Import edk2-20240524-5.el9_5.inferit.1

.edk2.metadata

@@ -0,0 +1,2 @@
+703fd1d0fad7fc0d2e815a6e293e5d53e4c62bf6  SOURCES/openssl-rhel-8e5beb77088bfec064d60506b1e76ddb0ac417fe.tar.xz
+6da44cf37c27ab03f2940769c58515b07271e047  SOURCES/edk2-3e722403cd.tar.xz

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/openssl-rhel-8e5beb77088bfec064d60506b1e76ddb0ac417fe.tar.xz
+SOURCES/edk2-3e722403cd.tar.xz

SOURCES/0003-Remove-paths-leading-to-submodules.patch

@@ -0,0 +1,65 @@
+From de9f92d118c1374243d9d3f006088a29ec7dcf8d Mon Sep 17 00:00:00 2001
+From: Miroslav Rezanina <mrezanin@redhat.com>
+Date: Thu, 24 Mar 2022 03:23:02 -0400
+Subject: [PATCH] Remove paths leading to submodules
+
+We removed submodules used upstream. However, edk2 build system requires
+such include paths to resolve successfully, regardless of the firmware
+platform being built.
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ BaseTools/Source/C/GNUmakefile | 1 -
+ MdeModulePkg/MdeModulePkg.dec  | 3 ---
+ MdePkg/MdePkg.dec              | 5 -----
+ 3 files changed, 9 deletions(-)
+
+diff --git a/BaseTools/Source/C/GNUmakefile b/BaseTools/Source/C/GNUmakefile
+index 5275f657ef..39d7199753 100644
+--- a/BaseTools/Source/C/GNUmakefile
++++ b/BaseTools/Source/C/GNUmakefile
+@@ -51,7 +51,6 @@ all: makerootdir subdirs
+ LIBRARIES = Common
+ VFRAUTOGEN = VfrCompile/VfrLexer.h
+ APPLICATIONS = \
+-  BrotliCompress \
+   VfrCompile \
+   EfiRom \
+   GenFfs \
+diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
+index f7339f0aec..badb93238f 100644
+--- a/MdeModulePkg/MdeModulePkg.dec
++++ b/MdeModulePkg/MdeModulePkg.dec
+@@ -26,9 +26,6 @@
+   Include
+   Test/Mock/Include
+ 
+-[Includes.Common.Private]
+-  Library/BrotliCustomDecompressLib/brotli/c/include
+-
+ [LibraryClasses]
+   ##  @libraryclass  Defines a set of methods to reset whole system.
+   ResetSystemLib|Include/Library/ResetSystemLib.h
+diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
+index bf94549cbf..605b0f1be8 100644
+--- a/MdePkg/MdePkg.dec
++++ b/MdePkg/MdePkg.dec
+@@ -29,7 +29,6 @@
+   Include
+   Test/UnitTest/Include
+   Test/Mock/Include
+-  Library/MipiSysTLib/mipisyst/library/include
+ 
+ [Includes.IA32]
+   Include/Ia32
+@@ -295,10 +294,6 @@
+   #
+   FdtLib|Include/Library/FdtLib.h
+ 
+-  ##  @libraryclass  Provides general mipi sys-T services.
+-  #
+-  MipiSysTLib|Include/Library/MipiSysTLib.h
+-
+   ##  @libraryclass  Provides API to output Trace Hub debug message.
+   #
+   TraceHubDebugSysTLib|Include/Library/TraceHubDebugSysTLib.h

SOURCES/0004-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch

@@ -0,0 +1,190 @@
+From 5c48211bdce4b30c86e92636e852e9da4ede4c1e Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 25 Feb 2014 22:40:01 +0100
+Subject: [PATCH] MdeModulePkg: TerminalDxe: set xterm resolution on mode
+ change (RH only)
+
+Notes for rebase to edk2-stable202311:
+
+- Minor context changes due to new PCDs (for USB Networking) being added.
+
+Notes for rebase to edk2-stable202205:
+
+- Minor context changes due to fd306d1dbc MdeModulePkg: Add PcdTdxSharedBitMask
+
+Notes for rebase to edk2-stable202202:
+
+- Minor context changes due to 1436aea4d MdeModulePkg: Apply uncrustify changes
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Resolve harmless conflict in "MdeModulePkg/MdeModulePkg.dec",
+  originating from new upstream commits
+  - 45bc28172fbf ("MdeModulePkg.dec: Change PCDs for status code.",
+                  2020-06-18),
+  - 0785c619a58a ("MdeModulePkg/Bus/Pci/PciBusDxe: Support PCIe Resizable
+                  BAR Capability", 2021-01-04),
+  - ef23012e5439 ("MdeModulePkg: Change default value of
+                  PcdPcieResizableBarSupport to FALSE", 2021-01-14).
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- Resolve trivial conflict in "MdeModulePkg/MdeModulePkg.dec", arising
+  from upstream commit 166830d8f7ca ("MdeModulePkg/dec: add
+  PcdTcgPfpMeasurementRevision PCD", 2020-01-06).
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- Conflict in "MdeModulePkg/MdeModulePkg.dec" due to upstream commits
+  - 1103ba946aee ("MdeModulePkg: Add Capsule On Disk related definition.",
+    2019-06-26),
+  - 1c7b3eb84631 ("MdeModulePkg/DxeIpl: Introduce PCD
+    PcdUse5LevelPageTable", 2019-08-09),
+  with easy manual resolution.
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no change
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- Refresh downstream-only commit 2909e025db68 against "MdeModulePkg.dec"
+  context change from upstream commits e043f7895b83 ("MdeModulePkg: Add
+  PCD PcdPteMemoryEncryptionAddressOrMask", 2017-02-27) and 76081dfcc5b2
+  ("MdeModulePkg: Add PROMPT&HELP string of pcd to UNI file", 2017-03-03).
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- refresh commit 519b9751573e against various context changes
+
+The
+
+  CSI Ps ; Ps ; Ps t
+
+escape sequence serves for window manipulation. We can use the
+
+  CSI 8 ; <rows> ; <columns> t
+
+sequence to adapt eg. the xterm window size to the selected console mode.
+
+Reference: <http://rtfm.etla.org/xterm/ctlseq.html>
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 2909e025db6878723b49644a8a0cf160d07e6444)
+(cherry picked from commit b9c5c901f25e48d68eef6e78a4abca00e153f574)
+(cherry picked from commit b7f6115b745de8cbc5214b6ede33c9a8558beb90)
+(cherry picked from commit 67415982afdc77922aa37496c981adeb4351acdb)
+(cherry picked from commit cfccb98d13e955beb0b93b4a75a973f30c273ffc)
+(cherry picked from commit a11602f5e2ef930be5b693ddfd0c789a1bd4c60c)
+(cherry picked from commit bc2266f20de5db1636e09a07e4a72c8dbf505f5a)
+---
+ MdeModulePkg/MdeModulePkg.dec                 |  4 +++
+ .../Console/TerminalDxe/TerminalConOut.c      | 30 +++++++++++++++++++
+ .../Console/TerminalDxe/TerminalDxe.inf       |  2 ++
+ 3 files changed, 36 insertions(+)
+
+diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
+index badb93238f..3a67acc090 100644
+--- a/MdeModulePkg/MdeModulePkg.dec
++++ b/MdeModulePkg/MdeModulePkg.dec
+@@ -2222,6 +2222,10 @@
+   # @Prompt The value is use for Usb Network rate limiting supported.
+   gEfiMdeModulePkgTokenSpaceGuid.PcdUsbNetworkRateLimitingFactor|100|UINT32|0x10000028
+ 
++  ## Controls whether TerminalDxe outputs an XTerm resize sequence on terminal
++  #  mode change.
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE|BOOLEAN|0x00010080
++
+ [PcdsPatchableInModule]
+   ## Specify memory size with page number for PEI code when
+   #  Loading Module at Fixed Address feature is enabled.
+diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
+index 7809869e7d..3be801039b 100644
+--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
+@@ -7,6 +7,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+ 
++#include <Library/PrintLib.h>
++
+ #include "Terminal.h"
+ 
+ //
+@@ -80,6 +82,16 @@ CHAR16  mSetCursorPositionString[] = { ESC, '[', '0', '0', ';', '0', '0', 'H', 0
+ CHAR16  mCursorForwardString[]     = { ESC, '[', '0', '0', 'C', 0 };
+ CHAR16  mCursorBackwardString[]    = { ESC, '[', '0', '0', 'D', 0 };
+ 
++//
++// Note that this is an ASCII format string, taking two INT32 arguments:
++// rows, columns.
++//
++// A %d (INT32) format specification can expand to at most 11 characters.
++//
++CHAR8 mResizeTextAreaFormatString[] = "\x1B[8;%d;%dt";
++#define RESIZE_SEQ_SIZE (sizeof mResizeTextAreaFormatString + 2 * (11 - 2))
++
++
+ //
+ // Body of the ConOut functions
+ //
+@@ -498,6 +510,24 @@ TerminalConOutSetMode (
+     return EFI_DEVICE_ERROR;
+   }
+ 
++  if (PcdGetBool (PcdResizeXterm)) {
++    CHAR16 ResizeSequence[RESIZE_SEQ_SIZE];
++
++    UnicodeSPrintAsciiFormat (
++      ResizeSequence,
++      sizeof ResizeSequence,
++      mResizeTextAreaFormatString,
++      (INT32) TerminalDevice->TerminalConsoleModeData[ModeNumber].Rows,
++      (INT32) TerminalDevice->TerminalConsoleModeData[ModeNumber].Columns
++      );
++    TerminalDevice->OutputEscChar = TRUE;
++    Status                        = This->OutputString (This, ResizeSequence);
++    TerminalDevice->OutputEscChar = FALSE;
++    if (EFI_ERROR (Status)) {
++      return EFI_DEVICE_ERROR;
++    }
++  }
++
+   This->Mode->Mode = (INT32)ModeNumber;
+ 
+   Status = This->ClearScreen (This);
+diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
+index b2a8aeba85..96810f337c 100644
+--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
+@@ -55,6 +55,7 @@
+   DebugLib
+   PcdLib
+   BaseLib
++  PrintLib
+ 
+ [Guids]
+   ## SOMETIMES_PRODUCES ## Variable:L"ConInDev"
+@@ -87,6 +88,7 @@
+ [Pcd]
+   gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType           ## SOMETIMES_CONSUMES
+   gEfiMdeModulePkgTokenSpaceGuid.PcdErrorCodeSetVariable    ## CONSUMES
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm             ## CONSUMES
+ 
+ # [Event]
+ # # Relative timer event set by UnicodeToEfiKey(), used to be one 2 seconds input timeout.

SOURCES/0005-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch

@@ -0,0 +1,212 @@
+From 0976965c3dd6ac841f59dc09220a6637060ba901 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 14 Oct 2015 15:59:06 +0200
+Subject: [PATCH] OvmfPkg: take PcdResizeXterm from the QEMU command line (RH
+ only)
+
+Notes about edk2-stable202205 rebase
+
+- Necessary minor fixes for upstream changes
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been
+  introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit
+  to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077.
+
+  We've always patched all those DSC/FDF files in OvmfPkg down-stream that
+  made sense at least in theory on QEMU. (For example, we've always
+  patched "OvmfPkgIa32.dsc" and "OvmfPkgIa32.fdf", even though we never
+  build or ship the pure IA32 firmware platform.) Follow suit with
+  "AmdSevX64.dsc".
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- Resolve contextual conflict in the DSC files, from upstream commit
+  b0ed7ebdebd1 ("OvmfPkg: set fixed FlashNvStorage base addresses with -D
+  SMM_REQUIRE", 2020-03-12).
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no change
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no change
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- refresh downstream-only commit 8abc2a6ddad2 against context differences
+  in the DSC files from upstream commit 5e167d7e784c
+  ("OvmfPkg/PlatformPei: don't allocate reserved mem varstore if
+  SMM_REQUIRE", 2017-03-12).
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 6fa0c4d67c0bb8bde2ddd6db41c19eb0c40b2721)
+(cherry picked from commit 8abc2a6ddad25af7e88dc0cf57d55dfb75fbf92d)
+(cherry picked from commit b311932d3841c017a0f0fec553edcac365cc2038)
+(cherry picked from commit 61914fb81cf624c9028d015533b400b2794e52d3)
+(cherry picked from commit 2ebf3cc2ae99275d63bb6efd3c22dec76251a853)
+(cherry picked from commit f9b73437b9b231773c1a20e0c516168817a930a2)
+(cherry picked from commit 2cc462ee963d0be119bc97bfc9c70d292a40516f)
+(cherry picked from commit 51e0de961029af84b5bdbfddcc9762b1819d500f)
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc        |  1 +
+ OvmfPkg/CloudHv/CloudHvX64.dsc      |  1 +
+ OvmfPkg/IntelTdx/IntelTdxX64.dsc    |  1 +
+ OvmfPkg/Microvm/MicrovmX64.dsc      |  2 +-
+ OvmfPkg/OvmfPkgIa32.dsc             |  1 +
+ OvmfPkg/OvmfPkgIa32X64.dsc          |  1 +
+ OvmfPkg/OvmfPkgX64.dsc              |  1 +
+ OvmfPkg/PlatformPei/Platform.c      | 13 +++++++++++++
+ OvmfPkg/PlatformPei/PlatformPei.inf |  1 +
+ 9 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 8eb6f4f24f..627fded641 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -484,6 +484,7 @@
+ [PcdsDynamicDefault]
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0
+diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc
+index 4996885301..51a49c09ad 100644
+--- a/OvmfPkg/CloudHv/CloudHvX64.dsc
++++ b/OvmfPkg/CloudHv/CloudHvX64.dsc
+@@ -581,6 +581,7 @@
+   #   ($(SMM_REQUIRE) == FALSE)
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ !if $(SMM_REQUIRE) == FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
+diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+index 0931ce061a..9f49b60ff0 100644
+--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
++++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+@@ -477,6 +477,7 @@
+   #   ($(SMM_REQUIRE) == FALSE)
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0
+diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
+index 69de4dd3f1..fb73f2e089 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.dsc
++++ b/OvmfPkg/Microvm/MicrovmX64.dsc
+@@ -590,7 +590,7 @@
+   # only set when
+   #   ($(SMM_REQUIRE) == FALSE)
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+-
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase64|0
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 2ca005d768..dddef5ed0e 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -599,6 +599,7 @@
+   #   ($(SMM_REQUIRE) == FALSE)
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ !if $(SMM_REQUIRE) == FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index a39070a626..933abb258f 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -611,6 +611,7 @@
+   #   ($(SMM_REQUIRE) == FALSE)
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ !if $(SMM_REQUIRE) == FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 1b90aa8f57..04157ab14b 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -629,6 +629,7 @@
+   #   ($(SMM_REQUIRE) == FALSE)
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+ !if $(SMM_REQUIRE) == FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase64|0
+diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
+index df35726ff6..6c786bfc1e 100644
+--- a/OvmfPkg/PlatformPei/Platform.c
++++ b/OvmfPkg/PlatformPei/Platform.c
+@@ -41,6 +41,18 @@
+ 
+ #include "Platform.h"
+ 
++#define UPDATE_BOOLEAN_PCD_FROM_FW_CFG(TokenName)                   \
++          do {                                                      \
++            BOOLEAN       Setting;                                  \
++            RETURN_STATUS PcdStatus;                                \
++                                                                    \
++            if (!RETURN_ERROR (QemuFwCfgParseBool (                 \
++                              "opt/ovmf/" #TokenName, &Setting))) { \
++              PcdStatus = PcdSetBoolS (TokenName, Setting);         \
++              ASSERT_RETURN_ERROR (PcdStatus);                      \
++            }                                                       \
++          } while (0)
++
+ EFI_PEI_PPI_DESCRIPTOR  mPpiBootMode[] = {
+   {
+     EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
+@@ -355,6 +367,7 @@ InitializePlatform (
+     MemTypeInfoInitialization (PlatformInfoHob);
+     MemMapInitialization (PlatformInfoHob);
+     NoexecDxeInitialization (PlatformInfoHob);
++    UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm);
+   }
+ 
+   InstallClearCacheCallback ();
+diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
+index e036018eab..a2f59e8fc8 100644
+--- a/OvmfPkg/PlatformPei/PlatformPei.inf
++++ b/OvmfPkg/PlatformPei/PlatformPei.inf
+@@ -103,6 +103,7 @@
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareSize
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm
+   gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
+   gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
+   gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack

SOURCES/0006-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch

@@ -0,0 +1,201 @@
+From 4c45a397402f58a67b1d4ea1348bb79f3716c7a5 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Sun, 26 Jul 2015 08:02:50 +0000
+Subject: [PATCH] ArmVirtPkg: take PcdResizeXterm from the QEMU command line
+ (RH only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- Resolve leading context divergence in "ArmVirtPkg/ArmVirtQemu.dsc",
+  arising from upstream commits:
+
+  - 82662a3b5f56 ("ArmVirtPkg/PlatformPeiLib: discover the TPM base
+                  address from the DT", 2020-03-04)
+
+  - ddd34a818315 ("ArmVirtPkg/ArmVirtQemu: enable TPM2 support in the PEI
+                  phase", 2020-03-04)
+
+  - cdc3fa54184a ("ArmVirtPkg: control PXEv4 / PXEv6 boot support from the
+                  QEMU command line", 2020-04-28)
+
+- Rework the downstream patch quite a bit, paralleling the upstream work
+  done for <https://bugzilla.tianocore.org/show_bug.cgi?id=2681> in commit
+  range 64ab457d1f21..cdc3fa54184a:
+
+  - Refresh copyright year in TerminalPcdProducerLib.{inf,c}. Also replace
+    open-coded BSDL with "SPDX-License-Identifier: BSD-2-Clause-Patent".
+
+  - Simplify LIBRARY_CLASS: this lib instance is meant to be consumed only
+    via NULL class resolution (basically: as a plugin), so use NULL for
+    LIBRARY_CLASS, not "TerminalPcdProducerLib|DXE_DRIVER".
+
+  - Sort the [Packages] section alphabetically in the INF file.
+
+  - Replace the open-coded GetNamedFwCfgBoolean() function with a call to
+    QemuFwCfgParseBool(), from QemuFwCfgSimpleParserLib.
+
+  - Add the SOMETIMES_PRODUCES usage comment in the [Pcd] section of the
+    INF file.
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no change
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no change
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- Refresh downstream-only commit d4564d39dfdb against context changes in
+  "ArmVirtPkg/ArmVirtQemu.dsc" from upstream commit 7e5f1b673870
+  ("ArmVirtPkg/PlatformHasAcpiDtDxe: allow guest level ACPI disable
+  override", 2017-03-29).
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- Adapt commit 6b97969096a3 to the fact that upstream has deprecated such
+  setter functions for dynamic PCDs that don't return a status code (such
+  as PcdSetBool()). Employ PcdSetBoolS(), and assert that it succeeds --
+  there's really no circumstance in this case when it could fail.
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit d4564d39dfdbf74e762af43314005a2c026cb262)
+(cherry picked from commit c9081ebe3bcd28e5cce4bf58bd8d4fca12f9af7c)
+(cherry picked from commit 8e92730c8e1cdb642b3b3e680e643ff774a90c65)
+(cherry picked from commit 9448b6b46267d8d807fac0c648e693171bb34806)
+(cherry picked from commit 232fcf06f6b3048b7c2ebd6931f23186b3852f04)
+(cherry picked from commit 8338545260fbb423f796d5196faaaf8ff6e1ed99)
+(cherry picked from commit a5f7a57bf390f1f340ff1d1f1884a73716817ef1)
+---
+ ArmVirtPkg/ArmVirtQemu.dsc                    |  7 +++-
+ .../TerminalPcdProducerLib.c                  | 34 +++++++++++++++++++
+ .../TerminalPcdProducerLib.inf                | 33 ++++++++++++++++++
+ 3 files changed, 73 insertions(+), 1 deletion(-)
+ create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
+ create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 64aa4e96e5..c37c4ba61e 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -311,6 +311,8 @@
+   gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0x0
+ !endif
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
++
+ [PcdsDynamicHii]
+   gUefiOvmfPkgTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gOvmfVariableGuid|0x0|FALSE|NV,BS
+ 
+@@ -416,7 +418,10 @@
+   MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
+   MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf
+   MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
+-  MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
++  MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf {
++    <LibraryClasses>
++      NULL|ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
++  }
+   MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
+ 
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
+new file mode 100644
+index 0000000000..37f71c5e4c
+--- /dev/null
++++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
+@@ -0,0 +1,34 @@
++/** @file
++*  Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg
++*
++*  Copyright (C) 2015-2020, Red Hat, Inc.
++*  Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR>
++*
++*  SPDX-License-Identifier: BSD-2-Clause-Patent
++**/
++
++#include <Library/DebugLib.h>
++#include <Library/PcdLib.h>
++#include <Library/QemuFwCfgSimpleParserLib.h>
++
++#define UPDATE_BOOLEAN_PCD_FROM_FW_CFG(TokenName)                             \
++          do {                                                                \
++            BOOLEAN       Setting;                                            \
++            RETURN_STATUS PcdStatus;                                          \
++                                                                              \
++            if (!RETURN_ERROR (QemuFwCfgParseBool (                           \
++                    "opt/org.tianocore.edk2.aavmf/" #TokenName, &Setting))) { \
++              PcdStatus = PcdSetBoolS (TokenName, Setting);                   \
++              ASSERT_RETURN_ERROR (PcdStatus);                                \
++            }                                                                 \
++          } while (0)
++
++RETURN_STATUS
++EFIAPI
++TerminalPcdProducerLibConstructor (
++  VOID
++  )
++{
++  UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm);
++  return RETURN_SUCCESS;
++}
+diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
+new file mode 100644
+index 0000000000..c840f6f97a
+--- /dev/null
++++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
+@@ -0,0 +1,33 @@
++## @file
++#  Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg
++#
++#  Copyright (C) 2015-2020, Red Hat, Inc.
++#  Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR>
++#
++#  SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++[Defines]
++  INF_VERSION                    = 0x00010005
++  BASE_NAME                      = TerminalPcdProducerLib
++  FILE_GUID                      = 4a0c5ed7-8c42-4c01-8f4c-7bf258316a96
++  MODULE_TYPE                    = BASE
++  VERSION_STRING                 = 1.0
++  LIBRARY_CLASS                  = NULL
++  CONSTRUCTOR                    = TerminalPcdProducerLibConstructor
++
++[Sources]
++  TerminalPcdProducerLib.c
++
++[Packages]
++  MdeModulePkg/MdeModulePkg.dec
++  MdePkg/MdePkg.dec
++  OvmfPkg/OvmfPkg.dec
++
++[LibraryClasses]
++  DebugLib
++  PcdLib
++  QemuFwCfgSimpleParserLib
++
++[Pcd]
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm ## SOMETIMES_PRODUCES

SOURCES/0007-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch

@@ -0,0 +1,118 @@
+From 3dbb4913b3e1c0413dd3016681aca3a3d12edd0d Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 21 Nov 2017 00:57:45 +0100
+Subject: [PATCH] OvmfPkg: enable DEBUG_VERBOSE (RHEL only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been
+  introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit
+  to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077.
+
+- Remove obsolete commit message tags related to downstream patch
+  management: Message-id, Patchwork-id, O-Subject, Acked-by, From
+  (RHBZ#1846481).
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- context difference from upstream commit 46bb81200742 ("OvmfPkg: Make
+  SOURCE_DEBUG_ENABLE actually need to be set to TRUE", 2019-10-22)
+  resolved automatically
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no change
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Bugzilla: 1488247
+
+Set the DEBUG_VERBOSE bit (0x00400000) in the log mask. We want detailed
+debug messages, and code in OvmfPkg logs many messages on the
+DEBUG_VERBOSE level.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(this patch was previously applied as commit 78d3ed73172b5738e32d2b0bc03f7984b9584117)
+(cherry picked from commit 7aeeaabc9871f657e65d2b99d81011b4964a1ce9)
+(cherry picked from commit a0617a6be1a80966099ddceb010f89202a79ee76)
+(cherry picked from commit 759bd3f591e2db699bdef4c7ea4e97c908e7f027)
+(cherry picked from commit 7e6d5dc4078c64be6d55d8fc3317c59a91507a50)
+(cherry picked from commit 3cb92f9ba18ac79911bd5258ff4f949cc617ae89)
+(cherry picked from commit 5ecc18badaabe774d9d0806b027ab63a30c6a2d7)
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +-
+ OvmfPkg/OvmfPkgIa32.dsc      | 2 +-
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 2 +-
+ OvmfPkg/OvmfPkgX64.dsc       | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 627fded641..cef43b34b7 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -429,7 +429,7 @@
+   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
+   #                             // significantly impact boot performance
+   # DEBUG_ERROR     0x80000000  // Error
+-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ 
+ !if $(SOURCE_DEBUG_ENABLE) == TRUE
+   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index dddef5ed0e..270bd612e5 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -535,7 +535,7 @@
+   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
+   #                             // significantly impact boot performance
+   # DEBUG_ERROR     0x80000000  // Error
+-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ 
+ !if $(SOURCE_DEBUG_ENABLE) == TRUE
+   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 933abb258f..269a4b2b21 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -542,7 +542,7 @@
+   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
+   #                             // significantly impact boot performance
+   # DEBUG_ERROR     0x80000000  // Error
+-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ 
+ !if $(SOURCE_DEBUG_ENABLE) == TRUE
+   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 04157ab14b..9614cc1c56 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -561,7 +561,7 @@
+   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
+   #                             // significantly impact boot performance
+   # DEBUG_ERROR     0x80000000  // Error
+-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ 
+ !if $(SOURCE_DEBUG_ENABLE) == TRUE
+   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17

SOURCES/0008-OvmfPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuVide.patch

@@ -0,0 +1,171 @@
+From ac8f2a85bad100eaf42d3537b6fcb37fa3db5fd9 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 21 Nov 2017 00:57:46 +0100
+Subject: [PATCH] OvmfPkg: silence DEBUG_VERBOSE (0x00400000) in
+ QemuVideoDxe/QemuRamfbDxe (RH)
+
+edk2-stable202402 rebase:
+
+- context changes due to CSM support removal.
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been
+  introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit
+  to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077.
+
+- Remove obsolete commit message tags related to downstream patch
+  management: Message-id, Patchwork-id, O-Subject, Acked-by, From
+  (RHBZ#1846481).
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no change
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- Due to upstream commit 4b04d9d73604 ("OvmfPkg: Don't build in
+  QemuVideoDxe when we have CSM", 2019-06-26), the contexts of
+  "QemuVideoDxe.inf" / "QemuRamfbDxe.inf" have changed in the DSC files.
+  Resolve the conflict manually.
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- Upstream commit 1d25ff51af5c ("OvmfPkg: add QemuRamfbDxe", 2018-06-14)
+  introduced another GOP driver that consumes FrameBufferBltLib, and
+  thereby produces a large number of (mostly useless) debug messages at
+  the DEBUG_VERBOSE level. Extend the patch to suppress those messages in
+  both QemuVideoDxe and QemuRamfbDxe; update the subject accordingly.
+  QemuRamfbDxe itself doesn't log anything at the VERBOSE level (see also
+  the original commit message at the bottom of this downstream patch).
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Bugzilla: 1488247
+
+In commit 5b2291f9567a ("OvmfPkg: QemuVideoDxe uses
+MdeModulePkg/FrameBufferLib"), QemuVideoDxe was rebased to
+FrameBufferBltLib.
+
+The FrameBufferBltLib instance added in commit b1ca386074bd
+("MdeModulePkg: Add FrameBufferBltLib library instance") logs many
+messages on the VERBOSE level; for example, a normal boot with OVMF can
+produce 500+ "VideoFill" messages, dependent on the progress bar, when the
+VERBOSE bit is set in PcdDebugPrintErrorLevel.
+
+QemuVideoDxe itself doesn't log anything at the VERBOSE level, so we lose
+none of its messages this way.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(this patch was previously applied as commit 9b0d031dee7e823f6717bab73e422fbc6f0a6c52)
+(cherry picked from commit 9122d5f2e8d8d289064d1e1700cb61964d9931f3)
+(cherry picked from commit 7eb3be1d4ccafc26c11fe5afb95cc12b250ce6f0)
+(cherry picked from commit bd650684712fb840dbcda5d6eaee065bd9e91fa1)
+(cherry picked from commit b06b87f8ffd4fed4ef7eacb13689a9b6d111f850)
+(cherry picked from commit c8c3f893e7c3710afe45c46839e97954871536e4)
+(cherry picked from commit 1355849ad97c1e4a5c430597a377165a5cc118f7)
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 10 ++++++++--
+ OvmfPkg/OvmfPkgIa32.dsc      | 10 ++++++++--
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 10 ++++++++--
+ OvmfPkg/OvmfPkgX64.dsc       | 10 ++++++++--
+ 4 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index cef43b34b7..f53380aca2 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -691,8 +691,14 @@
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+ 
+-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 270bd612e5..d942c7354a 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -828,8 +828,14 @@
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+ 
+-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 269a4b2b21..d915b847cb 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -842,8 +842,14 @@
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+ 
+-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 9614cc1c56..12ee5510bd 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -910,8 +910,14 @@
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+ 
+-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
+ 

SOURCES/0009-ArmVirtPkg-silence-DEBUG_VERBOSE-0x00400000-in-QemuR.patch

@@ -0,0 +1,94 @@
+From 511531fe074c28dd8139f722b25979df1995e492 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 27 Jan 2016 03:05:18 +0100
+Subject: [PATCH] ArmVirtPkg: silence DEBUG_VERBOSE (0x00400000) in
+ QemuRamfbDxe (RH only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no change
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- The previous version of this patch (downstream commit 76b4ac28e975)
+  caused a regression (RHBZ#1714446), which was fixed up in downstream
+  commit 5a216abaa737 ("ArmVirtPkg: silence DEBUG_VERBOSE masking
+  ~0x00400000 in QemuRamfbDxe (RH only)", 2019-08-05).
+
+  Squash the fixup into the original patch. Fuse the commit messages.
+  (Acked-by tags are not preserved, lest we confuse ourselves while
+  reviewing this rebase.)
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- new patch, due to upstream commit c64688f36a8b ("ArmVirtPkg: add
+  QemuRamfbDxe", 2018-06-14)
+
+QemuRamfbDxe uses FrameBufferLib. The FrameBufferBltLib instance added in
+commit b1ca386074bd ("MdeModulePkg: Add FrameBufferBltLib library
+instance") logs many messages on the VERBOSE level; for example, a normal
+boot with ArmVirtQemu[Kernel] can produce 500+ "VideoFill" messages,
+dependent on the progress bar, when the VERBOSE bit is set in
+PcdDebugPrintErrorLevel.
+
+Clear the VERBOSE bit without touching other bits -- those other bits
+differ between the "silent" and "verbose" builds, so we can't set them as
+constants.
+
+QemuRamfbDxe itself doesn't log anything at the VERBOSE level, so we lose
+none of its messages, with the VERBOSE bit clear.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 76b4ac28e975bd63c25db903a1d42c47b38cc756)
+Reported-by: Andrew Jones <drjones@redhat.com>
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+(cherry picked from commit 5a216abaa737195327235e37563b18a6bf2a74dc)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit e5b8152bced2364a1ded0926dbba4d65e23e3f84)
+(cherry picked from commit e7f57f154439c1c18ea5030b01f8d7bc492698b2)
+---
+ ArmVirtPkg/ArmVirtQemu.dsc       | 5 ++++-
+ ArmVirtPkg/ArmVirtQemuKernel.dsc | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index c37c4ba61e..00e656d0c9 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -546,7 +546,10 @@
+   #
+   # Video support
+   #
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   OvmfPkg/PlatformDxe/Platform.inf
+ 
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index 2cf96accbd..c7918c8cf3 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -450,7 +450,10 @@
+   #
+   # Video support
+   #
+-  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|($(DEBUG_PRINT_ERROR_LEVEL)) & 0xFFBFFFFF
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   OvmfPkg/PlatformDxe/Platform.inf
+ 

