import edk2-20220126gitbb1bba3d77-13.el8_10.2

SOURCES/edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch

@@ -0,0 +1,56 @@
+From 045496325e278716e724ffdf9685667a8766d4f3 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 20 Jun 2024 10:34:52 -0400
+Subject: [PATCH 28/31] CryptoPkg/Test: call ProcessLibraryConstructorList
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [28/31] 5ff484fbc68d094fbcdda2772c2869818c67de8d
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit 94961b8817eec6f8d0434555ac50a7aa51c22201
+Author: Gerd Hoffmann <kraxel@redhat.com>
+Date:   Fri Jun 14 11:45:49 2024 +0200
+
+    CryptoPkg/Test: call ProcessLibraryConstructorList
+
+    Needed to properly initialize BaseRngLib.
+
+    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c
+index 88a3f96305..0ba9f35840 100644
+--- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c
++++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c
+@@ -8,6 +8,11 @@
+ **/
+ #include "TestBaseCryptLib.h"
+ 
++VOID
++EFIAPI
++ProcessLibraryConstructorList (
++  VOID
++  );
+ 
+ /**
+   Initialize the unit test framework, suite, and unit tests for the
+@@ -77,5 +82,6 @@ main (
+   char *argv[]
+   )
+ {
++  ProcessLibraryConstructorList ();
+   return UefiTestMain ();
+ }
+-- 
+2.39.3
+

SOURCES/edk2-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch

@@ -0,0 +1,66 @@
+From 2e4b2b8fce40cf93f35e052102f37fee07b2e64a Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Mon, 10 Jun 2024 18:13:29 -0400
+Subject: [PATCH 02/31] MdeModulePkg: Potential UINT32 overflow in S3
+ ResumeCount
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [2/31] a3592c3437041cbd33a6c11feb3d0999e122c8c0
+
+JIRA: https://issues.redhat.com/browse/RHEL-40099
+CVE: CVE-2024-1298
+Upstream: Merged
+
+commit 284dbac43da752ee34825c8b3f6f9e8281cb5a19
+Author: Shanmugavel Pakkirisamy <shanmugavelx.pakkirisamy@intel.com>
+Date:   Mon May 6 17:53:09 2024 +0800
+
+    MdeModulePkg: Potential UINT32 overflow in S3 ResumeCount
+
+    REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4677
+
+    Attacker able to modify physical memory and ResumeCount.
+    System will crash/DoS when ResumeCount reaches its MAX_UINT32.
+
+    Cc: Zhiguang Liu <zhiguang.liu@intel.com>
+    Cc: Dandan Bi <dandan.bi@intel.com>
+    Cc: Liming Gao <gaoliming@byosoft.com.cn>
+
+    Signed-off-by: Pakkirisamy ShanmugavelX <shanmugavelx.pakkirisamy@intel.com>
+    Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../FirmwarePerformancePei.c                         | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
+index 6881466201..54b3bc3c54 100644
+--- a/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
++++ b/MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.c
+@@ -110,11 +110,15 @@ FpdtStatusCodeListenerPei (
+   //
+   S3ResumeTotal = MultU64x32 (AcpiS3ResumeRecord->AverageResume, AcpiS3ResumeRecord->ResumeCount);
+   AcpiS3ResumeRecord->ResumeCount++;
+-  AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
++  if (AcpiS3ResumeRecord->ResumeCount > 0) {
++    AcpiS3ResumeRecord->AverageResume = DivU64x32 (S3ResumeTotal + AcpiS3ResumeRecord->FullResume, AcpiS3ResumeRecord->ResumeCount);
++    DEBUG ((DEBUG_INFO, "\nFPDT: S3 Resume Performance - AverageResume = 0x%x\n", AcpiS3ResumeRecord->AverageResume));
++  } else {
++    DEBUG ((DEBUG_ERROR, "\nFPDT: S3 ResumeCount reaches the MAX_UINT32 value. S3 ResumeCount record reset to Zero."));
++  }
+ 
+-  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount   = %d\n", AcpiS3ResumeRecord->ResumeCount));
+-  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume    = %ld\n", AcpiS3ResumeRecord->FullResume));
+-  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - AverageResume = %ld\n", AcpiS3ResumeRecord->AverageResume));
++  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - ResumeCount   = 0x%x\n", AcpiS3ResumeRecord->ResumeCount));
++  DEBUG ((DEBUG_INFO, "FPDT: S3 Resume Performance - FullResume    = 0x%x\n", AcpiS3ResumeRecord->FullResume));
+ 
+   //
+   // Update S3 Suspend Performance Record.
+-- 
+2.39.3
+

SOURCES/edk2-MdeModulePkg-Rng-Add-GUID-to-describe-unsafe-Rng-alg.patch

@@ -0,0 +1,90 @@
+From 5ba444af245d59e3208260478aa710d4f143f259 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 20 Jun 2024 16:06:25 -0400
+Subject: [PATCH 20/31] MdeModulePkg/Rng: Add GUID to describe unsafe Rng
+ algorithms
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [20/31] d0e553560d60122f2fe5f33923b5b943c138a18d
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit 414c0f20896f3dec412135fa4260f8aad8bef246
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Fri Aug 11 16:33:07 2023 +0200
+
+    MdeModulePkg/Rng: Add GUID to describe unsafe Rng algorithms
+
+    BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4441
+
+    The EFI_RNG_PROTOCOL can rely on the RngLib. The RngLib has multiple
+    implementations, some of them are unsafe (e.g. BaseRngLibTimerLib).
+    To allow the RngDxe to detect when such implementation is used,
+    a GetRngGuid() function is added in a following patch.
+
+    Prepare GetRngGuid() return values and add a gEdkiiRngAlgorithmUnSafe
+    to describe an unsafe implementation, cf. the BaseRngLibTimerLib.
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
+    Acked-by: Ard Biesheuvel <ardb@kernel.org>
+    Tested-by: Kun Qin <kun.qin@microsoft.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ MdeModulePkg/Include/Guid/RngAlgorithm.h | 23 +++++++++++++++++++++++
+ MdeModulePkg/MdeModulePkg.dec            |  3 +++
+ 2 files changed, 26 insertions(+)
+ create mode 100644 MdeModulePkg/Include/Guid/RngAlgorithm.h
+
+diff --git a/MdeModulePkg/Include/Guid/RngAlgorithm.h b/MdeModulePkg/Include/Guid/RngAlgorithm.h
+new file mode 100644
+index 0000000000..e2ac2ba3e5
+--- /dev/null
++++ b/MdeModulePkg/Include/Guid/RngAlgorithm.h
+@@ -0,0 +1,23 @@
++/** @file
++  Rng Algorithm
++
++  Copyright (c) 2023, Arm Limited. All rights reserved.<BR>
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#ifndef RNG_ALGORITHM_GUID_H_
++#define RNG_ALGORITHM_GUID_H_
++
++///
++/// The implementation of a Random Number Generator might be unsafe, when using
++/// a dummy implementation for instance. Allow identifying such implementation
++/// with this GUID.
++///
++#define EDKII_RNG_ALGORITHM_UNSAFE \
++  { \
++    0x869f728c, 0x409d, 0x4ab4, {0xac, 0x03, 0x71, 0xd3, 0x09, 0xc1, 0xb3, 0xf4 } \
++  }
++
++extern EFI_GUID  gEdkiiRngAlgorithmUnSafe;
++
++#endif // #ifndef RNG_ALGORITHM_GUID_H_
+diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
+index 08d59dfb3e..3513a9678a 100644
+--- a/MdeModulePkg/MdeModulePkg.dec
++++ b/MdeModulePkg/MdeModulePkg.dec
+@@ -401,6 +401,9 @@
+   ## Include/Guid/MigratedFvInfo.h
+   gEdkiiMigratedFvInfoGuid = { 0xc1ab12f7, 0x74aa, 0x408d, { 0xa2, 0xf4, 0xc6, 0xce, 0xfd, 0x17, 0x98, 0x71 } }
+ 
++  ## Include/Guid/RngAlgorithm.h
++  gEdkiiRngAlgorithmUnSafe = { 0x869f728c, 0x409d, 0x4ab4, {0xac, 0x03, 0x71, 0xd3, 0x09, 0xc1, 0xb3, 0xf4 }}
++
+   #
+   # GUID defined in UniversalPayload
+   #
+-- 
+2.39.3
+

SOURCES/edk2-MdePkg-Add-deprecated-warning-to-BaseRngLibTimer.patch

@@ -0,0 +1,89 @@
+From 3800b9ee5d6d4c05c7e27f949c3b32c422c78f2d Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 20 Jun 2024 16:02:31 -0400
+Subject: [PATCH 16/31] MdePkg: Add deprecated warning to BaseRngLibTimer
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [16/31] 6e199344d083e90f60cbe01dfb3c2a3719e3177d
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit e93468442b7da7bc80e00014e854c0c8a0a7184b
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Fri Aug 11 16:33:03 2023 +0200
+
+    MdePkg: Add deprecated warning to BaseRngLibTimer
+
+    BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4504
+
+    To keep the MdePkg self-contained and avoid dependencies on GUIDs
+    defined in other packages, the BaseRngLibTimer was moved to the
+    MdePkg.
+    Add a constructor to warn and request to use the MdeModulePkg
+    implementation.
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+    Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
+    Acked-by: Ard Biesheuvel <ardb@kernel.org>
+    Tested-by: Kun Qin <kun.qin@microsoft.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../BaseRngLibTimerLib/BaseRngLibTimerLib.inf |  1 +
+ .../Library/BaseRngLibTimerLib/RngLibTimer.c  | 22 +++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf b/MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+index f857290e82..96c90db63f 100644
+--- a/MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
++++ b/MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+@@ -23,6 +23,7 @@
+   MODULE_TYPE                    = BASE
+   VERSION_STRING                 = 1.0
+   LIBRARY_CLASS                  = RngLib
++  CONSTRUCTOR                    = BaseRngLibTimerConstructor
+ 
+ [Sources]
+   RngLibTimer.c
+diff --git a/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c b/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
+index 54d29d96f3..6b8392162b 100644
+--- a/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
++++ b/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
+@@ -13,6 +13,28 @@
+ 
+ #define DEFAULT_DELAY_TIME_IN_MICROSECONDS 10
+ 
++/**
++  This implementation is to be replaced by its MdeModulePkg copy.
++  The cause being that some GUIDs (gEdkiiRngAlgorithmUnSafe) cannot
++  be defined in the MdePkg.
++
++  @retval EFI_SUCCESS   The constructor always returns EFI_SUCCESS.
++**/
++RETURN_STATUS
++EFIAPI
++BaseRngLibTimerConstructor (
++  VOID
++  )
++{
++  DEBUG ((
++    DEBUG_WARN,
++    "Warning: This BaseRngTimerLib implementation will be deprecated. "
++    "Please use the MdeModulePkg implementation equivalent.\n"
++    ));
++
++  return RETURN_SUCCESS;
++}
++
+ /**
+  Using the TimerLib GetPerformanceCounterProperties() we delay
+  for enough time for the PerformanceCounter to increment.
+-- 
+2.39.3
+

SOURCES/edk2-MdePkg-Apply-uncrustify-changes.patch

@@ -0,0 +1,94 @@
+From 1198bceefa4834c09e1edc1c558aeffe4930d1f5 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 11 Jun 2024 21:32:26 -0400
+Subject: [PATCH 03/31] MdePkg: Apply uncrustify changes
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [3/31] 422d94b837bf0e65164968272a358c2656f59838
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+This is a subset of the whitespace changes in the corresponding upstream
+commit. It is needed for the next commits in this series to apply with
+less fewer conflicts.
+
+commit 2f88bd3a1296c522317f1c21377876de63de5be7
+Author: Michael Kubacki <michael.kubacki@microsoft.com>
+Date:   Sun Dec 5 14:54:05 2021 -0800
+
+    MdePkg: Apply uncrustify changes
+
+    REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737
+
+    Apply uncrustify changes to .c/.h files in the MdePkg package
+
+    Cc: Andrew Fish <afish@apple.com>
+    Cc: Leif Lindholm <leif@nuviainc.com>
+    Cc: Michael D Kinney <michael.d.kinney@intel.com>
+    Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
+    Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ MdePkg/Include/Protocol/Rng.h | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/MdePkg/Include/Protocol/Rng.h b/MdePkg/Include/Protocol/Rng.h
+index a0a05d1661..baf425587b 100644
+--- a/MdePkg/Include/Protocol/Rng.h
++++ b/MdePkg/Include/Protocol/Rng.h
+@@ -93,7 +93,7 @@ typedef EFI_GUID EFI_RNG_ALGORITHM;
+ **/
+ typedef
+ EFI_STATUS
+-(EFIAPI *EFI_RNG_GET_INFO) (
++(EFIAPI *EFI_RNG_GET_INFO)(
+   IN EFI_RNG_PROTOCOL             *This,
+   IN OUT UINTN                    *RNGAlgorithmListSize,
+   OUT EFI_RNG_ALGORITHM           *RNGAlgorithmList
+@@ -123,9 +123,9 @@ EFI_STATUS
+ **/
+ typedef
+ EFI_STATUS
+-(EFIAPI *EFI_RNG_GET_RNG) (
++(EFIAPI *EFI_RNG_GET_RNG)(
+   IN EFI_RNG_PROTOCOL            *This,
+-  IN EFI_RNG_ALGORITHM           *RNGAlgorithm, OPTIONAL
++  IN EFI_RNG_ALGORITHM           *RNGAlgorithm  OPTIONAL,
+   IN UINTN                       RNGValueLength,
+   OUT UINT8                      *RNGValue
+   );
+@@ -135,16 +135,16 @@ EFI_STATUS
+ /// applications, or entropy for seeding other random number generators.
+ ///
+ struct _EFI_RNG_PROTOCOL {
+-  EFI_RNG_GET_INFO                GetInfo;
+-  EFI_RNG_GET_RNG                 GetRNG;
++  EFI_RNG_GET_INFO    GetInfo;
++  EFI_RNG_GET_RNG     GetRNG;
+ };
+ 
+-extern EFI_GUID gEfiRngProtocolGuid;
+-extern EFI_GUID gEfiRngAlgorithmSp80090Hash256Guid;
+-extern EFI_GUID gEfiRngAlgorithmSp80090Hmac256Guid;
+-extern EFI_GUID gEfiRngAlgorithmSp80090Ctr256Guid;
+-extern EFI_GUID gEfiRngAlgorithmX9313DesGuid;
+-extern EFI_GUID gEfiRngAlgorithmX931AesGuid;
+-extern EFI_GUID gEfiRngAlgorithmRaw;
++extern EFI_GUID  gEfiRngProtocolGuid;
++extern EFI_GUID  gEfiRngAlgorithmSp80090Hash256Guid;
++extern EFI_GUID  gEfiRngAlgorithmSp80090Hmac256Guid;
++extern EFI_GUID  gEfiRngAlgorithmSp80090Ctr256Guid;
++extern EFI_GUID  gEfiRngAlgorithmX9313DesGuid;
++extern EFI_GUID  gEfiRngAlgorithmX931AesGuid;
++extern EFI_GUID  gEfiRngAlgorithmRaw;
+ 
+ #endif
+-- 
+2.39.3
+

SOURCES/edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch

@@ -0,0 +1,213 @@
+From 1d4b6d489cb919faa3ad67a3ae53fe26c4cd0a75 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 20 Jun 2024 10:32:29 -0400
+Subject: [PATCH 25/31] MdePkg/BaseRngLib: Add a smoketest for RDRAND and check
+ CPUID
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [25/31] 11804d6f86a644ae2c3dcad89c633ad63b794d3f
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit c3a8ca7b54a9fd17acdf16c6282a92cc989fa92a
+Author: Pedro Falcato <pedro.falcato@gmail.com>
+Date:   Tue Nov 22 22:31:03 2022 +0000
+
+    MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID
+
+    RDRAND has notoriously been broken many times over its lifespan.
+    Add a smoketest to RDRAND, in order to better sniff out potential
+    security concerns.
+
+    Also add a proper CPUID test in order to support older CPUs which may
+    not have it; it was previously being tested but then promptly ignored.
+
+    Testing algorithm inspired by linux's arch/x86/kernel/cpu/rdrand.c
+    :x86_init_rdrand() per commit 049f9ae9..
+
+    Many thanks to Jason Donenfeld for relicensing his linux RDRAND detection
+    code to MIT and the public domain.
+
+    >On Tue, Nov 22, 2022 at 2:21 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
+      <..>
+    >    I (re)wrote that function in Linux. I hereby relicense it as MIT, and
+    >    also place it into public domain. Do with it what you will now.
+    >
+    >    Jason
+
+    BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4163
+
+    Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com>
+    Cc: Michael D Kinney <michael.d.kinney@intel.com>
+    Cc: Liming Gao <gaoliming@byosoft.com.cn>
+    Cc: Zhiguang Liu <zhiguang.liu@intel.com>
+    Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+
+Signed-off-by: Jon Maloy <jmaloy@gmail.com>
+---
+ MdePkg/Library/BaseRngLib/Rand/RdRand.c | 99 +++++++++++++++++++++++--
+ 1 file changed, 91 insertions(+), 8 deletions(-)
+
+diff --git a/MdePkg/Library/BaseRngLib/Rand/RdRand.c b/MdePkg/Library/BaseRngLib/Rand/RdRand.c
+index aee8ea04e8..7132ab0efd 100644
+--- a/MdePkg/Library/BaseRngLib/Rand/RdRand.c
++++ b/MdePkg/Library/BaseRngLib/Rand/RdRand.c
+@@ -3,6 +3,7 @@
+   to provide high-quality random numbers.
+ 
+ Copyright (c) 2023, Arm Limited. All rights reserved.<BR>
++Copyright (c) 2022, Pedro Falcato. All rights reserved.<BR>
+ Copyright (c) 2021, NUVIA Inc. All rights reserved.<BR>
+ Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
+ 
+@@ -25,6 +26,88 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ STATIC BOOLEAN mRdRandSupported;
+ 
++//
++// Intel SDM says 10 tries is good enough for reliable RDRAND usage.
++//
++#define RDRAND_RETRIES  10
++
++#define RDRAND_TEST_SAMPLES  8
++
++#define RDRAND_MIN_CHANGE  5
++
++//
++// Add a define for native-word RDRAND, just for the test.
++//
++#ifdef MDE_CPU_X64
++#define ASM_RDRAND  AsmRdRand64
++#else
++#define ASM_RDRAND  AsmRdRand32
++#endif
++
++/**
++  Tests RDRAND for broken implementations.
++
++  @retval TRUE         RDRAND is reliable (and hopefully safe).
++  @retval FALSE        RDRAND is unreliable and should be disabled, despite CPUID.
++
++**/
++STATIC
++BOOLEAN
++TestRdRand (
++  VOID
++  )
++{
++  //
++  // Test for notoriously broken rdrand implementations that always return the same
++  // value, like the Zen 3 uarch (all-1s) or other several AMD families on suspend/resume (also all-1s).
++  // Note that this should be expanded to extensively test for other sorts of possible errata.
++  //
++
++  //
++  // Our algorithm samples rdrand $RDRAND_TEST_SAMPLES times and expects
++  // a different result $RDRAND_MIN_CHANGE times for reliable RDRAND usage.
++  //
++  UINTN   Prev;
++  UINT8   Idx;
++  UINT8   TestIteration;
++  UINT32  Changed;
++
++  Changed = 0;
++
++  for (TestIteration = 0; TestIteration < RDRAND_TEST_SAMPLES; TestIteration++) {
++    UINTN  Sample;
++    //
++    // Note: We use a retry loop for rdrand. Normal users get this in BaseRng.c
++    // Any failure to get a random number will assume RDRAND does not work.
++    //
++    for (Idx = 0; Idx < RDRAND_RETRIES; Idx++) {
++      if (ASM_RDRAND (&Sample)) {
++        break;
++      }
++    }
++
++    if (Idx == RDRAND_RETRIES) {
++      DEBUG ((DEBUG_ERROR, "BaseRngLib/x86: CPU BUG: Failed to get an RDRAND random number - disabling\n"));
++      return FALSE;
++    }
++
++    if (TestIteration != 0) {
++      Changed += Sample != Prev;
++    }
++
++    Prev = Sample;
++  }
++
++  if (Changed < RDRAND_MIN_CHANGE) {
++    DEBUG ((DEBUG_ERROR, "BaseRngLib/x86: CPU BUG: RDRAND not reliable - disabling\n"));
++    return FALSE;
++  }
++
++  return TRUE;
++}
++
++#undef ASM_RDRAND
++
+ /**
+   The constructor function checks whether or not RDRAND instruction is supported
+   by the host hardware.
+@@ -49,10 +132,13 @@ BaseRngLibConstructor (
+   // CPUID. A value of 1 indicates that processor support RDRAND instruction.
+   //
+   AsmCpuid (1, 0, 0, &RegEcx, 0);
+-  ASSERT ((RegEcx & RDRAND_MASK) == RDRAND_MASK);
+ 
+   mRdRandSupported = ((RegEcx & RDRAND_MASK) == RDRAND_MASK);
+ 
++  if (mRdRandSupported) {
++    mRdRandSupported = TestRdRand ();
++  }
++
+   return EFI_SUCCESS;
+ }
+ 
+@@ -71,6 +157,7 @@ ArchGetRandomNumber16 (
+   OUT     UINT16                    *Rand
+   )
+ {
++  ASSERT (mRdRandSupported);
+   return AsmRdRand16 (Rand);
+ }
+ 
+@@ -89,6 +176,7 @@ ArchGetRandomNumber32 (
+   OUT     UINT32                    *Rand
+   )
+ {
++  ASSERT (mRdRandSupported);
+   return AsmRdRand32 (Rand);
+ }
+ 
+@@ -107,6 +195,7 @@ ArchGetRandomNumber64 (
+   OUT     UINT64                    *Rand
+   )
+ {
++  ASSERT (mRdRandSupported);
+   return AsmRdRand64 (Rand);
+ }
+ 
+@@ -123,13 +212,7 @@ ArchIsRngSupported (
+   VOID
+   )
+ {
+-  /*
+-     Existing software depends on this always returning TRUE, so for
+-     now hard-code it.
+-
+-     return mRdRandSupported;
+-  */
+-  return TRUE;
++  return mRdRandSupported;
+ }
+ 
+ /**
+-- 
+2.39.3
+

