Releases: microsoft/mu_basecore
v2023110008.1.0
What's Changed
-
[Rebase \& FF] Adding support for CLANGPDB build @kuqin12 (#848)
Change Details
# Preface
Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.Description
This change added the tools_def section for building AARCH64 target with CLANGPDB.
A few assembly files are fixed up to remove unsupported directives.
Lastly, an issue of uninitialized variable that might be used is fixed from DevicesPathLib.
For each item, place an "x" in between
[and]if true. Example:[x].
(you can also check items in the GitHub UI)- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
This change is tested on QEMU SBSA platform and booted to UEFI shell.
Integration Instructions
Platforms that would like to build with CLANGPDB should specify
TOOL_CHAIN_TAG=CLANGPDBto build with CLANGPDB.</blockquote> <hr> </details> - Impacts functionality?
-
[CHERRY-PICK] Pull in fixes in UefiCpuPkg where we can dereference a NULL pointer for mCpuHotPlugData.SmBase @kenlautner (#887)
Change Details
## Description
Cherry-pick the following two commits that fix some issues with previously cherry-picked UefiCpuPkg commits. This mainly fixes a NULL dereference bug.
tianocore/edk2@72c441d
tianocore/edk2@edc6681For each item, place an "x" in between
[and]if true. Example:[x].
(you can also check items in the GitHub UI)- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Tested on Smm based intel physical platforms.
Integration Instructions
N/A
</blockquote> <hr> </details> - Impacts functionality?
-
Added MockPciIoProtocol and MockLocalApicLib @v-bhavanisu (#890)
Change Details
# Preface
Please ensure you have read the contribution docs prior
to submitting the pull request. In particular,
pull request guidelines.Description
Added MockPciIoProtocol and MockLocalApicLib to be used in GoogleTests
For each item, place an "x" in between
[and]if true. Example:[x].
(you can also check items in the GitHub UI)- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Integrated these into Intel Gen 11 for a GoogleTest and ensured no build errors
Integration Instructions
N/A
</blockquote> <hr> </details> - Impacts functionality?
-
MuCodeQlQueries.qls: Pin to the 0.9.12 codeq/cpp-queries pack @makubacki (#882)
Change Details
## Description
The
codeql/cpp-queriespack used in MuCodeQlQueries.qls was versioned
0.9.12 for the CodeQL CLI v2.17.3 release currently used.https://github.com/github/codeql/blob/codeql-cli/v2.17.3/cpp/ql/src/qlpack.yml
This change pins that pack version to prevent the CodeQL CLI and
pack from getting out of sync until explicitly updated.- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- Verified the CodeQL query pack version listed is pulled.
Integration Instructions
- N/A - No change to queries used. Should prevent breaks in the future where
the latest queries are no longer compatible with the current CodeQL CLI used.
🚀 Features & ✨ Enhancements
-
Add RNG PPI Support @makubacki (#881)
Change Details
## Description
MdePkg: Add Random Number Generator (RNG) PPI
Adds a new PPI that serves the same purpose as EFI_RNG_PROTOCOL in
DXE. This PPI can be produced by a PEIM to provide a dynamic interface
to RNG services in PEI.This PPI is called
EFI_RNG_PPIbecause it shares the exact same
interface withEFI_RNG_PROTOCOLwhich is described in the UEFI
Speficiation.
MdePkg: Add PeiRngLib
Adds a new PEI library instance for RngLib that uses the RNG services
provided by the RNG PPI.This library instance will add a DEPEX on gEfiRngPpiGuid on modules
it links against. It can be used to allow PEIMs to get RNG support
over a dynamic interface.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- MdePkg CI
- Verify the RNG PPI can be successfully produced and consumed
Integration Instructions
If a platform needs to share RNG support across a dynamic interface
between PEIMs, the RNG PPI can be used.PeiRngLibprovides aRngLib
instance that use the RNG PPI. It will include a dependency ongEfiRngPpiGuid.
