diff --git a/.edk2.metadata b/.edk2.metadata
index 8f67065..86e6e0f 100644
--- a/.edk2.metadata
+++ b/.edk2.metadata
@@ -1,3 +1,3 @@
 fdcb04021414cdd5a7e286058ca36aca359d323d SOURCES/RedHatSecureBootPkKek1.pem
 3a531b4e8864ee52b1e128ac9742b3e9dcec49bf SOURCES/edk2-ca407c7246bf.tar.xz
-cb385fc348395c187db3737e532de787ca2a17c9 SOURCES/openssl-rhel-d6c0e6e28ddc793474a3f9234eed50018f6c94ba.tar.xz
+627633682f69c2c899fe6018d675faaf45e5bb33 SOURCES/openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz
diff --git a/.gitignore b/.gitignore
index f1caf91..69ae551 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/RedHatSecureBootPkKek1.pem
 SOURCES/edk2-ca407c7246bf.tar.xz
-SOURCES/openssl-rhel-d6c0e6e28ddc793474a3f9234eed50018f6c94ba.tar.xz
+SOURCES/openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz
diff --git a/SOURCES/edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch b/SOURCES/edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch
new file mode 100644
index 0000000..7280197
--- /dev/null
+++ b/SOURCES/edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch
@@ -0,0 +1,386 @@
+From e81751a1c303f5cd4bcae0ed1a38c60c38a0cf38 Mon Sep 17 00:00:00 2001
+From: Guomin Jiang <guomin.jiang@intel.com>
+Date: Fri, 10 Jul 2020 09:47:31 +0800
+Subject: [PATCH 4/5] CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1g
+
+RH-Author: Laszlo Ersek (lersek)
+RH-MergeRequest: 2: [RHEL-8.4.0] bump OpenSSL dist-git submodule to 1.1.1g
+RH-Commit: [1/2] 36d4bc34a3b5c421819e94c58ff84fd779a93bae (lersek/edk2)
+RH-Bugzilla: 1893806
+
+--v-- RHEL8 notes --v--
+
+- The "CryptoPkg/Library/OpensslLib/openssl" hunk, advancing upstream
+  edk2's OpenSSL submodule reference, has been stripped from this
+  backport. (Refer to downstream commit c5d729df70f8 ("remove upstream
+  edk2's openssl submodule (RH only)", 2020-06-05), as basis.) The
+  corresponding RHEL8 OpenSSL dist-git bump is implemented in a subsequent
+  patch in this series.
+
+  This cherry-pick and the RHEL8 OpenSSL dist-git submodule bump are kept
+  separate for easing the next rebase, even at the cost of introducing a
+  brief interval in the git history where the downstream exploded tree
+  does not build.
+
+- Contextual difference in "OpensslLib.inf" due to downstream commit
+  56c4bb81b311 ("CryptoPkg/OpensslLib: list RHEL8-specific OpenSSL files
+  in the INFs (RH)", 2020-06-05); automatically resolved by
+  git-cherry-pick.
+
+--^-- RHEL8 notes --^--
+
+Upgrade openssl to 1.1.1g. the directory have been reorganized,
+openssl moved crypto/include/internal to include/crypto folder.
+So we change directory to match the re-organization.
+
+The dso_conf.h and opensslconf.h will generated in UNIX format,
+change process_files.pl to covent the EOL automatically.
+
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
+Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Tested-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
+(cherry picked from commit 8c30327debb28c0b6cfa2106b736774e0b20daac)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ CryptoPkg/CryptoPkg.dec                       |  1 -
+ .../Library/BaseCryptLib/Hash/CryptSm3.c      |  2 +-
+ .../BaseCryptLib/Pk/CryptPkcs7VerifyEku.c     |  4 +-
+ .../Include/{internal => crypto}/dso_conf.h   | 32 +++++-----
+ .../Library/Include/openssl/opensslconf.h     |  3 -
+ CryptoPkg/Library/OpensslLib/OpensslLib.inf   | 58 +++++++++----------
+ .../Library/OpensslLib/OpensslLibCrypto.inf   | 50 ++++++++--------
+ CryptoPkg/Library/OpensslLib/process_files.pl | 25 +++++---
+ CryptoPkg/Library/OpensslLib/rand_pool.c      |  2 +-
+ 9 files changed, 90 insertions(+), 87 deletions(-)
+ rename CryptoPkg/Library/Include/{internal => crypto}/dso_conf.h (76%)
+
+diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
+index 4d1a1368a8..5888941bab 100644
+--- a/CryptoPkg/CryptoPkg.dec
++++ b/CryptoPkg/CryptoPkg.dec
+@@ -23,7 +23,6 @@
+   Private
+   Library/Include
+   Library/OpensslLib/openssl/include
+-  Library/OpensslLib/openssl/crypto/include
+ 
+ [LibraryClasses]
+   ##  @libraryclass  Provides basic library functions for cryptographic primitives.
+diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c
+index eacf4826c4..235331c2a0 100644
+--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c
++++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptSm3.c
+@@ -7,7 +7,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ **/
+ 
+ #include "InternalCryptLib.h"
+-#include "internal/sm3.h"
++#include "crypto/sm3.h"
+ 
+ /**
+   Retrieves the size, in bytes, of the context buffer required for SM3 hash operations.
+diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c
+index 229c244b26..c9fdb65b99 100644
+--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c
++++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c
+@@ -15,13 +15,13 @@
+ #include <openssl/asn1.h>
+ #include <openssl/x509.h>
+ #include <openssl/bio.h>
+-#include <internal/x509_int.h>
++#include <crypto/x509.h>
+ #include <openssl/pkcs7.h>
+ #include <openssl/bn.h>
+ #include <openssl/x509_vfy.h>
+ #include <openssl/pem.h>
+ #include <openssl/evp.h>
+-#include <internal/asn1_int.h>
++#include <crypto/asn1.h>
+ 
+ /**
+   This function will return the leaf signer certificate in a chain.  This is
+diff --git a/CryptoPkg/Library/Include/internal/dso_conf.h b/CryptoPkg/Library/Include/crypto/dso_conf.h
+similarity index 76%
+rename from CryptoPkg/Library/Include/internal/dso_conf.h
+rename to CryptoPkg/Library/Include/crypto/dso_conf.h
+index 43c891588b..95f4db2b15 100644
+--- a/CryptoPkg/Library/Include/internal/dso_conf.h
++++ b/CryptoPkg/Library/Include/crypto/dso_conf.h
+@@ -1,16 +1,16 @@
+-/* WARNING: do not edit! */
+-/* Generated from crypto/include/internal/dso_conf.h.in */
+-/*
+- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+- *
+- * Licensed under the OpenSSL license (the "License").  You may not use
+- * this file except in compliance with the License.  You can obtain a copy
+- * in the file LICENSE in the source distribution or at
+- * https://www.openssl.org/source/license.html
+- */
+-
+-#ifndef HEADER_DSO_CONF_H
+-# define HEADER_DSO_CONF_H
+-# define DSO_NONE
+-# define DSO_EXTENSION ".so"
+-#endif
++/* WARNING: do not edit! */
++/* Generated from include/crypto/dso_conf.h.in */
++/*
++ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#ifndef OSSL_CRYPTO_DSO_CONF_H
++# define OSSL_CRYPTO_DSO_CONF_H
++# define DSO_NONE
++# define DSO_EXTENSION ".so"
++#endif
+diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
+index 62c2736cb0..3a2544ea5c 100644
+--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
++++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
+@@ -247,9 +247,6 @@ extern "C" {
+ #ifndef OPENSSL_NO_DYNAMIC_ENGINE
+ # define OPENSSL_NO_DYNAMIC_ENGINE
+ #endif
+-#ifndef OPENSSL_NO_AFALGENG
+-# define OPENSSL_NO_AFALGENG
+-#endif
+ 
+ 
+ /*
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+index 24e790b538..4c21b11d0a 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+@@ -477,45 +477,45 @@
+   $(OPENSSL_PATH)/crypto/s390x_arch.h
+   $(OPENSSL_PATH)/crypto/sparc_arch.h
+   $(OPENSSL_PATH)/crypto/vms_rms.h
+-  $(OPENSSL_PATH)/crypto/aes/aes_locl.h
++  $(OPENSSL_PATH)/crypto/aes/aes_local.h
+   $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h
+-  $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h
++  $(OPENSSL_PATH)/crypto/asn1/asn1_local.h
+   $(OPENSSL_PATH)/crypto/asn1/charmap.h
+   $(OPENSSL_PATH)/crypto/asn1/standard_methods.h
+   $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h
+-  $(OPENSSL_PATH)/crypto/async/async_locl.h
++  $(OPENSSL_PATH)/crypto/async/async_local.h
+   $(OPENSSL_PATH)/crypto/async/arch/async_null.h
+   $(OPENSSL_PATH)/crypto/async/arch/async_posix.h
+   $(OPENSSL_PATH)/crypto/async/arch/async_win.h
+-  $(OPENSSL_PATH)/crypto/bio/bio_lcl.h
+-  $(OPENSSL_PATH)/crypto/bn/bn_lcl.h
++  $(OPENSSL_PATH)/crypto/bio/bio_local.h
++  $(OPENSSL_PATH)/crypto/bn/bn_local.h
+   $(OPENSSL_PATH)/crypto/bn/bn_prime.h
+   $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h
+-  $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
++  $(OPENSSL_PATH)/crypto/comp/comp_local.h
+   $(OPENSSL_PATH)/crypto/conf/conf_def.h
+-  $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
+-  $(OPENSSL_PATH)/crypto/dh/dh_locl.h
+-  $(OPENSSL_PATH)/crypto/dso/dso_locl.h
+-  $(OPENSSL_PATH)/crypto/evp/evp_locl.h
+-  $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
+-  $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
+-  $(OPENSSL_PATH)/crypto/md5/md5_locl.h
+-  $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
++  $(OPENSSL_PATH)/crypto/conf/conf_local.h
++  $(OPENSSL_PATH)/crypto/dh/dh_local.h
++  $(OPENSSL_PATH)/crypto/dso/dso_local.h
++  $(OPENSSL_PATH)/crypto/evp/evp_local.h
++  $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
++  $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
++  $(OPENSSL_PATH)/crypto/md5/md5_local.h
++  $(OPENSSL_PATH)/crypto/modes/modes_local.h
+   $(OPENSSL_PATH)/crypto/objects/obj_dat.h
+-  $(OPENSSL_PATH)/crypto/objects/obj_lcl.h
++  $(OPENSSL_PATH)/crypto/objects/obj_local.h
+   $(OPENSSL_PATH)/crypto/objects/obj_xref.h
+-  $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
+-  $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
+-  $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
+-  $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
+-  $(OPENSSL_PATH)/crypto/sha/sha_locl.h
++  $(OPENSSL_PATH)/crypto/ocsp/ocsp_local.h
++  $(OPENSSL_PATH)/crypto/pkcs12/p12_local.h
++  $(OPENSSL_PATH)/crypto/rand/rand_local.h
++  $(OPENSSL_PATH)/crypto/rsa/rsa_local.h
++  $(OPENSSL_PATH)/crypto/sha/sha_local.h
+   $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
+-  $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h
+-  $(OPENSSL_PATH)/crypto/store/store_locl.h
+-  $(OPENSSL_PATH)/crypto/ui/ui_locl.h
+-  $(OPENSSL_PATH)/crypto/x509/x509_lcl.h
++  $(OPENSSL_PATH)/crypto/sm3/sm3_local.h
++  $(OPENSSL_PATH)/crypto/store/store_local.h
++  $(OPENSSL_PATH)/crypto/ui/ui_local.h
++  $(OPENSSL_PATH)/crypto/x509/x509_local.h
+   $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h
+-  $(OPENSSL_PATH)/crypto/x509v3/pcy_int.h
++  $(OPENSSL_PATH)/crypto/x509v3/pcy_local.h
+   $(OPENSSL_PATH)/crypto/x509v3/standard_exts.h
+   $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
+   $(OPENSSL_PATH)/ssl/bio_ssl.c
+@@ -562,13 +562,13 @@
+   $(OPENSSL_PATH)/ssl/t1_trce.c
+   $(OPENSSL_PATH)/ssl/tls13_enc.c
+   $(OPENSSL_PATH)/ssl/tls_srp.c
+-  $(OPENSSL_PATH)/ssl/packet_locl.h
++  $(OPENSSL_PATH)/ssl/packet_local.h
+   $(OPENSSL_PATH)/ssl/ssl_cert_table.h
+-  $(OPENSSL_PATH)/ssl/ssl_locl.h
++  $(OPENSSL_PATH)/ssl/ssl_local.h
+   $(OPENSSL_PATH)/ssl/record/record.h
+-  $(OPENSSL_PATH)/ssl/record/record_locl.h
++  $(OPENSSL_PATH)/ssl/record/record_local.h
+   $(OPENSSL_PATH)/ssl/statem/statem.h
+-  $(OPENSSL_PATH)/ssl/statem/statem_locl.h
++  $(OPENSSL_PATH)/ssl/statem/statem_local.h
+ # Autogenerated files list ends here
+ # RHEL8-specific OpenSSL file list starts here
+   $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+index 52e70a2d03..0c3b210d6a 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+@@ -477,45 +477,45 @@
+   $(OPENSSL_PATH)/crypto/s390x_arch.h
+   $(OPENSSL_PATH)/crypto/sparc_arch.h
+   $(OPENSSL_PATH)/crypto/vms_rms.h
+-  $(OPENSSL_PATH)/crypto/aes/aes_locl.h
++  $(OPENSSL_PATH)/crypto/aes/aes_local.h
+   $(OPENSSL_PATH)/crypto/asn1/asn1_item_list.h
+-  $(OPENSSL_PATH)/crypto/asn1/asn1_locl.h
++  $(OPENSSL_PATH)/crypto/asn1/asn1_local.h
+   $(OPENSSL_PATH)/crypto/asn1/charmap.h
+   $(OPENSSL_PATH)/crypto/asn1/standard_methods.h
+   $(OPENSSL_PATH)/crypto/asn1/tbl_standard.h
+-  $(OPENSSL_PATH)/crypto/async/async_locl.h
++  $(OPENSSL_PATH)/crypto/async/async_local.h
+   $(OPENSSL_PATH)/crypto/async/arch/async_null.h
+   $(OPENSSL_PATH)/crypto/async/arch/async_posix.h
+   $(OPENSSL_PATH)/crypto/async/arch/async_win.h
+-  $(OPENSSL_PATH)/crypto/bio/bio_lcl.h
+-  $(OPENSSL_PATH)/crypto/bn/bn_lcl.h
++  $(OPENSSL_PATH)/crypto/bio/bio_local.h
++  $(OPENSSL_PATH)/crypto/bn/bn_local.h
+   $(OPENSSL_PATH)/crypto/bn/bn_prime.h
+   $(OPENSSL_PATH)/crypto/bn/rsaz_exp.h
+-  $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
++  $(OPENSSL_PATH)/crypto/comp/comp_local.h
+   $(OPENSSL_PATH)/crypto/conf/conf_def.h
+-  $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
+-  $(OPENSSL_PATH)/crypto/dh/dh_locl.h
+-  $(OPENSSL_PATH)/crypto/dso/dso_locl.h
+-  $(OPENSSL_PATH)/crypto/evp/evp_locl.h
+-  $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
+-  $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
+-  $(OPENSSL_PATH)/crypto/md5/md5_locl.h
+-  $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
++  $(OPENSSL_PATH)/crypto/conf/conf_local.h
++  $(OPENSSL_PATH)/crypto/dh/dh_local.h
++  $(OPENSSL_PATH)/crypto/dso/dso_local.h
++  $(OPENSSL_PATH)/crypto/evp/evp_local.h
++  $(OPENSSL_PATH)/crypto/hmac/hmac_local.h
++  $(OPENSSL_PATH)/crypto/lhash/lhash_local.h
++  $(OPENSSL_PATH)/crypto/md5/md5_local.h
++  $(OPENSSL_PATH)/crypto/modes/modes_local.h
+   $(OPENSSL_PATH)/crypto/objects/obj_dat.h
+-  $(OPENSSL_PATH)/crypto/objects/obj_lcl.h
++  $(OPENSSL_PATH)/crypto/objects/obj_local.h
+   $(OPENSSL_PATH)/crypto/objects/obj_xref.h
+-  $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
+-  $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
+-  $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
+-  $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
+-  $(OPENSSL_PATH)/crypto/sha/sha_locl.h
++  $(OPENSSL_PATH)/crypto/ocsp/ocsp_local.h
++  $(OPENSSL_PATH)/crypto/pkcs12/p12_local.h
++  $(OPENSSL_PATH)/crypto/rand/rand_local.h
++  $(OPENSSL_PATH)/crypto/rsa/rsa_local.h
++  $(OPENSSL_PATH)/crypto/sha/sha_local.h
+   $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
+-  $(OPENSSL_PATH)/crypto/sm3/sm3_locl.h
+-  $(OPENSSL_PATH)/crypto/store/store_locl.h
+-  $(OPENSSL_PATH)/crypto/ui/ui_locl.h
+-  $(OPENSSL_PATH)/crypto/x509/x509_lcl.h
++  $(OPENSSL_PATH)/crypto/sm3/sm3_local.h
++  $(OPENSSL_PATH)/crypto/store/store_local.h
++  $(OPENSSL_PATH)/crypto/ui/ui_local.h
++  $(OPENSSL_PATH)/crypto/x509/x509_local.h
+   $(OPENSSL_PATH)/crypto/x509v3/ext_dat.h
+-  $(OPENSSL_PATH)/crypto/x509v3/pcy_int.h
++  $(OPENSSL_PATH)/crypto/x509v3/pcy_local.h
+   $(OPENSSL_PATH)/crypto/x509v3/standard_exts.h
+   $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
+ # Autogenerated files list ends here
+diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
+index 65d07a2aed..57ce195394 100755
+--- a/CryptoPkg/Library/OpensslLib/process_files.pl
++++ b/CryptoPkg/Library/OpensslLib/process_files.pl
+@@ -111,8 +111,8 @@ BEGIN {
+             # Generate dso_conf.h per config data
+             system(
+                 "perl -I. -Mconfigdata util/dofile.pl " .
+-                "crypto/include/internal/dso_conf.h.in " .
+-                "> include/internal/dso_conf.h"
++                "include/crypto/dso_conf.h.in " .
++                "> include/crypto/dso_conf.h"
+                 ) == 0 ||
+                     die "Failed to generate dso_conf.h!\n";
+ 
+@@ -263,14 +263,21 @@ print "Done!";
+ # Copy opensslconf.h and dso_conf.h generated from OpenSSL Configuration
+ #
+ print "\n--> Duplicating opensslconf.h into Include/openssl ... ";
+-copy($OPENSSL_PATH . "/include/openssl/opensslconf.h",
+-     $OPENSSL_PATH . "/../../Include/openssl/") ||
+-   die "Cannot copy opensslconf.h!";
++system(
++    "perl -pe 's/\\n/\\r\\n/' " .
++    "< " . $OPENSSL_PATH . "/include/openssl/opensslconf.h " .
++    "> " . $OPENSSL_PATH . "/../../Include/openssl/opensslconf.h"
++    ) == 0 ||
++    die "Cannot copy opensslconf.h!";
+ print "Done!";
+-print "\n--> Duplicating dso_conf.h into Include/internal ... ";
+-copy($OPENSSL_PATH . "/include/internal/dso_conf.h",
+-     $OPENSSL_PATH . "/../../Include/internal/") ||
+-   die "Cannot copy dso_conf.h!";
++
++print "\n--> Duplicating dso_conf.h into Include/crypto ... ";
++system(
++    "perl -pe 's/\\n/\\r\\n/' " .
++    "< " . $OPENSSL_PATH . "/include/crypto/dso_conf.h" .
++    "> " . $OPENSSL_PATH . "/../../Include/crypto/dso_conf.h"
++    ) == 0 ||
++    die "Cannot copy dso_conf.h!";
+ print "Done!\n";
+ 
+ print "\nProcessing Files Done!\n";
+diff --git a/CryptoPkg/Library/OpensslLib/rand_pool.c b/CryptoPkg/Library/OpensslLib/rand_pool.c
+index 9f3983f7c3..9e0179b034 100644
+--- a/CryptoPkg/Library/OpensslLib/rand_pool.c
++++ b/CryptoPkg/Library/OpensslLib/rand_pool.c
+@@ -7,7 +7,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+ 
+-#include "internal/rand_int.h"
++#include "crypto/rand.h"
+ #include <openssl/aes.h>
+ 
+ #include <Uefi.h>
+-- 
+2.27.0
+
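Review bot: In the second process_files.pl hunk of this patch, the two `copy()` calls become single-string `system()` calls, so `$OPENSSL_PATH` is now parsed by a shell. A checkout path containing whitespace or shell metacharacters will be mis-split or interpreted, and the single-quoted `-pe` expression is not portable to non-POSIX shells. The dso_conf.h command also drops the separator before `"> "` (`"/include/crypto/dso_conf.h"` has no trailing space, unlike the opensslconf.h line), which works only because the shell treats `>` as a token boundary. Doing the EOL conversion in Perl itself, as sketched below, avoids the shell and does not double the `\r` if the input ever arrives with CRLF already.

```perl
# … unchanged: print "\n--> Duplicating opensslconf.h into Include/openssl ... "; …
copy_with_crlf($OPENSSL_PATH . "/include/openssl/opensslconf.h",
               $OPENSSL_PATH . "/../../Include/openssl/opensslconf.h");
# … unchanged: print "Done!"; and the dso_conf.h banner …
copy_with_crlf($OPENSSL_PATH . "/include/crypto/dso_conf.h",
               $OPENSSL_PATH . "/../../Include/crypto/dso_conf.h");

# Copy a generated header, normalising every line ending to CRLF.
sub copy_with_crlf {
    my ($src, $dst) = @_;
    open(my $in, "<", $src) || die "Cannot open $src: $!";
    open(my $out, ">", $dst) || die "Cannot open $dst: $!";
    binmode($in);
    binmode($out);
    while (my $line = <$in>) {
        $line =~ s/\r?\n\z/\r\n/;
        print $out $line;
    }
    close($in);
    close($out) || die "Cannot write $dst: $!";
}
```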
diff --git a/SOURCES/edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch b/SOURCES/edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch
new file mode 100644
index 0000000..761077b
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch
@@ -0,0 +1,120 @@
+From 08a95c3541cbe2b3a1c671fa683bd6214ad996f0 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Thu, 27 Aug 2020 00:21:29 +0200
+Subject: [PATCH 3/5] OvmfPkg/CpuHotplugSmm: fix CPU hotplug race just after
+ SMI broadcast
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek (lersek)
+RH-MergeRequest: 1: [RHEL-8.4.0] complete the "VCPU hotplug with SMI" OVMF feature
+RH-Commit: [3/3] 40521ea89725b8b0ff8ca3f0a610ff45431e610e (lersek/edk2)
+RH-Bugzilla: 1849177
+
+The "virsh setvcpus" (plural) command may hot-plug several VCPUs in quick
+succession -- it means a series of "device_add" QEMU monitor commands,
+back-to-back.
+
+If a "device_add" occurs *just after* ACPI raises the broadcast SMI, then:
+
+- the CPU_FOREACH() loop in QEMU's ich9_apm_ctrl_changed() cannot make the
+  SMI pending for the new CPU -- at that time, the new CPU doesn't even
+  exist yet,
+
+- OVMF will find the new CPU however (in the CPU hotplug register block),
+  in QemuCpuhpCollectApicIds().
+
+As a result, when the firmware sends an INIT-SIPI-SIPI to the new CPU in
+SmbaseRelocate(), expecting it to boot into SMM (due to the pending SMI),
+the new CPU instead boots straight into the post-RSM (normal mode) "pen",
+skipping its initial SMI handler.
+
+The CPU halts nicely in the pen, but its SMBASE is never relocated, and
+the SMRAM message exchange with the BSP falls apart -- the BSP gets stuck
+in the following loop:
+
+  //
+  // Wait until the hot-added CPU is just about to execute RSM.
+  //
+  while (Context->AboutToLeaveSmm == 0) {
+    CpuPause ();
+  }
+
+because the new CPU's initial SMI handler never sets the flag to nonzero.
+
+Fix this by sending a directed SMI to the new CPU just before sending it
+the INIT-SIPI-SIPI. The various scenarios are documented in the code --
+the cases affected by the patch are documented under point (2).
+
+Note that this is not considered a security patch, as for a malicious
+guest OS, the issue is not exploitable -- the symptom is a hang on the
+BSP, in the above-noted loop in SmbaseRelocate(). Instead, the patch fixes
+behavior for a benign guest OS.
+
+Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
+Cc: Igor Mammedov <imammedo@redhat.com>
+Cc: Jordan Justen <jordan.l.justen@intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Fixes: 51a6fb41181529e4b50ea13377425bda6bb69ba6
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2929
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20200826222129.25798-3-lersek@redhat.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
+(cherry picked from commit cbccf995920a28071f5403b847f29ebf8b732fa9)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ OvmfPkg/CpuHotplugSmm/Smbase.c | 35 ++++++++++++++++++++++++++++------
+ 1 file changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/OvmfPkg/CpuHotplugSmm/Smbase.c b/OvmfPkg/CpuHotplugSmm/Smbase.c
+index 170571221d..d8f45c4313 100644
+--- a/OvmfPkg/CpuHotplugSmm/Smbase.c
++++ b/OvmfPkg/CpuHotplugSmm/Smbase.c
+@@ -220,14 +220,37 @@ SmbaseRelocate (
+   //
+   // Boot the hot-added CPU.
+   //
+-  // If the OS is benign, and so the hot-added CPU is still in RESET state,
+-  // then the broadcast SMI is still pending for it; it will now launch
+-  // directly into SMM.
++  // There are 2*2 cases to consider:
+   //
+-  // If the OS is malicious, the hot-added CPU has been booted already, and so
+-  // it is already spinning on the APIC ID gate. In that case, the
+-  // INIT-SIPI-SIPI below will be ignored.
++  // (1) The CPU was hot-added before the SMI was broadcast.
+   //
++  // (1.1) The OS is benign.
++  //
++  //       The hot-added CPU is in RESET state, with the broadcast SMI pending
++  //       for it. The directed SMI below will be ignored (it's idempotent),
++  //       and the INIT-SIPI-SIPI will launch the CPU directly into SMM.
++  //
++  // (1.2) The OS is malicious.
++  //
++  //       The hot-added CPU has been booted, by the OS. Thus, the hot-added
++  //       CPU is spinning on the APIC ID gate. In that case, both the SMI and
++  //       the INIT-SIPI-SIPI below will be ignored.
++  //
++  // (2) The CPU was hot-added after the SMI was broadcast.
++  //
++  // (2.1) The OS is benign.
++  //
++  //       The hot-added CPU is in RESET state, with no SMI pending for it. The
++  //       directed SMI will latch the SMI for the CPU. Then the INIT-SIPI-SIPI
++  //       will launch the CPU into SMM.
++  //
++  // (2.2) The OS is malicious.
++  //
++  //       The hot-added CPU is executing OS code. The directed SMI will pull
++  //       the hot-added CPU into SMM, where it will start spinning on the APIC
++  //       ID gate. The INIT-SIPI-SIPI will be ignored.
++  //
++  SendSmiIpi (ApicId);
+   SendInitSipiSipi (ApicId, PenAddress);
+ 
+   //
+-- 
+2.27.0
+
diff --git a/SOURCES/edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch b/SOURCES/edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch
new file mode 100644
index 0000000..c35df49
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch
@@ -0,0 +1,91 @@
+From 4e5edfcdf5986d9e0801a976a3aa558b5f370099 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Thu, 27 Aug 2020 00:21:28 +0200
+Subject: [PATCH 2/5] OvmfPkg/CpuHotplugSmm: fix CPU hotplug race just before
+ SMI broadcast
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek (lersek)
+RH-MergeRequest: 1: [RHEL-8.4.0] complete the "VCPU hotplug with SMI" OVMF feature
+RH-Commit: [2/3] ea3ff703dfb7bd4f77b6807f06c89e754cc9d980 (lersek/edk2)
+RH-Bugzilla: 1849177
+
+The "virsh setvcpus" (plural) command may hot-plug several VCPUs in quick
+succession -- it means a series of "device_add" QEMU monitor commands,
+back-to-back.
+
+If a "device_add" occurs *just before* ACPI raises the broadcast SMI,
+then:
+
+- OVMF processes the hot-added CPU well.
+
+- However, QEMU's post-SMI ACPI loop -- which clears the pending events
+  for the hot-added CPUs that were collected before raising the SMI -- is
+  unaware of the stray CPU. Thus, the pending event is not cleared for it.
+
+As a result of the stuck event, at the next hot-plug, OVMF tries to re-add
+(relocate for the 2nd time) the already-known CPU. At that time, the AP is
+already in the normal edk2 SMM busy-wait however, so it doesn't respond to
+the exchange that the BSP intends to do in SmbaseRelocate(). Thus the VM
+gets stuck in SMM.
+
+(Because of the above symptom, this is not considered a security patch; it
+doesn't seem exploitable by a malicious guest OS.)
+
+In CpuHotplugMmi(), skip the supposedly hot-added CPU if it's already
+known. The post-SMI ACPI loop will clear the pending event for it this
+time.
+
+Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
+Cc: Igor Mammedov <imammedo@redhat.com>
+Cc: Jordan Justen <jordan.l.justen@intel.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Fixes: bc498ac4ca7590479cfd91ad1bb8a36286b0dc21
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2929
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20200826222129.25798-2-lersek@redhat.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
+(cherry picked from commit 020bb4b46d6f6708bb3358e1c738109b7908f0de)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ OvmfPkg/CpuHotplugSmm/CpuHotplug.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/OvmfPkg/CpuHotplugSmm/CpuHotplug.c b/OvmfPkg/CpuHotplugSmm/CpuHotplug.c
+index 20e6bec04f..cfe698ed2b 100644
+--- a/OvmfPkg/CpuHotplugSmm/CpuHotplug.c
++++ b/OvmfPkg/CpuHotplugSmm/CpuHotplug.c
+@@ -193,9 +193,28 @@ CpuHotplugMmi (
+   NewSlot = 0;
+   while (PluggedIdx < PluggedCount) {
+     APIC_ID NewApicId;
++    UINT32  CheckSlot;
+     UINTN   NewProcessorNumberByProtocol;
+ 
+     NewApicId = mPluggedApicIds[PluggedIdx];
++
++    //
++    // Check if the supposedly hot-added CPU is already known to us.
++    //
++    for (CheckSlot = 0;
++         CheckSlot < mCpuHotPlugData->ArrayLength;
++         CheckSlot++) {
++      if (mCpuHotPlugData->ApicId[CheckSlot] == NewApicId) {
++        break;
++      }
++    }
++    if (CheckSlot < mCpuHotPlugData->ArrayLength) {
++      DEBUG ((DEBUG_VERBOSE, "%a: APIC ID " FMT_APIC_ID " was hot-plugged "
++        "before; ignoring it\n", __FUNCTION__, NewApicId));
++      PluggedIdx++;
++      continue;
++    }
++
+     //
+     // Find the first empty slot in CPU_HOT_PLUG_DATA.
+     //
+-- 
+2.27.0
+
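Review bot: The comment above the new `CheckSlot` loop in CpuHotplugMmi() says what is checked but not why skipping the CPU is safe. The commit message explains that QEMU's post-SMI ACPI loop clears the stale pending event on this pass, and a later reader of the loop needs that reasoning in the code. I would extend the comment to something like `// Skip it: QEMU's post-SMI ACPI loop will clear the stale pending event this time.`. The skip is also logged at DEBUG_VERBOSE, which may be filtered out in typical builds, so a recurring stuck event would be hard to spot in firmware logs; DEBUG_INFO may be worth considering. The enclosing `while` loop and function continue outside the hunk.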
diff --git a/SOURCES/edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch b/SOURCES/edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch
new file mode 100644
index 0000000..73d05b4
--- /dev/null
+++ b/SOURCES/edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch
@@ -0,0 +1,140 @@
+From a5efebddb858c739d4a67865a4f8d836ba989d30 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 14 Jul 2020 20:43:05 +0200
+Subject: [PATCH 1/5] OvmfPkg/SmmControl2Dxe: negotiate
+ ICH9_LPC_SMI_F_CPU_HOTPLUG
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek (lersek)
+RH-MergeRequest: 1: [RHEL-8.4.0] complete the "VCPU hotplug with SMI" OVMF feature
+RH-Commit: [1/3] 33d820d43a1be2ece09044b0cf105275f3fcc9ce (lersek/edk2)
+RH-Bugzilla: 1849177
+
+The ICH9_LPC_SMI_F_BROADCAST and ICH9_LPC_SMI_F_CPU_HOTPLUG feature flags
+cause QEMU to behave as follows:
+
+  BROADCAST  CPU_HOTPLUG  use case / behavior
+  ---------  -----------  ------------------------------------------------
+  clear      clear        OVMF built without SMM_REQUIRE; or very old OVMF
+                          (from before commit a316d7ac91d3 / 2017-02-07).
+                          QEMU permits CPU hotplug operations, and does
+                          not cause the OS to inject an SMI upon hotplug.
+                          Firmware is not expected to be aware of hotplug
+                          events.
+
+  clear      set          Invalid feature set; QEMU rejects the feature
+                          negotiation.
+
+  set        clear        OVMF after a316d7ac91d3 / 2017-02-07, built with
+                          SMM_REQUIRE, but no support for CPU hotplug.
+                          QEMU gracefully refuses hotplug operations.
+
+  set        set          OVMF after a316d7ac91d3 / 2017-02-07, built with
+                          SMM_REQUIRE, and supporting CPU hotplug. QEMU
+                          permits CPU hotplug operations, and causes the
+                          OS to inject an SMI upon hotplug. Firmware is
+                          expected to deal with hotplug events.
+
+Negotiate ICH9_LPC_SMI_F_CPU_HOTPLUG -- but only if SEV is disabled, as
+OvmfPkg/CpuHotplugSmm can't deal with SEV yet.
+
+Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Igor Mammedov <imammedo@redhat.com>
+Cc: Jordan Justen <jordan.l.justen@intel.com>
+Cc: Liran Alon <liran.alon@oracle.com>
+Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Message-Id: <20200714184305.9814-1-lersek@redhat.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+(cherry picked from commit 5ba203b54e5953572e279e5505cd65e4cc360e34)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ OvmfPkg/SmmControl2Dxe/SmiFeatures.c      | 26 +++++++++++++++++++++--
+ OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf |  1 +
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/OvmfPkg/SmmControl2Dxe/SmiFeatures.c b/OvmfPkg/SmmControl2Dxe/SmiFeatures.c
+index 6210b7515e..c9d8755432 100644
+--- a/OvmfPkg/SmmControl2Dxe/SmiFeatures.c
++++ b/OvmfPkg/SmmControl2Dxe/SmiFeatures.c
+@@ -9,6 +9,7 @@
+ 
+ #include <Library/BaseLib.h>
+ #include <Library/DebugLib.h>
++#include <Library/MemEncryptSevLib.h>
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/PcdLib.h>
+ #include <Library/QemuFwCfgLib.h>
+@@ -21,6 +22,12 @@
+ // "etc/smi/supported-features" and "etc/smi/requested-features" fw_cfg files.
+ //
+ #define ICH9_LPC_SMI_F_BROADCAST BIT0
++//
++// The following bit value stands for "enable CPU hotplug, and inject an SMI
++// with control value ICH9_APM_CNT_CPU_HOTPLUG upon hotplug", in the
++// "etc/smi/supported-features" and "etc/smi/requested-features" fw_cfg files.
++//
++#define ICH9_LPC_SMI_F_CPU_HOTPLUG BIT1
+ 
+ //
+ // Provides a scratch buffer (allocated in EfiReservedMemoryType type memory)
+@@ -67,6 +74,7 @@ NegotiateSmiFeatures (
+   UINTN                SupportedFeaturesSize;
+   UINTN                RequestedFeaturesSize;
+   UINTN                FeaturesOkSize;
++  UINT64               RequestedFeaturesMask;
+ 
+   //
+   // Look up the fw_cfg files used for feature negotiation. The selector keys
+@@ -104,9 +112,16 @@ NegotiateSmiFeatures (
+   QemuFwCfgReadBytes (sizeof mSmiFeatures, &mSmiFeatures);
+ 
+   //
+-  // We want broadcast SMI and nothing else.
++  // We want broadcast SMI, SMI on CPU hotplug, and nothing else.
+   //
+-  mSmiFeatures &= ICH9_LPC_SMI_F_BROADCAST;
++  RequestedFeaturesMask = ICH9_LPC_SMI_F_BROADCAST;
++  if (!MemEncryptSevIsEnabled ()) {
++    //
++    // For now, we only support hotplug with SEV disabled.
++    //
++    RequestedFeaturesMask |= ICH9_LPC_SMI_F_CPU_HOTPLUG;
++  }
++  mSmiFeatures &= RequestedFeaturesMask;
+   QemuFwCfgSelectItem (mRequestedFeaturesItem);
+   QemuFwCfgWriteBytes (sizeof mSmiFeatures, &mSmiFeatures);
+ 
+@@ -144,6 +159,13 @@ NegotiateSmiFeatures (
+     DEBUG ((DEBUG_INFO, "%a: using SMI broadcast\n", __FUNCTION__));
+   }
+ 
++  if ((mSmiFeatures & ICH9_LPC_SMI_F_CPU_HOTPLUG) == 0) {
++    DEBUG ((DEBUG_INFO, "%a: CPU hotplug not negotiated\n", __FUNCTION__));
++  } else {
++    DEBUG ((DEBUG_INFO, "%a: CPU hotplug with SMI negotiated\n",
++      __FUNCTION__));
++  }
++
+   //
+   // Negotiation successful (although we may not have gotten the optimal
+   // feature set).
+diff --git a/OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf b/OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf
+index 3abed141e6..b8fdea8deb 100644
+--- a/OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf
++++ b/OvmfPkg/SmmControl2Dxe/SmmControl2Dxe.inf
+@@ -46,6 +46,7 @@
+   BaseLib
+   DebugLib
+   IoLib
++  MemEncryptSevLib
+   MemoryAllocationLib
+   PcdLib
+   PciLib
+-- 
+2.27.0
+
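Review bot: The new `if (!MemEncryptSevIsEnabled ())` branch in NegotiateSmiFeatures() requests ICH9_LPC_SMI_F_CPU_HOTPLUG whenever QEMU offers it, and nothing visible in this patch ties that request to OvmfPkg/CpuHotplugSmm being present in the firmware image. Per the table in the commit message, once the bit is set QEMU permits hotplug and expects the firmware to handle the event. If the two modules can be built independently (not determinable from these hunks), a hot-added CPU would then go unhandled. I would state the dependency and the SEV reason in the comment, e.g. `// Requires OvmfPkg/CpuHotplugSmm in the same build; that driver can't deal with SEV yet.`. NegotiateSmiFeatures() starts and ends outside the hunks shown.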
diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec
index b64298f..3231b35 100644
--- a/SPECS/edk2.spec
+++ b/SPECS/edk2.spec
@@ -3,11 +3,11 @@ ExclusiveArch: x86_64 aarch64
 %define GITDATE        20200602
 %define GITCOMMIT      ca407c7246bf
 %define TOOLCHAIN      GCC5
-%define OPENSSL_VER    1.1.1c
+%define OPENSSL_VER    1.1.1g
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    3%{?dist}
+Release:    4%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 Group:      Applications/Emulators
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
@@ -19,7 +19,7 @@ URL:        http://www.tianocore.org
 # | xz -9ev >/tmp/edk2-$COMMIT.tar.xz
 Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz
 Source1: ovmf-whitepaper-c770f8c.txt
-Source2: openssl-rhel-d6c0e6e28ddc793474a3f9234eed50018f6c94ba.tar.xz
+Source2: openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz
 Source3: ovmf-vars-generator
 Source4: LICENSE.qosb
 Source5: RedHatSecureBootPkKek1.pem
@@ -58,6 +58,14 @@ Patch29: edk2-OvmfPkg-GenericQemuLoadImageLib-log-Not-Found-at-INF.patch
 Patch30: edk2-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
 # For bz#1861718 - Very slow boot when overcommitting CPU
 Patch31: edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch
+# For bz#1849177 - OVMF: negotiate "SMI on VCPU hotplug" with QEMU
+Patch32: edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch
+# For bz#1849177 - OVMF: negotiate "SMI on VCPU hotplug" with QEMU
+Patch33: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch
+# For bz#1849177 - OVMF: negotiate "SMI on VCPU hotplug" with QEMU
+Patch34: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch
+# For bz#1893806 - attempt advancing RHEL8 edk2's OpenSSL submodule to RHEL8 OpenSSL 1.1.1g (or later)
+Patch35: edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch
 
 
 # python3-devel and libuuid-devel are required for building tools.
@@ -507,6 +515,17 @@ true
 %endif
 
 %changelog
+* Mon Nov 23 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-4.el8
+- edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch [bz#1849177]
+- edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch [bz#1849177]
+- edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch [bz#1849177]
+- edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch [bz#1893806]
+- edk2-redhat-bump-OpenSSL-dist-git-submodule-to-1.1.1g-RHE.patch [bz#1893806]
+- Resolves: bz#1849177
+  (OVMF: negotiate "SMI on VCPU hotplug" with QEMU)
+- Resolves: bz#1893806
+  (attempt advancing RHEL8 edk2's OpenSSL submodule to RHEL8 OpenSSL 1.1.1g (or later))
+
 * Mon Aug 10 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-3.el8
 - edk2-UefiCpuPkg-PiSmmCpuDxeSmm-pause-in-WaitForSemaphore-.patch [bz#1861718]
 - Resolves: bz#1861718