SOURCES/edk2-MdePkg-DxeRngLib-Request-raw-algorithm-instead-of-de.patch

@@ -0,0 +1,66 @@
+From 3351bd0ba07cc490c344d2dc54b86833993ca5a2 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 20 Jun 2024 15:58:58 -0400
+Subject: [PATCH 18/31] MdePkg/DxeRngLib: Request raw algorithm instead of
+ default
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [18/31] fa2da700127ae713aa578638c2390673fc49522d
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit bd1f0eecc1dfe51ba20161bef8860d12392006bd
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Fri Aug 11 16:33:05 2023 +0200
+
+    MdePkg/DxeRngLib: Request raw algorithm instead of default
+
+    The DxeRngLib tries to generate a random number using the 3 NIST
+    SP 800-90 compliant DRBG algorithms, i.e. 256-bits CTR, HASH and HMAC.
+    If none of the call is successful, the fallback option is the default
+    RNG algorithm of the EFI_RNG_PROTOCOL. This default algorithm might
+    be an unsafe implementation.
+
+    Try requesting the Raw algorithm before requesting the default one.
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
+    Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+    Acked-by: Ard Biesheuvel <ardb@kernel.org>
+    Tested-by: Kun Qin <kun.qin@microsoft.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ MdePkg/Library/DxeRngLib/DxeRngLib.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/DxeRngLib/DxeRngLib.c b/MdePkg/Library/DxeRngLib/DxeRngLib.c
+index 9c3d67b5a6..4b2fc1cde5 100644
+--- a/MdePkg/Library/DxeRngLib/DxeRngLib.c
++++ b/MdePkg/Library/DxeRngLib/DxeRngLib.c
+@@ -64,9 +64,16 @@ GenerateRandomNumberViaNist800Algorithm (
+   if (!EFI_ERROR (Status)) {
+     return Status;
+   }
++
++  Status = RngProtocol->GetRNG (RngProtocol, &gEfiRngAlgorithmRaw, BufferSize, Buffer);
++  DEBUG ((DEBUG_INFO, "%a: GetRNG algorithm Raw - Status = %r\n", __func__, Status));
++  if (!EFI_ERROR (Status)) {
++    return Status;
++  }
++
+   // If all the other methods have failed, use the default method from the RngProtocol
+   Status = RngProtocol->GetRNG (RngProtocol, NULL, BufferSize, Buffer);
+-  DEBUG((DEBUG_INFO, "%a: GetRNG algorithm Hash-256 - Status = %r\n", __FUNCTION__, Status));
++  DEBUG ((DEBUG_INFO, "%a: GetRNG algorithm default - Status = %r\n", __func__, Status));
+   if (!EFI_ERROR (Status)) {
+     return Status;
+   }
+-- 
+2.39.3
+

SOURCES/edk2-MdePkg-Rng-Add-GUID-to-describe-Arm-Rndr-Rng-algorit.patch

@@ -0,0 +1,91 @@
+From 2a01056c29542a10941cb32929032b80df091a17 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 20 Jun 2024 16:04:48 -0400
+Subject: [PATCH 19/31] MdePkg/Rng: Add GUID to describe Arm Rndr Rng
+ algorithms
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [19/31] 58b0f069c74b00eb6476427dd84a50a86aceb598
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Fri Aug 11 16:33:06 2023 +0200
+
+    MdePkg/Rng: Add GUID to describe Arm Rndr Rng algorithms
+
+    BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4441
+
+    The EFI_RNG_PROTOCOL can rely on the RngLib. The RngLib has multiple
+    implementations, some of them are unsafe (e.g. BaseRngLibTimerLib).
+    To allow the RngDxe to detect when such implementation is used,
+    a GetRngGuid() function is added in a following patch.
+
+    Prepare GetRngGuid() return values and add a gEfiRngAlgorithmArmRndr
+    to describe a Rng algorithm accessed through Arm's RNDR instruction.
+    [1] states that the implementation of this algorithm should be
+    compliant to NIST SP900-80. The compliance is not guaranteed.
+
+    [1] Arm Architecture Reference Manual Armv8, for A-profile architecture
+    sK12.1 'Properties of the generated random number'
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
+    Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+    Acked-by: Ard Biesheuvel <ardb@kernel.org>
+    Tested-by: Kun Qin <kun.qin@microsoft.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ MdePkg/Include/Protocol/Rng.h | 10 ++++++++++
+ MdePkg/MdePkg.dec             |  1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/MdePkg/Include/Protocol/Rng.h b/MdePkg/Include/Protocol/Rng.h
+index baf425587b..38bde53240 100644
+--- a/MdePkg/Include/Protocol/Rng.h
++++ b/MdePkg/Include/Protocol/Rng.h
+@@ -67,6 +67,15 @@ typedef EFI_GUID EFI_RNG_ALGORITHM;
+   { \
+     0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 } \
+   }
++///
++/// The Arm Architecture states the RNDR that the DRBG algorithm should be compliant
++/// with NIST SP800-90A, while not mandating a particular algorithm, so as to be
++/// inclusive of different geographies.
++///
++#define EFI_RNG_ALGORITHM_ARM_RNDR \
++  { \
++    0x43d2fde3, 0x9d4e, 0x4d79,  {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41} \
++  }
+ 
+ /**
+   Returns information about the random number generation implementation.
+@@ -146,5 +155,6 @@ extern EFI_GUID  gEfiRngAlgorithmSp80090Ctr256Guid;
+ extern EFI_GUID  gEfiRngAlgorithmX9313DesGuid;
+ extern EFI_GUID  gEfiRngAlgorithmX931AesGuid;
+ extern EFI_GUID  gEfiRngAlgorithmRaw;
++extern EFI_GUID  gEfiRngAlgorithmArmRndr;
+ 
+ #endif
+diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
+index 8f05e822ac..36501e8bb9 100644
+--- a/MdePkg/MdePkg.dec
++++ b/MdePkg/MdePkg.dec
+@@ -594,6 +594,7 @@
+   gEfiRngAlgorithmX9313DesGuid       = { 0x63c4785a, 0xca34, 0x4012, {0xa3, 0xc8, 0x0b, 0x6a, 0x32, 0x4f, 0x55, 0x46 }}
+   gEfiRngAlgorithmX931AesGuid        = { 0xacd03321, 0x777e, 0x4d3d, {0xb1, 0xc8, 0x20, 0xcf, 0xd8, 0x88, 0x20, 0xc9 }}
+   gEfiRngAlgorithmRaw                = { 0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 }}
++  gEfiRngAlgorithmArmRndr            = { 0x43d2fde3, 0x9d4e, 0x4d79, {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41 }}
+ 
+   ## Include/Protocol/AdapterInformation.h
+   gEfiAdapterInfoMediaStateGuid       = { 0xD7C74207, 0xA831, 0x4A26, {0xB1, 0xF5, 0xD1, 0x93, 0x06, 0x5C, 0xE8, 0xB6 }}
+-- 
+2.39.3
+

SOURCES/edk2-MdePkg-Rng-Add-GetRngGuid-to-RngLib.patch

@@ -0,0 +1,409 @@
+From b466e2545e25ebb2004ae9b9f95c6c2f60d1f168 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 20 Jun 2024 16:08:28 -0400
+Subject: [PATCH 21/31] MdePkg/Rng: Add GetRngGuid() to RngLib
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [21/31] 54783ad88ba101c620240aa463c5d758fa416c31
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit 5443c2dc310d2c8eb15fb8eefd5057342e78cd0d
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Fri Aug 11 16:33:08 2023 +0200
+
+    MdePkg/Rng: Add GetRngGuid() to RngLib
+
+    The EFI_RNG_PROTOCOL can use the RngLib. The RngLib has multiple
+    implementations, some of them are unsafe (e.g. BaseRngLibTimerLib).
+    To allow the RngDxe to detect when such implementation is used,
+    add a GetRngGuid() function to the RngLib.
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+    Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
+    Acked-by: Ard Biesheuvel <ardb@kernel.org>
+    Tested-by: Kun Qin <kun.qin@microsoft.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../BaseRngLibTimerLib/BaseRngLibTimerLib.inf |  4 ++
+ .../Library/BaseRngLibTimerLib/RngLibTimer.c  | 28 +++++++++++++
+ MdePkg/Include/Library/RngLib.h               | 19 ++++++++-
+ MdePkg/Library/BaseRngLib/AArch64/Rndr.c      | 42 +++++++++++++++++++
+ MdePkg/Library/BaseRngLib/BaseRngLib.inf      | 10 +++++
+ MdePkg/Library/BaseRngLib/Rand/RdRand.c       | 26 ++++++++++++
+ .../Library/BaseRngLibNull/BaseRngLibNull.c   | 22 ++++++++++
+ .../Library/BaseRngLibTimerLib/RngLibTimer.c  | 23 ++++++++++
+ MdePkg/Library/DxeRngLib/DxeRngLib.c          | 28 +++++++++++++
+ 9 files changed, 201 insertions(+), 1 deletion(-)
+
+diff --git a/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf b/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+index f729001060..8461260cc8 100644
+--- a/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
++++ b/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+@@ -29,6 +29,10 @@
+ 
+ [Packages]
+   MdePkg/MdePkg.dec
++  MdeModulePkg/MdeModulePkg.dec
++
++[Guids]
++  gEdkiiRngAlgorithmUnSafe
+ 
+ [LibraryClasses]
+   BaseLib
+diff --git a/MdeModulePkg/Library/BaseRngLibTimerLib/RngLibTimer.c b/MdeModulePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
+index 980854d67b..28ff46c71f 100644
+--- a/MdeModulePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
++++ b/MdeModulePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
+@@ -2,14 +2,18 @@
+   BaseRng Library that uses the TimerLib to provide reasonably random numbers.
+   Do not use this on a production system.
+ 
++  Copyright (c) 2023, Arm Limited. All rights reserved.
+   Copyright (c) Microsoft Corporation.
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ **/
+ 
+ #include <Base.h>
++#include <Uefi.h>
+ #include <Library/BaseLib.h>
++#include <Library/BaseMemoryLib.h>
+ #include <Library/DebugLib.h>
+ #include <Library/TimerLib.h>
++#include <Guid/RngAlgorithm.h>
+ 
+ #define DEFAULT_DELAY_TIME_IN_MICROSECONDS  10
+ 
+@@ -190,3 +194,27 @@ GetRandomNumber128 (
+   // Read second 64 bits
+   return GetRandomNumber64 (++Rand);
+ }
++
++/**
++  Get a GUID identifying the RNG algorithm implementation.
++
++  @param [out] RngGuid  If success, contains the GUID identifying
++                        the RNG algorithm implementation.
++
++  @retval EFI_SUCCESS             Success.
++  @retval EFI_UNSUPPORTED         Not supported.
++  @retval EFI_INVALID_PARAMETER   Invalid parameter.
++**/
++EFI_STATUS
++EFIAPI
++GetRngGuid (
++  GUID  *RngGuid
++  )
++{
++  if (RngGuid == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  CopyMem (RngGuid, &gEdkiiRngAlgorithmUnSafe, sizeof (*RngGuid));
++  return EFI_SUCCESS;
++}
+diff --git a/MdePkg/Include/Library/RngLib.h b/MdePkg/Include/Library/RngLib.h
+index 05e513022e..801aa6d5bd 100644
+--- a/MdePkg/Include/Library/RngLib.h
++++ b/MdePkg/Include/Library/RngLib.h
+@@ -1,6 +1,7 @@
+ /** @file
+   Provides random number generator services.
+ 
++Copyright (c) 2023, Arm Limited. All rights reserved.<BR>
+ Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+@@ -77,4 +78,20 @@ GetRandomNumber128 (
+   OUT     UINT64                    *Rand
+   );
+ 
+-#endif  // __RNG_LIB_H__
++/**
++  Get a GUID identifying the RNG algorithm implementation.
++
++  @param [out] RngGuid  If success, contains the GUID identifying
++                        the RNG algorithm implementation.
++
++  @retval EFI_SUCCESS             Success.
++  @retval EFI_UNSUPPORTED         Not supported.
++  @retval EFI_INVALID_PARAMETER   Invalid parameter.
++**/
++EFI_STATUS
++EFIAPI
++GetRngGuid (
++  GUID  *RngGuid
++  );
++
++#endif // __RNG_LIB_H__
+diff --git a/MdePkg/Library/BaseRngLib/AArch64/Rndr.c b/MdePkg/Library/BaseRngLib/AArch64/Rndr.c
+index c9f8c813ed..7641314a54 100644
+--- a/MdePkg/Library/BaseRngLib/AArch64/Rndr.c
++++ b/MdePkg/Library/BaseRngLib/AArch64/Rndr.c
+@@ -2,6 +2,7 @@
+   Random number generator service that uses the RNDR instruction
+   to provide pseudorandom numbers.
+ 
++  Copyright (c) 2023, Arm Limited. All rights reserved.<BR>
+   Copyright (c) 2021, NUVIA Inc. All rights reserved.<BR>
+   Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
+ 
+@@ -11,6 +12,7 @@
+ 
+ #include <Uefi.h>
+ #include <Library/BaseLib.h>
++#include <Library/BaseMemoryLib.h>
+ #include <Library/DebugLib.h>
+ #include <Library/RngLib.h>
+ 
+@@ -137,3 +139,43 @@ ArchIsRngSupported (
+ {
+   return mRndrSupported;
+ }
++
++/**
++  Get a GUID identifying the RNG algorithm implementation.
++
++  @param [out] RngGuid  If success, contains the GUID identifying
++                        the RNG algorithm implementation.
++
++  @retval EFI_SUCCESS             Success.
++  @retval EFI_UNSUPPORTED         Not supported.
++  @retval EFI_INVALID_PARAMETER   Invalid parameter.
++**/
++EFI_STATUS
++EFIAPI
++GetRngGuid (
++  GUID  *RngGuid
++  )
++{
++  GUID  *RngLibGuid;
++
++  if (RngGuid == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  if (!mRndrSupported) {
++    return EFI_UNSUPPORTED;
++  }
++
++  //
++  // If the platform advertises the algorithm behind RNDR instruction,
++  // use it. Otherwise use gEfiRngAlgorithmArmRndr.
++  //
++  RngLibGuid = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
++  if (!IsZeroGuid (RngLibGuid)) {
++    CopyMem (RngGuid, RngLibGuid, sizeof (*RngGuid));
++  } else {
++    CopyMem (RngGuid, &gEfiRngAlgorithmArmRndr, sizeof (*RngGuid));
++  }
++
++  return EFI_SUCCESS;
++}
+diff --git a/MdePkg/Library/BaseRngLib/BaseRngLib.inf b/MdePkg/Library/BaseRngLib/BaseRngLib.inf
+index 1fcceb9414..49503b139b 100644
+--- a/MdePkg/Library/BaseRngLib/BaseRngLib.inf
++++ b/MdePkg/Library/BaseRngLib/BaseRngLib.inf
+@@ -4,6 +4,7 @@
+ #  BaseRng Library that uses CPU RNG instructions (e.g. RdRand) to
+ #  provide random numbers.
+ #
++#  Copyright (c) 2023, Arm Limited. All rights reserved.<BR>
+ #  Copyright (c) 2021, NUVIA Inc. All rights reserved.<BR>
+ #  Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
+ #
+@@ -43,9 +44,18 @@
+   AArch64/ArmReadIdIsar0.asm | MSFT
+   AArch64/ArmRng.asm         | MSFT
+ 
++[Guids.AARCH64]
++  gEfiRngAlgorithmArmRndr
++
++[Guids.Ia32, Guids.X64]
++  gEfiRngAlgorithmSp80090Ctr256Guid
++
+ [Packages]
+   MdePkg/MdePkg.dec
+ 
++[Pcd.AARCH64]
++  gEfiMdePkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm
++
+ [LibraryClasses]
+   BaseLib
+   DebugLib
+diff --git a/MdePkg/Library/BaseRngLib/Rand/RdRand.c b/MdePkg/Library/BaseRngLib/Rand/RdRand.c
+index 09fb875ac3..aee8ea04e8 100644
+--- a/MdePkg/Library/BaseRngLib/Rand/RdRand.c
++++ b/MdePkg/Library/BaseRngLib/Rand/RdRand.c
+@@ -2,6 +2,7 @@
+   Random number generator services that uses RdRand instruction access
+   to provide high-quality random numbers.
+ 
++Copyright (c) 2023, Arm Limited. All rights reserved.<BR>
+ Copyright (c) 2021, NUVIA Inc. All rights reserved.<BR>
+ Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
+ 
+@@ -11,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ #include <Uefi.h>
+ #include <Library/BaseLib.h>
++#include <Library/BaseMemoryLib.h>
+ #include <Library/DebugLib.h>
+ 
+ #include "BaseRngLibInternals.h"
+@@ -129,3 +131,27 @@ ArchIsRngSupported (
+   */
+   return TRUE;
+ }
++
++/**
++  Get a GUID identifying the RNG algorithm implementation.
++
++  @param [out] RngGuid  If success, contains the GUID identifying
++                        the RNG algorithm implementation.
++
++  @retval EFI_SUCCESS             Success.
++  @retval EFI_UNSUPPORTED         Not supported.
++  @retval EFI_INVALID_PARAMETER   Invalid parameter.
++**/
++EFI_STATUS
++EFIAPI
++GetRngGuid (
++  GUID  *RngGuid
++  )
++{
++  if (RngGuid == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  CopyMem (RngGuid, &gEfiRngAlgorithmSp80090Ctr256Guid, sizeof (*RngGuid));
++  return EFI_SUCCESS;
++}
+diff --git a/MdePkg/Library/BaseRngLibNull/BaseRngLibNull.c b/MdePkg/Library/BaseRngLibNull/BaseRngLibNull.c
+index cad30599ea..34a18e6a4d 100644
+--- a/MdePkg/Library/BaseRngLibNull/BaseRngLibNull.c
++++ b/MdePkg/Library/BaseRngLibNull/BaseRngLibNull.c
+@@ -1,13 +1,16 @@
+ /** @file
+   Null version of Random number generator services.
+ 
++Copyright (c) 2023, Arm Limited. All rights reserved.<BR>
+ Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+ 
++#include <Uefi.h>
+ #include <Library/DebugLib.h>
+ #include <Library/RngLib.h>
++#include <Protocol/Rng.h>
+ 
+ /**
+   Generates a 16-bit random number.
+@@ -92,3 +95,22 @@ GetRandomNumber128 (
+   ASSERT (FALSE);
+   return FALSE;
+ }
++
++/**
++  Get a GUID identifying the RNG algorithm implementation.
++
++  @param [out] RngGuid  If success, contains the GUID identifying
++                        the RNG algorithm implementation.
++
++  @retval EFI_SUCCESS             Success.
++  @retval EFI_UNSUPPORTED         Not supported.
++  @retval EFI_INVALID_PARAMETER   Invalid parameter.
++**/
++EFI_STATUS
++EFIAPI
++GetRngGuid (
++  GUID  *RngGuid
++  )
++{
++  return EFI_UNSUPPORTED;
++}
+diff --git a/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c b/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
+index 6b8392162b..7337500fec 100644
+--- a/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
++++ b/MdePkg/Library/BaseRngLibTimerLib/RngLibTimer.c
+@@ -209,3 +209,26 @@ GetRandomNumber128 (
+   // Read second 64 bits
+   return GetRandomNumber64 (++Rand);
+ }
++
++/**
++  Get a GUID identifying the RNG algorithm implementation.
++
++  @param [out] RngGuid  If success, contains the GUID identifying
++                        the RNG algorithm implementation.
++
++  @retval EFI_SUCCESS             Success.
++  @retval EFI_UNSUPPORTED         Not supported.
++  @retval EFI_INVALID_PARAMETER   Invalid parameter.
++**/
++RETURN_STATUS
++EFIAPI
++GetRngGuid (
++  GUID  *RngGuid
++  )
++{
++  /* This implementation is to be replaced by its MdeModulePkg copy.
++   * The cause being that some GUIDs (gEdkiiRngAlgorithmUnSafe) cannot
++   * be defined in the MdePkg.
++   */
++  return RETURN_UNSUPPORTED;
++}
+diff --git a/MdePkg/Library/DxeRngLib/DxeRngLib.c b/MdePkg/Library/DxeRngLib/DxeRngLib.c
+index 4b2fc1cde5..20248b4107 100644
+--- a/MdePkg/Library/DxeRngLib/DxeRngLib.c
++++ b/MdePkg/Library/DxeRngLib/DxeRngLib.c
+@@ -1,6 +1,7 @@
+ /** @file
+  Provides an implementation of the library class RngLib that uses the Rng protocol.
+ 
++ Copyright (c) 2023, Arm Limited. All rights reserved.
+  Copyright (c) Microsoft Corporation. All rights reserved.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+@@ -204,3 +205,30 @@ GetRandomNumber128 (
+   }
+   return TRUE;
+ }
++
++/**
++  Get a GUID identifying the RNG algorithm implementation.
++
++  @param [out] RngGuid  If success, contains the GUID identifying
++                        the RNG algorithm implementation.
++
++  @retval EFI_SUCCESS             Success.
++  @retval EFI_UNSUPPORTED         Not supported.
++  @retval EFI_INVALID_PARAMETER   Invalid parameter.
++**/
++EFI_STATUS
++EFIAPI
++GetRngGuid (
++  GUID  *RngGuid
++  )
++{
++  /* It is not possible to know beforehand which Rng algorithm will
++   * be used by this library.
++   * This API is mainly used by RngDxe. RngDxe relies on the RngLib.
++   * The RngLib|DxeRngLib.inf implementation locates and uses an installed
++   * EFI_RNG_PROTOCOL.
++   * It is thus not possible to have both RngDxe and RngLib|DxeRngLib.inf.
++   * and it is ok not to support this API.
++   */
++  return EFI_UNSUPPORTED;
++}
+-- 
+2.39.3
+