SOURCES/0010-OvmfPkg-QemuRamfbDxe-Do-not-report-DXE-failure-on-Aa.patch

@@ -0,0 +1,92 @@
+From 3bf394bd43a4cf00c2b52b965b47b8194a406166 Mon Sep 17 00:00:00 2001
+From: Philippe Mathieu-Daude <philmd@redhat.com>
+Date: Thu, 1 Aug 2019 20:43:48 +0200
+Subject: [PATCH] OvmfPkg: QemuRamfbDxe: Do not report DXE failure on Aarch64
+ silent builds (RH only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- no change
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no change
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- We have to carry this downstream-only patch -- committed originally as
+  aaaedc1e2cfd -- indefinitely.
+
+- To avoid confusion, remove the tags from the commit message that had
+  been added by the downstream maintainer scripts, such as: Message-id,
+  Patchwork-id, O-Subject, Acked-by. These remain available on the
+  original downstream commit. The Bugzilla line is preserved, as it
+  doesn't relate to a specific posting, but to the problem.
+
+Bugzilla: 1714446
+
+To suppress an error message on the silent build when ramfb is
+not configured, change QemuRamfbDxe to return EFI_SUCCESS even
+when it fails.
+Some memory is wasted (driver stays resident without
+any good use), but it is mostly harmless, as the memory
+is released by the OS after ExitBootServices().
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daude <philmd@redhat.com>
+(cherry picked from commit aaaedc1e2cfd55ef003fb1b5a37c73a196b26dc7)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit aa2b66b18a62d652bdbefae7b5732297294306ca)
+(cherry picked from commit deb3451034326b75fd760aba47a5171493ff055e)
+---
+ OvmfPkg/QemuRamfbDxe/QemuRamfb.c      | 14 ++++++++++++++
+ OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf |  1 +
+ 2 files changed, 15 insertions(+)
+
+diff --git a/OvmfPkg/QemuRamfbDxe/QemuRamfb.c b/OvmfPkg/QemuRamfbDxe/QemuRamfb.c
+index 5a1044f0dc..83c6d26c74 100644
+--- a/OvmfPkg/QemuRamfbDxe/QemuRamfb.c
++++ b/OvmfPkg/QemuRamfbDxe/QemuRamfb.c
+@@ -13,6 +13,7 @@
+ #include <Library/BaseLib.h>
+ #include <Library/BaseMemoryLib.h>
+ #include <Library/DebugLib.h>
++#include <Library/DebugPrintErrorLevelLib.h>
+ #include <Library/DevicePathLib.h>
+ #include <Library/FrameBufferBltLib.h>
+ #include <Library/MemoryAllocationLib.h>
+@@ -259,6 +260,19 @@ InitializeQemuRamfb (
+ 
+   Status = QemuFwCfgFindFile ("etc/ramfb", &mRamfbFwCfgItem, &FwCfgSize);
+   if (EFI_ERROR (Status)) {
++#if defined (MDE_CPU_AARCH64)
++    //
++    // RHBZ#1714446
++    // If no ramfb device was configured, this platform DXE driver should
++    // returns EFI_NOT_FOUND, so the DXE Core can unload it. However, even
++    // using a silent build, an error message is issued to the guest console.
++    // Since this confuse users, return success and stay resident. The wasted
++    // guest RAM still gets freed later after ExitBootServices().
++    //
++    if (GetDebugPrintErrorLevel () == DEBUG_ERROR) {
++      return EFI_SUCCESS;
++    }
++#endif
+     return EFI_NOT_FOUND;
+   }
+ 
+diff --git a/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf b/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+index e3890b8c20..f79a4bc987 100644
+--- a/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
++++ b/OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+@@ -29,6 +29,7 @@
+   BaseLib
+   BaseMemoryLib
+   DebugLib
++  DebugPrintErrorLevelLib
+   DevicePathLib
+   FrameBufferBltLib
+   MemoryAllocationLib

SOURCES/0011-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch

@@ -0,0 +1,128 @@
+From b9ac7e96d76caa161d1689c0436551e95728ac0e Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 21 Nov 2017 00:57:47 +0100
+Subject: [PATCH] OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe
+ (RH only)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Extend the DSC change to the new OvmfPkg/AmdSev platform, which has been
+  introduced upstream in commit 30d277ed7a82 ("OvmfPkg/Amdsev: Base commit
+  to build encrypted boot specific OVMF", 2020-12-14), for TianoCore#3077.
+
+- Remove obsolete commit message tags related to downstream patch
+  management: Message-id, Patchwork-id, O-Subject, Acked-by, From
+  (RHBZ#1846481).
+
+Notes about the RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] ->
+RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] rebase:
+
+- no change
+
+Notes about the RHEL-8.1/20190308-89910a39dcfd [edk2-stable201903] ->
+RHEL-8.2/20190904-37eef91017ad [edk2-stable201908] rebase:
+
+- no change
+
+Notes about the RHEL-8.0/20180508-ee3198e672e2 ->
+RHEL-8.1/20190308-89910a39dcfd rebase:
+
+- no change
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Bugzilla: 1488247
+
+NvmExpressDxe logs all BlockIo read & write calls on the EFI_D_VERBOSE
+level.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(this patch was previously applied as commit 5f432837b9c60c2929b13dda1a1b488d5c3a6d2f)
+(cherry picked from commit 33e00146eb878588ad1395d7b1ae38f401729da4)
+(cherry picked from commit bd10cabcfcb1bc9a32b05062f4ee3792e27bc2d8)
+(cherry picked from commit 5a27af700f49e00608f232f618dedd7bf5e9b3e6)
+(cherry picked from commit 58bba429b9ec7b78109940ef945d0dc93f3cd958)
+(cherry picked from commit b8d0ebded8c2cf5b266c807519e2d8ccfd66fee6)
+(cherry picked from commit ed89844b47f46cfe911f1bf2bda40e537a908502)
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 5 ++++-
+ OvmfPkg/OvmfPkgIa32.dsc      | 5 ++++-
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 5 ++++-
+ OvmfPkg/OvmfPkgX64.dsc       | 5 ++++-
+ 4 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index f53380aca2..32f47704bc 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -686,7 +686,10 @@
+   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index d942c7354a..49540d54d0 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -823,7 +823,10 @@
+   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index d915b847cb..1c4e0514ed 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -837,7 +837,10 @@
+   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 12ee5510bd..e50e63b3f6 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -905,7 +905,10 @@
+   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf

SOURCES/0012-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch

@@ -0,0 +1,80 @@
+From 8c67b1b96e42c39a3562c8790ae5985a240edfce Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 24 Jun 2020 11:31:36 +0200
+Subject: [PATCH] OvmfPkg/QemuKernelLoaderFsDxe: suppress error on no "-kernel"
+ in silent aa64 build (RH)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Remove obsolete commit message tags related to downstream patch
+  management: Message-id, Patchwork-id, O-Subject, Acked-by, From,
+  RH-Acked-by, RH-Author (RHBZ#1846481).
+
+Bugzilla: 1844682
+
+If the "-kernel" QEMU option is not used, then QemuKernelLoaderFsDxe
+should return EFI_NOT_FOUND, so that the DXE Core can unload it. However,
+the associated error message, logged by the DXE Core to the serial
+console, is not desired in the silent edk2-aarch64 build, given that the
+absence of "-kernel" is nothing out of the ordinary. Therefore, return
+success and stay resident. The wasted guest RAM still gets freed after
+ExitBootServices().
+
+(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.)
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+(cherry picked from commit 9adcdf493ebbd11efb74e2905ab5f6c8996e096d)
+---
+ .../QemuKernelLoaderFsDxe.c                     | 17 +++++++++++++++++
+ .../QemuKernelLoaderFsDxe.inf                   |  1 +
+ 2 files changed, 18 insertions(+)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 3c12085f6c..e192809198 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -19,6 +19,7 @@
+ #include <Library/BaseMemoryLib.h>
+ #include <Library/BlobVerifierLib.h>
+ #include <Library/DebugLib.h>
++#include <Library/DebugPrintErrorLevelLib.h>
+ #include <Library/DevicePathLib.h>
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/QemuFwCfgLib.h>
+@@ -1081,6 +1082,22 @@ QemuKernelLoaderFsDxeEntrypoint (
+ 
+   if (KernelBlob->Data == NULL) {
+     Status = EFI_NOT_FOUND;
++#if defined (MDE_CPU_AARCH64)
++    //
++    // RHBZ#1844682
++    //
++    // If the "-kernel" QEMU option is not being used, this platform DXE driver
++    // should return EFI_NOT_FOUND, so that the DXE Core can unload it.
++    // However, the associated error message, logged by the DXE Core to the
++    // serial console, is not desired in the silent edk2-aarch64 build, given
++    // that the absence of "-kernel" is nothing out of the ordinary. Therefore,
++    // return success and stay resident. The wasted guest RAM still gets freed
++    // after ExitBootServices().
++    //
++    if (GetDebugPrintErrorLevel () == DEBUG_ERROR) {
++      Status = EFI_SUCCESS;
++    }
++#endif
+     goto FreeBlobs;
+   }
+ 
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+index 7b35adb8e0..23d9f5fca1 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+@@ -28,6 +28,7 @@
+   BaseLib
+   BaseMemoryLib
+   DebugLib
++  DebugPrintErrorLevelLib
+   DevicePathLib
+   MemoryAllocationLib
+   QemuFwCfgLib

SOURCES/0013-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch

@@ -0,0 +1,79 @@
+From de3d6fb999bd464f08c11b879cb4587295f3c0b1 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 24 Jun 2020 11:40:09 +0200
+Subject: [PATCH] SecurityPkg/Tcg2Dxe: suppress error on no swtpm in silent
+ aa64 build (RH)
+
+Notes about the RHEL-8.3/20200603-ca407c7246bf [edk2-stable202005] ->
+RHEL-8.5/20210520-e1999b264f1f [edk2-stable202105] rebase:
+
+- Remove obsolete commit message tags related to downstream patch
+  management: Message-id, Patchwork-id, O-Subject, Acked-by, From,
+  RH-Acked-by, RH-Author (RHBZ#1846481).
+
+Bugzilla: 1844682
+
+If swtpm / vTPM2 is not being used, Tcg2Dxe should return EFI_UNSUPPORTED,
+so that the DXE Core can unload it. However, the associated error message,
+logged by the DXE Core to the serial console, is not desired in the silent
+edk2-aarch64 build, given that the absence of swtpm / vTPM2 is nothing out
+of the ordinary. Therefore, return success and stay resident. The wasted
+guest RAM still gets freed after ExitBootServices().
+
+(Inspired by RHEL-8.1.0 commit aaaedc1e2cfd.)
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+(cherry picked from commit cbce29f7749477e271f9764fed82de94724af5df)
+---
+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c   | 17 +++++++++++++++++
+ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf |  1 +
+ 2 files changed, 18 insertions(+)
+
+diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
+index b55b6c12d2..0be885c391 100644
+--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
++++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
+@@ -29,6 +29,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #include <Protocol/ResetNotification.h>
+ 
+ #include <Library/DebugLib.h>
++#include <Library/DebugPrintErrorLevelLib.h>
+ #include <Library/BaseMemoryLib.h>
+ #include <Library/UefiRuntimeServicesTableLib.h>
+ #include <Library/UefiDriverEntryPoint.h>
+@@ -2743,6 +2744,22 @@ DriverEntry (
+       CompareGuid (PcdGetPtr (PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid))
+   {
+     DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"));
++#if defined (MDE_CPU_AARCH64)
++    //
++    // RHBZ#1844682
++    //
++    // If swtpm / vTPM2 is not being used, this driver should return
++    // EFI_UNSUPPORTED, so that the DXE Core can unload it. However, the
++    // associated error message, logged by the DXE Core to the serial console,
++    // is not desired in the silent edk2-aarch64 build, given that the absence
++    // of swtpm / vTPM2 is nothing out of the ordinary. Therefore, return
++    // success and stay resident. The wasted guest RAM still gets freed after
++    // ExitBootServices().
++    //
++    if (GetDebugPrintErrorLevel () == DEBUG_ERROR) {
++      return EFI_SUCCESS;
++    }
++#endif
+     return EFI_UNSUPPORTED;
+   }
+ 
+diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+index a645474bf3..dbb7a52f33 100644
+--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
++++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+@@ -55,6 +55,7 @@
+   UefiRuntimeServicesTableLib
+   BaseMemoryLib
+   DebugLib
++  DebugPrintErrorLevelLib
+   Tpm2CommandLib
+   PrintLib
+   UefiLib

SOURCES/0014-OvmfPkg-Remove-EbcDxe-RHEL-only.patch

@@ -0,0 +1,126 @@
+From 3208551a4a7934a905ba33dde70bfea37c9a95af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:28:49 +0200
+Subject: [PATCH] OvmfPkg: Remove EbcDxe (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [2/19] 6777c3dc453e4aecddc20216f783ba2a5acccaa0
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove EFI Byte Code interpreter.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 1 -
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32.dsc      | 1 -
+ OvmfPkg/OvmfPkgIa32.fdf      | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 1 -
+ OvmfPkg/OvmfPkgIa32X64.fdf   | 1 -
+ OvmfPkg/OvmfPkgX64.dsc       | 1 -
+ OvmfPkg/OvmfPkgX64.fdf       | 1 -
+ 8 files changed, 8 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 32f47704bc..6b6e108d11 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -611,7 +611,6 @@
+ !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
+   }
+ 
+-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+   UefiCpuPkg/CpuDxe/CpuDxe.inf
+   OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index 595945181c..c176043482 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -212,7 +212,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+ 
+ INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
+ INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+ INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+ INF  UefiCpuPkg/CpuDxe/CpuDxe.inf
+ INF  OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 49540d54d0..d368aa11fe 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -746,7 +746,6 @@
+ !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
+   }
+ 
+-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+   UefiCpuPkg/CpuDxe/CpuDxe.inf
+   OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 0d4abb50a8..ef933def99 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -216,7 +216,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+ 
+ INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
+ INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+ INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+ INF  UefiCpuPkg/CpuDxe/CpuDxe.inf
+ INF  OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 1c4e0514ed..cf09bdf785 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -760,7 +760,6 @@
+ !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
+   }
+ 
+-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+   UefiCpuPkg/CpuDxe/CpuDxe.inf
+   OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 23a825a012..0cd98ada5a 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -217,7 +217,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+ 
+ INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
+ INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+ INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+ INF  UefiCpuPkg/CpuDxe/CpuDxe.inf
+ INF  OvmfPkg/LocalApicTimerDxe/LocalApicTimerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index e50e63b3f6..098d569381 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -805,7 +805,6 @@
+ !include OvmfPkg/Include/Dsc/OvmfTpmSecurityStub.dsc.inc
+   }
+ 
+-  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+   UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+ 
+   UefiCpuPkg/CpuDxe/CpuDxe.inf {
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 4dcd6a033c..b201505214 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -245,7 +245,6 @@ INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
+ 
+ INF  MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
+ INF  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+-INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+ INF  UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf
+ 
+ INF  UefiCpuPkg/CpuDxe/CpuDxe.inf

SOURCES/0015-OvmfPkg-Remove-VirtioGpu-device-driver-RHEL-only.patch

@@ -0,0 +1,126 @@
+From 42becc4c97abe443d06bb128a4b7d5e279842715 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:28:59 +0200
+Subject: [PATCH] OvmfPkg: Remove VirtioGpu device driver (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [4/19] f0a41317291f2e9e3b5bd3125149c3866f23ab08
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+QemuVideoDxe binds virtio-vga, so VirtioGpu is not needed.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 1 -
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32.dsc      | 1 -
+ OvmfPkg/OvmfPkgIa32.fdf      | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 1 -
+ OvmfPkg/OvmfPkgIa32X64.fdf   | 1 -
+ OvmfPkg/OvmfPkgX64.dsc       | 1 -
+ OvmfPkg/OvmfPkgX64.fdf       | 1 -
+ 8 files changed, 8 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 6b6e108d11..5461c1290d 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -701,7 +701,6 @@
+     <PcdsFixedAtBuild>
+       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+   }
+-  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
+   # ISA Support
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index c176043482..10538a0465 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -300,7 +300,6 @@ INF  MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ 
+ INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+-INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+ INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index d368aa11fe..40e78014c4 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -838,7 +838,6 @@
+     <PcdsFixedAtBuild>
+       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+   }
+-  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
+ 
+   #
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index ef933def99..68d59968ec 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -317,7 +317,6 @@ INF  MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ 
+ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+-INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+ INF  OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index cf09bdf785..6ade9aa0ef 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -852,7 +852,6 @@
+     <PcdsFixedAtBuild>
+       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+   }
+-  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
+ 
+   #
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 0cd98ada5a..8891d96422 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -323,7 +323,6 @@ INF  MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ 
+ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+-INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+ INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 098d569381..8563835ae5 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -920,7 +920,6 @@
+     <PcdsFixedAtBuild>
+       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
+   }
+-  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+   OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
+ 
+   #
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index b201505214..06ac4423da 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -356,7 +356,6 @@ INF  MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ 
+ INF  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
+ INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
+-INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+ INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf

SOURCES/0016-OvmfPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL-on.patch

@@ -0,0 +1,100 @@
+From 67e5739ca9ba906914aade6b5ad84c420ad9af29 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:13 +0200
+Subject: [PATCH] OvmfPkg: Remove VirtioFsDxe filesystem driver (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [9/19] b40d8a6b9c38568a74fb922b12bbae9f0e721f95
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the virtio-fs driver.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/OvmfPkgIa32.dsc    | 1 -
+ OvmfPkg/OvmfPkgIa32.fdf    | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc | 1 -
+ OvmfPkg/OvmfPkgIa32X64.fdf | 1 -
+ OvmfPkg/OvmfPkgX64.dsc     | 1 -
+ OvmfPkg/OvmfPkgX64.fdf     | 1 -
+ 6 files changed, 6 deletions(-)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 40e78014c4..afd2a3c5c0 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -816,7 +816,6 @@
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 68d59968ec..c392b96470 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -290,7 +290,6 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
+ INF MdeModulePkg/Logo/LogoDxe.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 6ade9aa0ef..f5a4c57c8e 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -830,7 +830,6 @@
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 8891d96422..6278daeeee 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -291,7 +291,6 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
+ INF MdeModulePkg/Logo/LogoDxe.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 8563835ae5..08b73a64c9 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -898,7 +898,6 @@
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 06ac4423da..fc4b6dd3a4 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -322,7 +322,6 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
+ INF MdeModulePkg/Logo/LogoDxe.inf
+ 

SOURCES/0017-ArmVirtPkg-Remove-VirtioFsDxe-filesystem-driver-RHEL.patch

@@ -0,0 +1,61 @@
+From 9827ce562f432da36410ef0e9ce6d7971e502b99 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:16 +0200
+Subject: [PATCH] ArmVirtPkg: Remove VirtioFsDxe filesystem driver (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [10/19] 808ad4385c24fbf34fb0ba359808e6d364e1d030
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the virtio-fs driver.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirtQemu.dsc           | 1 -
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 -
+ ArmVirtPkg/ArmVirtQemuKernel.dsc     | 1 -
+ 3 files changed, 3 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 00e656d0c9..d1deccaadc 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -464,7 +464,6 @@
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
+   #
+   # Bds
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 38906004d7..7205274bed 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -85,7 +85,6 @@ READ_LOCK_STATUS   = TRUE
+   INF FatPkg/EnhancedFatDxe/Fat.inf
+   INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-  INF OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
+   #
+   # Status Code Routing
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index c7918c8cf3..9643fd5427 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -368,7 +368,6 @@
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+   MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+-  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
+ 
+   #
+   # Bds

SOURCES/0018-OvmfPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch

@@ -0,0 +1,126 @@
+From 98e35df340a8a5cd18cb386361c7da6350c54800 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:19 +0200
+Subject: [PATCH] OvmfPkg: Remove UdfDxe filesystem driver (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [11/19] 21614de37221fca27d4eec0f03c5c8bce5911af3
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the UDF driver.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc | 1 -
+ OvmfPkg/AmdSev/AmdSevX64.fdf | 1 -
+ OvmfPkg/OvmfPkgIa32.dsc      | 1 -
+ OvmfPkg/OvmfPkgIa32.fdf      | 1 -
+ OvmfPkg/OvmfPkgIa32X64.dsc   | 1 -
+ OvmfPkg/OvmfPkgIa32X64.fdf   | 1 -
+ OvmfPkg/OvmfPkgX64.dsc       | 1 -
+ OvmfPkg/OvmfPkgX64.fdf       | 1 -
+ 8 files changed, 8 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index 5461c1290d..cf1ad83e09 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -679,7 +679,6 @@
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index 10538a0465..c56c98dc85 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -280,7 +280,6 @@ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+-INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+ INF OvmfPkg/AmdSev/SecretDxe/SecretDxe.inf
+ INF  OvmfPkg/AmdSev/Grub/Grub.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index afd2a3c5c0..d8ae542686 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -815,7 +815,6 @@
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index c392b96470..0ffa3be750 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -289,7 +289,6 @@ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+-INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+ INF MdeModulePkg/Logo/LogoDxe.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index f5a4c57c8e..52ac2c96fc 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -829,7 +829,6 @@
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 6278daeeee..c4f3ec0735 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -290,7 +290,6 @@ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+-INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+ INF MdeModulePkg/Logo/LogoDxe.inf
+ 
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 08b73a64c9..f76d0ef7bc 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -897,7 +897,6 @@
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf
+   MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf
+   MdeModulePkg/Bus/Pci/SataControllerDxe/SataControllerDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index fc4b6dd3a4..bedd85ef7a 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -321,7 +321,6 @@ INF  MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
+ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
+ 
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+-INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+ INF MdeModulePkg/Logo/LogoDxe.inf
+ 

SOURCES/0019-ArmVirtPkg-Remove-UdfDxe-filesystem-driver-RHEL-only.patch

@@ -0,0 +1,61 @@
+From 9b039f2eb195f37b724f86efc31c8a4d6abd217d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:22 +0200
+Subject: [PATCH] ArmVirtPkg: Remove UdfDxe filesystem driver (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [12/19] fcadb6a747b65e4d449d48131c9a2eeed4bd3c9a
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the UDF driver.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirtQemu.dsc           | 1 -
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 -
+ ArmVirtPkg/ArmVirtQemuKernel.dsc     | 1 -
+ 3 files changed, 3 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index d1deccaadc..f91bb09fa3 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -463,7 +463,6 @@
+   MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+   #
+   # Bds
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 7205274bed..24a9dac2fd 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -84,7 +84,6 @@ READ_LOCK_STATUS   = TRUE
+   INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+   INF FatPkg/EnhancedFatDxe/Fat.inf
+   INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+-  INF MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+   #
+   # Status Code Routing
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index 9643fd5427..c2825aa4c2 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -367,7 +367,6 @@
+   MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
+   MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf
+   FatPkg/EnhancedFatDxe/Fat.inf
+-  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
+   #
+   # Bds

SOURCES/0020-OvmfPkg-Remove-TftpDynamicCommand-from-shell-RHEL-on.patch

@@ -0,0 +1,55 @@
+From d417cfeb0ed76b3187b44e2491611f55d6de33b3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:25 +0200
+Subject: [PATCH] OvmfPkg: Remove TftpDynamicCommand from shell (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+rebase to edk2-stable202405:
+
+rewrite due to shell build config being moved to an include file
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [13/19] cf9ef346386ac89fa05b29d429d8d1b27cf0e3b0
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the command to download files in the shell via TFTP.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/Include/Dsc/ShellComponents.dsc.inc | 4 ----
+ OvmfPkg/Include/Fdf/ShellDxe.fdf.inc        | 1 -
+ 2 files changed, 5 deletions(-)
+
+diff --git a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+index 4075688e41..3663938054 100644
+--- a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
++++ b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+@@ -6,10 +6,6 @@
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+ !if $(NETWORK_ENABLE) == TRUE
+-  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+   ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
+index 38f69747b0..1637083ff1 100644
+--- a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
++++ b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
+@@ -6,7 +6,6 @@
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+ !if $(NETWORK_ENABLE) == TRUE
+-INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+ INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+ !endif
+ INF  ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf

SOURCES/0021-ArmVirtPkg-Remove-TftpDynamicCommand-from-shell-RHEL.patch

@@ -0,0 +1,54 @@
+From b548dd4acf23412e9266be15d65d7f8cfccbf028 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:28 +0200
+Subject: [PATCH] ArmVirtPkg: Remove TftpDynamicCommand from shell (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [14/19] 12436014941bd4a7c99a26d779ebdcd75f169403
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the command to download files in the shell via TFTP.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirt.dsc.inc           | 7 +++----
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 -
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
+index 7044790a1e..ee98673e98 100644
+--- a/ArmVirtPkg/ArmVirt.dsc.inc
++++ b/ArmVirtPkg/ArmVirt.dsc.inc
+@@ -391,10 +391,9 @@
+   #
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+ 
+-  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
++  #
++  # UEFI application (Shell Embedded Boot Loader)
++  #
+   ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 24a9dac2fd..1341de0a2f 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -100,7 +100,6 @@ READ_LOCK_STATUS   = TRUE
+   INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
+ 
+   INF ShellPkg/Application/Shell/Shell.inf
+-  INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+   INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+   INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
+   INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf

SOURCES/0022-OvmfPkg-Remove-HttpDynamicCommand-from-shell-RHEL-on.patch

@@ -0,0 +1,63 @@
+From 8a68c775e8ba00da3d725396fd8c78f67fbc8697 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:31 +0200
+Subject: [PATCH] OvmfPkg: Remove HttpDynamicCommand from shell (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+rebase to edk2-stable202405:
+
+rewrite due to shell build config being moved to an include file
+
+Rebase to edk2-stable202311:
+
+Minor update, context change due to new variable policy shell command.
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [15/19] 1911cf04f27467ef1175b1976864c1111d93d19e
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the command to download files in the shell via HTTP(S).
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/Include/Dsc/ShellComponents.dsc.inc | 6 ------
+ OvmfPkg/Include/Fdf/ShellDxe.fdf.inc        | 3 ---
+ 2 files changed, 9 deletions(-)
+
+diff --git a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+index 3663938054..a568f1ecc5 100644
+--- a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
++++ b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+@@ -5,12 +5,6 @@
+ !if $(BUILD_SHELL) == TRUE
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-!if $(NETWORK_ENABLE) == TRUE
+-  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+-!endif
+   ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
+index 1637083ff1..c0118a46e2 100644
+--- a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
++++ b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
+@@ -5,9 +5,6 @@
+ !if $(BUILD_SHELL) == TRUE && $(SECURE_BOOT_ENABLE) == FALSE
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+-!if $(NETWORK_ENABLE) == TRUE
+-INF  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+-!endif
+ INF  ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
+ INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif

SOURCES/0023-ArmVirtPkg-Remove-HttpDynamicCommand-from-shell-RHEL.patch

@@ -0,0 +1,55 @@
+From 1f15cf34691e2f9604ee6efe142c2d710aad579c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:34 +0200
+Subject: [PATCH] ArmVirtPkg: Remove HttpDynamicCommand from shell (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Rebase to edk2-stable202311:
+
+Minor update, context change due to new variable policy shell command.
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [16/19] 07a74f1fdcdbb9a31d25ce9760edcd852e9574c3
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the command to download files in the shell via HTTP(S).
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirt.dsc.inc           | 4 ----
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 -
+ 2 files changed, 5 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
+index ee98673e98..996b4ddfc4 100644
+--- a/ArmVirtPkg/ArmVirt.dsc.inc
++++ b/ArmVirtPkg/ArmVirt.dsc.inc
+@@ -394,10 +394,6 @@
+   #
+   # UEFI application (Shell Embedded Boot Loader)
+   #
+-  ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+   ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 1341de0a2f..b49bf7ad4e 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -100,7 +100,6 @@ READ_LOCK_STATUS   = TRUE
+   INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
+ 
+   INF ShellPkg/Application/Shell/Shell.inf
+-  INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+   INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
+   INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ 

SOURCES/0024-OvmfPkg-Remove-LinuxInitrdDynamicShellCommand-RHEL-o.patch

@@ -0,0 +1,64 @@
+From cd1746c9920e93bf40994172881bc13cf185991c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:39 +0200
+Subject: [PATCH] OvmfPkg: Remove LinuxInitrdDynamicShellCommand (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+rebase to edk2-stable202405:
+
+rewrite due to shell build config being moved to an include file
+
+Rebase to edk2-stable202311:
+
+Minor update, context change due to new variable policy shell command.
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [17/19] 491fe1301ea29c7cb56c20272e45614d5fcb6f14
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the command to register a file in the shell as the
+initial ramdisk for a UEFI stubbed kernel, to be booted next.
+
+Note: as further dynamic shell commands might show up upstream,
+we intentionally preserve the empty !ifdef'ry context to ease
+future downstream rebases.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ OvmfPkg/Include/Dsc/ShellComponents.dsc.inc | 4 ----
+ OvmfPkg/Include/Fdf/ShellDxe.fdf.inc        | 1 -
+ 2 files changed, 5 deletions(-)
+
+diff --git a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+index a568f1ecc5..f7e0f5e90e 100644
+--- a/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
++++ b/OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+@@ -9,10 +9,6 @@
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+   }
+-  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+ !endif
+ 
+   ShellPkg/Application/Shell/Shell.inf {
+diff --git a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
+index c0118a46e2..dced75e388 100644
+--- a/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
++++ b/OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
+@@ -6,7 +6,6 @@
+ 
+ !if $(TOOL_CHAIN_TAG) != "XCODE5"
+ INF  ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
+-INF  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ !endif
+ 
+ INF  ShellPkg/Application/Shell/Shell.inf

SOURCES/0025-ArmVirtPkg-Remove-LinuxInitrdDynamicShellCommand-RHE.patch

@@ -0,0 +1,66 @@
+From ec9c5e512252964f28c493d10b9f484b88c87c13 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Thu, 1 Jul 2021 20:29:46 +0200
+Subject: [PATCH] ArmVirtPkg: Remove LinuxInitrdDynamicShellCommand (RHEL only)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Rebase to edk2-stable202311:
+
+Minor update, context change due to new variable policy shell command.
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-MergeRequest: 3: Disable features for RHEL9
+RH-Commit: [18/19] 8f4e4007108462533e3d2050b84d8830073a7c0d
+RH-Bugzilla: 1967747
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+Remove the command to register a file in the shell as the initial
+ramdisk for a UEFI stubbed kernel, to be booted next.
+
+Suggested-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ ArmVirtPkg/ArmVirt.dsc.inc           | 10 +++-------
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc |  1 -
+ 2 files changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
+index 996b4ddfc4..2561e10ff5 100644
+--- a/ArmVirtPkg/ArmVirt.dsc.inc
++++ b/ArmVirtPkg/ArmVirt.dsc.inc
+@@ -391,17 +391,13 @@
+   #
+   MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf
+ 
+-  #
+-  # UEFI application (Shell Embedded Boot Loader)
+-  #
++  #
++  # UEFI application (Shell Embedded Boot Loader)
++  #
+   ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
+     <PcdsFixedAtBuild>
+       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+   }
+-  OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
+-    <PcdsFixedAtBuild>
+-      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+-  }
+   ShellPkg/Application/Shell/Shell.inf {
+     <LibraryClasses>
+       ShellCommandLib|ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.inf
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index b49bf7ad4e..753afd799b 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -101,7 +101,6 @@ READ_LOCK_STATUS   = TRUE
+ 
+   INF ShellPkg/Application/Shell/Shell.inf
+   INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
+-  INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
+ 
+   #
+   # Bds

