From aa7865006c84608a8ef68a808b82b990d77fb678 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Thu, 26 Dec 2024 03:25:08 +0300 Subject: [PATCH] import edk2-20240524-6.el9_5.3 --- ...-Fix-overflow-issue-in-BasePeCoffLib.patch | 50 +++ ...2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch | 350 ++++++++++++++++++ ...rmVirtPkg-Add-a-Fallback-RNG-RH-only.patch | 101 +++++ ...spatcher-after-initializing-virtio-r.patch | 45 +++ SPECS/edk2.spec | 28 +- 5 files changed, 572 insertions(+), 2 deletions(-) create mode 100644 SOURCES/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch create mode 100644 SOURCES/edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch create mode 100644 SOURCES/edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch create mode 100644 SOURCES/edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch diff --git a/SOURCES/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch b/SOURCES/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch new file mode 100644 index 0000000..226d21b --- /dev/null +++ b/SOURCES/edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch @@ -0,0 +1,50 @@ +From 10d25d4d502e419476c3846e0243bbf6be24d8e4 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 1 Oct 2024 18:40:41 -0400 +Subject: [PATCH] MdePkg: Fix overflow issue in BasePeCoffLib + +RH-Author: Jon Maloy +RH-MergeRequest: 95: MdePkg: Fix overflow issue in BasePeCoffLib +RH-Jira: RHEL-60831 +RH-Acked-by: Oliver Steffen +RH-Commit: [1/1] 2f345a9e5f277598a78edc1aab33c6acc96c6caa + +JIRA: https://issues.redhat.com/browse/RHEL-60831 +CVE: CVE-2024-38796 +Upstream: Merged + +commit c95233b8525ca6828921affd1496146cff262e65 +Author: Doug Flick +Date: Fri Sep 27 12:08:55 2024 -0700 + + MdePkg: Fix overflow issue in BasePeCoffLib + + The RelocDir->Size is a UINT32 value, and RelocDir->VirtualAddress is + also a UINT32 value. The current code does not check for overflow when + adding RelocDir->Size to RelocDir->VirtualAddress. This patch adds a + check to ensure that the addition does not overflow. + + Signed-off-by: Doug Flick + Authored-by: sriraamx gobichettipalayam + +Signed-off-by: Jon Maloy +--- + MdePkg/Library/BasePeCoffLib/BasePeCoff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c +index 86ff2e769b..128090d98e 100644 +--- a/MdePkg/Library/BasePeCoffLib/BasePeCoff.c ++++ b/MdePkg/Library/BasePeCoffLib/BasePeCoff.c +@@ -1054,7 +1054,7 @@ PeCoffLoaderRelocateImage ( + RelocDir = &Hdr.Te->DataDirectory[0]; + } + +- if ((RelocDir != NULL) && (RelocDir->Size > 0)) { ++ if ((RelocDir != NULL) && (RelocDir->Size > 0) && (RelocDir->Size - 1 < MAX_UINT32 - RelocDir->VirtualAddress)) { + RelocBase = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress (ImageContext, RelocDir->VirtualAddress, TeStrippedOffset); + RelocBaseEnd = (EFI_IMAGE_BASE_RELOCATION *)PeCoffLoaderImageAddress ( + ImageContext, +-- +2.39.3 + diff --git a/SOURCES/edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch b/SOURCES/edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch new file mode 100644 index 0000000..747862e --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch @@ -0,0 +1,350 @@ +From fb1162845ff2d0e5f7fc7bb890896a4a6bde2981 Mon Sep 17 00:00:00 2001 +From: Oliver Steffen +Date: Mon, 4 Nov 2024 12:40:12 +0100 +Subject: [PATCH 1/2] OvmfPkg: Add a Fallback RNG (RH only) + +RH-Author: Oliver Steffen +RH-MergeRequest: 101: Add a Fallback RNG (RH only) +RH-Jira: RHEL-65735 +RH-Acked-by: Gerd Hoffmann +RH-Commit: [1/2] d4aec962fd120ac2903b91403d87b86af944bd83 + +Since the pixiefail CVE fix, the network stack requires a random number +generator. +In case there is no hardware random number generator available, +have the Platform Boot Manager install a pseudo RNG to ensure +the network can be used. + +Signed-off-by: Oliver Steffen +--- + .../PlatformBootManagerLib/BdsPlatform.c | 7 + + .../PlatformBootManagerLib/FallbackRng.c | 222 ++++++++++++++++++ + .../PlatformBootManagerLib/FallbackRng.h | 20 ++ + .../PlatformBootManagerLib.inf | 5 + + 4 files changed, 254 insertions(+) + create mode 100644 OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c + create mode 100644 OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h + +diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c +index d9f61757cf..87d1ac3142 100644 +--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c ++++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c +@@ -15,6 +15,8 @@ + #include + #include + ++#include "FallbackRng.h" ++ + // + // Global data + // +@@ -539,6 +541,9 @@ PlatformBootManagerBeforeConsole ( + ConnectVirtioPciRng, + NULL + ); ++ ++ FallbackRngCheckAndInstall (); ++ + } + + EFI_STATUS +@@ -1778,6 +1783,8 @@ PlatformBootManagerAfterConsole ( + + DEBUG ((DEBUG_INFO, "PlatformBootManagerAfterConsole\n")); + ++ FallbackRngPrintWarning (); ++ + if (PcdGetBool (PcdOvmfFlashVariablesEnable)) { + DEBUG (( + DEBUG_INFO, +diff --git a/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c +new file mode 100644 +index 0000000000..bba60e29d5 +--- /dev/null ++++ b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c +@@ -0,0 +1,222 @@ ++/** @file ++ Copyright (C) 2024, Red Hat, Inc. ++ SPDX-License-Identifier: BSD-2-Clause-Patent ++**/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "FallbackRng.h" ++ ++typedef struct { ++ EFI_RNG_PROTOCOL Rng; ++ EFI_HANDLE Handle; ++} FALLBACK_RNG_DEV; ++ ++/** ++ Returns information about the random number generation implementation. ++ ++ @param[in] This A pointer to the EFI_RNG_PROTOCOL ++ instance. ++ @param[in,out] RNGAlgorithmListSize On input, the size in bytes of ++ RNGAlgorithmList. ++ On output with a return code of ++ EFI_SUCCESS, the size in bytes of the ++ data returned in RNGAlgorithmList. On ++ output with a return code of ++ EFI_BUFFER_TOO_SMALL, the size of ++ RNGAlgorithmList required to obtain the ++ list. ++ @param[out] RNGAlgorithmList A caller-allocated memory buffer filled ++ by the driver with one EFI_RNG_ALGORITHM ++ element for each supported RNG algorithm. ++ The list must not change across multiple ++ calls to the same driver. The first ++ algorithm in the list is the default ++ algorithm for the driver. ++ ++ @retval EFI_SUCCESS The RNG algorithm list was returned ++ successfully. ++ @retval EFI_UNSUPPORTED The services is not supported by this ++ driver. ++ @retval EFI_DEVICE_ERROR The list of algorithms could not be ++ retrieved due to a hardware or firmware ++ error. ++ @retval EFI_INVALID_PARAMETER One or more of the parameters are ++ incorrect. ++ @retval EFI_BUFFER_TOO_SMALL The buffer RNGAlgorithmList is too small ++ to hold the result. ++ ++**/ ++STATIC ++EFI_STATUS ++EFIAPI ++FallbackRngGetInfo ( ++ IN EFI_RNG_PROTOCOL *This, ++ IN OUT UINTN *RNGAlgorithmListSize, ++ OUT EFI_RNG_ALGORITHM *RNGAlgorithmList ++ ) ++{ ++ if ((This == NULL) || (RNGAlgorithmListSize == NULL)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ if (*RNGAlgorithmListSize < sizeof (EFI_RNG_ALGORITHM)) { ++ *RNGAlgorithmListSize = sizeof (EFI_RNG_ALGORITHM); ++ return EFI_BUFFER_TOO_SMALL; ++ } ++ ++ if (RNGAlgorithmList == NULL) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ *RNGAlgorithmListSize = sizeof (EFI_RNG_ALGORITHM); ++ CopyGuid (RNGAlgorithmList, &gEfiRngAlgorithmRaw); ++ ++ return EFI_SUCCESS; ++} ++ ++/** ++ Produces and returns an RNG value using either the default or specified RNG ++ algorithm. ++ ++ @param[in] This A pointer to the EFI_RNG_PROTOCOL ++ instance. ++ @param[in] RNGAlgorithm A pointer to the EFI_RNG_ALGORITHM that ++ identifies the RNG algorithm to use. May ++ be NULL in which case the function will ++ use its default RNG algorithm. ++ @param[in] RNGValueLength The length in bytes of the memory buffer ++ pointed to by RNGValue. The driver shall ++ return exactly this numbers of bytes. ++ @param[out] RNGValue A caller-allocated memory buffer filled ++ by