🐛 Bug Fixes
-
Set EFI\_MEMORY\_SP as System Memory @os-d (#886)
Change Details
## Description
When supplying DxeCore with a resource descriptor HOB, a platform can choose which memory type to specify. For EFI_MEMORY_SP resource descriptor HOBs, instead of blindly setting GcdReserved as the memory type, respect what the resource descriptor HOB specified. Closes #884.
- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples:...
- Impacts functionality?
Contributors
Assets 4
v2023110008.0.0
What's Changed
-
NetworkPkg TcpDxe: Fixed system stuck on PXE boot flow in iPXE enviro… @Flickdm (#879)
Change Details
## Description
This bug fix is based on the following commit "NetworkPkg TcpDxe: SECURITY PATCH"
REF: 1904a64Issue Description:
An "Invalid handle" error was detected during runtime when attempting to destroy a child instance of the hashing protocol. The problematic code segment was:NetworkPkg\TcpDxe\TcpDriver.c
Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, &mHash2ServiceHandle);Root Cause Analysis:
The root cause of the error was the passing of an incorrect parameter type, a pointer to an EFI_HANDLE instead of an EFI_HANDLE itself, to the DestroyChild function. This mismatch resulted in the function receiving an invalid handle.Implemented Solution:
To resolve this issue, the function call was corrected to pass mHash2ServiceHandle directly:NetworkPkg\TcpDxe\TcpDriver.c
Status = Hash2ServiceBinding->DestroyChild(Hash2ServiceBinding, mHash2ServiceHandle);This modification ensures the correct handle type is used, effectively rectifying the "Invalid handle" error.
Verification:
Testing has been conducted, confirming the efficacy of the fix. Additionally, the BIOS can boot into the OS in an iPXE environment.Cc: Doug Flick [MSFT] [email protected]
Reviewed-by: Saloni Kasbekar [email protected]
- [ X] Impacts functionality?
- Corrects handle passed to DestroyChild(..)
- Impacts security?
- N/A
- Breaking change?
- N/A
- Includes tests?
- N/A
- Includes documentation?
- N/A
How This Was Tested
"Testing has been conducted, confirming the efficacy of the fix. Additionally, the BIOS can boot into the OS in an iPXE environment."
iPXE booted successfully
Integration Instructions
N/A
- [ X] Impacts functionality?
-
[CHERRY-PICK] MdePkg/SmBios.h: Add New ProcessorUpgrade definitions for SMBIOS Type4 @srilathasridharan (#858)
Change Details
## Description
The patch adds new ProcessorUpgrade definitions for SMBIOS Type4 based on SMBIOS 3.8.0.
- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Builds and boots on intel platforms.
Integration Instructions
N/A
- Impacts functionality?
-
[CHERRY\_PICK] UefiCpuPkg changes [Rebase \& FF] @srilathasridharan (#839)
Change Details
## Description
Cherry-pick commits to support latest intel platforms. Below is a summary of the commits included.
- Support for CPUID_EXTEND_TOPOLOGY
- Support for Customized FV Migration
- Create gMpInformationHobGuid2
- Support for choosing Non SMM BSP in SMM.
- Get processor extended information in SmmAddProcessor
- [x ] Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Verified on Intel platform. (Testing on older platforms pending).
Integration Instructions
N/A
-
BinToPcd.py: Remove xdrlib import @antklein (#852)
Change Details
## Description
- Run Python sort on imports
- Remove xdrlib import as it is not used and will be deprecated in Python 3.13
- This change was missed as part of implementing Python updates between release/202302 and release/202311 branches.
- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Validated this change does not impact the functionality of the BinToPcd.py script.
Integration Instructions
N/A
⚠️ Breaking Changes
-
[CHERRY-PICK] UefiCpuPkg: change name of gMpInformationHobGuid2 @srilathasridharan (#875)
Change Details
## Description
Change name of gMpInformationHobGuid2 to
gMpInformation2HobGuid. It's to align with
the file name MpInformation2.h and the
structure name MP_INFORMATION2_HOB_DATA.- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Tested on Intel platform
Integration Instructions
N/A
- Impacts functionality?