SOURCES/0026-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch

@@ -0,0 +1,49 @@
+From 3d02fb6da82331176952e480160223136679ce74 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 28 Feb 2023 15:47:00 +0100
+Subject: [PATCH] UefiCpuPkg/MpInitLib: fix apic mode for cpu hotplug
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 42: UefiCpuPkg/MpInitLib: fix apic mode for cpu hotplug
+RH-Bugzilla: 2124143
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Commit: [1/1] 5168501c31541a57aaeb3b3bd7c3602205eb7cdf (kraxel/centos-edk2)
+
+In case the number of CPUs can in increase beyond 255
+due to CPU hotplug choose x2apic mode.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+patch_name: edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch
+present_in_specfile: true
+location_in_specfile: 38
+---
+ UefiCpuPkg/Library/MpInitLib/MpLib.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c
+index d724456502..c478878bb0 100644
+--- a/UefiCpuPkg/Library/MpInitLib/MpLib.c
++++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c
+@@ -534,7 +534,9 @@ CollectProcessorCount (
+   //
+   // Enable x2APIC mode if
+   //  1. Number of CPU is greater than 255; or
+-  //  2. There are any logical processors reporting an Initial APIC ID of 255 or greater.
++  //  2. The platform exposed the exact *boot* CPU count to us in advance, and
++  //     more than 255 logical processors are possible later, with hotplug; or
++  //  3. There are any logical processors reporting an Initial APIC ID of 255 or greater.
+   //
+   X2Apic = FALSE;
+   if (CpuMpData->CpuCount > 255) {
+@@ -542,6 +544,10 @@ CollectProcessorCount (
+     // If there are more than 255 processor found, force to enable X2APIC
+     //
+     X2Apic = TRUE;
++  } else if ((PcdGet32 (PcdCpuBootLogicalProcessorNumber) > 0) &&
++             (PcdGet32 (PcdCpuMaxLogicalProcessorNumber) > 255))
++  {
++    X2Apic = TRUE;
+   } else {
+     CpuInfoInHob = (CPU_INFO_IN_HOB *)(UINTN)CpuMpData->CpuInfoInHob;
+     for (Index = 0; Index < CpuMpData->CpuCount; Index++) {

SOURCES/0027-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch

@@ -0,0 +1,121 @@
+From c916516d37fb50c187020bd01da21cca85c8e83a Mon Sep 17 00:00:00 2001
+From: Oliver Steffen <osteffen@redhat.com>
+Date: Wed, 16 Aug 2023 12:09:40 +0200
+Subject: [PATCH] OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only)
+
+RH-Author: Oliver Steffen <osteffen@redhat.com>
+RH-MergeRequest: 46: OvmfPkg/AmdSevDxe: Shim Reboot workaround (RHEL only)
+RH-Bugzilla: 2218196
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [1/1] 9bf3bb989e36253aa34bf82ecfe8faa7312e8d22 (osteffen/edk2)
+
+Add a callback at the end of the Dxe phase that sets the
+"FB_NO_REBOOT" variable under the Shim GUID.
+This is a workaround for a boot loop in case a confidential
+guest that uses shim is booted with a vtpm device present.
+
+BZ 2218196
+
+Signed-off-by: Oliver Steffen <osteffen@redhat.com>
+
+patch_name: edk2-OvmfPkg-AmdSevDxe-Shim-Reboot-workaround-RHEL-only.patch
+present_in_specfile: true
+location_in_specfile: 44
+---
+ OvmfPkg/AmdSevDxe/AmdSevDxe.c   | 42 +++++++++++++++++++++++++++++++++
+ OvmfPkg/AmdSevDxe/AmdSevDxe.inf |  2 ++
+ 2 files changed, 44 insertions(+)
+
+diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
+index d497a343d3..0eb88e50ff 100644
+--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c
++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
+@@ -19,6 +19,7 @@
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+ #include <Guid/ConfidentialComputingSevSnpBlob.h>
++#include <Guid/GlobalVariable.h>
+ #include <Library/PcdLib.h>
+ #include <Pi/PiDxeCis.h>
+ #include <Protocol/SevMemoryAcceptance.h>
+@@ -28,6 +29,10 @@
+ // Present, initialized, tested bits defined in MdeModulePkg/Core/Dxe/DxeMain.h
+ #define EFI_MEMORY_INTERNAL_MASK  0x0700000000000000ULL
+ 
++static EFI_GUID  ShimLockGuid = {
++  0x605dab50, 0xe046, 0x4300, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 }
++};
++
+ STATIC
+ EFI_STATUS
+ AllocateConfidentialComputingBlob (
+@@ -191,6 +196,32 @@ STATIC EDKII_MEMORY_ACCEPT_PROTOCOL  mMemoryAcceptProtocol = {
+   AmdSevMemoryAccept
+ };
+ 
++VOID
++EFIAPI
++PopulateVarstore (
++  EFI_EVENT  Event,
++  VOID       *Context
++  )
++{
++  EFI_SYSTEM_TABLE  *SystemTable = (EFI_SYSTEM_TABLE *)Context;
++  EFI_STATUS        Status;
++
++  DEBUG ((DEBUG_INFO, "Populating Varstore\n"));
++  UINT32  data = 1;
++
++  Status = SystemTable->RuntimeServices->SetVariable (
++                                           L"FB_NO_REBOOT",
++                                           &ShimLockGuid,
++                                           EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
++                                           sizeof (data),
++                                           &data
++                                           );
++  ASSERT_EFI_ERROR (Status);
++
++  Status = SystemTable->BootServices->CloseEvent (Event);
++  ASSERT_EFI_ERROR (Status);
++}
++
+ EFI_STATUS
+ EFIAPI
+ AmdSevDxeEntryPoint (
+@@ -203,6 +234,7 @@ AmdSevDxeEntryPoint (
+   UINTN                                     NumEntries;
+   UINTN                                     Index;
+   CONFIDENTIAL_COMPUTING_SNP_BLOB_LOCATION  *SnpBootDxeTable;
++  EFI_EVENT                                 PopulateVarstoreEvent;
+ 
+   //
+   // Do nothing when SEV is not enabled
+@@ -361,5 +393,15 @@ AmdSevDxeEntryPoint (
+                   );
+   }
+ 
++  Status = gBS->CreateEventEx (
++                  EVT_NOTIFY_SIGNAL,
++                  TPL_CALLBACK,
++                  PopulateVarstore,
++                  SystemTable,
++                  &gEfiEndOfDxeEventGroupGuid,
++                  &PopulateVarstoreEvent
++                  );
++  ASSERT_EFI_ERROR (Status);
++
+   return EFI_SUCCESS;
+ }
+diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+index e7c7d526c9..09cbd2b0ca 100644
+--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.inf
+@@ -54,6 +54,8 @@
+ [Guids]
+   gConfidentialComputingSevSnpBlobGuid
+   gEfiEventBeforeExitBootServicesGuid
++  gEfiEndOfDxeEventGroupGuid              ## CONSUMES ## Event
++
+ 
+ [Pcd]
+   gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId

SOURCES/0028-CryptoPkg-CrtLib-add-stat.h-include-file.patch

@@ -0,0 +1,28 @@
+From 7a07b2f16eabf460891a21c05b30cd9c2f875a2a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 28 Aug 2023 13:11:02 +0200
+Subject: [PATCH] CryptoPkg/CrtLib: add stat.h include file.
+
+Needed by rhel downstream openssl patches.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ CryptoPkg/Library/Include/sys/stat.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+ create mode 100644 CryptoPkg/Library/Include/sys/stat.h
+
+diff --git a/CryptoPkg/Library/Include/sys/stat.h b/CryptoPkg/Library/Include/sys/stat.h
+new file mode 100644
+index 0000000000..22247bb2db
+--- /dev/null
++++ b/CryptoPkg/Library/Include/sys/stat.h
+@@ -0,0 +1,9 @@
++/** @file
++  Include file to support building the third-party cryptographic library.
++
++Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.<BR>
++SPDX-License-Identifier: BSD-2-Clause-Patent
++
++**/
++
++#include <CrtLibSupport.h>

SOURCES/0029-CryptoPkg-CrtLib-add-access-open-read-write-close-sy.patch

@@ -0,0 +1,139 @@
+From 168cfe83b250d3166817549c1e96e6b1f02bcab4 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 28 Aug 2023 13:27:09 +0200
+Subject: [PATCH] CryptoPkg/CrtLib: add access/open/read/write/close syscalls
+
+Needed by rhel downstream openssl patches, they use unix syscalls
+for file access (instead of fopen + friends like the rest of the
+code base).  No actual file access is needed for edk2, so just
+add stubs to make linking work.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ .../Library/BaseCryptLib/SysCall/CrtWrapper.c | 46 +++++++++++++++++++
+ CryptoPkg/Library/Include/CrtLibSupport.h     | 41 +++++++++++++++++
+ 2 files changed, 87 insertions(+)
+
+diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
+index 37cdecc9bd..dfdb635536 100644
+--- a/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
++++ b/CryptoPkg/Library/BaseCryptLib/SysCall/CrtWrapper.c
+@@ -550,6 +550,52 @@ fread (
+   return 0;
+ }
+ 
++int
++access(
++  const char*,
++  int
++  )
++{
++  return -1;
++}
++
++int
++open (
++  const char *,
++  int
++  )
++{
++  return -1;
++}
++
++ssize_t
++read (
++  int,
++  void*,
++  size_t
++  )
++{
++  return -1;
++}
++
++ssize_t
++write (
++  int,
++  const void*,
++  size_t
++  )
++{
++  return -1;
++}
++
++int
++close (
++  int
++  )
++{
++  return -1;
++}
++
+ uid_t
+ getuid (
+   void
+diff --git a/CryptoPkg/Library/Include/CrtLibSupport.h b/CryptoPkg/Library/Include/CrtLibSupport.h
+index f36fe08f0c..7d98496af8 100644
+--- a/CryptoPkg/Library/Include/CrtLibSupport.h
++++ b/CryptoPkg/Library/Include/CrtLibSupport.h
+@@ -78,6 +78,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ //
+ // Definitions for global constants used by CRT library routines
+ //
++#define EINTR         4
+ #define EINVAL        22              /* Invalid argument */
+ #define EAFNOSUPPORT  47              /* Address family not supported by protocol family */
+ #define INT_MAX       0x7FFFFFFF      /* Maximum (signed) int value */
+@@ -102,6 +103,15 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ #define NS_INADDRSZ   4   /*%< IPv4 T_A */
+ #define NS_IN6ADDRSZ  16  /*%< IPv6 T_AAAA */
+ 
++#define O_RDONLY        00000000
++#define O_WRONLY        00000001
++#define O_RDWR          00000002
++
++#define R_OK  4
++#define W_OK  2
++#define X_OK  1
++#define F_OK  0
++
+ //
+ // Basic types mapping
+ //
+@@ -324,6 +334,37 @@ fprintf     (
+   ...
+   );
+ 
++int
++access(
++  const char*,
++  int
++  );
++
++int
++open (
++  const char *,
++  int
++  );
++
++ssize_t
++read (
++  int,
++  void*,
++  size_t
++  );
++
++ssize_t
++write (
++  int,
++  const void*,
++  size_t
++  );
++
++int
++close (
++  int
++  );
++
+ time_t
+ time        (
+   time_t *

SOURCES/0030-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch

@@ -0,0 +1,194 @@
+From 4c49c1bcb2db128cc4d2ebb29b1ac53fe3ef6b18 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 30 Jan 2024 14:04:38 +0100
+Subject: [PATCH] OvmfPkg/Sec: Setup MTRR early in the boot process.
+
+RH-Author: Gerd Hoffmann <None>
+RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process.
+RH-Jira: RHEL-21704
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Commit: [1/4] c4061788d34f409944898b48642d610c259161f3 (kraxel.rh/centos-src-edk2)
+
+Specifically before running lzma uncompress of the main firmware volume.
+This is needed to make sure caching is enabled, otherwise the uncompress
+can be extremely slow.
+
+Adapt the ASSERTs and MTRR setup in PlatformInitLib to the changes.
+
+Background:  Depending on virtual machine configuration kvm may uses EPT
+memory types to apply guest MTRR settings.  In case MTRRs are disabled
+kvm will use the uncachable memory type for all mappings.  The
+vmx_get_mt_mask() function in the linux kernel handles this and can be
+found here:
+
+https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/x86/kvm/vmx/vmx.c?h=v6.7.1#n7580
+
+In most VM configurations kvm uses MTRR_TYPE_WRBACK unconditionally.  In
+case the VM has a mdev device assigned that is not the case though.
+
+Before commit e8aa4c6546ad ("UefiCpuPkg/ResetVector: Cache Disable
+should not be set by default in CR0") kvm also ended up using
+MTRR_TYPE_WRBACK due to KVM_X86_QUIRK_CD_NW_CLEARED.  After that commit
+kvm evaluates guest mtrr settings, which why setting up MTRRs early is
+important now.
+
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-ID: <20240130130441.772484-2-kraxel@redhat.com>
+
+[ kraxel: Downstream-only for now.  Timely upstream merge is unlikely
+          due to chinese holidays and rhel-9.4 deadlines are close.
+          QE regression testing passed.  So go with upstream posted
+          series v3 ]
+
+patch_name: edk2-OvmfPkg-Sec-Setup-MTRR-early-in-the-boot-process.patch
+present_in_specfile: true
+location_in_specfile: 49
+---
+ OvmfPkg/IntelTdx/Sec/SecMain.c              | 32 +++++++++++++++++++++
+ OvmfPkg/Library/PlatformInitLib/MemDetect.c | 10 +++----
+ OvmfPkg/Sec/SecMain.c                       | 32 +++++++++++++++++++++
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+
+diff --git a/OvmfPkg/IntelTdx/Sec/SecMain.c b/OvmfPkg/IntelTdx/Sec/SecMain.c
+index 4e750755bf..7094d86159 100644
+--- a/OvmfPkg/IntelTdx/Sec/SecMain.c
++++ b/OvmfPkg/IntelTdx/Sec/SecMain.c
+@@ -26,6 +26,8 @@
+ #include <Library/TdxHelperLib.h>
+ #include <Library/CcProbeLib.h>
+ #include <Library/PeilessStartupLib.h>
++#include <Register/Intel/ArchitecturalMsr.h>
++#include <Register/Intel/Cpuid.h>
+ 
+ #define SEC_IDT_ENTRY_COUNT  34
+ 
+@@ -47,6 +49,31 @@ IA32_IDT_GATE_DESCRIPTOR  mIdtEntryTemplate = {
+   }
+ };
+ 
++//
++// Enable MTRR early, set default type to write back.
++// Needed to make sure caching is enabled,
++// without this lzma decompress can be very slow.
++//
++STATIC
++VOID
++SecMtrrSetup (
++  VOID
++  )
++{
++  CPUID_VERSION_INFO_EDX           Edx;
++  MSR_IA32_MTRR_DEF_TYPE_REGISTER  DefType;
++
++  AsmCpuid (CPUID_VERSION_INFO, NULL, NULL, NULL, &Edx.Uint32);
++  if (!Edx.Bits.MTRR) {
++    return;
++  }
++
++  DefType.Uint64    = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE);
++  DefType.Bits.Type = 6; /* write back */
++  DefType.Bits.E    = 1; /* enable */
++  AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64);
++}
++
+ VOID
+ EFIAPI
+ SecCoreStartupWithStack (
+@@ -203,6 +230,11 @@ SecCoreStartupWithStack (
+   InitializeApicTimer (0, MAX_UINT32, TRUE, 5);
+   DisableApicTimerInterrupt ();
+ 
++  //
++  // Initialize MTRR
++  //
++  SecMtrrSetup ();
++
+   PeilessStartup (&SecCoreData);
+ 
+   ASSERT (FALSE);
+diff --git a/OvmfPkg/Library/PlatformInitLib/MemDetect.c b/OvmfPkg/Library/PlatformInitLib/MemDetect.c
+index e64c0ee324..b6ba63ef95 100644
+--- a/OvmfPkg/Library/PlatformInitLib/MemDetect.c
++++ b/OvmfPkg/Library/PlatformInitLib/MemDetect.c
+@@ -1164,18 +1164,18 @@ PlatformQemuInitializeRam (
+     MtrrGetAllMtrrs (&MtrrSettings);
+ 
+     //
+-    // MTRRs disabled, fixed MTRRs disabled, default type is uncached
++    // See SecMtrrSetup(), default type should be write back
+     //
+-    ASSERT ((MtrrSettings.MtrrDefType & BIT11) == 0);
++    ASSERT ((MtrrSettings.MtrrDefType & BIT11) != 0);
+     ASSERT ((MtrrSettings.MtrrDefType & BIT10) == 0);
+-    ASSERT ((MtrrSettings.MtrrDefType & 0xFF) == 0);
++    ASSERT ((MtrrSettings.MtrrDefType & 0xFF) == MTRR_CACHE_WRITE_BACK);
+ 
+     //
+     // flip default type to writeback
+     //
+-    SetMem (&MtrrSettings.Fixed, sizeof MtrrSettings.Fixed, 0x06);
++    SetMem (&MtrrSettings.Fixed, sizeof MtrrSettings.Fixed, MTRR_CACHE_WRITE_BACK);
+     ZeroMem (&MtrrSettings.Variables, sizeof MtrrSettings.Variables);
+-    MtrrSettings.MtrrDefType |= BIT11 | BIT10 | 6;
++    MtrrSettings.MtrrDefType |= BIT10;
+     MtrrSetAllMtrrs (&MtrrSettings);
+ 
+     //
+diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c
+index 60dfa61842..725b57e2fa 100644
+--- a/OvmfPkg/Sec/SecMain.c
++++ b/OvmfPkg/Sec/SecMain.c
+@@ -29,6 +29,8 @@
+ #include <Ppi/MpInitLibDep.h>
+ #include <Library/TdxHelperLib.h>
+ #include <Library/CcProbeLib.h>
++#include <Register/Intel/ArchitecturalMsr.h>
++#include <Register/Intel/Cpuid.h>
+ #include "AmdSev.h"
+ 
+ #define SEC_IDT_ENTRY_COUNT  34
+@@ -743,6 +745,31 @@ FindAndReportEntryPoints (
+   return;
+ }
+ 
++//
++// Enable MTRR early, set default type to write back.
++// Needed to make sure caching is enabled,
++// without this lzma decompress can be very slow.
++//
++STATIC
++VOID
++SecMtrrSetup (
++  VOID
++  )
++{
++  CPUID_VERSION_INFO_EDX           Edx;
++  MSR_IA32_MTRR_DEF_TYPE_REGISTER  DefType;
++
++  AsmCpuid (CPUID_VERSION_INFO, NULL, NULL, NULL, &Edx.Uint32);
++  if (!Edx.Bits.MTRR) {
++    return;
++  }
++
++  DefType.Uint64    = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE);
++  DefType.Bits.Type = 6; /* write back */
++  DefType.Bits.E    = 1; /* enable */
++  AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64);
++}
++
+ VOID
+ EFIAPI
+ SecCoreStartupWithStack (
+@@ -942,6 +969,11 @@ SecCoreStartupWithStack (
+   InitializeApicTimer (0, MAX_UINT32, TRUE, 5);
+   DisableApicTimerInterrupt ();
+ 
++  //
++  // Initialize MTRR
++  //
++  SecMtrrSetup ();
++
+   //
+   // Initialize Debug Agent to support source level debug in SEC/PEI phases before memory ready.
+   //

SOURCES/0031-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch

@@ -0,0 +1,41 @@
+From 3124da27dc460926f40477d247e021ceeabe0be3 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 30 Jan 2024 14:04:39 +0100
+Subject: [PATCH] MdePkg/ArchitecturalMsr.h: add #defines for MTRR cache types
+
+RH-Author: Gerd Hoffmann <None>
+RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process.
+RH-Jira: RHEL-21704
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Commit: [2/4] a568bc2793d677462a2971aae9566a9bbc64b063 (kraxel.rh/centos-src-edk2)
+
+Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-ID: <20240130130441.772484-3-kraxel@redhat.com>
+
+patch_name: edk2-MdePkg-ArchitecturalMsr.h-add-defines-for-MTRR-cache.patch
+present_in_specfile: true
+location_in_specfile: 50
+---
+ MdePkg/Include/Register/Intel/ArchitecturalMsr.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h b/MdePkg/Include/Register/Intel/ArchitecturalMsr.h
+index 756e7c86ec..08ba949cf7 100644
+--- a/MdePkg/Include/Register/Intel/ArchitecturalMsr.h
++++ b/MdePkg/Include/Register/Intel/ArchitecturalMsr.h
+@@ -2103,6 +2103,13 @@ typedef union {
+ #define MSR_IA32_MTRR_PHYSBASE9  0x00000212
+ /// @}
+ 
++#define MSR_IA32_MTRR_CACHE_UNCACHEABLE      0
++#define MSR_IA32_MTRR_CACHE_WRITE_COMBINING  1
++#define MSR_IA32_MTRR_CACHE_WRITE_THROUGH    4
++#define MSR_IA32_MTRR_CACHE_WRITE_PROTECTED  5
++#define MSR_IA32_MTRR_CACHE_WRITE_BACK       6
++#define MSR_IA32_MTRR_CACHE_INVALID_TYPE     7
++
+ /**
+   MSR information returned for MSR indexes #MSR_IA32_MTRR_PHYSBASE0 to
+   #MSR_IA32_MTRR_PHYSBASE9

SOURCES/0032-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch

@@ -0,0 +1,70 @@
+From f015a541308b2d752c399b9ef9597c4585218032 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 30 Jan 2024 14:04:40 +0100
+Subject: [PATCH] UefiCpuPkg/MtrrLib.h: use cache type #defines from
+ ArchitecturalMsr.h
+
+RH-Author: Gerd Hoffmann <None>
+RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process.
+RH-Jira: RHEL-21704
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Commit: [3/4] 8b766c97b247a8665662697534455c19423ff23c (kraxel.rh/centos-src-edk2)
+
+Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-ID: <20240130130441.772484-4-kraxel@redhat.com>
+
+patch_name: edk2-UefiCpuPkg-MtrrLib.h-use-cache-type-defines-from-Arc.patch
+present_in_specfile: true
+location_in_specfile: 51
+---
+ UefiCpuPkg/Include/Library/MtrrLib.h | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/UefiCpuPkg/Include/Library/MtrrLib.h b/UefiCpuPkg/Include/Library/MtrrLib.h
+index 86cc1aab3b..287d249a99 100644
+--- a/UefiCpuPkg/Include/Library/MtrrLib.h
++++ b/UefiCpuPkg/Include/Library/MtrrLib.h
+@@ -9,6 +9,8 @@
+ #ifndef  _MTRR_LIB_H_
+ #define  _MTRR_LIB_H_
+ 
++#include <Register/Intel/ArchitecturalMsr.h>
++
+ //
+ // According to IA32 SDM, MTRRs number and MSR offset are always consistent
+ // for IA32 processor family
+@@ -82,20 +84,20 @@ typedef struct _MTRR_SETTINGS_ {
+ // Memory cache types
+ //
+ typedef enum {
+-  CacheUncacheable    = 0,
+-  CacheWriteCombining = 1,
+-  CacheWriteThrough   = 4,
+-  CacheWriteProtected = 5,
+-  CacheWriteBack      = 6,
+-  CacheInvalid        = 7
++  CacheUncacheable    = MSR_IA32_MTRR_CACHE_UNCACHEABLE,
++  CacheWriteCombining = MSR_IA32_MTRR_CACHE_WRITE_COMBINING,
++  CacheWriteThrough   = MSR_IA32_MTRR_CACHE_WRITE_THROUGH,
++  CacheWriteProtected = MSR_IA32_MTRR_CACHE_WRITE_PROTECTED,
++  CacheWriteBack      = MSR_IA32_MTRR_CACHE_WRITE_BACK,
++  CacheInvalid        = MSR_IA32_MTRR_CACHE_INVALID_TYPE,
+ } MTRR_MEMORY_CACHE_TYPE;
+ 
+-#define  MTRR_CACHE_UNCACHEABLE      0
+-#define  MTRR_CACHE_WRITE_COMBINING  1
+-#define  MTRR_CACHE_WRITE_THROUGH    4
+-#define  MTRR_CACHE_WRITE_PROTECTED  5
+-#define  MTRR_CACHE_WRITE_BACK       6
+-#define  MTRR_CACHE_INVALID_TYPE     7
++#define  MTRR_CACHE_UNCACHEABLE      MSR_IA32_MTRR_CACHE_UNCACHEABLE
++#define  MTRR_CACHE_WRITE_COMBINING  MSR_IA32_MTRR_CACHE_WRITE_COMBINING
++#define  MTRR_CACHE_WRITE_THROUGH    MSR_IA32_MTRR_CACHE_WRITE_THROUGH
++#define  MTRR_CACHE_WRITE_PROTECTED  MSR_IA32_MTRR_CACHE_WRITE_PROTECTED
++#define  MTRR_CACHE_WRITE_BACK       MSR_IA32_MTRR_CACHE_WRITE_BACK
++#define  MTRR_CACHE_INVALID_TYPE     MSR_IA32_MTRR_CACHE_INVALID_TYPE
+ 
+ typedef struct {
+   UINT64                    BaseAddress;

SOURCES/0033-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch

@@ -0,0 +1,49 @@
+From dd543686c34fc3c6ddfafc0104066889ad9d1813 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 30 Jan 2024 14:04:41 +0100
+Subject: [PATCH] OvmfPkg/Sec: use cache type #defines from ArchitecturalMsr.h
+
+RH-Author: Gerd Hoffmann <None>
+RH-MergeRequest: 55: OvmfPkg/Sec: Setup MTRR early in the boot process.
+RH-Jira: RHEL-21704
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Commit: [4/4] 55f00e3e153ca945ca458e7abc26780a8d83ac85 (kraxel.rh/centos-src-edk2)
+
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-ID: <20240130130441.772484-5-kraxel@redhat.com>
+
+patch_name: edk2-OvmfPkg-Sec-use-cache-type-defines-from-Architectura.patch
+present_in_specfile: true
+location_in_specfile: 52
+---
+ OvmfPkg/IntelTdx/Sec/SecMain.c | 2 +-
+ OvmfPkg/Sec/SecMain.c          | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/OvmfPkg/IntelTdx/Sec/SecMain.c b/OvmfPkg/IntelTdx/Sec/SecMain.c
+index 7094d86159..1a19f26178 100644
+--- a/OvmfPkg/IntelTdx/Sec/SecMain.c
++++ b/OvmfPkg/IntelTdx/Sec/SecMain.c
+@@ -69,7 +69,7 @@ SecMtrrSetup (
+   }
+ 
+   DefType.Uint64    = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE);
+-  DefType.Bits.Type = 6; /* write back */
++  DefType.Bits.Type = MSR_IA32_MTRR_CACHE_WRITE_BACK;
+   DefType.Bits.E    = 1; /* enable */
+   AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64);
+ }
+diff --git a/OvmfPkg/Sec/SecMain.c b/OvmfPkg/Sec/SecMain.c
+index 725b57e2fa..26963b924d 100644
+--- a/OvmfPkg/Sec/SecMain.c
++++ b/OvmfPkg/Sec/SecMain.c
+@@ -765,7 +765,7 @@ SecMtrrSetup (
+   }
+ 
+   DefType.Uint64    = AsmReadMsr64 (MSR_IA32_MTRR_DEF_TYPE);
+-  DefType.Bits.Type = 6; /* write back */
++  DefType.Bits.Type = MSR_IA32_MTRR_CACHE_WRITE_BACK;
+   DefType.Bits.E    = 1; /* enable */
+   AsmWriteMsr64 (MSR_IA32_MTRR_DEF_TYPE, DefType.Uint64);
+ }

SOURCES/0034-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch

@@ -0,0 +1,54 @@
+From bbd537bc6560494b0b08886364c38406b1e8107a Mon Sep 17 00:00:00 2001
+From: Sam <Sam_Tsai@wiwynn.com>
+Date: Wed, 29 May 2024 07:46:03 +0800
+Subject: [PATCH] NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in
+ iPXE environment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This bug fix is based on the following commit "NetworkPkg TcpDxe: SECURITY PATCH"
+REF: 1904a64
+
+Issue Description:
+An "Invalid handle" error was detected during runtime when attempting to destroy a child instance of the hashing protocol. The problematic code segment was:
+
+NetworkPkg\TcpDxe\TcpDriver.c
+Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, ​&mHash2ServiceHandle);
+
+Root Cause Analysis:
+The root cause of the error was the passing of an incorrect parameter type, a pointer to an EFI_HANDLE instead of an EFI_HANDLE itself, to the DestroyChild function. This mismatch resulted in the function receiving an invalid handle.
+
+Implemented Solution:
+To resolve this issue, the function call was corrected to pass mHash2ServiceHandle directly:
+
+NetworkPkg\TcpDxe\TcpDriver.c
+Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, mHash2ServiceHandle);
+
+This modification ensures the correct handle type is used, effectively rectifying the "Invalid handle" error.
+
+Verification:
+Testing has been conducted, confirming the efficacy of the fix. Additionally, the BIOS can boot into the OS in an iPXE environment.
+
+Cc: Doug Flick [MSFT] <doug.edk2@gmail.com>
+
+Signed-off-by: Sam Tsai [Wiwynn] <sam_tsai@wiwynn.com>
+Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
+(cherry picked from commit ced13b93afea87a8a1fe6ddbb67240a84cb2e3d3)
+---
+ NetworkPkg/TcpDxe/TcpDriver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
+index 40bba4080c..c6e7c0df54 100644
+--- a/NetworkPkg/TcpDxe/TcpDriver.c
++++ b/NetworkPkg/TcpDxe/TcpDriver.c
+@@ -509,7 +509,7 @@ TcpDestroyService (
+     //
+     // Destroy the instance of the hashing protocol for this controller.
+     //
+-    Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
++    Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, mHash2ServiceHandle);
+     if (EFI_ERROR (Status)) {
+       return EFI_UNSUPPORTED;
+     }