SOURCES/edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch

@@ -0,0 +1,63 @@
+From 634ee7a8cef2eac9f41cff4b42859d9d54b204bf Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 20 Jun 2024 10:35:27 -0400
+Subject: [PATCH 29/31] MdePkg/X86UnitTestHost: set rdrand cpuid bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [29/31] 60851c6253df6f0114dc2c5598e0dde139d56c4c
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit 5e776299a2604b336a947e68593012ab2cc16eb4
+Author: Gerd Hoffmann <kraxel@redhat.com>
+Date:   Fri Jun 14 11:45:53 2024 +0200
+
+    MdePkg/X86UnitTestHost: set rdrand cpuid bit
+
+    Set the rdrand feature bit when faking cpuid for host test cases.
+    Needed to make the CryptoPkg test cases work.
+
+    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ MdePkg/Library/BaseLib/X86UnitTestHost.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/BaseLib/X86UnitTestHost.c b/MdePkg/Library/BaseLib/X86UnitTestHost.c
+index d0e428457e..abc092a990 100644
+--- a/MdePkg/Library/BaseLib/X86UnitTestHost.c
++++ b/MdePkg/Library/BaseLib/X86UnitTestHost.c
+@@ -66,6 +66,15 @@ UnitTestHostBaseLibAsmCpuid (
+   OUT     UINT32                    *Edx   OPTIONAL
+   )
+ {
++  UINT32  RetEcx;
++
++  RetEcx = 0;
++  switch (Index) {
++    case 1:
++      RetEcx |= BIT30; /* RdRand */
++      break;
++  }
++
+   if (Eax != NULL) {
+     *Eax = 0;
+   }
+@@ -73,7 +82,7 @@ UnitTestHostBaseLibAsmCpuid (
+     *Ebx = 0;
+   }
+   if (Ecx != NULL) {
+-    *Ecx = 0;
++    *Ecx = RetEcx;
+   }
+   if (Edx != NULL) {
+     *Edx = 0;
+-- 
+2.39.3
+

SOURCES/edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch

@@ -0,0 +1,74 @@
+From 6eceae607639b46ea46ba26a288270bd1c97dc0f Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 13 Jun 2024 18:35:46 -0400
+Subject: [PATCH 31/31] NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow
+ in iPXE environment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [31/31] 2088a79fef3d6dfec032f2f560ccf87ae42d786f
+
+JIRA: https://issues.redhat.com/browse/RHEL-21854
+Upstream: Merged
+CVE: CVE-2023-45236
+
+commit ced13b93afea87a8a1fe6ddbb67240a84cb2e3d3
+Author: Sam <Sam_Tsai@wiwynn.com>
+Date:   Wed May 29 07:46:03 2024 +0800
+
+    NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in iPXE environment
+
+    This bug fix is based on the following commit "NetworkPkg TcpDxe: SECURITY PATCH"
+    REF: 1904a64
+
+    Issue Description:
+    An "Invalid handle" error was detected during runtime when attempting to destroy a child instance of the hashing protocol. The problematic code segment was:
+
+    NetworkPkg\TcpDxe\TcpDriver.c
+    Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, ​&mHash2ServiceHandle);
+
+    Root Cause Analysis:
+    The root cause of the error was the passing of an incorrect parameter type, a pointer to an EFI_HANDLE instead of an EFI_HANDLE itself, to the DestroyChild function. This mismatch resulted in the function receiving an invalid handle.
+
+    Implemented Solution:
+    To resolve this issue, the function call was corrected to pass mHash2ServiceHandle directly:
+
+    NetworkPkg\TcpDxe\TcpDriver.c
+    Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, mHash2ServiceHandle);
+
+    This modification ensures the correct handle type is used, effectively rectifying the "Invalid handle" error.
+
+    Verification:
+    Testing has been conducted, confirming the efficacy of the fix. Additionally, the BIOS can boot into the OS in an iPXE environment.
+
+    Cc: Doug Flick [MSFT] <doug.edk2@gmail.com>
+
+    Signed-off-by: Sam Tsai [Wiwynn] <sam_tsai@wiwynn.com>
+    Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ NetworkPkg/TcpDxe/TcpDriver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
+index 34ae838ae0..1aec292501 100644
+--- a/NetworkPkg/TcpDxe/TcpDriver.c
++++ b/NetworkPkg/TcpDxe/TcpDriver.c
+@@ -509,7 +509,7 @@ TcpDestroyService (
+     //
+     // Destroy the instance of the hashing protocol for this controller.
+     //
+-    Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
++    Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, mHash2ServiceHandle);
+     if (EFI_ERROR (Status)) {
+       return EFI_UNSUPPORTED;
+     }
+-- 
+2.39.3
+

