update edk2 to edk2-stable202502 tag and refresh patches

Drop patches applied upstream and refresh the others. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2025-10-03 23:58:58 +00:00 · 2025-03-05 16:29:58 +01:00 · 2025-03-05 16:29:58 +01:00 · f9e300ba84
commit f9e300ba84
parent 45b5f70df9
9 changed files with 33 additions and 7422 deletions
--- a/debian/patches/ArmVirtPkg-disable-the-EFI_MEMORY_ATTRIBUTE-protocol.patch
+++ b/debian/patches/ArmVirtPkg-disable-the-EFI_MEMORY_ATTRIBUTE-protocol.patch
@ -4,25 +4,21 @@ Description: ArmVirtPkg: Disable the EFI memory attributes protocol
 Author: dann frazier <dannf@debian.org>
 Bug-Debian: https://bugs.debian.org/1042438
 Bug-Ubuntu: https://launchpad.net/bugs/2036604
-Last-Update: 2023-09-23
+Last-Update: 2025-03-01

-Index: edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.c
-===================================================================
--- edk2-2023.05.orig/ArmPkg/Drivers/CpuDxe/CpuDxe.c
-+++ edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.c
-@@ -244,8 +244,6 @@ CpuDxeInitialize (
-                   &mCpuHandle,
+--- a/ArmPkg/Drivers/CpuDxe/CpuDxe.c
+++ b/ArmPkg/Drivers/CpuDxe/CpuDxe.c
+@@ -429,8 +429,6 @@
+                   &CpuHandle,
                   &gEfiCpuArchProtocolGuid,
                   &mCpu,
 -                  &gEfiMemoryAttributeProtocolGuid,
 -                  &mMemoryAttribute,
                   NULL
                   );
- 
-Index: edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.h
-===================================================================
--- edk2-2023.05.orig/ArmPkg/Drivers/CpuDxe/CpuDxe.h
-+++ edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.h
+   if (EFI_ERROR (Status)) {
+--- a/ArmPkg/Drivers/CpuDxe/CpuDxe.h
+++ b/ArmPkg/Drivers/CpuDxe/CpuDxe.h
@@ -30,12 +30,9 @@
 #include <Protocol/Cpu.h>
 #include <Protocol/DebugSupport.h>
@ -36,10 +32,8 @@ Index: edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.h
 /**
   This function registers and enables the handler specified by InterruptHandler for a processor
   interrupt or exception type specified by InterruptType. If InterruptHandler is NULL, then the
-Index: edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.inf
-===================================================================
--- edk2-2023.05.orig/ArmPkg/Drivers/CpuDxe/CpuDxe.inf
-+++ edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.inf
+--- a/ArmPkg/Drivers/CpuDxe/CpuDxe.inf
+++ b/ArmPkg/Drivers/CpuDxe/CpuDxe.inf
@@ -23,7 +23,6 @@
   CpuDxe.h
   CpuMmuCommon.c
@ -48,11 +42,11 @@ Index: edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.inf
 
 [Sources.ARM]
   Arm/Mmu.c
-@@ -54,7 +53,6 @@
+@@ -55,7 +54,6 @@
 
 [Protocols]
   gEfiCpuArchProtocolGuid
 -  gEfiMemoryAttributeProtocolGuid
+   gHardwareInterruptProtocolGuid
 