🚀 Features & ✨ Enhancements
-
Fixing an edge case in AutoGen script where BUILDMODULE might fail @kuqin12 (#878)
Change Details
## Description
This change fixed an edge case when invoking the build process with "BUILDMODULE" and no stack cookie is involved (i.e. pure assembly code), the build might fail.
The existing code path is written to handle such case, b...
Contributors
Assets 4
v2023020016.1.1
What's Changed
🔐 Security Impacting
-
Supports ARM Platforms without needing to disable PcdEnforceSecureRngAlgorithms @Flickdm (#855)
Change Details
## Description
This adds two additional options for "Secure RNG Algorithms"
&gEfiRngAlgorithmArmRndr, // unspecified SP800-90A DRBG via ARM RNDR register &gEfiRngAlgorithmRaw // Raw data from a NRBG (or a TRNG)
gEfiRngAlgorithmRaw takes data from the Hardware or CPU instruction
gEfiRngAlgorithmArmRndr is a newly proposed (and accepted) Guid that gets a "unspecified" SP800-90A algorithm from the CPU-
Impacts functionality?
- Adds two new acceptable algorithms to NetworkPkg Secure list
-
Impacts security?
- Allows for additional ARM specific algorithm and RAW
-
Breaking change?
-
Includes tests?
-
Includes documentation?
How This Was Tested
Tested on ARM platform
Integration Instructions
N/A
-
Full Changelog: v2023020016.1.0...v2023020016.1.1
Contributors
Assets 4
v2023020016.1.0
What's Changed
🚀 Features & ✨ Enhancements
-
Add the EFI\_RESOURCE\_ATTRIBUTE\_SPECIAL\_PURPOSE attribute [Rebase \& FF] @makubacki (#856)
Change Details
## Description
Cherry-pick of the changes in #851 to release/202302.
- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
stuart_ci_build passed clean.
Manual testing using UEFI firmware on a device showed the expected behavior when HOBs are marked with EFI_RESOURCE_ATTRIBUTE_SPECIAL_PURPOSE.
Integration Instructions
N/A
- Impacts functionality?
📖 Documentation Updates
-
[Release/202302] Updates NetworkPkg/SecurityFixes.yaml to reflect the current state of CVE patche @Flickdm (#824)
Change Details
## Description
Cherry-Picked : #823
This updates the SecurityFixes.yaml file to indicate which CVE's have been patched in this repo. This commit makes the repo current with the state of NetworkPkg CVEs patched
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
- This updates the documentation
How This Was Tested
N/A
Integration Instructions
N/A
Full Changelog: v2023020016.0.1...v2023020016.1.0
Contributors
Assets 4
v2023110007.1.0
What's Changed
🚀 Features & ✨ Enhancements
-
Add the EFI\_RESOURCE\_ATTRIBUTE\_SPECIAL\_PURPOSE attribute. @Patrick-Payne (#851)
Change Details
## Description
Add the EFI_RESOURCE_ATTRIBUTE_SPECIAL_PURPOSE resource attribute as per the PI 1.8 spec. This flag is used to indicate that the memory should be treated as special purpose memory (SPM).
Also adds GCD code that marks the SPM with the EFI_MEMORY_SP bit in the memory map and sets the GCD memory type to EfiGcdMemoryTypeSystemMemory.
- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- This change impacts how special purpose memory is represented in HOBs and in the memory map.
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
stuart_ci_build passed clean.
Manual testing using UEFI firmware on a device showed the expected behavior when HOBs are marked with EFI_RESOURCE_ATTRIBUTE_SPECIAL_PURPOSE.
Integration Instructions
N/A
- Impacts functionality?