SOURCES/edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch

@@ -0,0 +1,808 @@
+From 1e7f4034ddc0896e16c981d4220a1178813b4e86 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 11 Jun 2024 15:20:29 -0400
+Subject: [PATCH 30/31] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [30/31] 9ae15a2abf1d9bd0a0df1ff73a88446b9eb33602
+
+JIRA: https://issues.redhat.com/browse/RHEL-21854
+Upstream: Merged
+CVE: CVE-2023-45236
+Conflicts: Didn't add new file NetworkPkg/SecurityFixes.yaml
+
+commit 1904a64bcc18199738e5be183d28887ac5d837d7
+Author: Doug Flick <dougflick@microsoft.com>
+Date:   Wed May 8 22:56:29 2024 -0700
+
+    NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236
+
+    REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541
+    REF: https://www.rfc-editor.org/rfc/rfc1948.txt
+    REF: https://www.rfc-editor.org/rfc/rfc6528.txt
+    REF: https://www.rfc-editor.org/rfc/rfc9293.txt
+
+    Bug Overview:
+    PixieFail Bug #8
+    CVE-2023-45236
+    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
+    CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
+
+    Updates TCP ISN generation to use a cryptographic hash of the
+    connection's identifying parameters and a secret key.
+    This prevents an attacker from guessing the ISN used for some other
+    connection.
+
+    This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293.
+
+    RFC: 9293 Section 3.4.1.  Initial Sequence Number Selection
+
+       A TCP implementation MUST use the above type of "clock" for clock-
+       driven selection of initial sequence numbers (MUST-8), and SHOULD
+       generate its initial sequence numbers with the expression:
+
+       ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
+
+       where M is the 4 microsecond timer, and F() is a pseudorandom
+       function (PRF) of the connection's identifying parameters ("localip,
+       localport, remoteip, remoteport") and a secret key ("secretkey")
+       (SHLD-1).  F() MUST NOT be computable from the outside (MUST-9), or
+       an attacker could still guess at sequence numbers from the ISN used
+       for some other connection.  The PRF could be implemented as a
+       cryptographic hash of the concatenation of the TCP connection
+       parameters and some secret data.  For discussion of the selection of
+       a specific hash algorithm and management of the secret key data,
+       please see Section 3 of [42].
+
+       For each connection there is a send sequence number and a receive
+       sequence number.  The initial send sequence number (ISS) is chosen by
+       the data sending TCP peer, and the initial receive sequence number
+       (IRS) is learned during the connection-establishing procedure.
+
+       For a connection to be established or initialized, the two TCP peers
+       must synchronize on each other's initial sequence numbers.  This is
+       done in an exchange of connection-establishing segments carrying a
+       control bit called "SYN" (for synchronize) and the initial sequence
+       numbers.  As a shorthand, segments carrying the SYN bit are also
+       called "SYNs".  Hence, the solution requires a suitable mechanism for
+       picking an initial sequence number and a slightly involved handshake
+       to exchange the ISNs.
+
+    Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
+    Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
+
+    Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+    Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ NetworkPkg/TcpDxe/TcpDriver.c |  92 ++++++++++++-
+ NetworkPkg/TcpDxe/TcpDxe.inf  |   8 +-
+ NetworkPkg/TcpDxe/TcpFunc.h   |  23 ++--
+ NetworkPkg/TcpDxe/TcpInput.c  |  13 +-
+ NetworkPkg/TcpDxe/TcpMain.h   |  59 ++++++--
+ NetworkPkg/TcpDxe/TcpMisc.c   | 244 ++++++++++++++++++++++++++++++++--
+ NetworkPkg/TcpDxe/TcpTimer.c  |   3 +-
+ 7 files changed, 394 insertions(+), 48 deletions(-)
+
+diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
+index 430911c2f4..34ae838ae0 100644
+--- a/NetworkPkg/TcpDxe/TcpDriver.c
++++ b/NetworkPkg/TcpDxe/TcpDriver.c
+@@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL  gTcpServiceBinding = {
+   TcpServiceBindingDestroyChild
+ };
+ 
++//
++// This is the handle for the Hash2ServiceBinding Protocol instance this driver produces
++// if the platform does not provide one.
++//
++EFI_HANDLE  mHash2ServiceHandle = NULL;
++
+ /**
+   Create and start the heartbeat timer for the TCP driver.
+ 
+@@ -165,6 +171,23 @@ TcpDriverEntryPoint (
+   EFI_STATUS  Status;
+   UINT32      Random;
+ 
++  //
++  // Initialize the Secret used for hashing TCP sequence numbers
++  //
++  // Normally this should be regenerated periodically, but since
++  // this is only used for UEFI networking and not a general purpose
++  // operating system, it is not necessary to regenerate it.
++  //
++  Status = PseudoRandomU32 (&mTcpGlobalSecret);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
++    return Status;
++  }
++
++  //
++  // Get a random number used to generate a random port number
++  // Intentionally not linking this to mTcpGlobalSecret to avoid leaking information about the secret
++  //
+   Status = PseudoRandomU32 (&Random);
+   if (EFI_ERROR (Status)) {
+     DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status));
+@@ -207,9 +230,8 @@ TcpDriverEntryPoint (
+   }
+ 
+   //
+-  // Initialize ISS and random port.
++  // Initialize the random port.
+   //
+-  mTcpGlobalIss   = Random % mTcpGlobalIss;
+   mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN));
+   mTcp6RandomPort = mTcp4RandomPort;
+ 
+@@ -224,6 +246,8 @@ TcpDriverEntryPoint (
+   @param[in]  IpVersion          IP_VERSION_4 or IP_VERSION_6.
+ 
+   @retval EFI_OUT_OF_RESOURCES   Failed to allocate some resources.
++  @retval EFI_UNSUPPORTED        Service Binding Protocols are unavailable.
++  @retval EFI_ALREADY_STARTED    The TCP driver is already started on the controller.
+   @retval EFI_SUCCESS            A new IP6 service binding private was created.
+ 
+ **/
+@@ -234,11 +258,13 @@ TcpCreateService (
+   IN UINT8       IpVersion
+   )
+ {
+-  EFI_STATUS        Status;
+-  EFI_GUID          *IpServiceBindingGuid;
+-  EFI_GUID          *TcpServiceBindingGuid;
+-  TCP_SERVICE_DATA  *TcpServiceData;
+-  IP_IO_OPEN_DATA   OpenData;
++  EFI_STATUS                    Status;
++  EFI_GUID                      *IpServiceBindingGuid;
++  EFI_GUID                      *TcpServiceBindingGuid;
++  TCP_SERVICE_DATA              *TcpServiceData;
++  IP_IO_OPEN_DATA               OpenData;
++  EFI_SERVICE_BINDING_PROTOCOL  *Hash2ServiceBinding;
++  EFI_HASH2_PROTOCOL            *Hash2Protocol;
+ 
+   if (IpVersion == IP_VERSION_4) {
+     IpServiceBindingGuid  = &gEfiIp4ServiceBindingProtocolGuid;
+@@ -272,6 +298,33 @@ TcpCreateService (
+     return EFI_UNSUPPORTED;
+   }
+ 
++  Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
++  if (EFI_ERROR (Status)) {
++    //
++    // If we can't find the Hashing protocol, then we need to create one.
++    //
++
++    //
++    // Platform is expected to publish the hash service binding protocol to support TCP.
++    //
++    Status = gBS->LocateProtocol (
++                    &gEfiHash2ServiceBindingProtocolGuid,
++                    NULL,
++                    (VOID **)&Hash2ServiceBinding
++                    );
++    if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->CreateChild == NULL)) {
++      return EFI_UNSUPPORTED;
++    }
++
++    //
++    // Create an instance of the hash protocol for this controller.
++    //
++    Status = Hash2ServiceBinding->CreateChild (Hash2ServiceBinding, &mHash2ServiceHandle);
++    if (EFI_ERROR (Status)) {
++      return EFI_UNSUPPORTED;
++    }
++  }
++
+   //
+   // Create the TCP service data.
+   //
+@@ -423,6 +476,7 @@ TcpDestroyService (
+   EFI_STATUS                               Status;
+   LIST_ENTRY                               *List;
+   TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT  Context;
++  EFI_SERVICE_BINDING_PROTOCOL             *Hash2ServiceBinding;
+ 
+   ASSERT ((IpVersion == IP_VERSION_4) || (IpVersion == IP_VERSION_6));
+ 
+@@ -439,6 +493,30 @@ TcpDestroyService (
+     return EFI_SUCCESS;
+   }
+ 
++  //
++  // Destroy the Hash2ServiceBinding instance if it is created by Tcp driver.
++  //
++  if (mHash2ServiceHandle != NULL) {
++    Status = gBS->LocateProtocol (
++                    &gEfiHash2ServiceBindingProtocolGuid,
++                    NULL,
++                    (VOID **)&Hash2ServiceBinding
++                    );
++    if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->DestroyChild == NULL)) {
++      return EFI_UNSUPPORTED;
++    }
++
++    //
++    // Destroy the instance of the hashing protocol for this controller.
++    //
++    Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
++    if (EFI_ERROR (Status)) {
++      return EFI_UNSUPPORTED;
++    }
++
++    mHash2ServiceHandle = NULL;
++  }
++
+   Status = gBS->OpenProtocol (
+                   NicHandle,
+                   ServiceBindingGuid,
+diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
+index cf5423f4c5..76de4cf9ec 100644
+--- a/NetworkPkg/TcpDxe/TcpDxe.inf
++++ b/NetworkPkg/TcpDxe/TcpDxe.inf
+@@ -6,6 +6,7 @@
+ #  stack has been loaded in system. This driver supports both IPv4 and IPv6 network stack.
+ #
+ #  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
++#  Copyright (c) Microsoft Corporation
+ #
+ #  SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+@@ -68,7 +69,6 @@
+   NetLib
+   IpIoLib
+ 
+-
+ [Protocols]
+   ## SOMETIMES_CONSUMES
+   ## SOMETIMES_PRODUCES
+@@ -81,6 +81,12 @@
+   gEfiIp6ServiceBindingProtocolGuid             ## TO_START
+   gEfiTcp6ProtocolGuid                          ## BY_START
+   gEfiTcp6ServiceBindingProtocolGuid            ## BY_START
++  gEfiHash2ProtocolGuid                         ## BY_START
++  gEfiHash2ServiceBindingProtocolGuid           ## BY_START
++
++[Guids]
++  gEfiHashAlgorithmMD5Guid                      ## CONSUMES
++  gEfiHashAlgorithmSha256Guid                   ## CONSUMES
+ 
+ [Depex]
+   gEfiHash2ServiceBindingProtocolGuid
+diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h
+index 05cd3c75dc..e578b8bb29 100644
+--- a/NetworkPkg/TcpDxe/TcpFunc.h
++++ b/NetworkPkg/TcpDxe/TcpFunc.h
+@@ -2,7 +2,7 @@
+   Declaration of external functions shared in TCP driver.
+ 
+   Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
+-
++  Copyright (c) Microsoft Corporation
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -36,8 +36,11 @@ VOID
+ 
+   @param[in, out]  Tcb               Pointer to the TCP_CB of this TCP instance.
+ 
++  @retval EFI_SUCCESS             The operation completed successfully
++  @retval others                  The underlying functions failed and could not complete the operation
++
+ **/
+-VOID
++EFI_STATUS
+ TcpInitTcbLocal (
+   IN OUT TCP_CB *Tcb
+   );
+@@ -128,17 +131,6 @@ TcpCloneTcb (
+   IN TCP_CB *Tcb
+   );
+ 
+-/**
+-  Compute an ISS to be used by a new connection.
+-
+-  @return The result ISS.
+-
+-**/
+-TCP_SEQNO
+-TcpGetIss (
+-  VOID
+-  );
+-
+ /**
+   Get the local mss.
+ 
+@@ -202,8 +194,11 @@ TcpFormatNetbuf (
+   @param[in, out]  Tcb          Pointer to the TCP_CB that wants to initiate a
+                                 connection.
+ 
++  @retval EFI_SUCCESS             The operation completed successfully
++  @retval others                  The underlying functions failed and could not complete the operation
++
+ **/
+-VOID
++EFI_STATUS
+ TcpOnAppConnect (
+   IN OUT TCP_CB  *Tcb
+   );
+diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c
+index 5e6c8c54ca..c0656ccd7d 100644
+--- a/NetworkPkg/TcpDxe/TcpInput.c
++++ b/NetworkPkg/TcpDxe/TcpInput.c
+@@ -759,6 +759,7 @@ TcpInput (
+   TCP_SEQNO   Urg;
+   UINT16      Checksum;
+   INT32       Usable;
++  EFI_STATUS  Status;
+ 
+   ASSERT ((Version == IP_VERSION_4) || (Version == IP_VERSION_6));
+ 
+@@ -908,7 +909,17 @@ TcpInput (
+       Tcb->LocalEnd.Port  = Head->DstPort;
+       Tcb->RemoteEnd.Port = Head->SrcPort;
+ 
+-      TcpInitTcbLocal (Tcb);
++      Status = TcpInitTcbLocal (Tcb);
++      if (EFI_ERROR (Status)) {
++        DEBUG (
++          (DEBUG_ERROR,
++           "TcpInput: discard a segment because failed to init local end for TCB %p\n",
++           Tcb)
++          );
++
++        goto DISCARD;
++      }
++
+       TcpInitTcbPeer (Tcb, Seg, &Option);
+ 
+       TcpSetState (Tcb, TCP_SYN_RCVD);
+diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h
+index 0709298bbf..3fa572d3d4 100644
+--- a/NetworkPkg/TcpDxe/TcpMain.h
++++ b/NetworkPkg/TcpDxe/TcpMain.h
+@@ -3,6 +3,7 @@
+   It is the common head file for all Tcp*.c in TCP driver.
+ 
+   Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
++  Copyright (c) Microsoft Corporation
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -12,6 +13,7 @@
+ 
+ #include <Protocol/ServiceBinding.h>
+ #include <Protocol/DriverBinding.h>
++#include <Protocol/Hash2.h>
+ #include <Library/IpIoLib.h>
+ #include <Library/DevicePathLib.h>
+ #include <Library/PrintLib.h>
+@@ -30,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE      *gTcpControllerNameTable;
+ 
+ extern LIST_ENTRY  mTcpRunQue;
+ extern LIST_ENTRY  mTcpListenQue;
+-extern TCP_SEQNO   mTcpGlobalIss;
++extern TCP_SEQNO   mTcpGlobalSecret;
+ extern UINT32      mTcpTick;
+ 
+ ///
+@@ -44,15 +46,6 @@ extern UINT32      mTcpTick;
+ 
+ #define TCP_EXPIRE_TIME            65535
+ 
+-///
+-/// The implementation selects the initial send sequence number and the unit to
+-/// be added when it is increased.
+-///
+-#define TCP_BASE_ISS               0x4d7e980b
+-#define TCP_ISS_INCREMENT_1        2048
+-#define TCP_ISS_INCREMENT_2        100
+-
+-
+ typedef union {
+   EFI_TCP4_CONFIG_DATA    Tcp4CfgData;
+   EFI_TCP6_CONFIG_DATA    Tcp6CfgData;
+@@ -774,4 +767,50 @@ Tcp6Poll (
+   IN EFI_TCP6_PROTOCOL  *This
+   );
+ 
++/**
++  Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
++  and remote IP addresses and ports.
++
++  This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
++  Where the ISN is computed as follows:
++    ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
++
++  Otherwise:
++    ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
++
++    "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
++    connection's identifying parameters ("localip, localport, remoteip, remoteport")
++    and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
++    outside (MUST-9), or an attacker could still guess at sequence numbers from the
++    ISN used for some other connection. The PRF could be implemented as a
++    cryptographic hash of the concatenation of the TCP connection parameters and some
++    secret data. For discussion of the selection of a specific hash algorithm and
++    management of the secret key data."
++
++  @param[in]       LocalIp        A pointer to the local IP address of the TCP connection.
++  @param[in]       LocalIpSize    The size, in bytes, of the LocalIp buffer.
++  @param[in]       LocalPort      The local port number of the TCP connection.
++  @param[in]       RemoteIp       A pointer to the remote IP address of the TCP connection.
++  @param[in]       RemoteIpSize   The size, in bytes, of the RemoteIp buffer.
++  @param[in]       RemotePort     The remote port number of the TCP connection.
++  @param[out]      Isn            A pointer to the variable that will receive the Initial
++                                  Sequence Number (ISN).
++
++  @retval EFI_SUCCESS             The operation completed successfully, and the ISN was
++                                  retrieved.
++  @retval EFI_INVALID_PARAMETER   One or more of the input parameters are invalid.
++  @retval EFI_UNSUPPORTED         The operation is not supported.
++
++**/
++EFI_STATUS
++TcpGetIsn (
++  IN UINT8       *LocalIp,
++  IN UINTN       LocalIpSize,
++  IN UINT16      LocalPort,
++  IN UINT8       *RemoteIp,
++  IN UINTN       RemoteIpSize,
++  IN UINT16      RemotePort,
++  OUT TCP_SEQNO  *Isn
++  );
++
+ #endif
+diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c
+index 3fa9d90d9f..42dc9fa941 100644
+--- a/NetworkPkg/TcpDxe/TcpMisc.c
++++ b/NetworkPkg/TcpDxe/TcpMisc.c
+@@ -3,6 +3,7 @@
+ 
+   (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
+   Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
++  Copyright (c) Microsoft Corporation
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -19,7 +20,34 @@ LIST_ENTRY  mTcpListenQue = {
+   &mTcpListenQue
+ };
+ 
+-TCP_SEQNO       mTcpGlobalIss = TCP_BASE_ISS;
++//
++// The Session secret
++// This must be initialized to a random value at boot time
++//
++TCP_SEQNO  mTcpGlobalSecret;
++
++//
++// Union to hold either an IPv4 or IPv6 address
++// This is used to simplify the ISN hash computation
++//
++typedef union {
++  UINT8    IPv4[4];
++  UINT8    IPv6[16];
++} NETWORK_ADDRESS;
++
++//
++// The ISN is computed by hashing this structure
++// It is initialized with the local and remote IP addresses and ports
++// and the secret
++//
++//
++typedef struct {
++  UINT16             LocalPort;
++  UINT16             RemotePort;
++  NETWORK_ADDRESS    LocalAddress;
++  NETWORK_ADDRESS    RemoteAddress;
++  TCP_SEQNO          Secret;
++} ISN_HASH_CTX;
+ 
+ CHAR16  *mTcpStateName[] = {
+   L"TCP_CLOSED",
+@@ -40,12 +68,18 @@ CHAR16  *mTcpStateName[] = {
+ 
+   @param[in, out]  Tcb               Pointer to the TCP_CB of this TCP instance.
+ 
++  @retval EFI_SUCCESS             The operation completed successfully
++  @retval others                  The underlying functions failed and could not complete the operation
++
+ **/
+-VOID
++EFI_STATUS
+ TcpInitTcbLocal (
+   IN OUT TCP_CB *Tcb
+   )
+ {
++  TCP_SEQNO   Isn;
++  EFI_STATUS  Status;
++
+   //
+   // Compute the checksum of the fixed parts of pseudo header
+   //
+@@ -56,6 +90,16 @@ TcpInitTcbLocal (
+                      0x06,
+                      0
+                      );
++
++    Status = TcpGetIsn (
++               Tcb->LocalEnd.Ip.v4.Addr,
++               sizeof (IPv4_ADDRESS),
++               Tcb->LocalEnd.Port,
++               Tcb->RemoteEnd.Ip.v4.Addr,
++               sizeof (IPv4_ADDRESS),
++               Tcb->RemoteEnd.Port,
++               &Isn
++               );
+   } else {
+     Tcb->HeadSum = NetIp6PseudoHeadChecksum (
+                      &Tcb->LocalEnd.Ip.v6,
+@@ -63,9 +107,25 @@ TcpInitTcbLocal (
+                      0x06,
+                      0
+                      );
++
++    Status = TcpGetIsn (
++               Tcb->LocalEnd.Ip.v6.Addr,
++               sizeof (IPv6_ADDRESS),
++               Tcb->LocalEnd.Port,
++               Tcb->RemoteEnd.Ip.v6.Addr,
++               sizeof (IPv6_ADDRESS),
++               Tcb->RemoteEnd.Port,
++               &Isn
++               );
++  }
++
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: failed to get isn\n"));
++    ASSERT (FALSE);
++    return Status;
+   }
+ 
+-  Tcb->Iss    = TcpGetIss ();
++  Tcb->Iss    = Isn;
+   Tcb->SndUna = Tcb->Iss;
+   Tcb->SndNxt = Tcb->Iss;
+ 
+@@ -81,6 +141,8 @@ TcpInitTcbLocal (
+   Tcb->RetxmitSeqMax = 0;
+ 
+   Tcb->ProbeTimerOn = FALSE;
++
++  return EFI_SUCCESS;
+ }
+ 
+ /**
+@@ -505,18 +567,162 @@ TcpCloneTcb (
+ }
+ 
+ /**
+-  Compute an ISS to be used by a new connection.
+-
+-  @return The resulting ISS.
++  Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
++  and remote IP addresses and ports.
++
++  This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
++  Where the ISN is computed as follows:
++    ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
++
++  Otherwise:
++    ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
++
++    "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
++    connection's identifying parameters ("localip, localport, remoteip, remoteport")
++    and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
++    outside (MUST-9), or an attacker could still guess at sequence numbers from the
++    ISN used for some other connection. The PRF could be implemented as a
++    cryptographic hash of the concatenation of the TCP connection parameters and some
++    secret data. For discussion of the selection of a specific hash algorithm and
++    management of the secret key data."
++
++  @param[in]       LocalIp        A pointer to the local IP address of the TCP connection.
++  @param[in]       LocalIpSize    The size, in bytes, of the LocalIp buffer.
++  @param[in]       LocalPort      The local port number of the TCP connection.
++  @param[in]       RemoteIp       A pointer to the remote IP address of the TCP connection.
++  @param[in]       RemoteIpSize   The size, in bytes, of the RemoteIp buffer.
++  @param[in]       RemotePort     The remote port number of the TCP connection.
++  @param[out]      Isn            A pointer to the variable that will receive the Initial
++                                  Sequence Number (ISN).
++
++  @retval EFI_SUCCESS             The operation completed successfully, and the ISN was
++                                  retrieved.
++  @retval EFI_INVALID_PARAMETER   One or more of the input parameters are invalid.
++  @retval EFI_UNSUPPORTED         The operation is not supported.
+ 
+ **/
+-TCP_SEQNO
+-TcpGetIss (
+-  VOID
++EFI_STATUS
++TcpGetIsn (
++  IN UINT8       *LocalIp,
++  IN UINTN       LocalIpSize,
++  IN UINT16      LocalPort,
++  IN UINT8       *RemoteIp,
++  IN UINTN       RemoteIpSize,
++  IN UINT16      RemotePort,
++  OUT TCP_SEQNO  *Isn
+   )
+ {
+-  mTcpGlobalIss += TCP_ISS_INCREMENT_1;
+-  return mTcpGlobalIss;
++  EFI_STATUS          Status;
++  EFI_HASH2_PROTOCOL  *Hash2Protocol;
++  EFI_HASH2_OUTPUT    HashResult;
++  ISN_HASH_CTX        IsnHashCtx;
++  EFI_TIME            TimeStamp;
++
++  //
++  // Check that the ISN pointer is valid
++  //
++  if (Isn == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  //
++  // The local ip may be a v4 or v6 address and may not be NULL
++  //
++  if ((LocalIp == NULL) || (LocalIpSize == 0) || (RemoteIp == NULL) || (RemoteIpSize == 0)) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  //
++  // the local ip may be a v4 or v6 address
++  //
++  if ((LocalIpSize != sizeof (EFI_IPv4_ADDRESS)) && (LocalIpSize != sizeof (EFI_IPv6_ADDRESS))) {
++    return EFI_INVALID_PARAMETER;
++  }
++
++  //
++  // Locate the Hash Protocol
++  //
++  Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_NET, "Failed to locate Hash Protocol: %r\n", Status));
++
++    //
++    // TcpCreateService(..) is expected to be called prior to this function
++    //
++    ASSERT_EFI_ERROR (Status);
++    return Status;
++  }
++
++  //
++  // Initialize the hash algorithm
++  //
++  Status = Hash2Protocol->HashInit (Hash2Protocol, &gEfiHashAlgorithmSha256Guid);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_NET, "Failed to initialize sha256 hash algorithm: %r\n", Status));
++    return Status;
++  }
++
++  IsnHashCtx.LocalPort  = LocalPort;
++  IsnHashCtx.RemotePort = RemotePort;
++  IsnHashCtx.Secret     = mTcpGlobalSecret;
++
++  //
++  // Check the IP address family and copy accordingly
++  //
++  if (LocalIpSize == sizeof (EFI_IPv4_ADDRESS)) {
++    CopyMem (&IsnHashCtx.LocalAddress.IPv4, LocalIp, LocalIpSize);
++  } else if (LocalIpSize == sizeof (EFI_IPv6_ADDRESS)) {
++    CopyMem (&IsnHashCtx.LocalAddress.IPv6, LocalIp, LocalIpSize);
++  } else {
++    return EFI_INVALID_PARAMETER; // Unsupported address size
++  }
++
++  //
++  // Repeat the process for the remote IP address
++  //
++  if (RemoteIpSize == sizeof (EFI_IPv4_ADDRESS)) {
++    CopyMem (&IsnHashCtx.RemoteAddress.IPv4, RemoteIp, RemoteIpSize);
++  } else if (RemoteIpSize == sizeof (EFI_IPv6_ADDRESS)) {
++    CopyMem (&IsnHashCtx.RemoteAddress.IPv6, RemoteIp, RemoteIpSize);
++  } else {
++    return EFI_INVALID_PARAMETER; // Unsupported address size
++  }
++
++  //
++  // Compute the hash
++  // Update the hash with the data
++  //
++  Status = Hash2Protocol->HashUpdate (Hash2Protocol, (UINT8 *)&IsnHashCtx, sizeof (IsnHashCtx));
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_NET, "Failed to update hash: %r\n", Status));
++    return Status;
++  }
++
++  //
++  // Finalize the hash and retrieve the result
++  //
++  Status = Hash2Protocol->HashFinal (Hash2Protocol, &HashResult);
++  if (EFI_ERROR (Status)) {
++    DEBUG ((DEBUG_NET, "Failed to finalize hash: %r\n", Status));
++    return Status;
++  }
++
++  Status = gRT->GetTime (&TimeStamp, NULL);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  //
++  // copy the first 4 bytes of the hash result into the ISN
++  //
++  CopyMem (Isn, HashResult.Md5Hash, sizeof (*Isn));
++
++  //
++  // now add the timestamp to the ISN as 4 microseconds units (1000 / 4 = 250)
++  //
++  *Isn += (TCP_SEQNO)TimeStamp.Nanosecond * 250;
++
++  return Status;
+ }
+ 
+ /**
+@@ -719,17 +925,29 @@ TcpFormatNetbuf (
+ 
+   @param[in, out]  Tcb          Pointer to the TCP_CB that wants to initiate a
+                                 connection.
++
++  @retval EFI_SUCCESS             The operation completed successfully
++  @retval others                  The underlying functions failed and could not complete the operation
++
+ **/
+-VOID
++EFI_STATUS
+ TcpOnAppConnect (
+   IN OUT TCP_CB  *Tcb
+   )
+ {
+-  TcpInitTcbLocal (Tcb);
++  EFI_STATUS  Status;
++
++  Status = TcpInitTcbLocal (Tcb);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
+   TcpSetState (Tcb, TCP_SYN_SENT);
+ 
+   TcpSetTimer (Tcb, TCP_TIMER_CONNECT, Tcb->ConnectTimeout);
+   TcpToSendData (Tcb, 1);
++
++  return EFI_SUCCESS;
+ }
+ 
+ /**
+diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c
+index 106d9470db..535d09d342 100644
+--- a/NetworkPkg/TcpDxe/TcpTimer.c
++++ b/NetworkPkg/TcpDxe/TcpTimer.c
+@@ -2,7 +2,7 @@
+   TCP timer related functions.
+ 
+   Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
+-
++  Copyright (c) Microsoft Corporation
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -497,7 +497,6 @@ TcpTickingDpc (
+   INT16           Index;
+ 
+   mTcpTick++;
+-  mTcpGlobalIss += TCP_ISS_INCREMENT_2;
+ 
+   //
+   // Don't use LIST_FOR_EACH, which isn't delete safe.
+-- 
+2.39.3
+

SOURCES/edk2-OvmfPkg-wire-up-RngDxe.patch

@@ -0,0 +1,318 @@
+From c74cced5adaab44edf1bbfae63010b3fa31d4c69 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Sun, 23 Jun 2024 19:20:44 -0400
+Subject: [PATCH 27/31] OvmfPkg: wire up RngDxe
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [27/31] 90226f6630261d2823bed33c4e2f6c96a4125027
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+Conflicts: - Needed to apply 9 earlier commits from Pierre Gondois
+             to make this one apply and build.
+	   - Cherry pick wanted to add include files from the
+             missing 'add ShellComponents' (commit 2cb466cc2cbf...)
+             series. This had to be handled manually.
+           - There are no Dsc and Fdf subdirectories under
+             OvmfPkg/Include/ in this version. We adjust includes
+             and move files to OvmfPkg/ where needed.
+
+commit 712797cf19acd292bf203522a79e40e7e13d268b
+Author: Gerd Hoffmann <kraxel@redhat.com>
+Date:   Fri May 24 12:51:17 2024 +0200
+
+    OvmfPkg: wire up RngDxe
+
+    Add OvmfRng include snippets with the random number generator
+    configuration for OVMF.  Include RngDxe, build with BaseRngLib,
+    so the rdrand instruction is used (if available).
+
+    Also move VirtioRng to the include snippets.
+
+    Use the new include snippets for OVMF builds.
+
+    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc      | 2 +-
+ OvmfPkg/AmdSev/AmdSevX64.fdf      | 3 ++-
+ OvmfPkg/IntelTdx/IntelTdxX64.dsc  | 2 +-
+ OvmfPkg/Microvm/MicrovmX64.dsc    | 2 +-
+ OvmfPkg/Microvm/MicrovmX64.fdf    | 3 ++-
+ OvmfPkg/OvmfPkgIa32.dsc           | 2 +-
+ OvmfPkg/OvmfPkgIa32.fdf           | 3 ++-
+ OvmfPkg/OvmfPkgIa32X64.dsc        | 2 +-
+ OvmfPkg/OvmfPkgIa32X64.fdf        | 2 +-
+ OvmfPkg/OvmfPkgX64.dsc            | 2 +-
+ OvmfPkg/OvmfPkgX64.fdf            | 2 +-
+ OvmfPkg/OvmfRngComponents.dsc.inc | 9 +++++++++
+ OvmfPkg/OvmfRngDxe.fdf.inc        | 6 ++++++
+ 13 files changed, 29 insertions(+), 11 deletions(-)
+ create mode 100644 OvmfPkg/OvmfRngComponents.dsc.inc
+ create mode 100644 OvmfPkg/OvmfRngDxe.fdf.inc
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index a1a6897bc2..499ad2e6e8 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -707,7 +707,6 @@
+   OvmfPkg/Virtio10Dxe/Virtio10.inf
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -824,6 +823,7 @@
+       gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
+   }
+ !endif
++!include OvmfPkg/OvmfRngComponents.dsc.inc
+ 
+   OvmfPkg/PlatformDxe/Platform.inf
+   OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index 5662609886..06ff2f1d30 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -222,7 +222,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
+ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -327,6 +326,8 @@ INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+ !endif
+ !endif
+ 
++!include OvmfPkg/OvmfRngDxe.fdf.inc
++
+ ################################################################################
+ 
+ [FV.FVMAIN_COMPACT]
+diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+index d08b77ff25..4f2909b76e 100644
+--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
++++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+@@ -635,7 +635,6 @@
+   OvmfPkg/Virtio10Dxe/Virtio10.inf
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -744,6 +743,7 @@
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+       gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
+   }
++!include OvmfPkg/OvmfRngComponents.dsc.inc
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
+index afd4bf3e98..0efb0b456d 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.dsc
++++ b/OvmfPkg/Microvm/MicrovmX64.dsc
+@@ -694,7 +694,6 @@
+   OvmfPkg/Virtio10Dxe/Virtio10.inf
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+   MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
+   MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
+   MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
+@@ -820,6 +819,7 @@
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+       gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
+   }
++!include OvmfPkg/OvmfRngComponents.dsc.inc
+ 
+   OvmfPkg/PlatformDxe/Platform.inf
+   OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf
+index 6314014f3d..bd5afdafe0 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.fdf
++++ b/OvmfPkg/Microvm/MicrovmX64.fdf
+@@ -230,7 +230,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
+ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ 
+ INF  MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
+ INF  MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
+@@ -322,6 +321,8 @@ INF  OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf
+ INF  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
+ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ 
++!include OvmfPkg/OvmfRngDxe.fdf.inc
++
+ ################################################################################
+ 
+ [FV.FVMAIN_COMPACT]
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 47426c5cd2..f03906a9ff 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -801,7 +801,6 @@
+   OvmfPkg/Virtio10Dxe/Virtio10.inf
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -958,6 +957,7 @@
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+       gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
+   }
++!include OvmfPkg/OvmfRngComponents.dsc.inc
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 00ea14adf0..050148948c 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -228,7 +228,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
+ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -363,6 +362,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ #
+ # TPM support
+ #
++
+ !if $(TPM_ENABLE) == TRUE
+ INF  SecurityPkg/Tcg/TcgDxe/TcgDxe.inf
+ INF  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+@@ -371,6 +371,7 @@ INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+ INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+ !endif
+ !endif
++!include OvmfPkg/OvmfRngDxe.fdf.inc
+ 
+ !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
+ INF  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index d4b30e8133..81145050c3 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -815,7 +815,6 @@
+   OvmfPkg/Virtio10Dxe/Virtio10.inf
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -972,6 +971,7 @@
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+       gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
+   }
++!include OvmfPkg/OvmfRngComponents.dsc.inc
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index e33a40c44e..3e2373f225 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -232,7 +232,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
+ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -381,6 +380,7 @@ INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+ INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+ !endif
+ !endif
++!include OvmfPkg/OvmfRngDxe.fdf.inc
+ 
+ ################################################################################
+ 
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 5b0f6c8747..1cb169b447 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -813,7 +813,6 @@
+   OvmfPkg/Virtio10Dxe/Virtio10.inf
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -970,6 +969,7 @@
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+       gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000
+   }
++!include OvmfPkg/OvmfRngComponents.dsc.inc
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 85b4b23857..8ba0ca437a 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -248,7 +248,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
+ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -397,6 +396,7 @@ INF  SecurityPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+ INF  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf
+ !endif
+ !endif
++!include OvmfPkg/OvmfRngDxe.fdf.inc
+ 
+ ################################################################################
+ 
+diff --git a/OvmfPkg/OvmfRngComponents.dsc.inc b/OvmfPkg/OvmfRngComponents.dsc.inc
+new file mode 100644
+index 0000000000..68839a0caa
+--- /dev/null
++++ b/OvmfPkg/OvmfRngComponents.dsc.inc
+@@ -0,0 +1,9 @@
++##
++#    SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf {
++    <LibraryClasses>
++      RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
++  }
++  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+diff --git a/OvmfPkg/OvmfRngDxe.fdf.inc b/OvmfPkg/OvmfRngDxe.fdf.inc
+new file mode 100644
+index 0000000000..99cb4a32b1
+--- /dev/null
++++ b/OvmfPkg/OvmfRngDxe.fdf.inc
+@@ -0,0 +1,6 @@
++##
++#    SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++INF  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
++INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-Add-AArch64-RawAlgorithm-support-.patch