SOURCES/0035-OvmfPkg-add-morlock-support.patch

@@ -0,0 +1,127 @@
+From 3f8eab199430de18c1c6a98d1d0772499b17cc86 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 8 May 2024 13:14:26 +0200
+Subject: [PATCH] OvmfPkg: add morlock support
+
+Add dsc + fdf include files to add the MorLock drivers to the build.
+Add the include files to OVMF build configurations.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit b45aff0dc9cb87f316eb17a11e5d4438175d9cca)
+---
+ OvmfPkg/Include/Dsc/MorLock.dsc.inc | 10 ++++++++++
+ OvmfPkg/Include/Fdf/MorLock.fdf.inc | 10 ++++++++++
+ OvmfPkg/OvmfPkgIa32.dsc             |  1 +
+ OvmfPkg/OvmfPkgIa32.fdf             |  1 +
+ OvmfPkg/OvmfPkgIa32X64.dsc          |  1 +
+ OvmfPkg/OvmfPkgIa32X64.fdf          |  1 +
+ OvmfPkg/OvmfPkgX64.dsc              |  1 +
+ OvmfPkg/OvmfPkgX64.fdf              |  1 +
+ 8 files changed, 26 insertions(+)
+ create mode 100644 OvmfPkg/Include/Dsc/MorLock.dsc.inc
+ create mode 100644 OvmfPkg/Include/Fdf/MorLock.fdf.inc
+
+diff --git a/OvmfPkg/Include/Dsc/MorLock.dsc.inc b/OvmfPkg/Include/Dsc/MorLock.dsc.inc
+new file mode 100644
+index 0000000000..a8c5fb24b8
+--- /dev/null
++++ b/OvmfPkg/Include/Dsc/MorLock.dsc.inc
+@@ -0,0 +1,10 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++#
++# MorLock support
++##
++
++  SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf
++!if $(SMM_REQUIRE) == TRUE
++  SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf
++!endif
+diff --git a/OvmfPkg/Include/Fdf/MorLock.fdf.inc b/OvmfPkg/Include/Fdf/MorLock.fdf.inc
+new file mode 100644
+index 0000000000..20b7d6619a
+--- /dev/null
++++ b/OvmfPkg/Include/Fdf/MorLock.fdf.inc
+@@ -0,0 +1,10 @@
++##
++# SPDX-License-Identifier: BSD-2-Clause-Patent
++#
++# MorLock support
++##
++
++INF SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf
++!if $(SMM_REQUIRE) == TRUE
++INF SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf
++!endif
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index d8ae542686..65a866ae0c 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -887,6 +887,7 @@
+   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ 
+ !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
++!include OvmfPkg/Include/Dsc/MorLock.dsc.inc
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 0ffa3be750..10eb6fe72b 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -355,6 +355,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
+ 
+ !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
++!include OvmfPkg/Include/Fdf/MorLock.fdf.inc
+ 
+ !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
+ INF  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 52ac2c96fc..679e25501b 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -901,6 +901,7 @@
+   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ 
+ !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
++!include OvmfPkg/Include/Dsc/MorLock.dsc.inc
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index c4f3ec0735..ff06bbfc6f 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -362,6 +362,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
+ 
+ !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
++!include OvmfPkg/Include/Fdf/MorLock.fdf.inc
+ 
+ ################################################################################
+ 
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index f76d0ef7bc..d294fd4625 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -969,6 +969,7 @@
+   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ 
+ !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
++!include OvmfPkg/Include/Dsc/MorLock.dsc.inc
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index bedd85ef7a..f3b787201f 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -402,6 +402,7 @@ INF OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf
+ !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
+ 
+ !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
++!include OvmfPkg/Include/Fdf/MorLock.fdf.inc
+ 
+ ################################################################################
+ 

SOURCES/0036-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch

@@ -0,0 +1,192 @@
+From 3899f089b8197f52ca63fe1561f8e5e1341f8198 Mon Sep 17 00:00:00 2001
+From: Pedro Falcato <pedro.falcato@gmail.com>
+Date: Tue, 22 Nov 2022 22:31:03 +0000
+Subject: [PATCH] MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID
+
+RDRAND has notoriously been broken many times over its lifespan.
+Add a smoketest to RDRAND, in order to better sniff out potential
+security concerns.
+
+Also add a proper CPUID test in order to support older CPUs which may
+not have it; it was previously being tested but then promptly ignored.
+
+Testing algorithm inspired by linux's arch/x86/kernel/cpu/rdrand.c
+:x86_init_rdrand() per commit 049f9ae9..
+
+Many thanks to Jason Donenfeld for relicensing his linux RDRAND detection
+code to MIT and the public domain.
+
+>On Tue, Nov 22, 2022 at 2:21 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
+  <..>
+>    I (re)wrote that function in Linux. I hereby relicense it as MIT, and
+>    also place it into public domain. Do with it what you will now.
+>
+>    Jason
+
+BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4163
+
+Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com>
+Cc: Michael D Kinney <michael.d.kinney@intel.com>
+Cc: Liming Gao <gaoliming@byosoft.com.cn>
+Cc: Zhiguang Liu <zhiguang.liu@intel.com>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+(cherry picked from commit c3a8ca7b54a9fd17acdf16c6282a92cc989fa92a)
+---
+ MdePkg/Library/BaseRngLib/Rand/RdRand.c | 99 +++++++++++++++++++++++--
+ 1 file changed, 91 insertions(+), 8 deletions(-)
+
+diff --git a/MdePkg/Library/BaseRngLib/Rand/RdRand.c b/MdePkg/Library/BaseRngLib/Rand/RdRand.c
+index 9bd68352f9..06d2a6f12d 100644
+--- a/MdePkg/Library/BaseRngLib/Rand/RdRand.c
++++ b/MdePkg/Library/BaseRngLib/Rand/RdRand.c
+@@ -3,6 +3,7 @@
+   to provide high-quality random numbers.
+ 
+ Copyright (c) 2023, Arm Limited. All rights reserved.<BR>
++Copyright (c) 2022, Pedro Falcato. All rights reserved.<BR>
+ Copyright (c) 2021, NUVIA Inc. All rights reserved.<BR>
+ Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
+ 
+@@ -24,6 +25,88 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ STATIC BOOLEAN  mRdRandSupported;
+ 
++//
++// Intel SDM says 10 tries is good enough for reliable RDRAND usage.
++//
++#define RDRAND_RETRIES  10
++
++#define RDRAND_TEST_SAMPLES  8
++
++#define RDRAND_MIN_CHANGE  5
++
++//
++// Add a define for native-word RDRAND, just for the test.
++//
++#ifdef MDE_CPU_X64
++#define ASM_RDRAND  AsmRdRand64
++#else
++#define ASM_RDRAND  AsmRdRand32
++#endif
++
++/**
++  Tests RDRAND for broken implementations.
++
++  @retval TRUE         RDRAND is reliable (and hopefully safe).
++  @retval FALSE        RDRAND is unreliable and should be disabled, despite CPUID.
++
++**/
++STATIC
++BOOLEAN
++TestRdRand (
++  VOID
++  )
++{
++  //
++  // Test for notoriously broken rdrand implementations that always return the same
++  // value, like the Zen 3 uarch (all-1s) or other several AMD families on suspend/resume (also all-1s).
++  // Note that this should be expanded to extensively test for other sorts of possible errata.
++  //
++
++  //
++  // Our algorithm samples rdrand $RDRAND_TEST_SAMPLES times and expects
++  // a different result $RDRAND_MIN_CHANGE times for reliable RDRAND usage.
++  //
++  UINTN   Prev;
++  UINT8   Idx;
++  UINT8   TestIteration;
++  UINT32  Changed;
++
++  Changed = 0;
++
++  for (TestIteration = 0; TestIteration < RDRAND_TEST_SAMPLES; TestIteration++) {
++    UINTN  Sample;
++    //
++    // Note: We use a retry loop for rdrand. Normal users get this in BaseRng.c
++    // Any failure to get a random number will assume RDRAND does not work.
++    //
++    for (Idx = 0; Idx < RDRAND_RETRIES; Idx++) {
++      if (ASM_RDRAND (&Sample)) {
++        break;
++      }
++    }
++
++    if (Idx == RDRAND_RETRIES) {
++      DEBUG ((DEBUG_ERROR, "BaseRngLib/x86: CPU BUG: Failed to get an RDRAND random number - disabling\n"));
++      return FALSE;
++    }
++
++    if (TestIteration != 0) {
++      Changed += Sample != Prev;
++    }
++
++    Prev = Sample;
++  }
++
++  if (Changed < RDRAND_MIN_CHANGE) {
++    DEBUG ((DEBUG_ERROR, "BaseRngLib/x86: CPU BUG: RDRAND not reliable - disabling\n"));
++    return FALSE;
++  }
++
++  return TRUE;
++}
++
++#undef ASM_RDRAND
++
+ /**
+   The constructor function checks whether or not RDRAND instruction is supported
+   by the host hardware.
+@@ -48,10 +131,13 @@ BaseRngLibConstructor (
+   // CPUID. A value of 1 indicates that processor support RDRAND instruction.
+   //
+   AsmCpuid (1, 0, 0, &RegEcx, 0);
+-  ASSERT ((RegEcx & RDRAND_MASK) == RDRAND_MASK);
+ 
+   mRdRandSupported = ((RegEcx & RDRAND_MASK) == RDRAND_MASK);
+ 
++  if (mRdRandSupported) {
++    mRdRandSupported = TestRdRand ();
++  }
++
+   return EFI_SUCCESS;
+ }
+ 
+@@ -70,6 +156,7 @@ ArchGetRandomNumber16 (
+   OUT     UINT16  *Rand
+   )
+ {
++  ASSERT (mRdRandSupported);
+   return AsmRdRand16 (Rand);
+ }
+ 
+@@ -88,6 +175,7 @@ ArchGetRandomNumber32 (
+   OUT     UINT32  *Rand
+   )
+ {
++  ASSERT (mRdRandSupported);
+   return AsmRdRand32 (Rand);
+ }
+ 
+@@ -106,6 +194,7 @@ ArchGetRandomNumber64 (
+   OUT     UINT64  *Rand
+   )
+ {
++  ASSERT (mRdRandSupported);
+   return AsmRdRand64 (Rand);
+ }
+ 
+@@ -122,13 +211,7 @@ ArchIsRngSupported (
+   VOID
+   )
+ {
+-  /*
+-     Existing software depends on this always returning TRUE, so for
+-     now hard-code it.
+-
+-     return mRdRandSupported;
+-  */
+-  return TRUE;
++  return mRdRandSupported;
+ }
+ 
+ /**

SOURCES/0037-SecurityPkg-RngDxe-add-rng-test.patch

@@ -0,0 +1,43 @@
+From 4947d363211159647e9266fa20ad9d4c8bc52f71 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 31 May 2024 09:49:13 +0200
+Subject: [PATCH] SecurityPkg/RngDxe: add rng test
+
+Check whenever RngLib actually returns random numbers, only return
+a non-zero number of Algorithms if that is the case.
+
+This has the effect that RndDxe loads and installs EFI_RNG_PROTOCOL
+only in case it can actually deliver random numbers.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit a61bc0accb8a76edba4f073fdc7bafc908df045d)
+---
+ SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+index 5723ed6957..8b0742bab6 100644
+--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
++++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+@@ -23,6 +23,7 @@
+ 
+ #include <Library/BaseLib.h>
+ #include <Library/BaseMemoryLib.h>
++#include <Library/RngLib.h>
+ 
+ #include "RngDxeInternals.h"
+ 
+@@ -43,7 +44,12 @@ GetAvailableAlgorithms (
+   VOID
+   )
+ {
+-  mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT;
++  UINT64  RngTest;
++
++  if (GetRandomNumber64 (&RngTest)) {
++    mAvailableAlgoArrayCount = RNG_ALGORITHM_COUNT;
++  }
++
+   return EFI_SUCCESS;
+ }
+ 

SOURCES/0038-OvmfPkg-wire-up-RngDxe.patch

@@ -0,0 +1,301 @@
+From 0aa96c512c689426838ec1cf4aa78ff088c03a1e Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 24 May 2024 12:51:17 +0200
+Subject: [PATCH] OvmfPkg: wire up RngDxe
+
+Add OvmfRng include snippets with the random number generator
+configuration for OVMF.  Include RngDxe, build with BaseRngLib,
+so the rdrand instruction is used (if available).
+
+Also move VirtioRng to the include snippets.
+
+Use the new include snippets for OVMF builds.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 712797cf19acd292bf203522a79e40e7e13d268b)
+---
+ OvmfPkg/AmdSev/AmdSevX64.dsc                  | 2 +-
+ OvmfPkg/AmdSev/AmdSevX64.fdf                  | 2 +-
+ OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc | 9 +++++++++
+ OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc        | 6 ++++++
+ OvmfPkg/IntelTdx/IntelTdxX64.dsc              | 2 +-
+ OvmfPkg/IntelTdx/IntelTdxX64.fdf              | 2 +-
+ OvmfPkg/Microvm/MicrovmX64.dsc                | 2 +-
+ OvmfPkg/Microvm/MicrovmX64.fdf                | 2 +-
+ OvmfPkg/OvmfPkgIa32.dsc                       | 2 +-
+ OvmfPkg/OvmfPkgIa32.fdf                       | 2 +-
+ OvmfPkg/OvmfPkgIa32X64.dsc                    | 2 +-
+ OvmfPkg/OvmfPkgIa32X64.fdf                    | 2 +-
+ OvmfPkg/OvmfPkgX64.dsc                        | 2 +-
+ OvmfPkg/OvmfPkgX64.fdf                        | 2 +-
+ 14 files changed, 27 insertions(+), 12 deletions(-)
+ create mode 100644 OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
+ create mode 100644 OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
+
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
+index cf1ad83e09..4edc2a9069 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
++++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
+@@ -649,7 +649,6 @@
+   OvmfPkg/Virtio10Dxe/Virtio10.inf
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -740,6 +739,7 @@
+   OvmfPkg/AmdSev/Grub/Grub.inf
+ 
+ !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
++!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
+ 
+   OvmfPkg/PlatformDxe/Platform.inf
+   OvmfPkg/AmdSevDxe/AmdSevDxe.inf {
+diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
+index c56c98dc85..480837b0fa 100644
+--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
++++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
+@@ -227,7 +227,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
+ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -318,6 +317,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc
+ 
+ !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
++!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
+ 
+ ################################################################################
+ 
+diff --git a/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
+new file mode 100644
+index 0000000000..68839a0caa
+--- /dev/null
++++ b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
+@@ -0,0 +1,9 @@
++##
++#    SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf {
++    <LibraryClasses>
++      RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
++  }
++  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+diff --git a/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc b/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
+new file mode 100644
+index 0000000000..99cb4a32b1
+--- /dev/null
++++ b/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
+@@ -0,0 +1,6 @@
++##
++#    SPDX-License-Identifier: BSD-2-Clause-Patent
++##
++
++INF  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
++INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+index 9f49b60ff0..4b7e1596fc 100644
+--- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc
++++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc
+@@ -636,7 +636,6 @@
+   OvmfPkg/Virtio10Dxe/Virtio10.inf
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -719,6 +718,7 @@
+   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ 
+ !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
++!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+index ce5d542048..88d0f75ae2 100644
+--- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf
++++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf
+@@ -285,7 +285,6 @@ READ_LOCK_STATUS   = TRUE
+ #
+ INF  MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+ !endif
+@@ -326,6 +325,7 @@ INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ INF  OvmfPkg/PlatformDxe/Platform.inf
+ 
+ !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
++!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
+ 
+ ################################################################################
+ 
+diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc
+index fb73f2e089..9206f01816 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.dsc
++++ b/OvmfPkg/Microvm/MicrovmX64.dsc
+@@ -760,7 +760,6 @@
+   OvmfPkg/Virtio10Dxe/Virtio10.inf
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+   OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
+   MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
+   MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
+@@ -846,6 +845,7 @@
+   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+ 
+ !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
++!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf
+index 055e659a35..c8268d7e8c 100644
+--- a/OvmfPkg/Microvm/MicrovmX64.fdf
++++ b/OvmfPkg/Microvm/MicrovmX64.fdf
+@@ -207,7 +207,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
+ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ INF  OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+@@ -299,6 +298,7 @@ INF  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
+ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ 
+ !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
++!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
+ 
+ ################################################################################
+ 
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 65a866ae0c..b64c215585 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -784,7 +784,6 @@
+   OvmfPkg/Virtio10Dxe/Virtio10.inf
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+   OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+@@ -888,6 +887,7 @@
+ 
+ !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+ !include OvmfPkg/Include/Dsc/MorLock.dsc.inc
++!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 10eb6fe72b..c31276e4a3 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -231,7 +231,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
+ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ INF  OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+@@ -356,6 +355,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ 
+ !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
+ !include OvmfPkg/Include/Fdf/MorLock.fdf.inc
++!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
+ 
+ !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE
+ INF  OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 679e25501b..ececac3757 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -798,7 +798,6 @@
+   OvmfPkg/Virtio10Dxe/Virtio10.inf
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+   OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+@@ -902,6 +901,7 @@
+ 
+ !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+ !include OvmfPkg/Include/Dsc/MorLock.dsc.inc
++!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index ff06bbfc6f..a7b4aeac08 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -232,7 +232,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
+ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ INF  OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+@@ -363,6 +362,7 @@ INF  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+ 
+ !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
+ !include OvmfPkg/Include/Fdf/MorLock.fdf.inc
++!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
+ 
+ ################################################################################
+ 
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index d294fd4625..0ab4d3df06 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -866,7 +866,6 @@
+   OvmfPkg/Virtio10Dxe/Virtio10.inf
+   OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+   OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+   OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+   OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+@@ -970,6 +969,7 @@
+ 
+ !include OvmfPkg/Include/Dsc/ShellComponents.dsc.inc
+ !include OvmfPkg/Include/Dsc/MorLock.dsc.inc
++!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index f3b787201f..ae08ac4fe9 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -263,7 +263,6 @@ INF  OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf
+ INF  OvmfPkg/Virtio10Dxe/Virtio10.inf
+ INF  OvmfPkg/VirtioBlkDxe/VirtioBlk.inf
+ INF  OvmfPkg/VirtioScsiDxe/VirtioScsi.inf
+-INF  OvmfPkg/VirtioRngDxe/VirtioRng.inf
+ INF  OvmfPkg/VirtioSerialDxe/VirtioSerial.inf
+ !if $(PVSCSI_ENABLE) == TRUE
+ INF  OvmfPkg/PvScsiDxe/PvScsiDxe.inf
+@@ -403,6 +402,7 @@ INF OvmfPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf
+ 
+ !include OvmfPkg/Include/Fdf/ShellDxe.fdf.inc
+ !include OvmfPkg/Include/Fdf/MorLock.fdf.inc
++!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc
+ 
+ ################################################################################
+ 

SOURCES/0039-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch

@@ -0,0 +1,37 @@
+From d5d19043e62a268a492f9a1ef6a11380d8f7e784 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 14 Jun 2024 11:45:49 +0200
+Subject: [PATCH] CryptoPkg/Test: call ProcessLibraryConstructorList
+
+Needed to properly initialize BaseRngLib.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 94961b8817eec6f8d0434555ac50a7aa51c22201)
+---
+ .../Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c      | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c
+index d0c1c7a4f7..48d463b8ad 100644
+--- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c
++++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/UnitTestMain.c
+@@ -8,6 +8,12 @@
+ **/
+ #include "TestBaseCryptLib.h"
+ 
++VOID
++EFIAPI
++ProcessLibraryConstructorList (
++  VOID
++  );
++
+ /**
+   Initialize the unit test framework, suite, and unit tests for the
+   sample unit tests and run the unit tests.
+@@ -76,5 +82,6 @@ main (
+   char  *argv[]
+   )
+ {
++  ProcessLibraryConstructorList ();
+   return UefiTestMain ();
+ }

SOURCES/0040-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch

@@ -0,0 +1,43 @@
+From 320207a3df995771af36639c7bdf89c4203cf1c2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 14 Jun 2024 11:45:53 +0200
+Subject: [PATCH] MdePkg/X86UnitTestHost: set rdrand cpuid bit
+
+Set the rdrand feature bit when faking cpuid for host test cases.
+Needed to make the CryptoPkg test cases work.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 5e776299a2604b336a947e68593012ab2cc16eb4)
+---
+ MdePkg/Library/BaseLib/X86UnitTestHost.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/MdePkg/Library/BaseLib/X86UnitTestHost.c b/MdePkg/Library/BaseLib/X86UnitTestHost.c
+index 8ba4f54a38..7f7276f7f4 100644
+--- a/MdePkg/Library/BaseLib/X86UnitTestHost.c
++++ b/MdePkg/Library/BaseLib/X86UnitTestHost.c
+@@ -66,6 +66,15 @@ UnitTestHostBaseLibAsmCpuid (
+   OUT     UINT32  *Edx   OPTIONAL
+   )
+ {
++  UINT32  RetEcx;
++
++  RetEcx = 0;
++  switch (Index) {
++    case 1:
++      RetEcx |= BIT30; /* RdRand */
++      break;
++  }
++
+   if (Eax != NULL) {
+     *Eax = 0;
+   }
+@@ -75,7 +84,7 @@ UnitTestHostBaseLibAsmCpuid (
+   }
+ 
+   if (Ecx != NULL) {
+-    *Ecx = 0;
++    *Ecx = RetEcx;
+   }
+ 
+   if (Edx != NULL) {

SOURCES/30-edk2-ovmf-x64-sb-enrolled.json

@@ -0,0 +1,36 @@
+{
+    "description": "OVMF with SB+SMM, SB enabled, MS certs enrolled",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode": "split",
+        "executable": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_VARS.secboot.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "enrolled-keys",
+        "requires-smm",
+        "secure-boot",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}

SOURCES/40-edk2-ovmf-x64-sb.json

@@ -0,0 +1,35 @@
+{
+    "description": "OVMF with SB+SMM, empty varstore",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode": "split",
+        "executable": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "requires-smm",
+        "secure-boot",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}

SOURCES/50-edk2-aarch64-qcow2.json

@@ -0,0 +1,32 @@
+{
+    "description": "UEFI firmware for ARM64 virtual machines",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode": "split",
+        "executable": {
+            "filename": "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.qcow2",
+            "format": "qcow2"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/aarch64/vars-template-pflash.qcow2",
+            "format": "qcow2"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+
+    ],
+    "tags": [
+
+    ]
+}

SOURCES/50-edk2-ovmf-x64-nosb.json

@@ -0,0 +1,35 @@
+{
+    "description": "OVMF without SB+SMM, empty varstore",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode": "split",
+        "executable": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_CODE.fd",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/ovmf/OVMF_VARS.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "acpi-s3",
+        "amd-sev",
+        "amd-sev-es",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}

SOURCES/51-edk2-aarch64-raw.json

@@ -0,0 +1,32 @@
+{
+    "description": "UEFI firmware for ARM64 virtual machines",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode": "split",
+        "executable": {
+            "filename": "/usr/share/edk2/aarch64/QEMU_EFI-silent-pflash.raw",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+
+    ],
+    "tags": [
+
+    ]
+}

SOURCES/52-edk2-aarch64-verbose-qcow2.json

@@ -0,0 +1,32 @@
+{
+    "description": "UEFI firmware for ARM64 virtual machines, verbose logs",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode": "split",
+        "executable": {
+            "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.qcow2",
+            "format": "qcow2"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/aarch64/vars-template-pflash.qcow2",
+            "format": "qcow2"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+        "verbose-static"
+    ],
+    "tags": [
+
+    ]
+}

SOURCES/53-edk2-aarch64-verbose-raw.json

@@ -0,0 +1,32 @@
+{
+    "description": "UEFI firmware for ARM64 virtual machines, verbose logs",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode": "split",
+        "executable": {
+            "filename": "/usr/share/edk2/aarch64/QEMU_EFI-pflash.raw",
+            "format": "raw"
+        },
+        "nvram-template": {
+            "filename": "/usr/share/edk2/aarch64/vars-template-pflash.raw",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "aarch64",
+            "machines": [
+                "virt-*"
+            ]
+        }
+    ],
+    "features": [
+        "verbose-static"
+    ],
+    "tags": [
+
+    ]
+}

SOURCES/60-edk2-ovmf-x64-amdsev.json

@@ -0,0 +1,31 @@
+{
+    "description": "OVMF with SEV-ES support",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "flash",
+        "mode": "stateless",
+        "executable": {
+            "filename": "/usr/share/edk2/ovmf/OVMF.amdsev.fd",
+            "format": "raw"
+        }
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "amd-sev",
+        "amd-sev-es",
+        "amd-sev-snp",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}

SOURCES/60-edk2-ovmf-x64-inteltdx.json

@@ -0,0 +1,27 @@
+{
+    "description": "OVMF with TDX support",
+    "interface-types": [
+        "uefi"
+    ],
+    "mapping": {
+        "device": "memory",
+        "filename": "/usr/share/edk2/ovmf/OVMF.inteltdx.secboot.fd"
+    },
+    "targets": [
+        {
+            "architecture": "x86_64",
+            "machines": [
+                "pc-q35-*"
+            ]
+        }
+    ],
+    "features": [
+        "enrolled-keys",
+        "intel-tdx",
+        "secure-boot",
+        "verbose-dynamic"
+    ],
+    "tags": [
+
+    ]
+}

SOURCES/certs_add.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+IMAGE="$1"
+
+[ -f "$IMAGE" ] || { echo "File $IMAGE is not found!"; exit 1; }
+
+GUID=$(virt-fw-vars -i $IMAGE -p -v 2>/dev/null | awk '{if($1 ~ /name=db$/){sub(/guid=guid:/,"",$2);print $2}}')
+
+[ -n "$GUID" ] || { echo "GUID is not set!"; exit 1; }
+
+for F in `ls ./*.pem`; do
+	echo "virt-fw-vars --add-db $GUID $F -i $IMAGE -o $IMAGE";
+	virt-fw-vars --add-db $GUID $F -i $IMAGE -o $IMAGE;
+done

SOURCES/edk2-AmdSevDxe-Fix-the-shim-fallback-reboot-workaround-fo.patch

@@ -0,0 +1,63 @@
+From 481310a21104aba17bc0cddd236ecdf69d4ba662 Mon Sep 17 00:00:00 2001
+From: Oliver Steffen <osteffen@redhat.com>
+Date: Mon, 26 Aug 2024 19:25:52 +0200
+Subject: [PATCH] AmdSevDxe: Fix the shim fallback reboot workaround for SNP
+
+RH-Author: Oliver Steffen <osteffen@redhat.com>
+RH-MergeRequest: 68: AmdSevDxe: Fix the shim fallback reboot workaround for SNP
+RH-Jira: RHEL-56081
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [1/1] ab8678b61d171f9c19459e034483437b29037b4b (osteffen/edk2)
+
+The shim fallback reboot workaround (introduced for SEV-ES) does
+not always work for SEV-SNP, due to a conditional early return.
+
+Let's just register the workaround earlier in this function to
+fix that.
+
+Signed-off-by: Oliver Steffen <osteffen@redhat.com>
+---
+ OvmfPkg/AmdSevDxe/AmdSevDxe.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/OvmfPkg/AmdSevDxe/AmdSevDxe.c b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
+index 0eb88e50ff..ca345e95da 100644
+--- a/OvmfPkg/AmdSevDxe/AmdSevDxe.c
++++ b/OvmfPkg/AmdSevDxe/AmdSevDxe.c
+@@ -243,6 +243,17 @@ AmdSevDxeEntryPoint (
+     return EFI_UNSUPPORTED;
+   }
+ 
++  // Shim fallback reboot workaround
++  Status = gBS->CreateEventEx (
++                  EVT_NOTIFY_SIGNAL,
++                  TPL_CALLBACK,
++                  PopulateVarstore,
++                  SystemTable,
++                  &gEfiEndOfDxeEventGroupGuid,
++                  &PopulateVarstoreEvent
++                  );
++  ASSERT_EFI_ERROR (Status);
++
+   //
+   // Iterate through the GCD map and clear the C-bit from MMIO and NonExistent
+   // memory space. The NonExistent memory space will be used for mapping the
+@@ -393,15 +404,5 @@ AmdSevDxeEntryPoint (
+                   );
+   }
+ 
+-  Status = gBS->CreateEventEx (
+-                  EVT_NOTIFY_SIGNAL,
+-                  TPL_CALLBACK,
+-                  PopulateVarstore,
+-                  SystemTable,
+-                  &gEfiEndOfDxeEventGroupGuid,
+-                  &PopulateVarstoreEvent
+-                  );
+-  ASSERT_EFI_ERROR (Status);
+-
+   return EFI_SUCCESS;
+ }
+-- 
+2.39.3
+

SOURCES/edk2-MdeModulePkg-Warn-if-out-of-flash-space-when-writing.patch

@@ -0,0 +1,43 @@
+From 880c1ca7420b873c5f81563b122d7bd1ebad72cb Mon Sep 17 00:00:00 2001
+From: Oliver Steffen <osteffen@redhat.com>
+Date: Mon, 4 Mar 2024 15:32:58 +0100
+Subject: [PATCH] MdeModulePkg: Warn if out of flash space when writing
+ variables
+
+RH-Author: Oliver Steffen <osteffen@redhat.com>
+RH-MergeRequest: 64: MdeModulePkg: Warn if out of flash space when writing variables
+RH-Jira: RHEL-43442
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [1/1] b65130800090192f47f13d67ff14f902a4f5bfb5 (osteffen/edk2)
+
+Emit a DEBUG_WARN message if there is not enough flash space left to
+write/update a variable. This condition is currently not logged
+appropriately in all cases, given that full variable store can easily
+render the system unbootable.
+This new message helps identifying this condition.
+
+Signed-off-by: Oliver Steffen <osteffen@redhat.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 80b59ff8320d1bd134bf689fe9c0ddf4e0473b88)
+Signed-off-by: Oliver Steffen <osteffen@redhat.com>
+---
+ MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+index d394d237a5..1c7659031d 100644
+--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
++++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+@@ -2364,6 +2364,8 @@ Done:
+                   );
+       ASSERT_EFI_ERROR (Status);
+     }
++  } else if (Status == EFI_OUT_OF_RESOURCES) {
++    DEBUG ((DEBUG_WARN, "UpdateVariable failed: Out of flash space\n"));
+   }
+ 
+   return Status;
+-- 
+2.39.3
+

SOURCES/edk2-NetworkPkg-DxeNetLib-Reword-PseudoRandom-error-loggi.patch

@@ -0,0 +1,43 @@
+From c5f142e26ea5e892a63ed35ca952c8b583a9f8c1 Mon Sep 17 00:00:00 2001
+From: Oliver Steffen <osteffen@redhat.com>
+Date: Wed, 14 Aug 2024 09:53:49 +0200
+Subject: [PATCH 2/2] NetworkPkg/DxeNetLib: Reword PseudoRandom error logging
+
+RH-Author: Oliver Steffen <osteffen@redhat.com>
+RH-MergeRequest: 67: NetworkPkg/DxeNetLib: adjust PseudoRandom error logging
+RH-Jira: RHEL-45899
+RH-Commit: [2/2] 0d465ca0ea00598e6826446cd08e890c2ae4bea7 (osteffen/edk2)
+
+The word "Failed" is used when logging tired Rng algorithms.
+These mostly non-critical messages confused some users.
+
+Reword it and also add a message confirming eventual success to
+deescalate the importance somewhat.
+
+Signed-off-by: Oliver Steffen <osteffen@redhat.com>
+---
+ NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
+index 4dfbe91a55..905a944975 100644
+--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
++++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
+@@ -946,12 +946,13 @@ PseudoRandom (
+         //
+         // Secure Algorithm was supported on this platform
+         //
++        DEBUG ((DEBUG_VERBOSE, "Generated random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));
+         return EFI_SUCCESS;
+       } else if (Status == EFI_UNSUPPORTED) {
+         //
+         // Secure Algorithm was not supported on this platform
+         //
+-        DEBUG ((DEBUG_VERBOSE, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));
++        DEBUG ((DEBUG_VERBOSE, "Unable to generate random data using secure algorithm %d not available: %r\n", AlgorithmIndex, Status));
+ 
+         //
+         // Try the next secure algorithm
+-- 
+2.39.3
+