Full Changelog: v2023110007.0.0...v2023110007.1.0
Contributors
Assets 4
v2023020016.0.1
What's Changed
-
CodeQL: Update from 2.15.4 to 2.17.3 @makubacki (#854)
Change Details
## Description
Update to pick up functional and security fixes. See the following
comparison for detailed differences:github/codeql-cli-binaries@v2.15.4...v2.17.3
This update provides compatibility with the latest query files.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- CodeQL CI plugin
Integration Instructions
N/A
-
[REBASE \&\& FF] Cherry-Pick Compatibility Mode Changes from 202311 @TaylorBeebe (#833)
-
[CHERRY-PICK] Cherry-pick Changes/Fixes from 202311 to 202302 @TaylorBeebe (#827)
🐛 Bug Fixes
-
CryptoPkg: Update shared crypto to 2023.2.9 @makubacki (#850)
Change Details
## Description
Includes the STANDARD crypto binary flavor that includes SHA384
and SHA512.- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- QemuQ35Pkg boot
- Crypto shell tests
Integration Instructions
No additional integration is needed. The shared crypto external
dependency in your workspace will be updated to the 2023.2.9
release when you include this commit.Note: This is labeled as a bug fix because SHA384 and SHA512 support
was previously missing.https://github.com/microsoft/mu_crypto_release/releases/tag/v2023.2.9
Full Changelog: v2023020016.0.0...v2023020016.0.1
Contributors
Assets 4
v2023110007.0.0
What's Changed
-
CodeQL: Update from 2.16.1 to 2.17.3 @makubacki (#853)
Change Details
## Description
Update to pick up functional and security fixes. See the following
comparison for detailed differences:github/codeql-cli-binaries@v2.16.1...v2.17.3
This update provides compatibility with the latest query files.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- CodeQL CI plugin
Integration Instructions
N/A
-
[CHERRY-PICK] MdePkg/IndustryStandard: Add \_PSD/\_CPC/Coord types definitions @apop5 (#844)
Change Details
## Description
Additional defines for dealing with Cstates and Pstate dependencies.
Comes from Acpi specification.
Add definitions for:
- _PSD version: added in ACPI 3.0
- C-state Coordination Types: added in ACPI 3.0
- _CPC version: added in ACPI 5.0
Reviewed-by: Sami Mujawar [email protected]
Reviewed-by: Liming Gao [email protected]- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
N/A
Integration Instructions
N/A
-
[REBASE \& FF] Add GoogleTest Mocks and STATIC Testing Ability @os-d (#830)
Change Details
## Description
This PR adds GoogleTest mocks needed for some AdvancedLogger GoogleTests. It also adds the capability to test STATIC functions by undefining the STATIC keyword if a HOST_APPLICATION is being built. The statement is that a HOST_APPLICATION is running with the minimal set of dependencies and should not run into symbol collision.
These will be sent to edk2, but feedback is wanted first, as well as getting the dependent Advanced Logger PR in. If this patch is approved, UnitTestFrameworkPkg's README will also be updated in edk2. This is not done here as that would create a lot of conflicts.
For each item, place an "x" in between
[and]if true. Example:[x].
(you can also check items in the GitHub UI)- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Tested with the Advanced Logger GoogleTests
Integration Instructions
Follow the UnitTestFrameworkPkg README.md for instructions on using GoogleTest mocks. To test STATIC functions, compile the relevant C files with your GoogleTest C++ files and you will be able to access the formerly STATIC functions in your test.
Interface tests (that load a library instead of compiling the C files) will still not be able to access STATIC functions. This is intentional as interface tests should be testing a library interface (the class itself) not an instance.
- Impacts functionality?
-
Make DEBUG\_ERROR Messages on Memory Protection Hob Mismatch More Explicit @TaylorBeebe (#838)
Change Details
## Description
To reduce the deluge of questions whenever the memory protection settings version is rolled, this PR adds extra prints when it detects a version mismatch to make it more clear what the cause of the ASSERT was.
- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Tested by setting the version incorrectly
Integration Instructions
N/A
- Impacts functionality?