@@ -0,0 +1,246 @@
+From 660ffc1753c84e89281d54059c0cb73eef7200d0 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 25 Jun 2024 22:27:16 -0400
+Subject: [PATCH 09/31] SecurityPkg/RngDxe: Add AArch64 RawAlgorithm support
+ through ArmTrngLib
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [9/31] 34f5db557b893a686c382a09ceacda728dbd4ad9
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+CVE: CVE-2022-45237
+Upstream: Merged
+
+commit 863fe9e191fb3d90c3283062183692c04cd71975
+Author: Sami Mujawar <sami.mujawar@arm.com>
+Date:   Fri Oct 28 17:32:55 2022 +0200
+
+    SecurityPkg/RngDxe: Add AArch64 RawAlgorithm support through ArmTrngLib
+
+    Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668)
+
+    RawAlgorithm is used to provide access to entropy that is suitable
+    for cryptographic applications. Therefore, add RawAlgorithm support
+    that provides access to entropy using the ArmTrngLib.
+
+    Also remove unused UefiBootServicesTableLib library inclusion
+    and Status variable.
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Acked-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../RngDxe/AArch64/RngDxe.c                   | 28 ++++++--
+ .../RandomNumberGenerator/RngDxe/ArmTrng.c    | 71 +++++++++++++++++++
+ .../RandomNumberGenerator/RngDxe/RngDxe.inf   |  5 ++
+ SecurityPkg/SecurityPkg.dsc                   |  4 ++
+ 4 files changed, 104 insertions(+), 4 deletions(-)
+ create mode 100644 SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+index c9d66d9777..c0b0d28d48 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+@@ -1,11 +1,13 @@
+ /** @file
+   RNG Driver to produce the UEFI Random Number Generator protocol.
+ 
+-  The driver will use the RNDR instruction to produce random numbers.
++  The driver can use RNDR instruction (through the RngLib and if FEAT_RNG is
++  present) to produce random numbers. It also uses the Arm FW-TRNG interface
++  to implement EFI_RNG_ALGORITHM_RAW.
+ 
+   RNG Algorithms defined in UEFI 2.4:
+    - EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID
+-   - EFI_RNG_ALGORITHM_RAW                    - Unsupported
++   - EFI_RNG_ALGORITHM_RAW
+    - EFI_RNG_ALGORITHM_SP800_90_HMAC_256_GUID
+    - EFI_RNG_ALGORITHM_SP800_90_HASH_256_GUID
+    - EFI_RNG_ALGORITHM_X9_31_3DES_GUID        - Unsupported
+@@ -26,12 +28,14 @@
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+ #include <Library/RngLib.h>
++#include <Library/DebugLib.h>
++#include <Library/ArmTrngLib.h>
+ #include <Protocol/Rng.h>
+ 
+ #include "RngDxeInternals.h"
+ 
+ // Maximum number of Rng algorithms.
+-#define RNG_AVAILABLE_ALGO_MAX  1
++#define RNG_AVAILABLE_ALGO_MAX  2
+ 
+ /** Allocate and initialize mAvailableAlgoArray with the available
+     Rng algorithms. Also update mAvailableAlgoArrayCount.
+@@ -46,8 +50,9 @@ GetAvailableAlgorithms (
+   )
+ {
+   UINT64  DummyRand;
++  UINT16  MajorRevision;
++  UINT16  MinorRevision;
+ 
+-  // Allocate RNG_AVAILABLE_ALGO_MAX entries to avoid evaluating
+   // Rng algorithms 2 times, one for the allocation, one to populate.
+   mAvailableAlgoArray = AllocateZeroPool (RNG_AVAILABLE_ALGO_MAX);
+   if (mAvailableAlgoArray == NULL) {
+@@ -64,6 +69,16 @@ GetAvailableAlgorithms (
+     mAvailableAlgoArrayCount++;
+   }
+ 
++  // Raw algorithm (Trng)
++  if (!EFI_ERROR (GetArmTrngVersion (&MajorRevision, &MinorRevision))) {
++    CopyMem (
++      &mAvailableAlgoArray[mAvailableAlgoArrayCount],
++      &gEfiRngAlgorithmRaw,
++      sizeof (EFI_RNG_ALGORITHM)
++      );
++    mAvailableAlgoArrayCount++;
++  }
++
+   return EFI_SUCCESS;
+ }
+ 
+@@ -141,6 +156,11 @@ FoundAlgo:
+     return Status;
+   }
+ 
++  // Raw algorithm (Trng)
++  if (CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw)) {
++    return GenerateEntropy (RNGValueLength, RNGValue);
++  }
++
+   //
+   // Other algorithms are unsupported by this driver.
+   //
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
+new file mode 100644
+index 0000000000..ffe557b692
+--- /dev/null
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
+@@ -0,0 +1,71 @@
++/** @file
++  RNG Driver to produce the UEFI Random Number Generator protocol.
++
++  The driver implements the EFI_RNG_ALGORITHM_RAW using the FW-TRNG
++  interface to provide entropy.
++
++  Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.<BR>
++
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++
++**/
++
++#include <Library/BaseLib.h>
++#include <Library/BaseMemoryLib.h>
++#include <Library/DebugLib.h>
++#include <Library/ArmTrngLib.h>
++#include <Protocol/Rng.h>
++
++#include "RngDxeInternals.h"
++
++/**
++  Generate high-quality entropy source using a TRNG or through RDRAND.
++
++  @param[in]   Length        Size of the buffer, in bytes, to fill with.
++  @param[out]  Entropy       Pointer to the buffer to store the entropy data.
++
++  @retval  RETURN_SUCCESS            The function completed successfully.
++  @retval  RETURN_INVALID_PARAMETER  Invalid parameter.
++  @retval  RETURN_UNSUPPORTED        Function not implemented.
++  @retval  RETURN_BAD_BUFFER_SIZE    Buffer size is too small.
++  @retval  RETURN_NOT_READY          No Entropy available.
++**/
++EFI_STATUS
++EFIAPI
++GenerateEntropy (
++  IN  UINTN  Length,
++  OUT UINT8  *Entropy
++  )
++{
++  EFI_STATUS  Status;
++  UINTN       CollectedEntropyBits;
++  UINTN       RequiredEntropyBits;
++  UINTN       EntropyBits;
++  UINTN       Index;
++  UINTN       MaxBits;
++
++  ZeroMem (Entropy, Length);
++
++  RequiredEntropyBits  = (Length << 3);
++  Index                = 0;
++  CollectedEntropyBits = 0;
++  MaxBits              = GetArmTrngMaxSupportedEntropyBits ();
++  while (CollectedEntropyBits < RequiredEntropyBits) {
++    EntropyBits = MIN ((RequiredEntropyBits - CollectedEntropyBits), MaxBits);
++    Status      = GetArmTrngEntropy (
++                    EntropyBits,
++                    (Length - Index),
++                    &Entropy[Index]
++                    );
++    if (EFI_ERROR (Status)) {
++      // Discard the collected bits.
++      ZeroMem (Entropy, Length);
++      return Status;
++    }
++
++    CollectedEntropyBits += EntropyBits;
++    Index                += (EntropyBits >> 3);
++  } // while
++
++  return Status;
++}
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+index 1985dfbb46..e0e767cbf3 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+@@ -43,8 +43,10 @@
+ 
+ [Sources.AARCH64]
+   AArch64/RngDxe.c
++  ArmTrng.c
+ 
+ [Packages]
++  MdeModulePkg/MdeModulePkg.dec
+   MdePkg/MdePkg.dec
+   SecurityPkg/SecurityPkg.dec
+ 
+@@ -57,6 +59,9 @@
+   TimerLib
+   RngLib
+ 
++[LibraryClasses.AARCH64]
++  ArmTrngLib
++
+ [Guids]
+   gEfiRngAlgorithmSp80090Hash256Guid  ## SOMETIMES_PRODUCES    ## GUID        # Unique ID of the algorithm for RNG
+   gEfiRngAlgorithmSp80090Hmac256Guid  ## SOMETIMES_PRODUCES    ## GUID        # Unique ID of the algorithm for RNG
+diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
+index 73a93c2285..9f58cc2333 100644
+--- a/SecurityPkg/SecurityPkg.dsc
++++ b/SecurityPkg/SecurityPkg.dsc
+@@ -3,6 +3,8 @@
+ #
+ # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.<BR>
+ # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP<BR>
++# Copyright (c) 2022, Loongson Technology Corporation Limited. All rights reserved.<BR>
++# Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.<BR>
+ # SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+ ##
+@@ -86,6 +88,8 @@
+ 
+   ArmSoftFloatLib|ArmPkg/Library/ArmSoftFloatLib/ArmSoftFloatLib.inf
+ 
++  ArmTrngLib|MdePkg/Library/BaseArmTrngLibNull/BaseArmTrngLibNull.inf
++
+ [LibraryClasses.ARM]
+   RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+ 
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-Add-Arm-support-of-RngDxe.patch

@@ -0,0 +1,311 @@
+From 0c6e925403e5aa50a77797af59308e6fee4be6b1 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 25 Jun 2024 22:31:58 -0400
+Subject: [PATCH 12/31] SecurityPkg/RngDxe: Add Arm support of RngDxe
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [12/31] 11b72f6d69392c7b2e8565025a576e76877fe7ed
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+CVE: CVE-2022-45237
+Upstream: Merged
+
+commit 9eb5ccda505917f6ee80284ed6fb5b51aa7152f9
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Fri Oct 28 17:32:58 2022 +0200
+
+    SecurityPkg/RngDxe: Add Arm support of RngDxe
+
+    Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668)
+
+    Add RngDxe support for Arm. This implementation uses the ArmTrngLib
+    to support the RawAlgorithm and doens't support the RNDR instruction.
+
+    To re-use the RngGetRNG(), RngGetInfo() and FreeAvailableAlgorithms()
+    functions, create Arm/AArch64 files which implement the arch specific
+    function GetAvailableAlgorithms(). Indeed, FEAT_RNG instruction is not
+    supported on Arm.
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Acked-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../RngDxe/AArch64/AArch64Algo.c              | 72 +++++++++++++++++++
+ .../RngDxe/Arm/ArmAlgo.c                      | 51 +++++++++++++
+ .../RandomNumberGenerator/RngDxe/ArmRngDxe.c  | 60 ----------------
+ .../RandomNumberGenerator/RngDxe/RngDxe.inf   | 12 +++-
+ SecurityPkg/SecurityPkg.dsc                   |  2 +-
+ 5 files changed, 133 insertions(+), 64 deletions(-)
+ create mode 100644 SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/AArch64Algo.c
+ create mode 100644 SecurityPkg/RandomNumberGenerator/RngDxe/Arm/ArmAlgo.c
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/AArch64Algo.c b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/AArch64Algo.c
+new file mode 100644
+index 0000000000..e8be217f8a
+--- /dev/null
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/AArch64Algo.c
+@@ -0,0 +1,72 @@
++/** @file
++  Aarch64 specific code.
++
++  Copyright (c) 2022, Arm Limited. All rights reserved.<BR>
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#include <Library/BaseLib.h>
++#include <Library/BaseMemoryLib.h>
++#include <Library/DebugLib.h>
++#include <Library/MemoryAllocationLib.h>
++#include <Library/ArmTrngLib.h>
++
++#include "RngDxeInternals.h"
++
++// Maximum number of Rng algorithms.
++#define RNG_AVAILABLE_ALGO_MAX  2
++
++/** Allocate and initialize mAvailableAlgoArray with the available
++    Rng algorithms. Also update mAvailableAlgoArrayCount.
++
++  @retval EFI_SUCCESS             The function completed successfully.
++  @retval EFI_OUT_OF_RESOURCES    Could not allocate memory.
++**/
++EFI_STATUS
++EFIAPI
++GetAvailableAlgorithms (
++  VOID
++  )
++{
++  UINT64  DummyRand;
++  UINT16  MajorRevision;
++  UINT16  MinorRevision;
++
++  // Rng algorithms 2 times, one for the allocation, one to populate.
++  mAvailableAlgoArray = AllocateZeroPool (RNG_AVAILABLE_ALGO_MAX);
++  if (mAvailableAlgoArray == NULL) {
++    return EFI_OUT_OF_RESOURCES;
++  }
++
++  // Check RngGetBytes() before advertising PcdCpuRngSupportedAlgorithm.
++  if (!EFI_ERROR (RngGetBytes (sizeof (DummyRand), (UINT8 *)&DummyRand))) {
++    CopyMem (
++      &mAvailableAlgoArray[mAvailableAlgoArrayCount],
++      PcdGetPtr (PcdCpuRngSupportedAlgorithm),
++      sizeof (EFI_RNG_ALGORITHM)
++      );
++    mAvailableAlgoArrayCount++;
++
++    DEBUG_CODE_BEGIN ();
++    if (IsZeroGuid (PcdGetPtr (PcdCpuRngSupportedAlgorithm))) {
++      DEBUG ((
++        DEBUG_WARN,
++        "PcdCpuRngSupportedAlgorithm should be a non-zero GUID\n"
++        ));
++    }
++
++    DEBUG_CODE_END ();
++  }
++
++  // Raw algorithm (Trng)
++  if (!EFI_ERROR (GetArmTrngVersion (&MajorRevision, &MinorRevision))) {
++    CopyMem (
++      &mAvailableAlgoArray[mAvailableAlgoArrayCount],
++      &gEfiRngAlgorithmRaw,
++      sizeof (EFI_RNG_ALGORITHM)
++      );
++    mAvailableAlgoArrayCount++;
++  }
++
++  return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Arm/ArmAlgo.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Arm/ArmAlgo.c
+new file mode 100644
+index 0000000000..4b24f5c4a6
+--- /dev/null
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Arm/ArmAlgo.c
+@@ -0,0 +1,51 @@
++/** @file
++  Arm specific code.
++
++  Copyright (c) 2022, Arm Limited. All rights reserved.<BR>
++  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#include <Library/BaseLib.h>
++#include <Library/BaseMemoryLib.h>
++#include <Library/DebugLib.h>
++#include <Library/MemoryAllocationLib.h>
++#include <Library/ArmTrngLib.h>
++
++#include "RngDxeInternals.h"
++
++// Maximum number of Rng algorithms.
++#define RNG_AVAILABLE_ALGO_MAX  1
++
++/** Allocate and initialize mAvailableAlgoArray with the available
++    Rng algorithms. Also update mAvailableAlgoArrayCount.
++
++  @retval EFI_SUCCESS             The function completed successfully.
++  @retval EFI_OUT_OF_RESOURCES    Could not allocate memory.
++**/
++EFI_STATUS
++EFIAPI
++GetAvailableAlgorithms (
++  VOID
++  )
++{
++  UINT16  MajorRevision;
++  UINT16  MinorRevision;
++
++  // Rng algorithms 2 times, one for the allocation, one to populate.
++  mAvailableAlgoArray = AllocateZeroPool (RNG_AVAILABLE_ALGO_MAX);
++  if (mAvailableAlgoArray == NULL) {
++    return EFI_OUT_OF_RESOURCES;
++  }
++
++  // Raw algorithm (Trng)
++  if (!EFI_ERROR (GetArmTrngVersion (&MajorRevision, &MinorRevision))) {
++    CopyMem (
++      &mAvailableAlgoArray[mAvailableAlgoArrayCount],
++      &gEfiRngAlgorithmRaw,
++      sizeof (EFI_RNG_ALGORITHM)
++      );
++    mAvailableAlgoArrayCount++;
++  }
++
++  return EFI_SUCCESS;
++}
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+index a800a85792..5e7d9ef681 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+@@ -28,70 +28,10 @@
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+ #include <Library/RngLib.h>
+-#include <Library/DebugLib.h>
+-#include <Library/ArmTrngLib.h>
+ #include <Protocol/Rng.h>
+ 
+ #include "RngDxeInternals.h"
+ 
+-// Maximum number of Rng algorithms.
+-#define RNG_AVAILABLE_ALGO_MAX  2
+-
+-/** Allocate and initialize mAvailableAlgoArray with the available
+-    Rng algorithms. Also update mAvailableAlgoArrayCount.
+-
+-  @retval EFI_SUCCESS             The function completed successfully.
+-  @retval EFI_OUT_OF_RESOURCES    Could not allocate memory.
+-**/
+-EFI_STATUS
+-EFIAPI
+-GetAvailableAlgorithms (
+-  VOID
+-  )
+-{
+-  UINT64  DummyRand;
+-  UINT16  MajorRevision;
+-  UINT16  MinorRevision;
+-
+-  // Rng algorithms 2 times, one for the allocation, one to populate.
+-  mAvailableAlgoArray = AllocateZeroPool (RNG_AVAILABLE_ALGO_MAX);
+-  if (mAvailableAlgoArray == NULL) {
+-    return EFI_OUT_OF_RESOURCES;
+-  }
+-
+-  // Check RngGetBytes() before advertising PcdCpuRngSupportedAlgorithm.
+-  if (!EFI_ERROR (RngGetBytes (sizeof (DummyRand), (UINT8 *)&DummyRand))) {
+-    CopyMem (
+-      &mAvailableAlgoArray[mAvailableAlgoArrayCount],
+-      PcdGetPtr (PcdCpuRngSupportedAlgorithm),
+-      sizeof (EFI_RNG_ALGORITHM)
+-      );
+-    mAvailableAlgoArrayCount++;
+-
+-    DEBUG_CODE_BEGIN ();
+-    if (IsZeroGuid (PcdGetPtr (PcdCpuRngSupportedAlgorithm))) {
+-      DEBUG ((
+-        DEBUG_WARN,
+-        "PcdCpuRngSupportedAlgorithm should be a non-zero GUID\n"
+-        ));
+-    }
+-
+-    DEBUG_CODE_END ();
+-  }
+-
+-  // Raw algorithm (Trng)
+-  if (!EFI_ERROR (GetArmTrngVersion (&MajorRevision, &MinorRevision))) {
+-    CopyMem (
+-      &mAvailableAlgoArray[mAvailableAlgoArrayCount],
+-      &gEfiRngAlgorithmRaw,
+-      sizeof (EFI_RNG_ALGORITHM)
+-      );
+-    mAvailableAlgoArrayCount++;
+-  }
+-
+-  return EFI_SUCCESS;
+-}
+-
+ /** Free mAvailableAlgoArray.
+ **/
+ VOID
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+index 1d0bdef57d..c8e0ee4ae5 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+@@ -28,7 +28,7 @@
+ #
+ # The following information is for reference only and not required by the build tools.
+ #
+-#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
++#  VALID_ARCHITECTURES           = IA32 X64 AARCH64 ARM
+ #
+ 
+ [Sources.common]
+@@ -41,10 +41,16 @@
+   Rand/AesCore.c
+   Rand/AesCore.h
+ 
+-[Sources.AARCH64]
++[Sources.AARCH64, Sources.ARM]
+   ArmRngDxe.c
+   ArmTrng.c
+ 
++[Sources.AARCH64]
++  AArch64/AArch64Algo.c
++
++[Sources.ARM]
++  Arm/ArmAlgo.c
++
+ [Packages]
+   MdeModulePkg/MdeModulePkg.dec
+   MdePkg/MdePkg.dec
+@@ -59,7 +65,7 @@
+   TimerLib
+   RngLib
+ 
+-[LibraryClasses.AARCH64]
++[LibraryClasses.AARCH64, LibraryClasses.ARM]
+   ArmTrngLib
+ 
+ [Guids]
+diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
+index 9f58cc2333..36493f04ee 100644
+--- a/SecurityPkg/SecurityPkg.dsc
++++ b/SecurityPkg/SecurityPkg.dsc
+@@ -281,7 +281,7 @@
+   SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
+   SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
+ 
+-[Components.IA32, Components.X64, Components.AARCH64]
++[Components.IA32, Components.X64, Components.AARCH64, Components.ARM]
+   #
+   # Random Number Generator
+   #
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-Add-debug-warning-for-NULL-PcdCpu.patch