 [Guids]
-   gEfiDebugImageInfoTableGuid
--- a/debian/patches/CVE-2023-45229_45237.patch
+++ b/debian/patches/CVE-2023-45229_45237.patch
--- a/debian/patches/CVE-2023-48733-Disable-the-Shell-when-SecureBoot-is-enabled.patch
+++ b/debian/patches/CVE-2023-48733-Disable-the-Shell-when-SecureBoot-is-enabled.patch
@ -1,100 +0,0 @@
-From: Mate Kukri <mate.kukri@canonical.com>
-Date: Wed, 6 Dec 2023 15:47:42 +0000
-Subject: Shell: Disable the Shell when SecureBoot is enabled and not in
- SetupMode
-
-Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
---
- ShellPkg/Application/Shell/Shell.c   | 14 ++++++++++++++
- ShellPkg/Application/Shell/Shell.h   |  3 +++
- ShellPkg/Application/Shell/Shell.inf |  2 ++
- ShellPkg/ShellPkg.dsc                |  1 +
- 4 files changed, 20 insertions(+)
-
-Origin: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137/+attachment/5741528/+files/Disable-the-Shell-when-SecureBoot-is-enabled.patch
-Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4641
-Bug-Ubuntu: https://launchpad.net/bugs/2040137
-Last-Updated: 2024-02-11
-Forwarded: https://bugzilla.tianocore.org/show_bug.cgi?id=4641#c0
-
-diff --git a/ShellPkg/Application/Shell/Shell.c b/ShellPkg/Application/Shell/Shell.c
-index f95c799..502013d 100644
--- a/ShellPkg/Application/Shell/Shell.c
-+++ b/ShellPkg/Application/Shell/Shell.c
-@@ -357,6 +357,20 @@ UefiMain (
-   EFI_HANDLE                      ConInHandle;
-   EFI_SIMPLE_TEXT_INPUT_PROTOCOL  *OldConIn;
-   SPLIT_LIST                      *Split;
-+  UINT8                           SetupMode;
-+
-+  //
-+  // Check for Secure Boot mode
-+  //
-+  if (IsSecureBootEnabled()) {
-+    Status = GetSetupMode (&SetupMode);
-+    if (EFI_ERROR (Status)) {
-+        return (Status);
-+    }
-+    if (SetupMode != 1) {
-+      return (EFI_SECURITY_VIOLATION);
-+    }
-+  }
- 
-   if (PcdGet8 (PcdShellSupportLevel) > 3) {
-     return (EFI_UNSUPPORTED);
-diff --git a/ShellPkg/Application/Shell/Shell.h b/ShellPkg/Application/Shell/Shell.h
-index 89b4ac6..595ec79 100644
--- a/ShellPkg/Application/Shell/Shell.h
-+++ b/ShellPkg/Application/Shell/Shell.h
-@@ -11,9 +11,11 @@
- #define _SHELL_INTERNAL_HEADER_
- 
- #include <Uefi.h>
-+#include <UefiSecureBoot.h>
- 
- #include <Guid/ShellVariableGuid.h>
- #include <Guid/ShellAliasGuid.h>
-+#include <Guid/ImageAuthentication.h>
- 
- #include <Protocol/LoadedImage.h>
- #include <Protocol/SimpleTextOut.h>
-@@ -42,6 +44,7 @@
- #include <Library/HandleParsingLib.h>
- #include <Library/FileHandleLib.h>
- #include <Library/UefiHiiServicesLib.h>
-+#include <Library/SecureBootVariableLib.h>
- 
- #include "ShellParametersProtocol.h"
- #include "ShellProtocol.h"
-diff --git a/ShellPkg/Application/Shell/Shell.inf b/ShellPkg/Application/Shell/Shell.inf
-index f1e41de..340585f 100644
--- a/ShellPkg/Application/Shell/Shell.inf
-+++ b/ShellPkg/Application/Shell/Shell.inf
-@@ -47,6 +47,7 @@
-   MdePkg/MdePkg.dec
-   ShellPkg/ShellPkg.dec
-   MdeModulePkg/MdeModulePkg.dec
-+  SecurityPkg/SecurityPkg.dec
- 
- [LibraryClasses]
-   BaseLib
-@@ -66,6 +67,7 @@
-   SortLib
-   HandleParsingLib
-   UefiHiiServicesLib
-+  SecureBootVariableLib
- 
- [Guids]
-   gShellVariableGuid                                      ## SOMETIMES_CONSUMES ## GUID
-diff --git a/ShellPkg/ShellPkg.dsc b/ShellPkg/ShellPkg.dsc
-index dd0d886..28d6a87 100644
--- a/ShellPkg/ShellPkg.dsc
-+++ b/ShellPkg/ShellPkg.dsc
-@@ -64,6 +64,7 @@
-   DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf
-   DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf
-   ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf
-+  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
- 
- [LibraryClasses.ARM,LibraryClasses.AARCH64]
-   #
--- a/debian/patches/Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
+++ b/debian/patches/Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
@ -9,9 +9,9 @@ Last-Update: 2023-07-21

 --- a/ArmVirtPkg/ArmVirt.dsc.inc
 +++ b/ArmVirtPkg/ArmVirt.dsc.inc
-@@ -365,7 +365,7 @@
-   # reserved ones, with the exception of LoaderData regions, of which OS loaders
-   # (i.e., GRUB) may assume that its contents are executable.
+@@ -398,7 +398,7 @@
+   # build command line you can allow code execution in EfiLoaderData. This is
+   # required when using some outdated GRUB versions.
   #
 -  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5
 +  gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
--- a/debian/patches/brotlicompress-disable.diff
+++ b/debian/patches/brotlicompress-disable.diff
@ -5,14 +5,12 @@ Description: Do not attempt to compile removed BrotliCompress source
 of the Ubuntu security team), so we also need to disable the build.
 Author: dann frazier <dannf@debian.org>
 Forwarded: not-needed
-Last-Update: 2019-06-25
+Last-Update: 2023-03-09
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-Index: edk2/BaseTools/Source/C/GNUmakefile
-===================================================================
--- edk2.orig/BaseTools/Source/C/GNUmakefile
-+++ edk2/BaseTools/Source/C/GNUmakefile
-@@ -48,7 +48,6 @@ all: makerootdir subdirs
+--- a/BaseTools/Source/C/GNUmakefile
+++ b/BaseTools/Source/C/GNUmakefile
+@@ -51,7 +51,6 @@
 LIBRARIES = Common
 VFRAUTOGEN = VfrCompile/VfrLexer.h
 APPLICATIONS = \
--- a/debian/patches/no-stack-protector-all-archs.diff
+++ b/debian/patches/no-stack-protector-all-archs.diff
@ -3,17 +3,15 @@ Description: pass -fno-stack-protector to all GCC toolchains
 The upstream build rules inexplicably pass -fno-stack-protector only
 when building for i386 and amd64.  Add this essential argument to the
 generic rules for gcc 4.8 and later.
-Last-Updated: 2019-03-14
-Index: edk2/BaseTools/Conf/tools_def.template
-===================================================================
--- edk2.orig/BaseTools/Conf/tools_def.template
-+++ edk2/BaseTools/Conf/tools_def.template
-@@ -1886,7 +1886,7 @@ DEFINE GCC_LOONGARCH64_RC_FLAGS    = -I binary -O elf64-loongarch     -B loongar
+Last-Updated: 2023-07-21
+--- a/BaseTools/Conf/tools_def.template
+++ b/BaseTools/Conf/tools_def.template
+@@ -959,7 +959,7 @@
 # GCC Build Flag for included header file list generation
 DEFINE GCC_DEPS_FLAGS              = -MMD -MF $@.deps
 
