v2023110002.0.0

@github-actions github-actions released this 05 Mar 15:24
· 191 commits to refs/heads/release/202311 since this release

What's Changed

  • Update Shared Crypto to version 2023.2.12 @apop5 (#757)
    Description

    See the following release notes for updates
    v2023.2.12.

    • Impacts functionality?
      • Functionality - Does the change ultimately impact how firmware functions?
      • Examples: Add a new library, publish a new PPI, update an algorithm, ...
    • Impacts security?
      • Security - Does the change have a direct security impact on an application,
        flow, or firmware?
      • Examples: Crypto algorithm change, buffer overflow fix, parameter
        validation improvement, ...
    • Breaking change?
      • Breaking change - Will anyone consuming this change experience a break
        in build or boot behavior?
      • Examples: Add a new library class, move a module to a different repo, call
        a function in a new library class in a pre-existing module, ...
    • Includes tests?
      • Tests - Does the change include any explicit test code?
      • Examples: Unit tests, integration tests, robot tests, ...
    • Includes documentation?
      • Documentation - Does the change contain explicit documentation additions
        outside direct code modifications (and comments)?
      • Examples: Update readme file, add feature readme file, link to documentation
        on a separate Web page, ...

    How This Was Tested

    • The crypto release was tested per the test description in the release.

    Integration Instructions

    N/A




  • [CHERRY-PICK] Pull CpuPageTableLib Changes from EDK2 @TaylorBeebe (#758)
    Description

    Fixes made to CpuPageTableLib since 202311 must be cherry-picked to resolve booting issues caused by other cherry-picks updating code to use the library.

    How This Was Tested

    Tested on Q35

    Integration Instructions

    N/A




  • [CHERRY-PICK] Unit Test Unexpected Exception @VivianNK (#756)
    Description

    Cherry pick from: https://github.com/tianocore/edk2/pull/5345

    How This Was Tested

    Local builds and CI tests ran.

    Integration Instructions

    N/A




  • Codeql update from 2.15.4 to 2.16.1 @apop5 (#743)
    Description

    Updating the CodeQL ext_dep to version 2.16.1.

    When running version 2.15.4, VS2022 ADO pipelines were sometimes showing:

    INFO - Not using precompiled PointerOverflow.qlx: This QLX (written by CodeQL 2.16.2) is too new for this CodeQL engine.
    INFO - Compiling query plan for C:\Users\VssAdministrator\.codeql\packages\codeql\cpp-queries\0.9.4\Likely Bugs\Memory Management\PointerOverflow.ql.
    INFO - [1/25] Compiled C:\Users\VssAdministrator\.codeql\packages\codeql\cpp-queries\0.9.4\Likely Bugs\Memory Management\PointerOverflow.ql.
    
    How This Was Tested

    Ran local CodeQL over the existing mu_basecore to see if new issues were reported on VS2022.
    The local run was completed with the additional build parameter --codeql during stuart_update and stuart_ci_build.
    Verified that the correct version of CodeQL existed in BaseTools\Plugin\CodeQL\codeql_windows_cli_extdep after the update process.

    Integration Instructions

    No changes necessary; the codeql ext_dep will be downloaded automatically.




  • CryptoPkg: Update to Shared Crypto 2023.2.11 @makubacki (#751)
    Description

    See the following release notes for updates v2023.2.11.

    How This Was Tested

    • The crypto release was tested per the test description in the release.

    Integration Instructions

    Platforms no longer have to explicitly specify that
    a crypto service is "NONE". If a crypto service is not used,
    the arch no longer needs to be explicitly set to "NONE" either.

    For example, a platform that only uses Standalone MM can now entirely
    omit the following lines from the platform DSC file:

    • SMM_CRYPTO_SERVICES = NONE
    • SMM_CRYPTO_ARCH = NONE


⚠️ Breaking Changes

  • [CHERRY-PICK] Stack Cookie Updates @TaylorBeebe (#754)
    This update changes the following:

    Fix NULL lib parsing

    When parsing INF files, Basetools treats both libraries and modules the same. When the library dependencies are being collected for a module/library, libraries linked via:

    NULL|Path/To/Library

    would be included in the list of dependencies for libraries, which does not match how these expressions are expected to be interpreted. This update changes the evaluation loop to skip NULL links when collecting dependencies for libraries.

    Add GCC ARM, AARCH64, IA32 support and MSVC IA32 support for StackCheckLibNull

    MSVC IA32 requires the __security_check_cookie function to specify byte size (@__security_check_cookie@4). This change also declares __stack_chk_fail() in StackCheckLibNull.c to support GCC.

    Implement Stack Cookie Support for MSVC IA32 and GCC IA32, ARM, and AARCH64

    This update replaces StackCheckLib with StackCheckLibStaticInit and StackCheckLibDynamicInit. The new libraries have GCC support for ARM, AARCH64, IA32 and X64 builds. The libraries have MSVC support for IA32 and X64 builds.

    StackCheckLibStaticInit does not have a library constructor and should be used whenever the stack cookie value cannot be updated during driver execution (i.e. when the stack cookie is not in a writable or no RNG library is available). The value of the stack cookie is generated at build time via a Basetools update.

    StackCheckLibDynamicInit has a library constructor and should be used whenever the stack cookie value can be updated at runtime (i.e. for DXE modules and shadowed PEIMs).

    Update StackCheckFailureLib to StackCheckFailureHookLib

    To clarify the purpose of StackCheckFailureLib, this PR renames it to StackCheckFailureHookLib. Also, the failure address is passed as an argument to the hook function to allow the hook to trace the fault. An interrupt will still be called after the hook returns.

    How This Was Tested

    Tested on Q35 GCC and MSVC builds by purposefully performing a stack overflow and verifying that the stack check failure hook was called, followed by the stack check failure interrupt.

    Integration Instructions

    Platforms will need to explicitly declare the StackCheckLib and StackCheckFailureLib instances for their platforms.

    StackCheckFailureHookLib|MdePkg/Library/StackCheckFailureHookLibNull/StackCheckFailureHookLibNull.inf
    [LibraryClasses.common.SEC, LibraryClasses.common.PEI_CORE]
      NULL|MdePkg/Library/StackCheckLibNull/StackCheckLibNull.inf
    
    [LibraryClasses.common.PEIM, LibraryClasses.common.MM_CORE_STANDALONE, LibraryClasses.common.MM_STANDALONE]
      NULL|MdePkg/Library/StackCheckLib/StackCheckLibStaticInit.inf
    
    [LibraryClasses.common.DXE_CORE, LibraryClasses.common.SMM_CORE, LibraryClasses.common.DXE_SMM_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.DXE_SAL_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
      NULL|MdePkg/Library/StackCheckLib/StackCheckLibDynamicInit.inf
    

    As shown in the example above.
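
The cookie lifecycle this update describes (a build-time value for StaticInit, a constructor-time replacement for DynamicInit, a failure hook that receives the failure address, then a trap standing in for the interrupt), as an added C illustration that is not the project's code. STATIC_STACK_COOKIE, FakeRngForDemo, PROTECTED_FRAME and the hook/trap/RunFrame names are constructed for the demo; the real libraries' symbols and cookie values are not reproduced here.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed build-time cookie, standing in for the value BaseTools generates
   for StackCheckLibStaticInit; not the project's real value. */
#define STATIC_STACK_COOKIE ((uintptr_t)0x5A3C9E1DUL)
static uintptr_t gStackCookie = STATIC_STACK_COOKIE;
typedef struct { unsigned HookCalls; uintptr_t LastFailureAddress; unsigned TrapCalls; } STACK_CHECK_STATS;
static STACK_CHECK_STATS gStats;
uintptr_t CurrentCookie(void) { return gStackCookie; }
STACK_CHECK_STATS CurrentStats(void) { return gStats; }

/* Hypothetical hook in the spirit of StackCheckFailureHookLib: it receives the
   failure address so it can be traced, and makes no attempt to recover. */
static void StackCheckFailureHook(uintptr_t FailureAddress) {
  gStats.HookCalls++;
  gStats.LastFailureAddress = FailureAddress;
}
/* Stands in for the interrupt raised after the hook returns. */
static void StackCheckTrap(void) { gStats.TrapCalls++; }

/* What a DynamicInit-style constructor does: replace the build-time cookie with
   a fresh random value, keeping the static value if no RNG is available. */
bool StackCookieDynamicInit(bool (*GetRandom)(uintptr_t *Out)) {
  uintptr_t Fresh = 0;
  if (GetRandom == NULL || !GetRandom(&Fresh) || Fresh == 0) return false;
  gStackCookie = Fresh;
  return true;
}

/* Constructed stand-in for an RNG library; a real one would use the platform RNG. */
bool FakeRngForDemo(uintptr_t *Out) { *Out = (uintptr_t)0x2F9B5E07UL; return true; }

/* Simulated protected frame: a fixed buffer with the cookie slot directly after
   it, mirroring how a compiler lays out a protected function's frame. */
typedef struct { uint8_t Buf[16]; uintptr_t Cookie; } PROTECTED_FRAME;

void FrameEnter(PROTECTED_FRAME *Frame) { Frame->Cookie = gStackCookie; }

/* Epilogue check: on a mismatch run the hook with the return address, then trap. */
bool FrameLeave(const PROTECTED_FRAME *Frame, uintptr_t ReturnAddress) {
  if (Frame->Cookie == gStackCookie) return true;
  StackCheckFailureHook(ReturnAddress);
  StackCheckTrap();
  return false;
}

/* Write Len bytes of 'A' from the start of the frame (capped at the object size);
   anything beyond Buf lands in the cookie slot, which is what the check detects. */
bool RunFrame(size_t Len, uintptr_t ReturnAddress) {
  PROTECTED_FRAME Frame;
  if (Len > sizeof(Frame)) Len = sizeof(Frame);
  FrameEnter(&Frame);
  memset(&Frame, 'A', Len);
  return FrameLeave(&Frame, ReturnAddress);
}

int main(void) {
  bool Intact = RunFrame(20, 0x2000);   /* 16-byte buffer: 4 bytes spill into the cookie */
  printf("frame intact: %d, hook calls: %u, trap calls: %u\n", Intact, CurrentStats().HookCalls, CurrentStats().TrapCalls);
  return Intact ? 1 : 0;
}
```

A frame entered before StackCookieDynamicInit runs fails its check afterwards, which is why the dynamic variant only fits modules whose constructor runs before any protected frame exists.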




  • [Cherry-Pick]: UefiCpuPkg/CpuMpPei. Use CpuPageTableLib to set memory attribute. Parallel get stack base for better performance. @apop5 (#744)
    Description

    Cherry picking two changes:
    • Parallel get stack base for better performance (tianocore/edk2@e8166a8)
    • Use CpuPageTableLib to set memory attribute.

    The cherry-picks originate from a performance improvement recommended by a silicon vendor.

    Added a Status check on the new functionality to prevent a CodeQL error.

    How This Was Tested

    Local CI runs
    Test on local hardware

    Integration Instructions

    N/A




🔐 Security Impacting

  • [CHERRY-PICK] Stack Cookie Updates @TaylorBeebe (#754), detailed under Breaking Changes above




🐛 Bug Fixes

  • ImageValidation: Pass build vars to fdf parser @Javagedes (#747)
    Description

    Updates the ImageValidation plugin to pass the locally (to the DSC) defined variables and the build variables to the fdf parser. The previous implementation only passed the variables defined in the DSC, which is a bug.

    This bug currently impacts any platform that actively uses the ImageValidation plugin and consumes the new crypto binaries in the FDF. In this scenario, SHARED_CRYPTO_PATH is passed to the DSC parser but not to the FDF parser, which results in the FDF parser failing due to paths not existing (as they contain $(SHARED_CRYPTO_PATH)).

    Error example: FileNotFoundError: $(SHARED_CRYPTO_PATH)/Driver/Bin/CryptoDriver.DXE.inc.fdf

    How This Was Tested

    Verified that build variables (such as BLD_*_) that are ultimately passed to build.py are correctly passed to both the DSC parser and the FDF parser, rather than just the DSC parser, for the ImageValidation plugin.

    Integration Instructions

    N/A




  • Fix section data length always 4 bytes larger than real data @kuqin12 (#752)
    Description

    This change fixes an issue where the returned section data length was always 4 bytes larger than the real section. This could cause the caller to read into the final 4 bytes, which is an invalid data region.

    How This Was Tested

    This is verified on QEMU Q35 platform and booted to UEFI shell.

    Integration Instructions

    N/A
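
The over-long section length described in this fix, as an added C example that is not the project's code: the buggy length computation beside a bounds-checked version, so the 4-byte overrun is visible on concrete input. It assumes the 4 extra bytes are the EFI_COMMON_SECTION_HEADER (the release note does not name the structure or function) and uses a constructed 12-byte sample section.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* EFI_COMMON_SECTION_HEADER from the PI spec: a 24-bit little-endian size that
   counts the header itself plus the section data, followed by a type byte. */
typedef struct {
  uint8_t Size[3];
  uint8_t Type;
} EFI_COMMON_SECTION_HEADER;

/* Total section size (header + data) read byte-wise from the raw buffer. */
static uint32_t SectionTotalSize(const uint8_t *Section) {
  return (uint32_t)Section[0] | ((uint32_t)Section[1] << 8) | ((uint32_t)Section[2] << 16);
}

/* The defect as the release note describes it (assumption: the 4 stray bytes are
   this header): the whole section size is reported as the data length, so a
   caller walking the data runs 4 bytes past the real payload. */
size_t SectionDataLengthBuggy(const uint8_t *Section) {
  return SectionTotalSize(Section);
}

/* Corrected form: subtract the header, and reject sizes that are smaller than the
   header or larger than the buffer that actually holds the section. */
bool SectionDataLength(const uint8_t *Section, size_t BufLen, size_t *DataLen) {
  if (Section == NULL || DataLen == NULL) return false;
  if (BufLen < sizeof(EFI_COMMON_SECTION_HEADER)) return false;
  uint32_t Total = SectionTotalSize(Section);
  if (Total < sizeof(EFI_COMMON_SECTION_HEADER) || Total > BufLen) return false;
  *DataLen = Total - sizeof(EFI_COMMON_SECTION_HEADER);
  return true;
}

/* True when trusting the buggy length would read past the end of the buffer. */
bool BuggyLengthOverruns(const uint8_t *Section, size_t BufLen) {
  return sizeof(EFI_COMMON_SECTION_HEADER) + SectionDataLengthBuggy(Section) > BufLen;
}

/* Constructed sample: a 12-byte section of type 0x19 (EFI_SECTION_RAW) carrying
   8 bytes of payload. */
const uint8_t kSampleSection[] = {
  0x0C, 0x00, 0x00,                        /* Size = 12 = 4 header + 8 data */
  0x19,                                    /* Type = EFI_SECTION_RAW */
  'M', 'u', 'B', 'a', 's', 'e', '!', '!',  /* payload */
};
const size_t kSampleSectionLen = sizeof(kSampleSection);

int main(void) {
  size_t Fixed = 0;
  bool Ok = SectionDataLength(kSampleSection, kSampleSectionLen, &Fixed);
  printf("buggy data length: %zu, overruns buffer: %d\n",
         SectionDataLengthBuggy(kSampleSection),
         BuggyLengthOverruns(kSampleSection, kSampleSectionLen));
  printf("fixed data length: %zu, valid: %d\n", Fixed, Ok);
  return (Ok && Fixed == 8) ? 0 : 1;
}
```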




Full Changelog: v2023110001.1.0...v2023110002.0.0