@@ -0,0 +1,58 @@
+From 8b78800fed2a4af7c08eebd20d1bf764e8e10c84 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 25 Jun 2024 22:28:58 -0400
+Subject: [PATCH 10/31] SecurityPkg/RngDxe: Add debug warning for NULL
+ PcdCpuRngSupportedAlgorithm
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [10/31] 66b888e9b1e2be0c79784e02b4821854bd80432d
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+CVE: CVE-2022-45237
+Upstream: Merged
+
+commit 6cdddccf0085cf2929f8ae710515e4e53663dfb2
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Fri Oct 28 17:32:56 2022 +0200
+
+    SecurityPkg/RngDxe: Add debug warning for NULL PcdCpuRngSupportedAlgorithm
+
+    PcdCpuRngSupportedAlgorithm should allow to identify the the algorithm
+    used by the RNDR CPU instruction to generate a random number.
+    Add a debug warning if the Pcd is not set.
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Acked-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../RandomNumberGenerator/RngDxe/AArch64/RngDxe.c      | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+index c0b0d28d48..a800a85792 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+@@ -67,6 +67,16 @@ GetAvailableAlgorithms (
+       sizeof (EFI_RNG_ALGORITHM)
+       );
+     mAvailableAlgoArrayCount++;
++
++    DEBUG_CODE_BEGIN ();
++    if (IsZeroGuid (PcdGetPtr (PcdCpuRngSupportedAlgorithm))) {
++      DEBUG ((
++        DEBUG_WARN,
++        "PcdCpuRngSupportedAlgorithm should be a non-zero GUID\n"
++        ));
++    }
++
++    DEBUG_CODE_END ();
+   }
+ 
+   // Raw algorithm (Trng)
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-Check-before-advertising-Cpu-Rng-.patch

@@ -0,0 +1,336 @@
+From 5bd27a5a923c8880a06d52fca48e304becbbb8f6 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 25 Jun 2024 22:25:23 -0400
+Subject: [PATCH 08/31] SecurityPkg/RngDxe: Check before advertising Cpu Rng
+ algo
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [8/31] 5417b276749a2d1b1afa9465b5b7a501def26a12
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+CVE: CVE-2022-45237
+Upstream: Merged
+
+commit 4b3e9d80bedf5909a4ec901425ed9c0a738fc76f
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Fri Oct 28 17:32:54 2022 +0200
+
+    SecurityPkg/RngDxe: Check before advertising Cpu Rng algo
+
+    RngGetBytes() relies on the RngLib. The RngLib might use the RNDR
+    instruction if the FEAT_RNG feature is present. RngGetInfo and
+    RngGetRNG both must check that RngGetBytes() is working before
+    advertising/using it.
+
+    To do so, allocate an array storing the available algorithms.
+    The Rng algorithm at the lowest index will be the default Rng
+    algorithm. The array is shared between RngGetInfo and RngGetRNG.
+
+    This array is allocated when the driver is loaded, and freed
+    when unloaded.
+
+    This patch also prevents from having PcdCpuRngSupportedAlgorithm
+    let to a zero GUID, but let the possibility to have no valid Rng
+    algorithm in such case.
+
+    Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com>
+    Acked-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../RngDxe/AArch64/RngDxe.c                   | 87 +++++++++++++++++--
+ .../RngDxe/Rand/RngDxe.c                      | 26 ++++++
+ .../RandomNumberGenerator/RngDxe/RngDxe.c     | 40 ++++++++-
+ .../RandomNumberGenerator/RngDxe/RngDxe.inf   |  1 +
+ .../RngDxe/RngDxeInternals.h                  | 27 ++++++
+ 5 files changed, 172 insertions(+), 9 deletions(-)
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+index 8c6ad4ed43..c9d66d9777 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+@@ -22,11 +22,63 @@
+ 
+ #include <Library/BaseLib.h>
+ #include <Library/BaseMemoryLib.h>
++#include <Library/DebugLib.h>
++#include <Library/MemoryAllocationLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
++#include <Library/RngLib.h>
+ #include <Protocol/Rng.h>
+ 
+ #include "RngDxeInternals.h"
+ 
++// Maximum number of Rng algorithms.
++#define RNG_AVAILABLE_ALGO_MAX  1
++
++/** Allocate and initialize mAvailableAlgoArray with the available
++    Rng algorithms. Also update mAvailableAlgoArrayCount.
++
++  @retval EFI_SUCCESS             The function completed successfully.
++  @retval EFI_OUT_OF_RESOURCES    Could not allocate memory.
++**/
++EFI_STATUS
++EFIAPI
++GetAvailableAlgorithms (
++  VOID
++  )
++{
++  UINT64  DummyRand;
++
++  // Allocate RNG_AVAILABLE_ALGO_MAX entries to avoid evaluating
++  // Rng algorithms 2 times, one for the allocation, one to populate.
++  mAvailableAlgoArray = AllocateZeroPool (RNG_AVAILABLE_ALGO_MAX);
++  if (mAvailableAlgoArray == NULL) {
++    return EFI_OUT_OF_RESOURCES;
++  }
++
++  // Check RngGetBytes() before advertising PcdCpuRngSupportedAlgorithm.
++  if (!EFI_ERROR (RngGetBytes (sizeof (DummyRand), (UINT8 *)&DummyRand))) {
++    CopyMem (
++      &mAvailableAlgoArray[mAvailableAlgoArrayCount],
++      PcdGetPtr (PcdCpuRngSupportedAlgorithm),
++      sizeof (EFI_RNG_ALGORITHM)
++      );
++    mAvailableAlgoArrayCount++;
++  }
++
++  return EFI_SUCCESS;
++}
++
++/** Free mAvailableAlgoArray.
++**/
++VOID
++EFIAPI
++FreeAvailableAlgorithms (
++  VOID
++  )
++{
++  FreePool (mAvailableAlgoArray);
++  return;
++}
++
+ /**
+   Produces and returns an RNG value using either the default or specified RNG algorithm.
+ 
+@@ -59,6 +111,7 @@ RngGetRNG (
+   )
+ {
+   EFI_STATUS    Status;
++  UINTN       Index;
+ 
+   if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
+     return EFI_INVALID_PARAMETER;
+@@ -68,9 +121,21 @@ RngGetRNG (
+     //
+     // Use the default RNG algorithm if RNGAlgorithm is NULL.
+     //
+-    RNGAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
++    for (Index = 0; Index < mAvailableAlgoArrayCount; Index++) {
++      if (!IsZeroGuid (&mAvailableAlgoArray[Index])) {
++        RNGAlgorithm = &mAvailableAlgoArray[Index];
++        goto FoundAlgo;
++      }
++    }
++
++    if (Index == mAvailableAlgoArrayCount) {
++      // No algorithm available.
++      ASSERT (Index != mAvailableAlgoArrayCount);
++      return EFI_DEVICE_ERROR;
++    }
+   }
+ 
++FoundAlgo:
+   if (CompareGuid (RNGAlgorithm, PcdGetPtr (PcdCpuRngSupportedAlgorithm))) {
+     Status = RngGetBytes (RNGValueLength, RNGValue);
+     return Status;
+@@ -113,24 +178,30 @@ RngGetInfo (
+   OUT EFI_RNG_ALGORITHM  *RNGAlgorithmList
+   )
+ {
+-  UINTN RequiredSize;
+-  EFI_RNG_ALGORITHM *CpuRngSupportedAlgorithm;
+-
+-  RequiredSize = sizeof (EFI_RNG_ALGORITHM);
++  UINTN  RequiredSize;
+ 
+   if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
+     return EFI_INVALID_PARAMETER;
+   }
+ 
++  RequiredSize = mAvailableAlgoArrayCount * sizeof (EFI_RNG_ALGORITHM);
++
++  if (RequiredSize == 0) {
++    // No supported algorithms found.
++    return EFI_UNSUPPORTED;
++  }
++
+   if (*RNGAlgorithmListSize < RequiredSize) {
+     *RNGAlgorithmListSize = RequiredSize;
+     return EFI_BUFFER_TOO_SMALL;
+   }
+ 
+-  CpuRngSupportedAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
+-
+-  CopyMem(&RNGAlgorithmList[0], CpuRngSupportedAlgorithm, sizeof (EFI_RNG_ALGORITHM));
++  if (RNGAlgorithmList == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
+ 
++  // There is no gap in the array, so copy the block.
++  CopyMem (RNGAlgorithmList, mAvailableAlgoArray, RequiredSize);
+   *RNGAlgorithmListSize = RequiredSize;
+   return EFI_SUCCESS;
+ }
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+index 70b6ac20c9..7caa64a4ff 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+@@ -26,6 +26,32 @@
+ 
+ #include "RngDxeInternals.h"
+ 
++/** Allocate and initialize mAvailableAlgoArray with the available
++    Rng algorithms. Also update mAvailableAlgoArrayCount.
++
++  @retval EFI_SUCCESS             The function completed successfully.
++  @retval EFI_OUT_OF_RESOURCES    Could not allocate memory.
++**/
++EFI_STATUS
++EFIAPI
++GetAvailableAlgorithms (
++  VOID
++  )
++{
++  return EFI_SUCCESS;
++}
++
++/** Free mAvailableAlgoArray.
++**/
++VOID
++EFIAPI
++FreeAvailableAlgorithms (
++  VOID
++  )
++{
++  return;
++}
++
+ /**
+   Produces and returns an RNG value using either the default or specified RNG algorithm.
+ 
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
+index 4599728889..cc2ddfcc06 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
+@@ -27,6 +27,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ #include "RngDxeInternals.h"
+ 
++//
++// Array containing the validated Rng algorithm.
++// The entry with the lowest index will be the default algorithm.
++//
++UINTN              mAvailableAlgoArrayCount;
++EFI_RNG_ALGORITHM  *mAvailableAlgoArray;
++
+ //
+ // The Random Number Generator (RNG) protocol
+ //
+@@ -66,8 +73,39 @@ RngDriverEntry (
+                   &mRngRdRand,
+                   NULL
+                   );
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  //
++  // Get the list of available algorithm.
++  //
++  return GetAvailableAlgorithms ();
++}
++
++/**
++  This is the unload handle for RndgDxe module.
++
++  Disconnect the driver specified by ImageHandle from all the devices in the handle database.
++  Uninstall all the protocols installed in the driver entry point.
+ 
+-  return Status;
++  @param[in] ImageHandle           The drivers' driver image.
++
++  @retval    EFI_SUCCESS           The image is unloaded.
++  @retval    Others                Failed to unload the image.
++
++**/
++EFI_STATUS
++EFIAPI
++RngDriverUnLoad (
++  IN EFI_HANDLE  ImageHandle
++  )
++{
++  //
++  // Free the list of available algorithm.
++  //
++  FreeAvailableAlgorithms ();
++  return EFI_SUCCESS;
+ }
+ 
+ 
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+index 60efb5562e..1985dfbb46 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+@@ -22,6 +22,7 @@
+   MODULE_TYPE                    = DXE_DRIVER
+   VERSION_STRING                 = 1.0
+   ENTRY_POINT                    = RngDriverEntry
++  UNLOAD_IMAGE                   = RngDriverUnLoad
+   MODULE_UNI_FILE                = RngDxe.uni
+ 
+ #
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
+index f17adb83fb..0ef5e6522f 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
+@@ -12,6 +12,33 @@
+ 
+ #include <Protocol/Rng.h>
+ 
++//
++// Array containing the validated Rng algorithm.
++// The entry with the lowest index will be the default algorithm.
++//
++extern UINTN              mAvailableAlgoArrayCount;
++extern EFI_RNG_ALGORITHM  *mAvailableAlgoArray;
++
++/** Allocate and initialize mAvailableAlgoArray with the available
++    Rng algorithms. Also update mAvailableAlgoArrayCount.
++
++  @retval EFI_SUCCESS             The function completed successfully.
++  @retval EFI_OUT_OF_RESOURCES    Could not allocate memory.
++**/
++EFI_STATUS
++EFIAPI
++GetAvailableAlgorithms (
++  VOID
++  );
++
++/** Free mAvailableAlgoArray.
++**/
++VOID
++EFIAPI
++FreeAvailableAlgorithms (
++  VOID
++  );
++
+ /**
+   Returns information about the random number generation implementation.
+ 
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-Conditionally-install-EFI_RNG_PRO.patch

@@ -0,0 +1,79 @@
+From e7444d0b84a8fd41aa63ecb083e65fd56b32fd38 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Sun, 23 Jun 2024 14:21:01 -0400
+Subject: [PATCH 14/31] SecurityPkg/RngDxe: Conditionally install
+ EFI_RNG_PROTOCOL
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [14/31] bc64d4cad6c30353723d674ef9f10eb10aeb1cac
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit 75fb0cfc82376906243386514be0e4067d702117
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Thu Nov 24 17:17:55 2022 +0100
+
+    SecurityPkg/RngDxe: Conditionally install EFI_RNG_PROTOCOL
+
+    On Arm platforms, the number of available RNG algorithms is
+    dynamically detected and can be 0 in the absence of FEAT_RNG
+    and firmware TRNG.
+    In this case, the EFI_RNG_PROTOCOL should not be installed to
+    prevent from installing an empty protocol.
+
+    Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com>
+    [ardb: return EFI_REQUEST_UNLOAD_IMAGE instead of an error]
+    Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../RandomNumberGenerator/RngDxe/RngDxe.c     | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
+index cc2ddfcc06..55e8dd49d0 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
+@@ -63,6 +63,18 @@ RngDriverEntry (
+   EFI_STATUS    Status;
+   EFI_HANDLE    Handle;
+ 
++  //
++  // Get the list of available algorithm.
++  //
++  Status = GetAvailableAlgorithms ();
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  if (mAvailableAlgoArrayCount == 0) {
++    return EFI_REQUEST_UNLOAD_IMAGE;
++  }
++
+   //
+   // Install UEFI RNG (Random Number Generator) Protocol
+   //
+@@ -74,13 +86,10 @@ RngDriverEntry (
+                   NULL
+                   );
+   if (EFI_ERROR (Status)) {
+-    return Status;
++    FreeAvailableAlgorithms ();
+   }
+ 
+-  //
+-  // Get the list of available algorithm.
+-  //
+-  return GetAvailableAlgorithms ();
++  return Status;
+ }
+ 
+ /**
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-Correctly-update-mAvailableAlgoAr.patch

@@ -0,0 +1,105 @@
+From b9a937603080bfada6c224a6e9da046a8a33f868 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Sun, 23 Jun 2024 14:18:18 -0400
+Subject: [PATCH 13/31] SecurityPkg/RngDxe: Correctly update
+ mAvailableAlgoArrayCount
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [13/31] 3e06e270cad90038537305a4cb7828fcc45251fb
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit bfb574db110899471fe09db819587b3151c7b7b5
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Thu Nov 24 17:17:54 2022 +0100
+
+    SecurityPkg/RngDxe: Correctly update mAvailableAlgoArrayCount
+
+    mAvailableAlgoArrayCount holds the count of available RNG algorithms.
+    In a following patch, its value will be used to prevent the
+    EFI_RNG_PROTOCOL to be installed if no RNG algorithm is available.
+
+    Correctly set/reset the value for all implementations.
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../RandomNumberGenerator/RngDxe/ArmRngDxe.c     |  1 +
+ .../RandomNumberGenerator/RngDxe/Rand/RngDxe.c   | 16 ++++++++++++++--
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+index 5e7d9ef681..0e44d0c931 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+@@ -40,6 +40,7 @@ FreeAvailableAlgorithms (
+   VOID
+   )
+ {
++  mAvailableAlgoArrayCount = 0;
+   FreePool (mAvailableAlgoArray);
+   return;
+ }
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+index 7caa64a4ff..149de875ce 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+@@ -26,6 +26,11 @@
+ 
+ #include "RngDxeInternals.h"
+ 
++//
++// Count of Rng algorithms.
++//
++#define RNG_ALGORITHM_COUNT  2
++
+ /** Allocate and initialize mAvailableAlgoArray with the available
+     Rng algorithms. Also update mAvailableAlgoArrayCount.
+ 
+@@ -38,6 +43,13 @@ GetAvailableAlgorithms (
+   VOID
+   )
+ {
++
++  UINT64  RngTest;
++
++  if (GetRandomNumber64 (&RngTest)) {
++    mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT;
++  }
++
+   return EFI_SUCCESS;
+ }
+ 
+@@ -49,6 +61,7 @@ FreeAvailableAlgorithms (
+   VOID
+   )
+ {
++  mAvailableAlgoArrayCount = 0;
+   return;
+ }
+ 
+@@ -159,13 +172,12 @@ RngGetInfo (
+   )
+ {
+   UINTN RequiredSize;
+-  EFI_RNG_ALGORITHM *CpuRngSupportedAlgorithm;
+ 
+   if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
+     return EFI_INVALID_PARAMETER;
+   }
+ 
+-  RequiredSize = 2 * sizeof (EFI_RNG_ALGORITHM);
++  RequiredSize = RNG_ALGORITHM_COUNT * sizeof (EFI_RNG_ALGORITHM);
+ 
+   if (*RNGAlgorithmListSize < RequiredSize) {
+     *RNGAlgorithmListSize = RequiredSize;
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-Documentation-include-parameter-c.patch

