Fri, 14 Mar 2025 14:15:13 -0400
-Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI
- bz4206
-
-Used SafeUint32Add to calculate and validate OutTransferLength with
-boundary check in IScsiOnR2TRcvd to avoid integer overflow
-
-Signed-off-by: Madhavan <madavtechy@gmail.com>
-
-CVE: CVE-2025-2295
-Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- NetworkPkg/IScsiDxe/IScsiProto.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
-index ef587649a0..fb48e6304d 100644
---- a/NetworkPkg/IScsiDxe/IScsiProto.c
-+++ b/NetworkPkg/IScsiDxe/IScsiProto.c
-@@ -1,7 +1,7 @@
- /** @file\r
- The implementation of iSCSI protocol based on RFC3720.\r
- \r
--Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>\r
-+Copyright (c) 2004 - 2025, Intel Corporation. All rights reserved.<BR>\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
- \r
- **/\r
-@@ -2682,6 +2682,7 @@ IScsiOnR2TRcvd (
- EFI_STATUS Status;\r
- ISCSI_XFER_CONTEXT *XferContext;\r
- UINT8 *Data;\r
-+ UINT32 TransferLength;\r
- \r
- R2THdr = (ISCSI_READY_TO_TRANSFER *)NetbufGetByte (Pdu, 0, NULL);\r
- if (R2THdr == NULL) {\r
-@@ -2712,7 +2713,12 @@ IScsiOnR2TRcvd (
- XferContext->Offset = R2THdr->BufferOffset;\r
- XferContext->DesiredLength = R2THdr->DesiredDataTransferLength;\r
- \r
-- if (((XferContext->Offset + XferContext->DesiredLength) > Packet->OutTransferLength) ||\r
-+ Status = SafeUint32Add (XferContext->Offset, XferContext->DesiredLength, &TransferLength);\r
-+ if (EFI_ERROR (Status)) {\r
-+ return EFI_PROTOCOL_ERROR;\r
-+ }\r
-+\r
-+ if ((TransferLength > Packet->OutTransferLength) ||\r
- (XferContext->DesiredLength > Tcb->Conn->Session->MaxBurstLength)\r
- )\r
- {\r
---
-2.48.1
-
#see https://src.fedoraproject.org/rpms/edk2/blob/rawhide/f/0032-Basetools-turn-off-gcc12-warning.patch
BUILD_CFLAGS += "-Wno-error=stringop-overflow"
-SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
+SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https;tag=${PV} \
file://0001-ovmf-update-path-to-native-BaseTools.patch \
file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
file://0003-debug-prefix-map.patch \
file://0004-reproducible.patch \
- file://CVE-2025-2295.patch \
- file://CVE-2024-38797-1.patch \
- file://CVE-2024-38797-2.patch \
- file://CVE-2024-38797-3.patch \
- file://CVE-2024-38797-4.patch \
- file://0001-SecurityPkg-Don-t-define-bool-type-if-building-in-C2.patch \
"
-PV = "edk2-stable202502"
-SRCREV = "fbe0805b2091393406952e84724188f8c1941837"
+PV = "edk2-stable202508"
+SRCREV = "d46aa46c8361194521391aa581593e556c707c6e"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)"
CVE_PRODUCT = "edk2"
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