SOURCES/edk2-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch

@@ -0,0 +1,48 @@
+From 7cbd00792445ad50e861e4835cdb5ba60466aae3 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 19 Jun 2024 09:07:56 +0200
+Subject: [PATCH 1/2] NetworkPkg/DxeNetLib: adjust PseudoRandom error logging
+
+RH-Author: Oliver Steffen <osteffen@redhat.com>
+RH-MergeRequest: 67: NetworkPkg/DxeNetLib: adjust PseudoRandom error logging
+RH-Jira: RHEL-45899
+RH-Commit: [1/2] 15135d672cef4310cb29f8a55146f36b2ee1f15d (osteffen/edk2)
+
+There is a list of allowed rng algorithms, if /one/ of them is not
+supported this is not a problem, only /all/ of them failing is an
+error condition.
+
+Downgrade the message for a single unsupported algorithm from ERROR to
+VERBOSE.  Add an error message in case we finish the loop without
+finding a supported algorithm.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 6862b9d538d96363635677198899e1669e591259)
+---
+ NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
+index 01c13c08d2..4dfbe91a55 100644
+--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
++++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
+@@ -951,7 +951,7 @@ PseudoRandom (
+         //
+         // Secure Algorithm was not supported on this platform
+         //
+-        DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));
++        DEBUG ((DEBUG_VERBOSE, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));
+ 
+         //
+         // Try the next secure algorithm
+@@ -971,6 +971,7 @@ PseudoRandom (
+     // If we get here, we failed to generate random data using any secure algorithm
+     // Platform owner should ensure that at least one secure algorithm is supported
+     //
++    DEBUG ((DEBUG_ERROR, "Failed to generate random data, no supported secure algorithm found\n"));
+     ASSERT_EFI_ERROR (Status);
+     return Status;
+   }
+-- 
+2.39.3
+

SOURCES/edk2-UefiCpuPkg-PiSmmCpuDxeSmm-skip-PatchInstructionX86-c.patch

@@ -0,0 +1,142 @@
+From c4aa4797fafa3a627205eaa346401e399d4a7146 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 27 Aug 2024 12:06:15 +0200
+Subject: [PATCH] UefiCpuPkg/PiSmmCpuDxeSmm: skip PatchInstructionX86 calls if
+ not needed.
+
+RH-Author: Oliver Steffen <osteffen@redhat.com>
+RH-MergeRequest: 71: UefiCpuPkg/PiSmmCpuDxeSmm: skip PatchInstructionX86 calls if not needed.
+RH-Jira: RHEL-45847
+RH-Acked-by: Gerd Hoffmann <None>
+RH-Commit: [1/1] 70ceffb2c1e695276af87d3aa334fe9be8e2e90e (osteffen/edk2)
+
+Add the new global mMsrIa32MiscEnableSupported variable to track
+whenever support for the IA32_MISC_ENABLE MSR is present or not.
+
+Add new local PatchingNeeded variable to CheckFeatureSupported()
+to track if patching the SMM setup code is needed or not.
+
+Issue PatchInstructionX86() calls only if needed, i.e. if one of
+the *Supported variables has been updated.
+
+Result is that on a typical SMP machine where all processors are
+identical the PatchInstructionX86() calls are issued only once,
+when checking the first processor.  Specifically this avoids
+PatchInstructionX86() being called in OVMF on CPU hotplug.  That
+is important because instruction patching at runtime does not not
+work and leads to page faults.
+
+This fixes CPU hotplug on OVMF not working with AMD cpus.
+
+Fixes: 6b3a89a9fdb5 ("OvmfPkg/PlatformPei: Relocate SmBases in PEI phase")
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 17ff8960848b2cb2e49fffb3dfbacd08865786a4)
+---
+ UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c | 49 +++++++++++++++++++++-----
+ 1 file changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
+index 8142d3ceac..8e299fd29a 100644
+--- a/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
++++ b/UefiCpuPkg/PiSmmCpuDxeSmm/SmmProfile.c
+@@ -40,6 +40,11 @@ BOOLEAN  mXdEnabled = FALSE;
+ //
+ BOOLEAN  mBtsSupported = TRUE;
+ 
++//
++// The flag indicates if MSR_IA32_MISC_ENABLE is supported by processor
++//
++BOOLEAN  mMsrIa32MiscEnableSupported = TRUE;
++
+ //
+ // The flag indicates if SMM profile starts to record data.
+ //
+@@ -904,18 +909,23 @@ CheckFeatureSupported (
+   UINT32                         RegEcx;
+   UINT32                         RegEdx;
+   MSR_IA32_MISC_ENABLE_REGISTER  MiscEnableMsr;
++  BOOLEAN                        PatchingNeeded = FALSE;
+ 
+   if ((PcdGet32 (PcdControlFlowEnforcementPropertyMask) != 0) && mCetSupported) {
+     AsmCpuid (CPUID_SIGNATURE, &RegEax, NULL, NULL, NULL);
+     if (RegEax >= CPUID_STRUCTURED_EXTENDED_FEATURE_FLAGS) {
+       AsmCpuidEx (CPUID_STRUCTURED_EXTENDED_FEATURE_FLAGS, CPUID_STRUCTURED_EXTENDED_FEATURE_FLAGS_SUB_LEAF_INFO, NULL, NULL, &RegEcx, NULL);
+       if ((RegEcx & CPUID_CET_SS) == 0) {
+-        mCetSupported = FALSE;
+-        PatchInstructionX86 (mPatchCetSupported, mCetSupported, 1);
++        if (mCetSupported) {
++          mCetSupported  = FALSE;
++          PatchingNeeded = TRUE;
++        }
+       }
+     } else {
+-      mCetSupported = FALSE;
+-      PatchInstructionX86 (mPatchCetSupported, mCetSupported, 1);
++      if (mCetSupported) {
++        mCetSupported  = FALSE;
++        PatchingNeeded = TRUE;
++      }
+     }
+   }
+ 
+@@ -925,8 +935,10 @@ CheckFeatureSupported (
+       //
+       // Extended CPUID functions are not supported on this processor.
+       //
+-      mXdSupported = FALSE;
+-      PatchInstructionX86 (gPatchXdSupported, mXdSupported, 1);
++      if (mXdSupported) {
++        mXdSupported   = FALSE;
++        PatchingNeeded = TRUE;
++      }
+     }
+ 
+     AsmCpuid (CPUID_EXTENDED_CPU_SIG, NULL, NULL, NULL, &RegEdx);
+@@ -934,15 +946,20 @@ CheckFeatureSupported (
+       //
+       // Execute Disable Bit feature is not supported on this processor.
+       //
+-      mXdSupported = FALSE;
+-      PatchInstructionX86 (gPatchXdSupported, mXdSupported, 1);
++      if (mXdSupported) {
++        mXdSupported   = FALSE;
++        PatchingNeeded = TRUE;
++      }
+     }
+ 
+     if (StandardSignatureIsAuthenticAMD ()) {
+       //
+       // AMD processors do not support MSR_IA32_MISC_ENABLE
+       //
+-      PatchInstructionX86 (gPatchMsrIa32MiscEnableSupported, FALSE, 1);
++      if (mMsrIa32MiscEnableSupported) {
++        mMsrIa32MiscEnableSupported = FALSE;
++        PatchingNeeded              = TRUE;
++      }
+     }
+   }
+ 
+@@ -966,6 +983,20 @@ CheckFeatureSupported (
+       }
+     }
+   }
++
++  if (PatchingNeeded) {
++    if (!mCetSupported) {
++      PatchInstructionX86 (mPatchCetSupported, mCetSupported, 1);
++    }
++
++    if (!mXdSupported) {
++      PatchInstructionX86 (gPatchXdSupported, mXdSupported, 1);
++    }
++
++    if (!mMsrIa32MiscEnableSupported) {
++      PatchInstructionX86 (gPatchMsrIa32MiscEnableSupported, FALSE, 1);
++    }
++  }
+ }
+ 
+ /**
+-- 
+2.39.3
+

SOURCES/edk2-build.py

@@ -0,0 +1,447 @@
+#!/usr/bin/python3
+"""
+build helper script for edk2, see
+https://gitlab.com/kraxel/edk2-build-config
+
+"""
+import os
+import sys
+import time
+import shutil
+import argparse
+import subprocess
+import configparser
+
+rebase_prefix    = ""
+version_override = None
+release_date     = None
+
+# pylint: disable=unused-variable
+def check_rebase():
+    """ detect 'git rebase -x edk2-build.py master' testbuilds """
+    global rebase_prefix
+    global version_override
+    gitdir = '.git'
+
+    if os.path.isfile(gitdir):
+        with open(gitdir, 'r', encoding = 'utf-8') as f:
+            (unused, gitdir) = f.read().split()
+
+    if not os.path.exists(f'{gitdir}/rebase-merge/msgnum'):
+        return
+    with open(f'{gitdir}/rebase-merge/msgnum', 'r', encoding = 'utf-8') as f:
+        msgnum = int(f.read())
+    with open(f'{gitdir}/rebase-merge/end', 'r', encoding = 'utf-8') as f:
+        end = int(f.read())
+    with open(f'{gitdir}/rebase-merge/head-name', 'r', encoding = 'utf-8') as f:
+        head = f.read().strip().split('/')
+
+    rebase_prefix = f'[ {int(msgnum/2)} / {int(end/2)} - {head[-1]} ] '
+    if msgnum != end and not version_override:
+        # fixed version speeds up builds
+        version_override = "test-build-patch-series"
+
+def get_coredir(cfg):
+    if cfg.has_option('global', 'core'):
+        return os.path.abspath(cfg['global']['core'])
+    return os.getcwd()
+
+def get_toolchain(cfg, build):
+    if cfg.has_option(build, 'tool'):
+        return cfg[build]['tool']
+    if cfg.has_option('global', 'tool'):
+        return cfg['global']['tool']
+    return 'GCC5'
+
+def get_hostarch():
+    mach = os.uname().machine
+    if mach == 'x86_64':
+        return 'X64'
+    if mach == 'aarch64':
+        return 'AARCH64'
+    if mach == 'riscv64':
+        return 'RISCV64'
+    return 'UNKNOWN'
+
+def get_version(cfg, silent = False):
+    coredir = get_coredir(cfg)
+    if version_override:
+        version = version_override
+        if not silent:
+            print('')
+            print(f'### version [override]: {version}')
+        return version
+    if os.environ.get('RPM_PACKAGE_NAME'):
+        version = os.environ.get('RPM_PACKAGE_NAME')
+        version += '-' + os.environ.get('RPM_PACKAGE_VERSION')
+        version += '-' + os.environ.get('RPM_PACKAGE_RELEASE')
+        if not silent:
+            print('')
+            print(f'### version [rpmbuild]: {version}')
+        return version
+    if os.path.exists(coredir + '/.git'):
+        cmdline = [ 'git', 'describe', '--tags', '--abbrev=8',
+                    '--match=edk2-stable*' ]
+        result = subprocess.run(cmdline, cwd = coredir,
+                                stdout = subprocess.PIPE,
+                                check = True)
+        version = result.stdout.decode().strip()
+        if not silent:
+            print('')
+            print(f'### version [git]: {version}')
+        return version
+    return None
+
+def pcd_string(name, value):
+    return f'{name}=L{value}\\0'
+
+def pcd_version(cfg, silent = False):
+    version = get_version(cfg, silent)
+    if version is None:
+        return []
+    return [ '--pcd', pcd_string('PcdFirmwareVersionString', version) ]
+
+def pcd_release_date():
+    if release_date is None:
+        return []
+    return [ '--pcd', pcd_string('PcdFirmwareReleaseDateString', release_date) ]
+
+def build_message(line, line2 = None, silent = False):
+    if os.environ.get('TERM') in [ 'xterm', 'xterm-256color' ]:
+        # setxterm  title
+        start  = '\x1b]2;'
+        end    = '\x07'
+        print(f'{start}{rebase_prefix}{line}{end}', end = '')
+
+    if silent:
+        print(f'### {rebase_prefix}{line}', flush = True)
+    else:
+        print('')
+        print('###')
+        print(f'### {rebase_prefix}{line}')
+        if line2:
+            print(f'### {line2}')
+        print('###', flush = True)
+
+def build_run(cmdline, name, section, silent = False, nologs = False):
+    if silent:
+        logfile = f'{section}.log'
+        if nologs:
+            print(f'### building in silent mode [no log] ...', flush = True)
+        else:
+            print(f'### building in silent mode [{logfile}] ...', flush = True)
+        start = time.time()
+        result = subprocess.run(cmdline, check = False,
+                                stdout = subprocess.PIPE,
+                                stderr = subprocess.STDOUT)
+        if not nologs:
+            with open(logfile, 'wb') as f:
+                f.write(result.stdout)
+
+        if result.returncode:
+            print('### BUILD FAILURE')
+            print('### cmdline')
+            print(cmdline)
+            print('### output')
+            print(result.stdout.decode())
+            print(f'### exit code: {result.returncode}')
+        else:
+            secs = int(time.time() - start)
+            print(f'### OK ({int(secs/60)}:{secs%60:02d})')
+    else:
+        print(cmdline, flush = True)
+        result = subprocess.run(cmdline, check = False)
+    if result.returncode:
+        print(f'ERROR: {cmdline[0]} exited with {result.returncode}'
+              f' while building {name}')
+        sys.exit(result.returncode)
+
+def build_copy(plat, tgt, toolchain, dstdir, copy):
+    srcdir = f'Build/{plat}/{tgt}_{toolchain}'
+    names = copy.split()
+    srcfile = names[0]
+    if len(names) > 1:
+        dstfile = names[1]
+    else:
+        dstfile = os.path.basename(srcfile)
+    print(f'# copy: {srcdir} / {srcfile}  =>  {dstdir} / {dstfile}')
+
+    src = srcdir + '/' + srcfile
+    dst = dstdir + '/' + dstfile
+    os.makedirs(os.path.dirname(dst), exist_ok = True)
+    shutil.copy(src, dst)
+
+def pad_file(dstdir, pad):
+    args = pad.split()
+    if len(args) < 2:
+        raise RuntimeError(f'missing arg for pad ({args})')
+    name = args[0]
+    size = args[1]
+    cmdline = [
+        'truncate',
+        '--size', size,
+        dstdir + '/' + name,
+    ]
+    print(f'# padding: {dstdir} / {name}  =>  {size}')
+    subprocess.run(cmdline, check = True)
+
+# pylint: disable=too-many-branches
+def build_one(cfg, build, jobs = None, silent = False, nologs = False):
+    b = cfg[build]
+
+    cmdline  = [ 'build' ]
+    cmdline += [ '-t', get_toolchain(cfg, build) ]
+    cmdline += [ '-p', b['conf'] ]
+
+    if (b['conf'].startswith('OvmfPkg/') or
+        b['conf'].startswith('ArmVirtPkg/')):
+        cmdline += pcd_version(cfg, silent)
+        cmdline += pcd_release_date()
+
+    if jobs:
+        cmdline += [ '-n', jobs ]
+    for arch in b['arch'].split():
+        if arch == 'HOST':
+            cmdline += [ '-a', get_hostarch() ]
+        else:
+            cmdline += [ '-a', arch ]
+    if 'opts' in b:
+        for name in b['opts'].split():
+            section = 'opts.' + name
+            for opt in cfg[section]:
+                cmdline += [ '-D', opt + '=' + cfg[section][opt] ]
+    if 'pcds' in b:
+        for name in b['pcds'].split():
+            section = 'pcds.' + name
+            for pcd in cfg[section]:
+                cmdline += [ '--pcd', pcd + '=' + cfg[section][pcd] ]
+    if 'tgts' in b:
+        tgts = b['tgts'].split()
+    else:
+        tgts = [ 'DEBUG' ]
+    for tgt in tgts:
+        desc = None
+        if 'desc' in b:
+            desc = b['desc']
+        build_message(f'building: {b["conf"]} ({b["arch"]}, {tgt})',
+                      f'description: {desc}',
+                      silent = silent)
+        build_run(cmdline + [ '-b', tgt ],
+                  b['conf'],
+                  build + '.' + tgt,
+                  silent,
+                  nologs)
+
+        if 'plat' in b:
+            # copy files
+            for cpy in b:
+                if not cpy.startswith('cpy'):
+                    continue
+                build_copy(b['plat'], tgt,
+                           get_toolchain(cfg, build),
+                           b['dest'], b[cpy])
+            # pad builds
+            for pad in b:
+                if not pad.startswith('pad'):
+                    continue
+                pad_file(b['dest'], b[pad])
+
+def build_basetools(silent = False, nologs = False):
+    build_message('building: BaseTools', silent = silent)
+    basedir = os.environ['EDK_TOOLS_PATH']
+    cmdline = [ 'make', '-C', basedir ]
+    build_run(cmdline, 'BaseTools', 'build.basetools', silent, nologs)
+
+def binary_exists(name):
+    for pdir in os.environ['PATH'].split(':'):
+        if os.path.exists(pdir + '/' + name):
+            return True
+    return False
+
+def prepare_env(cfg, silent = False):
+    """ mimic Conf/BuildEnv.sh """
+    workspace = os.getcwd()
+    packages = [ workspace, ]
+    path = os.environ['PATH'].split(':')
+    dirs = [
+        'BaseTools/Bin/Linux-x86_64',
+        'BaseTools/BinWrappers/PosixLike'
+    ]
+
+    if cfg.has_option('global', 'pkgs'):
+        for pkgdir in cfg['global']['pkgs'].split():
+            packages.append(os.path.abspath(pkgdir))
+    coredir = get_coredir(cfg)
+    if coredir != workspace:
+        packages.append(coredir)
+
+    # add basetools to path
+    for pdir in dirs:
+        p = coredir + '/' + pdir
+        if not os.path.exists(p):
+            continue
+        if p in path:
+            continue
+        path.insert(0, p)
+
+    # run edksetup if needed
+    toolsdef = coredir + '/Conf/tools_def.txt'
+    if not os.path.exists(toolsdef):
+        os.makedirs(os.path.dirname(toolsdef), exist_ok = True)
+        build_message('running BaseTools/BuildEnv', silent = silent)
+        cmdline = [ 'bash', 'BaseTools/BuildEnv' ]
+        subprocess.run(cmdline, cwd = coredir, check = True)
+
+    # set variables
+    os.environ['PATH'] = ':'.join(path)
+    os.environ['PACKAGES_PATH'] = ':'.join(packages)
+    os.environ['WORKSPACE'] = workspace
+    os.environ['EDK_TOOLS_PATH'] = coredir + '/BaseTools'
+    os.environ['CONF_PATH'] = coredir + '/Conf'
+    os.environ['PYTHON_COMMAND'] = '/usr/bin/python3'
+    os.environ['PYTHONHASHSEED'] = '1'
+
+    # for cross builds
+    if binary_exists('arm-linux-gnueabi-gcc'):
+        # ubuntu
+        os.environ['GCC5_ARM_PREFIX'] = 'arm-linux-gnueabi-'
+        os.environ['GCC_ARM_PREFIX'] = 'arm-linux-gnueabi-'
+    elif binary_exists('arm-linux-gnu-gcc'):
+        # fedora
+        os.environ['GCC5_ARM_PREFIX'] = 'arm-linux-gnu-'
+        os.environ['GCC_ARM_PREFIX'] = 'arm-linux-gnu-'
+    if binary_exists('loongarch64-linux-gnu-gcc'):
+        os.environ['GCC5_LOONGARCH64_PREFIX'] = 'loongarch64-linux-gnu-'
+        os.environ['GCC_LOONGARCH64_PREFIX'] = 'loongarch64-linux-gnu-'
+
+    hostarch = os.uname().machine
+    if binary_exists('aarch64-linux-gnu-gcc') and hostarch != 'aarch64':
+        os.environ['GCC5_AARCH64_PREFIX'] = 'aarch64-linux-gnu-'
+        os.environ['GCC_AARCH64_PREFIX'] = 'aarch64-linux-gnu-'
+    if binary_exists('riscv64-linux-gnu-gcc') and hostarch != 'riscv64':
+        os.environ['GCC5_RISCV64_PREFIX'] = 'riscv64-linux-gnu-'
+        os.environ['GCC_RISCV64_PREFIX'] = 'riscv64-linux-gnu-'
+    if binary_exists('x86_64-linux-gnu-gcc') and hostarch != 'x86_64':
+        os.environ['GCC5_IA32_PREFIX'] = 'x86_64-linux-gnu-'
+        os.environ['GCC5_X64_PREFIX'] = 'x86_64-linux-gnu-'
+        os.environ['GCC5_BIN'] = 'x86_64-linux-gnu-'
+        os.environ['GCC_IA32_PREFIX'] = 'x86_64-linux-gnu-'
+        os.environ['GCC_X64_PREFIX'] = 'x86_64-linux-gnu-'
+        os.environ['GCC_BIN'] = 'x86_64-linux-gnu-'
+
+def build_list(cfg):
+    for build in cfg.sections():
+        if not build.startswith('build.'):
+            continue
+        name = build.lstrip('build.')
+        desc = 'no description'
+        if 'desc' in cfg[build]:
+            desc = cfg[build]['desc']
+        print(f'# {name:20s} - {desc}')
+
+def main():
+    parser = argparse.ArgumentParser(prog = 'edk2-build',
+                                     description = 'edk2 build helper script')
+    parser.add_argument('-c', '--config', dest = 'configfile',
+                        type = str, default = '.edk2.builds', metavar = 'FILE',
+                        help = 'read configuration from FILE (default: .edk2.builds)')
+    parser.add_argument('-C', '--directory', dest = 'directory', type = str,
+                        help = 'change to DIR before building', metavar = 'DIR')
+    parser.add_argument('-j', '--jobs', dest = 'jobs', type = str,
+                        help = 'allow up to JOBS parallel build jobs',
+                        metavar = 'JOBS')
+    parser.add_argument('-m', '--match', dest = 'match',
+                        type = str, action = 'append',
+                        help = 'only run builds matching INCLUDE (substring)',
+                        metavar = 'INCLUDE')
+    parser.add_argument('-x', '--exclude', dest = 'exclude',
+                        type = str, action = 'append',
+                        help = 'skip builds matching EXCLUDE (substring)',
+                        metavar = 'EXCLUDE')
+    parser.add_argument('-l', '--list', dest = 'list',
+                        action = 'store_true', default = False,
+                        help = 'list build configs available')
+    parser.add_argument('--silent', dest = 'silent',
+                        action = 'store_true', default = False,
+                        help = 'write build output to logfiles, '
+                        'write to console only on errors')
+    parser.add_argument('--no-logs', dest = 'nologs',
+                        action = 'store_true', default = False,
+                        help = 'do not write build log files (with --silent)')
+    parser.add_argument('--core', dest = 'core', type = str, metavar = 'DIR',
+                        help = 'location of the core edk2 repository '
+                        '(i.e. where BuildTools are located)')
+    parser.add_argument('--pkg', '--package', dest = 'pkgs',
+                        type = str, action = 'append', metavar = 'DIR',
+                        help = 'location(s) of additional packages '
+                        '(can be specified multiple times)')
+    parser.add_argument('-t', '--toolchain', dest = 'toolchain',
+                        type = str, metavar = 'NAME',
+                        help = 'tool chain to be used to build edk2')
+    parser.add_argument('--version-override', dest = 'version_override',
+                        type = str, metavar = 'VERSION',
+                        help = 'set firmware build version')
+    parser.add_argument('--release-date', dest = 'release_date',
+                        type = str, metavar = 'DATE',
+                        help = 'set firmware build release date (in MM/DD/YYYY format)')
+    options = parser.parse_args()
+
+    if options.directory:
+        os.chdir(options.directory)
+
+    if not os.path.exists(options.configfile):
+        print(f'config file "{options.configfile}" not found')
+        return 1
+
+    cfg = configparser.ConfigParser()
+    cfg.optionxform = str
+    cfg.read(options.configfile)
+
+    if options.list:
+        build_list(cfg)
+        return 0
+
+    if not cfg.has_section('global'):
+        cfg.add_section('global')
+    if options.core:
+        cfg.set('global', 'core', options.core)
+    if options.pkgs:
+        cfg.set('global', 'pkgs', ' '.join(options.pkgs))
+    if options.toolchain:
+        cfg.set('global', 'tool', options.toolchain)
+
+    global version_override
+    global release_date
+    check_rebase()
+    if options.version_override:
+        version_override = options.version_override
+    if options.release_date:
+        release_date = options.release_date
+
+    prepare_env(cfg, options.silent)
+    build_basetools(options.silent, options.nologs)
+    for build in cfg.sections():
+        if not build.startswith('build.'):
+            continue
+        if options.match:
+            matching = False
+            for item in options.match:
+                if item in build:
+                    matching = True
+            if not matching:
+                print(f'# skipping "{build}" (not matching "{"|".join(options.match)}")')
+                continue
+        if options.exclude:
+            exclude = False
+            for item in options.exclude:
+                if item in build:
+                    print(f'# skipping "{build}" (matching "{item}")')
+                    exclude = True
+            if exclude:
+                continue
+        build_one(cfg, build, options.jobs, options.silent, options.nologs)
+
+    return 0
+
+if __name__ == '__main__':
+    sys.exit(main())

SOURCES/edk2-build.rhel-9

@@ -0,0 +1,129 @@
+
+[opts.ovmf.common]
+NETWORK_HTTP_BOOT_ENABLE = TRUE
+NETWORK_IP6_ENABLE       = TRUE
+NETWORK_TLS_ENABLE       = TRUE
+NETWORK_ISCSI_ENABLE     = TRUE
+NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
+TPM2_ENABLE              = TRUE
+TPM2_CONFIG_ENABLE       = TRUE
+TPM1_ENABLE              = FALSE
+CAVIUM_ERRATUM_27456     = TRUE
+
+[opts.ovmf.4m]
+FD_SIZE_4MB              = TRUE
+
+[opts.ovmf.sb.smm]
+SECURE_BOOT_ENABLE       = TRUE
+SMM_REQUIRE              = TRUE
+# old downstream
+EXCLUDE_SHELL_FROM_FD    = TRUE
+# new upstream
+BUILD_SHELL              = FALSE
+
+[opts.ovmf.sb.stateless]
+SECURE_BOOT_ENABLE       = TRUE
+SMM_REQUIRE              = FALSE
+
+[opts.armvirt.verbose]
+DEBUG_PRINT_ERROR_LEVEL  = 0x8040004F
+
+[opts.armvirt.silent]
+DEBUG_PRINT_ERROR_LEVEL  = 0x80000000
+
+
+[pcds.nx.strict]
+PcdDxeNxMemoryProtectionPolicy = 0xC000000000007FD5
+PcdUninstallMemAttrProtocol    = FALSE
+
+[pcds.nx.broken.shim.grub]
+# grub.efi uses EfiLoaderData for code
+PcdDxeNxMemoryProtectionPolicy = 0xC000000000007FD1
+# shim.efi has broken MemAttr code
+PcdUninstallMemAttrProtocol    = TRUE
+
+
+#####################################################################
+# stateful ovmf builds (with vars in flash)
+
+[build.ovmf.4m.default]
+desc = ovmf build (64-bit, 4MB)
+conf = OvmfPkg/OvmfPkgX64.dsc
+arch = X64
+opts = ovmf.common
+       ovmf.4m
+plat = OvmfX64
+dest = RHEL-9/ovmf
+cpy1 = FV/OVMF_CODE.fd OVMF_CODE.fd
+cpy2 = FV/OVMF_VARS.fd
+cpy3 = X64/Shell.efi
+
+[build.ovmf.4m.sb.smm]
+desc = ovmf build (64-bit, 4MB, q35 only, needs smm, secure boot)
+conf = OvmfPkg/OvmfPkgX64.dsc
+arch = X64
+opts = ovmf.common
+       ovmf.4m
+       ovmf.sb.smm
+plat = OvmfX64
+dest = RHEL-9/ovmf
+cpy1 = FV/OVMF_CODE.fd OVMF_CODE.secboot.fd
+cpy2 = X64/EnrollDefaultKeys.efi
+
+
+#####################################################################
+# stateless ovmf builds (firmware in rom or r/o flash)
+
+[build.ovmf.amdsev]
+desc = ovmf build for AmdSev (4MB)
+conf = OvmfPkg/AmdSev/AmdSevX64.dsc
+arch = X64
+opts = ovmf.common
+       ovmf.4m
+plat = AmdSev
+dest = RHEL-9/ovmf
+cpy1 = FV/OVMF.fd OVMF.amdsev.fd
+
+[build.ovmf.inteltdx]
+desc = ovmf build for IntelTdx (4MB)
+conf = OvmfPkg/IntelTdx/IntelTdxX64.dsc
+arch = X64
+opts = ovmf.common
+       ovmf.4m
+       ovmf.sb.stateless
+plat = IntelTdx
+dest = RHEL-9/ovmf
+cpy1 = FV/OVMF.fd OVMF.inteltdx.fd
+
+
+#####################################################################
+# armvirt builds
+
+[build.armvirt.aa64.verbose]
+desc = ArmVirt build for qemu, 64-bit (arm v8), verbose
+conf = ArmVirtPkg/ArmVirtQemu.dsc
+arch = AARCH64
+opts = ovmf.common
+       armvirt.verbose
+pcds = nx.broken.shim.grub
+plat = ArmVirtQemu-AARCH64
+dest = RHEL-9/aarch64
+cpy1 = FV/QEMU_EFI.fd
+cpy2 = FV/QEMU_VARS.fd
+cpy3 = FV/QEMU_EFI.fd  QEMU_EFI-pflash.raw
+cpy4 = FV/QEMU_VARS.fd vars-template-pflash.raw
+pad3 = QEMU_EFI-pflash.raw      64m
+pad4 = vars-template-pflash.raw 64m
+
+[build.armvirt.aa64.silent]
+desc = ArmVirt build for qemu, 64-bit (arm v8), silent
+conf = ArmVirtPkg/ArmVirtQemu.dsc
+arch = AARCH64
+opts = ovmf.common
+       armvirt.silent
+pcds = nx.broken.shim.grub
+plat = ArmVirtQemu-AARCH64
+dest = RHEL-9/aarch64
+cpy1 = FV/QEMU_EFI.fd  QEMU_EFI.silent.fd
+cpy2 = FV/QEMU_EFI.fd  QEMU_EFI-silent-pflash.raw
+pad2 = QEMU_EFI-silent-pflash.raw 64m