@@ -0,0 +1,98 @@
+From 0f8890578f46bc791d007b19dbbfa0dd2805032d Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 25 Jun 2024 22:23:42 -0400
+Subject: [PATCH 07/31] SecurityPkg/RngDxe: Documentation/include/parameter
+ cleanup
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [7/31] 19a0a13d18fc7f92c7b05e8da08f4d83df77ea6c
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+CVE: CVE-2022-45237
+Upstream: Merged
+
+commit 199031b2b0233652ad5d5fdf73f0f44c0f264d55
+Author: Pierre Gondois <Pierre.Gondois@arm.com>
+Date:   Fri Oct 28 17:32:53 2022 +0200
+
+    SecurityPkg/RngDxe: Documentation/include/parameter cleanup
+
+    This patch:
+    -Update RngGetBytes() documentation to align the function
+     definition and declaration.
+    -Improve input parameter checking. Even though 'This'
+     it is not used, the parameter should always point to the
+     current EFI_RNG_PROTOCOL.
+    -Removes TimerLib inclusion as unused.
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Acked-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c | 3 +--
+ SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c    | 2 +-
+ SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c         | 3 +--
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+index f6a0bf7b2b..8c6ad4ed43 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+@@ -23,7 +23,6 @@
+ #include <Library/BaseLib.h>
+ #include <Library/BaseMemoryLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+-#include <Library/TimerLib.h>
+ #include <Protocol/Rng.h>
+ 
+ #include "RngDxeInternals.h"
+@@ -61,7 +60,7 @@ RngGetRNG (
+ {
+   EFI_STATUS    Status;
+ 
+-  if ((RNGValueLength == 0) || (RNGValue == NULL)) {
++  if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
+     return EFI_INVALID_PARAMETER;
+   }
+ 
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+index 5a649ecf24..70b6ac20c9 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+@@ -59,7 +59,7 @@ RngGetRNG (
+ {
+   EFI_STATUS    Status;
+ 
+-  if ((RNGValueLength == 0) || (RNGValue == NULL)) {
++  if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
+     return EFI_INVALID_PARAMETER;
+   }
+ 
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
+index 7b8ecfc70d..4599728889 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
+@@ -23,7 +23,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include <Library/BaseMemoryLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+ #include <Library/RngLib.h>
+-#include <Library/TimerLib.h>
+ #include <Protocol/Rng.h>
+ 
+ #include "RngDxeInternals.h"
+@@ -73,7 +72,7 @@ RngDriverEntry (
+ 
+ 
+ /**
+-  Calls RDRAND to fill a buffer of arbitrary size with random bytes.
++  Runs CPU RNG instruction to fill a buffer of arbitrary size with random bytes.
+ 
+   @param[in]   Length        Size of the buffer, in bytes,  to fill with.
+   @param[out]  RandBuffer    Pointer to the buffer to store the random result.
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-Remove-ArchGetSupportedRngAlgorit.patch

@@ -0,0 +1,258 @@
+From df912b4c93cd848991d9a9439d3aba441bae1d67 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 25 Jun 2024 22:21:09 -0400
+Subject: [PATCH 06/31] SecurityPkg/RngDxe: Remove
+ ArchGetSupportedRngAlgorithms()
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [6/31] 4066cb1503b5c5a29b6d45a4b671d0829f2671ae
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+CVE: CVE-2022-45237
+Upstream: Merged
+
+commit 922bf317f1731554b3e77a0a48033a38fdc75a77
+Author: Pierre Gondois <Pierre.Gondois@arm.com>
+Date:   Fri Oct 28 17:32:52 2022 +0200
+
+    SecurityPkg/RngDxe: Remove ArchGetSupportedRngAlgorithms()
+
+    RngGetInfo() is one of the 2 functions of the EFI_RNG_PROTOCOL.
+    RngGetInfo() is currently a mere wrapper around
+    ArchGetSupportedRngAlgorithms() which is implemented differently
+    depending on the architecture used.
+
+    RngGetInfo() does nothing more than calling
+    ArchGetSupportedRngAlgorithms(). So remove it, and let RngGetInfo()
+    be implemented differently according to the architecture.
+
+    This follows the implementation of the other function of the
+    EFI_RNG_PROTOCOL, RngGetRNG().
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Acked-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../RngDxe/AArch64/RngDxe.c                   | 19 +++++--
+ .../RngDxe/Rand/RngDxe.c                      | 24 ++++++---
+ .../RandomNumberGenerator/RngDxe/RngDxe.c     | 49 -------------------
+ .../RngDxe/RngDxeInternals.h                  | 25 ----------
+ 4 files changed, 33 insertions(+), 84 deletions(-)
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+index 1cdc842966..f6a0bf7b2b 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+@@ -14,6 +14,7 @@
+   Copyright (c) 2021, NUVIA Inc. All rights reserved.<BR>
+   Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+   (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
++  Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.<BR>
+ 
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+@@ -85,6 +86,7 @@ RngGetRNG (
+ /**
+   Returns information about the random number generation implementation.
+ 
++  @param[in]     This                 A pointer to the EFI_RNG_PROTOCOL instance.
+   @param[in,out] RNGAlgorithmListSize On input, the size in bytes of RNGAlgorithmList.
+                                       On output with a return code of EFI_SUCCESS, the size
+                                       in bytes of the data returned in RNGAlgorithmList. On output
+@@ -97,14 +99,19 @@ RngGetRNG (
+                                       is the default algorithm for the driver.
+ 
+   @retval EFI_SUCCESS                 The RNG algorithm list was returned successfully.
++  @retval EFI_UNSUPPORTED             The services is not supported by this driver.
++  @retval EFI_DEVICE_ERROR            The list of algorithms could not be retrieved due to a
++                                      hardware or firmware error.
++  @retval EFI_INVALID_PARAMETER       One or more of the parameters are incorrect.
+   @retval EFI_BUFFER_TOO_SMALL        The buffer RNGAlgorithmList is too small to hold the result.
+ 
+ **/
+-UINTN
++EFI_STATUS
+ EFIAPI
+-ArchGetSupportedRngAlgorithms (
+-  IN OUT UINTN                     *RNGAlgorithmListSize,
+-  OUT    EFI_RNG_ALGORITHM         *RNGAlgorithmList
++RngGetInfo (
++  IN EFI_RNG_PROTOCOL    *This,
++  IN OUT UINTN           *RNGAlgorithmListSize,
++  OUT EFI_RNG_ALGORITHM  *RNGAlgorithmList
+   )
+ {
+   UINTN RequiredSize;
+@@ -112,6 +119,10 @@ ArchGetSupportedRngAlgorithms (
+ 
+   RequiredSize = sizeof (EFI_RNG_ALGORITHM);
+ 
++  if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
++    return EFI_INVALID_PARAMETER;
++  }
++
+   if (*RNGAlgorithmListSize < RequiredSize) {
+     *RNGAlgorithmListSize = RequiredSize;
+     return EFI_BUFFER_TOO_SMALL;
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+index 19755b3bfd..5a649ecf24 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+@@ -104,6 +104,7 @@ RngGetRNG (
+ /**
+   Returns information about the random number generation implementation.
+ 
++  @param[in]     This                 A pointer to the EFI_RNG_PROTOCOL instance.
+   @param[in,out] RNGAlgorithmListSize On input, the size in bytes of RNGAlgorithmList.
+                                       On output with a return code of EFI_SUCCESS, the size
+                                       in bytes of the data returned in RNGAlgorithmList. On output
+@@ -116,19 +117,28 @@ RngGetRNG (
+                                       is the default algorithm for the driver.
+ 
+   @retval EFI_SUCCESS                 The RNG algorithm list was returned successfully.
++  @retval EFI_UNSUPPORTED             No supported algorithms found.
++  @retval EFI_DEVICE_ERROR            The list of algorithms could not be retrieved due to a
++                                      hardware or firmware error.
++  @retval EFI_INVALID_PARAMETER       One or more of the parameters are incorrect.
+   @retval EFI_BUFFER_TOO_SMALL        The buffer RNGAlgorithmList is too small to hold the result.
+ 
+ **/
+-UINTN
++EFI_STATUS
+ EFIAPI
+-ArchGetSupportedRngAlgorithms (
+-  IN OUT UINTN                     *RNGAlgorithmListSize,
+-  OUT    EFI_RNG_ALGORITHM         *RNGAlgorithmList
++RngGetInfo (
++  IN EFI_RNG_PROTOCOL    *This,
++  IN OUT UINTN           *RNGAlgorithmListSize,
++  OUT EFI_RNG_ALGORITHM  *RNGAlgorithmList
+   )
+ {
+   UINTN RequiredSize;
+   EFI_RNG_ALGORITHM *CpuRngSupportedAlgorithm;
+ 
++  if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
++    return EFI_INVALID_PARAMETER;
++  }
++
+   RequiredSize = 2 * sizeof (EFI_RNG_ALGORITHM);
+ 
+   if (*RNGAlgorithmListSize < RequiredSize) {
+@@ -136,9 +146,11 @@ ArchGetSupportedRngAlgorithms (
+     return EFI_BUFFER_TOO_SMALL;
+   }
+ 
+-  CpuRngSupportedAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
++  if (RNGAlgorithmList == NULL) {
++    return EFI_INVALID_PARAMETER;
++  }
+ 
+-  CopyMem(&RNGAlgorithmList[0], CpuRngSupportedAlgorithm, sizeof (EFI_RNG_ALGORITHM));
++  CopyMem (&RNGAlgorithmList[0], &gEfiRngAlgorithmSp80090Ctr256Guid, sizeof (EFI_RNG_ALGORITHM));
+ 
+   // x86 platforms also support EFI_RNG_ALGORITHM_RAW via RDSEED
+   CopyMem(&RNGAlgorithmList[1], &gEfiRngAlgorithmRaw, sizeof (EFI_RNG_ALGORITHM));
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
+index b959c70536..7b8ecfc70d 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
+@@ -28,55 +28,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ #include "RngDxeInternals.h"
+ 
+-/**
+-  Returns information about the random number generation implementation.
+-
+-  @param[in]     This                 A pointer to the EFI_RNG_PROTOCOL instance.
+-  @param[in,out] RNGAlgorithmListSize On input, the size in bytes of RNGAlgorithmList.
+-                                      On output with a return code of EFI_SUCCESS, the size
+-                                      in bytes of the data returned in RNGAlgorithmList. On output
+-                                      with a return code of EFI_BUFFER_TOO_SMALL,
+-                                      the size of RNGAlgorithmList required to obtain the list.
+-  @param[out] RNGAlgorithmList        A caller-allocated memory buffer filled by the driver
+-                                      with one EFI_RNG_ALGORITHM element for each supported
+-                                      RNG algorithm. The list must not change across multiple
+-                                      calls to the same driver. The first algorithm in the list
+-                                      is the default algorithm for the driver.
+-
+-  @retval EFI_SUCCESS                 The RNG algorithm list was returned successfully.
+-  @retval EFI_UNSUPPORTED             The services is not supported by this driver.
+-  @retval EFI_DEVICE_ERROR            The list of algorithms could not be retrieved due to a
+-                                      hardware or firmware error.
+-  @retval EFI_INVALID_PARAMETER       One or more of the parameters are incorrect.
+-  @retval EFI_BUFFER_TOO_SMALL        The buffer RNGAlgorithmList is too small to hold the result.
+-
+-**/
+-EFI_STATUS
+-EFIAPI
+-RngGetInfo (
+-  IN EFI_RNG_PROTOCOL             *This,
+-  IN OUT UINTN                    *RNGAlgorithmListSize,
+-  OUT EFI_RNG_ALGORITHM           *RNGAlgorithmList
+-  )
+-{
+-  EFI_STATUS    Status;
+-
+-  if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
+-    return EFI_INVALID_PARAMETER;
+-  }
+-
+-  //
+-  // Return algorithm list supported by driver.
+-  //
+-  if (RNGAlgorithmList != NULL) {
+-    Status = ArchGetSupportedRngAlgorithms (RNGAlgorithmListSize, RNGAlgorithmList);
+-  } else {
+-    Status = EFI_INVALID_PARAMETER;
+-  }
+-
+-  return Status;
+-}
+-
+ //
+ // The Random Number Generator (RNG) protocol
+ //
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
+index fcb8b69153..f17adb83fb 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
+@@ -74,31 +74,6 @@ RngGetRNG (
+   OUT UINT8                      *RNGValue
+   );
+ 
+-/**
+-  Returns information about the random number generation implementation.
+-
+-  @param[in,out] RNGAlgorithmListSize On input, the size in bytes of RNGAlgorithmList.
+-                                      On output with a return code of EFI_SUCCESS, the size
+-                                      in bytes of the data returned in RNGAlgorithmList. On output
+-                                      with a return code of EFI_BUFFER_TOO_SMALL,
+-                                      the size of RNGAlgorithmList required to obtain the list.
+-  @param[out] RNGAlgorithmList        A caller-allocated memory buffer filled by the driver
+-                                      with one EFI_RNG_ALGORITHM element for each supported
+-                                      RNG algorithm. The list must not change across multiple
+-                                      calls to the same driver. The first algorithm in the list
+-                                      is the default algorithm for the driver.
+-
+-  @retval EFI_SUCCESS                 The RNG algorithm list was returned successfully.
+-  @retval EFI_BUFFER_TOO_SMALL        The buffer RNGAlgorithmList is too small to hold the result.
+-
+-**/
+-UINTN
+-EFIAPI
+-ArchGetSupportedRngAlgorithms (
+-  IN OUT UINTN                     *RNGAlgorithmListSize,
+-  OUT    EFI_RNG_ALGORITHM         *RNGAlgorithmList
+-  );
+-
+ /**
+   Runs CPU RNG instruction to fill a buffer of arbitrary size with random bytes.
+ 
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-Rename-AArch64-RngDxe.c.patch

@@ -0,0 +1,55 @@
+From 05ffe3749d73942cf4df7ed8f53ae239e62d5376 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 25 Jun 2024 22:30:19 -0400
+Subject: [PATCH 11/31] SecurityPkg/RngDxe: Rename AArch64/RngDxe.c
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [11/31] 39c8a7a1e45c7c26f5d16f79d81abac1fbae4f22
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+CVE: CVE-2022-45237
+Upstream: Merged
+
+commit ff29cdb968a1a4d7bd7ab4eba2597a77c0748dc2
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Fri Oct 28 17:32:57 2022 +0200
+
+    SecurityPkg/RngDxe: Rename AArch64/RngDxe.c
+
+    To re-use the AArch64/RngDxe.c for an Arm implementation,
+    rename AArch64/RngDxe.c to ArmRngDxe.c.
+
+    Acked-by: Leif Lindholm <quic_llindhol@quicinc.com>
+    Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com>
+    Acked-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../RngDxe/{AArch64/RngDxe.c => ArmRngDxe.c}                    | 0
+ SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf             | 2 +-
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+ rename SecurityPkg/RandomNumberGenerator/RngDxe/{AArch64/RngDxe.c => ArmRngDxe.c} (100%)
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+similarity index 100%
+rename from SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+rename to SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+index e0e767cbf3..1d0bdef57d 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+@@ -42,7 +42,7 @@
+   Rand/AesCore.h
+ 
+ [Sources.AARCH64]
+-  AArch64/RngDxe.c
++  ArmRngDxe.c
+   ArmTrng.c
+ 
+ [Packages]
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-Rename-RdRandGenerateEntropy-to-g.patch

@@ -0,0 +1,176 @@
+From 2a5e4e144cbea46784fde638765a9c9068ed2869 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 25 Jun 2024 22:19:10 -0400
+Subject: [PATCH 05/31] SecurityPkg/RngDxe: Rename RdRandGenerateEntropy to
+ generic name
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [5/31] 12b8646964435f1a70def57afb9f4565b11c5dc8
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+CVE: CVE-2022-45237
+Upstream: Merged
+
+commit 8a89747844a5061791e55a25daedcf895180a794
+Author: Sami Mujawar <sami.mujawar@arm.com>
+Date:   Fri Oct 28 17:32:50 2022 +0200
+
+    SecurityPkg/RngDxe: Rename RdRandGenerateEntropy to generic name
+
+    Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668)
+
+    Rename RdRandGenerateEntropy() to GenerateEntropy() to provide a
+    common interface to generate entropy on other architectures.
+    GenerateEntropy() is intended to generate high quality entropy.
+
+    Also move the definition to RngDxeInternals.h
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Acked-by: Jiewen Yao <jiewen.yao@intel.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../RngDxe/Rand/RdRand.c                      | 20 ++++++++++++-----
+ .../RngDxe/Rand/RngDxe.c                      |  7 ++++--
+ .../RandomNumberGenerator/RngDxe/RngDxe.inf   |  2 +-
+ .../RngDxe/RngDxeInternals.h                  | 22 ++++++++++++++++++-
+ 4 files changed, 41 insertions(+), 10 deletions(-)
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.c
+index 83025a47d4..853bf43148 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.c
+@@ -1,15 +1,23 @@
+ /** @file
+-  Support routines for RDRAND instruction access.
+-
++  Support routines for RDRAND instruction access, which will leverage
++  Intel Secure Key technology to provide high-quality random numbers for use
++  in applications, or entropy for seeding other random number generators.
++  Refer to http://software.intel.com/en-us/articles/intel-digital-random-number
++  -generator-drng-software-implementation-guide/ for more information about Intel
++  Secure Key technology.
++
++Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.<BR>
+ Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+ (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
++#include <Library/BaseLib.h>
++#include <Library/BaseMemoryLib.h>
+ #include <Library/RngLib.h>
++#include <Library/TimerLib.h>
+ 
+ #include "AesCore.h"
+-#include "RdRand.h"
+ #include "RngDxeInternals.h"
+ 
+ /**
+@@ -87,9 +95,9 @@ RdRandGetSeed128 (
+ **/
+ EFI_STATUS
+ EFIAPI
+-RdRandGenerateEntropy (
+-  IN UINTN         Length,
+-  OUT UINT8        *Entropy
++GenerateEntropy (
++  IN UINTN   Length,
++  OUT UINT8  *Entropy
+   )
+ {
+   EFI_STATUS  Status;
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+index 834123b945..19755b3bfd 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+@@ -14,13 +14,16 @@
+    - EFI_RNG_ALGORITHM_X9_31_3DES_GUID        - Unsupported
+    - EFI_RNG_ALGORITHM_X9_31_AES_GUID         - Unsupported
+ 
++  Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.<BR>
+   Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+   (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
+   SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+ 
+-#include "RdRand.h"
++#include <Library/BaseLib.h>
++#include <Library/BaseMemoryLib.h>
++
+ #include "RngDxeInternals.h"
+ 
+ /**
+@@ -88,7 +91,7 @@ RngGetRNG (
+       return EFI_INVALID_PARAMETER;
+     }
+ 
+-    Status = RdRandGenerateEntropy (RNGValueLength, RNGValue);
++    Status = GenerateEntropy (RNGValueLength, RNGValue);
+     return Status;
+   }
+ 
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+index f330097199..60efb5562e 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+@@ -10,6 +10,7 @@
+ #
+ #  Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+ #  (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
++#  Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.<BR>
+ #  SPDX-License-Identifier: BSD-2-Clause-Patent
+ #
+ ##
+@@ -36,7 +37,6 @@
+ [Sources.IA32, Sources.X64]
+   Rand/RngDxe.c
+   Rand/RdRand.c
+-  Rand/RdRand.h
+   Rand/AesCore.c
+   Rand/AesCore.h
+ 
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
+index 25cccbe92c..fcb8b69153 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
+@@ -10,6 +10,8 @@
+ #ifndef RNGDXE_INTERNALS_H_
+ #define RNGDXE_INTERNALS_H_
+ 
++#include <Protocol/Rng.h>
++
+ /**
+   Returns information about the random number generation implementation.
+ 
+@@ -114,4 +116,22 @@ RngGetBytes (
+   OUT UINT8        *RandBuffer
+   );
+ 
+-#endif  // RNGDXE_INTERNALS_H_
++/**
++  Generate high-quality entropy source using a TRNG or through RDRAND.
++
++  @param[in]   Length        Size of the buffer, in bytes, to fill with.
++  @param[out]  Entropy       Pointer to the buffer to store the entropy data.
++
++  @retval EFI_SUCCESS        Entropy generation succeeded.
++  @retval EFI_NOT_READY      Failed to request random data.
++
++**/
++EFI_STATUS
++EFIAPI
++GenerateEntropy (
++  IN UINTN   Length,
++  OUT UINT8  *Entropy
++  );
++
++#endif // RNGDXE_INTERNALS_H_
++
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-Simplify-Rng-algorithm-selection-.patch