the driver with the resulting RNG ++ value. ++ ++ @retval EFI_SUCCESS The RNG value was returned successfully. ++ @retval EFI_UNSUPPORTED The algorithm specified by RNGAlgorithm ++ is not supported by this driver. ++ @retval EFI_DEVICE_ERROR An RNG value could not be retrieved due ++ to a hardware or firmware error. ++ @retval EFI_NOT_READY There is not enough random data available ++ to satisfy the length requested by ++ RNGValueLength. ++ @retval EFI_INVALID_PARAMETER RNGValue is NULL or RNGValueLength is ++ zero. ++ ++**/ ++STATIC ++EFI_STATUS ++EFIAPI ++FallbackRngGetRNG ( ++ IN EFI_RNG_PROTOCOL *This, ++ IN EFI_RNG_ALGORITHM *RNGAlgorithm OPTIONAL, ++ IN UINTN RNGValueLength, ++ OUT UINT8 *RNGValue ++ ) ++{ ++ UINT64 RandomData; ++ EFI_STATUS Status; ++ UINTN i; ++ ++ if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) { ++ return EFI_INVALID_PARAMETER; ++ } ++ ++ // ++ // We only support the raw algorithm, so reject requests for anything else ++ // ++ if ((RNGAlgorithm != NULL) && ++ !CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw)) ++ { ++ return EFI_UNSUPPORTED; ++ } ++ ++ for (i = 0; i < RNGValueLength; ++i) { ++ if (i % 4 == 0) { ++ Status = GetRandomNumber64 (&RandomData); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ } ++ } ++ ++ return EFI_SUCCESS; ++} ++ ++static FALLBACK_RNG_DEV Dev = { ++ .Rng.GetInfo = FallbackRngGetInfo, ++ .Rng.GetRNG = FallbackRngGetRNG, ++ .Handle = NULL, ++}; ++ ++EFI_STATUS ++FallbackRngCheckAndInstall ( ++ ) ++{ ++ EFI_STATUS Status; ++ EFI_HANDLE *HandleBuffer = NULL; ++ UINTN HandleCount = 0; ++ ++ if (Dev.Handle != NULL) { ++ DEBUG ((DEBUG_INFO, "Fallback RNG already installed.\n")); ++ return EFI_ALREADY_STARTED; ++ } ++ ++ Status = gBS->LocateHandleBuffer ( ++ ByProtocol, ++ &gEfiRngProtocolGuid, ++ NULL, ++ &HandleCount, ++ &HandleBuffer ++ ); ++ ++ gBS->FreePool (HandleBuffer); ++ ++ if (Status == EFI_NOT_FOUND) { ++ HandleCount = 0; ++ } else if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "Error locating RNG protocol instances: %r\n", Status)); ++ return Status; ++ } ++ ++ DEBUG ((DEBUG_INFO, "Found %u RNGs\n", HandleCount)); ++ ++ if (HandleCount == 0) { ++ // Install RNG ++ Status = gBS->InstallProtocolInterface ( ++ &Dev.Handle, ++ &gEfiRngProtocolGuid, ++ EFI_NATIVE_INTERFACE, ++ &Dev.Rng ++ ); ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "Failed to install fallback RNG: %r\n", Status)); ++ return Status; ++ } ++ ++ gDS->Dispatch (); ++ } ++ ++ return EFI_SUCCESS; ++} ++ ++VOID ++FallbackRngPrintWarning ( ++ ) ++{ ++ if (Dev.Handle != NULL) { ++ Print (L"WARNING: Pseudo Random Number Generator in use - Pixiefail CVE not mitigated!\n"); ++ DEBUG ((DEBUG_WARN, "WARNING: Pseudo Random Number Generator in use - Pixiefail CVE not mitigated!\n")); ++ gBS->Stall (2000000); ++ } ++} +diff --git a/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h +new file mode 100644 +index 0000000000..77332bc51c +--- /dev/null ++++ b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h +@@ -0,0 +1,20 @@ ++/** @file ++ Copyright (C) 2024, Red Hat, Inc. ++ SPDX-License-Identifier: BSD-2-Clause-Patent ++**/ ++ ++#ifndef _FALLBACK_RNG_H_ ++#define _FALLBACK_RNG_H_ ++ ++#include ++#include ++ ++EFI_STATUS ++FallbackRngCheckAndInstall ( ++ ); ++ ++VOID ++FallbackRngPrintWarning ( ++ ); ++ ++#endif +diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf +index c6ffc1ed9e..211716e30d 100644 +--- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf ++++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf +@@ -25,6 +25,8 @@ + PlatformData.c + QemuKernel.c + BdsPlatform.h ++ FallbackRng.c ++ FallbackRng.h + + [Packages] + MdePkg/MdePkg.dec +@@ -56,6 +58,7 @@ + PlatformBmPrintScLib + Tcg2PhysicalPresenceLib + XenPlatformLib ++ RngLib + + [Pcd] + gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent +@@ -80,6 +83,7 @@ + gEfiDxeSmmReadyToLockProtocolGuid # PROTOCOL SOMETIMES_PRODUCED + gEfiLoadedImageProtocolGuid # PROTOCOL SOMETIMES_PRODUCED + gEfiFirmwareVolume2ProtocolGuid # PROTOCOL SOMETIMES_CONSUMED ++ gEfiRngProtocolGuid # PROTOCOL SOMETIMES_PRODUCED + + [Guids] + gEfiEndOfDxeEventGroupGuid +@@ -87,3 +91,4 @@ + gRootBridgesConnectedEventGroupGuid + gUefiShellFileGuid + gGrubFileGuid ++ gEfiRngAlgorithmRaw +-- +2.39.3 + diff --git a/SOURCES/edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch b/SOURCES/edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch new file mode 100644 index 0000000..6d2588d --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch @@ -0,0 +1,101 @@ +From 194fa0cc8ba8c0c2b8ca4e478ce80f17e25812d9 Mon Sep 17 00:00:00 2001 +From: Oliver Steffen +Date: Thu, 7 Nov 2024 11:36:22 +0100 +Subject: [PATCH 2/2] OvmfPkg/ArmVirtPkg: Add a Fallback RNG (RH only) + +RH-Author: Oliver Steffen +RH-MergeRequest: 101: Add a Fallback RNG (RH only) +RH-Jira: RHEL-65735 +RH-Acked-by: Gerd Hoffmann +RH-Commit: [2/2] 8bf84d42332ab54f6d1f768c8abe62485e7a12c9 + +Since the pixiefail CVE fix, the network stack requires a random number +generator. +In case there is no hardware random number generator available, +have the Platform Boot Manager install a pseudo RNG to ensure +the network can be used. + +This patch adds the fallback RNG which was introduced in a +previous commit also to the ArmVirtPkg PlatformBootManagerLib. + +Signed-off-by: Oliver Steffen +--- + OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c | 6 ++++++ + .../PlatformBootManagerLibLight/PlatformBootManagerLib.inf | 5 +++++ + 2 files changed, 11 insertions(+) + +diff --git a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c +index 8e93f3cfed..8aa1e8e2df 100644 +--- a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c ++++ b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBm.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include "FallbackRng.h" + + #include "PlatformBm.h" + +@@ -1029,6 +1030,7 @@ PlatformBootManagerBeforeConsole ( + // + FilterAndProcess (&gEfiGraphicsOutputProtocolGuid, NULL, AddOutput); + ++ + // + // Add the hardcoded short-form USB keyboard device path to ConIn. + // +@@ -1110,6 +1112,8 @@ PlatformBootManagerBeforeConsole ( + // + FilterAndProcess (&gVirtioDeviceProtocolGuid, IsVirtioSerial, SetupVirtioSerial); + FilterAndProcess (&gEfiPciIoProtocolGuid, IsVirtioPciSerial, SetupVirtioSerial); ++ ++ FallbackRngCheckAndInstall (); + } + + /** +@@ -1175,6 +1179,8 @@ PlatformBootManagerAfterConsole ( + RETURN_STATUS Status; + BOOLEAN Uninstall; + ++ FallbackRngPrintWarning (); ++ + // + // Show the splash screen. + // +diff --git a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf +index 8e7cd5605f..4583c05ef4 100644 +--- a/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf ++++ b/OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf +@@ -27,6 +27,8 @@ + PlatformBm.c + PlatformBm.h + QemuKernel.c ++ ../PlatformBootManagerLib/FallbackRng.h ++ ../PlatformBootManagerLib/FallbackRng.c + + [Packages] + MdeModulePkg/MdeModulePkg.dec +@@ -53,6 +55,7 @@ + UefiBootServicesTableLib + UefiLib + UefiRuntimeServicesTableLib ++ RngLib + + [FixedPcd] + gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate +@@ -70,6 +73,7 @@ + gEfiGlobalVariableGuid + gRootBridgesConnectedEventGroupGuid + gUefiShellFileGuid ++ gEfiRngAlgorithmRaw + + [Protocols] + gEfiFirmwareVolume2ProtocolGuid +@@ -77,3 +81,4 @@ + gEfiMemoryAttributeProtocolGuid + gEfiPciRootBridgeIoProtocolGuid + gVirtioDeviceProtocolGuid ++ gEfiRngProtocolGuid +-- +2.39.3 + diff --git a/SOURCES/edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch b/SOURCES/edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch new file mode 100644 index 0000000..5ab493b --- /dev/null +++ b/SOURCES/edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch @@ -0,0 +1,45 @@ +From 203d30bedd01e953a2f5962877c87da7a1d6fcc3 Mon Sep 17 00:00:00 2001 +From: Oliver Steffen +Date: Mon, 4 Nov 2024 19:00:11 +0100 +Subject: [PATCH] OvmfPkg: Rerun dispatcher after initializing virtio-rng + +RH-Author: Oliver Steffen +RH-MergeRequest: 105: OvmfPkg: Rerun dispatcher after initializing virtio-rng +RH-Jira: RHEL-63094 +RH-Acked-by: Gerd Hoffmann +RH-Commit: [1/1] 87d0a3f9392d3b7788193148ee74f6edfe719a3e + +Since the pixiefail CVE fix the network stack requires a hardware +random number generator. This can currently be a modern CPU supporting +the RDRAND instruction or a virtio-rng device. +The latter is initialized during the BDS phase. +To ensure all depending (network) modules are also started, we need to +run the dispatcher once more after the device was initialized. +Without this, network boot is not available under certain hardware +configurations. + +Fixes: 4c4ceb2ceb ("NetworkPkg: SECURITY PATCH CVE-2023-45237") + +Analysed-by: Stefano Garzarella +Suggested-by: Gerd Hoffmann +Signed-off-by: Oliver Steffen +--- + OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c +index 87d1ac3142..1f1298eb0b 100644 +--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c ++++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c +@@ -675,6 +675,8 @@ ConnectVirtioPciRng ( + if (EFI_ERROR (Status)) { + goto Error; + } ++ ++ gDS->Dispatch (); + } + + return EFI_SUCCESS; +-- +2.45.1 + diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec index 0b4fbb6..bd0ce68 100644 --- a/SPECS/edk2.spec +++ b/SPECS/edk2.spec @@ -21,7 +21,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE} -Release: 6%{?dist} +Release: 6%{?dist}.3 Summary: UEFI firmware for 64-bit virtual machines License: BSD-2-Clause-Patent and Apache-2.0 and MIT URL: http://www.tianocore.org @@ -101,6 +101,14 @@ Patch42: edk2-AmdSevDxe-Fix-the-shim-fallback-reboot-workaround-fo.patch Patch43: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-skip-PatchInstructionX86-c.patch # For RHEL-56974 - qemu-kvm: warning: Blocked re-entrant IO on MemoryRegion: acpi-cpu-hotplug at addr: 0x0 [rhel-9] Patch44: edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch +# For RHEL-60831 - CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-9.5] +Patch45: edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch +# For RHEL-65735 - [Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-9.5.z] +Patch46: edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch +# For RHEL-65735 - [Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-9.5.z] +Patch47: edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch +# For RHEL-63094 - [Regression] HTTP Boot fails to work with edk2-ovmf-20231122-6.el9_4.2 and greater [rhel-9.5] +Patch48: edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch # python3-devel and libuuid-devel are required for building tools. # python3-devel is also needed for varstore template generation and @@ -435,9 +443,25 @@ install -m 0644 \ %changelog -* Fri Nov 08 2024 Dmitriy Samoylik - 20240524-6 +* Fri Nov 22 2024 Jon Maloy - 20240524-6.el9_5.3 +- edk2-OvmfPkg-Rerun-dispatcher-after-initializing-virtio-r.patch [RHEL-63094] +- Resolves: RHEL-63094 + ([Regression] HTTP Boot fails to work with edk2-ovmf-20231122-6.el9_4.2 and greater [rhel-9.5]) + +* Mon Nov 11 2024 Miroslav Rezanina - 20240524-6.el9_5.2 +- edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-65735] +- edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-65735] +- Resolves: RHEL-65735 + ([Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-9.5.z]) + +* Fri Nov 08 2024 Dmitriy Samoylik - 20240524-6.el9_5.1 - Added msvsphere certificates for secure boot +* Wed Oct 16 2024 Miroslav Rezanina - 20240524-6.el9_5.1 +- edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch [RHEL-60831] +- Resolves: RHEL-60831 + (CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-9.5]) + * Fri Sep 13 2024 Miroslav Rezanina - 20240524-6 - edk2-OvmfPkg-CpuHotplugSmm-delay-SMM-exit.patch [RHEL-56974] - edk2-Bumped-openssl-submodule-version-to-0205b5898872.patch [RHEL-55336]