-
[REBASE \&\& FF] Add StackCheckLib Readme and Add Function Address Printing on Stack Check Failure @TaylorBeebe (#829)
Change Details
This PR has two changes: 1. Print the return address when a stack check failure occurs to make debugging easier. 2. Add a readme for StackCheckLib
⚠️ Breaking Changes
-
[REBASE \&\& FF] Apply EFI\_MEMORY\_RP on Free Memory and Fix Unsafe Allocation Checking @TaylorBeebe (#768)
Change Details
This PR: 1. Adds the ability to apply EFI_MEMORY_RP on free memory 2. Fixes an unsafe allocation check so the logic branches if the allocation failed instead of just ASSERTing
🚀 Features & ✨ Enhancements
-
[CHERRY-PICK] Device Security Support Changes [Rebase \& FF] @makubacki (#846)
Change Details
## Description
This cherry-pick series includes the MdePkg and MdeModulePkg patches to support SPDM device authentication and measurement. A similar PR will be created in Mu Tiano Plus to bring in the changes needed to SecurityPkg.
Specs
- Trusted Computing Group (TCG)
- Defines the Device Security feature in the TCG PC Client Platform Firmware Profile Specification 1.06
- Distributed Management Task Force (DMTF)
- UEFI Forum
Changes
- Adds UEFI 2.10 Device Authentication definitions
MdePkg/Include/Guid/DeviceAuthentication.h
- Adds
gEfiDeviceSignatureDatabaseGuidto MdePkg.dec- Used by code later in the series.
- Adds SPDM 1.2 support - Updates Spdm.h to ...
- Trusted Computing Group (TCG)
Contributors
Assets 4
v2023110006.0.0
What's Changed
⚠️ Breaking Changes
-
Set RO/XP On EfiRuntimeServicesCode Regions Outside of Loaded Image Memory @TaylorBeebe (#822)
Change Details
## Description
The Memory Attributes Table is generated by fetching the EFI memory map and splitting entries which contain loaded images so DATA and CODE sections have separate descriptors. The splitting is done via a call to SplitTable() which
marks image DATA sections with the EFI_MEMORY_XP attribute and CODE sections with the EFI_MEMORY_RO attribute when
splitting. After this process, there may still be EfiRuntimeServicesCode regions which did not have their attributes set because they are not part of loaded images.This patch updates the MAT EnforceMemoryMapAttribute logic to set the access attributes of runtime memory regions which are not part of loaded images (have not had their access attributes set). The attributes of the code regions will be read-only and no-execute because the UEFI spec dictates that runtime code regions should only contain loaded EFI modules.
Refs:
- https://edk2.groups.io/g/devel/topic/patch_v1_mdemodulepkg/105570114?p=,,,20,0,0,0::recentpostdate/sticky,,,20,2,0,105570114
- https://edk2.groups.io/g/devel/topic/mdemodulepkg_fix_mat/105477564?p=,,,20,0,0,0::recentpostdate/sticky,,,20,2,0,105477564
- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Tested by Intel EDK2 consumers and on Q35
Integration Instructions
Project Mu consumers which allocate EfiRuntimeServicesCode regions outside of the PE loader may experience a break. If runtime executable code is necessary, this should be done via a loaded EFI module and not a random allocated buffer. If the EfiRuntimeServicesCode buffer only needs to be writable, then a buffer of type EfiRuntimeServicesData should be used instead.
</blockquote> <hr> </details>
🐛 Bug Fixes
-
Generate Random Stack Cookie Values in Module Build Path @TaylorBeebe (#825)
Change Details
## Description
If only a single module was being built instead of a platform DSC, the build scripts would not generate the random stack cookie values. On clean builds, this causes an error to be reported during the autogen process.
This PR updates build.py so the code path taken on module builds will generate the random stack cookie values.
- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Tested by specifying a build module on Q35.
Integration Instructions
N/A
- Impacts functionality?