 -DEFINE GCC48_ALL_CC_FLAGS            = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
-+DEFINE GCC48_ALL_CC_FLAGS            = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -fno-stack-protector -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
+DEFINE GCC48_ALL_CC_FLAGS            = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -fno-stack-protector -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
 DEFINE GCC48_IA32_X64_DLINK_COMMON   = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
- DEFINE GCC48_IA32_CC_FLAGS           = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer
- DEFINE GCC48_X64_CC_FLAGS            = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address  -fno-omit-frame-pointer
+ DEFINE GCC48_IA32_CC_FLAGS           = DEF(GCC48_ALL_CC_FLAGS) DEF(GCC_IA32_X64_CC_FLAGS) -m32 -march=i586 -malign-double -D EFI32 -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer
+ DEFINE GCC48_X64_CC_FLAGS            = DEF(GCC48_ALL_CC_FLAGS) DEF(GCC_IA32_X64_CC_FLAGS) -m64 "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address  -fno-omit-frame-pointer
--- a/debian/patches/series
+++ b/debian/patches/series
@ -3,5 +3,3 @@ brotlicompress-disable.diff
 x64-baseline-abi.patch
 Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
 ArmVirtPkg-disable-the-EFI_MEMORY_ATTRIBUTE-protocol.patch
-CVE-2023-45229_45237.patch
-CVE-2023-48733-Disable-the-Shell-when-SecureBoot-is-enabled.patch
--- a/debian/patches/x64-baseline-abi.patch
+++ b/debian/patches/x64-baseline-abi.patch
@ -5,16 +5,16 @@ Description: Explicitly target generic x86-64 ABI
 Author: dann frazier <dannf@debian.org>
 Bug-Ubuntu: http://launchpad.net/bugs/1976267
 Forwarded: https://edk2.groups.io/g/devel/message/90447
-Last-Update: 2022-06-10
+Last-Update: 2024-11-24

 --- a/BaseTools/Conf/tools_def.template
 +++ b/BaseTools/Conf/tools_def.template
-@@ -1889,7 +1889,7 @@ DEFINE GCC_DEPS_FLAGS              = -MMD -MF $@.deps
- DEFINE GCC48_ALL_CC_FLAGS            = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -fno-stack-protector -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
+@@ -962,7 +962,7 @@
+ DEFINE GCC48_ALL_CC_FLAGS            = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -fno-stack-protector -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
 DEFINE GCC48_IA32_X64_DLINK_COMMON   = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
- DEFINE GCC48_IA32_CC_FLAGS           = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer
-DEFINE GCC48_X64_CC_FLAGS            = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address  -fno-omit-frame-pointer
-+DEFINE GCC48_X64_CC_FLAGS            = DEF(GCC48_ALL_CC_FLAGS) -m64 -march=x86-64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address
+ DEFINE GCC48_IA32_CC_FLAGS           = DEF(GCC48_ALL_CC_FLAGS) DEF(GCC_IA32_X64_CC_FLAGS) -m32 -march=i586 -malign-double -D EFI32 -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer
+-DEFINE GCC48_X64_CC_FLAGS            = DEF(GCC48_ALL_CC_FLAGS) DEF(GCC_IA32_X64_CC_FLAGS) -m64 "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address  -fno-omit-frame-pointer
+DEFINE GCC48_X64_CC_FLAGS            = DEF(GCC48_ALL_CC_FLAGS) DEF(GCC_IA32_X64_CC_FLAGS) -m64 -march=x86-64 "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address  -fno-omit-frame-pointer
 DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
 DEFINE GCC48_IA32_X64_DLINK_FLAGS    = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive
 DEFINE GCC48_IA32_DLINK2_FLAGS       = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 0f3867fa6ef0553e26c42f7d71ff6bdb98429742
+Subproject commit fbe0805b2091393406952e84724188f8c1941837