SOURCES/msvsphereca1.pem

@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            52:17:7c:cc:f0:fd:5d:71:2f:84:89:87:48:d3:d9:07:71:f5:c3:c1
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = MSVSphere IMA CA, O = NCSD LLC, C = RU, ST = Moscow, L = Moscow, emailAddress = security@msvsphere-os.ru, OU = MSVSphere Certification Authority
+        Validity
+            Not Before: Oct 17 14:50:46 2023 GMT
+            Not After : May 31 14:50:46 2040 GMT
+        Subject: CN = MSVSphere IMA CA, O = NCSD LLC, C = RU, ST = Moscow, L = Moscow, emailAddress = security@msvsphere-os.ru, OU = MSVSphere Certification Authority
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:a7:93:2f:b8:68:02:6e:4c:a8:ec:d4:b5:5c:24:
+                    f9:30:e9:ef:4a:16:2e:d6:19:f8:44:0f:b8:f1:7d:
+                    32:74:2a:05:d4:2d:3b:36:89:70:d7:59:f9:c8:b1:
+                    9c:7e:71:c5:61:72:59:b6:c5:c8:d1:a2:d6:57:f4:
+                    14:f2:c1:67:bd:a3:aa:75:df:f2:f9:48:cb:13:f2:
+                    b9:f0:94:02:a5:3c:cf:9b:43:f1:a1:b2:8c:ff:c7:
+                    20:3b:1e:75:14:d6:e6:0c:01:04:6d:82:f7:56:25:
+                    9a:d8:e3:72:b2:1b:17:87:3a:3c:da:6f:5d:06:c2:
+                    8c:b9:de:ef:e1:f5:38:ae:d4:c9:26:3c:57:be:af:
+                    b2:57:5d:ec:ce:cd:14:98:39:77:cd:b8:f5:ad:a4:
+                    3c:a7:1c:c3:2b:80:d2:89:b8:7e:22:9a:67:00:91:
+                    d8:c1:52:e7:b3:61:21:3c:8c:80:39:68:8c:1e:ee:
+                    23:a5:86:6a:80:16:e1:4a:27:fa:37:fd:69:62:89:
+                    28:d6:5c:cd:cb:3e:d4:d7:f4:23:57:ce:cb:c2:ec:
+                    ca:ff:4a:04:ec:98:b4:cd:b9:f6:81:3c:fd:ab:bc:
+                    83:b1:ed:47:be:65:8e:93:14:13:d3:bd:df:99:8b:
+                    fa:93:ca:55:9c:c1:2e:74:54:f5:ae:86:a1:20:29:
+                    b2:d9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                77:00:6F:8D:E0:2B:DC:27:EA:D8:DB:F4:C1:DA:12:AD:BF:6E:05:EC
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Authority Key Identifier: 
+                77:00:6F:8D:E0:2B:DC:27:EA:D8:DB:F4:C1:DA:12:AD:BF:6E:05:EC
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        a3:d4:fc:8d:25:5c:d9:3a:60:c3:6d:41:e1:c1:d9:7b:aa:bf:
+        13:97:71:9f:8f:c1:a6:c9:fe:8d:50:49:cb:14:cc:03:76:80:
+        69:8a:9a:af:84:e0:b8:9b:ef:8e:03:04:ea:38:01:5c:c0:cd:
+        f0:af:85:e0:de:9f:f8:05:1e:6c:36:13:c5:24:f3:57:4d:0d:
+        97:ef:f2:ef:18:e9:82:c0:ce:1f:4a:b5:55:94:1b:c5:06:33:
+        29:de:c8:45:1a:c3:10:2b:c9:ba:9f:8e:66:50:24:b8:78:a8:
+        42:72:28:54:2e:67:1c:4f:74:d2:bf:45:cc:cb:f2:b9:44:86:
+        01:1a:54:e0:58:19:e7:dc:00:15:80:0a:47:6e:5a:25:9a:21:
+        7c:47:c6:de:c4:73:82:7a:0e:2c:3b:4a:e8:1a:4d:32:33:b1:
+        f2:02:1f:dc:f3:b2:45:79:db:5f:3d:67:a7:b5:b3:90:41:e4:
+        49:e6:40:29:39:d3:b6:72:06:17:d5:96:80:c1:20:29:4b:f1:
+        51:03:18:60:66:e3:b3:14:50:b3:0e:72:ad:d7:d6:a2:eb:94:
+        8f:2f:7f:db:02:1f:a6:a9:f5:a4:2e:fc:73:43:8f:0e:84:96:
+        8b:d5:c5:60:f1:2d:9f:e4:ca:07:ea:af:5f:68:93:9f:41:73:
+        31:8b:b6:a7
+-----BEGIN CERTIFICATE-----
+MIIEVzCCAz+gAwIBAgIUUhd8zPD9XXEvhImHSNPZB3H1w8EwDQYJKoZIhvcNAQEL
+BQAwgbIxGTAXBgNVBAMMEE1TVlNwaGVyZSBJTUEgQ0ExETAPBgNVBAoMCE5DU0Qg
+TExDMQswCQYDVQQGEwJSVTEPMA0GA1UECAwGTW9zY293MQ8wDQYDVQQHDAZNb3Nj
+b3cxJzAlBgkqhkiG9w0BCQEWGHNlY3VyaXR5QG1zdnNwaGVyZS1vcy5ydTEqMCgG
+A1UECwwhTVNWU3BoZXJlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIzMTAx
+NzE0NTA0NloXDTQwMDUzMTE0NTA0NlowgbIxGTAXBgNVBAMMEE1TVlNwaGVyZSBJ
+TUEgQ0ExETAPBgNVBAoMCE5DU0QgTExDMQswCQYDVQQGEwJSVTEPMA0GA1UECAwG
+TW9zY293MQ8wDQYDVQQHDAZNb3Njb3cxJzAlBgkqhkiG9w0BCQEWGHNlY3VyaXR5
+QG1zdnNwaGVyZS1vcy5ydTEqMCgGA1UECwwhTVNWU3BoZXJlIENlcnRpZmljYXRp
+b24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp5Mv
+uGgCbkyo7NS1XCT5MOnvShYu1hn4RA+48X0ydCoF1C07Nolw11n5yLGcfnHFYXJZ
+tsXI0aLWV/QU8sFnvaOqdd/y+UjLE/K58JQCpTzPm0PxobKM/8cgOx51FNbmDAEE
+bYL3ViWa2ONyshsXhzo82m9dBsKMud7v4fU4rtTJJjxXvq+yV13szs0UmDl3zbj1
+raQ8pxzDK4DSibh+IppnAJHYwVLns2EhPIyAOWiMHu4jpYZqgBbhSif6N/1pYoko
+1lzNyz7U1/QjV87LwuzK/0oE7Ji0zbn2gTz9q7yDse1HvmWOkxQT073fmYv6k8pV
+nMEudFT1roahICmy2QIDAQABo2MwYTAdBgNVHQ4EFgQUdwBvjeAr3Cfq2Nv0wdoS
+rb9uBewwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBR3AG+N4CvcJ+rY2/TB
+2hKtv24F7DAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAKPU/I0l
+XNk6YMNtQeHB2XuqvxOXcZ+PwabJ/o1QScsUzAN2gGmKmq+E4Lib744DBOo4AVzA
+zfCvheDen/gFHmw2E8Uk81dNDZfv8u8Y6YLAzh9KtVWUG8UGMyneyEUawxArybqf
+jmZQJLh4qEJyKFQuZxxPdNK/RczL8rlEhgEaVOBYGefcABWACkduWiWaIXxHxt7E
+c4J6Diw7SugaTTIzsfICH9zzskV52189Z6e1s5BB5EnmQCk507ZyBhfVloDBIClL
+8VEDGGBm47MUULMOcq3X1qLrlI8vf9sCH6ap9aQu/HNDjw6ElovVxWDxLZ/kygfq
+r19ok59BczGLtqc=
+-----END CERTIFICATE-----

SOURCES/msvspheredup1.pem

@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            d6:39:17:e7:e5:6a:47:54:b8:56:f2:eb:47:6b:f8:c3
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: OU = MSVSphere Certification Authority, emailAddress = security@msvsphere.ru, L = Moscow, ST = Moscow, C = RU, O = NCSD LLC, CN = MSVSphere Secure Boot CA
+        Validity
+            Not Before: Mar 22 16:42:54 2023 GMT
+            Not After : Mar 22 16:42:54 2053 GMT
+        Subject: OU = MSVSphere Certification Authority, emailAddress = security@msvsphere.ru, L = Moscow, ST = Moscow, C = RU, O = NCSD LLC, CN = MSVSphere Driver update signing key
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ba:09:cd:1d:80:9c:00:59:96:07:ce:1f:69:a2:
+                    d7:8b:29:2e:68:13:6f:87:42:5e:ff:42:58:19:b1:
+                    75:b2:ba:af:5d:84:37:74:50:0e:dd:5a:1d:45:f2:
+                    f1:e0:9b:b5:f3:9c:d5:a8:29:5a:cd:8c:85:8a:13:
+                    d4:60:b9:52:ad:c9:fe:0c:4f:fe:af:08:25:ec:a7:
+                    c6:2a:e3:ff:66:b8:b0:89:69:5a:fe:b1:a8:68:8a:
+                    de:79:1e:68:e7:a8:14:01:c8:45:5b:0e:00:54:98:
+                    32:40:4a:5d:e7:18:55:ce:bd:bc:77:3d:94:38:ac:
+                    db:e8:5e:71:d2:be:e4:38:60:39:f8:e1:9a:ee:1a:
+                    84:df:14:33:ce:ce:db:c4:57:c8:cf:d1:3e:72:a9:
+                    eb:b5:7e:50:57:a1:51:06:d5:07:9c:e2:57:1a:1c:
+                    66:8c:ba:05:aa:50:dc:e2:19:d5:04:fd:a8:bd:83:
+                    eb:70:06:19:81:f0:ab:2a:3f:ec:cd:f3:0f:ce:ee:
+                    75:87:87:93:1b:0e:44:e1:f9:ba:e5:53:91:ef:09:
+                    6e:d8:63:8e:69:00:6e:37:1d:90:83:99:3f:23:c7:
+                    33:d7:ae:13:cb:c8:fa:76:d8:5d:26:b5:9f:5a:5e:
+                    18:22:b1:3a:c5:84:6c:67:20:e3:72:98:07:02:43:
+                    83:55
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                49:59:67:B5:13:6C:C8:DF:7E:64:B9:22:E3:A9:35:50:6B:95:84:D5
+            X509v3 Extended Key Usage: 
+                Code Signing, 1.3.6.1.4.1.2312.16.1.2
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                20:11:38:3B:AE:1E:E8:65:DE:29:6E:C4:7B:90:7F:4D:38:27:EB:DE
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        82:29:45:3f:f4:79:e2:b5:d4:4a:a3:22:1e:16:75:68:38:44:
+        46:61:0d:4c:74:cc:7d:11:f5:e2:db:c3:a3:ba:5f:03:77:95:
+        9e:37:b8:72:68:ea:ee:a9:f2:09:a9:d6:07:d7:45:27:6c:fa:
+        a1:b8:20:77:fb:22:f1:59:26:70:fa:4c:2f:1c:6e:fc:ec:4a:
+        15:91:c2:90:d6:89:b8:50:9e:c6:56:e3:1f:4a:e2:20:e5:90:
+        09:16:80:a2:89:a9:90:a8:f2:37:e8:6e:29:d8:9a:61:31:d2:
+        2b:2a:23:2f:69:1a:7c:9f:7f:66:e0:93:29:1f:5f:9b:78:0b:
+        ec:74:5b:58:33:6f:bc:62:9e:98:87:9b:ae:38:b5:ed:4f:f3:
+        b6:48:24:16:da:18:72:09:a0:b1:01:ee:d7:6e:e4:b4:c3:eb:
+        b8:06:5f:38:69:78:c8:bb:40:6d:c7:8a:e9:82:69:fa:db:28:
+        54:2d:8c:c0:83:4c:4f:d7:8f:a5:fd:a0:96:b7:e9:c7:b1:78:
+        e7:09:72:e7:62:37:44:67:3f:53:b8:4c:17:17:c8:a8:1f:ec:
+        a5:5f:2a:18:4d:3d:aa:1a:f5:7d:c3:17:5b:42:ba:28:68:f8:
+        36:ad:6a:28:6b:a8:a9:aa:be:82:96:11:a8:0e:88:b5:20:52:
+        c1:23:aa:15
+-----BEGIN CERTIFICATE-----
+MIIEeTCCA2GgAwIBAgIRANY5F+flakdUuFby60dr+MMwDQYJKoZIhvcNAQELBQAw
+gbcxKjAoBgNVBAsTIU1TVlNwaGVyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEk
+MCIGCSqGSIb3DQEJARYVc2VjdXJpdHlAbXN2c3BoZXJlLnJ1MQ8wDQYDVQQHEwZN
+b3Njb3cxDzANBgNVBAgTBk1vc2NvdzELMAkGA1UEBhMCUlUxETAPBgNVBAoTCE5D
+U0QgTExDMSEwHwYDVQQDExhNU1ZTcGhlcmUgU2VjdXJlIEJvb3QgQ0EwIBcNMjMw
+MzIyMTY0MjU0WhgPMjA1MzAzMjIxNjQyNTRaMIHCMSowKAYDVQQLEyFNU1ZTcGhl
+cmUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFXNlY3Vy
+aXR5QG1zdnNwaGVyZS5ydTEPMA0GA1UEBxMGTW9zY293MQ8wDQYDVQQIEwZNb3Nj
+b3cxCzAJBgNVBAYTAlJVMREwDwYDVQQKEwhOQ1NEIExMQzEsMCoGA1UEAxMjTVNW
+U3BoZXJlIERyaXZlciB1cGRhdGUgc2lnbmluZyBrZXkwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC6Cc0dgJwAWZYHzh9poteLKS5oE2+HQl7/QlgZsXWy
+uq9dhDd0UA7dWh1F8vHgm7XznNWoKVrNjIWKE9RguVKtyf4MT/6vCCXsp8Yq4/9m
+uLCJaVr+sahoit55HmjnqBQByEVbDgBUmDJASl3nGFXOvbx3PZQ4rNvoXnHSvuQ4
+YDn44ZruGoTfFDPOztvEV8jP0T5yqeu1flBXoVEG1Qec4lcaHGaMugWqUNziGdUE
+/ai9g+twBhmB8KsqP+zN8w/O7nWHh5MbDkTh+brlU5HvCW7YY45pAG43HZCDmT8j
+xzPXrhPLyPp22F0mtZ9aXhgisTrFhGxnIONymAcCQ4NVAgMBAAGjcTBvMB8GA1Ud
+IwQYMBaAFElZZ7UTbMjffmS5IuOpNVBrlYTVMB8GA1UdJQQYMBYGCCsGAQUFBwMD
+BgorBgEEAZIIEAECMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCARODuuHuhl3ilu
+xHuQf004J+veMA0GCSqGSIb3DQEBCwUAA4IBAQCCKUU/9HnitdRKoyIeFnVoOERG
+YQ1MdMx9EfXi28Ojul8Dd5WeN7hyaOruqfIJqdYH10UnbPqhuCB3+yLxWSZw+kwv
+HG787EoVkcKQ1om4UJ7GVuMfSuIg5ZAJFoCiiamQqPI36G4p2JphMdIrKiMvaRp8
+n39m4JMpH1+beAvsdFtYM2+8Yp6Yh5uuOLXtT/O2SCQW2hhyCaCxAe7XbuS0w+u4
+Bl84aXjIu0Btx4rpgmn62yhULYzAg0xP14+l/aCWt+nHsXjnCXLnYjdEZz9TuEwX
+F8ioH+ylXyoYTT2qGvV9wxdbQrooaPg2rWooa6ipqr6ClhGoDoi1IFLBI6oV
+-----END CERTIFICATE-----

SOURCES/msvsphereima.pem

@@ -0,0 +1,75 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            71:a3:0f:db:5d:68:ba:11:ad:0d:d7:a2:bb:f2:9b:33:69:22:69:1b
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = MSVSphere IMA CA, O = NCSD LLC, C = RU, ST = Moscow, L = Moscow, emailAddress = security@msvsphere-os.ru, OU = MSVSphere Certification Authority
+        Validity
+            Not Before: Oct 17 14:52:34 2023 GMT
+            Not After : May 31 14:52:34 2040 GMT
+        Subject: CN = MSVSphere 9 IMA release key, O = NCSD LLC, C = RU, ST = Moscow, L = Moscow, emailAddress = security@msvsphere-os.ru, OU = MSVSphere Certification Authority
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:8f:3a:c4:74:50:a0:dd:2b:7c:eb:48:63:06:f9:
+                    ec:a5:f9:c2:ef:1a:5a:64:79:95:14:9c:2a:da:3a:
+                    f7:bb:50:36:16:51:ca:2d:e4:0f:2e:a1:a5:16:9a:
+                    63:a6:f0:ce:c2:69:2a:aa:08:ce:40:17:8f:db:de:
+                    16:08:47:02:6d:0b:39:36:80:bd:0d:12:f5:aa:9e:
+                    80:8d:ae:c9:90:d6:d3:5e:a4:c0:26:a6:78:83:04:
+                    ce:9e:09:17:b7:3e:52
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage: critical
+                Code Signing
+            X509v3 Subject Key Identifier: 
+                90:88:18:27:43:0F:80:32:F8:AB:35:AC:DE:28:6D:3B:B9:F5:55:E0
+            X509v3 Authority Key Identifier: 
+                77:00:6F:8D:E0:2B:DC:27:EA:D8:DB:F4:C1:DA:12:AD:BF:6E:05:EC
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        18:6a:36:58:96:ad:13:f2:48:97:e6:87:14:ec:00:43:2d:a4:
+        9a:43:80:5a:92:06:fb:cb:26:62:fe:04:23:b2:11:e8:d4:7a:
+        25:6e:14:e4:2b:c0:8d:27:2e:92:b1:19:41:2d:ce:e4:e5:30:
+        99:72:d5:fd:86:b2:d6:15:32:86:91:20:5f:02:da:be:fe:2d:
+        b0:24:60:48:7b:df:41:11:36:0e:df:97:d0:a3:36:4a:0b:88:
+        ec:7c:32:b7:9e:a0:72:6f:f5:4f:b4:bb:c0:71:1d:6c:38:22:
+        3c:e8:e8:9d:58:40:54:7d:86:1d:43:f3:02:df:16:07:89:1b:
+        5b:d0:d5:ea:9c:4d:b5:04:5d:99:f1:64:42:67:ab:d7:15:e6:
+        44:3f:2e:a8:03:51:ae:3a:df:7e:9c:8b:3d:91:5c:ce:a1:b2:
+        b7:69:81:43:ed:a1:f7:63:93:e8:f7:b7:0f:7d:5d:94:55:18:
+        f4:0a:35:13:01:d6:4b:06:57:50:ca:7c:ea:23:b3:e5:9c:ed:
+        87:80:23:7e:0b:64:09:49:98:a2:22:51:83:3c:b8:e4:0b:8b:
+        16:c2:3a:11:ee:78:6a:f2:a4:c7:13:de:b0:3d:97:c6:d5:84:
+        f5:6a:8e:4a:5e:1d:c1:f3:d8:80:b6:71:f5:8f:3b:fd:ad:15:
+        d6:c9:78:d6
+-----BEGIN CERTIFICATE-----
+MIIDyTCCArGgAwIBAgIUcaMP211ouhGtDdeiu/KbM2kiaRswDQYJKoZIhvcNAQEL
+BQAwgbIxGTAXBgNVBAMMEE1TVlNwaGVyZSBJTUEgQ0ExETAPBgNVBAoMCE5DU0Qg
+TExDMQswCQYDVQQGEwJSVTEPMA0GA1UECAwGTW9zY293MQ8wDQYDVQQHDAZNb3Nj
+b3cxJzAlBgkqhkiG9w0BCQEWGHNlY3VyaXR5QG1zdnNwaGVyZS1vcy5ydTEqMCgG
+A1UECwwhTVNWU3BoZXJlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIzMTAx
+NzE0NTIzNFoXDTQwMDUzMTE0NTIzNFowgb0xJDAiBgNVBAMMG01TVlNwaGVyZSA5
+IElNQSByZWxlYXNlIGtleTERMA8GA1UECgwITkNTRCBMTEMxCzAJBgNVBAYTAlJV
+MQ8wDQYDVQQIDAZNb3Njb3cxDzANBgNVBAcMBk1vc2NvdzEnMCUGCSqGSIb3DQEJ
+ARYYc2VjdXJpdHlAbXN2c3BoZXJlLW9zLnJ1MSowKAYDVQQLDCFNU1ZTcGhlcmUg
+Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASP
+OsR0UKDdK3zrSGMG+eyl+cLvGlpkeZUUnCraOve7UDYWUcot5A8uoaUWmmOm8M7C
+aSqqCM5AF4/b3hYIRwJtCzk2gL0NEvWqnoCNrsmQ1tNepMAmpniDBM6eCRe3PlKj
+eDB2MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoG
+CCsGAQUFBwMDMB0GA1UdDgQWBBSQiBgnQw+AMvirNazeKG07ufVV4DAfBgNVHSME
+GDAWgBR3AG+N4CvcJ+rY2/TB2hKtv24F7DANBgkqhkiG9w0BAQsFAAOCAQEAGGo2
+WJatE/JIl+aHFOwAQy2kmkOAWpIG+8smYv4EI7IR6NR6JW4U5CvAjScukrEZQS3O
+5OUwmXLV/Yay1hUyhpEgXwLavv4tsCRgSHvfQRE2Dt+X0KM2SguI7Hwyt56gcm/1
+T7S7wHEdbDgiPOjonVhAVH2GHUPzAt8WB4kbW9DV6pxNtQRdmfFkQmer1xXmRD8u
+qANRrjrffpyLPZFczqGyt2mBQ+2h92OT6Pe3D31dlFUY9Ao1EwHWSwZXUMp86iOz
+5Zzth4AjfgtkCUmYoiJRgzy45AuLFsI6Ee54avKkxxPesD2XxtWE9WqOSl4dwfPY
+gLZx9Y87/a0V1sl41g==
+-----END CERTIFICATE-----

SOURCES/msvspherepatch1.pem

@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            f3:41:d2:7d:2e:b9:42:05:b5:8d:9a:39:b4:a8:dd:cf
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: OU = MSVSphere Certification Authority, emailAddress = security@msvsphere.ru, L = Moscow, ST = Moscow, C = RU, O = NCSD LLC, CN = MSVSphere Secure Boot CA
+        Validity
+            Not Before: Mar 22 16:42:54 2023 GMT
+            Not After : Mar 22 16:42:54 2053 GMT
+        Subject: OU = MSVSphere Certification Authority, emailAddress = security@msvsphere.ru, L = Moscow, ST = Moscow, C = RU, O = NCSD LLC, CN = MSVSphere kpatch signing key
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e1:8d:77:fe:7c:63:d5:a8:03:20:d3:ce:f0:96:
+                    2a:84:1b:9c:e3:8f:01:f7:a0:76:c3:f8:ee:17:44:
+                    10:cc:0d:58:df:65:73:2c:30:78:55:13:80:f9:9f:
+                    af:88:87:4b:ef:98:cd:06:ff:62:37:f9:2d:ce:1c:
+                    5e:7d:e9:b0:ac:4e:0f:08:70:45:ff:a3:a4:d8:f8:
+                    d4:65:ed:1a:93:ab:bc:31:a6:de:ea:9c:81:f6:e6:
+                    5b:c7:5c:d1:47:8d:e2:4f:3d:e9:17:c8:3e:c8:66:
+                    51:4d:a8:df:14:f8:1f:55:df:31:2c:f4:a0:fb:8d:
+                    39:3b:79:f7:3d:4e:cc:5f:e5:56:59:6a:77:0c:bf:
+                    eb:fc:84:7d:ea:5b:51:34:fc:bc:4e:7a:be:7d:a3:
+                    af:79:e0:9f:29:49:dc:f5:11:c8:3d:9e:39:89:25:
+                    bb:63:57:7c:23:b0:e0:f8:ec:7b:4c:cb:bc:c9:92:
+                    fb:f0:8f:8f:13:b0:ba:5f:65:68:78:f5:6e:dc:e1:
+                    57:3d:50:c0:94:b1:41:63:23:ff:07:c9:c1:2a:e3:
+                    68:94:c9:42:a4:52:4f:1f:dd:e0:9a:d9:c4:91:73:
+                    ba:2e:29:24:67:e8:9c:92:3e:82:46:d8:f3:15:08:
+                    f1:85:07:17:c8:f9:9b:ba:9c:87:ed:0f:d1:88:dc:
+                    71:05
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                49:59:67:B5:13:6C:C8:DF:7E:64:B9:22:E3:A9:35:50:6B:95:84:D5
+            X509v3 Extended Key Usage: 
+                Code Signing, 1.3.6.1.4.1.2312.16.1.2
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                E0:DA:A8:81:5B:FF:F2:CC:A3:53:F9:46:E2:33:E2:E7:AC:2A:E0:FA
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        7e:95:d0:2f:4f:e6:6b:e6:9b:ad:b2:a4:72:4e:bd:f1:c9:68:
+        23:cd:c6:31:35:ab:34:15:c2:ed:8d:ef:0f:82:f3:8a:12:16:
+        16:82:a9:d9:5a:b5:98:20:b6:f5:d2:24:53:58:c3:b9:ec:79:
+        40:ca:b4:4a:7b:9c:74:b9:1e:2b:a9:66:5c:b3:57:46:f2:98:
+        9b:96:23:48:a2:4f:0b:86:96:a2:30:0d:b7:8f:fb:83:95:3a:
+        29:96:24:80:d3:23:78:05:a9:ee:6f:af:e6:5c:70:61:4f:15:
+        5d:2c:75:22:a8:22:9a:6f:cf:86:52:01:03:73:ce:8c:86:67:
+        90:3c:f5:38:50:04:59:70:f0:25:35:da:34:cc:3e:84:e7:4f:
+        93:4c:01:33:34:3d:6c:e7:ea:d8:1e:63:43:1d:6a:b1:bf:01:
+        1b:20:a8:27:df:62:9e:af:7c:bd:52:95:fe:ad:0c:68:a5:1a:
+        b0:fc:59:b0:f9:c0:38:b0:5f:b2:3c:7d:ec:32:3a:a2:73:53:
+        c8:91:7e:cb:3b:cb:7f:85:de:d8:5d:f1:92:80:e6:61:7d:6d:
+        c3:8f:e8:a7:ce:14:33:d2:22:c1:7e:f6:ab:c1:75:8c:c3:70:
+        dd:ab:fd:c4:e9:db:9e:1a:bb:98:32:94:2b:56:d7:e1:31:99:
+        84:5e:c6:4d
+-----BEGIN CERTIFICATE-----
+MIIEcjCCA1qgAwIBAgIRAPNB0n0uuUIFtY2aObSo3c8wDQYJKoZIhvcNAQELBQAw
+gbcxKjAoBgNVBAsTIU1TVlNwaGVyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEk
+MCIGCSqGSIb3DQEJARYVc2VjdXJpdHlAbXN2c3BoZXJlLnJ1MQ8wDQYDVQQHEwZN
+b3Njb3cxDzANBgNVBAgTBk1vc2NvdzELMAkGA1UEBhMCUlUxETAPBgNVBAoTCE5D
+U0QgTExDMSEwHwYDVQQDExhNU1ZTcGhlcmUgU2VjdXJlIEJvb3QgQ0EwIBcNMjMw
+MzIyMTY0MjU0WhgPMjA1MzAzMjIxNjQyNTRaMIG7MSowKAYDVQQLEyFNU1ZTcGhl
+cmUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFXNlY3Vy
+aXR5QG1zdnNwaGVyZS5ydTEPMA0GA1UEBxMGTW9zY293MQ8wDQYDVQQIEwZNb3Nj
+b3cxCzAJBgNVBAYTAlJVMREwDwYDVQQKEwhOQ1NEIExMQzElMCMGA1UEAxMcTVNW
+U3BoZXJlIGtwYXRjaCBzaWduaW5nIGtleTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAOGNd/58Y9WoAyDTzvCWKoQbnOOPAfegdsP47hdEEMwNWN9lcyww
+eFUTgPmfr4iHS++YzQb/Yjf5Lc4cXn3psKxODwhwRf+jpNj41GXtGpOrvDGm3uqc
+gfbmW8dc0UeN4k896RfIPshmUU2o3xT4H1XfMSz0oPuNOTt59z1OzF/lVllqdwy/
+6/yEfepbUTT8vE56vn2jr3ngnylJ3PURyD2eOYklu2NXfCOw4Pjse0zLvMmS+/CP
+jxOwul9laHj1btzhVz1QwJSxQWMj/wfJwSrjaJTJQqRSTx/d4JrZxJFzui4pJGfo
+nJI+gkbY8xUI8YUHF8j5m7qch+0P0YjccQUCAwEAAaNxMG8wHwYDVR0jBBgwFoAU
+SVlntRNsyN9+ZLki46k1UGuVhNUwHwYDVR0lBBgwFgYIKwYBBQUHAwMGCisGAQQB
+kggQAQIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU4NqogVv/8syjU/lG4jPi56wq
+4PowDQYJKoZIhvcNAQELBQADggEBAH6V0C9P5mvmm62ypHJOvfHJaCPNxjE1qzQV
+wu2N7w+C84oSFhaCqdlatZggtvXSJFNYw7nseUDKtEp7nHS5HiupZlyzV0bymJuW
+I0iiTwuGlqIwDbeP+4OVOimWJIDTI3gFqe5vr+ZccGFPFV0sdSKoIppvz4ZSAQNz
+zoyGZ5A89ThQBFlw8CU12jTMPoTnT5NMATM0PWzn6tgeY0MdarG/ARsgqCffYp6v
+fL1Slf6tDGilGrD8WbD5wDiwX7I8fewyOqJzU8iRfss7y3+F3thd8ZKA5mF9bcOP
+6KfOFDPSIsF+9qvBdYzDcN2r/cTp254au5gylCtW1+ExmYRexk0=
+-----END CERTIFICATE-----