🔐 Security Impacting
-
Set RO/XP On EfiRuntimeServicesCode Regions Outside of Loaded Image Memory @TaylorBeebe (#822)
Change Details
## Description
The Memory Attributes Table is generated by fetching the EFI memory map and splitting entries which contain loaded images so DATA and CODE sections have separate descriptors. The splitting is done via a call to SplitTable() which
marks image DATA sections with the EFI_MEMORY_XP attribute and CODE sections with the EFI_MEMORY_RO attribute when
splitting. After this process, there may still be EfiRuntimeServicesCode regions which did not have their attributes set because they are not part of loaded images.This patch updates the MAT EnforceMemoryMapAttribute logic to set the access attributes of runtime memory regions which are not part of loaded images (have not had their access attributes set). The attributes of the code regions will be read-only and no-execute because the UEFI spec dictates that runtime code regions should only contain loaded EFI modules.
Refs:
- https://edk2.groups.io/g/devel/topic/patch_v1_mdemodulepkg/105570114?p=,,,20,0,0,0::recentpostdate/sticky,,,20,2,0,105570114
- https://edk2.groups.io/g/devel/topic/mdemodulepkg_fix_mat/105477564?p=,,,20,0,0,0::recentpostdate/sticky,,,20,2,0,105477564
- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Tested by Intel EDK2 consumers and on Q35
Integration Instructions
Project Mu consumers which allocate EfiRuntimeServicesCode regions outside of the PE loader may experience a break. If runtime executable code is necessary, this should be done via a loaded EFI module and not a random allocated buffer. If the EfiRuntimeServicesCode buffer only needs to be writable, then a buffer of type EfiRuntimeServicesData should be used instead.
</blockquote> <hr> </details>
📖 Documentation Updates
-
[Release/202311] Updates NetworkPkg/SecurityFixes.yaml to reflect the current state of CVE patches @Flickdm (#823)
Change Details
## Description
This updates the SecurityFixes.yaml file to indicate which CVE's have been patched in this repo. This commit makes the repo current with the state of NetworkPkg CVEs patched
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
- This updates the documentation
How This Was Tested
N/A
Integration Instructions
N/A
</blockquote> <hr> </details>
Full Changelog: v2023110005.0.1...v2023110006.0.0
Contributors
Assets 4
v2023110005.0.1
What's Changed
🐛 Bug Fixes
-
Bug: Fix incorrect CodeQL fix - REBASE with PR 6024 @spbrogan (#818)
Change Details
## Description
In commit 2998774 an unintentional code change in BmBoot BmExpandFileDevicePath was introduced. The change intended to fix a CodeQL error but introduced a failure with the boot managers ability to expand a "short" file device path boot option.
- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Tested on an x64 vm platform
Integration Instructions
n/a
- Impacts functionality?
Full Changelog: v2023110005.0.0...v2023110005.0.1
Contributors
Assets 4
v2023020016.0.0
What's Changed
-
Bug: Fix incorrect CodeQL Fix - REBASE with PR 6024 @spbrogan (#819)
Change Details
(cherry picked from commit f26f86d)
Description
In commit 2998774 an unintentional code change in BmBoot BmExpandFileDevicePath was introduced. The change intended to fix a CodeQL error but introduced a failure with the boot managers ability to expand a "short" file device path boot option.
- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Tested on VM
Integration Instructions
NA
- Impacts functionality?
-
Fix Possible Allocation of Pages While They Are Being Freed @TaylorBeebe (#814)
Change Details
## Description
FreeMemoryMapStack() within CoreConvertPagesEx() may allocate pages which, if the converted memory is being freed (implied by the new type being EfiConventionalMemory), could cause the memory currently being freed to be allocated during the convert process it if CoreFreeMemoryMapStack() is called after AddRange(). So, if the convert is being done due to a free pages call, free the memory map stack before adding memory to the free list.
- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Tested on Q35
Integration Instructions
N/A
- Impacts functionality?