@@ -0,0 +1,78 @@
+From 1a0bf45b088e05f6eb7edaa0d24aec894ea3491b Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 20 Jun 2024 16:11:16 -0400
+Subject: [PATCH 23/31] SecurityPkg/RngDxe: Simplify Rng algorithm selection
+ for Arm
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [23/31] 21b2854eed63bf5d406cfec5ac03b9ae3901a679
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit ff7ddc02b273f9159ef46fdb67d99062f8e598d9
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Fri Aug 11 16:33:10 2023 +0200
+
+    SecurityPkg/RngDxe: Simplify Rng algorithm selection for Arm
+
+    The first element of mAvailableAlgoArray is defined as the default
+    Rng algorithm to use. Don't go through the array at each RngGetRNG()
+    call and just return the first element of the array.
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
+    Acked-by: Ard Biesheuvel <ardb@kernel.org>
+    Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
+    Tested-by: Kun Qin <kun.qin@microsoft.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../RandomNumberGenerator/RngDxe/ArmRngDxe.c    | 17 ++++-------------
+ 1 file changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+index 2fc36fc186..7249904413 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+@@ -77,7 +77,6 @@ RngGetRNG (
+   )
+ {
+   EFI_STATUS  Status;
+-  UINTN       Index;
+   GUID        RngGuid;
+ 
+   if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
+@@ -88,21 +87,13 @@ RngGetRNG (
+     //
+     // Use the default RNG algorithm if RNGAlgorithm is NULL.
+     //
+-    for (Index = 0; Index < mAvailableAlgoArrayCount; Index++) {
+-      if (!IsZeroGuid (&mAvailableAlgoArray[Index])) {
+-        RNGAlgorithm = &mAvailableAlgoArray[Index];
+-        goto FoundAlgo;
+-      }
+-    }
+-
+-    if (Index == mAvailableAlgoArrayCount) {
+-      // No algorithm available.
+-      ASSERT (Index != mAvailableAlgoArrayCount);
+-      return EFI_DEVICE_ERROR;
++    if (mAvailableAlgoArrayCount != 0) {
++      RNGAlgorithm = &mAvailableAlgoArray[0];
++    } else {
++      return EFI_UNSUPPORTED;
+     }
+   }
+ 
+-FoundAlgo:
+   Status = GetRngGuid (&RngGuid);
+   if (!EFI_ERROR (Status) &&
+       CompareGuid (RNGAlgorithm, &RngGuid))
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-Use-GetRngGuid-when-probing-RngLi.patch

@@ -0,0 +1,195 @@
+From 6b3795dcecf31b0d8aa7edabeffccf37b7259ff0 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 20 Jun 2024 16:09:46 -0400
+Subject: [PATCH 22/31] SecurityPkg/RngDxe: Use GetRngGuid() when probing
+ RngLib
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [22/31] 17b40bc3daeba2ba8407826e17f3096c4a5151c6
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit 19438cff973bfb35a1ef12fab45fabb28b63fe64
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Fri Aug 11 16:33:09 2023 +0200
+
+    SecurityPkg/RngDxe: Use GetRngGuid() when probing RngLib
+
+    BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4151
+
+    The EFI_RNG_PROTOCOL can rely on the RngLib. The RngLib has multiple
+    implementations, some of them are unsafe (e.g. BaseRngLibTimerLib).
+    To allow the RngDxe to detect when such implementation is used,
+    a GetRngGuid() function was added in a previous patch.
+
+    The EFI_RNG_PROTOCOL can advertise multiple algorithms through
+    Guids. The PcdCpuRngSupportedAlgorithm is currently used to
+    advertise the RngLib in the Arm implementation.
+
+    The issues of doing that are:
+    - the RngLib implementation might not use CPU instructions,
+      cf. the BaseRngLibTimerLib
+    - most platforms don't set PcdCpuRngSupportedAlgorithm
+
+    A GetRngGuid() was added to the RngLib in a previous patch,
+    allowing to identify the algorithm implemented by the RngLib.
+    Make use of this function and place the unsage algorithm
+    at the last position in the mAvailableAlgoArray.
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
+    Acked-by: Ard Biesheuvel <ardb@kernel.org>
+    Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
+    Tested-by: Kun Qin <kun.qin@microsoft.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../RngDxe/AArch64/AArch64Algo.c              | 55 +++++++++++++------
+ .../RandomNumberGenerator/RngDxe/ArmRngDxe.c  |  8 ++-
+ .../RandomNumberGenerator/RngDxe/RngDxe.inf   |  4 +-
+ 3 files changed, 45 insertions(+), 22 deletions(-)
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/AArch64Algo.c b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/AArch64Algo.c
+index e8be217f8a..a270441ebb 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/AArch64Algo.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/AArch64Algo.c
+@@ -10,6 +10,8 @@
+ #include <Library/DebugLib.h>
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/ArmTrngLib.h>
++#include <Library/RngLib.h>
++#include <Guid/RngAlgorithm.h>
+ 
+ #include "RngDxeInternals.h"
+ 
+@@ -28,9 +30,13 @@ GetAvailableAlgorithms (
+   VOID
+   )
+ {
+-  UINT64  DummyRand;
+-  UINT16  MajorRevision;
+-  UINT16  MinorRevision;
++  EFI_STATUS  Status;
++  UINT16      MajorRevision;
++  UINT16      MinorRevision;
++  GUID        RngGuid;
++  BOOLEAN     UnSafeAlgo;
++
++  UnSafeAlgo = FALSE;
+ 
+   // Rng algorithms 2 times, one for the allocation, one to populate.
+   mAvailableAlgoArray = AllocateZeroPool (RNG_AVAILABLE_ALGO_MAX);
+@@ -38,24 +44,29 @@ GetAvailableAlgorithms (
+     return EFI_OUT_OF_RESOURCES;
+   }
+ 
+-  // Check RngGetBytes() before advertising PcdCpuRngSupportedAlgorithm.
+-  if (!EFI_ERROR (RngGetBytes (sizeof (DummyRand), (UINT8 *)&DummyRand))) {
+-    CopyMem (
+-      &mAvailableAlgoArray[mAvailableAlgoArrayCount],
+-      PcdGetPtr (PcdCpuRngSupportedAlgorithm),
+-      sizeof (EFI_RNG_ALGORITHM)
+-      );
+-    mAvailableAlgoArrayCount++;
+-
+-    DEBUG_CODE_BEGIN ();
+-    if (IsZeroGuid (PcdGetPtr (PcdCpuRngSupportedAlgorithm))) {
++  // Identify RngLib algorithm.
++  Status = GetRngGuid (&RngGuid);
++  if (!EFI_ERROR (Status)) {
++    if (IsZeroGuid (&RngGuid) ||
++        CompareGuid (&RngGuid, &gEdkiiRngAlgorithmUnSafe))
++    {
++      // Treat zero GUID as an unsafe algorithm
+       DEBUG ((
+         DEBUG_WARN,
+-        "PcdCpuRngSupportedAlgorithm should be a non-zero GUID\n"
++        "RngLib uses an Unsafe algorithm and "
++        "must not be used for production builds.\n"
+         ));
++      // Set the UnSafeAlgo flag to indicate an unsafe algorithm was found
++      // so that it can be added at the end of the algorithm list.
++      UnSafeAlgo = TRUE;
++    } else {
++      CopyMem (
++        &mAvailableAlgoArray[mAvailableAlgoArrayCount],
++        &RngGuid,
++        sizeof (RngGuid)
++        );
++      mAvailableAlgoArrayCount++;
+     }
+-
+-    DEBUG_CODE_END ();
+   }
+ 
+   // Raw algorithm (Trng)
+@@ -68,5 +79,15 @@ GetAvailableAlgorithms (
+     mAvailableAlgoArrayCount++;
+   }
+ 
++  // Add unsafe algorithm at the end of the list.
++  if (UnSafeAlgo) {
++    CopyMem (
++      &mAvailableAlgoArray[mAvailableAlgoArrayCount],
++      &gEdkiiRngAlgorithmUnSafe,
++      sizeof (EFI_RNG_ALGORITHM)
++      );
++    mAvailableAlgoArrayCount++;
++  }
++
+   return EFI_SUCCESS;
+ }
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+index 0e44d0c931..2fc36fc186 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+@@ -76,8 +76,9 @@ RngGetRNG (
+   OUT UINT8                      *RNGValue
+   )
+ {
+-  EFI_STATUS    Status;
++  EFI_STATUS  Status;
+   UINTN       Index;
++  GUID        RngGuid;
+ 
+   if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
+     return EFI_INVALID_PARAMETER;
+@@ -102,7 +103,10 @@ RngGetRNG (
+   }
+ 
+ FoundAlgo:
+-  if (CompareGuid (RNGAlgorithm, PcdGetPtr (PcdCpuRngSupportedAlgorithm))) {
++  Status = GetRngGuid (&RngGuid);
++  if (!EFI_ERROR (Status) &&
++      CompareGuid (RNGAlgorithm, &RngGuid))
++  {
+     Status = RngGetBytes (RNGValueLength, RNGValue);
+     return Status;
+   }
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+index d6c2d30195..8704a64441 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+@@ -75,13 +75,11 @@
+   gEfiRngAlgorithmX9313DesGuid        ## SOMETIMES_PRODUCES    ## GUID        # Unique ID of the algorithm for RNG
+   gEfiRngAlgorithmX931AesGuid         ## SOMETIMES_PRODUCES    ## GUID        # Unique ID of the algorithm for RNG
+   gEfiRngAlgorithmRaw                 ## SOMETIMES_PRODUCES    ## GUID        # Unique ID of the algorithm for RNG
++  gEdkiiRngAlgorithmUnSafe            ## SOMETIMES_PRODUCES    ## GUID        # Unique ID of the algorithm for RNG
+ 
+ [Protocols]
+   gEfiRngProtocolGuid                ## PRODUCES
+ 
+-[Pcd.AARCH64]
+-  gEfiMdePkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm      ## CONSUMES
+-
+ [Depex]
+   TRUE
+ 
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-RngDxe-add-rng-test.patch

@@ -0,0 +1,57 @@
+From 5022087de4a4bcd113ef0325e657bd78b798d5f6 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 20 Jun 2024 10:33:43 -0400
+Subject: [PATCH 26/31] SecurityPkg/RngDxe: add rng test
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [26/31] 97c8deefd351f2755cf458f10679dd1d859fb321
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit a61bc0accb8a76edba4f073fdc7bafc908df045d
+Author: Gerd Hoffmann <kraxel@redhat.com>
+Date:   Fri May 31 09:49:13 2024 +0200
+
+    SecurityPkg/RngDxe: add rng test
+
+    Check whenever RngLib actually returns random numbers, only return
+    a non-zero number of Algorithms if that is the case.
+
+    This has the effect that RndDxe loads and installs EFI_RNG_PROTOCOL
+    only in case it can actually deliver random numbers.
+
+    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Check whenever RngLib actually returns random numbers, only return
+a non-zero number of Algorithms if that is the case.
+
+This has the effect that RndDxe loads and installs EFI_RNG_PROTOCOL
+only in case it can actually deliver random numbers.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+index 149de875ce..e374b62208 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+@@ -23,6 +23,7 @@
+ 
+ #include <Library/BaseLib.h>
+ #include <Library/BaseMemoryLib.h>
++#include <Library/RngLib.h>
+ 
+ #include "RngDxeInternals.h"
+ 
+-- 
+2.39.3
+

SOURCES/edk2-SecurityPkg-SecurityPkg.dec-Move-PcdCpuRngSupportedA.patch

@@ -0,0 +1,104 @@
+From 1548ea758f7d9d58fd61110f5719cc12786380d3 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 20 Jun 2024 16:01:08 -0400
+Subject: [PATCH 17/31] SecurityPkg/SecurityPkg.dec: Move
+ PcdCpuRngSupportedAlgorithm to MdePkg
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
+RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [17/31] 01f31c97f800f3451072762c0e9a9eb59f1cc2ab
+
+JIRA: https://issues.redhat.com/browse/RHEL-21856
+Upstream: Merged
+CVE: CVE-2023-45237
+
+commit 65b5dd828ef2ea5056031b239a4e7a6642f771a3
+Author: Pierre Gondois <pierre.gondois@arm.com>
+Date:   Fri Aug 11 16:33:04 2023 +0200
+
+    SecurityPkg/SecurityPkg.dec: Move PcdCpuRngSupportedAlgorithm to MdePkg
+
+    In order to use PcdCpuRngSupportedAlgorithm in the MdePkg in a
+    following patch and to avoid making the MdePkg dependent on another
+    package, move PcdCpuRngSupportedAlgorithm to the MdePkg.
+
+    As the Pcd is only used for AARCH64, place it in an AARCH64
+    specific sections.
+
+    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
+    Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+    Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
+    Acked-by: Ard Biesheuvel <ardb@kernel.org>
+    Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
+    Tested-by: Kun Qin <kun.qin@microsoft.com>
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ .../Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf        | 2 +-
+ MdePkg/MdePkg.dec                                            | 5 +++++
+ SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf          | 4 ++--
+ SecurityPkg/SecurityPkg.dec                                  | 2 --
+ 4 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf b/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+index f857290e82..f729001060 100644
+--- a/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
++++ b/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+@@ -19,7 +19,7 @@
+   INF_VERSION                    = 1.27
+   BASE_NAME                      = BaseRngLibTimerLib
+   MODULE_UNI_FILE                = BaseRngLibTimerLib.uni
+-  FILE_GUID                      = 74950C45-10FC-4AB5-B114-49C87C17409B
++  FILE_GUID                      = B3E66B05-D218-4B9A-AC33-EF0F83D6A513
+   MODULE_TYPE                    = BASE
+   VERSION_STRING                 = 1.0
+   LIBRARY_CLASS                  = RngLib
+diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
+index 6389a48338..8f05e822ac 100644
+--- a/MdePkg/MdePkg.dec
++++ b/MdePkg/MdePkg.dec
+@@ -2306,6 +2306,11 @@
+   # @Prompt Memory Address of GuidedExtractHandler Table.
+   gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress|0x1000000|UINT64|0x30001015
+ 
++[PcdsFixedAtBuild.AARCH64, PcdsPatchableInModule.AARCH64]
++  ## GUID identifying the Rng algorithm implemented by CPU instruction.
++  # @Prompt CPU Rng algorithm's GUID.
++  gEfiMdePkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm|{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}|VOID*|0x00000037
++
+ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+   ## This value is used to set the base address of PCI express hierarchy.
+   # @Prompt PCI Express Base Address.
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+index c8e0ee4ae5..d6c2d30195 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+@@ -79,8 +79,8 @@
+ [Protocols]
+   gEfiRngProtocolGuid                ## PRODUCES
+ 
+-[Pcd]
+-  gEfiSecurityPkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm      ## CONSUMES
++[Pcd.AARCH64]
++  gEfiMdePkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm      ## CONSUMES
+ 
+ [Depex]
+   TRUE
+diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
+index 9f7a032d60..8cf80b1e84 100644
+--- a/SecurityPkg/SecurityPkg.dec
++++ b/SecurityPkg/SecurityPkg.dec
+@@ -323,8 +323,6 @@
+   gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeFvVerificationPass|0x0303100A|UINT32|0x00010030
+   gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeFvVerificationFail|0x0303100B|UINT32|0x00010031
+ 
+-  gEfiSecurityPkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm|{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}|VOID*|0x00010032
+-
+ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+   ## Image verification policy for OptionRom. Only following values are valid:<BR><BR>
+   #  NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>
+-- 
+2.39.3
+

SPECS/edk2.spec

@@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    13%{?dist}
+Release:    13%{?dist}.2
 Summary:    UEFI firmware for 64-bit virtual machines
 Group:      Applications/Emulators
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
@@ -260,6 +260,130 @@ Patch82: edk2-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch
 Patch83: edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch
 # For RHEL-21158 - CVE-2022-36765 edk2: integer overflow in CreateHob() could lead to HOB OOB R/W [rhel-8]
 Patch84: edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch85: edk2-MdeModulePkg-Change-use-of-EFI_D_-to-DEBUG_.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch86: edk2-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch87: edk2-MdePkg-Apply-uncrustify-changes.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch88: edk2-NetworkPkg-Apply-uncrustify-changes.p2.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch89: edk2-SecurityPkg-RngDxe-Rename-RdRandGenerateEntropy-to-g.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch90: edk2-SecurityPkg-RngDxe-Remove-ArchGetSupportedRngAlgorit.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch91: edk2-SecurityPkg-RngDxe-Documentation-include-parameter-c.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch92: edk2-SecurityPkg-RngDxe-Check-before-advertising-Cpu-Rng-.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch93: edk2-SecurityPkg-RngDxe-Add-AArch64-RawAlgorithm-support-.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch94: edk2-SecurityPkg-RngDxe-Add-debug-warning-for-NULL-PcdCpu.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch95: edk2-SecurityPkg-RngDxe-Rename-AArch64-RngDxe.c.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch96: edk2-SecurityPkg-RngDxe-Add-Arm-support-of-RngDxe.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch97: edk2-SecurityPkg-RngDxe-Correctly-update-mAvailableAlgoAr.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch98: edk2-SecurityPkg-RngDxe-Conditionally-install-EFI_RNG_PRO.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch99: edk2-MdeModulePkg-Duplicate-BaseRngLibTimerLib-to-MdeModu.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch100: edk2-MdePkg-Add-deprecated-warning-to-BaseRngLibTimer.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch101: edk2-SecurityPkg-SecurityPkg.dec-Move-PcdCpuRngSupportedA.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch102: edk2-MdePkg-DxeRngLib-Request-raw-algorithm-instead-of-de.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch103: edk2-MdePkg-Rng-Add-GUID-to-describe-Arm-Rndr-Rng-algorit.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch104: edk2-MdeModulePkg-Rng-Add-GUID-to-describe-unsafe-Rng-alg.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch105: edk2-MdePkg-Rng-Add-GetRngGuid-to-RngLib.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch106: edk2-SecurityPkg-RngDxe-Use-GetRngGuid-when-probing-RngLi.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch107: edk2-SecurityPkg-RngDxe-Simplify-Rng-algorithm-selection-.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch108: edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch109: edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch110: edk2-SecurityPkg-RngDxe-add-rng-test.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch111: edk2-OvmfPkg-wire-up-RngDxe.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch112: edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch113: edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch114: edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch
+# For RHEL-21854 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]
+# For RHEL-21856 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]
+# For RHEL-40099 - CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]
+Patch115: edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch
 
 
 # python3-devel and libuuid-devel are required for building tools.
@@ -706,6 +830,47 @@ true
 %endif
 
 %changelog
+* Wed Jul 10 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-13.el8_10.2
+
+* Wed Jul 03 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-13.el8_10.1
+- edk2-MdeModulePkg-Change-use-of-EFI_D_-to-DEBUG_.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-MdePkg-Apply-uncrustify-changes.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-NetworkPkg-Apply-uncrustify-changes.p2.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-Rename-RdRandGenerateEntropy-to-g.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-Remove-ArchGetSupportedRngAlgorit.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-Documentation-include-parameter-c.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-Check-before-advertising-Cpu-Rng-.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-Add-AArch64-RawAlgorithm-support-.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-Add-debug-warning-for-NULL-PcdCpu.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-Rename-AArch64-RngDxe.c.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-Add-Arm-support-of-RngDxe.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-Correctly-update-mAvailableAlgoAr.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-Conditionally-install-EFI_RNG_PRO.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-MdeModulePkg-Duplicate-BaseRngLibTimerLib-to-MdeModu.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-MdePkg-Add-deprecated-warning-to-BaseRngLibTimer.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-SecurityPkg.dec-Move-PcdCpuRngSupportedA.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-MdePkg-DxeRngLib-Request-raw-algorithm-instead-of-de.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-MdePkg-Rng-Add-GUID-to-describe-Arm-Rndr-Rng-algorit.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-MdeModulePkg-Rng-Add-GUID-to-describe-unsafe-Rng-alg.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-MdePkg-Rng-Add-GetRngGuid-to-RngLib.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-Use-GetRngGuid-when-probing-RngLi.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-Simplify-Rng-algorithm-selection-.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-SecurityPkg-RngDxe-add-rng-test.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-OvmfPkg-wire-up-RngDxe.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch [RHEL-21854 RHEL-21856 RHEL-40099]
+- Resolves: RHEL-21854
+  (CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8])
+- Resolves: RHEL-21856
+  (CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8])
+- Resolves: RHEL-40099
+  (CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z])
+
 * Thu Mar 14 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-13
 - edk2-EmbeddedPkg-Hob-Integer-Overflow-in-CreateHob.patch [RHEL-21158]
 - edk2-StandaloneMmPkg-Hob-Integer-Overflow-in-CreateHob.patch [RHEL-21158]