SOURCES/nvidiagpuoot001.pem

@@ -0,0 +1,125 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            c5:2a:b8:18:9b:cc:bb:16
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = Nvidia GPU OOT CA, emailAddress = secalert@redhat.com
+        Validity
+            Not Before: Nov 28 17:57:33 2023 GMT
+            Not After : Jan 18 17:57:33 2038 GMT
+        Subject: CN = Nvidia GPU OOT signing 001, emailAddress = secalert@redhat.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:aa:e7:0f:55:10:c8:19:46:a2:de:ec:0a:54:88:
+                    f3:72:72:47:2b:0d:f9:13:28:e8:db:c8:76:17:51:
+                    26:ab:da:31:e9:2f:f4:ec:a1:08:df:72:6a:e0:86:
+                    1e:27:00:4f:a2:00:e7:14:c1:92:2a:0b:b5:6f:38:
+                    f1:79:8b:0b:f3:7d:bb:e4:31:2f:34:12:9e:f5:8f:
+                    fb:e4:f6:06:b4:92:1f:b4:11:21:bf:e4:bc:1f:93:
+                    d6:88:d4:b5:f5:a1:a4:1c:a1:1f:15:40:ef:ff:b6:
+                    2e:bf:b9:a9:10:a5:fe:0c:4b:a0:1d:7c:98:ea:2c:
+                    12:8b:3c:f2:b0:5f:f6:22:89:c8:ca:d1:ec:3d:cb:
+                    9c:e7:7c:d9:af:02:d5:69:77:6e:e4:98:a9:dd:92:
+                    bd:62:1e:a6:2f:03:69:e5:3b:53:93:8d:88:54:c0:
+                    db:d7:63:ad:82:3b:5b:74:90:6b:4e:91:2b:e4:9f:
+                    5b:23:fc:8b:28:a5:68:01:88:b1:e1:90:a2:4b:e6:
+                    ff:e0:e4:16:ae:a2:f6:64:57:4b:c7:a9:68:a8:c4:
+                    45:fb:54:3c:cf:ef:fd:4e:b1:c6:08:4e:da:ae:51:
+                    f8:5f:2a:b4:12:06:b1:03:60:1a:e7:45:22:f9:cd:
+                    59:a1:91:36:2d:dd:6f:ec:42:35:98:2e:92:d9:31:
+                    9b:4d:c3:00:4b:ea:8b:70:d6:dc:34:da:b3:66:2a:
+                    f3:5e:00:4e:83:14:21:24:71:7a:ed:ea:09:c7:57:
+                    2c:58:39:32:1e:24:1f:ef:52:7b:bc:8d:18:47:ba:
+                    b3:16:a4:56:65:e3:9d:fe:ae:44:59:93:a1:c4:c6:
+                    ec:64:03:71:ed:35:54:9e:2d:dc:b3:ad:2b:cc:74:
+                    1f:db:66:8f:73:19:47:5d:19:bf:e3:5c:48:bd:5d:
+                    3b:10:b3:9c:a2:ed:30:af:a0:2e:ac:cc:6a:bf:d6:
+                    1b:83:c2:98:86:bb:92:26:f3:ce:57:41:d2:68:74:
+                    57:f3:3a:f4:71:e4:52:8f:26:9b:60:65:cd:c3:87:
+                    3d:af:dd:06:99:30:70:08:ba:39:91:47:18:ea:c6:
+                    68:aa:ad:f4:e7:6f:26:bf:51:ff:be:1a:3c:52:45:
+                    9c:a0:03:7a:f5:e8:cc:55:89:ac:16:1a:6c:c2:18:
+                    75:3a:51:68:3d:8a:9c:b3:8e:ce:ed:00:a9:ac:47:
+                    a1:1e:04:14:b7:fd:d3:75:ca:97:52:90:6e:d0:96:
+                    94:bf:44:2c:75:63:7b:78:3c:40:cc:13:bc:52:dd:
+                    71:14:ef:ee:d8:45:6c:37:85:bd:a8:01:df:ce:e6:
+                    b1:fb:9c:4d:72:e7:47:fd:cb:a4:6e:cd:a7:4e:cb:
+                    01:b9:11
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage: critical
+                Code Signing
+            X509v3 Subject Key Identifier: 
+                55:E1:CE:F8:81:93:E6:04:19:F0:B0:EC:37:9C:49:F7:75:45:AC:F0
+            X509v3 Authority Key Identifier: 
+                5E:D6:FB:11:3F:AB:FD:E7:63:F0:13:73:E9:E2:D1:51:FB:B3:85:12
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        45:40:c8:30:a9:1a:1a:94:82:1c:65:49:99:1e:82:34:2d:bd:
+        8b:ee:f9:93:a3:5d:89:b1:57:68:ec:d2:c7:3c:ea:2c:6a:14:
+        6d:44:39:7e:63:b5:e5:38:0e:7e:a9:25:2d:5e:69:b0:18:8a:
+        c0:80:f7:0e:99:4c:26:f9:74:54:95:ad:08:46:5a:c5:ee:0c:
+        24:7a:07:75:cc:26:41:ff:c0:69:46:d2:08:08:7f:2b:2f:0c:
+        37:50:7a:7e:59:09:7d:00:26:fe:e8:1b:3b:92:62:f4:62:5a:
+        c2:b1:30:8d:12:12:07:ce:4f:a9:78:09:f8:a6:6e:26:24:b4:
+        e8:a7:ac:ac:b8:ba:62:f1:79:b9:71:34:0b:45:f5:c0:32:f3:
+        fa:d6:7c:05:4d:94:b3:c3:19:61:6f:0e:af:d3:90:29:aa:29:
+        70:bf:90:bd:8b:53:d6:7f:5b:ac:f9:41:9b:39:b8:55:1e:0b:
+        65:cd:2e:96:1c:1b:f9:65:1e:30:7b:ab:04:d8:44:f1:41:5d:
+        13:3c:e1:c4:cf:fc:be:0c:75:dc:a8:47:e3:d6:3f:cf:c1:15:
+        d4:e4:e3:db:aa:9d:70:7b:13:10:4d:46:de:63:57:28:3a:70:
+        f9:3e:e6:d3:a6:52:dd:8f:fe:1f:97:e5:03:63:d1:7e:c4:9a:
+        f7:11:ea:6c:06:ee:58:4e:e5:a8:fb:d5:ff:46:b0:f6:13:a7:
+        aa:f2:7b:df:32:80:73:27:0f:4a:55:0c:e6:b9:f3:a7:0d:61:
+        2e:20:6b:d9:b1:d2:07:9a:d3:89:af:99:89:87:90:ab:b0:1f:
+        89:74:19:bd:7a:24:66:ef:ab:55:34:d5:f5:9a:74:62:02:81:
+        22:67:71:ae:c2:bf:9d:b6:08:7c:88:83:df:42:35:95:5e:75:
+        82:bc:40:83:ca:11:96:01:e1:1a:f1:c6:f0:36:fa:57:3f:4f:
+        ce:87:6a:3d:92:52:a9:bf:13:cd:92:a9:8f:b2:02:32:1d:94:
+        b3:ba:af:58:e7:0d:d4:a2:03:69:ac:b4:af:d9:b3:ae:57:01:
+        24:60:7a:bc:27:7d:37:89:e6:d8:7b:27:b1:ea:0f:97:3e:bc:
+        7b:e8:6d:ad:5e:7c:6f:9b:ed:65:f0:86:2b:28:9c:50:a6:43:
+        e6:2c:4c:03:31:70:64:25:4e:60:25:b3:27:4e:1a:59:8e:7a:
+        cd:c2:28:c9:e0:a4:e0:31:12:39:8f:c0:f1:f6:cd:e5:8e:69:
+        c4:ca:0e:d7:37:50:7b:3d:cd:51:cd:4b:ac:02:50:bf:8c:5e:
+        78:15:0a:eb:79:73:21:da:bb:e0:2f:36:ae:7f:d4:98:f4:0d:
+        ad:f3:c7:72:0d:e9:6f:94
+-----BEGIN CERTIFICATE-----
+MIIFhDCCA2ygAwIBAgIJAMUquBibzLsWMA0GCSqGSIb3DQEBCwUAMEAxGjAYBgNV
+BAMMEU52aWRpYSBHUFUgT09UIENBMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEBy
+ZWRoYXQuY29tMB4XDTIzMTEyODE3NTczM1oXDTM4MDExODE3NTczM1owSTEjMCEG
+A1UEAwwaTnZpZGlhIEdQVSBPT1Qgc2lnbmluZyAwMDExIjAgBgkqhkiG9w0BCQEW
+E3NlY2FsZXJ0QHJlZGhhdC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCq5w9VEMgZRqLe7ApUiPNyckcrDfkTKOjbyHYXUSar2jHpL/TsoQjfcmrg
+hh4nAE+iAOcUwZIqC7VvOPF5iwvzfbvkMS80Ep71j/vk9ga0kh+0ESG/5Lwfk9aI
+1LX1oaQcoR8VQO//ti6/uakQpf4MS6AdfJjqLBKLPPKwX/YiicjK0ew9y5znfNmv
+AtVpd27kmKndkr1iHqYvA2nlO1OTjYhUwNvXY62CO1t0kGtOkSvkn1sj/IsopWgB
+iLHhkKJL5v/g5BauovZkV0vHqWioxEX7VDzP7/1OscYITtquUfhfKrQSBrEDYBrn
+RSL5zVmhkTYt3W/sQjWYLpLZMZtNwwBL6otw1tw02rNmKvNeAE6DFCEkcXrt6gnH
+VyxYOTIeJB/vUnu8jRhHurMWpFZl453+rkRZk6HExuxkA3HtNVSeLdyzrSvMdB/b
+Zo9zGUddGb/jXEi9XTsQs5yi7TCvoC6szGq/1huDwpiGu5Im885XQdJodFfzOvRx
+5FKPJptgZc3Dhz2v3QaZMHAIujmRRxjqxmiqrfTnbya/Uf++GjxSRZygA3r16MxV
+iawWGmzCGHU6UWg9ipyzjs7tAKmsR6EeBBS3/dN1ypdSkG7QlpS/RCx1Y3t4PEDM
+E7xS3XEU7+7YRWw3hb2oAd/O5rH7nE1y50f9y6RuzadOywG5EQIDAQABo3gwdjAM
+BgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEF
+BQcDAzAdBgNVHQ4EFgQUVeHO+IGT5gQZ8LDsN5xJ93VFrPAwHwYDVR0jBBgwFoAU
+Xtb7ET+r/edj8BNz6eLRUfuzhRIwDQYJKoZIhvcNAQELBQADggIBAEVAyDCpGhqU
+ghxlSZkegjQtvYvu+ZOjXYmxV2js0sc86ixqFG1EOX5jteU4Dn6pJS1eabAYisCA
+9w6ZTCb5dFSVrQhGWsXuDCR6B3XMJkH/wGlG0ggIfysvDDdQen5ZCX0AJv7oGzuS
+YvRiWsKxMI0SEgfOT6l4CfimbiYktOinrKy4umLxeblxNAtF9cAy8/rWfAVNlLPD
+GWFvDq/TkCmqKXC/kL2LU9Z/W6z5QZs5uFUeC2XNLpYcG/llHjB7qwTYRPFBXRM8
+4cTP/L4MddyoR+PWP8/BFdTk49uqnXB7ExBNRt5jVyg6cPk+5tOmUt2P/h+X5QNj
+0X7EmvcR6mwG7lhO5aj71f9GsPYTp6rye98ygHMnD0pVDOa586cNYS4ga9mx0gea
+04mvmYmHkKuwH4l0Gb16JGbvq1U01fWadGICgSJnca7Cv522CHyIg99CNZVedYK8
+QIPKEZYB4RrxxvA2+lc/T86Haj2SUqm/E82SqY+yAjIdlLO6r1jnDdSiA2mstK/Z
+s65XASRgerwnfTeJ5th7J7HqD5c+vHvoba1efG+b7WXwhisonFCmQ+YsTAMxcGQl
+TmAlsydOGlmOes3CKMngpOAxEjmPwPH2zeWOacTKDtc3UHs9zVHNS6wCUL+MXngV
+Cut5cyHau+AvNq5/1Jj0Da3zx3IN6W+U
+-----END CERTIFICATE-----

SOURCES/rheldup3.pem

@@ -0,0 +1,102 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            df:05:cc:0a:a1:21:9e:3e
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = Red Hat Enterprise Linux Driver Update Program (key 3), emailAddress = secalert@redhat.com
+        Validity
+            Not Before: Mar 31 08:40:36 2014 GMT
+            Not After : Mar 25 08:40:36 2037 GMT
+        Subject: CN = Red Hat Enterprise Linux Driver Update Program (key 3), emailAddress = secalert@redhat.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (3072 bit)
+                Modulus:
+                    00:a6:6a:c6:0a:73:d6:e0:67:ab:09:21:b7:8e:61:
+                    bb:e2:80:96:55:fd:be:35:5c:7a:9f:c8:9e:2a:1f:
+                    41:b1:54:25:8b:c1:6b:7a:75:83:8d:df:6b:c8:20:
+                    4d:94:31:f0:c6:ed:d6:66:6e:e5:cc:6e:20:5f:17:
+                    3f:e0:d4:5a:41:cf:de:ff:31:70:44:a5:fe:79:8d:
+                    14:d9:04:2e:66:08:ac:cb:14:6e:75:53:38:f5:85:
+                    44:99:43:f6:b1:03:bc:7c:d6:bd:9d:1b:e2:3c:8d:
+                    a4:f0:1c:97:ff:0e:37:61:cc:a1:c7:51:2a:44:69:
+                    9f:88:f9:1a:62:d5:dd:f7:bf:04:66:90:57:6e:83:
+                    d8:07:cc:fe:eb:61:99:fb:3b:3e:97:c7:5b:8f:e5:
+                    8c:eb:01:ab:a1:99:95:5c:1c:cf:8d:2b:6e:74:82:
+                    80:6c:14:be:bd:81:d8:9a:ba:57:aa:49:26:fd:c8:
+                    3d:06:8e:35:77:bf:56:f8:53:10:69:1b:da:93:41:
+                    05:cd:51:65:ca:3b:40:82:f5:4f:dd:df:1d:be:db:
+                    96:ed:c0:e5:d7:03:f1:39:53:3c:fc:4a:c6:af:3b:
+                    36:ab:3d:9f:c9:19:c4:67:f5:41:b0:bd:93:98:38:
+                    bc:4f:fe:c6:64:05:ec:a5:cb:9a:fb:c3:72:90:da:
+                    b7:9d:91:68:8b:00:b6:b0:83:62:8c:5b:e0:bd:1c:
+                    b0:a5:3b:49:be:77:37:be:54:37:0a:a5:2b:7a:05:
+                    ef:61:97:68:a3:5d:e1:90:5e:d6:d6:22:bf:50:d1:
+                    2b:22:be:7d:f2:30:bd:5a:0d:6e:91:6a:8e:89:56:
+                    97:30:7d:14:93:a4:05:69:e5:0d:8f:be:39:6d:17:
+                    02:66:7f:a6:05:db:5f:f6:b2:39:43:04:1e:44:fc:
+                    ae:f2:de:12:02:d7:e4:e0:eb:08:a6:1f:b9:cd:d4:
+                    8b:75:40:b3:bb:4f:92:15:78:a1:2e:4b:c4:8f:2f:
+                    7d:ad:34:be:6b:2a:29:18:d5:e9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Key Identifier: 
+                BF:57:F3:E8:73:62:BC:72:29:D9:F4:65:32:17:73:DF:D1:F7:7A:80
+            X509v3 Authority Key Identifier: 
+                BF:57:F3:E8:73:62:BC:72:29:D9:F4:65:32:17:73:DF:D1:F7:7A:80
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        62:a8:a3:1c:39:5a:69:fa:a6:c6:ff:ab:6c:f6:9e:9a:f5:6b:
+        84:72:c8:18:6f:15:2d:07:9f:ac:b4:a0:49:fb:20:02:32:b8:
+        25:80:98:fb:d7:57:7f:9c:78:a9:19:dd:f5:b8:bd:c7:59:03:
+        a0:06:85:a9:18:7a:35:df:9f:53:f0:22:61:bf:0a:bb:1c:f3:
+        a6:9e:db:8e:2c:1c:25:b2:86:a3:0d:97:ce:0d:f4:d0:28:39:
+        76:00:38:07:f2:02:f5:e0:a8:01:20:30:a8:18:7c:1f:0e:91:
+        41:a6:cc:0a:a7:2e:78:c2:32:de:ae:f6:2d:9d:b1:43:17:31:
+        f1:ff:74:b1:f5:ef:bd:a2:53:bf:17:20:1a:da:bd:5e:7b:db:
+        79:43:c7:7b:79:a7:31:ca:3e:54:28:e4:44:2b:ac:41:b9:c0:
+        03:44:ce:e9:56:13:0b:87:f9:82:e6:1e:82:75:23:c2:2c:cf:
+        8d:8e:ad:47:40:16:b4:86:82:92:4d:77:8c:02:27:7a:cf:93:
+        ed:21:4a:fa:d8:fb:e9:30:d4:b9:c8:e2:05:a7:2e:5d:4b:80:
+        db:ec:aa:4f:e2:4e:5d:94:13:ad:73:65:26:7e:4d:0e:44:49:
+        03:8f:42:e5:4e:e8:43:4b:1f:76:fc:18:d1:c1:c1:ac:85:de:
+        ec:97:13:e1:de:e6:fa:75:c6:f0:fd:c2:15:7e:23:72:f2:28:
+        fa:b6:6f:a3:96:e5:d4:b5:b2:a5:6b:e3:b6:cf:47:46:6b:a6:
+        93:7c:7d:28:5d:ba:ce:da:19:e9:4c:a8:a4:9a:1e:77:fc:5a:
+        b5:43:ad:9f:f7:bb:be:5f:85:9e:c9:0e:4c:a1:01:54:01:a1:
+        6e:ae:67:13:84:ee:ad:e9:20:77:66:be:6d:06:73:80:18:dc:
+        c8:d5:16:c4:7f:8a:b5:63:b8:37:fa:be:95:8b:5d:46:2d:a9:
+        69:71:bc:d4:44:38:68:e4:11:8d:8e:8d:99:a2:9a:4b:07:ae:
+        11:cf:05:d8:b7:ff
+-----BEGIN CERTIFICATE-----
+MIIEqjCCAxKgAwIBAgIJAN8FzAqhIZ4+MA0GCSqGSIb3DQEBCwUAMGUxPzA9BgNV
+BAMTNlJlZCBIYXQgRW50ZXJwcmlzZSBMaW51eCBEcml2ZXIgVXBkYXRlIFByb2dy
+YW0gKGtleSAzKTEiMCAGCSqGSIb3DQEJARYTc2VjYWxlcnRAcmVkaGF0LmNvbTAe
+Fw0xNDAzMzEwODQwMzZaFw0zNzAzMjUwODQwMzZaMGUxPzA9BgNVBAMTNlJlZCBI
+YXQgRW50ZXJwcmlzZSBMaW51eCBEcml2ZXIgVXBkYXRlIFByb2dyYW0gKGtleSAz
+KTEiMCAGCSqGSIb3DQEJARYTc2VjYWxlcnRAcmVkaGF0LmNvbTCCAaIwDQYJKoZI
+hvcNAQEBBQADggGPADCCAYoCggGBAKZqxgpz1uBnqwkht45hu+KAllX9vjVcep/I
+niofQbFUJYvBa3p1g43fa8ggTZQx8Mbt1mZu5cxuIF8XP+DUWkHP3v8xcESl/nmN
+FNkELmYIrMsUbnVTOPWFRJlD9rEDvHzWvZ0b4jyNpPAcl/8ON2HMocdRKkRpn4j5
+GmLV3fe/BGaQV26D2AfM/uthmfs7PpfHW4/ljOsBq6GZlVwcz40rbnSCgGwUvr2B
+2Jq6V6pJJv3IPQaONXe/VvhTEGkb2pNBBc1RZco7QIL1T93fHb7blu3A5dcD8TlT
+PPxKxq87Nqs9n8kZxGf1QbC9k5g4vE/+xmQF7KXLmvvDcpDat52RaIsAtrCDYoxb
+4L0csKU7Sb53N75UNwqlK3oF72GXaKNd4ZBe1tYiv1DRKyK+ffIwvVoNbpFqjolW
+lzB9FJOkBWnlDY++OW0XAmZ/pgXbX/ayOUMEHkT8rvLeEgLX5ODrCKYfuc3Ui3VA
+s7tPkhV4oS5LxI8vfa00vmsqKRjV6QIDAQABo10wWzAMBgNVHRMBAf8EAjAAMAsG
+A1UdDwQEAwIHgDAdBgNVHQ4EFgQUv1fz6HNivHIp2fRlMhdz39H3eoAwHwYDVR0j
+BBgwFoAUv1fz6HNivHIp2fRlMhdz39H3eoAwDQYJKoZIhvcNAQELBQADggGBAGKo
+oxw5Wmn6psb/q2z2npr1a4RyyBhvFS0Hn6y0oEn7IAIyuCWAmPvXV3+ceKkZ3fW4
+vcdZA6AGhakYejXfn1PwImG/Crsc86ae244sHCWyhqMNl84N9NAoOXYAOAfyAvXg
+qAEgMKgYfB8OkUGmzAqnLnjCMt6u9i2dsUMXMfH/dLH1772iU78XIBravV5723lD
+x3t5pzHKPlQo5EQrrEG5wANEzulWEwuH+YLmHoJ1I8Isz42OrUdAFrSGgpJNd4wC
+J3rPk+0hSvrY++kw1LnI4gWnLl1LgNvsqk/iTl2UE61zZSZ+TQ5ESQOPQuVO6ENL
+H3b8GNHBwayF3uyXE+He5vp1xvD9whV+I3LyKPq2b6OW5dS1sqVr47bPR0ZrppN8
+fShdus7aGelMqKSaHnf8WrVDrZ/3u75fhZ7JDkyhAVQBoW6uZxOE7q3pIHdmvm0G
+c4AY3MjVFsR/irVjuDf6vpWLXUYtqWlxvNREOGjkEY2OjZmimksHrhHPBdi3/w==
+-----END CERTIFICATE-----

SOURCES/rhelima.pem

@@ -0,0 +1,70 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            d6:78:a4:e3:e7:d3:c5:a9
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O = RH-IMA-CA, CN = Red Hat IMA CA, emailAddress = secalert@redhat.com
+        Validity
+            Not Before: Jul  1 16:14:04 2023 GMT
+            Not After : Jan 18 16:14:04 2038 GMT
+        Subject: CN = Red Hat IMA release key (for verification)
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:4f:0e:ef:bf:e2:23:89:91:27:4e:7c:32:a1:d0:
+                    c0:26:92:de:37:8d:b0:5d:ea:7f:d6:27:18:9b:b4:
+                    62:be:06:85:3d:f9:cc:47:7e:c7:bd:91:54:53:62:
+                    b4:c0:8a:43:48:c2:59:07:2b:88:d7:3d:4b:30:8d:
+                    6c:32:fb:a5:da:dc:8a:85:e9:61:44:18:fc:d9:8b:
+                    f5:5e:38:c8:85:77:ca:73:68:ce:48:df:af:3d:06:
+                    43:2f:4b:6c:0c:cd:88
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage: critical
+                Code Signing
+            X509v3 Subject Key Identifier: 
+                22:FA:01:DC:0E:A0:26:9F:69:A8:67:E5:CF:E4:9C:FB:D3:32:04:49
+            X509v3 Authority Key Identifier: 
+                FB:31:82:5D:D0:E0:73:68:5B:26:4E:30:38:96:36:73:F7:53:95:9A
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        1a:1e:c1:2d:65:ad:f0:24:ec:9e:a7:fd:d4:ea:e1:54:dc:31:
+        1c:62:8c:29:0b:7a:56:6e:f7:b4:87:92:3e:ff:d5:40:4b:24:
+        a1:68:6e:ee:9c:35:65:a1:3f:8e:f3:8b:9b:18:b1:03:ed:fb:
+        50:2e:a3:23:d1:93:1d:d6:82:0a:10:6f:34:be:d6:3a:bd:76:
+        8c:44:0e:ad:a7:2a:c4:8e:8d:c4:e4:8d:51:d8:26:b7:38:89:
+        d1:23:a0:23:88:76:fa:f1:27:91:57:3e:b2:0f:cf:73:53:db:
+        20:40:5d:82:b9:e9:bc:a2:94:09:57:fb:85:0d:56:4b:dc:19:
+        65:12:2f:6d:6a:3b:be:35:1f:d4:52:ea:e4:72:36:f9:fe:cb:
+        d4:1b:0f:e3:0e:88:7c:68:58:28:c3:06:5f:bd:d2:f9:2e:1a:
+        30:f0:63:65:2d:55:e1:a4:fd:97:cf:ff:c0:52:22:1c:24:a3:
+        6e:de:7a:c9:9d:75:d2:d0:82:b0:7f:6f:db:21:01:69:f0:54:
+        76:04:19:68:2c:22:72:dd:3b:0d:04:d5:ad:5a:80:30:68:90:
+        6e:c2:27:f4:28:af:1b:78:f6:0a:70:74:5c:3a:61:42:f5:63:
+        7c:83:12:5a:1b:43:bc:d4:1b:28:b5:ef:98:c5:14:04:42:80:
+        dd:54:30:a4
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIJANZ4pOPn08WpMA0GCSqGSIb3DQEBCwUAMFExEjAQBgNV
+BAoMCVJILUlNQS1DQTEXMBUGA1UEAwwOUmVkIEhhdCBJTUEgQ0ExIjAgBgkqhkiG
+9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMjMwNzAxMTYxNDA0WhcNMzgw
+MTE4MTYxNDA0WjA1MTMwMQYDVQQDDCpSZWQgSGF0IElNQSByZWxlYXNlIGtleSAo
+Zm9yIHZlcmlmaWNhdGlvbikwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARPDu+/4iOJ
+kSdOfDKh0MAmkt43jbBd6n/WJxibtGK+BoU9+cxHfse9kVRTYrTAikNIwlkHK4jX
+PUswjWwy+6Xa3IqF6WFEGPzZi/VeOMiFd8pzaM5I3689BkMvS2wMzYijeDB2MAwG
+A1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsGAQUF
+BwMDMB0GA1UdDgQWBBQi+gHcDqAmn2moZ+XP5Jz70zIESTAfBgNVHSMEGDAWgBT7
+MYJd0OBzaFsmTjA4ljZz91OVmjANBgkqhkiG9w0BAQsFAAOCAQEAGh7BLWWt8CTs
+nqf91OrhVNwxHGKMKQt6Vm73tIeSPv/VQEskoWhu7pw1ZaE/jvOLmxixA+37UC6j
+I9GTHdaCChBvNL7WOr12jEQOracqxI6NxOSNUdgmtziJ0SOgI4h2+vEnkVc+sg/P
+c1PbIEBdgrnpvKKUCVf7hQ1WS9wZZRIvbWo7vjUf1FLq5HI2+f7L1BsP4w6IfGhY
+KMMGX73S+S4aMPBjZS1V4aT9l8//wFIiHCSjbt56yZ110tCCsH9v2yEBafBUdgQZ
+aCwict07DQTVrVqAMGiQbsIn9CivG3j2CnB0XDphQvVjfIMSWhtDvNQbKLXvmMUU
+BEKA3VQwpA==
+-----END CERTIFICATE-----

SOURCES/rhelima_centos.pem

@@ -0,0 +1,70 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            d6:78:a4:e3:e7:d3:c5:ab
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O = RH-IMA-CA, CN = Red Hat IMA CA, emailAddress = secalert@redhat.com
+        Validity
+            Not Before: Jul  1 16:14:51 2023 GMT
+            Not After : Jan 18 16:14:51 2038 GMT
+        Subject: CN = CentOS IMA release key (for verification)
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:d4:d0:31:08:09:0d:97:d0:5c:c8:49:ff:90:f4:
+                    3a:16:85:a3:73:a1:d9:c4:28:4c:f7:aa:a8:22:c2:
+                    cf:0e:8b:d7:9a:ed:e6:f0:89:f8:85:95:72:c3:38:
+                    27:2a:29:97:6a:6b:2b:01:04:a3:32:ba:f4:75:f9:
+                    e4:c8:48:2f:f5:36:69:44:27:f9:35:b3:0c:c3:22:
+                    24:67:51:06:d3:73:f1:56:94:20:a8:8c:82:34:c0:
+                    10:ef:ce:f9:b4:7a:42
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage: critical
+                Code Signing
+            X509v3 Subject Key Identifier: 
+                54:E5:A3:4F:16:2B:32:B7:77:FF:E3:4F:1E:8B:66:12:7C:43:5B:B5
+            X509v3 Authority Key Identifier: 
+                FB:31:82:5D:D0:E0:73:68:5B:26:4E:30:38:96:36:73:F7:53:95:9A
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        c6:1d:92:0e:92:40:d6:ae:a5:5d:4e:5d:2a:e1:0f:92:42:20:
+        89:e1:a9:82:87:35:42:c9:7f:77:dd:19:e3:cf:ef:be:8b:39:
+        4f:99:2e:cd:cc:a3:18:23:7f:81:4b:7d:63:5d:71:b4:4b:9c:
+        ea:dc:2f:1d:16:da:4c:ed:98:bf:df:88:11:d0:8b:af:01:55:
+        71:05:fe:d7:ac:78:4e:46:de:48:9f:04:74:42:c2:c8:1a:fc:
+        c5:46:6a:99:3e:9a:b0:e4:04:07:48:e2:4c:65:e5:01:a8:ad:
+        3c:8d:c0:ca:c5:73:23:36:88:27:54:8b:90:f8:ea:55:fc:eb:
+        b8:69:a5:8b:a0:1d:8b:f1:93:dd:71:9e:e9:88:f0:2d:0e:7d:
+        86:a4:8d:0b:fd:00:c9:c0:73:aa:b1:65:b1:60:6e:a4:09:1b:
+        3e:30:d9:62:2a:15:d6:50:2a:6a:fd:24:e7:8c:93:78:4a:28:
+        d5:b1:d9:ba:1b:8d:ef:48:0d:f4:8c:79:90:0f:95:8d:79:39:
+        8d:41:a5:fc:6f:e4:ef:5c:ee:3b:f4:c3:2c:c3:a0:b7:61:ac:
+        7e:e9:eb:a0:3a:ba:05:2c:bd:aa:a9:1f:c5:b9:ee:72:f6:c4:
+        54:1f:71:3b:e1:70:1a:30:f4:04:18:50:60:c4:5a:da:93:cd:
+        b6:f6:67:c8
+-----BEGIN CERTIFICATE-----
+MIIC0jCCAbqgAwIBAgIJANZ4pOPn08WrMA0GCSqGSIb3DQEBCwUAMFExEjAQBgNV
+BAoMCVJILUlNQS1DQTEXMBUGA1UEAwwOUmVkIEhhdCBJTUEgQ0ExIjAgBgkqhkiG
+9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMjMwNzAxMTYxNDUxWhcNMzgw
+MTE4MTYxNDUxWjA0MTIwMAYDVQQDDClDZW50T1MgSU1BIHJlbGVhc2Uga2V5IChm
+b3IgdmVyaWZpY2F0aW9uKTB2MBAGByqGSM49AgEGBSuBBAAiA2IABNTQMQgJDZfQ
+XMhJ/5D0OhaFo3Oh2cQoTPeqqCLCzw6L15rt5vCJ+IWVcsM4Jyopl2prKwEEozK6
+9HX55MhIL/U2aUQn+TWzDMMiJGdRBtNz8VaUIKiMgjTAEO/O+bR6QqN4MHYwDAYD
+VR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUH
+AwMwHQYDVR0OBBYEFFTlo08WKzK3d//jTx6LZhJ8Q1u1MB8GA1UdIwQYMBaAFPsx
+gl3Q4HNoWyZOMDiWNnP3U5WaMA0GCSqGSIb3DQEBCwUAA4IBAQDGHZIOkkDWrqVd
+Tl0q4Q+SQiCJ4amChzVCyX933Rnjz+++izlPmS7NzKMYI3+BS31jXXG0S5zq3C8d
+FtpM7Zi/34gR0IuvAVVxBf7XrHhORt5InwR0QsLIGvzFRmqZPpqw5AQHSOJMZeUB
+qK08jcDKxXMjNognVIuQ+OpV/Ou4aaWLoB2L8ZPdcZ7piPAtDn2GpI0L/QDJwHOq
+sWWxYG6kCRs+MNliKhXWUCpq/STnjJN4SijVsdm6G43vSA30jHmQD5WNeTmNQaX8
+b+TvXO479MMsw6C3Yax+6eugOroFLL2qqR/Fue5y9sRUH3E74XAaMPQEGFBgxFra
+k8229mfI
+-----END CERTIFICATE-----

