update edk2 to edk2-stable202502 tag and refresh patches

Drop patches applied upstream and refresh the others.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht 2025-03-05 16:29:58 +01:00
parent 45b5f70df9
commit f9e300ba84
9 changed files with 33 additions and 7422 deletions


@ -4,25 +4,21 @@ Description: ArmVirtPkg: Disable the EFI memory attributes protocol
Author: dann frazier <dannf@debian.org> Author: dann frazier <dannf@debian.org>
Bug-Debian: https://bugs.debian.org/1042438 Bug-Debian: https://bugs.debian.org/1042438
Bug-Ubuntu: https://launchpad.net/bugs/2036604 Bug-Ubuntu: https://launchpad.net/bugs/2036604
Last-Update: 2023-09-23 Last-Update: 2025-03-01
Index: edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.c --- a/ArmPkg/Drivers/CpuDxe/CpuDxe.c
=================================================================== +++ b/ArmPkg/Drivers/CpuDxe/CpuDxe.c
--- edk2-2023.05.orig/ArmPkg/Drivers/CpuDxe/CpuDxe.c @@ -429,8 +429,6 @@
+++ edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.c &CpuHandle,
@@ -244,8 +244,6 @@ CpuDxeInitialize (
&mCpuHandle,
&gEfiCpuArchProtocolGuid, &gEfiCpuArchProtocolGuid,
&mCpu, &mCpu,
- &gEfiMemoryAttributeProtocolGuid, - &gEfiMemoryAttributeProtocolGuid,
- &mMemoryAttribute, - &mMemoryAttribute,
NULL NULL
); );
if (EFI_ERROR (Status)) {
Index: edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.h --- a/ArmPkg/Drivers/CpuDxe/CpuDxe.h
=================================================================== +++ b/ArmPkg/Drivers/CpuDxe/CpuDxe.h
--- edk2-2023.05.orig/ArmPkg/Drivers/CpuDxe/CpuDxe.h
+++ edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.h
@@ -30,12 +30,9 @@ @@ -30,12 +30,9 @@
#include <Protocol/Cpu.h> #include <Protocol/Cpu.h>
#include <Protocol/DebugSupport.h> #include <Protocol/DebugSupport.h>
@ -36,10 +32,8 @@ Index: edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.h
/** /**
This function registers and enables the handler specified by InterruptHandler for a processor This function registers and enables the handler specified by InterruptHandler for a processor
interrupt or exception type specified by InterruptType. If InterruptHandler is NULL, then the interrupt or exception type specified by InterruptType. If InterruptHandler is NULL, then the
Index: edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.inf --- a/ArmPkg/Drivers/CpuDxe/CpuDxe.inf
=================================================================== +++ b/ArmPkg/Drivers/CpuDxe/CpuDxe.inf
--- edk2-2023.05.orig/ArmPkg/Drivers/CpuDxe/CpuDxe.inf
+++ edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.inf
@@ -23,7 +23,6 @@ @@ -23,7 +23,6 @@
CpuDxe.h CpuDxe.h
CpuMmuCommon.c CpuMmuCommon.c
@ -48,11 +42,11 @@ Index: edk2-2023.05/ArmPkg/Drivers/CpuDxe/CpuDxe.inf
[Sources.ARM] [Sources.ARM]
Arm/Mmu.c Arm/Mmu.c
@@ -54,7 +53,6 @@ @@ -55,7 +54,6 @@
[Protocols] [Protocols]
gEfiCpuArchProtocolGuid gEfiCpuArchProtocolGuid
- gEfiMemoryAttributeProtocolGuid - gEfiMemoryAttributeProtocolGuid
gHardwareInterruptProtocolGuid
[Guids] [Guids]
gEfiDebugImageInfoTableGuid
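Review bot: The refreshed DEP-3 header changes only Last-Update and still does not record the trade-off this patch carries into edk2-stable202502: dropping `&gEfiMemoryAttributeProtocolGuid` / `&mMemoryAttribute` from the CpuDxe InstallMultipleProtocolInterfaces list means an OS loader on ArmVirt can no longer use EFI_MEMORY_ATTRIBUTE_PROTOCOL to tighten page permissions, a hardening feature presumably given up for the loader compatibility issue tracked in Bug-Debian 1042438 and Bug-Ubuntu 2036604. Since the upstream context has moved (the hunk is now at line 429 and installs on `&CpuHandle` rather than `&mCpuHandle` at 244), it would be worth re-checking the linked bugs before carrying the patch forward and writing the outcome into the Description, e.g. `Still required with edk2-stable202502; revisit once the loaders in the linked bugs cope with EFI_MEMORY_ATTRIBUTE_PROTOCOL.` The CpuDxe.h and CpuDxe.inf hunks only show their headers and context here, so their removed lines cannot be checked against the .c change on this page.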



@ -1,100 +0,0 @@
From: Mate Kukri <mate.kukri@canonical.com>
Date: Wed, 6 Dec 2023 15:47:42 +0000
Subject: Shell: Disable the Shell when SecureBoot is enabled and not in
SetupMode
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
---
ShellPkg/Application/Shell/Shell.c | 14 ++++++++++++++
ShellPkg/Application/Shell/Shell.h | 3 +++
ShellPkg/Application/Shell/Shell.inf | 2 ++
ShellPkg/ShellPkg.dsc | 1 +
4 files changed, 20 insertions(+)
Origin: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137/+attachment/5741528/+files/Disable-the-Shell-when-SecureBoot-is-enabled.patch
Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4641
Bug-Ubuntu: https://launchpad.net/bugs/2040137
Last-Updated: 2024-02-11
Forwarded: https://bugzilla.tianocore.org/show_bug.cgi?id=4641#c0
diff --git a/ShellPkg/Application/Shell/Shell.c b/ShellPkg/Application/Shell/Shell.c
index f95c799..502013d 100644
--- a/ShellPkg/Application/Shell/Shell.c
+++ b/ShellPkg/Application/Shell/Shell.c
@@ -357,6 +357,20 @@ UefiMain (
EFI_HANDLE ConInHandle;
EFI_SIMPLE_TEXT_INPUT_PROTOCOL *OldConIn;
SPLIT_LIST *Split;
+ UINT8 SetupMode;
+
+ //
+ // Check for Secure Boot mode
+ //
+ if (IsSecureBootEnabled()) {
+ Status = GetSetupMode (&SetupMode);
+ if (EFI_ERROR (Status)) {
+ return (Status);
+ }
+ if (SetupMode != 1) {
+ return (EFI_SECURITY_VIOLATION);
+ }
+ }
if (PcdGet8 (PcdShellSupportLevel) > 3) {
return (EFI_UNSUPPORTED);
diff --git a/ShellPkg/Application/Shell/Shell.h b/ShellPkg/Application/Shell/Shell.h
index 89b4ac6..595ec79 100644
--- a/ShellPkg/Application/Shell/Shell.h
+++ b/ShellPkg/Application/Shell/Shell.h
@@ -11,9 +11,11 @@
#define _SHELL_INTERNAL_HEADER_
#include <Uefi.h>
+#include <UefiSecureBoot.h>
#include <Guid/ShellVariableGuid.h>
#include <Guid/ShellAliasGuid.h>
+#include <Guid/ImageAuthentication.h>
#include <Protocol/LoadedImage.h>
#include <Protocol/SimpleTextOut.h>
@@ -42,6 +44,7 @@
#include <Library/HandleParsingLib.h>
#include <Library/FileHandleLib.h>
#include <Library/UefiHiiServicesLib.h>
+#include <Library/SecureBootVariableLib.h>
#include "ShellParametersProtocol.h"
#include "ShellProtocol.h"
diff --git a/ShellPkg/Application/Shell/Shell.inf b/ShellPkg/Application/Shell/Shell.inf
index f1e41de..340585f 100644
--- a/ShellPkg/Application/Shell/Shell.inf
+++ b/ShellPkg/Application/Shell/Shell.inf
@@ -47,6 +47,7 @@
MdePkg/MdePkg.dec
ShellPkg/ShellPkg.dec
MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
[LibraryClasses]
BaseLib
@@ -66,6 +67,7 @@
SortLib
HandleParsingLib
UefiHiiServicesLib
+ SecureBootVariableLib
[Guids]
gShellVariableGuid ## SOMETIMES_CONSUMES ## GUID
diff --git a/ShellPkg/ShellPkg.dsc b/ShellPkg/ShellPkg.dsc
index dd0d886..28d6a87 100644
--- a/ShellPkg/ShellPkg.dsc
+++ b/ShellPkg/ShellPkg.dsc
@@ -64,6 +64,7 @@
DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf
DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf
ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
[LibraryClasses.ARM,LibraryClasses.AARCH64]
#


@ -9,9 +9,9 @@ Last-Update: 2023-07-21
--- a/ArmVirtPkg/ArmVirt.dsc.inc --- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -365,7 +365,7 @@ @@ -398,7 +398,7 @@
# reserved ones, with the exception of LoaderData regions, of which OS loaders # build command line you can allow code execution in EfiLoaderData. This is
# (i.e., GRUB) may assume that its contents are executable. # required when using some outdated GRUB versions.
# #
- gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5 - gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD5
+ gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1 + gEfiMdeModulePkgTokenSpaceGuid.PcdDxeNxMemoryProtectionPolicy|0xC000000000007FD1
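Review bot: The refreshed context lines now say that the upstream ArmVirt.dsc.inc lets you allow code execution in EfiLoaderData from the build command line, which suggests this carried revert (changing PcdDxeNxMemoryProtectionPolicy from 0xC000000000007FD5 to 0xC000000000007FD1, i.e. clearing the EfiLoaderData bit) may be replaceable by that upstream build option instead of a source patch. If the option covers the same case it would be cleaner to pass it at build time and drop the patch; if it does not, the patch Description should say why the PCD override is still preferred, because clearing the bit re-enables execution from EfiLoaderData for every loader, not only the outdated GRUB versions the upstream comment mentions. The hunk header announces seven lines but only the leading context and the changed pair are visible in this section, so the trailing context could not be checked.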


@ -5,14 +5,12 @@ Description: Do not attempt to compile removed BrotliCompress source
of the Ubuntu security team), so we also need to disable the build. of the Ubuntu security team), so we also need to disable the build.
Author: dann frazier <dannf@debian.org> Author: dann frazier <dannf@debian.org>
Forwarded: not-needed Forwarded: not-needed
Last-Update: 2019-06-25 Last-Update: 2023-03-09
--- ---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: edk2/BaseTools/Source/C/GNUmakefile --- a/BaseTools/Source/C/GNUmakefile
=================================================================== +++ b/BaseTools/Source/C/GNUmakefile
--- edk2.orig/BaseTools/Source/C/GNUmakefile @@ -51,7 +51,6 @@
+++ edk2/BaseTools/Source/C/GNUmakefile
@@ -48,7 +48,6 @@ all: makerootdir subdirs
LIBRARIES = Common LIBRARIES = Common
VFRAUTOGEN = VfrCompile/VfrLexer.h VFRAUTOGEN = VfrCompile/VfrLexer.h
APPLICATIONS = \ APPLICATIONS = \


@ -3,17 +3,15 @@ Description: pass -fno-stack-protector to all GCC toolchains
The upstream build rules inexplicably pass -fno-stack-protector only The upstream build rules inexplicably pass -fno-stack-protector only
when building for i386 and amd64. Add this essential argument to the when building for i386 and amd64. Add this essential argument to the
generic rules for gcc 4.8 and later. generic rules for gcc 4.8 and later.
Last-Updated: 2019-03-14 Last-Updated: 2023-07-21
Index: edk2/BaseTools/Conf/tools_def.template --- a/BaseTools/Conf/tools_def.template
=================================================================== +++ b/BaseTools/Conf/tools_def.template
--- edk2.orig/BaseTools/Conf/tools_def.template @@ -959,7 +959,7 @@
+++ edk2/BaseTools/Conf/tools_def.template
@@ -1886,7 +1886,7 @@ DEFINE GCC_LOONGARCH64_RC_FLAGS = -I binary -O elf64-loongarch -B loongar
# GCC Build Flag for included header file list generation # GCC Build Flag for included header file list generation
DEFINE GCC_DEPS_FLAGS = -MMD -MF $@.deps DEFINE GCC_DEPS_FLAGS = -MMD -MF $@.deps
-DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings -DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
+DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -fno-stack-protector -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings +DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -fno-stack-protector -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20 DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) DEF(GCC_IA32_X64_CC_FLAGS) -m32 -march=i586 -malign-double -D EFI32 -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer
DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) DEF(GCC_IA32_X64_CC_FLAGS) -m64 "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer
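Review bot: The patch Description no longer matches the refreshed context: it says upstream passes -fno-stack-protector only for i386 and amd64, but in the new context the GCC48_IA32_CC_FLAGS and GCC48_X64_CC_FLAGS definitions no longer carry the literal flag and instead pull `DEF(GCC_IA32_X64_CC_FLAGS)`, so a reader can no longer see from the patch where, or whether, upstream still sets it for those targets. Suggest rewording the Description along the lines of `Upstream sets -fno-stack-protector for IA32/X64 via GCC_IA32_X64_CC_FLAGS; add it to GCC48_ALL_CC_FLAGS so the remaining GCC targets get it too.`, after confirming that GCC_IA32_X64_CC_FLAGS really contains the flag, which is not visible here. It would also help to say why the flag is called essential, presumably because the firmware build provides no stack-protector runtime to link against; the header currently asserts it without explanation. The Last-Updated value 2023-07-21 predates this refresh, which is fine if the file was taken verbatim from Debian but misleading otherwise.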


@ -3,5 +3,3 @@ brotlicompress-disable.diff
x64-baseline-abi.patch x64-baseline-abi.patch
Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
ArmVirtPkg-disable-the-EFI_MEMORY_ATTRIBUTE-protocol.patch ArmVirtPkg-disable-the-EFI_MEMORY_ATTRIBUTE-protocol.patch
CVE-2023-45229_45237.patch
CVE-2023-48733-Disable-the-Shell-when-SecureBoot-is-enabled.patch


@ -5,16 +5,16 @@ Description: Explicitly target generic x86-64 ABI
Author: dann frazier <dannf@debian.org> Author: dann frazier <dannf@debian.org>
Bug-Ubuntu: http://launchpad.net/bugs/1976267 Bug-Ubuntu: http://launchpad.net/bugs/1976267
Forwarded: https://edk2.groups.io/g/devel/message/90447 Forwarded: https://edk2.groups.io/g/devel/message/90447
Last-Update: 2022-06-10 Last-Update: 2024-11-24
--- a/BaseTools/Conf/tools_def.template --- a/BaseTools/Conf/tools_def.template
+++ b/BaseTools/Conf/tools_def.template +++ b/BaseTools/Conf/tools_def.template
@@ -1889,7 +1889,7 @@ DEFINE GCC_DEPS_FLAGS = -MMD -MF $@.deps @@ -962,7 +962,7 @@
DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -fno-stack-protector -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings DEFINE GCC48_ALL_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -ffunction-sections -fdata-sections -fno-stack-protector -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings
DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20 DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20
DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) DEF(GCC_IA32_X64_CC_FLAGS) -m32 -march=i586 -malign-double -D EFI32 -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer
-DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer -DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) DEF(GCC_IA32_X64_CC_FLAGS) -m64 "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer
+DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -march=x86-64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address +DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) DEF(GCC_IA32_X64_CC_FLAGS) -m64 -march=x86-64 "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address -fno-omit-frame-pointer
DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable
DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive
DEFINE GCC48_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON) DEFINE GCC48_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON)
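Review bot: The refreshed `+DEFINE GCC48_X64_CC_FLAGS` line ends with `-fno-omit-frame-pointer`, which the previous version of this patch had dropped relative to the line it replaces (as rendered here, the old `-` line ends with that flag while the old `+` line stops at `-Wno-address`). Whether the omission in the old patch was accidental or deliberate, the refresh therefore changes X64 code generation, not just patch offsets, and that deserves a sentence in the commit message rather than being covered by "refresh the others". Apart from that, `-march=x86-64` is the only difference between the `-` and `+` lines in the new hunk, which matches the Description, and the hunk's three lines of trailing context are complete.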

2
edk2

@ -1 +1 @@
Subproject commit 0f3867fa6ef0553e26c42f7d71ff6bdb98429742 Subproject commit fbe0805b2091393406952e84724188f8c1941837