[Patch 3/3] Ext4Pkg: Add .DSC file.

Pedro Falcato
 

This file is required to build Ext4Pkg.

Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>

Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com>
---
Features/Ext4Pkg/Ext4Pkg.dsc | 68 ++++++++++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 Features/Ext4Pkg/Ext4Pkg.dsc

diff --git a/Features/Ext4Pkg/Ext4Pkg.dsc b/Features/Ext4Pkg/Ext4Pkg.dsc
new file mode 100644
index 0000000000..62cb4e69cf
--- /dev/null
+++ b/Features/Ext4Pkg/Ext4Pkg.dsc
@@ -0,0 +1,68 @@
+## @file=0D
+# Ext4 Package=0D
+#=0D
+# This package provides libraries and drivers related to the ext4 filesys=
tem implementation.=0D
+# More details are available at: https://www.kernel.org/doc/html/v5.4/fil=
esystems/ext4/index.html=0D
+#=0D
+# Copyright (c) 2021 Pedro Falcato=0D
+# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+#=0D
+##=0D
+=0D
+=0D
+[Defines]=0D
+ PLATFORM_NAME =3D Ext4=0D
+ PLATFORM_GUID =3D 6B4BF998-668B-46D3-BCFA-971F99F8708C=
=0D
+ PLATFORM_VERSION =3D 0.1=0D
+ DSC_SPECIFICATION =3D 0x00010005=0D
+ SUPPORTED_ARCHITECTURES =3D IA32|X64|EBC|ARM|AARCH64|RISCV64=0D
+ OUTPUT_DIRECTORY =3D Build/Ext4Pkg=0D
+ BUILD_TARGETS =3D DEBUG|RELEASE|NOOPT=0D
+ SKUID_IDENTIFIER =3D DEFAULT=0D
+=0D
+[BuildOptions]=0D
+ *_*_*_CC_FLAGS =3D -D DISABLE_NEW_DEPRECATED_INTER=
FACES=0D
+=0D
+[LibraryClasses]=0D
+ #=0D
+ # Entry Point Libraries=0D
+ #=0D
+ UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntry=
Point.inf=0D
+ #=0D
+ # Common Libraries=0D
+ #=0D
+ BaseLib|MdePkg/Library/BaseLib/BaseLib.inf=0D
+ BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf=0D
+ UefiLib|MdePkg/Library/UefiLib/UefiLib.inf=0D
+ PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf=0D
+ PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf=0D
+ MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAll=
ocationLib.inf=0D
+ UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBoo=
tServicesTableLib.inf=0D
+ UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/U=
efiRuntimeServicesTableLib.inf=0D
+ DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf=0D
+ DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD=
ebugPrintErrorLevelLib.inf=0D
+ DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf=0D
+ OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib=
/BaseOrderedCollectionRedBlackTreeLib.inf=0D
+ BaseUcs2Utf8Lib|RedfishPkg/Library/BaseUcs2Utf8Lib/BaseUcs2Utf8Lib.inf=0D
+=0D
+##########################################################################=
#########################=0D
+#=0D
+# Components Section - list of the modules and components that will be pro=
cessed by compilation=0D
+# tools and the EDK II tools to generate PE32/PE32+/C=
off image files.=0D
+#=0D
+# Note: The EDK II DSC file is not used to specify how compiled binary ima=
ges get placed=0D
+# into firmware volume images. This section is just a list of module=
s to compile from=0D
+# source into UEFI-compliant binaries.=0D
+# It is the FDF file that contains information on combining binary f=
iles into firmware=0D
+# volume images, whose concept is beyond UEFI and is described in PI=
specification.=0D
+# Binary modules do not need to be listed in this section, as they s=
hould be=0D
+# specified in the FDF file. For example: Shell binary (Shell_Full.e=
fi), FAT binary (Fat.efi),=0D
+# Logo (Logo.bmp), and etc.=0D
+# There may also be modules listed in this section that are not requ=
ired in the FDF file,=0D
+# When a module listed here is excluded from FDF file, then UEFI-com=
pliant binary will be=0D
+# generated for it, but the binary will not be put into any firmware=
volume.=0D
+#=0D
+##########################################################################=
#########################=0D
+=0D
+[Components]=0D
+ Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.inf=0D
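Review bot: In [LibraryClasses], DebugLib resolves to BaseDebugLibNull for every entry in BUILD_TARGETS, so ASSERT() and DEBUG() in Ext4Dxe do nothing even in DEBUG and NOOPT builds of a driver whose job is to parse on-disk ext4 structures. Consider mapping DebugLib to a real instance for DEBUG and NOOPT and keeping the Null instance for RELEASE only. The BaseUcs2Utf8Lib mapping also makes the package depend on RedfishPkg, which is worth stating in the commit message.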
--=20
2.32.0


[Patch 1/3] Ext4Pkg: Add Ext4Pkg.dec and Ext4Pkg.uni.

Pedro Falcato
 

These files are needed to build Ext4Pkg.

Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>

Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com>
---
Features/Ext4Pkg/Ext4Pkg.dec | 17 +++++++++++++++++
Features/Ext4Pkg/Ext4Pkg.uni | 14 ++++++++++++++
2 files changed, 31 insertions(+)
create mode 100644 Features/Ext4Pkg/Ext4Pkg.dec
create mode 100644 Features/Ext4Pkg/Ext4Pkg.uni

diff --git a/Features/Ext4Pkg/Ext4Pkg.dec b/Features/Ext4Pkg/Ext4Pkg.dec
new file mode 100644
index 0000000000..f1f8b39c3c
--- /dev/null
+++ b/Features/Ext4Pkg/Ext4Pkg.dec
@@ -0,0 +1,17 @@
+## @file=0D
+# Ext4 Package=0D
+#=0D
+# This package provides libraries and drivers related to the ext4 filesys=
tem implementation.=0D
+# More details are available at: https://www.kernel.org/doc/html/v5.4/fil=
esystems/ext4/index.html=0D
+#=0D
+# Copyright (c) 2021 Pedro Falcato=0D
+# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+#=0D
+##=0D
+=0D
+[Defines]=0D
+ DEC_SPECIFICATION =3D 0x00010005=0D
+ PACKAGE_NAME =3D Ext4Pkg=0D
+ PACKAGE_UNI_FILE =3D Ext4Pkg.uni=0D
+ PACKAGE_GUID =3D 6B4BF998-668B-46D3-BCFA-971F99F8708C=
=0D
+ PACKAGE_VERSION =3D 0.1=0D
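Review bot: PACKAGE_GUID in [Defines] is 6B4BF998-668B-46D3-BCFA-971F99F8708C, the same value patch 3/3 assigns to PLATFORM_GUID in Ext4Pkg.dsc. The package and the platform are different objects and should not share an identifier; generate a fresh GUID for one of the two.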
diff --git a/Features/Ext4Pkg/Ext4Pkg.uni b/Features/Ext4Pkg/Ext4Pkg.uni
new file mode 100644
index 0000000000..abeadd8fd9
--- /dev/null
+++ b/Features/Ext4Pkg/Ext4Pkg.uni
@@ -0,0 +1,14 @@
+## @file=0D
+# Ext4 Package=0D
+#=0D
+# This package provides libraries and drivers related to the ext4 filesys=
tem implementation.=0D
+# More details are available at: https://www.kernel.org/doc/html/v5.4/fil=
esystems/ext4/index.html=0D
+#=0D
+# Copyright (c) 2021 Pedro Falcato=0D
+# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+#=0D
+##=0D
+=0D
+#string STR_PACKAGE_ABSTRACT #language en-US "Module implementa=
tions for the EXT4 file system"=0D
+=0D
+#string STR_PACKAGE_DESCRIPTION #language en-US "This package cont=
ains UEFI drivers and libraries for the EXT4 file system."=0D
--=20
2.32.0


[Patch 0/3] Ext4Pkg: Add Ext4Pkg

Pedro Falcato
 

This patch-set adds Ext4Pkg, a package designed to hold various drivers and
utilities related to the EXT4 filesystem.

Right now, it holds a single read-only UEFI EXT4 driver (Ext4Dxe), which consumes the
DISK_IO, BLOCK_IO and DISK_IO2 protocols and produces EFI_FILE_PROTOCOL and
EFI_SIMPLE_FILE_SYSTEM_PROTOCOL; this driver allows the mounting of EXT4 partitions and
the reading of their contents.

Relevant RFC discussion, which includes a more in-depth walkthrough of EXT4 internals and
driver limitations, is available at https://edk2.groups.io/g/devel/topic/84368561.

Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>

Pedro Falcato (3):
Ext4Pkg: Add Ext4Pkg.dec and Ext4Pkg.uni.
Ext4Pkg: Add Ext4Dxe driver.
Ext4Pkg: Add .DSC file.

Features/Ext4Pkg/Ext4Dxe/BlockGroup.c | 208 ++++++
Features/Ext4Pkg/Ext4Dxe/Collation.c | 157 +++++
Features/Ext4Pkg/Ext4Dxe/Crc16.c | 75 ++
Features/Ext4Pkg/Ext4Dxe/Crc32c.c | 84 +++
Features/Ext4Pkg/Ext4Dxe/Directory.c | 492 ++++++++++++++
Features/Ext4Pkg/Ext4Dxe/DiskUtil.c | 83 +++
Features/Ext4Pkg/Ext4Dxe/Ext4Disk.h | 450 ++++++++++++
Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.c | 454 +++++++++++++
Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.h | 942 ++++++++++++++++++++++++++
Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.inf | 147 ++++
Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.uni | 15 +
Features/Ext4Pkg/Ext4Dxe/Extents.c | 616 +++++++++++++++++
Features/Ext4Pkg/Ext4Dxe/File.c | 583 ++++++++++++++++
Features/Ext4Pkg/Ext4Dxe/Inode.c | 468 +++++++++++++
Features/Ext4Pkg/Ext4Dxe/Partition.c | 120 ++++
Features/Ext4Pkg/Ext4Dxe/Superblock.c | 257 +++++++
Features/Ext4Pkg/Ext4Pkg.dec | 17 +
Features/Ext4Pkg/Ext4Pkg.dsc | 68 ++
Features/Ext4Pkg/Ext4Pkg.uni | 14 +
19 files changed, 5250 insertions(+)
create mode 100644 Features/Ext4Pkg/Ext4Dxe/BlockGroup.c
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Collation.c
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Crc16.c
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Crc32c.c
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Directory.c
create mode 100644 Features/Ext4Pkg/Ext4Dxe/DiskUtil.c
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Ext4Disk.h
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.c
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.h
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.inf
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Ext4Dxe.uni
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Extents.c
create mode 100644 Features/Ext4Pkg/Ext4Dxe/File.c
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Inode.c
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Partition.c
create mode 100644 Features/Ext4Pkg/Ext4Dxe/Superblock.c
create mode 100644 Features/Ext4Pkg/Ext4Pkg.dec
create mode 100644 Features/Ext4Pkg/Ext4Pkg.dsc
create mode 100644 Features/Ext4Pkg/Ext4Pkg.uni

--
2.32.0


Re: EmulatorPkg and the state of DlLoadImage()

Andrew Fish
 



On Jul 30, 2021, at 3:37 AM, Marvin Häuser <mhaeuser@...> wrote:

Good day everyone,

I'm currently refining the port of EmulatorPkg to my new PE/COFF loader library instance.
In the process, I found the function DlOpenImage() [1], which loads UEFI Images via the OS loader to utilise its symbol loading capability. Theoretically, this should e.g. allow arbitrary debuggers using the OS APIs to symbolise the backtrace.

macOS: The function seems to be unused entirely. [2]

Linux: On my system running Fedora 34, the function neither works out-of-the-box, nor after significant time of trying to fix it. The first issue is that it only proceeds if the Image has a PDB path with ".pdb" extension [3], while the GCC5 toolchain generates Images with ".dll" files for PDB paths (see errors below). Once this is resolved, there is an error message indicating insufficient Image section alignment:

[...]/Build/EmulatorX64/DEBUG_GCC5/X64/MdeModulePkg/Universal/EbcDxe/EbcDxe/DEBUG/EbcDxe.dll: ELF load command alignment not page-aligned


The requiring *.pdb seems like something that rotted out and could be fixed. 

Resolving this yields an error that executable files cannot be loaded dynamically:

[...]/Build/EmulatorX64/DEBUG_GCC5/X64/MdeModulePkg/Core/Pei/PeiMain/DEBUG/PeiCore.dll: cannot dynamically load executable

With my very limited knowledge about Linux and ELF I tried the naive approach of building the Images as shared (hoping it would be similar to DLLs, which are built on Windows), but this just silently crashes.


This code is very very old. Notice the comment about gdb predates gdb Python support [1].

What happens if you comment out the DlLoadImage path? There seem to be some gdb scripts? The macOS path sets breakpoints on SecGdbScriptBreak() in an lldb script and loads symbols via that path. That is probably the best path forward for gdb too? 

It looks like if you `build.sh run` you should launch the emulator under gdb and source the symbol loading file.
EmulatorPkg/build.sh:221:  /usr/bin/gdb $BUILD_ROOT_ARCH/Host -q -cd=$BUILD_ROOT_ARCH -x $WORKSPACE/EmulatorPkg/Unix/GdbRun.sh

If you comment out the dlopen() path does it start working? Looks like breaking in with gdb should get symbols loaded? 

So my questions are:
1) Does this code currently work for anyone?
2) Does anyone use a debugging setup that is incompatible with Images loaded by EDK II rather than the OS?

Not a 100% sure what you are asking? In a lot of cases you are debugging what is compatible with the OS? For example on macOS we build a mach-O and convert that to PE/COFF. We point the PDB entry at the mach-O file and that is what the debugger sees. As long as the PE/COFF lines up with the mach-O it does not really matter, as at the end of the day the debugger is just processing the dwarf debug info associated with addresses in system memory. 

3) Are the issues above known and planned to be fixed?


Not likely, please file a BZ. 

Note I’m working on getting a generic gdb debugging script into the edk2 [2] and that should also work with the Emulator. I think you could replace the ` -x $WORKSPACE/EmulatorPkg/Unix/GdbRun.sh` with `-ex efi_gdb.py`. There is not a break hook in those scripts so you would have to run the `efi` command the 1st time you attach to load symbols. The efi_gdb.py script works on stock EFI so it does not depend on any of the hooks in the EmulatorPkg to work. 

Thank you for your time!

Best regards,
Marvin


[1]
https://github.com/tianocore/edk2/blob/be282b14938846960cce30825a9fe762e14ca8c9/EmulatorPkg/Unix/Host/Host.c#L1065-L1113

[2]
https://github.com/tianocore/edk2/blob/be282b14938846960cce30825a9fe762e14ca8c9/EmulatorPkg/Unix/Host/Host.c#L1071-L1073

[3]
https://github.com/tianocore/edk2/blob/be282b14938846960cce30825a9fe762e14ca8c9/EmulatorPkg/Unix/Host/Host.c#L1084-L1086
https://github.com/tianocore/edk2/blob/be282b14938846960cce30825a9fe762e14ca8c9/EmulatorPkg/Unix/Host/Host.c#L1003-L1026



Thanks,

Andrew Fish


[PATCH edk2-platforms v3 6/6] Platform/ARM: Juno: Add JunoPkg.ci.yaml for CI support

PierreGondois
 

From: Pierre Gondois <Pierre.Gondois@arm.com>

Add a JunoPkg.ci.yaml file to enable the CI for the JunoPkg.

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com>
---
Platform/ARM/JunoPkg/JunoPkg.ci.yaml | 104 +++++++++++++++++++++++++++
1 file changed, 104 insertions(+)
create mode 100644 Platform/ARM/JunoPkg/JunoPkg.ci.yaml

diff --git a/Platform/ARM/JunoPkg/JunoPkg.ci.yaml b/Platform/ARM/JunoPkg/JunoPkg.ci.yaml
new file mode 100644
index 000000000000..7e7f201b40ec
--- /dev/null
+++ b/Platform/ARM/JunoPkg/JunoPkg.ci.yaml
@@ -0,0 +1,104 @@
+## @file
+# Core CI configuration for JunoPkg
+#
+# VExpressPkg is part of Platform CI for builds so this is only
+# used for code analysis.
+#
+# Copyright (c) Microsoft Corporation
+# Copyright (c) 2021, Arm Ltd. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+{
+ ## options defined .pytool/Plugin/LicenseCheck
+ "LicenseCheck": {
+ "IgnoreFiles": []
+ },
+ "EccCheck": {
+ ## Exception sample looks like below:
+ ## "ExceptionList": [
+ ## "<ErrorID>", "<KeyWord>"
+ ## ]
+ "ExceptionList": [
+ ],
+ ## Both file path and directory path are accepted.
+ "IgnoreFiles": [
+ ]
+ },
+ ## options defined .pytool/Plugin/CompilerPlugin
+ "CompilerPlugin": {
+ "DscPath": "" # Don't support this test
+ # Build the Package using a PlatformCI, similarly to ArmVirtPkg.
+ },
+
+ ## options defined .pytool/Plugin/HostUnitTestCompilerPlugin
+ "HostUnitTestCompilerPlugin": {
+ "DscPath": "" # Don't support this test
+ },
+
+ ## options defined .pytool/Plugin/CharEncodingCheck
+ "CharEncodingCheck": {
+ "IgnoreFiles": []
+ },
+
+ ## options defined .pytool/Plugin/DependencyCheck
+ "DependencyCheck": {
+ "AcceptableDependencies": [
+ "ArmPkg/ArmPkg.dec",
+ "ArmPlatformPkg/ArmPlatformPkg.dec",
+ "DynamicTablesPkg/DynamicTablesPkg.dec",
+ "EmbeddedPkg/EmbeddedPkg.dec",
+ "MdePkg/MdePkg.dec",
+ "MdeModulePkg/MdeModulePkg.dec",
+ "Platform/ARM/ARM.dec",
+ "Platform/ARM/Drivers/FdtPlatformDxe/FdtPlatformDxe.dec",
+ "Platform/ARM/JunoPkg/ArmJuno.dec",
+ ],
+ # For host based unit tests
+ "AcceptableDependencies-HOST_APPLICATION":[
+ "UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec"
+ ],
+ # For UEFI shell based apps
+ "AcceptableDependencies-UEFI_APPLICATION":[
+
+ ],
+ "IgnoreInf": []
+ },
+
+ ## options defined .pytool/Plugin/DscCompleteCheck
+ "DscCompleteCheck": {
+ "IgnoreInf": [""],
+ "DscPath": "" # Don't support this test
+ # "DscPath": "ArmJuno.dsc" # Don't support this test
+ },
+
+ ## options defined .pytool/Plugin/HostUnitTestDscCompleteCheck
+ "HostUnitTestDscCompleteCheck": {
+ "IgnoreInf": [""],
+ "DscPath": "" # Don't support this test
+ },
+
+ ## options defined .pytool/Plugin/GuidCheck
+ "GuidCheck": {
+ "IgnoreGuidName": [], # Expected duplication for gEfiFirmwareVolumeTopFileGuid
+ "IgnoreGuidValue": [
+ ],
+ "IgnoreFoldersAndFiles": [],
+ "IgnoreDuplicates": [],
+ },
+
+ ## options defined .pytool/Plugin/LibraryClassCheck
+ "LibraryClassCheck": {
+ "IgnoreHeaderFile": []
+ },
+
+ ## options defined .pytool/Plugin/SpellCheck
+ "SpellCheck": {
+ "AuditOnly": True,
+ "IgnoreFiles": [], # use gitignore syntax to ignore errors in matching files
+ "ExtendWords": [
+
+ ], # words to extend to the dictionary for this package
+ "IgnoreStandardPaths": [], # Standard Plugin defined paths that should be ignore
+ "AdditionalIncludePaths": [] # Additional paths to spell check (wildcards supported)
+ }
+}
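Review bot: The file header still reads "VExpressPkg is part of Platform CI for builds" although this is JunoPkg.ci.yaml; update the package name. In "GuidCheck", the comment "Expected duplication for gEfiFirmwareVolumeTopFileGuid" sits next to an empty "IgnoreGuidName" list, and "DscCompleteCheck" keeps a commented-out "DscPath": "ArmJuno.dsc" line; drop both leftovers or fill in the entries they describe.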
--
2.17.1


[PATCH edk2-platforms v3 5/6] .mergify: Add Mergify YML pull request rules configuration file

PierreGondois
 

From: Pierre Gondois <Pierre.Gondois@arm.com>

These files are copies of the files from the tianocore/edk2
repository. Any modification to the tianocore/edk2 files must be
reflected on the tianocore/edk2-platforms copies.

Initial commit-id in the edk2 repository: ab060128768b
Initial message:

Add directory for the Mergify YML configuration files that
provides rules and actions used to process a pull request.

* Auto commit a PR from EDK II Maintainer with 'push' label
set and all CI checks pass
* Auto close a PR from any developers without 'push' label
set and all CI checks pass.
* Auto close a PR from a non EDK II Maintainer that has
the 'push' label set.
* Post a comment to a PR that has a merge conflict.
Submitter can resolve conflicts and reopen the PR.
* Post a comment to a PR that fails PatchCheck.py
Submitter can resolve PatchCheck.py issues and
reopen the PR.

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3509

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com>
---

Notes:
v3:
- Align with the latest version in the edk2 repository. [Michael]

.mergify/config.yml | 50 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 .mergify/config.yml

diff --git a/.mergify/config.yml b/.mergify/config.yml
new file mode 100644
index 000000000000..bd6da4c77937
--- /dev/null
+++ b/.mergify/config.yml
@@ -0,0 +1,50 @@
+## @file
+# Mergify YML file that automatically merges a GitHub pull request against
+# edk2-ci if all of the GitHub branch protections have passed. It also
+# contains rules to:
+# * auto close branches that are not from an EDK II Maintainer
+# * post a comment on pull requests that have merge conflicts.
+# * post a comment on pull requests that have PatchCheck.py errors.
+#
+# Configuration Notes:
+# * Update the 'base=edk2-ci' statements with the name of the branch to merge
+# pull requests.
+#
+# * Update the 'status-failure' statement with the name of the name of the Azure
+# Pipelines Build that performs the EDK II Maintainer check.
+#
+# * This file must be checked into the 'default' branch of a repo. Copies
+# of this file on other branches of a repo are ignored by Mergify.
+#
+# Copyright (c) 2019 - 2021, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+# https://github.com/apps/mergify
+# https://doc.mergify.io/
+#
+##
+
+queue_rules:
+ - name: default
+ conditions:
+ - base~=(^main|^master|^stable/)
+ - label=push
+
+pull_request_rules:
+ - name: Automatically merge a PR when all required checks pass and 'push' label is present
+ conditions:
+ - base~=(^main|^master|^stable/)
+ - label=push
+ actions:
+ queue:
+ method: rebase
+ rebase_fallback: none
+ name: default
+
+ - name: Post a comment on a PR that can not be merged due to a merge conflict
+ conditions:
+ - base~=(^main|^master|^stable/)
+ - conflict
+ actions:
+ comment:
+ message: PR can not be merged due to conflict. Please rebase and resubmit
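Review bot: The header comment and the commit message describe rules this file does not contain: there is no rule that closes a pull request from a non-maintainer, none that comments on PatchCheck.py errors, and no 'base=edk2-ci' or 'status-failure' statement to update. As written, the only conditions for queueing a merge are the base branch pattern and label=push, so the maintainer check and the required CI checks rest entirely on the repository's branch protection and on who is allowed to apply the label. Either trim the header to match the two rules present or state that dependency in it.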
--
2.17.1


[PATCH edk2-platforms v3 4/6] .azurepipelines: Add Azure Pipelines YML configuration files

PierreGondois
 

From: Pierre Gondois <Pierre.Gondois@arm.com>

To enable CI support of the tianocore/edk2-platforms repository,
add YML configuration files used to run Continuous Integration (CI)
checks on Azure Pipelines agents.

These files are copies of the files from the tianocore/edk2
repository. Any modification to the tianocore/edk2 files must be
reflected on the tianocore/edk2-platforms copies.

The following files have been modified:
- .azurepipelines/templates/platform-build-run-steps.yml
- .azurepipelines/templates/pr-gate-build-job.yml
- .azurepipelines/templates/pr-gate-steps.yml

The sections modified are marked with the following comments:
-EDK2_PLATFORMS_MODIF_START
-EDK2_PLATFORMS_MODIF_END

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3509

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com>
---

Notes:
v3:
- Align with the latest version in the edk2 repository. [Sean]
- Replace Readme(s)'s content with a reference to the
edk2 repository. [Sean]
- Add step to checkout edk2's latest master in the CI. [Pierre]

.azurepipelines/ReadMe.md | 5 +
.azurepipelines/Ubuntu-GCC5.yml | 20 +++
.azurepipelines/Ubuntu-PatchCheck.yml | 36 +++++
.azurepipelines/Windows-VS2019.yml | 20 +++
.azurepipelines/templates/ReadMe.md | 5 +
.../templates/basetools-build-steps.yml | 37 +++++
.../templates/platform-build-run-steps.yml | 151 ++++++++++++++++++
.../templates/pr-gate-build-job.yml | 43 +++++
.azurepipelines/templates/pr-gate-steps.yml | 149 +++++++++++++++++
.../templates/spell-check-prereq-steps.yml | 22 +++
.pytool/Readme.md | 9 ++
11 files changed, 497 insertions(+)
create mode 100644 .azurepipelines/ReadMe.md
create mode 100644 .azurepipelines/Ubuntu-GCC5.yml
create mode 100644 .azurepipelines/Ubuntu-PatchCheck.yml
create mode 100644 .azurepipelines/Windows-VS2019.yml
create mode 100644 .azurepipelines/templates/ReadMe.md
create mode 100644 .azurepipelines/templates/basetools-build-steps.yml
create mode 100644 .azurepipelines/templates/platform-build-run-steps.yml
create mode 100644 .azurepipelines/templates/pr-gate-build-job.yml
create mode 100644 .azurepipelines/templates/pr-gate-steps.yml
create mode 100644 .azurepipelines/templates/spell-check-prereq-steps.yml

diff --git a/.azurepipelines/ReadMe.md b/.azurepipelines/ReadMe.md
new file mode 100644
index 000000000000..de69a4ca220d
--- /dev/null
+++ b/.azurepipelines/ReadMe.md
@@ -0,0 +1,5 @@
+EDK2_PLATFORMS_MODIF_START
+As the content of this folder has been imported from the tianocore repository at:
+https://github.com/tianocore/edk2
+Please use the Readme.md that can be found there.
+EDK2_PLATFORMS_MODIF_END
diff --git a/.azurepipelines/Ubuntu-GCC5.yml b/.azurepipelines/Ubuntu-GCC5.yml
new file mode 100644
index 000000000000..69ef68a3a195
--- /dev/null
+++ b/.azurepipelines/Ubuntu-GCC5.yml
@@ -0,0 +1,20 @@
+## @file
+# Azure Pipeline build file for a build using ubuntu and GCC5
+#
+# Copyright (c) Microsoft Corporation.
+# Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+trigger:
+- master
+- stable/*
+pr:
+- master
+- stable/*
+
+jobs:
+- template: templates/pr-gate-build-job.yml
+ parameters:
+ tool_chain_tag: 'GCC5'
+ vm_image: 'ubuntu-latest'
+ arch_list: "IA32,X64,ARM,AARCH64,RISCV64"
diff --git a/.azurepipelines/Ubuntu-PatchCheck.yml b/.azurepipelines/Ubuntu-PatchCheck.yml
new file mode 100644
index 000000000000..4de453bf9db8
--- /dev/null
+++ b/.azurepipelines/Ubuntu-PatchCheck.yml
@@ -0,0 +1,36 @@
+## @file
+# Azure Pipielines YML file that evalues the patch series in a PR using the
+# python script BaseTools/Scripts/PatchCheck.py.
+#
+# NOTE: This example monitors pull requests against the edk2-ci branch. Most
+# environments would replace 'edk2-ci' with 'master'.
+#
+# Copyright (c) 2019 - 2020, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+# https://github.com/tianocore
+#
+##
+
+trigger: none
+
+pr:
+- master
+- stable/*
+
+pool:
+ vmImage: 'ubuntu-latest'
+
+steps:
+- checkout: self
+ clean: true
+
+- task: UsePythonVersion@0
+ inputs:
+ versionSpec: '3.7.x'
+ architecture: 'x64'
+
+- script: |
+ git fetch origin $(System.PullRequest.TargetBranch):$(System.PullRequest.TargetBranch)
+ python BaseTools/Scripts/PatchCheck.py $(System.PullRequest.TargetBranch)..$(System.PullRequest.SourceCommitId)
+ displayName: 'Use PatchCheck.py to verify patch series in pull request'
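Review bot: The NOTE in the header says this example monitors pull requests against the edk2-ci branch, but the pr: trigger lists master and stable/*; remove or update the NOTE, and fix "Pipielines" and "evalues" while there. The script step runs BaseTools/Scripts/PatchCheck.py relative to the checkout of self, while platform-build-run-steps.yml in this patch treats edk2 as a submodule, so confirm that path exists in an edk2-platforms checkout. This file also selects Python 3.7.x where platform-build-run-steps.yml selects 3.8.x; one version across the pipelines would be easier to maintain.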
diff --git a/.azurepipelines/Windows-VS2019.yml b/.azurepipelines/Windows-VS2019.yml
new file mode 100644
index 000000000000..22f2d88c2c6a
--- /dev/null
+++ b/.azurepipelines/Windows-VS2019.yml
@@ -0,0 +1,20 @@
+## @file
+# Azure Pipeline build file for a build using Windows and VS2019
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+trigger:
+- master
+- stable/*
+
+pr:
+- master
+- stable/*
+
+jobs:
+- template: templates/pr-gate-build-job.yml
+ parameters:
+ tool_chain_tag: 'VS2019'
+ vm_image: 'windows-latest'
+ arch_list: "IA32,X64"
diff --git a/.azurepipelines/templates/ReadMe.md b/.azurepipelines/templates/ReadMe.md
new file mode 100644
index 000000000000..de69a4ca220d
--- /dev/null
+++ b/.azurepipelines/templates/ReadMe.md
@@ -0,0 +1,5 @@
+EDK2_PLATFORMS_MODIF_START
+As the content of this folder has been imported from the tianocore repository at:
+https://github.com/tianocore/edk2
+Please use the Readme.md that can be found there.
+EDK2_PLATFORMS_MODIF_END
diff --git a/.azurepipelines/templates/basetools-build-steps.yml b/.azurepipelines/templates/basetools-build-steps.yml
new file mode 100644
index 000000000000..d8c108c6e212
--- /dev/null
+++ b/.azurepipelines/templates/basetools-build-steps.yml
@@ -0,0 +1,37 @@
+## @file
+# File templates/basetools-build-job.yml
+#
+# template file to build basetools
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+parameters:
+ tool_chain_tag: ''
+
+steps:
+- ${{ if contains(parameters.tool_chain_tag, 'GCC') }}:
+ - bash: sudo apt-get update
+ displayName: Update apt
+ condition: and(gt(variables.pkg_count, 0), succeeded())
+
+ - bash: sudo apt-get install gcc g++ make uuid-dev
+ displayName: Install required tools
+ condition: and(gt(variables.pkg_count, 0), succeeded())
+
+- task: CmdLine@1
+ displayName: Build Base Tools from source
+ inputs:
+ filename: python
+ arguments: BaseTools/Edk2ToolsBuild.py -t ${{ parameters.tool_chain_tag }}
+ condition: and(gt(variables.pkg_count, 0), succeeded())
+
+- task: CopyFiles@2
+ displayName: "Copy base tools build log"
+ inputs:
+ targetFolder: '$(Build.ArtifactStagingDirectory)'
+ SourceFolder: 'BaseTools/BaseToolsBuild'
+ contents: |
+ BASETOOLS_BUILD*.*
+ flattenFolders: true
+ condition: and(gt(variables.pkg_count, 0), succeededOrFailed())
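Review bot: The header names the file templates/basetools-build-job.yml, but the path is templates/basetools-build-steps.yml. The "sudo apt-get install gcc g++ make uuid-dev" step has no -y, so on an agent where one of those packages is missing it stops at the confirmation prompt; add -y.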
diff --git a/.azurepipelines/templates/platform-build-run-steps.yml b/.azurepipelines/templates/platform-build-run-steps.yml
new file mode 100644
index 000000000000..960a11ced5ee
--- /dev/null
+++ b/.azurepipelines/templates/platform-build-run-steps.yml
@@ -0,0 +1,151 @@
+
+## @file
+# File steps.yml
+#
+# template file containing the steps to build
+#
+# Copyright (c) 2021, Arm Limited. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+parameters:
+- name: tool_chain_tag
+ type: string
+ default: ''
+- name: build_pkg
+ type: string
+ default: ''
+- name: build_target
+ type: string
+ default: ''
+- name: build_arch
+ type: string
+ default: ''
+- name: build_file
+ type: string
+ default: ''
+- name: build_flags
+ type: string
+ default: ''
+- name: run_flags
+ type: string
+ default: ''
+
+- name: extra_install_step
+ type: stepList
+ default: []
+
+steps:
+- checkout: self
+ clean: true
+ fetchDepth: 1
+
+- task: UsePythonVersion@0
+ inputs:
+ versionSpec: "3.8.x"
+ architecture: "x64"
+
+- script: pip install -r pip-requirements.txt --upgrade
+ displayName: 'Install/Upgrade pip modules'
+
+# Set default
+- bash: echo "##vso[task.setvariable variable=pkg_count]${{ 1 }}"
+
+# Fetch the target branch so that pr_eval can diff them.
+# Seems like azure pipelines/github changed checkout process in nov 2020.
+- script: git fetch origin $(System.PullRequest.targetBranch)
+ displayName: fetch target branch
+ condition: eq(variables['Build.Reason'], 'PullRequest')
+
+# trim the package list if this is a PR
+- task: CmdLine@1
+ displayName: Check if ${{ parameters.build_pkg }} need testing
+ inputs:
+ filename: stuart_pr_eval
+ arguments: -c ${{ parameters.build_file }} -t ${{ parameters.build_target}} -a ${{ parameters.build_arch}} --pr-target origin/$(System.PullRequest.targetBranch) --output-count-format-string "##vso[task.setvariable variable=pkg_count;isOutpout=true]{pkgcount}"
+ condition: eq(variables['Build.Reason'], 'PullRequest')
+
+ # Setup repo
+- task: CmdLine@1
+ displayName: Setup
+ inputs:
+ filename: stuart_setup
+ arguments: -c ${{ parameters.build_file }} TOOL_CHAIN_TAG=${{ parameters.tool_chain_tag}} -t ${{ parameters.build_target}} -a ${{ parameters.build_arch}} ${{ parameters.build_flags}}
+ condition: and(gt(variables.pkg_count, 0), succeeded())
+
+# EDK2_PLATFORMS_MODIF_START:
+ # As edk2-platforms may rely on new edk2 modifications, checkout edk2's latest master
+- script: git submodule update --remote --checkout edk2
+ displayName: Checkout edk2's latest master
+ condition: and(gt(variables.pkg_count, 0), succeeded())
+# EDK2_PLATFORMS_MODIF_END
+
+# Stuart Update
+- task: CmdLine@1
+ displayName: Update
+ inputs:
+ filename: stuart_update
+ arguments: -c ${{ parameters.build_file }} TOOL_CHAIN_TAG=${{ parameters.tool_chain_tag}} -t ${{ parameters.build_target}} -a ${{ parameters.build_arch}} ${{ parameters.build_flags}}
+ condition: and(gt(variables.pkg_count, 0), succeeded())
+
+# EDK2_PLATFORMS_MODIF_START:
+# The base tools are imported in .pytool/CISettings.py via the 'edk2basetools' python module.
+# # build basetools
+# # do this after setup and update so that code base dependencies
+# # are all resolved.
+# - template: basetools-build-steps.yml
+# parameters:
+# tool_chain_tag: ${{ parameters.tool_chain_tag }}
+# EDK2_PLATFORMS_MODIF_END
+
+# Potential Extra steps
+- ${{ parameters.extra_install_step }}
+
+# Build
+- task: CmdLine@1
+ displayName: Build
+ inputs:
+ filename: stuart_build
+ arguments: -c ${{ parameters.build_file }} TOOL_CHAIN_TAG=${{ parameters.tool_chain_tag}} TARGET=${{ parameters.build_target}} -a ${{ parameters.build_arch}} ${{ parameters.build_flags}}
+ condition: and(gt(variables.pkg_count, 0), succeeded())
+
+# Run
+- task: CmdLine@1
+ displayName: Run to shell
+ inputs:
+ filename: stuart_build
+ arguments: -c ${{ parameters.build_file }} TOOL_CHAIN_TAG=${{ parameters.tool_chain_tag}} TARGET=${{ parameters.build_target}} -a ${{ parameters.build_arch}} ${{ parameters.build_flags}} ${{ parameters.run_flags }} --FlashOnly
+ condition: and(and(gt(variables.pkg_count, 0), succeeded()), eq(variables['Run'], true))
+ timeoutInMinutes: 1
+
+# Copy the build logs to the artifact staging directory
+- task: CopyFiles@2
+ displayName: "Copy build logs"
+ inputs:
+ targetFolder: "$(Build.ArtifactStagingDirectory)"
+ SourceFolder: "Build"
+ contents: |
+ BUILDLOG_*.txt
+ BUILDLOG_*.md
+ CI_*.txt
+ CI_*.md
+ CISETUP.txt
+ SETUPLOG.txt
+ UPDATE_LOG.txt
+ PREVALLOG.txt
+ TestSuites.xml
+ **/BUILD_TOOLS_REPORT.html
+ **/OVERRIDELOG.TXT
+ BASETOOLS_BUILD*.*
+ flattenFolders: true
+ condition: succeededOrFailed()
+
+# Publish build artifacts to Azure Artifacts/TFS or a file share
+- task: PublishBuildArtifacts@1
+ continueOnError: true
+ displayName: "Publish build logs"
+ inputs:
+ pathtoPublish: "$(Build.ArtifactStagingDirectory)"
+ artifactName: "Build Logs $(System.JobName)"
+ condition: succeededOrFailed()
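Review bot: the `contents` list of the "Copy build logs" step still collects `BASETOOLS_BUILD*.*`, but the only reference to `basetools-build-steps.yml` in the visible part of this template is commented out inside the EDK2_PLATFORMS_MODIF block above "Potential Extra steps". Either drop the pattern from the list or say in that MODIF comment why it is kept. The commented-out template call could be deleted outright, leaving just the one-line explanation that BaseTools come from the 'edk2basetools' python module.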
diff --git a/.azurepipelines/templates/pr-gate-build-job.yml b/.azurepipelines/templates/pr-gate-build-job.yml
new file mode 100644
index 000000000000..9bb8e2819793
--- /dev/null
+++ b/.azurepipelines/templates/pr-gate-build-job.yml
@@ -0,0 +1,43 @@
+## @file
+# File templates/pr-gate-build-job.yml
+#
+# template file used to build supported packages.
+#
+# Copyright (c) Microsoft Corporation.
+# Copyright (c) 2020 - 2021, ARM Limited. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+parameters:
+ tool_chain_tag: ''
+ vm_image: ''
+ arch_list: ''
+
+# Build step
+jobs:
+
+- job: Build_${{ parameters.tool_chain_tag }}
+
+# EDK2_PLATFORMS_MODIF_START:
+# Build edk2-platforms packages
+ #Use matrix to speed up the build process
+ strategy:
+ matrix:
+ TARGET_ARM_PLATFORMS:
+ Build.Pkgs: 'JunoPkg'
+ Build.Targets: 'DEBUG,RELEASE,NO-TARGET,NOOPT'
+# EDK2_PLATFORMS_MODIF_END
+
+ workspace:
+ clean: all
+
+ pool:
+ vmImage: ${{ parameters.vm_image }}
+
+ steps:
+ - template: pr-gate-steps.yml
+ parameters:
+ tool_chain_tag: ${{ parameters.tool_chain_tag }}
+ build_pkgs: $(Build.Pkgs)
+ build_targets: $(Build.Targets)
+ build_archs: ${{ parameters.arch_list }}
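Review bot: the matrix under EDK2_PLATFORMS_MODIF_START has a single entry, so the "Use matrix to speed up the build process" comment no longer describes what the job does, and `Build.Pkgs: 'JunoPkg'` is a second copy of the package list that `GetPackagesSupported()` in .pytool/CISettings.py returns (which also names `VExpressPkg`). Add a comment saying which of the two lists is authoritative, or add the missing matrix entry, so a package is not silently left out of the PR gate.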
diff --git a/.azurepipelines/templates/pr-gate-steps.yml b/.azurepipelines/templates/pr-gate-steps.yml
new file mode 100644
index 000000000000..1936d5a10780
--- /dev/null
+++ b/.azurepipelines/templates/pr-gate-steps.yml
@@ -0,0 +1,149 @@
+## @file
+# File templates/pr-gate-steps.yml
+#
+# template file containing the steps to build
+#
+# Copyright (c) 2021, Arm Limited. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+parameters:
+ tool_chain_tag: ''
+ build_pkgs: ''
+ build_targets: ''
+ build_archs: ''
+
+steps:
+- checkout: self
+ clean: true
+ fetchDepth: 1
+
+- task: UsePythonVersion@0
+ inputs:
+ versionSpec: '3.8.x'
+ architecture: 'x64'
+
+- script: pip install -r pip-requirements.txt --upgrade
+ displayName: 'Install/Upgrade pip modules'
+
+# Set default
+- bash: |
+ echo "##vso[task.setvariable variable=pkgs_to_build]${{ parameters.build_pkgs }}"
+ echo "##vso[task.setvariable variable=pkg_count]${{ 1 }}"
+
+# Fetch the target branch so that pr_eval can diff them.
+# Seems like azure pipelines/github changed checkout process in nov 2020.
+- script: git fetch origin $(System.PullRequest.targetBranch)
+ displayName: fetch target branch
+ condition: eq(variables['Build.Reason'], 'PullRequest')
+
+# trim the package list if this is a PR
+- task: CmdLine@1
+ displayName: Check if ${{ parameters.build_pkgs }} need testing
+ inputs:
+ filename: stuart_pr_eval
+ arguments: -c .pytool/CISettings.py -p ${{ parameters.build_pkgs }} --pr-target origin/$(System.PullRequest.targetBranch) --output-csv-format-string "##vso[task.setvariable variable=pkgs_to_build;isOutpout=true]{pkgcsv}" --output-count-format-string "##vso[task.setvariable variable=pkg_count;isOutpout=true]{pkgcount}"
+ condition: eq(variables['Build.Reason'], 'PullRequest')
+
+# install spell check prereqs
+- template: spell-check-prereq-steps.yml
+
+# Build repo
+- task: CmdLine@1
+ displayName: Setup ${{ parameters.build_pkgs }} ${{ parameters.build_archs}}
+ inputs:
+ filename: stuart_setup
+ arguments: -c .pytool/CISettings.py -p $(pkgs_to_build) -t ${{ parameters.build_targets}} -a ${{ parameters.build_archs}} TOOL_CHAIN_TAG=${{ parameters.tool_chain_tag}}
+ condition: and(gt(variables.pkg_count, 0), succeeded())
+
+# EDK2_PLATFORMS_MODIF_START:
+ # As edk2-platforms may rely on new edk2 modifications, checkout edk2's latest master
+- script: git submodule update --remote --checkout edk2
+ displayName: Checkout edk2's latest master
+ condition: and(gt(variables.pkg_count, 0), succeeded())
+# EDK2_PLATFORMS_MODIF_END
+
+- task: CmdLine@1
+ displayName: Update ${{ parameters.build_pkgs }} ${{ parameters.build_archs}}
+ inputs:
+ filename: stuart_update
+ arguments: -c .pytool/CISettings.py -p $(pkgs_to_build) -t ${{ parameters.build_targets}} -a ${{ parameters.build_archs}} TOOL_CHAIN_TAG=${{ parameters.tool_chain_tag}}
+ condition: and(gt(variables.pkg_count, 0), succeeded())
+
+# build basetools
+# do this after setup and update so that code base dependencies
+# are all resolved.
+# EDK2_PLATFORMS_MODIF_START:
+# The base tools are imported in .pytool/CISettings.py via the 'edk2basetools' python module.
+# - template: basetools-build-steps.yml
+# parameters:
+# tool_chain_tag: ${{ parameters.tool_chain_tag }}
+# EDK2_PLATFORMS_MODIF_END
+
+- task: CmdLine@1
+ displayName: Build and Test ${{ parameters.build_pkgs }} ${{ parameters.build_archs}}
+ inputs:
+ filename: stuart_ci_build
+ arguments: -c .pytool/CISettings.py -p $(pkgs_to_build) -t ${{ parameters.build_targets}} -a ${{ parameters.build_archs}} TOOL_CHAIN_TAG=${{ parameters.tool_chain_tag}}
+ condition: and(gt(variables.pkg_count, 0), succeeded())
+
+# Publish Test Results to Azure Pipelines/TFS
+- task: PublishTestResults@2
+ displayName: 'Publish junit test results'
+ continueOnError: true
+ condition: and( succeededOrFailed(),gt(variables.pkg_count, 0))
+ inputs:
+ testResultsFormat: 'JUnit' # Options: JUnit, NUnit, VSTest, xUnit
+ testResultsFiles: 'Build/TestSuites.xml'
+ #searchFolder: '$(System.DefaultWorkingDirectory)' # Optional
+ mergeTestResults: true # Optional
+ testRunTitle: $(System.JobName) # Optional
+ #buildPlatform: # Optional
+ #buildConfiguration: # Optional
+ publishRunAttachments: true # Optional
+
+# Publish Test Results to Azure Pipelines/TFS
+- task: PublishTestResults@2
+ displayName: 'Publish host based test results for $(System.JobName)'
+ continueOnError: true
+ condition: and( succeededOrFailed(), gt(variables.pkg_count, 0))
+ inputs:
+ testResultsFormat: 'JUnit' # Options: JUnit, NUnit, VSTest, xUnit
+ testResultsFiles: 'Build/**/*.result.xml'
+ #searchFolder: '$(System.DefaultWorkingDirectory)' # Optional
+ mergeTestResults: false # Optional
+ testRunTitle: ${{ parameters.build_pkgs }} # Optional
+ #buildPlatform: # Optional
+ #buildConfiguration: # Optional
+ publishRunAttachments: true # Optional
+
+# Copy the build logs to the artifact staging directory
+- task: CopyFiles@2
+ displayName: "Copy build logs"
+ inputs:
+ targetFolder: '$(Build.ArtifactStagingDirectory)'
+ SourceFolder: 'Build'
+ contents: |
+ BUILDLOG_*.txt
+ BUILDLOG_*.md
+ CI_*.txt
+ CI_*.md
+ CISETUP.txt
+ SETUPLOG.txt
+ UPDATE_LOG.txt
+ PREVALLOG.txt
+ TestSuites.xml
+ **/BUILD_TOOLS_REPORT.html
+ **/OVERRIDELOG.TXT
+ flattenFolders: true
+ condition: succeededOrFailed()
+
+# Publish build artifacts to Azure Artifacts/TFS or a file share
+- task: PublishBuildArtifacts@1
+ continueOnError: true
+ displayName: "Publish build logs"
+ inputs:
+ pathtoPublish: '$(Build.ArtifactStagingDirectory)'
+ artifactName: 'Build Logs $(System.JobName)'
+ condition: succeededOrFailed()
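Review bot: in the `stuart_pr_eval` arguments the logging-command property is spelled `isOutpout=true` in both format strings, so it is not the `isOutput` property. The later steps read the values as `$(pkgs_to_build)` and `variables.pkg_count` with no step-name prefix, which is how plain job variables are referenced, so the safer fix is to drop the property rather than correct its spelling. Separately, `git submodule update --remote --checkout edk2` makes every run build against whatever edk2 master is at that moment instead of the commit recorded in the superproject; print the resolved commit in that step (for example `git -C edk2 rev-parse HEAD`) so a failing build can be reproduced against the same edk2 tree.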
diff --git a/.azurepipelines/templates/spell-check-prereq-steps.yml b/.azurepipelines/templates/spell-check-prereq-steps.yml
new file mode 100644
index 000000000000..98ee3cfa6bc6
--- /dev/null
+++ b/.azurepipelines/templates/spell-check-prereq-steps.yml
@@ -0,0 +1,22 @@
+## @file
+# File templates/spell-check-prereq-steps.yml
+#
+# template file used to install spell checking prerequisits
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+parameters:
+ none: ''
+
+steps:
+- task: NodeTool@0
+ inputs:
+ versionSpec: '14.x'
+ #checkLatest: false # Optional
+ condition: and(gt(variables.pkg_count, 0), succeeded())
+
+- script: npm install -g cspell
+ displayName: 'Install cspell npm'
+ condition: and(gt(variables.pkg_count, 0), succeeded())
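Review bot: `npm install -g cspell` installs whatever version is current at run time, while `NodeTool@0` just above it is held to `14.x`. Pin the package in the same way (`cspell@<version>`) so that a new cspell release cannot change the spell-check result of an unrelated pull request. The header comment also spells "prerequisites" as "prerequisits", which is worth fixing in the file that sets up the spell checker.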
diff --git a/.pytool/Readme.md b/.pytool/Readme.md
index 9e59b30043fc..0d740caa40a8 100644
--- a/.pytool/Readme.md
+++ b/.pytool/Readme.md
@@ -9,6 +9,15 @@
For more detailed status look at the test results of the latest CI run on the
repo readme.

+## edk2 submodule
+
+It is possible that the edk2-platforms repository relies on new modifications
+in the edk2 repository. The edk2-platforms CI uses the edk2 submodule. Thus,
+the edk2 submodule might need to be updated to run the CI properly.
+
+To rebase the edk2 submodule on the latest master, run:
+* `git submodule update --remote --rebase edk2`
+
## Readme

As the content of the .pytool folder has been imported from the tianocore repository at:
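Review bot: the new "edk2 submodule" section gives the command `git submodule update --remote --rebase edk2` and stops there. It should also say that the resulting change to the `edk2` gitlink has to be committed and sent as a patch before it affects anyone else, and explain why `--rebase` is recommended here when the pipeline step in pr-gate-steps.yml uses `--remote --checkout`.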
--
2.17.1


[PATCH edk2-platforms v3 3/6] .pytool/Plugin: Add CI plugins

PierreGondois
 

From: Pierre Gondois <Pierre.Gondois@arm.com>

To enable CI support of the tianocore/edk2-platforms repository,
add a .pytool directory containing the following files:
- .pytool/CISettings.py
- .pytool/Readme.md

These files are largely inspired by the same files available in
the edk2 repository. The .pytool/Plugin/* files containing the
CI tests to run are not copied. edk2-platforms will rely on the
edk2basetools python package and on the edk2 python files, as
edk2 is imported as a submodule of edk2-platforms.

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3509

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com>
---

Notes:
v3:
- Remove edk2-platforms's path from $PACKAGES_PATH. [Sean]
- Replace Readme's content with a reference to the
edk2 repository. [Sean]

.pytool/CISettings.py | 184 ++++++++++++++++++++++++++++++++++++++++++
.pytool/Readme.md | 16 ++++
2 files changed, 200 insertions(+)
create mode 100644 .pytool/CISettings.py
create mode 100644 .pytool/Readme.md

diff --git a/.pytool/CISettings.py b/.pytool/CISettings.py
new file mode 100644
index 000000000000..551ec3954058
--- /dev/null
+++ b/.pytool/CISettings.py
@@ -0,0 +1,184 @@
+# @file
+#
+# Copyright (c) Microsoft Corporation.
+# Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.<BR>
+# Copyright (c) 2020 - 2021, ARM Limited. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+import os
+import logging
+import edk2basetools
+
+from edk2toolext.environment import shell_environment
+from edk2toolext.invocables.edk2_ci_build import CiBuildSettingsManager
+from edk2toolext.invocables.edk2_setup import SetupSettingsManager, RequiredSubmodule
+from edk2toolext.invocables.edk2_update import UpdateSettingsManager
+from edk2toolext.invocables.edk2_pr_eval import PrEvalSettingsManager
+from edk2toollib.utility_functions import GetHostInfo
+
+
+class Settings(CiBuildSettingsManager, UpdateSettingsManager, SetupSettingsManager, PrEvalSettingsManager):
+
+ def __init__(self):
+ self.ActualPackages = []
+ self.ActualTargets = []
+ self.ActualArchitectures = []
+ self.ActualToolChainTag = ""
+ self.ActualScopes = None
+
+ # ####################################################################################### #
+ # Extra CmdLine configuration #
+ # ####################################################################################### #
+
+ def AddCommandLineOptions(self, parserObj):
+ pass
+ def RetrieveCommandLineOptions(self, args):
+ pass
+
+ # ####################################################################################### #
+ # Default Support for this Ci Build #
+ # ####################################################################################### #
+
+ def GetPackagesSupported(self):
+ ''' return iterable of edk2 packages supported by this build.
+ These should be edk2 workspace relative paths '''
+ return (
+ "JunoPkg",
+ "VExpressPkg"
+ )
+
+ def GetArchitecturesSupported(self):
+ ''' return iterable of edk2 architectures supported by this build '''
+ return (
+ "IA32",
+ "X64",
+ "ARM",
+ "AARCH64",
+ "RISCV64")
+
+ def GetTargetsSupported(self):
+ ''' return iterable of edk2 target tags supported by this build '''
+ return ("DEBUG", "RELEASE", "NO-TARGET", "NOOPT")
+
+ # ####################################################################################### #
+ # Verify and Save requested Ci Build Config #
+ # ####################################################################################### #
+
+ def SetPackages(self, list_of_requested_packages):
+ ''' Confirm the requested package list is valid and configure SettingsManager
+ to build the requested packages.
+
+ Raise UnsupportedException if a requested_package is not supported
+ '''
+ unsupported = set(list_of_requested_packages) - \
+ set(self.GetPackagesSupported())
+ if(len(unsupported) > 0):
+ logging.critical(
+ "Unsupported Package Requested: " + " ".join(unsupported))
+ raise Exception("Unsupported Package Requested: " +
+ " ".join(unsupported))
+ self.ActualPackages = list_of_requested_packages
+
+ def SetArchitectures(self, list_of_requested_architectures):
+ ''' Confirm the requests architecture list is valid and configure SettingsManager
+ to run only the requested architectures.
+
+ Raise Exception if a list_of_requested_architectures is not supported
+ '''
+ unsupported = set(list_of_requested_architectures) - \
+ set(self.GetArchitecturesSupported())
+ if(len(unsupported) > 0):
+ logging.critical(
+ "Unsupported Architecture Requested: " + " ".join(unsupported))
+ raise Exception(
+ "Unsupported Architecture Requested: " + " ".join(unsupported))
+ self.ActualArchitectures = list_of_requested_architectures
+
+ def SetTargets(self, list_of_requested_target):
+ ''' Confirm the request target list is valid and configure SettingsManager
+ to run only the requested targets.
+
+ Raise UnsupportedException if a requested_target is not supported
+ '''
+ unsupported = set(list_of_requested_target) - \
+ set(self.GetTargetsSupported())
+ if(len(unsupported) > 0):
+ logging.critical(
+ "Unsupported Targets Requested: " + " ".join(unsupported))
+ raise Exception("Unsupported Targets Requested: " +
+ " ".join(unsupported))
+ self.ActualTargets = list_of_requested_target
+
+ # ####################################################################################### #
+ # Actual Configuration for Ci Build #
+ # ####################################################################################### #
+
+ def GetActiveScopes(self):
+ ''' return tuple containing scopes that should be active for this process '''
+ if self.ActualScopes is None:
+ scopes = ("cibuild", "edk2-build", "host-based-test")
+
+ self.ActualToolChainTag = shell_environment.GetBuildVars().GetValue("TOOL_CHAIN_TAG", "")
+
+ is_linux = GetHostInfo().os.upper() == "LINUX"
+ scopes += ('pipbuild-unix',) if is_linux else ('pipbuild-win',)
+
+ if is_linux and self.ActualToolChainTag.upper().startswith("GCC"):
+ if "AARCH64" in self.ActualArchitectures:
+ scopes += ("gcc_aarch64_linux",)
+ if "ARM" in self.ActualArchitectures:
+ scopes += ("gcc_arm_linux",)
+ if "RISCV64" in self.ActualArchitectures:
+ scopes += ("gcc_riscv64_unknown",)
+ self.ActualScopes = scopes
+ return self.ActualScopes
+
+ def GetRequiredSubmodules(self):
+ ''' return iterable containing RequiredSubmodule objects.
+ If no RequiredSubmodules return an empty iterable
+ '''
+ rs = []
+ rs.append(RequiredSubmodule(
+ "edk2", True))
+ rs.append(RequiredSubmodule(
+ "Silicon/RISC-V/ProcessorPkg/Library/RiscVOpensbiLib/opensbi", False))
+ return rs
+
+ def GetName(self):
+ return "Edk2-platforms"
+
+ def GetDependencies(self):
+ return [
+ ]
+
+ def GetPackagesPath(self):
+ ''' Return a list of workspace relative paths that should be mapped as edk2 PackagesPath '''
+ edk2_platforms_path = self.GetWorkspaceRoot()
+ return [
+ os.path.join(edk2_platforms_path, "Platform", "ARM"),
+ os.path.join(edk2_platforms_path, "edk2")
+ ]
+
+ def GetWorkspaceRoot(self):
+ ''' get WorkspacePath '''
+ return os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+
+ def FilterPackagesToTest(self, changedFilesList: list, potentialPackagesList: list) -> list:
+ ''' Filter potential packages to test based on changed files. '''
+ build_these_packages = []
+ possible_packages = potentialPackagesList.copy()
+ for f in changedFilesList:
+ # split each part of path for comparison later
+ nodes = f.split("/")
+
+ # python file change in .pytool folder causes building all
+ if f.endswith(".py") and ".pytool" in nodes:
+ build_these_packages = possible_packages
+ break
+
+ # BaseTools files that might change the build
+ if "BaseTools" in nodes:
+ if os.path.splitext(f) not in [".txt", ".md"]:
+ build_these_packages = possible_packages
+ break
+ return build_these_packages
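Review bot: in `FilterPackagesToTest`, `os.path.splitext(f)` returns a `(root, ext)` tuple, so `os.path.splitext(f) not in [".txt", ".md"]` is always true and every change under BaseTools, documentation included, selects all packages for build. Compare the extension instead: `os.path.splitext(f)[1] not in [".txt", ".md"]`. The docstrings of `SetPackages` and `SetTargets` also promise `UnsupportedException` while the code raises a plain `Exception`, and `GetPackagesPath` is documented as returning workspace relative paths although it joins them onto `GetWorkspaceRoot()`.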
diff --git a/.pytool/Readme.md b/.pytool/Readme.md
new file mode 100644
index 000000000000..9e59b30043fc
--- /dev/null
+++ b/.pytool/Readme.md
@@ -0,0 +1,16 @@
+# Edk2-platforms Continuous Integration
+
+## Basic Status
+
+| Package | Windows VS2019 (IA32/X64)| Ubuntu GCC (IA32/X64/ARM/AARCH64) | Known Issues |
+| :---- | :----- | :---- | :--- |
+| Platfrom/ARM/JunoPkg | | :heavy_check_mark: | Spell checking in audit mode. CompilerCheck disabled (need a PlatformCI).
+
+For more detailed status look at the test results of the latest CI run on the
+repo readme.
+
+## Readme
+
+As the content of the .pytool folder has been imported from the tianocore repository at:
+https://github.com/tianocore/edk2
+Please use the Readme.md that can be found there.
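Review bot: the status table row spells the path `Platfrom/ARM/JunoPkg` (should be `Platform`) and, unlike the header and separator rows, has no closing `|`. Fix both so the row renders as part of the table and the path can be copied as written.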
--
2.17.1


[PATCH edk2-platforms v3 2/6] pip-requirements.txt: Add python pip requirements file

PierreGondois
 

From: Pierre Gondois <Pierre.Gondois@arm.com>

To enable CI support of the tianocore/edk2-platforms repository,
add pip requirements file to install the python modules
required to perform EDK II Continuous Integration (CI) builds.

This file is a copy of the file from the tianocore/edk2
repository. Any modification to the tianocore/edk2 file must be
reflected on the tianocore/edk2-platforms copy.

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3509

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com>
---
pip-requirements.txt | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 pip-requirements.txt

diff --git a/pip-requirements.txt b/pip-requirements.txt
new file mode 100644
index 000000000000..aea2e6ece431
--- /dev/null
+++ b/pip-requirements.txt
@@ -0,0 +1,18 @@
+## @file
+# EDK II Python PIP requirements file
+#
+# This file provides the list of python components to install using PIP.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+# https://pypi.org/project/pip/
+# https://pip.pypa.io/en/stable/user_guide/#requirements-files
+# https://pip.pypa.io/en/stable/reference/pip_install/#requirements-file-format
+# https://www.python.org/dev/peps/pep-0440/#version-specifiers
+##
+
+edk2-pytool-library==0.10.*
+edk2-pytool-extensions~=0.13.3
+edk2-basetools==0.1.2
+antlr4-python3-runtime==4.7.1
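Review bot: the four requirements use three different specifier styles (`==0.10.*`, `~=0.13.3` and an exact `==`), and the pipeline installs this file with `pip install -r pip-requirements.txt --upgrade`, so two of the four packages can change between CI runs with no change to this repository. Since the commit message says the file must track the tianocore/edk2 copy, add a comment in the file header naming the edk2 file it is copied from, and consider exact pins for the two floating entries if reproducible CI results matter more than automatic updates.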
--
2.17.1


[PATCH edk2-platforms v3 1/6] edk2-platforms: add edk2 repository as a submodule

PierreGondois
 

From: Pierre Gondois <Pierre.Gondois@arm.com>

Add the edk2 repository as a submodule:
https://github.com/tianocore/edk2

Platforms in edk2-platforms often rely on modules available
in the edk2 repository. In order to enable an upstream CI
for edk2-platforms, adding edk2 as a submodule is a convenient
way to advertise this dependency.

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3509

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com>
---

Notes:
v2:
- Use tianocore repository instead of personal repository [Pierre]

.gitmodules | 3 +++
edk2 | 1 +
2 files changed, 4 insertions(+)
create mode 160000 edk2

diff --git a/.gitmodules b/.gitmodules
index 88aafaf15820..ed4b2d436cdb 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,6 @@
[submodule "Silicon/RISC-V/ProcessorPkg/Library/RiscVOpensbiLib/opensbi"]
path = Silicon/RISC-V/ProcessorPkg/Library/RiscVOpensbiLib/opensbi
url = https://github.com/riscv/opensbi
+[submodule "edk2"]
+ path = edk2
+ url = https://github.com/tianocore/edk2/
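Review bot: the new `url` ends with a trailing slash (`https://github.com/tianocore/edk2/`) while the existing opensbi entry does not; use the same form as the existing entry. No `branch` key is set either, although the CI step and the Readme added later in this series both run `git submodule update --remote`; adding `branch = master` would state in the repository which branch `--remote` follows instead of leaving it to git's default.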
diff --git a/edk2 b/edk2
new file mode 160000
index 000000000000..3c81382742fd
--- /dev/null
+++ b/edk2
@@ -0,0 +1 @@
+Subproject commit 3c81382742fdde028b4c23e822f6a6b11f2ab586
--
2.17.1


[PATCH edk2-platforms v3 0/6] Enable edk2-platforms CI for JunoPkg

PierreGondois
 

From: Pierre Gondois <Pierre.Gondois@arm.com>

v3:
- Replace the Readme(s) with a reference to the initial Readme(s) in
the tianocore repository. [Sean]
- Align CI files with the latest version in the edk2 repository.
[Sean/Michael]
- Add additional step to checkout edk2's latest master in the CI.
[Pierre]
v2:
- Use tianocore repository instead of personal repository
for edk2 submodule [Pierre]
- Bugzilla associated to the topic:
https://bugzilla.tianocore.org/show_bug.cgi?id=3509

This patch-set is dependent on the following patch-set:
edk2-platforms:
[PATCH v1 0/2] Fix duplicated GUID
https://edk2.groups.io/g/devel/message/76910

It provides the configuration files necessary to run an upstream CI
similar to the one currently used for the main edk2 repository. The
configuration is mostly similar as well.
Enabling the CI requires administrator rights on the edk2-platforms
repository. This configuration was tested on a private repository,
but will require additional configuration from the administrator.

Compared to edk2's CI, an additional step has been added to checkout
edk2's latest master. Indeed, some changes in the edk2-platforms
repository might rely on modifications in the edk2 repository.
The policy here would be to have edk2's repository's modifications
accepted first so edk2-platforms's CI can complete successfully.

As the new edk2 submodule is updated to the latest master when running
the CI, this still raises the question of when to update this new edk2
submodule.

The changes can be seen at:
https://github.com/PierreARM/edk2-platforms/tree/1628_Enable_edk2_platforms_ci_for_JunoPkg_v3

Pierre Gondois (6):
edk2-platforms: add edk2 repository as a submodule
pip-requirements.txt: Add python pip requirements file
.pytool/Plugin: Add CI plugins
.azurepipelines: Add Azure Pipelines YML configuration files
.mergify: Add Mergify YML pull request rules configuration file
Platform/ARM: Juno: Add JunoPkg.ci.yaml for CI support

.azurepipelines/ReadMe.md | 5 +
.azurepipelines/Ubuntu-GCC5.yml | 20 ++
.azurepipelines/Ubuntu-PatchCheck.yml | 36 ++++
.azurepipelines/Windows-VS2019.yml | 20 ++
.azurepipelines/templates/ReadMe.md | 5 +
.../templates/basetools-build-steps.yml | 37 ++++
.../templates/platform-build-run-steps.yml | 151 ++++++++++++++
.../templates/pr-gate-build-job.yml | 43 ++++
.azurepipelines/templates/pr-gate-steps.yml | 149 ++++++++++++++
.../templates/spell-check-prereq-steps.yml | 22 +++
.gitmodules | 3 +
.mergify/config.yml | 50 +++++
.pytool/CISettings.py | 184 ++++++++++++++++++
.pytool/Readme.md | 25 +++
Platform/ARM/JunoPkg/JunoPkg.ci.yaml | 104 ++++++++++
edk2 | 1 +
pip-requirements.txt | 18 ++
17 files changed, 873 insertions(+)
create mode 100644 .azurepipelines/ReadMe.md
create mode 100644 .azurepipelines/Ubuntu-GCC5.yml
create mode 100644 .azurepipelines/Ubuntu-PatchCheck.yml
create mode 100644 .azurepipelines/Windows-VS2019.yml
create mode 100644 .azurepipelines/templates/ReadMe.md
create mode 100644 .azurepipelines/templates/basetools-build-steps.yml
create mode 100644 .azurepipelines/templates/platform-build-run-steps.yml
create mode 100644 .azurepipelines/templates/pr-gate-build-job.yml
create mode 100644 .azurepipelines/templates/pr-gate-steps.yml
create mode 100644 .azurepipelines/templates/spell-check-prereq-steps.yml
create mode 100644 .mergify/config.yml
create mode 100644 .pytool/CISettings.py
create mode 100644 .pytool/Readme.md
create mode 100644 Platform/ARM/JunoPkg/JunoPkg.ci.yaml
create mode 160000 edk2
create mode 100644 pip-requirements.txt

--
2.17.1


EmulatorPkg and the state of DlLoadImage()

Marvin Häuser
 

Good day everyone,

I'm currently refining the port of EmulatorPkg to my new PE/COFF loader library instance.
In the process, I found the function DlOpenImage() [1], which loads UEFI Images via the OS loader to utilise its symbol loading capability. Theoretically, this should e.g. allow arbitrary debuggers using the OS APIs to symbolise the backtrace.

macOS: The function seems to be unused entirely. [2]

Linux: On my system running Fedora 34, the function neither works out-of-the-box, nor after significant time of trying to fix it. The first issue is that it only proceeds if the Image has a PDB path with ".pdb" extension [3], while the GCC5 toolchain generates Images with ".dll" files for PDB paths (see errors below). Once this is resolved, there is an error message indicating insufficient Image section alignment:

[...]/Build/EmulatorX64/DEBUG_GCC5/X64/MdeModulePkg/Universal/EbcDxe/EbcDxe/DEBUG/EbcDxe.dll: ELF load command alignment not page-aligned

Resolving this yields an error that executable files cannot be loaded dynamically:

[...]/Build/EmulatorX64/DEBUG_GCC5/X64/MdeModulePkg/Core/Pei/PeiMain/DEBUG/PeiCore.dll: cannot dynamically load executable

With my very limited knowledge about Linux and ELF I tried the naive approach of building the Images as shared (hoping it would be similar to DLLs, which are built on Windows), but this just silently crashes.

So my questions are:
1) Does this code currently work for anyone?
2) Does anyone use a debugging setup that is incompatible with Images loaded by EDK II rather than the OS?
3) Are the issues above known and planned to be fixed?

Thank you for your time!

Best regards,
Marvin


[1]
https://github.com/tianocore/edk2/blob/be282b14938846960cce30825a9fe762e14ca8c9/EmulatorPkg/Unix/Host/Host.c#L1065-L1113

[2]
https://github.com/tianocore/edk2/blob/be282b14938846960cce30825a9fe762e14ca8c9/EmulatorPkg/Unix/Host/Host.c#L1071-L1073

[3]
https://github.com/tianocore/edk2/blob/be282b14938846960cce30825a9fe762e14ca8c9/EmulatorPkg/Unix/Host/Host.c#L1084-L1086
https://github.com/tianocore/edk2/blob/be282b14938846960cce30825a9fe762e14ca8c9/EmulatorPkg/Unix/Host/Host.c#L1003-L1026
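
The two loader rejections reported in the message above can be checked for before calling dlopen() by reading the ELF headers of the intermediate `.dll` file. This is an added example, not code from the post, EDK II, or glibc; it assumes ELF64 little-endian input, a 4096-byte page size, and that the two messages correspond to a `PT_LOAD` `p_align` that is not page-aligned and to an `e_type` other than `ET_DYN`. All function names are hypothetical.

```c
/* Added example: pre-flight check for the two dlopen() rejections quoted in
 * the message above. Assumptions: ELF64, little-endian, 4096-byte pages. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASSUMED_PAGE_SIZE 4096u /* assumption: x86-64 Linux default */
#define EHDR_SIZE 64u           /* size of an ELF64 file header */
#define PHDR_SIZE 56u           /* size of an ELF64 program header */
#define ELF_ET_EXEC 2u
#define ELF_ET_DYN 3u
#define ELF_PT_LOAD 1u

typedef enum {
  PREFLIGHT_OK = 0,
  PREFLIGHT_TRUNCATED,
  PREFLIGHT_NOT_ELF64_LE,
  PREFLIGHT_ALIGN_NOT_PAGE,   /* "ELF load command alignment not page-aligned" */
  PREFLIGHT_NOT_SHARED_OBJECT /* "cannot dynamically load executable" */
} preflight_t;

static uint32_t rd32(const uint8_t *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64(const uint8_t *p) {
  return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}
static void wr(uint8_t *p, uint64_t v, unsigned nbytes) {
  for (unsigned i = 0; i < nbytes; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Checks run in the order the errors appeared in the post: alignment first. */
preflight_t dlopen_preflight(const uint8_t *img, size_t len) {
  if (len < EHDR_SIZE) return PREFLIGHT_TRUNCATED;
  if (memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
    return PREFLIGHT_NOT_ELF64_LE;

  uint16_t e_type = rd16(img + 16);
  uint64_t e_phoff = rd64(img + 32);
  uint16_t e_phentsize = rd16(img + 54);
  uint16_t e_phnum = rd16(img + 56);

  /* Bounds-check the program header table before reading from it. */
  if (e_phnum != 0 &&
      (e_phentsize < PHDR_SIZE || e_phoff > len ||
       (uint64_t)e_phnum * e_phentsize > len - e_phoff))
    return PREFLIGHT_TRUNCATED;

  for (uint16_t i = 0; i < e_phnum; i++) {
    const uint8_t *ph = img + e_phoff + (size_t)i * e_phentsize;
    if (rd32(ph) != ELF_PT_LOAD) continue;
    if (rd64(ph + 48) & (ASSUMED_PAGE_SIZE - 1)) /* p_align */
      return PREFLIGHT_ALIGN_NOT_PAGE;
  }
  return e_type == ELF_ET_DYN ? PREFLIGHT_OK : PREFLIGHT_NOT_SHARED_OBJECT;
}

/* Constructed sample input: an ELF64 header plus one PT_LOAD entry, no payload. */
size_t make_sample(uint8_t *buf, size_t cap, uint16_t e_type, uint64_t p_align) {
  if (cap < EHDR_SIZE + PHDR_SIZE) return 0;
  memset(buf, 0, EHDR_SIZE + PHDR_SIZE);
  memcpy(buf, "\x7f" "ELF", 4);
  buf[4] = 2;                     /* ELFCLASS64 */
  buf[5] = 1;                     /* ELFDATA2LSB */
  buf[6] = 1;                     /* EV_CURRENT */
  wr(buf + 16, e_type, 2);
  wr(buf + 18, 62, 2);            /* EM_X86_64 */
  wr(buf + 20, 1, 4);             /* e_version */
  wr(buf + 32, EHDR_SIZE, 8);     /* e_phoff: table follows the header */
  wr(buf + 52, EHDR_SIZE, 2);     /* e_ehsize */
  wr(buf + 54, PHDR_SIZE, 2);     /* e_phentsize */
  wr(buf + 56, 1, 2);             /* e_phnum */
  wr(buf + EHDR_SIZE, ELF_PT_LOAD, 4);
  wr(buf + EHDR_SIZE + 4, 5, 4);  /* p_flags: PF_R | PF_X */
  wr(buf + EHDR_SIZE + 48, p_align, 8);
  return EHDR_SIZE + PHDR_SIZE;
}

preflight_t sample_verdict(uint16_t e_type, uint64_t p_align) {
  uint8_t buf[EHDR_SIZE + PHDR_SIZE];
  size_t n = make_sample(buf, sizeof buf, e_type, p_align);
  return dlopen_preflight(buf, n);
}

/* Constructed sample: the first bytes of a PE/COFF image ("MZ"), zero padded. */
const uint8_t PE_STUB[64] = { 'M', 'Z' };

int main(void) {
  static const char *names[] = { "ok", "truncated", "not ELF64 LE",
                                 "PT_LOAD alignment not page-aligned",
                                 "not a shared object (e_type != ET_DYN)" };
  printf("ET_EXEC, p_align 0x40:   %s\n", names[sample_verdict(ELF_ET_EXEC, 0x40)]);
  printf("ET_EXEC, p_align 0x1000: %s\n", names[sample_verdict(ELF_ET_EXEC, 0x1000)]);
  printf("ET_DYN,  p_align 0x1000: %s\n", names[sample_verdict(ELF_ET_DYN, 0x1000)]);
  printf("PE/COFF stub:            %s\n", names[dlopen_preflight(PE_STUB, sizeof PE_STUB)]);
  return 0;
}
```

Passing this check only rules out the two rejections named in the post; it says nothing about relocations or symbol resolution at load time.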


[PATCH v7 11/11] SecurityPkg: Add option to reset secure boot keys.

Grzegorz Bernacki
 

This commit adds an option which allows resetting the content of Secure Boot
keys and databases to default variables.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
---
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 154 ++++++++++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
5 files changed, 167 insertions(+)

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 14c7311b08..420687a211 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -110,6 +110,7 @@
[Protocols]
gEfiHiiConfigAccessProtocolGuid ## PRODUCES
gEfiDevicePathProtocolGuid ## PRODUCES
+ gEfiHiiPopupProtocolGuid

[Depex]
gEfiHiiConfigRoutingProtocolGuid AND
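Review bot: `gEfiHiiPopupProtocolGuid` is added to [Protocols] without a usage comment, while the two entries above it carry `## PRODUCES`. The driver only locates this protocol (the `gBS->LocateProtocol` call added to `SecureBootCallback` later in this patch), so annotate the line with `## CONSUMES`.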
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
index 6e54a4b0f2..4ecc25efc3 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
@@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

#define KEY_VALUE_FROM_DBX_TO_LIST_FORM 0x100f

+#define KEY_SECURE_BOOT_RESET_TO_DEFAULT 0x1010
+
#define KEY_SECURE_BOOT_OPTION 0x1100
#define KEY_SECURE_BOOT_PK_OPTION 0x1101
#define KEY_SECURE_BOOT_KEK_OPTION 0x1102
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index fa7e11848c..e4560c592c 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -69,6 +69,12 @@ formset
endif;
endif;

+ text
+ help = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP),
+ text = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS),
+ flags = INTERACTIVE,
+ key = KEY_SECURE_BOOT_RESET_TO_DEFAULT;
+
endform;

//
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index f527aa32e6..f102607a27 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/

#include "SecureBootConfigImpl.h"
+#include <Protocol/HiiPopup.h>
#include <Library/BaseCryptLib.h>
#include <Library/SecureBootVariableLib.h>
#include <Library/SecureBootVariableProvisionLib.h>
@@ -4155,6 +4156,132 @@ ON_EXIT:
return Status;
}

+/**
+ This function reinitializes Secure Boot variables with default values.
+
+ @retval EFI_SUCCESS Success to update the signature list page
+ @retval others Fail to delete or enroll signature data.
+**/
+
+STATIC EFI_STATUS
+EFIAPI
+KeyEnrollReset (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ UINT8 SetupMode;
+
+ Status = EFI_SUCCESS;
+
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR(Status)) {
+ return Status;
+ }
+
+ // Clear all the keys and databases
+ Status = DeleteDb ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status));
+ return Status;
+ }
+
+ Status = DeleteDbx ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status));
+ return Status;
+ }
+
+ Status = DeleteDbt ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status));
+ return Status;
+ }
+
+ Status = DeleteKEK ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status));
+ return Status;
+ }
+
+ Status = DeletePlatformKey ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status));
+ return Status;
+ }
+
+ // After PK clear, Setup Mode shall be enabled
+ Status = GetSetupMode (&SetupMode);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n",
+ Status));
+ return Status;
+ }
+
+ if (SetupMode == USER_MODE) {
+ DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n"));
+ return EFI_SUCCESS;
+ }
+
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n",
+ Status));
+ return EFI_SUCCESS;
+ }
+
+ // Enroll all the keys from default variables
+ Status = EnrollDbFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status));
+ goto error;
+ }
+
+ Status = EnrollDbxFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status));
+ }
+
+ Status = EnrollDbtFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status));
+ }
+
+ Status = EnrollKEKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status));
+ goto cleardbs;
+ }
+
+ Status = EnrollPKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status));
+ goto clearKEK;
+ }
+
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n"));
+ }
+
+ return Status;
+
+clearKEK:
+ DeleteKEK ();
+
+cleardbs:
+ DeleteDbt ();
+ DeleteDbx ();
+ DeleteDb ();
+
+error:
+ if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) != EFI_SUCCESS) {
+ DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status));
+ }
+ return Status;
+}
+
/**
This function is called to provide results data to the driver.

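Review bot: in KeyEnrollReset (), a failure of the second SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE) call returns EFI_SUCCESS, so the caller treats a reset that has already deleted PK, KEK, db, dbx and dbt and enrolled nothing as successful; return Status there. The early returns after the first SetSecureBootMode call (the Delete* failures, the GetSetupMode failure and the USER_MODE skip) also leave without switching back to STANDARD_SECURE_BOOT_MODE, unlike the error: label; route them through a common exit that restores it. Smaller points: the DEBUG under error: prints Status from the failed enroll rather than the result of the SetSecureBootMode call it reports on, the initial Status = EFI_SUCCESS is dead, and the @retval text still refers to the signature list page.
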
@@ -4206,6 +4333,8 @@ SecureBootCallback (
SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
BOOLEAN GetBrowserDataResult;
ENROLL_KEY_ERROR EnrollKeyErrorCode;
+ EFI_HII_POPUP_PROTOCOL *HiiPopup;
+ EFI_HII_POPUP_SELECTION UserSelection;

Status = EFI_SUCCESS;
SecureBootEnable = NULL;
@@ -4756,6 +4885,31 @@ SecureBootCallback (
FreePool (SetupMode);
}
break;
+ case KEY_SECURE_BOOT_RESET_TO_DEFAULT:
+ {
+ Status = gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VOID **) &HiiPopup);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ Status = HiiPopup->CreatePopup (
+ HiiPopup,
+ EfiHiiPopupStyleInfo,
+ EfiHiiPopupTypeYesNo,
+ Private->HiiHandle,
+ STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP),
+ &UserSelection
+ );
+ if (UserSelection == EfiHiiPopupSelectionYes) {
+ Status = KeyEnrollReset ();
+ }
+ //
+ // Update secure boot strings after key reset
+ //
+ if (Status == EFI_SUCCESS) {
+ Status = UpdateSecureBootString (Private);
+ SecureBootExtractConfigFromVariable (Private, IfrNvData);
+ }
+ }
default:
break;
}
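
Review bot: the Status returned by HiiPopup->CreatePopup () is never checked before UserSelection is read, so if the popup fails the comparison against EfiHiiPopupSelectionYes uses an uninitialized value and the key reset can run without a confirmed answer; check EFI_ERROR (Status) first, or initialize UserSelection to EfiHiiPopupSelectionNo. The new case also has no break before default:, and when the user answers No the Status == EFI_SUCCESS branch still refreshes the strings as if a reset had happened.
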
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
index ac783453cc..0d01701de7 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
@@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure Boot"
#string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable the Secure Boot feature after platform reset"

+#string STR_SECURE_RESET_TO_DEFAULTS_HELP #language en-US "Enroll keys with data from default variables"
+#string STR_SECURE_RESET_TO_DEFAULTS #language en-US "Reset Secure Boot Keys"
+#string STR_RESET_TO_DEFAULTS_POPUP #language en-US "Secure Boot Keys & databases will be initialized from defaults.\n Are you sure?"
+
#string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signature"
#string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signature"
#string STR_SECURE_BOOT_DELETE_LIST_FORM #language en-US "Delete Signature List Form"
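
Review bot: STR_RESET_TO_DEFAULTS_POPUP only says the keys and databases "will be initialized from defaults", but KeyEnrollReset () first deletes the current PK, KEK, db, dbx and dbt; the confirmation text should state that the existing keys are removed. There is also a stray space after the \n, and STR_SECURE_RESET_TO_DEFAULTS_HELP would benefit from the same wording.
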
--
2.25.1


[PATCH v7 10/11] SecurityPkg: Add new modules to Security package.

Grzegorz Bernacki
 

This commit adds modules and dependencies related
to initialization and usage of default Secure Boot
key variables to SecurityPkg.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
---
SecurityPkg/SecurityPkg.dec | 14 ++++++++++++++
SecurityPkg/SecurityPkg.dsc | 7 ++++++-
2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index e30c39f321..d5ace6f654 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -198,6 +198,20 @@
## GUID used to enforce loading order between Tcg2Acpi and Tcg2Smm
gTcg2MmSwSmiRegisteredGuid = { 0x9d4548b9, 0xa48d, 0x4db4, { 0x9a, 0x68, 0x32, 0xc5, 0x13, 0x9e, 0x20, 0x18 } }

+ ## GUID used to specify section with default PK content
+ gDefaultPKFileGuid = { 0x85254ea7, 0x4759, 0x4fc4, { 0x82, 0xd4, 0x5e, 0xed, 0x5f, 0xb0, 0xa4, 0xa0 } }
+
+ ## GUID used to specify section with default KEK content
+ gDefaultKEKFileGuid = { 0x6f64916e, 0x9f7a, 0x4c35, { 0xb9, 0x52, 0xcd, 0x04, 0x1e, 0xfb, 0x05, 0xa3 } }
+
+ ## GUID used to specify section with default db content
+ gDefaultdbFileGuid = { 0xc491d352, 0x7623, 0x4843, { 0xac, 0xcc, 0x27, 0x91, 0xa7, 0x57, 0x44, 0x21 } }
+
+ ## GUID used to specify section with default dbx content
+ gDefaultdbxFileGuid = { 0x5740766a, 0x718e, 0x4dc0, { 0x99, 0x35, 0xc3, 0x6f, 0x7d, 0x3f, 0x88, 0x4f } }
+
+ ## GUID used to specify section with default dbt content
+ gDefaultdbtFileGuid = { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } }

[Ppis]
## The PPI GUID for that TPM physical presence should be locked.
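
Review bot: the five gDefault*FileGuid values added here are repeated as literal GUID strings in ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc (patch 07/11), and nothing ties the two together; add a comment on each declaration naming the FDF include that must carry the same value, so a later change to one side is not missed.
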
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 99c227dad2..64157e20f9 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -73,7 +73,7 @@
SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf

-[LibraryClasses.ARM]
+[LibraryClasses.ARM, LibraryClasses.AARCH64]
#
# It is not possible to prevent the ARM compiler for generic intrinsic functions.
# This library provides the intrinsic functions generate by a given compiler.
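
Review bot: widening [LibraryClasses.ARM] to [LibraryClasses.ARM, LibraryClasses.AARCH64] is not covered by the commit message, which only talks about adding modules and their dependencies; state why AARCH64 now needs this section, or split the change into its own patch.
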
@@ -149,6 +149,7 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
!endif
HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+ HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf

@@ -260,6 +261,10 @@

[Components.IA32, Components.X64, Components.ARM, Components.AARCH64]
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
+ SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
+ SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf

[Components.IA32, Components.X64, Components.AARCH64]
#
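
Review bot: SecureBootDefaultKeysDxe.inf is added under [Components.IA32, Components.X64, Components.ARM, Components.AARCH64], but its INF (patch 08/11) declares VALID_ARCHITECTURES = IA32 X64 AARCH64; either add ARM to that INF comment or list the driver in a section that does not include ARM.
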
--
2.25.1


[PATCH v7 09/11] SecurityPkg: Add EnrollFromDefaultKeys application.

Grzegorz Bernacki
 

This application allows the user to force key enrollment from
Secure Boot default variables.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
---
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 48 ++++++++
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 115 ++++++++++++++++++++
2 files changed, 163 insertions(+)
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c

diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
new file mode 100644
index 0000000000..8675b30291
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
@@ -0,0 +1,48 @@
+## @file
+# Enroll PK, KEK, db, dbx from Default variables
+#
+# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+# Copyright (c) 2021, Semihalf All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION = 1.28
+ BASE_NAME = EnrollFromDefaultKeysApp
+ FILE_GUID = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
+ MODULE_TYPE = UEFI_APPLICATION
+ VERSION_STRING = 0.1
+ ENTRY_POINT = UefiMain
+
+[Sources]
+ EnrollFromDefaultKeysApp.c
+
+[Packages]
+ MdeModulePkg/MdeModulePkg.dec
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[Guids]
+ gEfiCertPkcs7Guid
+ gEfiCertSha256Guid
+ gEfiCertX509Guid
+ gEfiCustomModeEnableGuid
+ gEfiGlobalVariableGuid
+ gEfiImageSecurityDatabaseGuid
+ gEfiSecureBootEnableDisableGuid
+
+[Protocols]
+ gEfiSmbiosProtocolGuid ## CONSUMES
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ PrintLib
+ UefiApplicationEntryPoint
+ UefiBootServicesTableLib
+ UefiLib
+ UefiRuntimeServicesTableLib
+ SecureBootVariableLib
+ SecureBootVariableProvisionLib
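
Review bot: the [Guids] and [Protocols] sections list entries such as gEfiCertPkcs7Guid, gEfiCertSha256Guid and gEfiSmbiosProtocolGuid that EnrollFromDefaultKeysApp.c never references; the source only calls GetSetupMode, SetSecureBootMode and the Enroll*FromDefault and Delete* library functions. Drop the unused entries, add usage comments to any that remain, and mention dbt in the @file line since it is enrolled as well.
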
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
new file mode 100644
index 0000000000..0e4b06551a
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
@@ -0,0 +1,115 @@
+/** @file
+ Enroll default PK, KEK, db, dbx.
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseLib.h> // GUID_STRING_LENGTH
+#include <Library/BaseMemoryLib.h> // CopyGuid()
+#include <Library/DebugLib.h> // ASSERT()
+#include <Library/MemoryAllocationLib.h> // FreePool()
+#include <Library/PrintLib.h> // AsciiSPrint()
+#include <Library/UefiBootServicesTableLib.h> // gBS
+#include <Library/UefiLib.h> // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+#include <Uefi/UefiMultiPhase.h>
+#include <Library/SecureBootVariableLib.h>
+#include <Library/SecureBootVariableProvisionLib.h>
+
+/**
+ Entry point function of this shell application.
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
+ @param[in] SystemTable A pointer to the EFI System Table.
+
+ @retval 0 The entry point is executed successfully.
+ @retval other Some error occurs when executing this entry point.
+**/
+EFI_STATUS
+EFIAPI
+UefiMain (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+ UINT8 SetupMode;
+
+ Status = GetSetupMode (&SetupMode);
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: %r\n", Status);
+ return 1;
+ }
+
+ if (SetupMode == USER_MODE) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n");
+ return 1;
+ }
+
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
+ return 1;
+ }
+
+ Status = EnrollDbFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status);
+ goto error;
+ }
+
+ Status = EnrollDbxFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Status);
+ }
+
+ Status = EnrollDbtFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Status);
+ }
+
+ Status = EnrollKEKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Status);
+ goto cleardbs;
+ }
+
+ Status = EnrollPKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status);
+ goto clearKEK;
+ }
+
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ AsciiPrint (
+ "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n"
+ );
+ }
+ return 0;
+
+clearKEK:
+ DeleteKEK ();
+
+cleardbs:
+ DeleteDbt ();
+ DeleteDbx ();
+ DeleteDb ();
+
+error:
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ AsciiPrint (
+ "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n"
+ );
+ }
+
+ return 1;
+}
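
Review bot: the failure messages for dbx and dbt are swapped: the EnrollDbxFromDefault () branch prints "Cannot enroll dbt" and the EnrollDbtFromDefault () branch prints "Cannot enroll dbx". In addition, when the final SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) fails, the application warns that the system can be easily compromised and then returns 0; that path should report failure. UefiMain is declared EFI_STATUS but returns 0 and 1, and 1 is not an error value under EFI_ERROR (); return EFI_SUCCESS and a real EFI error code instead.
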
--
2.25.1


[PATCH v7 08/11] SecurityPkg: Add SecureBootDefaultKeysDxe driver

Grzegorz Bernacki
 

This driver initializes default Secure Boot keys and databases
based on keys embedded in flash.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
---
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 46 +++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 69 ++++++++++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 16 +++++
3 files changed, 131 insertions(+)
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
new file mode 100644
index 0000000000..3ed45fa497
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
@@ -0,0 +1,46 @@
+## @file
+# Initializes Secure Boot default keys
+#
+# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+# Copyright (c) 2021, Semihalf All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = SecureBootDefaultKeysDxe
+ FILE_GUID = C937FCB7-25AC-4376-89A2-4EA8B317DE83
+ MODULE_TYPE = DXE_DRIVER
+ ENTRY_POINT = SecureBootDefaultKeysEntryPoint
+
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+[Sources]
+ SecureBootDefaultKeysDxe.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ MemoryAllocationLib
+ UefiDriverEntryPoint
+ DebugLib
+ SecureBootVariableLib
+ SecureBootVariableProvisionLib
+
+[Guids]
+ ## SOMETIMES_PRODUCES ## Variable:L"PKDefault"
+ ## SOMETIMES_PRODUCES ## Variable:L"KEKDefault"
+ ## SOMETIMES_PRODUCES ## Variable:L"dbDefault"
+ ## SOMETIMES_PRODUCES ## Variable:L"dbtDefault"
+ ## SOMETIMES_PRODUCES ## Variable:L"dbxDefault"
+ gEfiGlobalVariableGuid
+
+[Depex]
+ gEfiVariableArchProtocolGuid AND
+ gEfiVariableWriteArchProtocolGuid
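
Review bot: this patch adds SecureBootDefaultKeysDxe.uni, but [Defines] has no MODULE_UNI_FILE entry referencing it; add MODULE_UNI_FILE = SecureBootDefaultKeysDxe.uni. The VALID_ARCHITECTURES comment also omits ARM although patch 10/11 builds the driver for ARM.
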
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
new file mode 100644
index 0000000000..f51d5243b7
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
@@ -0,0 +1,69 @@
+/** @file
+ This driver init default Secure Boot variables
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/SecureBootVariableLib.h>
+#include <Library/SecureBootVariableProvisionLib.h>
+
+/**
+ The entry point for SecureBootDefaultKeys driver.
+
+ @param[in] ImageHandle The image handle of the driver.
+ @param[in] SystemTable The system table.
+
+ @retval EFI_ALREADY_STARTED The driver already exists in system.
+ @retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack of resources.
+ @retval EFI_SUCCESS All the related protocols are installed on the driver.
+ @retval Others Fail to get the SecureBootEnable variable.
+
+**/
+EFI_STATUS
+EFIAPI
+SecureBootDefaultKeysEntryPoint (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+
+ Status = SecureBootInitPKDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __FUNCTION__, Status));
+ return Status;
+ }
+
+ Status = SecureBootInitKEKDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __FUNCTION__, Status));
+ return Status;
+ }
+ Status = SecureBootInitDbDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __FUNCTION__, Status));
+ return Status;
+ }
+
+ Status = SecureBootInitDbtDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__));
+ }
+
+ Status = SecureBootInitDbxDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__));
+ }
+
+ return Status;
+}
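
Review bot: the entry point ends with return Status, which at that point holds the result of SecureBootInitDbxDefault (); a platform without a dbx default therefore gets an error return from the driver entry point even though that case is logged at DEBUG_INFO as non-fatal, and a dbt failure is silently overwritten. Return EFI_SUCCESS once PKDefault, KEKDefault and dbDefault have been initialized. The @retval list (EFI_ALREADY_STARTED, protocols installed, SecureBootEnable variable) does not describe this function and should be rewritten.
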
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
new file mode 100644
index 0000000000..2b6cb7f950
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
@@ -0,0 +1,16 @@
+// /** @file
+// Provides the capability to intialize Secure Boot default variables
+//
+// Module which initializes Secure boot default variables.
+//
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Module which initializes Secure boot default variables"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This module reads embedded keys and initializes Secure Boot default variables."
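
Review bot: typo in the file header comment, "intialize" should be "initialize"; STR_MODULE_ABSTRACT also writes "Secure boot" where STR_MODULE_DESCRIPTION writes "Secure Boot".
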
--
2.25.1


[PATCH v7 07/11] ArmPlatformPkg: Create include file for default key content.

Grzegorz Bernacki
 

This commit adds a file which can be included by the platform Flash
Description File. It allows specifying certificate files, which
will be embedded into binary file. The content of these files
can be used to initialize Secure Boot default keys and databases.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
---
ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc | 70 ++++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc

diff --git a/ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc b/ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
new file mode 100644
index 0000000000..bf4f2d42de
--- /dev/null
+++ b/ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
@@ -0,0 +1,70 @@
+## @file
+# FDF include file which allows to embed Secure Boot keys
+#
+# Copyright (c) 2021, ARM Limited. All rights reserved.
+# Copyright (c) 2021, Semihalf. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+
+!if $(DEFAULT_KEYS) == TRUE
+ FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
+ !ifdef $(PK_DEFAULT_FILE)
+ SECTION RAW = $(PK_DEFAULT_FILE)
+ !endif
+ SECTION UI = "PK Default"
+ }
+
+ FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
+ !ifdef $(KEK_DEFAULT_FILE1)
+ SECTION RAW = $(KEK_DEFAULT_FILE1)
+ !endif
+ !ifdef $(KEK_DEFAULT_FILE2)
+ SECTION RAW = $(KEK_DEFAULT_FILE2)
+ !endif
+ !ifdef $(KEK_DEFAULT_FILE3)
+ SECTION RAW = $(KEK_DEFAULT_FILE3)
+ !endif
+ SECTION UI = "KEK Default"
+ }
+
+ FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
+ !ifdef $(DB_DEFAULT_FILE1)
+ SECTION RAW = $(DB_DEFAULT_FILE1)
+ !endif
+ !ifdef $(DB_DEFAULT_FILE2)
+ SECTION RAW = $(DB_DEFAULT_FILE2)
+ !endif
+ !ifdef $(DB_DEFAULT_FILE3)
+ SECTION RAW = $(DB_DEFAULT_FILE3)
+ !endif
+ SECTION UI = "DB Default"
+ }
+
+ FILE FREEFORM = 36c513ee-a338-4976-a0fb-6ddba3dafe87 {
+ !ifdef $(DBT_DEFAULT_FILE1)
+ SECTION RAW = $(DBT_DEFAULT_FILE1)
+ !endif
+ !ifdef $(DBT_DEFAULT_FILE2)
+ SECTION RAW = $(DBT_DEFAULT_FILE2)
+ !endif
+ !ifdef $(DBT_DEFAULT_FILE3)
+ SECTION RAW = $(DBT_DEFAULT_FILE3)
+ !endif
+ SECTION UI = "DBT Default"
+ }
+
+ FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {
+ !ifdef $(DBX_DEFAULT_FILE1)
+ SECTION RAW = $(DBX_DEFAULT_FILE1)
+ !endif
+ !ifdef $(DBX_DEFAULT_FILE2)
+ SECTION RAW = $(DBX_DEFAULT_FILE2)
+ !endif
+ !ifdef $(DBX_DEFAULT_FILE3)
+ SECTION RAW = $(DBX_DEFAULT_FILE3)
+ !endif
+ SECTION UI = "DBX Default"
+ }
+
+!endif
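
Review bot: with DEFAULT_KEYS set to TRUE and PK_DEFAULT_FILE (or KEK_DEFAULT_FILE1, DB_DEFAULT_FILE1) left undefined, each FILE FREEFORM block is still emitted with only its UI section and no RAW content, so a misconfigured platform ends up with empty defaults for PK, KEK or db. Make the build fail when the files for PK, KEK and db are not defined, and document in the header which of the *_DEFAULT_FILE macros are mandatory. The GUIDs are repeated here as literals from SecurityPkg.dec; a comment naming the matching gDefault*FileGuid on each block would keep the two in sync.
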
--
2.25.1


[PATCH v7 06/11] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.

Grzegorz Bernacki
 

This commit removes functions which were added
to SecureBootVariableLib. It also adds dependency
on that library.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
---
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 190 +-------------------
2 files changed, 4 insertions(+), 188 deletions(-)

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 573efa6379..14c7311b08 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -54,6 +54,8 @@
DevicePathLib
FileExplorerLib
PeCoffLib
+ SecureBootVariableLib
+ SecureBootVariableProvisionLib

[Guids]
## SOMETIMES_CONSUMES ## Variable:L"CustomMode"
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index e82bfe7757..f527aa32e6 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -9,6 +9,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

#include "SecureBootConfigImpl.h"
#include <Library/BaseCryptLib.h>
+#include <Library/SecureBootVariableLib.h>
+#include <Library/SecureBootVariableProvisionLib.h>

CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION";

@@ -237,168 +239,6 @@ SaveSecureBootVariable (
return Status;
}

-/**
- Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
- descriptor with the input data. NO authentication is required in this function.
-
- @param[in, out] DataSize On input, the size of Data buffer in bytes.
- On output, the size of data returned in Data
- buffer in bytes.
- @param[in, out] Data On input, Pointer to data buffer to be wrapped or
- pointer to NULL to wrap an empty payload.
- On output, Pointer to the new payload date buffer allocated from pool,
- it's caller's responsibility to free the memory when finish using it.
-
- @retval EFI_SUCCESS Create time based payload successfully.
- @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval Others Unexpected error happens.
-
-**/
-EFI_STATUS
-CreateTimeBasedPayload (
- IN OUT UINTN *DataSize,
- IN OUT UINT8 **Data
- )
-{
- EFI_STATUS Status;
- UINT8 *NewData;
- UINT8 *Payload;
- UINTN PayloadSize;
- EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
- UINTN DescriptorSize;
- EFI_TIME Time;
-
- if (Data == NULL || DataSize == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // In Setup mode or Custom mode, the variable does not need to be signed but the
- // parameters to the SetVariable() call still need to be prepared as authenticated
- // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
- // data in it.
- //
- Payload = *Data;
- PayloadSize = *DataSize;
-
- DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
- if (NewData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- if ((Payload != NULL) && (PayloadSize != 0)) {
- CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
- }
-
- DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
-
- ZeroMem (&Time, sizeof (EFI_TIME));
- Status = gRT->GetTime (&Time, NULL);
- if (EFI_ERROR (Status)) {
- FreePool(NewData);
- return Status;
- }
- Time.Pad1 = 0;
- Time.Nanosecond = 0;
- Time.TimeZone = 0;
- Time.Daylight = 0;
- Time.Pad2 = 0;
- CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
-
- DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
- DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
- CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
-
- if (Payload != NULL) {
- FreePool(Payload);
- }
-
- *DataSize = DescriptorSize + PayloadSize;
- *Data = NewData;
- return EFI_SUCCESS;
-}
-
-/**
- Internal helper function to delete a Variable given its name and GUID, NO authentication
- required.
-
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Variable deleted successfully.
- @retval Others The driver failed to start the device.
-
-**/
-EFI_STATUS
-DeleteVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- VOID* Variable;
- UINT8 *Data;
- UINTN DataSize;
- UINT32 Attr;
-
- GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
- if (Variable == NULL) {
- return EFI_SUCCESS;
- }
- FreePool (Variable);
-
- Data = NULL;
- DataSize = 0;
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
- | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
- Status = CreateTimeBasedPayload (&DataSize, &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- return Status;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- VendorGuid,
- Attr,
- DataSize,
- Data
- );
- if (Data != NULL) {
- FreePool (Data);
- }
- return Status;
-}
-
-/**
-
- Set the platform secure boot mode into "Custom" or "Standard" mode.
-
- @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or
- CUSTOM_SECURE_BOOT_MODE.
-
- @return EFI_SUCCESS The platform has switched to the special mode successfully.
- @return other Fail to operate the secure boot mode.
-
-**/
-EFI_STATUS
-SetSecureBootMode (
- IN UINT8 SecureBootMode
- )
-{
- return gRT->SetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &SecureBootMode
- );
-}
-
/**
This code checks if the encode type and key strength of X.509
certificate is qualified.
@@ -646,32 +486,6 @@ ON_EXIT:
return Status;
}

-/**
- Remove the PK variable.
-
- @retval EFI_SUCCESS Delete PK successfully.
- @retval Others Could not allow to delete PK.
-
-**/
-EFI_STATUS
-DeletePlatformKey (
- VOID
-)
-{
- EFI_STATUS Status;
-
- Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- Status = DeleteVariable (
- EFI_PLATFORM_KEY_NAME,
- &gEfiGlobalVariableGuid
- );
- return Status;
-}
-
/**
Enroll a new KEK item from public key storing file (*.pbk).

--
2.25.1


[PATCH v7 05/11] EmulatorPkg: add SecureBootVariableLib class resolution

Grzegorz Bernacki
 

The edk2 patch
SecurityPkg: Create library for setting Secure Boot variables.

moves generic functions from SecureBootConfigDxe and places
them into SecureBootVariableLib. This patch adds SecureBootVariableLib
mapping for EmulatorPkg.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
---
EmulatorPkg/EmulatorPkg.dsc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 20e5468398..554c13ddb5 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -132,6 +132,8 @@
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
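
Review bot: the hunk also maps SecureBootVariableProvisionLib, which neither the subject line nor the commit message mentions; name both library classes there so the change can be found when searching the history for the provisioning library.
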
--
2.25.1


[PATCH v7 04/11] OvmfPkg: add SecureBootVariableLib class resolution

Grzegorz Bernacki
 

The edk2 patch
SecurityPkg: Create library for setting Secure Boot variables.

moves generic functions from SecureBootConfigDxe and places
them into SecureBootVariableLib. This patch adds SecureBootVariableLib
mapping for OvmfPkg.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
---
OvmfPkg/Bhyve/BhyveX64.dsc | 2 ++
OvmfPkg/OvmfPkgIa32.dsc | 2 ++
OvmfPkg/OvmfPkgIa32X64.dsc | 2 ++
OvmfPkg/OvmfPkgX64.dsc | 2 ++
4 files changed, 8 insertions(+)

diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index 0068314495..d8fe607d1c 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -197,6 +197,8 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 799a974cf2..d1d92c97ba 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -204,6 +204,8 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 66ad5dc70c..a467ab7090 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -208,6 +208,8 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 180565a100..e56b83d95e 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -208,6 +208,8 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
--
2.25.1