SOURCES/rhelimaca1.pem

@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            aa:05:bd:59:88:e4:fe:ba
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O = RH-IMA-CA, CN = Red Hat IMA CA, emailAddress = secalert@redhat.com
+        Validity
+            Not Before: Jul  1 15:22:50 2023 GMT
+            Not After : Jan 18 15:22:50 2038 GMT
+        Subject: O = RH-IMA-CA, CN = Red Hat IMA CA, emailAddress = secalert@redhat.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ca:74:5e:05:ee:bd:00:33:4a:49:92:6d:b9:2e:
+                    4b:1a:b5:3d:05:49:68:50:70:9e:39:28:a0:58:87:
+                    55:b7:b0:54:8e:21:cc:1a:b3:0f:1c:bc:11:76:1c:
+                    9a:0f:de:56:97:79:41:83:2d:5d:c6:b8:32:36:dd:
+                    20:f4:0f:b1:28:9a:e7:fd:ff:27:cd:f6:57:30:0d:
+                    b1:dd:4c:2f:71:be:49:d1:57:06:5a:6d:4b:59:ca:
+                    87:fb:25:0d:ac:f1:41:c7:8e:10:e8:18:8b:40:ae:
+                    c3:fe:1f:9a:0d:da:ee:4f:6d:da:f2:c0:27:f8:cb:
+                    ae:6e:84:bb:49:b8:9a:e2:c2:9d:de:81:e9:e2:d6:
+                    03:6f:ee:eb:17:b3:2d:da:50:51:1e:da:f6:12:54:
+                    f7:89:c3:bc:5a:90:fb:1d:ba:21:a4:25:07:87:3e:
+                    d4:12:c1:d6:f8:3f:c1:80:65:c0:15:81:6a:51:92:
+                    36:af:63:39:7a:83:4e:48:3e:19:5d:a5:a3:48:e1:
+                    7c:5c:ff:e3:ed:bb:59:7b:c3:93:5d:d5:1f:c2:97:
+                    df:6d:c5:ff:73:c3:66:64:4b:0f:6c:72:43:e2:65:
+                    60:03:38:b8:c0:51:b6:ae:5a:f8:8e:f9:c2:8f:55:
+                    9c:d0:d2:db:94:ac:75:c8:0f:85:49:b1:96:82:01:
+                    4b:67
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                FB:31:82:5D:D0:E0:73:68:5B:26:4E:30:38:96:36:73:F7:53:95:9A
+            X509v3 Authority Key Identifier: 
+                FB:31:82:5D:D0:E0:73:68:5B:26:4E:30:38:96:36:73:F7:53:95:9A
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        52:71:86:bc:05:f4:08:dc:0b:8b:b2:b6:95:a9:04:a3:f8:19:
+        e9:0a:a9:6d:4b:b7:1e:f5:7d:ff:d8:1a:0b:4f:1e:cb:07:94:
+        09:b0:93:16:3d:20:61:03:5b:15:b9:60:f0:c1:5f:28:70:59:
+        b5:59:de:c1:1e:76:92:1c:bb:43:d9:53:ae:2b:ad:7c:09:20:
+        7a:ac:29:b8:1e:17:48:b6:54:d4:11:60:72:2b:44:3e:2e:f2:
+        48:35:73:05:81:51:5e:b5:0c:a5:cc:35:15:de:29:1b:f0:75:
+        4e:af:b8:46:51:96:98:6a:ac:75:08:d8:90:5d:d0:1a:eb:a3:
+        95:58:d2:8b:03:bf:f2:37:fc:85:20:49:7c:f6:16:67:31:eb:
+        40:11:65:94:1a:cf:9e:6e:6d:f0:83:17:84:63:05:e5:08:97:
+        31:dc:e2:75:46:52:8b:a9:57:95:0f:41:df:37:1e:fa:18:35:
+        19:57:23:0a:c1:fa:79:da:62:85:85:7c:68:c1:bb:6f:78:96:
+        02:8c:0e:be:53:fb:97:15:d3:bb:d7:fe:90:99:6f:0e:c1:5d:
+        3a:ec:ac:07:b5:69:e9:86:04:25:29:36:9f:48:e0:3d:a1:aa:
+        8c:71:66:85:30:f3:2e:e6:cb:91:8e:76:24:ab:4e:3e:2d:de:
+        5a:d1:43:c6
+-----BEGIN CERTIFICATE-----
+MIIDiDCCAnCgAwIBAgIJAKoFvVmI5P66MA0GCSqGSIb3DQEBCwUAMFExEjAQBgNV
+BAoMCVJILUlNQS1DQTEXMBUGA1UEAwwOUmVkIEhhdCBJTUEgQ0ExIjAgBgkqhkiG
+9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMjMwNzAxMTUyMjUwWhcNMzgw
+MTE4MTUyMjUwWjBRMRIwEAYDVQQKDAlSSC1JTUEtQ0ExFzAVBgNVBAMMDlJlZCBI
+YXQgSU1BIENBMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAynReBe69ADNKSZJtuS5LGrU9
+BUloUHCeOSigWIdVt7BUjiHMGrMPHLwRdhyaD95Wl3lBgy1dxrgyNt0g9A+xKJrn
+/f8nzfZXMA2x3Uwvcb5J0VcGWm1LWcqH+yUNrPFBx44Q6BiLQK7D/h+aDdruT23a
+8sAn+MuuboS7Sbia4sKd3oHp4tYDb+7rF7Mt2lBRHtr2ElT3icO8WpD7HbohpCUH
+hz7UEsHW+D/BgGXAFYFqUZI2r2M5eoNOSD4ZXaWjSOF8XP/j7btZe8OTXdUfwpff
+bcX/c8NmZEsPbHJD4mVgAzi4wFG2rlr4jvnCj1Wc0NLblKx1yA+FSbGWggFLZwID
+AQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT7MYJd0OBzaFsmTjA4
+ljZz91OVmjAfBgNVHSMEGDAWgBT7MYJd0OBzaFsmTjA4ljZz91OVmjAOBgNVHQ8B
+Af8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAFJxhrwF9AjcC4uytpWpBKP4GekK
+qW1Ltx71ff/YGgtPHssHlAmwkxY9IGEDWxW5YPDBXyhwWbVZ3sEedpIcu0PZU64r
+rXwJIHqsKbgeF0i2VNQRYHIrRD4u8kg1cwWBUV61DKXMNRXeKRvwdU6vuEZRlphq
+rHUI2JBd0Brro5VY0osDv/I3/IUgSXz2Fmcx60ARZZQaz55ubfCDF4RjBeUIlzHc
+4nVGUoupV5UPQd83HvoYNRlXIwrB+nnaYoWFfGjBu294lgKMDr5T+5cV07vX/pCZ
+bw7BXTrsrAe1aemGBCUpNp9I4D2hqoxxZoUw8y7my5GOdiSrTj4t3lrRQ8Y=
+-----END CERTIFICATE-----

SOURCES/rhelkpatch1.pem

@@ -0,0 +1,102 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            91:5d:16:42:f6:60:09:e4
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = Red Hat Enterprise Linux kpatch signing key, emailAddress = secalert@redhat.com
+        Validity
+            Not Before: Mar 31 08:34:47 2014 GMT
+            Not After : Mar 25 08:34:47 2037 GMT
+        Subject: CN = Red Hat Enterprise Linux kpatch signing key, emailAddress = secalert@redhat.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (3072 bit)
+                Modulus:
+                    00:a6:ad:de:2d:77:ee:76:a9:29:30:fc:f2:b7:11:
+                    ac:41:94:72:68:52:6b:08:54:68:8a:c7:0a:a5:b2:
+                    10:b6:b4:83:6f:3c:ff:4f:fe:9b:1e:a6:e4:a7:78:
+                    78:7a:d1:06:30:b2:2c:f5:b3:68:1a:1d:28:b9:24:
+                    4f:75:aa:e2:76:00:8b:dd:06:e3:24:52:a5:14:e2:
+                    42:17:17:4f:01:5a:6a:97:bf:60:08:ad:e0:17:60:
+                    20:bc:59:11:e2:87:3d:6c:c7:b8:8a:f1:44:87:09:
+                    13:71:fd:76:7d:ef:e5:2b:ca:78:61:4d:16:8e:68:
+                    e0:0a:85:d2:e3:de:37:e1:d1:e6:d8:a0:f7:30:d3:
+                    62:fa:c4:20:81:97:9a:d7:c2:4e:a2:49:80:00:d0:
+                    6d:ac:c6:3e:99:5a:48:70:cf:5b:52:e5:8c:88:51:
+                    02:89:0f:0a:3f:b8:12:85:1a:cb:2f:72:32:97:ce:
+                    fa:fe:04:47:f6:1d:81:4a:01:65:8f:17:20:20:6d:
+                    c5:16:91:be:cb:92:cc:ad:1f:a6:d6:2c:8e:d9:48:
+                    58:7d:8d:fe:08:a7:54:f4:c3:a5:e6:ae:25:da:e7:
+                    7b:b1:20:06:3b:6c:b7:91:e5:93:41:95:95:bf:9a:
+                    cc:5c:20:4f:0b:96:55:90:fe:40:5c:99:59:fe:0e:
+                    1b:fa:b7:78:b5:dd:b7:ff:d0:49:97:e8:bf:5a:34:
+                    d2:02:05:90:36:c5:c9:2e:8d:27:1d:5c:7b:97:fc:
+                    ca:22:b4:01:00:36:7c:6d:0f:a6:35:0e:34:3f:07:
+                    59:8a:39:09:77:47:09:6f:0a:45:e4:e2:e6:0c:99:
+                    f3:01:c8:3d:d8:f9:2e:f5:fa:2c:61:a1:6a:58:43:
+                    06:72:84:b0:a4:bb:5a:8c:2c:27:b6:2d:e2:b8:13:
+                    f0:15:69:f7:23:05:4f:23:5c:df:95:7a:06:a4:98:
+                    bb:39:34:c7:eb:01:61:a8:c4:7c:cc:0d:fb:56:8d:
+                    1a:da:e1:94:c5:a7:e9:28:1a:35
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Key Identifier: 
+                4D:38:FD:86:4E:BE:18:C5:F0:B7:2E:38:52:E2:01:4C:3A:67:6F:C8
+            X509v3 Authority Key Identifier: 
+                4D:38:FD:86:4E:BE:18:C5:F0:B7:2E:38:52:E2:01:4C:3A:67:6F:C8
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        17:d2:03:8c:49:cd:13:e9:2b:99:91:c9:0f:46:1d:91:5c:a9:
+        ef:17:46:3f:ee:d1:05:10:72:90:09:55:1b:94:a6:c8:34:8d:
+        89:fb:96:cf:b5:7b:08:38:ba:77:6b:e5:69:d7:1e:71:ea:ad:
+        34:e5:b3:1f:1d:cb:d7:c7:6d:f6:45:a8:c0:74:79:2d:ca:e5:
+        06:af:3e:b7:40:af:66:98:81:e0:45:d5:04:f3:a6:2b:ff:55:
+        b1:4e:6d:29:da:ea:a5:ab:27:82:9c:d7:78:6e:56:4d:82:b0:
+        6d:de:bf:60:e9:5a:a7:c4:8d:8b:c3:6a:f0:c5:8c:f3:ce:2f:
+        6e:3f:d9:7f:8d:ce:9e:8e:6f:9c:95:79:dc:95:9f:b2:10:97:
+        57:ae:3b:6b:e0:72:18:32:cb:b2:08:8b:34:cb:f0:51:db:ea:
+        07:96:32:a0:0b:79:d4:f7:63:99:c9:77:58:71:6e:77:03:e9:
+        7d:52:90:d2:26:a2:6d:0a:11:32:29:84:b0:2c:52:d9:fe:6b:
+        d9:6a:9c:aa:49:4c:87:6a:8b:5b:84:51:f7:9f:23:2a:b9:f8:
+        9c:eb:ff:9d:ff:8d:23:09:00:df:77:f8:e3:17:8d:06:35:bc:
+        7e:8f:bf:a6:23:b5:51:2b:c7:5f:2d:77:13:43:47:8f:62:40:
+        a7:9c:9f:ab:34:3a:87:96:83:de:00:a7:60:4b:09:60:49:ab:
+        39:f1:d5:a2:3f:ce:77:5e:19:d5:19:81:8b:0c:71:01:5d:e7:
+        2f:99:d4:16:b4:05:3d:56:c1:90:cb:de:4b:0d:c7:d5:0b:9e:
+        4b:95:74:35:cb:6b:1e:0e:1f:15:39:74:f8:6c:25:e5:de:d6:
+        f4:e6:6f:98:a5:df:83:44:97:ee:2e:f6:f8:fc:ba:43:69:9c:
+        03:2d:96:ff:c6:5a:32:1c:b1:99:fe:aa:ec:e6:04:5e:21:c5:
+        ef:10:e4:bd:95:d7:0b:42:5d:90:d0:56:1e:32:f3:44:16:be:
+        ad:9a:f8:c9:0c:b6
+-----BEGIN CERTIFICATE-----
+MIIElDCCAvygAwIBAgIJAJFdFkL2YAnkMA0GCSqGSIb3DQEBCwUAMFoxNDAyBgNV
+BAMTK1JlZCBIYXQgRW50ZXJwcmlzZSBMaW51eCBrcGF0Y2ggc2lnbmluZyBrZXkx
+IjAgBgkqhkiG9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQwMzMxMDgz
+NDQ3WhcNMzcwMzI1MDgzNDQ3WjBaMTQwMgYDVQQDEytSZWQgSGF0IEVudGVycHJp
+c2UgTGludXgga3BhdGNoIHNpZ25pbmcga2V5MSIwIAYJKoZIhvcNAQkBFhNzZWNh
+bGVydEByZWRoYXQuY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA
+pq3eLXfudqkpMPzytxGsQZRyaFJrCFRoiscKpbIQtrSDbzz/T/6bHqbkp3h4etEG
+MLIs9bNoGh0ouSRPdaridgCL3QbjJFKlFOJCFxdPAVpql79gCK3gF2AgvFkR4oc9
+bMe4ivFEhwkTcf12fe/lK8p4YU0WjmjgCoXS49434dHm2KD3MNNi+sQggZea18JO
+okmAANBtrMY+mVpIcM9bUuWMiFECiQ8KP7gShRrLL3Iyl876/gRH9h2BSgFljxcg
+IG3FFpG+y5LMrR+m1iyO2UhYfY3+CKdU9MOl5q4l2ud7sSAGO2y3keWTQZWVv5rM
+XCBPC5ZVkP5AXJlZ/g4b+rd4td23/9BJl+i/WjTSAgWQNsXJLo0nHVx7l/zKIrQB
+ADZ8bQ+mNQ40PwdZijkJd0cJbwpF5OLmDJnzAcg92Pku9fosYaFqWEMGcoSwpLta
+jCwnti3iuBPwFWn3IwVPI1zflXoGpJi7OTTH6wFhqMR8zA37Vo0a2uGUxafpKBo1
+AgMBAAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBRN
+OP2GTr4YxfC3LjhS4gFMOmdvyDAfBgNVHSMEGDAWgBRNOP2GTr4YxfC3LjhS4gFM
+OmdvyDANBgkqhkiG9w0BAQsFAAOCAYEAF9IDjEnNE+krmZHJD0YdkVyp7xdGP+7R
+BRBykAlVG5SmyDSNifuWz7V7CDi6d2vladceceqtNOWzHx3L18dt9kWowHR5Lcrl
+Bq8+t0CvZpiB4EXVBPOmK/9VsU5tKdrqpasngpzXeG5WTYKwbd6/YOlap8SNi8Nq
+8MWM884vbj/Zf43Ono5vnJV53JWfshCXV647a+ByGDLLsgiLNMvwUdvqB5YyoAt5
+1Pdjmcl3WHFudwPpfVKQ0iaibQoRMimEsCxS2f5r2WqcqklMh2qLW4RR958jKrn4
+nOv/nf+NIwkA33f44xeNBjW8fo+/piO1USvHXy13E0NHj2JAp5yfqzQ6h5aD3gCn
+YEsJYEmrOfHVoj/Od14Z1RmBiwxxAV3nL5nUFrQFPVbBkMveSw3H1QueS5V0Nctr
+Hg4fFTl0+Gwl5d7W9OZvmKXfg0SX7i72+Py6Q2mcAy2W/8ZaMhyxmf6q7OYEXiHF
+7xDkvZXXC0JdkNBWHjLzRBa+rZr4yQy2
+-----END CERTIFICATE-----

SOURCES/spheresecureboot001.pem

@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            08:60:56:42:47:85:4c:fe:ba:bd:cb:99:d3:6b:c4:a8
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: OU = MSVSphere Certification Authority, emailAddress = security@msvsphere.ru, L = Moscow, ST = Moscow, C = RU, O = NCSD LLC, CN = MSVSphere Secure Boot CA
+        Validity
+            Not Before: Mar 22 16:42:54 2023 GMT
+            Not After : Mar 22 16:42:54 2053 GMT
+        Subject: OU = MSVSphere Certification Authority, emailAddress = security@msvsphere.ru, L = Moscow, ST = Moscow, C = RU, O = NCSD LLC, CN = MSVSphere Secure Boot Signing
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:d4:66:e0:18:8a:79:c1:61:3b:f7:48:c6:41:86:
+                    21:82:a4:00:59:e7:61:10:75:c5:fd:34:14:e1:44:
+                    86:bc:12:87:6d:9e:5c:f6:54:65:8f:31:c4:a3:62:
+                    65:15:40:70:f5:f2:cf:09:52:ca:c7:94:51:62:d0:
+                    fb:fc:1e:3d:21:7e:a8:10:40:9d:c1:8c:f9:0b:89:
+                    41:0c:5a:7e:2c:bd:cc:15:aa:6c:28:4b:94:03:a0:
+                    3f:16:5b:e5:b3:c7:05:3a:a7:f4:08:3f:18:d5:2d:
+                    a5:13:57:97:e7:0a:00:7e:59:43:73:c5:9c:e4:4d:
+                    dc:c6:ad:8b:37:6b:b9:78:62:4c:11:49:4e:ad:30:
+                    9c:3d:89:59:0e:a4:41:12:d8:fb:31:22:3c:57:75:
+                    ee:a5:45:55:d6:dc:4b:96:1c:f5:a9:95:9d:09:76:
+                    48:3b:15:5a:02:e6:23:2b:62:d7:51:f5:67:3a:32:
+                    d4:b8:21:b5:3c:34:82:5c:2b:70:52:32:cd:17:39:
+                    78:fd:a0:d8:99:d0:62:68:4b:b9:b3:8d:fd:f4:2e:
+                    34:5f:d8:48:c9:66:f5:91:cf:ee:34:87:68:a8:ca:
+                    ae:da:35:45:5c:4c:a9:40:f0:e1:a2:bd:33:88:8c:
+                    53:8a:cd:63:95:05:5d:48:1d:ce:ce:cb:cb:bb:7e:
+                    cb:5d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                49:59:67:B5:13:6C:C8:DF:7E:64:B9:22:E3:A9:35:50:6B:95:84:D5
+            X509v3 Extended Key Usage: 
+                Code Signing
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                E9:5A:22:76:4E:CE:34:C9:69:BD:42:5C:7C:6A:9F:5A:BE:AC:97:50
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        4b:5a:c8:7a:83:75:c0:02:e0:08:15:dd:e0:f6:0f:33:3c:8f:
+        84:d7:04:39:13:05:99:3d:5b:da:c3:45:d2:1d:2c:7a:1f:fd:
+        8c:ae:75:71:23:0a:11:43:a1:1c:90:83:70:a3:02:93:c9:27:
+        6b:dd:eb:2b:56:c5:7c:fb:8c:71:b3:e9:83:c8:a3:99:9d:9c:
+        d2:c1:2b:15:f3:c5:6e:22:30:e6:63:4f:50:1b:d0:f8:3b:e8:
+        c1:3f:9c:d0:a7:59:f5:5c:68:ce:2e:ae:79:94:8f:14:47:1c:
+        92:0c:72:3a:7f:fa:85:39:a1:9a:19:32:ab:7a:0a:4f:fe:ae:
+        bc:af:0c:5a:f0:0d:f2:ea:49:f6:53:4d:e1:aa:d7:2e:1e:aa:
+        e6:c8:5e:3c:91:b0:59:6d:e8:60:f7:af:34:47:c6:50:5b:90:
+        92:46:15:02:c4:d3:ed:3f:d2:c3:05:6e:78:cd:9b:84:b1:43:
+        84:d2:4a:9d:8e:db:d4:a9:90:5c:b8:8e:78:a0:5f:00:dd:b3:
+        f5:98:29:72:58:ab:99:5e:c8:ba:7f:21:72:ba:a3:c4:31:aa:
+        e7:b3:cd:02:aa:ae:54:77:4f:9c:73:68:60:a6:af:c4:b3:7a:
+        6e:64:94:9e:01:1b:c0:f9:b8:f1:5c:fd:de:cb:00:d7:ed:4d:
+        46:a9:4c:1f
+-----BEGIN CERTIFICATE-----
+MIIEZjCCA06gAwIBAgIQCGBWQkeFTP66vcuZ02vEqDANBgkqhkiG9w0BAQsFADCB
+tzEqMCgGA1UECxMhTVNWU3BoZXJlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSQw
+IgYJKoZIhvcNAQkBFhVzZWN1cml0eUBtc3ZzcGhlcmUucnUxDzANBgNVBAcTBk1v
+c2NvdzEPMA0GA1UECBMGTW9zY293MQswCQYDVQQGEwJSVTERMA8GA1UEChMITkNT
+RCBMTEMxITAfBgNVBAMTGE1TVlNwaGVyZSBTZWN1cmUgQm9vdCBDQTAgFw0yMzAz
+MjIxNjQyNTRaGA8yMDUzMDMyMjE2NDI1NFowgbwxKjAoBgNVBAsTIU1TVlNwaGVy
+ZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEkMCIGCSqGSIb3DQEJARYVc2VjdXJp
+dHlAbXN2c3BoZXJlLnJ1MQ8wDQYDVQQHEwZNb3Njb3cxDzANBgNVBAgTBk1vc2Nv
+dzELMAkGA1UEBhMCUlUxETAPBgNVBAoTCE5DU0QgTExDMSYwJAYDVQQDEx1NU1ZT
+cGhlcmUgU2VjdXJlIEJvb3QgU2lnbmluZzCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBANRm4BiKecFhO/dIxkGGIYKkAFnnYRB1xf00FOFEhrwSh22eXPZU
+ZY8xxKNiZRVAcPXyzwlSyseUUWLQ+/wePSF+qBBAncGM+QuJQQxafiy9zBWqbChL
+lAOgPxZb5bPHBTqn9Ag/GNUtpRNXl+cKAH5ZQ3PFnORN3MatizdruXhiTBFJTq0w
+nD2JWQ6kQRLY+zEiPFd17qVFVdbcS5Yc9amVnQl2SDsVWgLmIyti11H1Zzoy1Lgh
+tTw0glwrcFIyzRc5eP2g2JnQYmhLubON/fQuNF/YSMlm9ZHP7jSHaKjKrto1RVxM
+qUDw4aK9M4iMU4rNY5UFXUgdzs7Ly7t+y10CAwEAAaNlMGMwHwYDVR0jBBgwFoAU
+SVlntRNsyN9+ZLki46k1UGuVhNUwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDAYDVR0T
+AQH/BAIwADAdBgNVHQ4EFgQU6Voidk7ONMlpvUJcfGqfWr6sl1AwDQYJKoZIhvcN
+AQELBQADggEBAEtayHqDdcAC4AgV3eD2DzM8j4TXBDkTBZk9W9rDRdIdLHof/Yyu
+dXEjChFDoRyQg3CjApPJJ2vd6ytWxXz7jHGz6YPIo5mdnNLBKxXzxW4iMOZjT1Ab
+0Pg76ME/nNCnWfVcaM4urnmUjxRHHJIMcjp/+oU5oZoZMqt6Ck/+rryvDFrwDfLq
+SfZTTeGq1y4equbIXjyRsFlt6GD3rzRHxlBbkJJGFQLE0+0/0sMFbnjNm4SxQ4TS
+Sp2O29SpkFy4jnigXwDds/WYKXJYq5leyLp/IXK6o8QxquezzQKqrlR3T5xzaGCm
+r8Szem5klJ4BG8D5uPFc/d7LANftTUapTB8=
+-----END CERTIFICATE-----

SOURCES/spheresecurebootca.pem

@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            86:2f:3e:4c:b2:26:42:00:b8:3a:f1:25:79:9e:4e:41
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: OU = MSVSphere Certification Authority, emailAddress = security@msvsphere.ru, L = Moscow, ST = Moscow, C = RU, O = NCSD LLC, CN = MSVSphere Secure Boot CA
+        Validity
+            Not Before: Mar 22 16:42:54 2023 GMT
+            Not After : Mar 22 16:42:54 2053 GMT
+        Subject: OU = MSVSphere Certification Authority, emailAddress = security@msvsphere.ru, L = Moscow, ST = Moscow, C = RU, O = NCSD LLC, CN = MSVSphere Secure Boot CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:cc:19:da:af:e7:7c:fa:a6:b7:3e:9d:83:8c:70:
+                    30:53:96:9c:94:94:2f:92:0d:b7:d0:ae:ee:6a:2e:
+                    06:0b:2f:0a:43:a9:a2:ba:63:1d:f7:7d:7b:8e:b2:
+                    cd:f4:4b:1f:e7:8a:41:b2:4c:82:cb:b0:40:aa:fa:
+                    03:71:63:5a:b7:5b:d0:01:37:4f:88:4d:6e:a4:dd:
+                    af:e0:87:ce:95:86:6e:5f:a9:cf:90:23:7c:1e:b4:
+                    73:28:13:40:4d:95:07:ef:46:cf:c5:41:e6:5d:a7:
+                    e1:56:6f:30:8d:73:a6:4b:f7:57:09:01:af:98:c4:
+                    ee:d8:62:b0:aa:d9:be:6b:d3:58:17:9d:01:14:e8:
+                    7c:59:f1:64:de:4b:b9:e1:71:0c:ef:13:0e:9e:d9:
+                    f8:f9:60:62:96:0e:4c:fa:5f:0b:5c:e2:f4:9d:7f:
+                    49:24:3c:f4:c8:0d:14:2b:cb:1f:b1:92:dc:88:a8:
+                    e2:c7:86:21:c9:50:a9:9b:12:3f:dc:17:06:42:56:
+                    c0:6f:98:26:06:e1:19:3d:de:cf:a2:c8:b1:f7:80:
+                    86:3e:f7:33:d1:ca:f8:98:fd:3f:e0:03:10:25:b8:
+                    7f:5e:7c:cb:16:ed:e7:29:6d:9b:55:75:6d:aa:8f:
+                    95:19:ca:86:49:41:e1:ba:22:c1:86:a2:28:72:f8:
+                    9a:79
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                49:59:67:B5:13:6C:C8:DF:7E:64:B9:22:E3:A9:35:50:6B:95:84:D5
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                49:59:67:B5:13:6C:C8:DF:7E:64:B9:22:E3:A9:35:50:6B:95:84:D5
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        7b:50:33:73:3e:5f:6c:b9:1c:27:4f:68:cb:57:38:7a:f7:57:
+        c3:6c:cb:c1:5e:7a:3b:a6:d0:b1:b1:c9:7d:19:f1:40:3f:09:
+        24:fb:f2:08:a7:bb:94:40:4d:5d:cd:70:26:1f:d9:9f:9d:b7:
+        6e:7d:8c:bc:aa:7f:8a:be:42:c0:8c:db:82:6b:ad:08:38:2b:
+        b1:a1:c4:8c:f4:08:b9:eb:7d:e8:a1:df:03:47:e5:1e:4b:95:
+        4f:4f:a4:05:42:bd:9c:6f:f0:bd:ed:4f:bf:f7:d4:ad:a5:ef:
+        6e:1c:ad:9e:66:dd:4d:eb:3e:b4:d0:e0:39:2b:9d:72:8c:c0:
+        a8:8e:82:cd:23:f4:47:63:51:78:4a:cd:e8:54:47:09:a1:cd:
+        ef:b7:bf:c5:30:e6:24:0e:c3:f5:65:4b:59:ff:74:86:13:06:
+        a9:2a:2a:38:bd:05:4a:f7:12:eb:da:ed:e1:a1:7b:24:b2:53:
+        22:c9:49:a5:57:e0:2c:89:fe:62:95:b2:8c:4a:07:8d:c8:b1:
+        d2:22:8f:09:bd:a9:4e:01:88:cd:54:93:7c:22:98:51:a2:c4:
+        d5:f9:60:8d:2f:b8:b3:0d:01:47:c0:b0:34:01:12:c0:c3:46:
+        6b:4a:fc:6a:71:97:73:64:80:f9:82:ee:bd:6e:00:8d:cf:55:
+        f7:7d:d2:e6
+-----BEGIN CERTIFICATE-----
+MIIEYDCCA0igAwIBAgIRAIYvPkyyJkIAuDrxJXmeTkEwDQYJKoZIhvcNAQELBQAw
+gbcxKjAoBgNVBAsTIU1TVlNwaGVyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEk
+MCIGCSqGSIb3DQEJARYVc2VjdXJpdHlAbXN2c3BoZXJlLnJ1MQ8wDQYDVQQHEwZN
+b3Njb3cxDzANBgNVBAgTBk1vc2NvdzELMAkGA1UEBhMCUlUxETAPBgNVBAoTCE5D
+U0QgTExDMSEwHwYDVQQDExhNU1ZTcGhlcmUgU2VjdXJlIEJvb3QgQ0EwIBcNMjMw
+MzIyMTY0MjU0WhgPMjA1MzAzMjIxNjQyNTRaMIG3MSowKAYDVQQLEyFNU1ZTcGhl
+cmUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJDAiBgkqhkiG9w0BCQEWFXNlY3Vy
+aXR5QG1zdnNwaGVyZS5ydTEPMA0GA1UEBxMGTW9zY293MQ8wDQYDVQQIEwZNb3Nj
+b3cxCzAJBgNVBAYTAlJVMREwDwYDVQQKEwhOQ1NEIExMQzEhMB8GA1UEAxMYTVNW
+U3BoZXJlIFNlY3VyZSBCb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAzBnar+d8+qa3Pp2DjHAwU5aclJQvkg230K7uai4GCy8KQ6miumMd9317
+jrLN9Esf54pBskyCy7BAqvoDcWNat1vQATdPiE1upN2v4IfOlYZuX6nPkCN8HrRz
+KBNATZUH70bPxUHmXafhVm8wjXOmS/dXCQGvmMTu2GKwqtm+a9NYF50BFOh8WfFk
+3ku54XEM7xMOntn4+WBilg5M+l8LXOL0nX9JJDz0yA0UK8sfsZLciKjix4YhyVCp
+mxI/3BcGQlbAb5gmBuEZPd7Posix94CGPvcz0cr4mP0/4AMQJbh/XnzLFu3nKW2b
+VXVtqo+VGcqGSUHhuiLBhqIocviaeQIDAQABo2MwYTAfBgNVHSMEGDAWgBRJWWe1
+E2zI335kuSLjqTVQa5WE1TAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQUSVlntRNsyN9+ZLki46k1UGuVhNUwDQYJKoZIhvcNAQELBQAD
+ggEBAHtQM3M+X2y5HCdPaMtXOHr3V8Nsy8Feejum0LGxyX0Z8UA/CST78ginu5RA
+TV3NcCYf2Z+dt259jLyqf4q+QsCM24JrrQg4K7GhxIz0CLnrfeih3wNH5R5LlU9P
+pAVCvZxv8L3tT7/31K2l724crZ5m3U3rPrTQ4DkrnXKMwKiOgs0j9EdjUXhKzehU
+Rwmhze+3v8Uw5iQOw/VlS1n/dIYTBqkqKji9BUr3Euva7eGheySyUyLJSaVX4CyJ
+/mKVsoxKB43IsdIijwm9qU4BiM1Uk3wimFGixNX5YI0vuLMNAUfAsDQBEsDDRmtK
+/Gpxl3NkgPmC7r1uAI3PVfd90uY=
+-----END CERTIFICATE-----