import edk2-20231122-6.el9_4.3

SOURCES/edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch

@@ -0,0 +1,43 @@
+From 07d8292cce31630859b9e3138078d8cc8412a72f Mon Sep 17 00:00:00 2001
+From: Oliver Steffen <osteffen@redhat.com>
+Date: Wed, 14 Aug 2024 09:53:49 +0200
+Subject: [PATCH 3/3] NetworkPkg/DxeNetLib: Reword PseudoRandom error logging
+
+RH-Author: Oliver Steffen <osteffen@redhat.com>
+RH-MergeRequest: 82: NetworkPkg/DxeNetLib: adjust PseudoRandom error logging
+RH-Jira: RHEL-54188
+RH-Commit: [2/2] acea6a5fd931cdb6854c69a4e3c6e49caed83e68
+
+The word "Failed" is used when logging tired Rng algorithms.
+These mostly non-critical messages confused some users.
+
+Reword it and also add a message confirming eventual success to
+deescalate the importance somewhat.
+
+Signed-off-by: Oliver Steffen <osteffen@redhat.com>
+---
+ NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
+index 4dfbe91a55..905a944975 100644
+--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
++++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
+@@ -946,12 +946,13 @@ PseudoRandom (
+         //
+         // Secure Algorithm was supported on this platform
+         //
++        DEBUG ((DEBUG_VERBOSE, "Generated random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));
+         return EFI_SUCCESS;
+       } else if (Status == EFI_UNSUPPORTED) {
+         //
+         // Secure Algorithm was not supported on this platform
+         //
+-        DEBUG ((DEBUG_VERBOSE, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));
++        DEBUG ((DEBUG_VERBOSE, "Unable to generate random data using secure algorithm %d not available: %r\n", AlgorithmIndex, Status));
+ 
+         //
+         // Try the next secure algorithm
+-- 
+2.39.3
+

SOURCES/edk2-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch

@@ -0,0 +1,48 @@
+From 537128fa22e410dac59b149ed11264731f09765b Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 19 Jun 2024 09:07:56 +0200
+Subject: [PATCH 2/3] NetworkPkg/DxeNetLib: adjust PseudoRandom error logging
+
+RH-Author: Oliver Steffen <osteffen@redhat.com>
+RH-MergeRequest: 82: NetworkPkg/DxeNetLib: adjust PseudoRandom error logging
+RH-Jira: RHEL-54188
+RH-Commit: [1/2] 5c4699fd88b0ebcf7fe8b7e3a3895bf772aebdb3
+
+There is a list of allowed rng algorithms, if /one/ of them is not
+supported this is not a problem, only /all/ of them failing is an
+error condition.
+
+Downgrade the message for a single unsupported algorithm from ERROR to
+VERBOSE.  Add an error message in case we finish the loop without
+finding a supported algorithm.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 6862b9d538d96363635677198899e1669e591259)
+---
+ NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
+index 01c13c08d2..4dfbe91a55 100644
+--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
++++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
+@@ -951,7 +951,7 @@ PseudoRandom (
+         //
+         // Secure Algorithm was not supported on this platform
+         //
+-        DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));
++        DEBUG ((DEBUG_VERBOSE, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));
+ 
+         //
+         // Try the next secure algorithm
+@@ -971,6 +971,7 @@ PseudoRandom (
+     // If we get here, we failed to generate random data using any secure algorithm
+     // Platform owner should ensure that at least one secure algorithm is supported
+     //
++    DEBUG ((DEBUG_ERROR, "Failed to generate random data, no supported secure algorithm found\n"));
+     ASSERT_EFI_ERROR (Status);
+     return Status;
+   }
+-- 
+2.39.3
+