-
Add a Deprecated Build Option To Allow Incompatible AARCH64 Platforms To Opt Out of 64k Runtime Granularity @os-d (#798)
Change Details
## Description
Some AARCH64 platforms are incompatible with 64k runtime granularity. This PR adds a build option that is consumed to enable a deprecated option to set the runtime page allocation granularity to 4k. This option should not be used except for old platforms that cannot be updated to comply with 64k runtime granularity. Using this option breaks compatibility with the UEFI spec.
For each item, place an "x" in between
[and]if true. Example:[x].
(you can also check items in the GitHub UI)- Impacts functionality?
- Functionality - Does the change ultimately impact how firmware functions?
- Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
- Security - Does the change have a direct security impact on an application,
flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter
validation improvement, ...
- Security - Does the change have a direct security impact on an application,
- Breaking change?
- Breaking change - Will anyone consuming this change experience a break
in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call
a function in a new library class in a pre-existing module, ...
- Breaking change - Will anyone consuming this change experience a break
- Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
- Documentation - Does the change contain explicit documentation additions
outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation
on an a separate Web page, ...
- Documentation - Does the change contain explicit documentation additions
How This Was Tested
Tested with setting flag and unsetting.
Integration Instructions
Do not use this option without an old platform that cannot support 64k.
MSFT:*_*_*_CC_FLAGS = /D __DEPRECATED_AARCH64_4K_RUNTIME_GRANULARITY GCC:*_*_*_CC_FLAGS = -D __DEPRECATED_AARCH64_4K_RUNTIME_GRANULARITY
For those platforms, set the above in the platform DSC.
- Impacts functionality?
⚠️ Breaking Changes
-
[Cherry-Pick] PixieFail Security Patches for TCBZ451 and TCB4542 @Flickdm (#801)
Change Details
## Description
Cherry-picked from release/202311
This fixes the remaining two issues from PixieFail.
See https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
for more detailed information on:- CVE 2023-45236 (TCBZ4541)
- CVE 2023-45237 (TCBZ4542)
- Impacts functionality?
- Impacts security?
- Fixes vulnerabilities identified by Pixie Fail
- Updates the ISN generation to follow the specification
- Replaces all instances of NET_RANDOM with the random number generator provided by the platform.
- Breaking change?
- Yes this depends on the Hash2ServiceProtocol. A platform must publish these in order for these patches to work.
- Includes tests?
- Includes documentation?
How This Was Tested
This was tested on a physical platform by PXEBooting and performing TCP Connections through DFCI
Integration Instructions
Ensure the platform publishes the HASH 2 Protocol.
🔐 Security Impacting
-
[Cherry-Pick] PixieFail Security Patches for TCBZ451 and TCB4542 @Flickdm (#801)
Change Details
## Description
Cherry-picked from release/202311
This fixes the remaining two issues from PixieFail.
See https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
for more detailed information on:- CVE 2023-45236 (TCBZ4541)
- CVE 2023-45237 (TCBZ4542)
- Impacts functionality?
- Impacts security?
- Fixes vulnerabilities identified by Pixie Fail
- Updates the ISN generation to follow the specification
- Replaces all instances of NET_RANDOM with the random number generator provided by the platform.
- Breaking change?
- Yes this depends on the Hash2ServiceProtocol. A platform must publish these in order for these patches to work.
- Includes tests?
- Includes documentation?
How This Was Tested
This was tested on a physical platform by PXEBooting and performing TCP Connections through DFCI
Integration Instructions
Ensure the platform publishes the HASH 2 Protocol.
-
[CHERRY-PICK] Add NO\_STACK\_COOKIE to Module Entry Points @TaylorBeebe (#796)
Change Details
## Description
When the DXE dispatcher dispatches an EFI module, execution starts with the ModuleEntryPoint of the EFI. If the stack cookie value is randomized during the library constructor process and the ModuleEntryPoint includes a stack cookie check, then the value of the stack cookie will change between the start an...