SOURCES/edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch

@@ -0,0 +1,201 @@
+From 1b48c27469c9867c69e6f2b35aa7cd5562b5cf39 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Wed, 8 May 2024 22:56:24 -0700
+Subject: [PATCH 1/3] OvmfPkg: Add Hash2DxeCrypto to OvmfPkg
+
+RH-Author: Oliver Steffen <osteffen@redhat.com>
+RH-MergeRequest: 79: OvmfPkg: Add Hash2DxeCrypto to OvmfPkg
+RH-Jira: RHEL-46976
+RH-Commit: [1/1] 71f16261937c2fe2ff6fa434db6f300ff7f4fef0
+
+JIRA: https://issues.redhat.com/browse/RHEL-46976
+Upstream: Merged
+
+Upstream commit 4c4ceb2ceb80 ("NetworkPkg: SECURITY PATCH CVE-2023-45237")
+broke HTTP boot in OVMF. This fixes it.
+
+commit cb9d71189134e78efb00759eb9649ce92bf5b29a
+Author: Doug Flick <dougflick@microsoft.com>
+Date:   Wed May 8 22:56:24 2024 -0700
+
+    OvmfPkg: Add Hash2DxeCrypto to OvmfPkg
+
+    This patch adds Hash2DxeCrypto to OvmfPkg. The Hash2DxeCrypto is
+    used to provide the hashing protocol services.
+
+    Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
+    Cc: Jiewen Yao <jiewen.yao@intel.com>
+    Cc: Gerd Hoffmann <kraxel@redhat.com>
+
+    Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
+    Tested-by: Gerd Hoffmann <kraxel@redhat.com>
+    Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+    Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+
+Signed-off-by: Oliver Steffen <osteffen@redhat.com>
+---
+ OvmfPkg/OvmfPkgIa32.dsc    | 6 +++++-
+ OvmfPkg/OvmfPkgIa32.fdf    | 5 +++++
+ OvmfPkg/OvmfPkgIa32X64.dsc | 6 +++++-
+ OvmfPkg/OvmfPkgIa32X64.fdf | 5 +++++
+ OvmfPkg/OvmfPkgX64.dsc     | 6 +++++-
+ OvmfPkg/OvmfPkgX64.fdf     | 5 +++++
+ OvmfPkg/OvmfXen.dsc        | 5 +++++
+ OvmfPkg/OvmfXen.fdf        | 5 +++++
+ 8 files changed, 40 insertions(+), 3 deletions(-)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 4074aa382d..bd15bb30fe 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -226,7 +226,6 @@
+   VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
+   VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf
+ 
+-
+   #
+   # Network libraries
+   #
+@@ -884,6 +883,11 @@
+   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+   MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
++  #
++  # Hash2 Protocol producer
++  #
++  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
++
+   #
+   # Network Support
+   #
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 20cfd2788e..2df265982b 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -303,6 +303,11 @@ INF  ShellPkg/Application/Shell/Shell.inf
+ 
+ INF MdeModulePkg/Logo/LogoDxe.inf
+ 
++#
++# Hash2 Protocol producer
++#
++INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
++
+ #
+ # Network modules
+ #
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 75ef19bc85..358f510ef8 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -231,7 +231,6 @@
+   VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
+   VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf
+ 
+-
+   #
+   # Network libraries
+   #
+@@ -902,6 +901,11 @@
+   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+   MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
++  #
++  # Hash2 Protocol producer
++  #
++  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
++
+   #
+   # Network Support
+   #
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 8517c79ba2..4a73d67238 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -304,6 +304,11 @@ INF  ShellPkg/Application/Shell/Shell.inf
+ 
+ INF MdeModulePkg/Logo/LogoDxe.inf
+ 
++#
++# Hash2 Protocol producer
++#
++INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
++
+ #
+ # Network modules
+ #
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 631ff0c788..266d77e15c 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -247,7 +247,6 @@
+   VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
+   VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf
+ 
+-
+   #
+   # Network libraries
+   #
+@@ -970,6 +969,11 @@
+   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+   MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
++  #
++  # Hash2 Protocol producer
++  #
++  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
++
+   #
+   # Network Support
+   #
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 7ecde357ce..cedc362d04 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -331,6 +331,11 @@ INF MdeModulePkg/Logo/LogoDxe.inf
+ 
+ INF OvmfPkg/TdxDxe/TdxDxe.inf
+ 
++#
++# Hash2 Protocol producer
++#
++INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
++
+ #
+ # Network modules
+ #
+diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
+index 0063245b56..021558423d 100644
+--- a/OvmfPkg/OvmfXen.dsc
++++ b/OvmfPkg/OvmfXen.dsc
+@@ -682,6 +682,11 @@
+   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+   MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
++  #
++  # Hash2 Protocol producer
++  #
++  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
++
+   #
+   # Network Support
+   #
+diff --git a/OvmfPkg/OvmfXen.fdf b/OvmfPkg/OvmfXen.fdf
+index bdff7c52d8..e970b91652 100644
+--- a/OvmfPkg/OvmfXen.fdf
++++ b/OvmfPkg/OvmfXen.fdf
+@@ -315,6 +315,11 @@ INF  ShellPkg/Application/Shell/Shell.inf
+ 
+ INF MdeModulePkg/Logo/LogoDxe.inf
+ 
++#
++# Hash2 Protocol producer
++#
++INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
++
+ #
+ # Network modules
+ #
+-- 
+2.39.3
+

SPECS/edk2.spec

@@ -20,7 +20,7 @@ ExclusiveArch: x86_64 aarch64
 
 Name:       edk2
 Version:    %{GITDATE}
-Release:    6%{?dist}.2
+Release:    6%{?dist}.3
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    BSD-2-Clause-Patent and Apache-2.0 and MIT
 URL:        http://www.tianocore.org
@@ -292,6 +292,12 @@ Patch79: edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch
 # For RHEL-40270 - CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-9.4.z]
 # For RHEL-40272 - CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-9.4.z]
 Patch80: edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch
+# For RHEL-46976 - No http boot support on edk2-ovmf-20231122-6.el9_4.2
+Patch81: edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch
+# For RHEL-54188 - [RHEL-9.4.z] edk2 hit Failed to generate random data
+Patch82: edk2-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch
+# For RHEL-54188 - [RHEL-9.4.z] edk2 hit Failed to generate random data
+Patch83: edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -625,6 +631,15 @@ install -m 0644 \
 
 
 %changelog
+* Tue Aug 20 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-6.el9_4.3
+- edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch [RHEL-46976]
+- edk2-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch [RHEL-54188]
+- edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch [RHEL-54188]
+- Resolves: RHEL-46976
+  (No http boot support on edk2-ovmf-20231122-6.el9_4.2)
+- Resolves: RHEL-54188
+  ([RHEL-9.4.z] edk2 hit Failed to generate random data)
+
 * Mon Jul 01 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20231122-6.el9_4.2
 - edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch [RHEL-40270 RHEL-40272]
 - edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch [RHEL-40270 RHEL-40272]