diff --git a/.edk2.metadata b/.edk2.metadata
new file mode 100644
index 0000000..abc14ec
--- /dev/null
+++ b/.edk2.metadata
@@ -0,0 +1,2 @@
+b44cc7e0fda9dd4121d935975520b7cbd26ee4d0 SOURCES/edk2-ee3198e672e2.tar.xz
+906190b6a6a794da4c1ccb7fc1c05bf97ddde77a SOURCES/openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz
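Review bot: both source tarballs in .edk2.metadata are pinned by 40-hex-character digests, which is the length of a SHA-1 digest. SHA-1 is no longer collision resistant, so the edk2 and openssl-fedora archives should be pinned with SHA-256 or stronger if the lookaside tooling accepts it.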
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..21c5827
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/edk2-ee3198e672e2.tar.xz
+SOURCES/openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz
diff --git a/SOURCES/0003-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch b/SOURCES/0003-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
new file mode 100644
index 0000000..d9d971b
--- /dev/null
+++ b/SOURCES/0003-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
@@ -0,0 +1,608 @@
+From 8e8ea8811e269cdb31103c70fcd91d2dcfb1755d Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 11 Jun 2014 23:33:33 +0200
+Subject: advertise OpenSSL on TianoCore splash screen / boot logo (RHEL only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- Adapted to upstream 25184ec33c36 ("MdeModulePkg/Logo.idf: Remove
+  incorrect comments.", 2018-02-28)
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- After picking previous downstream-only commit 32192c62e289, carry new
+  upstream commit e01e9ae28250 ("MdeModulePkg/LogoDxe: Add missing
+  dependency gEfiHiiImageExProtocolGuid", 2017-03-16) over to
+  "LogoOpenSSLDxe.inf".
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- For more fun, upstream completely changed the way logo bitmaps are
+  embedded in the firmware binary (see for example commit ab970515d2c6,
+  "OvmfPkg: Use the new LogoDxe driver", 2016-09-26). Therefore in this
+  rebase, we reimplement the previous downstream-only commit e775fb20c999,
+  as described below.
+
+- Beyond the new bitmap file (which we preserve intact from the last
+  downstream branch), we introduce:
+
+  - a new IDF (image description file) referencing the new BMP,
+
+  - a new driver INF file, referencing the new BMP and new IDF (same C
+    source code though),
+
+  - a new UNI (~description) file for the new driver INF file.
+
+- In the OVMF DSC and FDF files, we select the new driver INF for
+  inclusion if either SECURE_BOOT_ENABLE or TLS_ENABLE is set, as they
+  both make use of OpenSSL (although different subsets of it).
+
+- In the AAVMF DSC and FDF files, we only look at SECURE_BOOT_ENABLE,
+  because the ArmVirtQemu platform does not support TLS_ENABLE yet.
+
+- This patch is best displayed with "git show --find-copies-harder".
+
+Notes about the d7c0dfa -> 90bb4c5 rebase:
+
+- squash in the following downstream-only commits (made originally for
+  <https://bugzilla.redhat.com/show_bug.cgi?id=1308678>):
+
+  - eef9eb0 restore TianoCore splash logo without OpenSSL advertisment
+            (RHEL only)
+
+  - 25842f0 OvmfPkg, ArmVirtPkg: show OpenSSL-less logo without Secure
+            Boot (RH only)
+
+  The reason is that ideas keep changing when and where to include the
+  Secure Boot feature, so the logo must be controllable directly on the
+  build command line, from the RPM spec file. See the following
+  references:
+
+  - https://post-office.corp.redhat.com/mailman/private/virt-devel/2016-March/msg00253.html
+  - https://post-office.corp.redhat.com/mailman/private/virt-devel/2016-April/msg00118.html
+  - https://bugzilla.redhat.com/show_bug.cgi?id=1323363
+
+- This squashed variant should remain the final version of this patch.
+
+Notes about the c9e5618 -> b9ffeab rebase:
+- AAVMF gained Secure Boot support, therefore the logo is again modified
+  in the common location, and no FDF changes are necessary.
+
+Notes about the 9ece15a -> c9e5618 rebase:
+- Logo.bmp is no longer modified in-place; instead a modified copy is
+  created. That's because AAVMF includes the logo too, but it doesn't
+  include OpenSSL / Secure Boot, so we need the original copy too.
+
+Because we may include the OpenSSL library in our OVMF and AAVMF builds
+now, we should advertise it as required by its license. This patch takes
+the original TianoCore logo, shifts it up by 20 pixels, and adds the
+horizontally centered message
+
+  This product includes software developed by the OpenSSL Project
+  for use in the OpenSSL Toolkit (http://www.openssl.org/)
+
+below.
+
+Logo-OpenSSL.bmp: PC bitmap, Windows 3.x format, 469 x 111 x 24
+Logo.bmp:         PC bitmap, Windows 3.x format, 193 x 58 x 8
+
+Downstream only because upstream edk2 does not intend to release a
+secure-boot-enabled OVMF build. (However the advertising requirement in
+the OpenSSL license,
+"CryptoPkg/Library/OpensslLib/openssl-1.0.2*/LICENSE", has been discussed
+nonetheless, which is why I'm changing the logo.)
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 32192c62e289f261f5ce74acee48e5a94561f10b)
+(cherry picked from commit 33a710cd613c2ca7d534b8401e2f9f2178af05be)
+(cherry picked from commit 0b2d90347cb016cc71c2de62e941a2a4ab0f35a3)
+---
+ ArmVirtPkg/ArmVirtQemu.dsc           |   4 +++
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc |   4 +++
+ ArmVirtPkg/ArmVirtQemuKernel.dsc     |   4 +++
+ MdeModulePkg/Logo/Logo-OpenSSL.bmp   | Bin 0 -> 156342 bytes
+ MdeModulePkg/Logo/Logo-OpenSSL.idf   |  15 +++++++++
+ MdeModulePkg/Logo/LogoOpenSSLDxe.inf |  61 +++++++++++++++++++++++++++++++++++
+ MdeModulePkg/Logo/LogoOpenSSLDxe.uni |  22 +++++++++++++
+ OvmfPkg/OvmfPkgIa32.dsc              |   4 +++
+ OvmfPkg/OvmfPkgIa32.fdf              |   4 +++
+ OvmfPkg/OvmfPkgIa32X64.dsc           |   4 +++
+ OvmfPkg/OvmfPkgIa32X64.fdf           |   4 +++
+ OvmfPkg/OvmfPkgX64.dsc               |   4 +++
+ OvmfPkg/OvmfPkgX64.fdf               |   4 +++
+ 13 files changed, 134 insertions(+)
+ create mode 100644 MdeModulePkg/Logo/Logo-OpenSSL.bmp
+ create mode 100644 MdeModulePkg/Logo/Logo-OpenSSL.idf
+ create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ create mode 100644 MdeModulePkg/Logo/LogoOpenSSLDxe.uni
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index d74feb7..7331597 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -329,7 +329,11 @@
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
+   MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
++!if $(SECURE_BOOT_ENABLE) == TRUE
++  MdeModulePkg/Logo/LogoOpenSSLDxe.inf
++!else
+   MdeModulePkg/Logo/LogoDxe.inf
++!endif
+   MdeModulePkg/Application/UiApp/UiApp.inf {
+     <LibraryClasses>
+       NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
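Review bot: the `!if` added in front of LogoDxe.inf tests only SECURE_BOOT_ENABLE, while the OvmfPkg hunks of this same patch also test TLS_ENABLE. The commit message explains that ArmVirtQemu does not support TLS_ENABLE yet, but nothing in the DSC records that. A comment beside the `!if` saying the condition must be extended once TLS support arrives would keep an OpenSSL-linked AAVMF build from shipping the logo without the attribution text.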
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 89f95b2..8941b7f 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -191,7 +191,11 @@ READ_LOCK_STATUS   = TRUE
+   #
+   # TianoCore logo (splash screen)
+   #
++!if $(SECURE_BOOT_ENABLE) == TRUE
++  INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
++!else
+   INF MdeModulePkg/Logo/LogoDxe.inf
++!endif
+ 
+   #
+   # Ramdisk support
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index 1e823ae..1981aae 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -318,7 +318,11 @@
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
+   MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
++!if $(SECURE_BOOT_ENABLE) == TRUE
++  MdeModulePkg/Logo/LogoOpenSSLDxe.inf
++!else
+   MdeModulePkg/Logo/LogoDxe.inf
++!endif
+   MdeModulePkg/Application/UiApp/UiApp.inf {
+     <LibraryClasses>
+       NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
+diff --git a/MdeModulePkg/Logo/Logo-OpenSSL.bmp b/MdeModulePkg/Logo/Logo-OpenSSL.bmp
+new file mode 100644
+index 0000000000000000000000000000000000000000..4af5740232ce484a939a5852604e35711ea88a29
+GIT binary patch
+literal 156342
+
+literal 0
+HcmV?d00001
+
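Review bot: Logo-OpenSSL.bmp arrives as a binary literal that cannot be inspected in review, so only indirect checks are available. The literal size of 156342 bytes equals a 54-byte BMP header plus 111 rows of 1408 bytes (469 pixels at 3 bytes each, padded to a 4-byte boundary), which agrees with the 469 x 111 x 24 figure in the commit message. Since the message says the bitmap is preserved intact from the last downstream branch, compare the blob id on the index line against that branch at each rebase.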
+diff --git a/MdeModulePkg/Logo/Logo-OpenSSL.idf b/MdeModulePkg/Logo/Logo-OpenSSL.idf
+new file mode 100644
+index 0000000..a80de29
+--- /dev/null
++++ b/MdeModulePkg/Logo/Logo-OpenSSL.idf
+@@ -0,0 +1,15 @@
++// /** @file
++// Platform Logo image definition file.
++//
++// Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
++//
++// This program and the accompanying materials
++// are licensed and made available under the terms and conditions of the BSD License
++// which accompanies this distribution. The full text of the license may be found at
++// http://opensource.org/licenses/bsd-license.php
++// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
++//
++// **/
++
++#image IMG_LOGO Logo-OpenSSL.bmp
+diff --git a/MdeModulePkg/Logo/LogoOpenSSLDxe.inf b/MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+new file mode 100644
+index 0000000..2f79d87
+--- /dev/null
++++ b/MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+@@ -0,0 +1,61 @@
++## @file
++#  The default logo bitmap picture shown on setup screen.
++#
++#  Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
++#
++#  This program and the accompanying materials
++#  are licensed and made available under the terms and conditions of the BSD License
++#  which accompanies this distribution. The full text of the license may be found at
++#  http://opensource.org/licenses/bsd-license.php
++#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
++#
++#
++##
++
++[Defines]
++  INF_VERSION                    = 0x00010005
++  BASE_NAME                      = LogoOpenSSLDxe
++  MODULE_UNI_FILE                = LogoOpenSSLDxe.uni
++  FILE_GUID                      = 9CAE7B89-D48D-4D68-BBC4-4C0F1D48CDFF
++  MODULE_TYPE                    = DXE_DRIVER
++  VERSION_STRING                 = 1.0
++
++  ENTRY_POINT                    = InitializeLogo
++#
++#  This flag specifies whether HII resource section is generated into PE image.
++#
++  UEFI_HII_RESOURCE_SECTION      = TRUE
++
++#
++# The following information is for reference only and not required by the build tools.
++#
++#  VALID_ARCHITECTURES           = IA32 X64
++#
++
++[Sources]
++  Logo-OpenSSL.bmp
++  Logo.c
++  Logo-OpenSSL.idf
++
++[Packages]
++  MdeModulePkg/MdeModulePkg.dec
++  MdePkg/MdePkg.dec
++
++[LibraryClasses]
++  UefiBootServicesTableLib
++  UefiDriverEntryPoint
++  DebugLib
++
++[Protocols]
++  gEfiHiiDatabaseProtocolGuid        ## CONSUMES
++  gEfiHiiImageExProtocolGuid         ## CONSUMES
++  gEfiHiiPackageListProtocolGuid     ## PRODUCES CONSUMES
++  gEdkiiPlatformLogoProtocolGuid     ## PRODUCES
++
++[Depex]
++  gEfiHiiDatabaseProtocolGuid AND
++  gEfiHiiImageExProtocolGuid
++
++[UserExtensions.TianoCore."ExtraFiles"]
++  LogoDxeExtra.uni
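Review bot: the reference comment `VALID_ARCHITECTURES = IA32 X64` in [Defines] does not match how this module is used, because the same patch adds LogoOpenSSLDxe.inf to ArmVirtQemu.dsc and ArmVirtQemuKernel.dsc. The build tools ignore that line, but it should either list the ARM architectures as well or be dropped. The `@file` line also still says "The default logo bitmap picture" although [Sources] lists Logo-OpenSSL.bmp; it should mention the OpenSSL variant, as LogoOpenSSLDxe.uni does.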
+diff --git a/MdeModulePkg/Logo/LogoOpenSSLDxe.uni b/MdeModulePkg/Logo/LogoOpenSSLDxe.uni
+new file mode 100644
+index 0000000..7227ac3
+--- /dev/null
++++ b/MdeModulePkg/Logo/LogoOpenSSLDxe.uni
+@@ -0,0 +1,22 @@
++// /** @file
++// The logo bitmap picture (with OpenSSL advertisment) shown on setup screen.
++//
++// This module provides the logo bitmap picture (with OpenSSL advertisment)
++// shown on setup screen, through EDKII Platform Logo protocol.
++//
++// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
++//
++// This program and the accompanying materials
++// are licensed and made available under the terms and conditions of the BSD License
++// which accompanies this distribution. The full text of the license may be found at
++// http://opensource.org/licenses/bsd-license.php
++// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
++//
++// **/
++
++
++#string STR_MODULE_ABSTRACT             #language en-US "Provides the logo bitmap picture (with OpenSSL advertisment) shown on setup screen."
++
++#string STR_MODULE_DESCRIPTION          #language en-US "This module provides the logo bitmap picture (with OpenSSL advertisment) shown on setup screen, through EDKII Platform Logo protocol."
++
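Review bot: "advertisment" is misspelled in both STR_MODULE_ABSTRACT and STR_MODULE_DESCRIPTION, and in the two header comment lines above them. These strings are the module's published description, so they should read "advertisement".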
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 2d6c4c4..a5bb2b0 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -687,7 +687,11 @@
+       NULL|IntelFrameworkModulePkg/Library/LegacyBootManagerLib/LegacyBootManagerLib.inf
+ !endif
+   }
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
++  MdeModulePkg/Logo/LogoOpenSSLDxe.inf
++!else
+   MdeModulePkg/Logo/LogoDxe.inf
++!endif
+   MdeModulePkg/Application/UiApp/UiApp.inf {
+     <LibraryClasses>
+       NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
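Review bot: the condition `($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)` is typed out here and again in each of the other five OvmfPkg DSC and FDF hunks, so a later feature that pulls in OpenSSL has to be added in six places and a DSC can drift from its FDF. Consider deriving one macro from the two flags in a single place and testing that macro in every file.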
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 0427ded..f552bc9 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -295,7 +295,11 @@ INF  ShellPkg/Application/Shell/Shell.inf
+ INF  RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
+ !endif
+ 
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
++INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
++!else
+ INF MdeModulePkg/Logo/LogoDxe.inf
++!endif
+ 
+ #
+ # Network modules
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 43158c5..be8fee9 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -696,7 +696,11 @@
+       NULL|IntelFrameworkModulePkg/Library/LegacyBootManagerLib/LegacyBootManagerLib.inf
+ !endif
+   }
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
++  MdeModulePkg/Logo/LogoOpenSSLDxe.inf
++!else
+   MdeModulePkg/Logo/LogoDxe.inf
++!endif
+   MdeModulePkg/Application/UiApp/UiApp.inf {
+     <LibraryClasses>
+       NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 6df47f4..ee77ae1 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -296,7 +296,11 @@ INF  ShellPkg/Application/Shell/Shell.inf
+ INF  RuleOverride = BINARY USE = X64 EdkShellBinPkg/FullShell/FullShell.inf
+ !endif
+ 
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
++INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
++!else
+ INF MdeModulePkg/Logo/LogoDxe.inf
++!endif
+ 
+ #
+ # Network modules
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index d1fdf7c..e224b0e 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -694,7 +694,11 @@
+       NULL|IntelFrameworkModulePkg/Library/LegacyBootManagerLib/LegacyBootManagerLib.inf
+ !endif
+   }
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
++  MdeModulePkg/Logo/LogoOpenSSLDxe.inf
++!else
+   MdeModulePkg/Logo/LogoDxe.inf
++!endif
+   MdeModulePkg/Application/UiApp/UiApp.inf {
+     <LibraryClasses>
+       NULL|MdeModulePkg/Library/DeviceManagerUiLib/DeviceManagerUiLib.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 2e2a174..505d25d 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -296,7 +296,11 @@ INF  ShellPkg/Application/Shell/Shell.inf
+ INF  RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
+ !endif
+ 
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
++INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
++!else
+ INF MdeModulePkg/Logo/LogoDxe.inf
++!endif
+ 
+ #
+ # Network modules
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0004-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch b/SOURCES/0004-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
new file mode 100644
index 0000000..3b642b2
--- /dev/null
+++ b/SOURCES/0004-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
@@ -0,0 +1,56 @@
+From 22c9b4e971c70c69b4adf8eb93133824ccb6426a Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Thu, 20 Feb 2014 22:54:45 +0100
+Subject: OvmfPkg: increase max debug message length to 512 (RHEL only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Upstream prefers short debug messages (sometimes even limited to 80
+characters), but any line length under 512 characters is just unsuitable
+for effective debugging. (For example, config strings in HII routing,
+logged by the platform driver "OvmfPkg/PlatformDxe" on DEBUG_VERBOSE
+level, can be several hundred characters long.) 512 is an empirically good
+value.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit bfe568d18dba15602604f155982e3b73add63dfb)
+(cherry picked from commit 29435a32ec9428720c74c454ce9817662e601fb6)
+(cherry picked from commit 58e1d1ebb78bfdaf05f4c6e8abf8d4908dfa038a)
+(cherry picked from commit 1df2c822c996ad767f2f45570ab2686458f7604a)
+---
+ OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
+index 36cde54..c0c4eae 100644
+--- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
+@@ -27,7 +27,7 @@
+ //
+ // Define the maximum debug and assert message length that this library supports
+ //
+-#define MAX_DEBUG_MESSAGE_LENGTH  0x100
++#define MAX_DEBUG_MESSAGE_LENGTH  0x200
+ 
+ /**
+   Prints a debug message to the debug output device if the specified error level is enabled.
+-- 
+1.8.3.1
+
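Review bot: The new `#define MAX_DEBUG_MESSAGE_LENGTH  0x200` doubles a limit whose cost is not shown in this hunk. Wherever DebugLib.c uses the macro to size a local buffer, each debug or assert call needs 256 more bytes of stack, which matters if this library instance is linked into early-boot modules with a small stack, so the commit message should say which module types were checked. It should also state whether the 512 includes the terminating NUL, since the subject promises a message length of 512 while the comment above the define only says "maximum debug and assert message length".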
diff --git a/SOURCES/0005-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch b/SOURCES/0005-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
new file mode 100644
index 0000000..8b95726
--- /dev/null
+++ b/SOURCES/0005-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
@@ -0,0 +1,562 @@
+From 4dd1cc745bc9a8c8b32b5810b40743fed1e36d7e Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Thu, 12 Jun 2014 00:17:59 +0200
+Subject: OvmfPkg: QemuVideoDxe: enable debug messages in VbeShim (RHEL only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- update commit message as requested in
+  <https://bugzilla.redhat.com/show_bug.cgi?id=1503316#c0>
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+The Int10h VBE Shim is capable of emitting short debug messages when the
+win2k8r2 UEFI guest uses (emulates) the Video BIOS. In upstream the quiet
+version is preferred; for us debug messages are important as a default.
+
+For this patch, the DEBUG macro is enabled in the assembly file, and then
+the header file is regenerated from the assembly, by running
+"OvmfPkg/QemuVideoDxe/VbeShim.sh".
+
+"VbeShim.h" is not auto-generated; it is manually generated. The patch
+does not add "VbeShim.h", it just updates both "VbeShim.asm" and (the
+manually re-generated) "VbeShim.h" atomically. Doing so helps with local
+downstream builds, with bisection, and also keeps redhat/README a bit
+simpler.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit ccda46526bb2e573d9b54f0db75d27e442b4566f)
+(cherry picked from commit ed45b26dbeadd63dd8f2edf627290957d8bbb3b2)
+(cherry picked from commit 9a8a034ebc082f86fdbb54dc1303a5059508e14c)
+(cherry picked from commit 7046d6040181bb0f76a5ebd680e0dc701c895dba)
+---
+ OvmfPkg/QemuVideoDxe/VbeShim.asm |   2 +-
+ OvmfPkg/QemuVideoDxe/VbeShim.h   | 481 +++++++++++++++++++++++++--------------
+ 2 files changed, 308 insertions(+), 175 deletions(-)
+
+diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.asm b/OvmfPkg/QemuVideoDxe/VbeShim.asm
+index 18fa920..f87ed5c 100644
+--- a/OvmfPkg/QemuVideoDxe/VbeShim.asm
++++ b/OvmfPkg/QemuVideoDxe/VbeShim.asm
+@@ -18,7 +18,7 @@
+ ;------------------------------------------------------------------------------
+ 
+ ; enable this macro for debug messages
+-;%define DEBUG
++%define DEBUG
+ 
+ %macro DebugLog 1
+ %ifdef DEBUG
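Review bot: Uncommenting `%define DEBUG` makes the debug variant the only build of the shim, and nothing in the change ties the hand-regenerated `VbeShim.h` to this `.asm` edit beyond the commit message's statement that "OvmfPkg/QemuVideoDxe/VbeShim.sh" was run. A reviewer cannot confirm from the diff that the byte array matches the source, so record the assembler version used, or add a check that reruns `VbeShim.sh` and fails when its output differs from the committed header. Also confirm that the larger blob still fits wherever `mVbeShim` is installed: in the header diff that follows, the removed lines stop at offset 0x353 while the added lines already run past 0x453.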
+diff --git a/OvmfPkg/QemuVideoDxe/VbeShim.h b/OvmfPkg/QemuVideoDxe/VbeShim.h
+index cc9b6e1..325d647 100644
+--- a/OvmfPkg/QemuVideoDxe/VbeShim.h
++++ b/OvmfPkg/QemuVideoDxe/VbeShim.h
+@@ -517,185 +517,318 @@ STATIC CONST UINT8 mVbeShim[] = {
+   /* 000001FE nop                            */  0x90,
+   /* 000001FF nop                            */  0x90,
+   /* 00000200 cmp ax,0x4f00                  */  0x3D, 0x00, 0x4F,
+-  /* 00000203 jz 0x22d                       */  0x74, 0x28,
++  /* 00000203 jz 0x235                       */  0x74, 0x30,
+   /* 00000205 cmp ax,0x4f01                  */  0x3D, 0x01, 0x4F,
+-  /* 00000208 jz 0x245                       */  0x74, 0x3B,
++  /* 00000208 jz 0x255                       */  0x74, 0x4B,
+   /* 0000020A cmp ax,0x4f02                  */  0x3D, 0x02, 0x4F,
+-  /* 0000020D jz 0x269                       */  0x74, 0x5A,
++  /* 0000020D jz 0x289                       */  0x74, 0x7A,
+   /* 0000020F cmp ax,0x4f03                  */  0x3D, 0x03, 0x4F,
+-  /* 00000212 jz word 0x331                  */  0x0F, 0x84, 0x1B, 0x01,
++  /* 00000212 jz word 0x361                  */  0x0F, 0x84, 0x4B, 0x01,
+   /* 00000216 cmp ax,0x4f10                  */  0x3D, 0x10, 0x4F,
+-  /* 00000219 jz word 0x336                  */  0x0F, 0x84, 0x19, 0x01,
++  /* 00000219 jz word 0x36e                  */  0x0F, 0x84, 0x51, 0x01,
+   /* 0000021D cmp ax,0x4f15                  */  0x3D, 0x15, 0x4F,
+-  /* 00000220 jz word 0x338                  */  0x0F, 0x84, 0x14, 0x01,
++  /* 00000220 jz word 0x378                  */  0x0F, 0x84, 0x54, 0x01,
+   /* 00000224 cmp ah,0x0                     */  0x80, 0xFC, 0x00,
+-  /* 00000227 jz word 0x33a                  */  0x0F, 0x84, 0x0F, 0x01,
+-  /* 0000022B jmp short 0x22b                */  0xEB, 0xFE,
+-  /* 0000022D push es                        */  0x06,
+-  /* 0000022E push di                        */  0x57,
+-  /* 0000022F push ds                        */  0x1E,
+-  /* 00000230 push si                        */  0x56,
+-  /* 00000231 push cx                        */  0x51,
+-  /* 00000232 push cs                        */  0x0E,
+-  /* 00000233 pop ds                         */  0x1F,
+-  /* 00000234 mov si,0x0                     */  0xBE, 0x00, 0x00,
+-  /* 00000237 mov cx,0x100                   */  0xB9, 0x00, 0x01,
+-  /* 0000023A cld                            */  0xFC,
+-  /* 0000023B rep movsb                      */  0xF3, 0xA4,
+-  /* 0000023D pop cx                         */  0x59,
+-  /* 0000023E pop si                         */  0x5E,
+-  /* 0000023F pop ds                         */  0x1F,
+-  /* 00000240 pop di                         */  0x5F,
+-  /* 00000241 pop es                         */  0x07,
+-  /* 00000242 jmp word 0x34c                 */  0xE9, 0x07, 0x01,
+-  /* 00000245 push es                        */  0x06,
+-  /* 00000246 push di                        */  0x57,
+-  /* 00000247 push ds                        */  0x1E,
+-  /* 00000248 push si                        */  0x56,
+-  /* 00000249 push cx                        */  0x51,
+-  /* 0000024A and cx,0xbfff                  */  0x81, 0xE1, 0xFF, 0xBF,
+-  /* 0000024E cmp cx,0xf1                    */  0x81, 0xF9, 0xF1, 0x00,
+-  /* 00000252 jz 0x256                       */  0x74, 0x02,
+-  /* 00000254 jmp short 0x22b                */  0xEB, 0xD5,
+-  /* 00000256 push cs                        */  0x0E,
+-  /* 00000257 pop ds                         */  0x1F,
+-  /* 00000258 mov si,0x100                   */  0xBE, 0x00, 0x01,
+-  /* 0000025B mov cx,0x100                   */  0xB9, 0x00, 0x01,
+-  /* 0000025E cld                            */  0xFC,
+-  /* 0000025F rep movsb                      */  0xF3, 0xA4,
+-  /* 00000261 pop cx                         */  0x59,
+-  /* 00000262 pop si                         */  0x5E,
+-  /* 00000263 pop ds                         */  0x1F,
+-  /* 00000264 pop di                         */  0x5F,
+-  /* 00000265 pop es                         */  0x07,
+-  /* 00000266 jmp word 0x34c                 */  0xE9, 0xE3, 0x00,
+-  /* 00000269 push dx                        */  0x52,
+-  /* 0000026A push ax                        */  0x50,
+-  /* 0000026B cmp bx,0x40f1                  */  0x81, 0xFB, 0xF1, 0x40,
+-  /* 0000026F jz 0x273                       */  0x74, 0x02,
+-  /* 00000271 jmp short 0x22b                */  0xEB, 0xB8,
+-  /* 00000273 mov dx,0x3c0                   */  0xBA, 0xC0, 0x03,
+-  /* 00000276 mov al,0x20                    */  0xB0, 0x20,
+-  /* 00000278 out dx,al                      */  0xEE,
+-  /* 00000279 push dx                        */  0x52,
+-  /* 0000027A push ax                        */  0x50,
+-  /* 0000027B mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
+-  /* 0000027E mov ax,0x4                     */  0xB8, 0x04, 0x00,
+-  /* 00000281 out dx,ax                      */  0xEF,
+-  /* 00000282 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
+-  /* 00000285 mov ax,0x0                     */  0xB8, 0x00, 0x00,
+-  /* 00000288 out dx,ax                      */  0xEF,
+-  /* 00000289 pop ax                         */  0x58,
+-  /* 0000028A pop dx                         */  0x5A,
+-  /* 0000028B push dx                        */  0x52,
+-  /* 0000028C push ax                        */  0x50,
+-  /* 0000028D mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
+-  /* 00000290 mov ax,0x5                     */  0xB8, 0x05, 0x00,
+-  /* 00000293 out dx,ax                      */  0xEF,
+-  /* 00000294 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
+-  /* 00000297 mov ax,0x0                     */  0xB8, 0x00, 0x00,
+-  /* 0000029A out dx,ax                      */  0xEF,
+-  /* 0000029B pop ax                         */  0x58,
+-  /* 0000029C pop dx                         */  0x5A,
+-  /* 0000029D push dx                        */  0x52,
+-  /* 0000029E push ax                        */  0x50,
+-  /* 0000029F mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
+-  /* 000002A2 mov ax,0x8                     */  0xB8, 0x08, 0x00,
+-  /* 000002A5 out dx,ax                      */  0xEF,
+-  /* 000002A6 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
+-  /* 000002A9 mov ax,0x0                     */  0xB8, 0x00, 0x00,
+-  /* 000002AC out dx,ax                      */  0xEF,
+-  /* 000002AD pop ax                         */  0x58,
+-  /* 000002AE pop dx                         */  0x5A,
+-  /* 000002AF push dx                        */  0x52,
+-  /* 000002B0 push ax                        */  0x50,
+-  /* 000002B1 mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
+-  /* 000002B4 mov ax,0x9                     */  0xB8, 0x09, 0x00,
+-  /* 000002B7 out dx,ax                      */  0xEF,
+-  /* 000002B8 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
+-  /* 000002BB mov ax,0x0                     */  0xB8, 0x00, 0x00,
+-  /* 000002BE out dx,ax                      */  0xEF,
+-  /* 000002BF pop ax                         */  0x58,
+-  /* 000002C0 pop dx                         */  0x5A,
+-  /* 000002C1 push dx                        */  0x52,
+-  /* 000002C2 push ax                        */  0x50,
+-  /* 000002C3 mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
+-  /* 000002C6 mov ax,0x3                     */  0xB8, 0x03, 0x00,
+-  /* 000002C9 out dx,ax                      */  0xEF,
+-  /* 000002CA mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
+-  /* 000002CD mov ax,0x20                    */  0xB8, 0x20, 0x00,
+-  /* 000002D0 out dx,ax                      */  0xEF,
+-  /* 000002D1 pop ax                         */  0x58,
+-  /* 000002D2 pop dx                         */  0x5A,
+-  /* 000002D3 push dx                        */  0x52,
+-  /* 000002D4 push ax                        */  0x50,
+-  /* 000002D5 mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
+-  /* 000002D8 mov ax,0x1                     */  0xB8, 0x01, 0x00,
+-  /* 000002DB out dx,ax                      */  0xEF,
+-  /* 000002DC mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
+-  /* 000002DF mov ax,0x400                   */  0xB8, 0x00, 0x04,
+-  /* 000002E2 out dx,ax                      */  0xEF,
+-  /* 000002E3 pop ax                         */  0x58,
+-  /* 000002E4 pop dx                         */  0x5A,
+-  /* 000002E5 push dx                        */  0x52,
+-  /* 000002E6 push ax                        */  0x50,
+-  /* 000002E7 mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
+-  /* 000002EA mov ax,0x6                     */  0xB8, 0x06, 0x00,
+-  /* 000002ED out dx,ax                      */  0xEF,
+-  /* 000002EE mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
+-  /* 000002F1 mov ax,0x400                   */  0xB8, 0x00, 0x04,
+-  /* 000002F4 out dx,ax                      */  0xEF,
+-  /* 000002F5 pop ax                         */  0x58,
+-  /* 000002F6 pop dx                         */  0x5A,
+-  /* 000002F7 push dx                        */  0x52,
+-  /* 000002F8 push ax                        */  0x50,
+-  /* 000002F9 mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
+-  /* 000002FC mov ax,0x2                     */  0xB8, 0x02, 0x00,
+-  /* 000002FF out dx,ax                      */  0xEF,
+-  /* 00000300 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
+-  /* 00000303 mov ax,0x300                   */  0xB8, 0x00, 0x03,
+-  /* 00000306 out dx,ax                      */  0xEF,
+-  /* 00000307 pop ax                         */  0x58,
+-  /* 00000308 pop dx                         */  0x5A,
+-  /* 00000309 push dx                        */  0x52,
+-  /* 0000030A push ax                        */  0x50,
+-  /* 0000030B mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
+-  /* 0000030E mov ax,0x7                     */  0xB8, 0x07, 0x00,
+-  /* 00000311 out dx,ax                      */  0xEF,
+-  /* 00000312 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
+-  /* 00000315 mov ax,0x300                   */  0xB8, 0x00, 0x03,
+-  /* 00000318 out dx,ax                      */  0xEF,
+-  /* 00000319 pop ax                         */  0x58,
+-  /* 0000031A pop dx                         */  0x5A,
+-  /* 0000031B push dx                        */  0x52,
+-  /* 0000031C push ax                        */  0x50,
+-  /* 0000031D mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
+-  /* 00000320 mov ax,0x4                     */  0xB8, 0x04, 0x00,
+-  /* 00000323 out dx,ax                      */  0xEF,
+-  /* 00000324 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
+-  /* 00000327 mov ax,0x41                    */  0xB8, 0x41, 0x00,
+-  /* 0000032A out dx,ax                      */  0xEF,
+-  /* 0000032B pop ax                         */  0x58,
+-  /* 0000032C pop dx                         */  0x5A,
+-  /* 0000032D pop ax                         */  0x58,
+-  /* 0000032E pop dx                         */  0x5A,
+-  /* 0000032F jmp short 0x34c                */  0xEB, 0x1B,
+-  /* 00000331 mov bx,0x40f1                  */  0xBB, 0xF1, 0x40,
+-  /* 00000334 jmp short 0x34c                */  0xEB, 0x16,
+-  /* 00000336 jmp short 0x350                */  0xEB, 0x18,
+-  /* 00000338 jmp short 0x350                */  0xEB, 0x16,
+-  /* 0000033A cmp al,0x3                     */  0x3C, 0x03,
+-  /* 0000033C jz 0x345                       */  0x74, 0x07,
+-  /* 0000033E cmp al,0x12                    */  0x3C, 0x12,
+-  /* 00000340 jz 0x349                       */  0x74, 0x07,
+-  /* 00000342 jmp word 0x22b                 */  0xE9, 0xE6, 0xFE,
+-  /* 00000345 mov al,0x30                    */  0xB0, 0x30,
+-  /* 00000347 jmp short 0x34b                */  0xEB, 0x02,
+-  /* 00000349 mov al,0x20                    */  0xB0, 0x20,
+-  /* 0000034B iretw                          */  0xCF,
+-  /* 0000034C mov ax,0x4f                    */  0xB8, 0x4F, 0x00,
+-  /* 0000034F iretw                          */  0xCF,
+-  /* 00000350 mov ax,0x14f                   */  0xB8, 0x4F, 0x01,
+-  /* 00000353 iretw                          */  0xCF,
++  /* 00000227 jz word 0x382                  */  0x0F, 0x84, 0x57, 0x01,
++  /* 0000022B push si                        */  0x56,
++  /* 0000022C mov si,0x3e9                   */  0xBE, 0xE9, 0x03,
++  /* 0000022F call word 0x3c4                */  0xE8, 0x92, 0x01,
++  /* 00000232 pop si                         */  0x5E,
++  /* 00000233 jmp short 0x233                */  0xEB, 0xFE,
++  /* 00000235 push es                        */  0x06,
++  /* 00000236 push di                        */  0x57,
++  /* 00000237 push ds                        */  0x1E,
++  /* 00000238 push si                        */  0x56,
++  /* 00000239 push cx                        */  0x51,
++  /* 0000023A push si                        */  0x56,
++  /* 0000023B mov si,0x3fb                   */  0xBE, 0xFB, 0x03,
++  /* 0000023E call word 0x3c4                */  0xE8, 0x83, 0x01,
++  /* 00000241 pop si                         */  0x5E,
++  /* 00000242 push cs                        */  0x0E,
++  /* 00000243 pop ds                         */  0x1F,
++  /* 00000244 mov si,0x0                     */  0xBE, 0x00, 0x00,
++  /* 00000247 mov cx,0x100                   */  0xB9, 0x00, 0x01,
++  /* 0000024A cld                            */  0xFC,
++  /* 0000024B rep movsb                      */  0xF3, 0xA4,
++  /* 0000024D pop cx                         */  0x59,
++  /* 0000024E pop si                         */  0x5E,
++  /* 0000024F pop ds                         */  0x1F,
++  /* 00000250 pop di                         */  0x5F,
++  /* 00000251 pop es                         */  0x07,
++  /* 00000252 jmp word 0x3ac                 */  0xE9, 0x57, 0x01,
++  /* 00000255 push es                        */  0x06,
++  /* 00000256 push di                        */  0x57,
++  /* 00000257 push ds                        */  0x1E,
++  /* 00000258 push si                        */  0x56,
++  /* 00000259 push cx                        */  0x51,
++  /* 0000025A push si                        */  0x56,
++  /* 0000025B mov si,0x404                   */  0xBE, 0x04, 0x04,
++  /* 0000025E call word 0x3c4                */  0xE8, 0x63, 0x01,
++  /* 00000261 pop si                         */  0x5E,
++  /* 00000262 and cx,0xbfff                  */  0x81, 0xE1, 0xFF, 0xBF,
++  /* 00000266 cmp cx,0xf1                    */  0x81, 0xF9, 0xF1, 0x00,
++  /* 0000026A jz 0x276                       */  0x74, 0x0A,
++  /* 0000026C push si                        */  0x56,
++  /* 0000026D mov si,0x432                   */  0xBE, 0x32, 0x04,
++  /* 00000270 call word 0x3c4                */  0xE8, 0x51, 0x01,
++  /* 00000273 pop si                         */  0x5E,
++  /* 00000274 jmp short 0x233                */  0xEB, 0xBD,
++  /* 00000276 push cs                        */  0x0E,
++  /* 00000277 pop ds                         */  0x1F,
++  /* 00000278 mov si,0x100                   */  0xBE, 0x00, 0x01,
++  /* 0000027B mov cx,0x100                   */  0xB9, 0x00, 0x01,
++  /* 0000027E cld                            */  0xFC,
++  /* 0000027F rep movsb                      */  0xF3, 0xA4,
++  /* 00000281 pop cx                         */  0x59,
++  /* 00000282 pop si                         */  0x5E,
++  /* 00000283 pop ds                         */  0x1F,
++  /* 00000284 pop di                         */  0x5F,
++  /* 00000285 pop es                         */  0x07,
++  /* 00000286 jmp word 0x3ac                 */  0xE9, 0x23, 0x01,
++  /* 00000289 push dx                        */  0x52,
++  /* 0000028A push ax                        */  0x50,
++  /* 0000028B push si                        */  0x56,
++  /* 0000028C mov si,0x41a                   */  0xBE, 0x1A, 0x04,
++  /* 0000028F call word 0x3c4                */  0xE8, 0x32, 0x01,
++  /* 00000292 pop si                         */  0x5E,
++  /* 00000293 cmp bx,0x40f1                  */  0x81, 0xFB, 0xF1, 0x40,
++  /* 00000297 jz 0x2a3                       */  0x74, 0x0A,
++  /* 00000299 push si                        */  0x56,
++  /* 0000029A mov si,0x432                   */  0xBE, 0x32, 0x04,
++  /* 0000029D call word 0x3c4                */  0xE8, 0x24, 0x01,
++  /* 000002A0 pop si                         */  0x5E,
++  /* 000002A1 jmp short 0x233                */  0xEB, 0x90,
++  /* 000002A3 mov dx,0x3c0                   */  0xBA, 0xC0, 0x03,
++  /* 000002A6 mov al,0x20                    */  0xB0, 0x20,
++  /* 000002A8 out dx,al                      */  0xEE,
++  /* 000002A9 push dx                        */  0x52,
++  /* 000002AA push ax                        */  0x50,
++  /* 000002AB mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
++  /* 000002AE mov ax,0x4                     */  0xB8, 0x04, 0x00,
++  /* 000002B1 out dx,ax                      */  0xEF,
++  /* 000002B2 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
++  /* 000002B5 mov ax,0x0                     */  0xB8, 0x00, 0x00,
++  /* 000002B8 out dx,ax                      */  0xEF,
++  /* 000002B9 pop ax                         */  0x58,
++  /* 000002BA pop dx                         */  0x5A,
++  /* 000002BB push dx                        */  0x52,
++  /* 000002BC push ax                        */  0x50,
++  /* 000002BD mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
++  /* 000002C0 mov ax,0x5                     */  0xB8, 0x05, 0x00,
++  /* 000002C3 out dx,ax                      */  0xEF,
++  /* 000002C4 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
++  /* 000002C7 mov ax,0x0                     */  0xB8, 0x00, 0x00,
++  /* 000002CA out dx,ax                      */  0xEF,
++  /* 000002CB pop ax                         */  0x58,
++  /* 000002CC pop dx                         */  0x5A,
++  /* 000002CD push dx                        */  0x52,
++  /* 000002CE push ax                        */  0x50,
++  /* 000002CF mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
++  /* 000002D2 mov ax,0x8                     */  0xB8, 0x08, 0x00,
++  /* 000002D5 out dx,ax                      */  0xEF,
++  /* 000002D6 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
++  /* 000002D9 mov ax,0x0                     */  0xB8, 0x00, 0x00,
++  /* 000002DC out dx,ax                      */  0xEF,
++  /* 000002DD pop ax                         */  0x58,
++  /* 000002DE pop dx                         */  0x5A,
++  /* 000002DF push dx                        */  0x52,
++  /* 000002E0 push ax                        */  0x50,
++  /* 000002E1 mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
++  /* 000002E4 mov ax,0x9                     */  0xB8, 0x09, 0x00,
++  /* 000002E7 out dx,ax                      */  0xEF,
++  /* 000002E8 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
++  /* 000002EB mov ax,0x0                     */  0xB8, 0x00, 0x00,
++  /* 000002EE out dx,ax                      */  0xEF,
++  /* 000002EF pop ax                         */  0x58,
++  /* 000002F0 pop dx                         */  0x5A,
++  /* 000002F1 push dx                        */  0x52,
++  /* 000002F2 push ax                        */  0x50,
++  /* 000002F3 mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
++  /* 000002F6 mov ax,0x3                     */  0xB8, 0x03, 0x00,
++  /* 000002F9 out dx,ax                      */  0xEF,
++  /* 000002FA mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
++  /* 000002FD mov ax,0x20                    */  0xB8, 0x20, 0x00,
++  /* 00000300 out dx,ax                      */  0xEF,
++  /* 00000301 pop ax                         */  0x58,
++  /* 00000302 pop dx                         */  0x5A,
++  /* 00000303 push dx                        */  0x52,
++  /* 00000304 push ax                        */  0x50,
++  /* 00000305 mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
++  /* 00000308 mov ax,0x1                     */  0xB8, 0x01, 0x00,
++  /* 0000030B out dx,ax                      */  0xEF,
++  /* 0000030C mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
++  /* 0000030F mov ax,0x400                   */  0xB8, 0x00, 0x04,
++  /* 00000312 out dx,ax                      */  0xEF,
++  /* 00000313 pop ax                         */  0x58,
++  /* 00000314 pop dx                         */  0x5A,
++  /* 00000315 push dx                        */  0x52,
++  /* 00000316 push ax                        */  0x50,
++  /* 00000317 mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
++  /* 0000031A mov ax,0x6                     */  0xB8, 0x06, 0x00,
++  /* 0000031D out dx,ax                      */  0xEF,
++  /* 0000031E mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
++  /* 00000321 mov ax,0x400                   */  0xB8, 0x00, 0x04,
++  /* 00000324 out dx,ax                      */  0xEF,
++  /* 00000325 pop ax                         */  0x58,
++  /* 00000326 pop dx                         */  0x5A,
++  /* 00000327 push dx                        */  0x52,
++  /* 00000328 push ax                        */  0x50,
++  /* 00000329 mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
++  /* 0000032C mov ax,0x2                     */  0xB8, 0x02, 0x00,
++  /* 0000032F out dx,ax                      */  0xEF,
++  /* 00000330 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
++  /* 00000333 mov ax,0x300                   */  0xB8, 0x00, 0x03,
++  /* 00000336 out dx,ax                      */  0xEF,
++  /* 00000337 pop ax                         */  0x58,
++  /* 00000338 pop dx                         */  0x5A,
++  /* 00000339 push dx                        */  0x52,
++  /* 0000033A push ax                        */  0x50,
++  /* 0000033B mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
++  /* 0000033E mov ax,0x7                     */  0xB8, 0x07, 0x00,
++  /* 00000341 out dx,ax                      */  0xEF,
++  /* 00000342 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
++  /* 00000345 mov ax,0x300                   */  0xB8, 0x00, 0x03,
++  /* 00000348 out dx,ax                      */  0xEF,
++  /* 00000349 pop ax                         */  0x58,
++  /* 0000034A pop dx                         */  0x5A,
++  /* 0000034B push dx                        */  0x52,
++  /* 0000034C push ax                        */  0x50,
++  /* 0000034D mov dx,0x1ce                   */  0xBA, 0xCE, 0x01,
++  /* 00000350 mov ax,0x4                     */  0xB8, 0x04, 0x00,
++  /* 00000353 out dx,ax                      */  0xEF,
++  /* 00000354 mov dx,0x1d0                   */  0xBA, 0xD0, 0x01,
++  /* 00000357 mov ax,0x41                    */  0xB8, 0x41, 0x00,
++  /* 0000035A out dx,ax                      */  0xEF,
++  /* 0000035B pop ax                         */  0x58,
++  /* 0000035C pop dx                         */  0x5A,
++  /* 0000035D pop ax                         */  0x58,
++  /* 0000035E pop dx                         */  0x5A,
++  /* 0000035F jmp short 0x3ac                */  0xEB, 0x4B,
++  /* 00000361 push si                        */  0x56,
++  /* 00000362 mov si,0x411                   */  0xBE, 0x11, 0x04,
++  /* 00000365 call word 0x3c4                */  0xE8, 0x5C, 0x00,
++  /* 00000368 pop si                         */  0x5E,
++  /* 00000369 mov bx,0x40f1                  */  0xBB, 0xF1, 0x40,
++  /* 0000036C jmp short 0x3ac                */  0xEB, 0x3E,
++  /* 0000036E push si                        */  0x56,
++  /* 0000036F mov si,0x43f                   */  0xBE, 0x3F, 0x04,
++  /* 00000372 call word 0x3c4                */  0xE8, 0x4F, 0x00,
++  /* 00000375 pop si                         */  0x5E,
++  /* 00000376 jmp short 0x3b8                */  0xEB, 0x40,
++  /* 00000378 push si                        */  0x56,
++  /* 00000379 mov si,0x452                   */  0xBE, 0x52, 0x04,
++  /* 0000037C call word 0x3c4                */  0xE8, 0x45, 0x00,
++  /* 0000037F pop si                         */  0x5E,
++  /* 00000380 jmp short 0x3b8                */  0xEB, 0x36,
++  /* 00000382 push si                        */  0x56,
++  /* 00000383 mov si,0x423                   */  0xBE, 0x23, 0x04,
++  /* 00000386 call word 0x3c4                */  0xE8, 0x3B, 0x00,
++  /* 00000389 pop si                         */  0x5E,
++  /* 0000038A cmp al,0x3                     */  0x3C, 0x03,
++  /* 0000038C jz 0x39d                       */  0x74, 0x0F,
++  /* 0000038E cmp al,0x12                    */  0x3C, 0x12,
++  /* 00000390 jz 0x3a1                       */  0x74, 0x0F,
++  /* 00000392 push si                        */  0x56,
++  /* 00000393 mov si,0x432                   */  0xBE, 0x32, 0x04,
++  /* 00000396 call word 0x3c4                */  0xE8, 0x2B, 0x00,
++  /* 00000399 pop si                         */  0x5E,
++  /* 0000039A jmp word 0x233                 */  0xE9, 0x96, 0xFE,
++  /* 0000039D mov al,0x30                    */  0xB0, 0x30,
++  /* 0000039F jmp short 0x3a3                */  0xEB, 0x02,
++  /* 000003A1 mov al,0x20                    */  0xB0, 0x20,
++  /* 000003A3 push si                        */  0x56,
++  /* 000003A4 mov si,0x3d6                   */  0xBE, 0xD6, 0x03,
++  /* 000003A7 call word 0x3c4                */  0xE8, 0x1A, 0x00,
++  /* 000003AA pop si                         */  0x5E,
++  /* 000003AB iretw                          */  0xCF,
++  /* 000003AC push si                        */  0x56,
++  /* 000003AD mov si,0x3d6                   */  0xBE, 0xD6, 0x03,
++  /* 000003B0 call word 0x3c4                */  0xE8, 0x11, 0x00,
++  /* 000003B3 pop si                         */  0x5E,
++  /* 000003B4 mov ax,0x4f                    */  0xB8, 0x4F, 0x00,
++  /* 000003B7 iretw                          */  0xCF,
++  /* 000003B8 push si                        */  0x56,
++  /* 000003B9 mov si,0x3dc                   */  0xBE, 0xDC, 0x03,
++  /* 000003BC call word 0x3c4                */  0xE8, 0x05, 0x00,
++  /* 000003BF pop si                         */  0x5E,
++  /* 000003C0 mov ax,0x14f                   */  0xB8, 0x4F, 0x01,
++  /* 000003C3 iretw                          */  0xCF,
++  /* 000003C4 pushaw                         */  0x60,
++  /* 000003C5 push ds                        */  0x1E,
++  /* 000003C6 push cs                        */  0x0E,
++  /* 000003C7 pop ds                         */  0x1F,
++  /* 000003C8 mov dx,0x402                   */  0xBA, 0x02, 0x04,
++  /* 000003CB lodsb                          */  0xAC,
++  /* 000003CC cmp al,0x0                     */  0x3C, 0x00,
++  /* 000003CE jz 0x3d3                       */  0x74, 0x03,
++  /* 000003D0 out dx,al                      */  0xEE,
++  /* 000003D1 jmp short 0x3cb                */  0xEB, 0xF8,
++  /* 000003D3 pop ds                         */  0x1F,
++  /* 000003D4 popaw                          */  0x61,
++  /* 000003D5 ret                            */  0xC3,
++  /* 000003D6 inc bp                         */  0x45,
++  /* 000003D7 js 0x442                       */  0x78, 0x69,
++  /* 000003D9 jz 0x3e5                       */  0x74, 0x0A,
++  /* 000003DB add [di+0x6e],dl               */  0x00, 0x55, 0x6E,
++  /* 000003DE jnc 0x455                      */  0x73, 0x75,
++  /* 000003E0 jo 0x452                       */  0x70, 0x70,
++  /* 000003E2 outsw                          */  0x6F,
++  /* 000003E3 jc 0x459                       */  0x72, 0x74,
++  /* 000003E5 or al,[fs:bx+si]               */  0x65, 0x64, 0x0A, 0x00,
++  /* 000003E9 push bp                        */  0x55,
++  /* 000003EA outsb                          */  0x6E,
++  /* 000003EB imul bp,[bp+0x6f],byte +0x77   */  0x6B, 0x6E, 0x6F, 0x77,
++  /* 000003EF outsb                          */  0x6E,
++  /* 000003F0 and [bp+0x75],al               */  0x20, 0x46, 0x75,
++  /* 000003F3 outsb                          */  0x6E,
++  /* 000003F4 arpl [si+0x69],si              */  0x63, 0x74, 0x69,
++  /* 000003F7 outsw                          */  0x6F,
++  /* 000003F8 outsb                          */  0x6E,
++  /* 000003F9 or al,[bx+si]                  */  0x0A, 0x00,
++  /* 000003FB inc di                         */  0x47,
++  /* 000003FC gs jz 0x448                    */  0x65, 0x74, 0x49,
++  /* 000003FF outsb                          */  0x6E,
++  /* 00000400 outsd                          */  0x66, 0x6F,
++  /* 00000402 or al,[bx+si]                  */  0x0A, 0x00,
++  /* 00000404 inc di                         */  0x47,
++  /* 00000405 gs jz 0x455                    */  0x65, 0x74, 0x4D,
++  /* 00000408 outsw                          */  0x6F,
++  /* 00000409 gs dec cx                      */  0x64, 0x65, 0x49,
++  /* 0000040C outsb                          */  0x6E,
++  /* 0000040D outsd                          */  0x66, 0x6F,
++  /* 0000040F or al,[bx+si]                  */  0x0A, 0x00,
++  /* 00000411 inc di                         */  0x47,
++  /* 00000412 gs jz 0x462                    */  0x65, 0x74, 0x4D,
++  /* 00000415 outsw                          */  0x6F,
++  /* 00000416 or al,[gs:bx+si]               */  0x64, 0x65, 0x0A, 0x00,
++  /* 0000041A push bx                        */  0x53,
++  /* 0000041B gs jz 0x46b                    */  0x65, 0x74, 0x4D,
++  /* 0000041E outsw                          */  0x6F,
++  /* 0000041F or al,[gs:bx+si]               */  0x64, 0x65, 0x0A, 0x00,
++  /* 00000423 push bx                        */  0x53,
++  /* 00000424 gs jz 0x474                    */  0x65, 0x74, 0x4D,
++  /* 00000427 outsw                          */  0x6F,
++  /* 00000428 gs dec sp                      */  0x64, 0x65, 0x4C,
++  /* 0000042B gs a32 popaw                   */  0x65, 0x67, 0x61,
++  /* 0000042E arpl [bx+di+0xa],di            */  0x63, 0x79, 0x0A,
++  /* 00000431 add [di+0x6e],dl               */  0x00, 0x55, 0x6E,
++  /* 00000434 imul bp,[bx+0x77],byte +0x6e   */  0x6B, 0x6F, 0x77, 0x6E,
++  /* 00000438 and [di+0x6f],cl               */  0x20, 0x4D, 0x6F,
++  /* 0000043B or al,[gs:bx+si]               */  0x64, 0x65, 0x0A, 0x00,
++  /* 0000043F inc di                         */  0x47,
++  /* 00000440 gs jz 0x493                    */  0x65, 0x74, 0x50,
++  /* 00000443 insw                           */  0x6D,
++  /* 00000444 inc bx                         */  0x43,
++  /* 00000445 popaw                          */  0x61,
++  /* 00000446 jo 0x4a9                       */  0x70, 0x61,
++  /* 00000448 bound bp,[bx+di+0x6c]          */  0x62, 0x69, 0x6C,
++  /* 0000044B imul si,[si+0x69],word 0x7365  */  0x69, 0x74, 0x69, 0x65, 0x73,
++  /* 00000450 or al,[bx+si]                  */  0x0A, 0x00,
++  /* 00000452 push dx                        */  0x52,
++  /* 00000453 gs popaw                       */  0x65, 0x61,
++  /* 00000455 fs inc bp                      */  0x64, 0x45,
++  /* 00000457 fs                             */  0x64,
++  /* 00000458 db 0x69                        */  0x69,
++  /* 00000459 or al,[fs:bx+si]               */  0x64, 0x0A, 0x00,
+ };
+ #endif
+-- 
+1.8.3.1
+
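Review bot: from offset 0x3D6 to the end of the array the bytes are NUL-terminated ASCII message strings, not code, so the mnemonics in the comments (inc bp, js 0x442, outsw, ...) are disassembler noise that hides what the data is. The bytes decode to "Exit\n", "Unsupported\n", "Unknown Function\n", "GetInfo\n", "GetModeInfo\n", "GetMode\n", "SetMode\n", "SetModeLegacy\n", "Unkown Mode\n", "GetPmCapabilities\n" and "ReadEdid\n". Suggest emitting this tail as data, with each string named in its comment, so a reviewer can audit the blob without decoding it by hand. The string starting at 0x432 is spelled "Unkown" (0x55 0x6E 0x6B 0x6F 0x77 0x6E), while the one at 0x3E9 reads "Unknown"; correct the spelling where the string is defined and regenerate the array.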
diff --git a/SOURCES/0006-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch b/SOURCES/0006-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
new file mode 100644
index 0000000..ab6086a
--- /dev/null
+++ b/SOURCES/0006-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
@@ -0,0 +1,144 @@
+From 28faeb5f94b4866b9da16cf2a1e4e0fc09a26e37 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 25 Feb 2014 18:40:35 +0100
+Subject: MdeModulePkg: TerminalDxe: add other text resolutions (RHEL only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- update commit message as requested in
+  <https://bugzilla.redhat.com/show_bug.cgi?id=1503316#c0>
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- adapt commit 0bc77c63de03 (code and commit message) to upstream commit
+  390b95a49c14 ("MdeModulePkg/TerminalDxe: Refine
+  InitializeTerminalConsoleTextMode", 2017-01-10).
+
+When the console output is multiplexed to several devices by
+ConSplitterDxe, then ConSplitterDxe builds an intersection of text modes
+supported by all console output devices.
+
+Two notable output devices are provided by:
+(1) MdeModulePkg/Universal/Console/GraphicsConsoleDxe,
+(2) MdeModulePkg/Universal/Console/TerminalDxe.
+
+GraphicsConsoleDxe supports four modes at most -- see
+InitializeGraphicsConsoleTextMode() and "mGraphicsConsoleModeData":
+
+(1a) 80x25 (required by the UEFI spec as mode 0),
+(1b) 80x50 (not necessarily supported, but if it is, then the UEFI spec
+     requires the driver to provide it as mode 1),
+(1c) 100x31 (corresponding to graphics resolution 800x600, which the UEFI
+     spec requires from all plug-in graphics devices),
+(1d) "full screen" resolution, derived form the underlying GOP's
+     horizontal and vertical resolutions with division by EFI_GLYPH_WIDTH
+     (8) and EFI_GLYPH_HEIGHT (19), respectively.
+
+The automatic "full screen resolution" makes GraphicsConsoleDxe's
+character console very flexible. However, TerminalDxe (which runs on
+serial ports) only provides the following fixed resolutions -- see
+InitializeTerminalConsoleTextMode() and "mTerminalConsoleModeData":
+
+(2a) 80x25 (required by the UEFI spec as mode 0),
+(2b) 80x50 (since the character resolution of a serial device cannot be
+     interrogated easily, this is added unconditionally as mode 1),
+(2c) 100x31 (since the character resolution of a serial device cannot be
+     interrogated easily, this is added unconditionally as mode 2).
+
+When ConSplitterDxe combines (1) and (2), multiplexing console output to
+both video output and serial terminal, the list of commonly supported text
+modes (ie. the "intersection") comprises:
+
+(3a) 80x25, unconditionally, from (1a) and (2a),
+(3b) 80x50, if the graphics console provides at least 640x950 pixel
+     resolution, from (1b) and (2b)
+(3c) 100x31, if the graphics device is a plug-in one (because in that case
+     800x600 is a mandated pixel resolution), from (1c) and (2c).
+
+Unfortunately, the "full screen resolution" (1d) of the GOP-based text
+console is not available in general.
+
+Mitigate this problem by extending "mTerminalConsoleModeData" with a
+handful of text resolutions that are derived from widespread maximal pixel
+resolutions. This way TerminalDxe won't cause ConSplitterDxe to filter out
+the most frequent (1d) values from the intersection, and eg. the MODE
+command in the UEFI shell will offer the "best" (ie. full screen)
+resolution too.
+
+Upstreaming efforts for this patch have been discontinued; it was clear
+from the off-list thread that consensus was impossible to reach.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 99dc3720ac86059f60156197328cc433603c536e)
+(cherry picked from commit d2066c1748f885043026c51dec1bc8d6d406ae8f)
+(cherry picked from commit 1facdd58e946c584a3dc1e5be8f2f837b5a7c621)
+---
+ .../Universal/Console/TerminalDxe/Terminal.c       | 41 ++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 3 deletions(-)
+
+diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
+index 66dd3ad..78a1983 100644
+--- a/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
++++ b/MdeModulePkg/Universal/Console/TerminalDxe/Terminal.c
+@@ -113,9 +113,44 @@ TERMINAL_DEV  mTerminalDevTemplate = {
+ };
+ 
+ TERMINAL_CONSOLE_MODE_DATA mTerminalConsoleModeData[] = {
+-  {80,  25},
+-  {80,  50},
+-  {100, 31},
++  {   80,  25 }, // from graphics resolution  640 x  480
++  {   80,  50 }, // from graphics resolution  640 x  960
++  {  100,  25 }, // from graphics resolution  800 x  480
++  {  100,  31 }, // from graphics resolution  800 x  600
++  {  104,  32 }, // from graphics resolution  832 x  624
++  {  120,  33 }, // from graphics resolution  960 x  640
++  {  128,  31 }, // from graphics resolution 1024 x  600
++  {  128,  40 }, // from graphics resolution 1024 x  768
++  {  144,  45 }, // from graphics resolution 1152 x  864
++  {  144,  45 }, // from graphics resolution 1152 x  870
++  {  160,  37 }, // from graphics resolution 1280 x  720
++  {  160,  40 }, // from graphics resolution 1280 x  760
++  {  160,  40 }, // from graphics resolution 1280 x  768
++  {  160,  42 }, // from graphics resolution 1280 x  800
++  {  160,  50 }, // from graphics resolution 1280 x  960
++  {  160,  53 }, // from graphics resolution 1280 x 1024
++  {  170,  40 }, // from graphics resolution 1360 x  768
++  {  170,  40 }, // from graphics resolution 1366 x  768
++  {  175,  55 }, // from graphics resolution 1400 x 1050
++  {  180,  47 }, // from graphics resolution 1440 x  900
++  {  200,  47 }, // from graphics resolution 1600 x  900
++  {  200,  63 }, // from graphics resolution 1600 x 1200
++  {  210,  55 }, // from graphics resolution 1680 x 1050
++  {  240,  56 }, // from graphics resolution 1920 x 1080
++  {  240,  63 }, // from graphics resolution 1920 x 1200
++  {  240,  75 }, // from graphics resolution 1920 x 1440
++  {  250, 105 }, // from graphics resolution 2000 x 2000
++  {  256,  80 }, // from graphics resolution 2048 x 1536
++  {  256, 107 }, // from graphics resolution 2048 x 2048
++  {  320,  75 }, // from graphics resolution 2560 x 1440
++  {  320,  84 }, // from graphics resolution 2560 x 1600
++  {  320, 107 }, // from graphics resolution 2560 x 2048
++  {  350, 110 }, // from graphics resolution 2800 x 2100
++  {  400, 126 }, // from graphics resolution 3200 x 2400
++  {  480, 113 }, // from graphics resolution 3840 x 2160
++  {  512, 113 }, // from graphics resolution 4096 x 2160
++  {  960, 227 }, // from graphics resolution 7680 x 4320
++  { 1024, 227 }, // from graphics resolution 8192 x 4320
+   //
+   // New modes can be added here.
+   //
+-- 
+1.8.3.1
+
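Review bot: inserting { 100, 25 } ahead of { 100, 31 } in mTerminalConsoleModeData moves 100x31 from index 2 to index 3, although the commit message itself describes 100x31 as "added unconditionally as mode 2". Anything that selected text mode 2 on a serial console expecting 100x31 now gets 100x25. Suggest keeping the three original entries at indices 0 to 2 and appending the new resolutions after them. The table also carries the same geometry several times ({ 144, 45 } for 1152x864 and 1152x870, { 160, 40 } for 1280x760 and 1280x768, { 170, 40 } for 1360x768 and 1366x768). Each duplicate takes a mode number without adding a distinct text resolution, so one entry per geometry with both source resolutions named in its comment would be enough.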
diff --git a/SOURCES/0007-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch b/SOURCES/0007-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
new file mode 100644
index 0000000..1ba3a2e
--- /dev/null
+++ b/SOURCES/0007-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
@@ -0,0 +1,143 @@
+From 67415982afdc77922aa37496c981adeb4351acdb Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 25 Feb 2014 22:40:01 +0100
+Subject: MdeModulePkg: TerminalDxe: set xterm resolution on mode change (RH
+ only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no change
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- Refresh downstream-only commit 2909e025db68 against "MdeModulePkg.dec"
+  context change from upstream commits e043f7895b83 ("MdeModulePkg: Add
+  PCD PcdPteMemoryEncryptionAddressOrMask", 2017-02-27) and 76081dfcc5b2
+  ("MdeModulePkg: Add PROMPT&HELP string of pcd to UNI file", 2017-03-03).
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- refresh commit 519b9751573e against various context changes
+
+The
+
+  CSI Ps ; Ps ; Ps t
+
+escape sequence serves for window manipulation. We can use the
+
+  CSI 8 ; <rows> ; <columns> t
+
+sequence to adapt eg. the xterm window size to the selected console mode.
+
+Reference: <http://rtfm.etla.org/xterm/ctlseq.html>
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 2909e025db6878723b49644a8a0cf160d07e6444)
+(cherry picked from commit b9c5c901f25e48d68eef6e78a4abca00e153f574)
+(cherry picked from commit b7f6115b745de8cbc5214b6ede33c9a8558beb90)
+---
+ MdeModulePkg/MdeModulePkg.dec                      |  4 +++
+ .../Universal/Console/TerminalDxe/TerminalConOut.c | 30 ++++++++++++++++++++++
+ .../Universal/Console/TerminalDxe/TerminalDxe.inf  |  2 ++
+ 3 files changed, 36 insertions(+)
+
+diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
+index cc39718..384d901 100644
+--- a/MdeModulePkg/MdeModulePkg.dec
++++ b/MdeModulePkg/MdeModulePkg.dec
+@@ -1914,6 +1914,10 @@
+   # @Prompt The address mask when memory encryption is enabled.
+   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask|0x0|UINT64|0x30001047
+ 
++  ## Controls whether TerminalDxe outputs an XTerm resize sequence on terminal
++  #  mode change.
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE|BOOLEAN|0x00010080
++
+ [PcdsPatchableInModule]
+   ## Specify memory size with page number for PEI code when
+   #  Loading Module at Fixed Address feature is enabled.
+diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
+index 5a83431..fbc1e0a 100644
+--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConOut.c
+@@ -13,6 +13,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+ 
+ **/
+ 
++#include <Library/PrintLib.h>
++
+ #include "Terminal.h"
+ 
+ //
+@@ -87,6 +89,16 @@ CHAR16 mCursorForwardString[]      = { ESC, '[', '0', '0', 'C', 0 };
+ CHAR16 mCursorBackwardString[]     = { ESC, '[', '0', '0', 'D', 0 };
+ 
+ //
++// Note that this is an ASCII format string, taking two INT32 arguments:
++// rows, columns.
++//
++// A %d (INT32) format specification can expand to at most 11 characters.
++//
++CHAR8 mResizeTextAreaFormatString[] = "\x1B[8;%d;%dt";
++#define RESIZE_SEQ_SIZE (sizeof mResizeTextAreaFormatString + 2 * (11 - 2))
++
++
++//
+ // Body of the ConOut functions
+ //
+ 
+@@ -508,6 +520,24 @@ TerminalConOutSetMode (
+     return EFI_DEVICE_ERROR;
+   }
+ 
++  if (PcdGetBool (PcdResizeXterm)) {
++    CHAR16 ResizeSequence[RESIZE_SEQ_SIZE];
++
++    UnicodeSPrintAsciiFormat (
++      ResizeSequence,
++      sizeof ResizeSequence,
++      mResizeTextAreaFormatString,
++      (INT32) TerminalDevice->TerminalConsoleModeData[ModeNumber].Rows,
++      (INT32) TerminalDevice->TerminalConsoleModeData[ModeNumber].Columns
++      );
++    TerminalDevice->OutputEscChar = TRUE;
++    Status                        = This->OutputString (This, ResizeSequence);
++    TerminalDevice->OutputEscChar = FALSE;
++    if (EFI_ERROR (Status)) {
++      return EFI_DEVICE_ERROR;
++    }
++  }
++
+   This->Mode->Mode  = (INT32) ModeNumber;
+ 
+   Status            = This->ClearScreen (This);
+diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
+index 0780296..bd2ba82 100644
+--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
+@@ -60,6 +60,7 @@
+   DebugLib
+   PcdLib
+   BaseLib
++  PrintLib
+ 
+ [Guids]
+   ## SOMETIMES_PRODUCES ## Variable:L"ConInDev"
+@@ -88,6 +89,7 @@
+ [Pcd]
+   gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType           ## SOMETIMES_CONSUMES
+   gEfiMdeModulePkgTokenSpaceGuid.PcdErrorCodeSetVariable    ## CONSUMES
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm             ## CONSUMES
+ 
+ # [Event]
+ # # Relative timer event set by UnicodeToEfiKey(), used to be one 2 seconds input timeout.
+-- 
+1.8.3.1
+
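Review bot: in TerminalConOutSetMode() the resize sequence is gated only on PcdGetBool (PcdResizeXterm), so once the PCD is TRUE the bytes "\x1B[8;%d;%dt" go to every terminal this driver manages, whatever its terminal type. A peer that does not implement the xterm window-manipulation CSI will show them as stray characters on each mode change. Suggest also checking the device's terminal type before emitting, or stating in the PCD description that it must only be enabled when the peer is xterm-compatible. In MdeModulePkg.dec the new PcdResizeXterm entry has a description but no "# @Prompt" line, unlike the PcdPteMemoryEncryptionAddressOrMask entry directly above it; add one for consistency. The RESIZE_SEQ_SIZE arithmetic (the sizeof of the format plus nine extra characters for each of the two %d fields) and the byte-sized "sizeof ResizeSequence" argument look correct for two INT32 values.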
diff --git a/SOURCES/0008-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch b/SOURCES/0008-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
new file mode 100644
index 0000000..a168378
--- /dev/null
+++ b/SOURCES/0008-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
@@ -0,0 +1,104 @@
+From 2ebf3cc2ae99275d63bb6efd3c22dec76251a853 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 14 Oct 2015 15:59:06 +0200
+Subject: OvmfPkg: take PcdResizeXterm from the QEMU command line (RH only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no change
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- refresh downstream-only commit 8abc2a6ddad2 against context differences
+  in the DSC files from upstream commit 5e167d7e784c
+  ("OvmfPkg/PlatformPei: don't allocate reserved mem varstore if
+  SMM_REQUIRE", 2017-03-12).
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 6fa0c4d67c0bb8bde2ddd6db41c19eb0c40b2721)
+(cherry picked from commit 8abc2a6ddad25af7e88dc0cf57d55dfb75fbf92d)
+(cherry picked from commit b311932d3841c017a0f0fec553edcac365cc2038)
+(cherry picked from commit 61914fb81cf624c9028d015533b400b2794e52d3)
+---
+ OvmfPkg/OvmfPkgIa32.dsc             | 1 +
+ OvmfPkg/OvmfPkgIa32X64.dsc          | 1 +
+ OvmfPkg/OvmfPkgX64.dsc              | 1 +
+ OvmfPkg/PlatformPei/Platform.c      | 1 +
+ OvmfPkg/PlatformPei/PlatformPei.inf | 1 +
+ 5 files changed, 5 insertions(+)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index a5bb2b0..b577767 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -530,6 +530,7 @@
+   #   ($(SMM_REQUIRE) == FALSE)
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index be8fee9..a6a40be 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -536,6 +536,7 @@
+   #   ($(SMM_REQUIRE) == FALSE)
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index e224b0e..8bd3754 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -535,6 +535,7 @@
+   #   ($(SMM_REQUIRE) == FALSE)
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved|0
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0
+diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c
+index 5a78668..544ac54 100644
+--- a/OvmfPkg/PlatformPei/Platform.c
++++ b/OvmfPkg/PlatformPei/Platform.c
+@@ -670,6 +670,7 @@ InitializePlatform (
+     PeiFvInitialization ();
+     MemMapInitialization ();
+     NoexecDxeInitialization ();
++    UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm);
+   }
+ 
+   AmdSevInitialize ();
+diff --git a/OvmfPkg/PlatformPei/PlatformPei.inf b/OvmfPkg/PlatformPei/PlatformPei.inf
+index 30ceb4b..016c067 100644
+--- a/OvmfPkg/PlatformPei/PlatformPei.inf
++++ b/OvmfPkg/PlatformPei/PlatformPei.inf
+@@ -94,6 +94,7 @@
+   gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize
+   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
+   gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm
+   gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode
+   gEfiMdeModulePkgTokenSpaceGuid.PcdUse1GPageTable
+   gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
+-- 
+1.8.3.1
+
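Review bot: the subject says the value is taken from the QEMU command line, but neither the commit message nor the added lines name the fw_cfg file that carries it, and the only functional change visible is the single UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm) call in InitializePlatform(). Add a message body giving the fw_cfg file name and the accepted values, so the setting can be found without reading the macro definition. In the three DSC hunks the new "PcdResizeXterm|FALSE" default sits directly under the "($(SMM_REQUIRE) == FALSE)" comment, between PcdEmuVariableNvStoreReserved and the PcdFlashNvStorage* entries, where it reads as part of the variable-store group. Moving it out of that group, with a one-line comment of its own, would avoid the misreading.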
diff --git a/SOURCES/0009-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch b/SOURCES/0009-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
new file mode 100644
index 0000000..e527385
--- /dev/null
+++ b/SOURCES/0009-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
@@ -0,0 +1,50 @@
+From 762595334aa7ce88412cc77e136db9b41577a699 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 12 Apr 2016 20:50:25 +0200
+Subject: ArmVirtPkg: QemuFwCfgLib: allow UEFI_DRIVER client modules (RH only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no change
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 8e2153358aa2bba2c91faa87a70beadcaae03fd8)
+(cherry picked from commit 5af259a93f4bbee5515ae18638068125e170f2cd)
+(cherry picked from commit 22b073005af491eef177ef5f80ffe71c1ebabb03)
+(cherry picked from commit f77f1e7dd6013f918c70e089c95b8f4166085fb9)
+---
+ ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf b/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
+index eff4a21..adf1ff6 100644
+--- a/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
++++ b/ArmVirtPkg/Library/QemuFwCfgLib/QemuFwCfgLib.inf
+@@ -22,7 +22,7 @@
+   FILE_GUID                      = B271F41F-B841-48A9-BA8D-545B4BC2E2BF
+   MODULE_TYPE                    = BASE
+   VERSION_STRING                 = 1.0
+-  LIBRARY_CLASS                  = QemuFwCfgLib|DXE_DRIVER
++  LIBRARY_CLASS                  = QemuFwCfgLib|DXE_DRIVER UEFI_DRIVER
+ 
+   CONSTRUCTOR                    = QemuFwCfgInitialize
+ 
+-- 
+1.8.3.1
+
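Review bot: the LIBRARY_CLASS line now admits UEFI_DRIVER clients, but the commit message consists of rebase notes only and never says which UEFI_DRIVER module needs QemuFwCfgLib or why the restriction to DXE_DRIVER was safe to relax. State the consumer and confirm that the QemuFwCfgInitialize constructor has no dependency that a UEFI_DRIVER cannot satisfy at load time, so the widened class list is justified in the history rather than only by the patches around it.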
diff --git a/SOURCES/0010-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch b/SOURCES/0010-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
new file mode 100644
index 0000000..2d3ab45
--- /dev/null
+++ b/SOURCES/0010-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
@@ -0,0 +1,211 @@
+From 9448b6b46267d8d807fac0c648e693171bb34806 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Sun, 26 Jul 2015 08:02:50 +0000
+Subject: ArmVirtPkg: take PcdResizeXterm from the QEMU command line (RH only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no change
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- Refresh downstream-only commit d4564d39dfdb against context changes in
+  "ArmVirtPkg/ArmVirtQemu.dsc" from upstream commit 7e5f1b673870
+  ("ArmVirtPkg/PlatformHasAcpiDtDxe: allow guest level ACPI disable
+  override", 2017-03-29).
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- Adapt commit 6b97969096a3 to the fact that upstream has deprecated such
+  setter functions for dynamic PCDs that don't return a status code (such
+  as PcdSetBool()). Employ PcdSetBoolS(), and assert that it succeeds --
+  there's really no circumstance in this case when it could fail.
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit d4564d39dfdbf74e762af43314005a2c026cb262)
+(cherry picked from commit c9081ebe3bcd28e5cce4bf58bd8d4fca12f9af7c)
+(cherry picked from commit 8e92730c8e1cdb642b3b3e680e643ff774a90c65)
+---
+ ArmVirtPkg/ArmVirtQemu.dsc                         |  7 +-
+ .../TerminalPcdProducerLib.c                       | 87 ++++++++++++++++++++++
+ .../TerminalPcdProducerLib.inf                     | 41 ++++++++++
+ 3 files changed, 134 insertions(+), 1 deletion(-)
+ create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
+ create mode 100644 ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 7331597..4bf94ce 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -208,6 +208,8 @@
+   gEfiMdeModulePkgTokenSpaceGuid.PcdSmbiosDocRev|0x0
+   gUefiOvmfPkgTokenSpaceGuid.PcdQemuSmbiosValidated|FALSE
+ 
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm|FALSE
++
+ [PcdsDynamicHii]
+   gArmVirtTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gArmVirtVariableGuid|0x0|FALSE|NV,BS
+ 
+@@ -284,7 +286,10 @@
+   MdeModulePkg/Universal/Console/ConPlatformDxe/ConPlatformDxe.inf
+   MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf
+   MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf
+-  MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf
++  MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf {
++    <LibraryClasses>
++      NULL|ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
++  }
+   MdeModulePkg/Universal/SerialDxe/SerialDxe.inf
+ 
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
+new file mode 100644
+index 0000000..814ad48
+--- /dev/null
++++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.c
+@@ -0,0 +1,87 @@
++/** @file
++*  Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg
++*
++*  Copyright (C) 2015-2016, Red Hat, Inc.
++*  Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR>
++*
++*  This program and the accompanying materials are licensed and made available
++*  under the terms and conditions of the BSD License which accompanies this
++*  distribution.  The full text of the license may be found at
++*  http://opensource.org/licenses/bsd-license.php
++*
++*  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++*  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
++*  IMPLIED.
++*
++**/
++
++#include <Library/DebugLib.h>
++#include <Library/PcdLib.h>
++#include <Library/QemuFwCfgLib.h>
++
++STATIC
++RETURN_STATUS
++GetNamedFwCfgBoolean (
++  IN  CONST CHAR8 *FwCfgFileName,
++  OUT BOOLEAN     *Setting
++  )
++{
++  RETURN_STATUS        Status;
++  FIRMWARE_CONFIG_ITEM FwCfgItem;
++  UINTN                FwCfgSize;
++  UINT8                Value[3];
++
++  Status = QemuFwCfgFindFile (FwCfgFileName, &FwCfgItem, &FwCfgSize);
++  if (RETURN_ERROR (Status)) {
++    return Status;
++  }
++  if (FwCfgSize > sizeof Value) {
++    return RETURN_BAD_BUFFER_SIZE;
++  }
++  QemuFwCfgSelectItem (FwCfgItem);
++  QemuFwCfgReadBytes (FwCfgSize, Value);
++
++  if ((FwCfgSize == 1) ||
++      (FwCfgSize == 2 && Value[1] == '\n') ||
++      (FwCfgSize == 3 && Value[1] == '\r' && Value[2] == '\n')) {
++    switch (Value[0]) {
++      case '0':
++      case 'n':
++      case 'N':
++        *Setting = FALSE;
++        return RETURN_SUCCESS;
++
++      case '1':
++      case 'y':
++      case 'Y':
++        *Setting = TRUE;
++        return RETURN_SUCCESS;
++
++      default:
++        break;
++    }
++  }
++  return RETURN_PROTOCOL_ERROR;
++}
++
++#define UPDATE_BOOLEAN_PCD_FROM_FW_CFG(TokenName)                             \
++          do {                                                                \
++            BOOLEAN       Setting;                                            \
++            RETURN_STATUS PcdStatus;                                          \
++                                                                              \
++            if (!RETURN_ERROR (GetNamedFwCfgBoolean (                         \
++                    "opt/org.tianocore.edk2.aavmf/" #TokenName, &Setting))) { \
++              PcdStatus = PcdSetBoolS (TokenName, Setting);                   \
++              ASSERT_RETURN_ERROR (PcdStatus);                                \
++            }                                                                 \
++          } while (0)
++
++RETURN_STATUS
++EFIAPI
++TerminalPcdProducerLibConstructor (
++  VOID
++  )
++{
++  UPDATE_BOOLEAN_PCD_FROM_FW_CFG (PcdResizeXterm);
++  return RETURN_SUCCESS;
++}
+diff --git a/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
+new file mode 100644
+index 0000000..fecb37b
+--- /dev/null
++++ b/ArmVirtPkg/Library/TerminalPcdProducerLib/TerminalPcdProducerLib.inf
+@@ -0,0 +1,41 @@
++## @file
++#  Plugin library for setting up dynamic PCDs for TerminalDxe, from fw_cfg
++#
++#  Copyright (C) 2015-2016, Red Hat, Inc.
++#  Copyright (c) 2014, Linaro Ltd. All rights reserved.<BR>
++#
++#  This program and the accompanying materials are licensed and made available
++#  under the terms and conditions of the BSD License which accompanies this
++#  distribution.  The full text of the license may be found at
++#  http://opensource.org/licenses/bsd-license.php
++#
++#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
++#  IMPLIED.
++#
++##
++
++[Defines]
++  INF_VERSION                    = 0x00010005
++  BASE_NAME                      = TerminalPcdProducerLib
++  FILE_GUID                      = 4a0c5ed7-8c42-4c01-8f4c-7bf258316a96
++  MODULE_TYPE                    = BASE
++  VERSION_STRING                 = 1.0
++  LIBRARY_CLASS                  = TerminalPcdProducerLib|DXE_DRIVER
++  CONSTRUCTOR                    = TerminalPcdProducerLibConstructor
++
++[Sources]
++  TerminalPcdProducerLib.c
++
++[Packages]
++  MdePkg/MdePkg.dec
++  OvmfPkg/OvmfPkg.dec
++  MdeModulePkg/MdeModulePkg.dec
++
++[LibraryClasses]
++  DebugLib
++  PcdLib
++  QemuFwCfgLib
++
++[Pcd]
++  gEfiMdeModulePkgTokenSpaceGuid.PcdResizeXterm
+-- 
+1.8.3.1
+
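Review bot: in UPDATE_BOOLEAN_PCD_FROM_FW_CFG every failure of GetNamedFwCfgBoolean() is dropped silently, so a fw_cfg file that exists but is malformed (RETURN_BAD_BUFFER_SIZE for more than three bytes, RETURN_PROTOCOL_ERROR for an unrecognised value) is indistinguishable from the file being absent. The PCD then stays at its FALSE default with no diagnostic. DebugLib is already included, so suggest logging a DEBUG message when the status is anything other than not-found. The size check "FwCfgSize > sizeof Value" before QemuFwCfgReadBytes() correctly bounds the read into Value[3], and a zero-length file falls through to RETURN_PROTOCOL_ERROR without Value being inspected. A failing PcdSetBoolS() is caught only by ASSERT_RETURN_ERROR, which does nothing in builds where assertions are compiled out. The commit message argues the call cannot fail, and a short comment at the macro saying so would keep that reasoning next to the code.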
diff --git a/SOURCES/0011-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch b/SOURCES/0011-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
new file mode 100644
index 0000000..14b18d3
--- /dev/null
+++ b/SOURCES/0011-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
@@ -0,0 +1,138 @@
+From bbd64eb8658e9a33eab4227d9f4e51ad78d9f687 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 4 Nov 2014 23:02:53 +0100
+Subject: OvmfPkg: allow exclusion of the shell from the firmware image (RH
+ only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no change
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Message-id: <1415138578-27173-14-git-send-email-lersek@redhat.com>
+Patchwork-id: 62119
+O-Subject:  [RHEL-7.1 ovmf PATCH v2 13/18] OvmfPkg: allow exclusion of the shell
+	from the firmware image (RH only)
+Bugzilla: 1147592
+Acked-by: Andrew Jones <drjones@redhat.com>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+When '-D EXCLUDE_SHELL_FROM_FD' is passed to 'build', exclude the shell
+binary from the firmware image.
+
+Peter Jones advised us that firmware vendors for physical systems disable
+the memory-mapped, firmware image-contained UEFI shell in
+SecureBoot-enabled builds. The reason being that the memory-mapped shell
+can always load, it may have direct access to various hardware in the
+system, and it can run UEFI shell scripts (which cannot be signed at all).
+
+Intended use of the new build option:
+
+- In-tree builds: don't pass '-D EXCLUDE_SHELL_FROM_FD'. The resultant
+  firmware image will contain a shell binary, independently of SecureBoot
+  enablement, which is flexible for interactive development. (Ie. no
+  change for in-tree builds.)
+
+- RPM builds: pass both '-D SECURE_BOOT_ENABLE' and
+  '-D EXCLUDE_SHELL_FROM_FD'. The resultant RPM will provide:
+
+  - OVMF_CODE.fd: SecureBoot-enabled firmware, without builtin UEFI shell,
+
+  - OVMF_VARS.fd: variable store template matching OVMF_CODE.fd,
+
+  - UefiShell.iso: a bootable ISO image with the shell on it as default
+    boot loader. The shell binary will load when SecureBoot is turned off,
+    and won't load when SecureBoot is turned on (because it is not
+    signed).
+
+    UefiShell.iso is the reason we're not excluding the shell from the DSC
+    files as well, only the FDF files -- when '-D EXCLUDE_SHELL_FROM_FD'
+    is specified, the shell binary needs to be built the same, only it
+    will be included in UefiShell.iso.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 9c391def70366cabae08e6008814299c3372fafd)
+(cherry picked from commit d9dd9ee42937b2611fe37183cc9ec7f62d946933)
+(cherry picked from commit 23df46ebbe7b09451d3a05034acd4d3a25e7177b)
+(cherry picked from commit f0303f71d576c51b01c4ff961b429d0e0e707245)
+---
+ OvmfPkg/OvmfPkgIa32.fdf    | 2 ++
+ OvmfPkg/OvmfPkgIa32X64.fdf | 2 ++
+ OvmfPkg/OvmfPkgX64.fdf     | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index f552bc9..73007dd 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -288,12 +288,14 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
++!ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !ifndef $(USE_OLD_SHELL)
+ INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+ INF  ShellPkg/Application/Shell/Shell.inf
+ !else
+ INF  RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
+ !endif
++!endif
+ 
+ !if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
+ INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index ee77ae1..116b3c6 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -289,12 +289,14 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
++!ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !ifndef $(USE_OLD_SHELL)
+ INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+ INF  ShellPkg/Application/Shell/Shell.inf
+ !else
+ INF  RuleOverride = BINARY USE = X64 EdkShellBinPkg/FullShell/FullShell.inf
+ !endif
++!endif
+ 
+ !if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
+ INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 505d25d..84d5845 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -289,12 +289,14 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
++!ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !ifndef $(USE_OLD_SHELL)
+ INF  ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
+ INF  ShellPkg/Application/Shell/Shell.inf
+ !else
+ INF  RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
+ !endif
++!endif
+ 
+ !if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
+ INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+-- 
+1.8.3.1
+
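Review bot: The new guard `!ifndef $(EXCLUDE_SHELL_FROM_FD)` in OvmfPkgIa32.fdf, OvmfPkgIa32X64.fdf and OvmfPkgX64.fdf tests only whether the macro is defined, whereas the `!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)` line just below it tests a value, so `-D EXCLUDE_SHELL_FROM_FD=FALSE` would still leave the shell out of the image. That fails in the safe direction, but it is surprising next to the value-tested flags; please add a `#` comment above the guard saying that presence alone matters (as with `USE_OLD_SHELL`). The guard is also independent of `SECURE_BOOT_ENABLE`: a build that passes `-D SECURE_BOOT_ENABLE` but forgets `-D EXCLUDE_SHELL_FROM_FD` still embeds the memory-mapped shell that the commit message says should not ship in SecureBoot-enabled builds, and nothing in the FDF records that pairing. The same comment could state the intended RPM combination, since the rationale currently lives only in the commit message and the two back-to-back `!endif` lines give no hint which condition each one closes.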
diff --git a/SOURCES/0012-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch b/SOURCES/0012-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
new file mode 100644
index 0000000..496c697
--- /dev/null
+++ b/SOURCES/0012-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
@@ -0,0 +1,1353 @@
+From b59ee7769814e207c917615af78c7428bdf3b450 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 4 Nov 2014 23:02:55 +0100
+Subject: OvmfPkg: EnrollDefaultKeys: application for enrolling default keys
+ (RH only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- This patch now squashes the following commits:
+  - c0b2615a9c0b OvmfPkg: EnrollDefaultKeys: application for enrolling
+                 default keys (RH only)
+  - 22f4d33d0168 OvmfPkg/EnrollDefaultKeys: update SignatureOwner GUID for
+                 Windows HCK (RH)
+  - ff7f2c1d870d OvmfPkg/EnrollDefaultKeys: expose CertType parameter of
+                 EnrollListOfCerts (RH)
+  - aee7b5ba60b4 OvmfPkg/EnrollDefaultKeys: blacklist empty file in dbx
+                 for Windows HCK (RH)
+
+- Consequently, OvmfPkg/EnrollDefaultKeys/ is identical to the same
+  directory at the "RHEL-7.4" tag (49d06d386736).
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- This patch now squashes the following commits:
+  - 014f459c197b OvmfPkg: EnrollDefaultKeys: application for enrolling
+                 default keys (RH only)
+  - 18422a18d0e9 OvmfPkg/EnrollDefaultKeys: assign Status before reading
+                 it (RH only)
+  - ddb90568e874 OvmfPkg/EnrollDefaultKeys: silence VS2015x86 warning (RH
+                 only)
+
+Notes about the c9e5618 -> b9ffeab rebase:
+- Guid/VariableFormat.h now lives under MdeModulePkg.
+
+Notes about the 9ece15a -> c9e5618 rebase:
+- resolved conflicts in:
+    OvmfPkg/OvmfPkgIa32.dsc
+    OvmfPkg/OvmfPkgIa32X64.dsc
+    OvmfPkg/OvmfPkgX64.dsc
+  due to OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf having
+  disappeared in upstream (commit 57446bb9).
+
+Message-id: <1415138578-27173-16-git-send-email-lersek@redhat.com>
+Patchwork-id: 62121
+O-Subject:  [RHEL-7.1 ovmf PATCH v2 15/18] OvmfPkg: EnrollDefaultKeys:
+	application for enrolling default keys (RH only)
+Bugzilla: 1148296
+1160400
+Acked-by: Andrew Jones <drjones@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+
+This application is meant to be invoked by the management layer, after
+booting the UEFI shell and getting a shell prompt on the serial console.
+The app enrolls a number of certificates (see below), and then reports
+status to the serial console as well. The expected output is "info:
+success":
+
+> Shell> EnrollDefaultKeys.efi
+> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
+> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0
+> info: success
+> Shell>
+
+In case of success, the management layer can force off or reboot the VM
+(for example with the "reset -s" or "reset -c" UEFI shell commands,
+respectively), and start the guest installation with SecureBoot enabled.
+
+PK:
+- A unique, static, ad-hoc certificate whose private half has been
+  destroyed (more precisely, never saved) and is therefore unusable for
+  signing. (The command for creating this certificate is saved in the
+  source code.) Background:
+
+On 09/30/14 20:00, Peter Jones wrote:
+> We should generate a special key that's not in our normal signing chains
+> for PK and KEK.  The reason for this is that [in practice] PK gets
+> treated as part of DB (*).
+>
+> [Shipping a key in our normal signing chains] as PK means you can run
+> grub directly, in which case it won't have access to the shim protocol.
+> When grub is run without the shim protocol registered, it assumes SB is
+> disabled and boots without verifying the kernel.  We don't want that to
+> be a thing you can do, but allowing that is the inevitable result of
+> shipping with any of our normal signing chain in PK or KEK.
+>
+> (* USRT has actually agreed that since you can escalate to this behavior
+> if you have the secret half of a key in KEK or PK anyway, and many
+> vendors had already shipped it this way, that it is fine and I think
+> even *expected* at this point, even though it wasn't formally in the
+> UEFI 2.3.1 Spec that introduced Secure Boot.  I'll try and make sure the
+> language reflects that in an upcoming spec revision.)
+>
+> So let me get SRT to issue a special key to use for PK and KEK.  We can
+> use it just for those operations, and make sure it's protected with the
+> same processes and controls as our other signing keys.
+
+  Until SRT generates such a key for us, this ad-hoc key should be a good
+  placeholder.
+
+KEK:
+- same ad-hoc certificate as used for the PK,
+- "Microsoft Corporation KEK CA 2011" -- the dbx data in Fedora's dbxtool
+  package is signed (indirectly, through a chain) with this; enrolling
+  such a KEK should allow guests to install those updates.
+
+DB:
+- "Microsoft Windows Production PCA 2011" -- to load Windows 8 and Windows
+  Server 2012 R2,
+- "Microsoft Corporation UEFI CA 2011" -- to load Linux and signed PCI
+  oproms.
+
+*UPDATE*
+
+OvmfPkg: EnrollDefaultKeys: pick up official Red Hat PK/KEK (RHEL only)
+
+Replace the placeholder ExampleCert with a certificate generated and
+managed by the Red Hat Security Response Team.
+
+> Certificate:
+>     Data:
+>         Version: 3 (0x2)
+>         Serial Number: 18371740789028339953 (0xfef588e8f396c0f1)
+>     Signature Algorithm: sha256WithRSAEncryption
+>         Issuer: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
+>         Validity
+>             Not Before: Oct 31 11:15:37 2014 GMT
+>             Not After : Oct 25 11:15:37 2037 GMT
+>         Subject: CN=Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com
+>         Subject Public Key Info:
+>             Public Key Algorithm: rsaEncryption
+>                 Public-Key: (2048 bit)
+>                 Modulus:
+>                     00:90:1f:84:7b:8d:bc:eb:97:26:82:6d:88:ab:8a:
+>                     c9:8c:68:70:f9:df:4b:07:b2:37:83:0b:02:c8:67:
+>                     68:30:9e:e3:f0:f0:99:4a:b8:59:57:c6:41:f6:38:
+>                     8b:fe:66:4c:49:e9:37:37:92:2e:98:01:1e:5b:14:
+>                     50:e6:a8:8d:25:0d:f5:86:e6:ab:30:cb:40:16:ea:
+>                     8d:8b:16:86:70:43:37:f2:ce:c0:91:df:71:14:8e:
+>                     99:0e:89:b6:4c:6d:24:1e:8c:e4:2f:4f:25:d0:ba:
+>                     06:f8:c6:e8:19:18:76:73:1d:81:6d:a8:d8:05:cf:
+>                     3a:c8:7b:28:c8:36:a3:16:0d:29:8c:99:9a:68:dc:
+>                     ab:c0:4d:8d:bf:5a:bb:2b:a9:39:4b:04:97:1c:f9:
+>                     36:bb:c5:3a:86:04:ae:af:d4:82:7b:e0:ab:de:49:
+>                     05:68:fc:f6:ae:68:1a:6c:90:4d:57:19:3c:64:66:
+>                     03:f6:c7:52:9b:f7:94:cf:93:6a:a1:68:c9:aa:cf:
+>                     99:6b:bc:aa:5e:08:e7:39:1c:f7:f8:0f:ba:06:7e:
+>                     f1:cb:e8:76:dd:fe:22:da:ad:3a:5e:5b:34:ea:b3:
+>                     c9:e0:4d:04:29:7e:b8:60:b9:05:ef:b5:d9:17:58:
+>                     56:16:60:b9:30:32:f0:36:4a:c3:f2:79:8d:12:40:
+>                     70:f3
+>                 Exponent: 65537 (0x10001)
+>         X509v3 extensions:
+>             X509v3 Basic Constraints:
+>                 CA:FALSE
+>             Netscape Comment:
+>                 OpenSSL Generated Certificate
+>             X509v3 Subject Key Identifier:
+>                 3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
+>             X509v3 Authority Key Identifier:
+>                 keyid:3C:E9:60:E3:FF:19:A1:0A:7B:A3:42:F4:8D:42:2E:B4:D5:9C:72:EC
+>
+>     Signature Algorithm: sha256WithRSAEncryption
+>          5c:4d:92:88:b4:82:5f:1d:ad:8b:11:ec:df:06:a6:7a:a5:2b:
+>          9f:37:55:0c:8d:6e:05:00:ad:b7:0c:41:89:69:cf:d6:65:06:
+>          9b:51:78:d2:ad:c7:bf:9c:dc:05:73:7f:e7:1e:39:13:b4:ea:
+>          b6:30:7d:40:75:ab:9c:43:0b:df:b0:c2:1b:bf:30:e0:f4:fe:
+>          c0:db:62:21:98:f6:c5:af:de:3b:4f:49:0a:e6:1e:f9:86:b0:
+>          3f:0d:d6:d4:46:37:db:54:74:5e:ff:11:c2:60:c6:70:58:c5:
+>          1c:6f:ec:b2:d8:6e:6f:c3:bc:33:87:38:a4:f3:44:64:9c:34:
+>          3b:28:94:26:78:27:9f:16:17:e8:3b:69:0a:25:a9:73:36:7e:
+>          9e:37:5c:ec:e8:3f:db:91:f9:12:b3:3d:ce:e7:dd:15:c3:ae:
+>          8c:05:20:61:9b:95:de:9b:af:fa:b1:5c:1c:e5:97:e7:c3:34:
+>          11:85:f5:8a:27:26:a4:70:36:ec:0c:f6:83:3d:90:f7:36:f3:
+>          f9:f3:15:d4:90:62:be:53:b4:af:d3:49:af:ef:f4:73:e8:7b:
+>          76:e4:44:2a:37:ba:81:a4:99:0c:3a:31:24:71:a0:e4:e4:b7:
+>          1a:cb:47:e4:aa:22:cf:ef:75:61:80:e3:43:b7:48:57:73:11:
+>          3d:78:9b:69
+> -----BEGIN CERTIFICATE-----
+> MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV
+> BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG
+> 9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx
+> MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L
+> RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB
+> IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw
+> +d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31
+> huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B
+> bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr
+> 3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x
+> y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID
+> AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
+> YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww
+> HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD
+> ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c
+> 3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N
+> 1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol
+> qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw
+> NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL
+> R+SqIs/vdWGA40O3SFdzET14m2k=
+> -----END CERTIFICATE-----
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit c0b2615a9c0b4a4be1bffe45681a32915449279d)
+(cherry picked from commit 92424de98ffaf1fa81e6346949b1d2b5f9a637ca)
+(cherry picked from commit 98c91b36997e3afc4192449263182fbdcc771a1a)
+---
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 1015 +++++++++++++++++++++++
+ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |   52 ++
+ OvmfPkg/OvmfPkgIa32.dsc                         |    4 +
+ OvmfPkg/OvmfPkgIa32X64.dsc                      |    4 +
+ OvmfPkg/OvmfPkgX64.dsc                          |    4 +
+ 5 files changed, 1079 insertions(+)
+ create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+ create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+
+diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+new file mode 100644
+index 0000000..dd413df
+--- /dev/null
++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+@@ -0,0 +1,1015 @@
++/** @file
++  Enroll default PK, KEK, DB.
++
++  Copyright (C) 2014, Red Hat, Inc.
++
++  This program and the accompanying materials are licensed and made available
++  under the terms and conditions of the BSD License which accompanies this
++  distribution. The full text of the license may be found at
++  http://opensource.org/licenses/bsd-license.
++
++  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
++  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
++**/
++#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
++#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
++#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
++#include <Library/BaseMemoryLib.h>               // CopyGuid()
++#include <Library/DebugLib.h>                    // ASSERT()
++#include <Library/MemoryAllocationLib.h>         // FreePool()
++#include <Library/ShellCEntryLib.h>              // ShellAppMain()
++#include <Library/UefiLib.h>                     // AsciiPrint()
++#include <Library/UefiRuntimeServicesTableLib.h> // gRT
++
++//
++// We'll use the certificate below as both Platform Key and as first Key
++// Exchange Key.
++//
++// "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
++// SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
++//
++STATIC CONST UINT8 RedHatPkKek1[] = {
++  0x30, 0x82, 0x03, 0xa0, 0x30, 0x82, 0x02, 0x88, 0xa0, 0x03, 0x02, 0x01, 0x02,
++  0x02, 0x09, 0x00, 0xfe, 0xf5, 0x88, 0xe8, 0xf3, 0x96, 0xc0, 0xf1, 0x30, 0x0d,
++  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
++  0x30, 0x51, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22,
++  0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
++  0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45,
++  0x4b, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06,
++  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73,
++  0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61,
++  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30,
++  0x33, 0x31, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x37,
++  0x31, 0x30, 0x32, 0x35, 0x31, 0x31, 0x31, 0x35, 0x33, 0x37, 0x5a, 0x30, 0x51,
++  0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x52, 0x65,
++  0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20,
++  0x42, 0x6f, 0x6f, 0x74, 0x20, 0x28, 0x50, 0x4b, 0x2f, 0x4b, 0x45, 0x4b, 0x20,
++  0x6b, 0x65, 0x79, 0x20, 0x31, 0x29, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a,
++  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,
++  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, 0x2e,
++  0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
++  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f,
++  0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0x90, 0x1f, 0x84,
++  0x7b, 0x8d, 0xbc, 0xeb, 0x97, 0x26, 0x82, 0x6d, 0x88, 0xab, 0x8a, 0xc9, 0x8c,
++  0x68, 0x70, 0xf9, 0xdf, 0x4b, 0x07, 0xb2, 0x37, 0x83, 0x0b, 0x02, 0xc8, 0x67,
++  0x68, 0x30, 0x9e, 0xe3, 0xf0, 0xf0, 0x99, 0x4a, 0xb8, 0x59, 0x57, 0xc6, 0x41,
++  0xf6, 0x38, 0x8b, 0xfe, 0x66, 0x4c, 0x49, 0xe9, 0x37, 0x37, 0x92, 0x2e, 0x98,
++  0x01, 0x1e, 0x5b, 0x14, 0x50, 0xe6, 0xa8, 0x8d, 0x25, 0x0d, 0xf5, 0x86, 0xe6,
++  0xab, 0x30, 0xcb, 0x40, 0x16, 0xea, 0x8d, 0x8b, 0x16, 0x86, 0x70, 0x43, 0x37,
++  0xf2, 0xce, 0xc0, 0x91, 0xdf, 0x71, 0x14, 0x8e, 0x99, 0x0e, 0x89, 0xb6, 0x4c,
++  0x6d, 0x24, 0x1e, 0x8c, 0xe4, 0x2f, 0x4f, 0x25, 0xd0, 0xba, 0x06, 0xf8, 0xc6,
++  0xe8, 0x19, 0x18, 0x76, 0x73, 0x1d, 0x81, 0x6d, 0xa8, 0xd8, 0x05, 0xcf, 0x3a,
++  0xc8, 0x7b, 0x28, 0xc8, 0x36, 0xa3, 0x16, 0x0d, 0x29, 0x8c, 0x99, 0x9a, 0x68,
++  0xdc, 0xab, 0xc0, 0x4d, 0x8d, 0xbf, 0x5a, 0xbb, 0x2b, 0xa9, 0x39, 0x4b, 0x04,
++  0x97, 0x1c, 0xf9, 0x36, 0xbb, 0xc5, 0x3a, 0x86, 0x04, 0xae, 0xaf, 0xd4, 0x82,
++  0x7b, 0xe0, 0xab, 0xde, 0x49, 0x05, 0x68, 0xfc, 0xf6, 0xae, 0x68, 0x1a, 0x6c,
++  0x90, 0x4d, 0x57, 0x19, 0x3c, 0x64, 0x66, 0x03, 0xf6, 0xc7, 0x52, 0x9b, 0xf7,
++  0x94, 0xcf, 0x93, 0x6a, 0xa1, 0x68, 0xc9, 0xaa, 0xcf, 0x99, 0x6b, 0xbc, 0xaa,
++  0x5e, 0x08, 0xe7, 0x39, 0x1c, 0xf7, 0xf8, 0x0f, 0xba, 0x06, 0x7e, 0xf1, 0xcb,
++  0xe8, 0x76, 0xdd, 0xfe, 0x22, 0xda, 0xad, 0x3a, 0x5e, 0x5b, 0x34, 0xea, 0xb3,
++  0xc9, 0xe0, 0x4d, 0x04, 0x29, 0x7e, 0xb8, 0x60, 0xb9, 0x05, 0xef, 0xb5, 0xd9,
++  0x17, 0x58, 0x56, 0x16, 0x60, 0xb9, 0x30, 0x32, 0xf0, 0x36, 0x4a, 0xc3, 0xf2,
++  0x79, 0x8d, 0x12, 0x40, 0x70, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x7b,
++  0x30, 0x79, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00,
++  0x30, 0x2c, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x0d,
++  0x04, 0x1f, 0x16, 0x1d, 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, 0x4c, 0x20, 0x47,
++  0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
++  0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d,
++  0x0e, 0x04, 0x16, 0x04, 0x14, 0x3c, 0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a,
++  0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42, 0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30,
++  0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x3c,
++  0xe9, 0x60, 0xe3, 0xff, 0x19, 0xa1, 0x0a, 0x7b, 0xa3, 0x42, 0xf4, 0x8d, 0x42,
++  0x2e, 0xb4, 0xd5, 0x9c, 0x72, 0xec, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
++  0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
++  0x5c, 0x4d, 0x92, 0x88, 0xb4, 0x82, 0x5f, 0x1d, 0xad, 0x8b, 0x11, 0xec, 0xdf,
++  0x06, 0xa6, 0x7a, 0xa5, 0x2b, 0x9f, 0x37, 0x55, 0x0c, 0x8d, 0x6e, 0x05, 0x00,
++  0xad, 0xb7, 0x0c, 0x41, 0x89, 0x69, 0xcf, 0xd6, 0x65, 0x06, 0x9b, 0x51, 0x78,
++  0xd2, 0xad, 0xc7, 0xbf, 0x9c, 0xdc, 0x05, 0x73, 0x7f, 0xe7, 0x1e, 0x39, 0x13,
++  0xb4, 0xea, 0xb6, 0x30, 0x7d, 0x40, 0x75, 0xab, 0x9c, 0x43, 0x0b, 0xdf, 0xb0,
++  0xc2, 0x1b, 0xbf, 0x30, 0xe0, 0xf4, 0xfe, 0xc0, 0xdb, 0x62, 0x21, 0x98, 0xf6,
++  0xc5, 0xaf, 0xde, 0x3b, 0x4f, 0x49, 0x0a, 0xe6, 0x1e, 0xf9, 0x86, 0xb0, 0x3f,
++  0x0d, 0xd6, 0xd4, 0x46, 0x37, 0xdb, 0x54, 0x74, 0x5e, 0xff, 0x11, 0xc2, 0x60,
++  0xc6, 0x70, 0x58, 0xc5, 0x1c, 0x6f, 0xec, 0xb2, 0xd8, 0x6e, 0x6f, 0xc3, 0xbc,
++  0x33, 0x87, 0x38, 0xa4, 0xf3, 0x44, 0x64, 0x9c, 0x34, 0x3b, 0x28, 0x94, 0x26,
++  0x78, 0x27, 0x9f, 0x16, 0x17, 0xe8, 0x3b, 0x69, 0x0a, 0x25, 0xa9, 0x73, 0x36,
++  0x7e, 0x9e, 0x37, 0x5c, 0xec, 0xe8, 0x3f, 0xdb, 0x91, 0xf9, 0x12, 0xb3, 0x3d,
++  0xce, 0xe7, 0xdd, 0x15, 0xc3, 0xae, 0x8c, 0x05, 0x20, 0x61, 0x9b, 0x95, 0xde,
++  0x9b, 0xaf, 0xfa, 0xb1, 0x5c, 0x1c, 0xe5, 0x97, 0xe7, 0xc3, 0x34, 0x11, 0x85,
++  0xf5, 0x8a, 0x27, 0x26, 0xa4, 0x70, 0x36, 0xec, 0x0c, 0xf6, 0x83, 0x3d, 0x90,
++  0xf7, 0x36, 0xf3, 0xf9, 0xf3, 0x15, 0xd4, 0x90, 0x62, 0xbe, 0x53, 0xb4, 0xaf,
++  0xd3, 0x49, 0xaf, 0xef, 0xf4, 0x73, 0xe8, 0x7b, 0x76, 0xe4, 0x44, 0x2a, 0x37,
++  0xba, 0x81, 0xa4, 0x99, 0x0c, 0x3a, 0x31, 0x24, 0x71, 0xa0, 0xe4, 0xe4, 0xb7,
++  0x1a, 0xcb, 0x47, 0xe4, 0xaa, 0x22, 0xcf, 0xef, 0x75, 0x61, 0x80, 0xe3, 0x43,
++  0xb7, 0x48, 0x57, 0x73, 0x11, 0x3d, 0x78, 0x9b, 0x69
++};
++
++//
++// Second KEK: "Microsoft Corporation KEK CA 2011".
++// SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
++//
++// "dbx" updates in "dbxtool" are signed with a key derived from this KEK.
++//
++STATIC CONST UINT8 MicrosoftKEK[] = {
++  0x30, 0x82, 0x05, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01, 0x02,
++  0x02, 0x0a, 0x61, 0x0a, 0xd1, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
++  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
++  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
++  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
++  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
++  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
++  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
++  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
++  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
++  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
++  0x36, 0x32, 0x34, 0x32, 0x30, 0x34, 0x31, 0x32, 0x39, 0x5a, 0x17, 0x0d, 0x32,
++  0x36, 0x30, 0x36, 0x32, 0x34, 0x32, 0x30, 0x35, 0x31, 0x32, 0x39, 0x5a, 0x30,
++  0x81, 0x80, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
++  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
++  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
++  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
++  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
++  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
++  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2a, 0x30, 0x28, 0x06,
++  0x03, 0x55, 0x04, 0x03, 0x13, 0x21, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
++  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
++  0x6e, 0x20, 0x4b, 0x45, 0x4b, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31,
++  0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
++  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
++  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc4, 0xe8, 0xb5, 0x8a, 0xbf, 0xad,
++  0x57, 0x26, 0xb0, 0x26, 0xc3, 0xea, 0xe7, 0xfb, 0x57, 0x7a, 0x44, 0x02, 0x5d,
++  0x07, 0x0d, 0xda, 0x4a, 0xe5, 0x74, 0x2a, 0xe6, 0xb0, 0x0f, 0xec, 0x6d, 0xeb,
++  0xec, 0x7f, 0xb9, 0xe3, 0x5a, 0x63, 0x32, 0x7c, 0x11, 0x17, 0x4f, 0x0e, 0xe3,
++  0x0b, 0xa7, 0x38, 0x15, 0x93, 0x8e, 0xc6, 0xf5, 0xe0, 0x84, 0xb1, 0x9a, 0x9b,
++  0x2c, 0xe7, 0xf5, 0xb7, 0x91, 0xd6, 0x09, 0xe1, 0xe2, 0xc0, 0x04, 0xa8, 0xac,
++  0x30, 0x1c, 0xdf, 0x48, 0xf3, 0x06, 0x50, 0x9a, 0x64, 0xa7, 0x51, 0x7f, 0xc8,
++  0x85, 0x4f, 0x8f, 0x20, 0x86, 0xce, 0xfe, 0x2f, 0xe1, 0x9f, 0xff, 0x82, 0xc0,
++  0xed, 0xe9, 0xcd, 0xce, 0xf4, 0x53, 0x6a, 0x62, 0x3a, 0x0b, 0x43, 0xb9, 0xe2,
++  0x25, 0xfd, 0xfe, 0x05, 0xf9, 0xd4, 0xc4, 0x14, 0xab, 0x11, 0xe2, 0x23, 0x89,
++  0x8d, 0x70, 0xb7, 0xa4, 0x1d, 0x4d, 0xec, 0xae, 0xe5, 0x9c, 0xfa, 0x16, 0xc2,
++  0xd7, 0xc1, 0xcb, 0xd4, 0xe8, 0xc4, 0x2f, 0xe5, 0x99, 0xee, 0x24, 0x8b, 0x03,
++  0xec, 0x8d, 0xf2, 0x8b, 0xea, 0xc3, 0x4a, 0xfb, 0x43, 0x11, 0x12, 0x0b, 0x7e,
++  0xb5, 0x47, 0x92, 0x6c, 0xdc, 0xe6, 0x04, 0x89, 0xeb, 0xf5, 0x33, 0x04, 0xeb,
++  0x10, 0x01, 0x2a, 0x71, 0xe5, 0xf9, 0x83, 0x13, 0x3c, 0xff, 0x25, 0x09, 0x2f,
++  0x68, 0x76, 0x46, 0xff, 0xba, 0x4f, 0xbe, 0xdc, 0xad, 0x71, 0x2a, 0x58, 0xaa,
++  0xfb, 0x0e, 0xd2, 0x79, 0x3d, 0xe4, 0x9b, 0x65, 0x3b, 0xcc, 0x29, 0x2a, 0x9f,
++  0xfc, 0x72, 0x59, 0xa2, 0xeb, 0xae, 0x92, 0xef, 0xf6, 0x35, 0x13, 0x80, 0xc6,
++  0x02, 0xec, 0xe4, 0x5f, 0xcc, 0x9d, 0x76, 0xcd, 0xef, 0x63, 0x92, 0xc1, 0xaf,
++  0x79, 0x40, 0x84, 0x79, 0x87, 0x7f, 0xe3, 0x52, 0xa8, 0xe8, 0x9d, 0x7b, 0x07,
++  0x69, 0x8f, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x4f, 0x30,
++  0x82, 0x01, 0x4b, 0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
++  0x37, 0x15, 0x01, 0x04, 0x03, 0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
++  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x62, 0xfc, 0x43, 0xcd, 0xa0, 0x3e, 0xa4,
++  0xcb, 0x67, 0x12, 0xd2, 0x5b, 0xd9, 0x55, 0xac, 0x7b, 0xcc, 0xb6, 0x8a, 0x5f,
++  0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02,
++  0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00,
++  0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01,
++  0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05,
++  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
++  0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58, 0x11,
++  0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8, 0x30,
++  0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51, 0xa0,
++  0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63,
++  0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e,
++  0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70,
++  0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f,
++  0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f,
++  0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63,
++  0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01,
++  0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
++  0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
++  0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72, 0x74,
++  0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61,
++  0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d,
++  0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09,
++  0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
++  0x02, 0x01, 0x00, 0xd4, 0x84, 0x88, 0xf5, 0x14, 0x94, 0x18, 0x02, 0xca, 0x2a,
++  0x3c, 0xfb, 0x2a, 0x92, 0x1c, 0x0c, 0xd7, 0xa0, 0xd1, 0xf1, 0xe8, 0x52, 0x66,
++  0xa8, 0xee, 0xa2, 0xb5, 0x75, 0x7a, 0x90, 0x00, 0xaa, 0x2d, 0xa4, 0x76, 0x5a,
++  0xea, 0x79, 0xb7, 0xb9, 0x37, 0x6a, 0x51, 0x7b, 0x10, 0x64, 0xf6, 0xe1, 0x64,
++  0xf2, 0x02, 0x67, 0xbe, 0xf7, 0xa8, 0x1b, 0x78, 0xbd, 0xba, 0xce, 0x88, 0x58,
++  0x64, 0x0c, 0xd6, 0x57, 0xc8, 0x19, 0xa3, 0x5f, 0x05, 0xd6, 0xdb, 0xc6, 0xd0,
++  0x69, 0xce, 0x48, 0x4b, 0x32, 0xb7, 0xeb, 0x5d, 0xd2, 0x30, 0xf5, 0xc0, 0xf5,
++  0xb8, 0xba, 0x78, 0x07, 0xa3, 0x2b, 0xfe, 0x9b, 0xdb, 0x34, 0x56, 0x84, 0xec,
++  0x82, 0xca, 0xae, 0x41, 0x25, 0x70, 0x9c, 0x6b, 0xe9, 0xfe, 0x90, 0x0f, 0xd7,
++  0x96, 0x1f, 0xe5, 0xe7, 0x94, 0x1f, 0xb2, 0x2a, 0x0c, 0x8d, 0x4b, 0xff, 0x28,
++  0x29, 0x10, 0x7b, 0xf7, 0xd7, 0x7c, 0xa5, 0xd1, 0x76, 0xb9, 0x05, 0xc8, 0x79,
++  0xed, 0x0f, 0x90, 0x92, 0x9c, 0xc2, 0xfe, 0xdf, 0x6f, 0x7e, 0x6c, 0x0f, 0x7b,
++  0xd4, 0xc1, 0x45, 0xdd, 0x34, 0x51, 0x96, 0x39, 0x0f, 0xe5, 0x5e, 0x56, 0xd8,
++  0x18, 0x05, 0x96, 0xf4, 0x07, 0xa6, 0x42, 0xb3, 0xa0, 0x77, 0xfd, 0x08, 0x19,
++  0xf2, 0x71, 0x56, 0xcc, 0x9f, 0x86, 0x23, 0xa4, 0x87, 0xcb, 0xa6, 0xfd, 0x58,
++  0x7e, 0xd4, 0x69, 0x67, 0x15, 0x91, 0x7e, 0x81, 0xf2, 0x7f, 0x13, 0xe5, 0x0d,
++  0x8b, 0x8a, 0x3c, 0x87, 0x84, 0xeb, 0xe3, 0xce, 0xbd, 0x43, 0xe5, 0xad, 0x2d,
++  0x84, 0x93, 0x8e, 0x6a, 0x2b, 0x5a, 0x7c, 0x44, 0xfa, 0x52, 0xaa, 0x81, 0xc8,
++  0x2d, 0x1c, 0xbb, 0xe0, 0x52, 0xdf, 0x00, 0x11, 0xf8, 0x9a, 0x3d, 0xc1, 0x60,
++  0xb0, 0xe1, 0x33, 0xb5, 0xa3, 0x88, 0xd1, 0x65, 0x19, 0x0a, 0x1a, 0xe7, 0xac,
++  0x7c, 0xa4, 0xc1, 0x82, 0x87, 0x4e, 0x38, 0xb1, 0x2f, 0x0d, 0xc5, 0x14, 0x87,
++  0x6f, 0xfd, 0x8d, 0x2e, 0xbc, 0x39, 0xb6, 0xe7, 0xe6, 0xc3, 0xe0, 0xe4, 0xcd,
++  0x27, 0x84, 0xef, 0x94, 0x42, 0xef, 0x29, 0x8b, 0x90, 0x46, 0x41, 0x3b, 0x81,
++  0x1b, 0x67, 0xd8, 0xf9, 0x43, 0x59, 0x65, 0xcb, 0x0d, 0xbc, 0xfd, 0x00, 0x92,
++  0x4f, 0xf4, 0x75, 0x3b, 0xa7, 0xa9, 0x24, 0xfc, 0x50, 0x41, 0x40, 0x79, 0xe0,
++  0x2d, 0x4f, 0x0a, 0x6a, 0x27, 0x76, 0x6e, 0x52, 0xed, 0x96, 0x69, 0x7b, 0xaf,
++  0x0f, 0xf7, 0x87, 0x05, 0xd0, 0x45, 0xc2, 0xad, 0x53, 0x14, 0x81, 0x1f, 0xfb,
++  0x30, 0x04, 0xaa, 0x37, 0x36, 0x61, 0xda, 0x4a, 0x69, 0x1b, 0x34, 0xd8, 0x68,
++  0xed, 0xd6, 0x02, 0xcf, 0x6c, 0x94, 0x0c, 0xd3, 0xcf, 0x6c, 0x22, 0x79, 0xad,
++  0xb1, 0xf0, 0xbc, 0x03, 0xa2, 0x46, 0x60, 0xa9, 0xc4, 0x07, 0xc2, 0x21, 0x82,
++  0xf1, 0xfd, 0xf2, 0xe8, 0x79, 0x32, 0x60, 0xbf, 0xd8, 0xac, 0xa5, 0x22, 0x14,
++  0x4b, 0xca, 0xc1, 0xd8, 0x4b, 0xeb, 0x7d, 0x3f, 0x57, 0x35, 0xb2, 0xe6, 0x4f,
++  0x75, 0xb4, 0xb0, 0x60, 0x03, 0x22, 0x53, 0xae, 0x91, 0x79, 0x1d, 0xd6, 0x9b,
++  0x41, 0x1f, 0x15, 0x86, 0x54, 0x70, 0xb2, 0xde, 0x0d, 0x35, 0x0f, 0x7c, 0xb0,
++  0x34, 0x72, 0xba, 0x97, 0x60, 0x3b, 0xf0, 0x79, 0xeb, 0xa2, 0xb2, 0x1c, 0x5d,
++  0xa2, 0x16, 0xb8, 0x87, 0xc5, 0xe9, 0x1b, 0xf6, 0xb5, 0x97, 0x25, 0x6f, 0x38,
++  0x9f, 0xe3, 0x91, 0xfa, 0x8a, 0x79, 0x98, 0xc3, 0x69, 0x0e, 0xb7, 0xa3, 0x1c,
++  0x20, 0x05, 0x97, 0xf8, 0xca, 0x14, 0xae, 0x00, 0xd7, 0xc4, 0xf3, 0xc0, 0x14,
++  0x10, 0x75, 0x6b, 0x34, 0xa0, 0x1b, 0xb5, 0x99, 0x60, 0xf3, 0x5c, 0xb0, 0xc5,
++  0x57, 0x4e, 0x36, 0xd2, 0x32, 0x84, 0xbf, 0x9e
++};
++
++//
++// First DB entry: "Microsoft Windows Production PCA 2011"
++// SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
++//
++// Windows 8 and Windows Server 2012 R2 boot loaders are signed with a chain
++// rooted in this certificate.
++//
++STATIC CONST UINT8 MicrosoftPCA[] = {
++  0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02,
++  0x02, 0x0a, 0x61, 0x07, 0x76, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x81, 0x88, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
++  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
++  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
++  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
++  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
++  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x32, 0x30,
++  0x30, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72,
++  0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
++  0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x32, 0x30, 0x31, 0x30, 0x30, 0x1e, 0x17,
++  0x0d, 0x31, 0x31, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x34, 0x31, 0x34, 0x32,
++  0x5a, 0x17, 0x0d, 0x32, 0x36, 0x31, 0x30, 0x31, 0x39, 0x31, 0x38, 0x35, 0x31,
++  0x34, 0x32, 0x5a, 0x30, 0x81, 0x84, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
++  0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
++  0x04, 0x08, 0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f,
++  0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52,
++  0x65, 0x64, 0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55,
++  0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31,
++  0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x25, 0x4d, 0x69, 0x63,
++  0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77,
++  0x73, 0x20, 0x50, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20,
++  0x50, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
++  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,
++  0x01, 0x00, 0xdd, 0x0c, 0xbb, 0xa2, 0xe4, 0x2e, 0x09, 0xe3, 0xe7, 0xc5, 0xf7,
++  0x96, 0x69, 0xbc, 0x00, 0x21, 0xbd, 0x69, 0x33, 0x33, 0xef, 0xad, 0x04, 0xcb,
++  0x54, 0x80, 0xee, 0x06, 0x83, 0xbb, 0xc5, 0x20, 0x84, 0xd9, 0xf7, 0xd2, 0x8b,
++  0xf3, 0x38, 0xb0, 0xab, 0xa4, 0xad, 0x2d, 0x7c, 0x62, 0x79, 0x05, 0xff, 0xe3,
++  0x4a, 0x3f, 0x04, 0x35, 0x20, 0x70, 0xe3, 0xc4, 0xe7, 0x6b, 0xe0, 0x9c, 0xc0,
++  0x36, 0x75, 0xe9, 0x8a, 0x31, 0xdd, 0x8d, 0x70, 0xe5, 0xdc, 0x37, 0xb5, 0x74,
++  0x46, 0x96, 0x28, 0x5b, 0x87, 0x60, 0x23, 0x2c, 0xbf, 0xdc, 0x47, 0xa5, 0x67,
++  0xf7, 0x51, 0x27, 0x9e, 0x72, 0xeb, 0x07, 0xa6, 0xc9, 0xb9, 0x1e, 0x3b, 0x53,
++  0x35, 0x7c, 0xe5, 0xd3, 0xec, 0x27, 0xb9, 0x87, 0x1c, 0xfe, 0xb9, 0xc9, 0x23,
++  0x09, 0x6f, 0xa8, 0x46, 0x91, 0xc1, 0x6e, 0x96, 0x3c, 0x41, 0xd3, 0xcb, 0xa3,
++  0x3f, 0x5d, 0x02, 0x6a, 0x4d, 0xec, 0x69, 0x1f, 0x25, 0x28, 0x5c, 0x36, 0xff,
++  0xfd, 0x43, 0x15, 0x0a, 0x94, 0xe0, 0x19, 0xb4, 0xcf, 0xdf, 0xc2, 0x12, 0xe2,
++  0xc2, 0x5b, 0x27, 0xee, 0x27, 0x78, 0x30, 0x8b, 0x5b, 0x2a, 0x09, 0x6b, 0x22,
++  0x89, 0x53, 0x60, 0x16, 0x2c, 0xc0, 0x68, 0x1d, 0x53, 0xba, 0xec, 0x49, 0xf3,
++  0x9d, 0x61, 0x8c, 0x85, 0x68, 0x09, 0x73, 0x44, 0x5d, 0x7d, 0xa2, 0x54, 0x2b,
++  0xdd, 0x79, 0xf7, 0x15, 0xcf, 0x35, 0x5d, 0x6c, 0x1c, 0x2b, 0x5c, 0xce, 0xbc,
++  0x9c, 0x23, 0x8b, 0x6f, 0x6e, 0xb5, 0x26, 0xd9, 0x36, 0x13, 0xc3, 0x4f, 0xd6,
++  0x27, 0xae, 0xb9, 0x32, 0x3b, 0x41, 0x92, 0x2c, 0xe1, 0xc7, 0xcd, 0x77, 0xe8,
++  0xaa, 0x54, 0x4e, 0xf7, 0x5c, 0x0b, 0x04, 0x87, 0x65, 0xb4, 0x43, 0x18, 0xa8,
++  0xb2, 0xe0, 0x6d, 0x19, 0x77, 0xec, 0x5a, 0x24, 0xfa, 0x48, 0x03, 0x02, 0x03,
++  0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x43, 0x30, 0x82, 0x01, 0x3f, 0x30, 0x10,
++  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, 0x04, 0x03,
++  0x02, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
++  0x14, 0xa9, 0x29, 0x02, 0x39, 0x8e, 0x16, 0xc4, 0x97, 0x78, 0xcd, 0x90, 0xf9,
++  0x9e, 0x4f, 0x9a, 0xe1, 0x7c, 0x55, 0xaf, 0x53, 0x30, 0x19, 0x06, 0x09, 0x2b,
++  0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00,
++  0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43, 0x00, 0x41, 0x30, 0x0b, 0x06, 0x03,
++  0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x86, 0x30, 0x0f, 0x06, 0x03,
++  0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
++  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
++  0xd5, 0xf6, 0x56, 0xcb, 0x8f, 0xe8, 0xa2, 0x5c, 0x62, 0x68, 0xd1, 0x3d, 0x94,
++  0x90, 0x5b, 0xd7, 0xce, 0x9a, 0x18, 0xc4, 0x30, 0x56, 0x06, 0x03, 0x55, 0x1d,
++  0x1f, 0x04, 0x4f, 0x30, 0x4d, 0x30, 0x4b, 0xa0, 0x49, 0xa0, 0x47, 0x86, 0x45,
++  0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69,
++  0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70,
++  0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x64, 0x75, 0x63,
++  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72, 0x41,
++  0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32, 0x33,
++  0x2e, 0x63, 0x72, 0x6c, 0x30, 0x5a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
++  0x07, 0x01, 0x01, 0x04, 0x4e, 0x30, 0x4c, 0x30, 0x4a, 0x06, 0x08, 0x2b, 0x06,
++  0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68, 0x74, 0x74, 0x70, 0x3a,
++  0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
++  0x66, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65,
++  0x72, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x52, 0x6f, 0x6f, 0x43, 0x65, 0x72,
++  0x41, 0x75, 0x74, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x30, 0x36, 0x2d, 0x32,
++  0x33, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
++  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x14,
++  0xfc, 0x7c, 0x71, 0x51, 0xa5, 0x79, 0xc2, 0x6e, 0xb2, 0xef, 0x39, 0x3e, 0xbc,
++  0x3c, 0x52, 0x0f, 0x6e, 0x2b, 0x3f, 0x10, 0x13, 0x73, 0xfe, 0xa8, 0x68, 0xd0,
++  0x48, 0xa6, 0x34, 0x4d, 0x8a, 0x96, 0x05, 0x26, 0xee, 0x31, 0x46, 0x90, 0x61,
++  0x79, 0xd6, 0xff, 0x38, 0x2e, 0x45, 0x6b, 0xf4, 0xc0, 0xe5, 0x28, 0xb8, 0xda,
++  0x1d, 0x8f, 0x8a, 0xdb, 0x09, 0xd7, 0x1a, 0xc7, 0x4c, 0x0a, 0x36, 0x66, 0x6a,
++  0x8c, 0xec, 0x1b, 0xd7, 0x04, 0x90, 0xa8, 0x18, 0x17, 0xa4, 0x9b, 0xb9, 0xe2,
++  0x40, 0x32, 0x36, 0x76, 0xc4, 0xc1, 0x5a, 0xc6, 0xbf, 0xe4, 0x04, 0xc0, 0xea,
++  0x16, 0xd3, 0xac, 0xc3, 0x68, 0xef, 0x62, 0xac, 0xdd, 0x54, 0x6c, 0x50, 0x30,
++  0x58, 0xa6, 0xeb, 0x7c, 0xfe, 0x94, 0xa7, 0x4e, 0x8e, 0xf4, 0xec, 0x7c, 0x86,
++  0x73, 0x57, 0xc2, 0x52, 0x21, 0x73, 0x34, 0x5a, 0xf3, 0xa3, 0x8a, 0x56, 0xc8,
++  0x04, 0xda, 0x07, 0x09, 0xed, 0xf8, 0x8b, 0xe3, 0xce, 0xf4, 0x7e, 0x8e, 0xae,
++  0xf0, 0xf6, 0x0b, 0x8a, 0x08, 0xfb, 0x3f, 0xc9, 0x1d, 0x72, 0x7f, 0x53, 0xb8,
++  0xeb, 0xbe, 0x63, 0xe0, 0xe3, 0x3d, 0x31, 0x65, 0xb0, 0x81, 0xe5, 0xf2, 0xac,
++  0xcd, 0x16, 0xa4, 0x9f, 0x3d, 0xa8, 0xb1, 0x9b, 0xc2, 0x42, 0xd0, 0x90, 0x84,
++  0x5f, 0x54, 0x1d, 0xff, 0x89, 0xea, 0xba, 0x1d, 0x47, 0x90, 0x6f, 0xb0, 0x73,
++  0x4e, 0x41, 0x9f, 0x40, 0x9f, 0x5f, 0xe5, 0xa1, 0x2a, 0xb2, 0x11, 0x91, 0x73,
++  0x8a, 0x21, 0x28, 0xf0, 0xce, 0xde, 0x73, 0x39, 0x5f, 0x3e, 0xab, 0x5c, 0x60,
++  0xec, 0xdf, 0x03, 0x10, 0xa8, 0xd3, 0x09, 0xe9, 0xf4, 0xf6, 0x96, 0x85, 0xb6,
++  0x7f, 0x51, 0x88, 0x66, 0x47, 0x19, 0x8d, 0xa2, 0xb0, 0x12, 0x3d, 0x81, 0x2a,
++  0x68, 0x05, 0x77, 0xbb, 0x91, 0x4c, 0x62, 0x7b, 0xb6, 0xc1, 0x07, 0xc7, 0xba,
++  0x7a, 0x87, 0x34, 0x03, 0x0e, 0x4b, 0x62, 0x7a, 0x99, 0xe9, 0xca, 0xfc, 0xce,
++  0x4a, 0x37, 0xc9, 0x2d, 0xa4, 0x57, 0x7c, 0x1c, 0xfe, 0x3d, 0xdc, 0xb8, 0x0f,
++  0x5a, 0xfa, 0xd6, 0xc4, 0xb3, 0x02, 0x85, 0x02, 0x3a, 0xea, 0xb3, 0xd9, 0x6e,
++  0xe4, 0x69, 0x21, 0x37, 0xde, 0x81, 0xd1, 0xf6, 0x75, 0x19, 0x05, 0x67, 0xd3,
++  0x93, 0x57, 0x5e, 0x29, 0x1b, 0x39, 0xc8, 0xee, 0x2d, 0xe1, 0xcd, 0xe4, 0x45,
++  0x73, 0x5b, 0xd0, 0xd2, 0xce, 0x7a, 0xab, 0x16, 0x19, 0x82, 0x46, 0x58, 0xd0,
++  0x5e, 0x9d, 0x81, 0xb3, 0x67, 0xaf, 0x6c, 0x35, 0xf2, 0xbc, 0xe5, 0x3f, 0x24,
++  0xe2, 0x35, 0xa2, 0x0a, 0x75, 0x06, 0xf6, 0x18, 0x56, 0x99, 0xd4, 0x78, 0x2c,
++  0xd1, 0x05, 0x1b, 0xeb, 0xd0, 0x88, 0x01, 0x9d, 0xaa, 0x10, 0xf1, 0x05, 0xdf,
++  0xba, 0x7e, 0x2c, 0x63, 0xb7, 0x06, 0x9b, 0x23, 0x21, 0xc4, 0xf9, 0x78, 0x6c,
++  0xe2, 0x58, 0x17, 0x06, 0x36, 0x2b, 0x91, 0x12, 0x03, 0xcc, 0xa4, 0xd9, 0xf2,
++  0x2d, 0xba, 0xf9, 0x94, 0x9d, 0x40, 0xed, 0x18, 0x45, 0xf1, 0xce, 0x8a, 0x5c,
++  0x6b, 0x3e, 0xab, 0x03, 0xd3, 0x70, 0x18, 0x2a, 0x0a, 0x6a, 0xe0, 0x5f, 0x47,
++  0xd1, 0xd5, 0x63, 0x0a, 0x32, 0xf2, 0xaf, 0xd7, 0x36, 0x1f, 0x2a, 0x70, 0x5a,
++  0xe5, 0x42, 0x59, 0x08, 0x71, 0x4b, 0x57, 0xba, 0x7e, 0x83, 0x81, 0xf0, 0x21,
++  0x3c, 0xf4, 0x1c, 0xc1, 0xc5, 0xb9, 0x90, 0x93, 0x0e, 0x88, 0x45, 0x93, 0x86,
++  0xe9, 0xb1, 0x20, 0x99, 0xbe, 0x98, 0xcb, 0xc5, 0x95, 0xa4, 0x5d, 0x62, 0xd6,
++  0xa0, 0x63, 0x08, 0x20, 0xbd, 0x75, 0x10, 0x77, 0x7d, 0x3d, 0xf3, 0x45, 0xb9,
++  0x9f, 0x97, 0x9f, 0xcb, 0x57, 0x80, 0x6f, 0x33, 0xa9, 0x04, 0xcf, 0x77, 0xa4,
++  0x62, 0x1c, 0x59, 0x7e
++};
++
++//
++// Second DB entry: "Microsoft Corporation UEFI CA 2011"
++// SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
++//
++// To verify the "shim" binary and PCI expansion ROMs with.
++//
++STATIC CONST UINT8 MicrosoftUefiCA[] = {
++  0x30, 0x82, 0x06, 0x10, 0x30, 0x82, 0x03, 0xf8, 0xa0, 0x03, 0x02, 0x01, 0x02,
++  0x02, 0x0a, 0x61, 0x08, 0xd3, 0xc4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30,
++  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
++  0x00, 0x30, 0x81, 0x91, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
++  0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
++  0x13, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31,
++  0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64,
++  0x6d, 0x6f, 0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a,
++  0x13, 0x15, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43,
++  0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x3b, 0x30,
++  0x39, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x32, 0x4d, 0x69, 0x63, 0x72, 0x6f,
++  0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74,
++  0x69, 0x6f, 0x6e, 0x20, 0x54, 0x68, 0x69, 0x72, 0x64, 0x20, 0x50, 0x61, 0x72,
++  0x74, 0x79, 0x20, 0x4d, 0x61, 0x72, 0x6b, 0x65, 0x74, 0x70, 0x6c, 0x61, 0x63,
++  0x65, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30,
++  0x36, 0x32, 0x37, 0x32, 0x31, 0x32, 0x32, 0x34, 0x35, 0x5a, 0x17, 0x0d, 0x32,
++  0x36, 0x30, 0x36, 0x32, 0x37, 0x32, 0x31, 0x33, 0x32, 0x34, 0x35, 0x5a, 0x30,
++  0x81, 0x81, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
++  0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a,
++  0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
++  0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x52, 0x65, 0x64, 0x6d, 0x6f,
++  0x6e, 0x64, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15,
++  0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72,
++  0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x2b, 0x30, 0x29, 0x06,
++  0x03, 0x55, 0x04, 0x03, 0x13, 0x22, 0x4d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f,
++  0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f,
++  0x6e, 0x20, 0x55, 0x45, 0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x31,
++  0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
++  0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
++  0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xa5, 0x08, 0x6c, 0x4c, 0xc7,
++  0x45, 0x09, 0x6a, 0x4b, 0x0c, 0xa4, 0xc0, 0x87, 0x7f, 0x06, 0x75, 0x0c, 0x43,
++  0x01, 0x54, 0x64, 0xe0, 0x16, 0x7f, 0x07, 0xed, 0x92, 0x7d, 0x0b, 0xb2, 0x73,
++  0xbf, 0x0c, 0x0a, 0xc6, 0x4a, 0x45, 0x61, 0xa0, 0xc5, 0x16, 0x2d, 0x96, 0xd3,
++  0xf5, 0x2b, 0xa0, 0xfb, 0x4d, 0x49, 0x9b, 0x41, 0x80, 0x90, 0x3c, 0xb9, 0x54,
++  0xfd, 0xe6, 0xbc, 0xd1, 0x9d, 0xc4, 0xa4, 0x18, 0x8a, 0x7f, 0x41, 0x8a, 0x5c,
++  0x59, 0x83, 0x68, 0x32, 0xbb, 0x8c, 0x47, 0xc9, 0xee, 0x71, 0xbc, 0x21, 0x4f,
++  0x9a, 0x8a, 0x7c, 0xff, 0x44, 0x3f, 0x8d, 0x8f, 0x32, 0xb2, 0x26, 0x48, 0xae,
++  0x75, 0xb5, 0xee, 0xc9, 0x4c, 0x1e, 0x4a, 0x19, 0x7e, 0xe4, 0x82, 0x9a, 0x1d,
++  0x78, 0x77, 0x4d, 0x0c, 0xb0, 0xbd, 0xf6, 0x0f, 0xd3, 0x16, 0xd3, 0xbc, 0xfa,
++  0x2b, 0xa5, 0x51, 0x38, 0x5d, 0xf5, 0xfb, 0xba, 0xdb, 0x78, 0x02, 0xdb, 0xff,
++  0xec, 0x0a, 0x1b, 0x96, 0xd5, 0x83, 0xb8, 0x19, 0x13, 0xe9, 0xb6, 0xc0, 0x7b,
++  0x40, 0x7b, 0xe1, 0x1f, 0x28, 0x27, 0xc9, 0xfa, 0xef, 0x56, 0x5e, 0x1c, 0xe6,
++  0x7e, 0x94, 0x7e, 0xc0, 0xf0, 0x44, 0xb2, 0x79, 0x39, 0xe5, 0xda, 0xb2, 0x62,
++  0x8b, 0x4d, 0xbf, 0x38, 0x70, 0xe2, 0x68, 0x24, 0x14, 0xc9, 0x33, 0xa4, 0x08,
++  0x37, 0xd5, 0x58, 0x69, 0x5e, 0xd3, 0x7c, 0xed, 0xc1, 0x04, 0x53, 0x08, 0xe7,
++  0x4e, 0xb0, 0x2a, 0x87, 0x63, 0x08, 0x61, 0x6f, 0x63, 0x15, 0x59, 0xea, 0xb2,
++  0x2b, 0x79, 0xd7, 0x0c, 0x61, 0x67, 0x8a, 0x5b, 0xfd, 0x5e, 0xad, 0x87, 0x7f,
++  0xba, 0x86, 0x67, 0x4f, 0x71, 0x58, 0x12, 0x22, 0x04, 0x22, 0x22, 0xce, 0x8b,
++  0xef, 0x54, 0x71, 0x00, 0xce, 0x50, 0x35, 0x58, 0x76, 0x95, 0x08, 0xee, 0x6a,
++  0xb1, 0xa2, 0x01, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x76,
++  0x30, 0x82, 0x01, 0x72, 0x30, 0x12, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
++  0x82, 0x37, 0x15, 0x01, 0x04, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x23,
++  0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x02, 0x04, 0x16,
++  0x04, 0x14, 0xf8, 0xc1, 0x6b, 0xb7, 0x7f, 0x77, 0x53, 0x4a, 0xf3, 0x25, 0x37,
++  0x1d, 0x4e, 0xa1, 0x26, 0x7b, 0x0f, 0x20, 0x70, 0x80, 0x30, 0x1d, 0x06, 0x03,
++  0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x13, 0xad, 0xbf, 0x43, 0x09, 0xbd,
++  0x82, 0x70, 0x9c, 0x8c, 0xd5, 0x4f, 0x31, 0x6e, 0xd5, 0x22, 0x98, 0x8a, 0x1b,
++  0xd4, 0x30, 0x19, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14,
++  0x02, 0x04, 0x0c, 0x1e, 0x0a, 0x00, 0x53, 0x00, 0x75, 0x00, 0x62, 0x00, 0x43,
++  0x00, 0x41, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
++  0x01, 0x86, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
++  0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23,
++  0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x45, 0x66, 0x52, 0x43, 0xe1, 0x7e, 0x58,
++  0x11, 0xbf, 0xd6, 0x4e, 0x9e, 0x23, 0x55, 0x08, 0x3b, 0x3a, 0x22, 0x6a, 0xa8,
++  0x30, 0x5c, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x55, 0x30, 0x53, 0x30, 0x51,
++  0xa0, 0x4f, 0xa0, 0x4d, 0x86, 0x4b, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
++  0x63, 0x72, 0x6c, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74,
++  0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x72, 0x6c, 0x2f,
++  0x70, 0x72, 0x6f, 0x64, 0x75, 0x63, 0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43,
++  0x6f, 0x72, 0x54, 0x68, 0x69, 0x50, 0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f,
++  0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30, 0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e,
++  0x63, 0x72, 0x6c, 0x30, 0x60, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
++  0x01, 0x01, 0x04, 0x54, 0x30, 0x52, 0x30, 0x50, 0x06, 0x08, 0x2b, 0x06, 0x01,
++  0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x44, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
++  0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x69, 0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66,
++  0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6b, 0x69, 0x2f, 0x63, 0x65, 0x72,
++  0x74, 0x73, 0x2f, 0x4d, 0x69, 0x63, 0x43, 0x6f, 0x72, 0x54, 0x68, 0x69, 0x50,
++  0x61, 0x72, 0x4d, 0x61, 0x72, 0x52, 0x6f, 0x6f, 0x5f, 0x32, 0x30, 0x31, 0x30,
++  0x2d, 0x31, 0x30, 0x2d, 0x30, 0x35, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0d, 0x06,
++  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
++  0x82, 0x02, 0x01, 0x00, 0x35, 0x08, 0x42, 0xff, 0x30, 0xcc, 0xce, 0xf7, 0x76,
++  0x0c, 0xad, 0x10, 0x68, 0x58, 0x35, 0x29, 0x46, 0x32, 0x76, 0x27, 0x7c, 0xef,
++  0x12, 0x41, 0x27, 0x42, 0x1b, 0x4a, 0xaa, 0x6d, 0x81, 0x38, 0x48, 0x59, 0x13,
++  0x55, 0xf3, 0xe9, 0x58, 0x34, 0xa6, 0x16, 0x0b, 0x82, 0xaa, 0x5d, 0xad, 0x82,
++  0xda, 0x80, 0x83, 0x41, 0x06, 0x8f, 0xb4, 0x1d, 0xf2, 0x03, 0xb9, 0xf3, 0x1a,
++  0x5d, 0x1b, 0xf1, 0x50, 0x90, 0xf9, 0xb3, 0x55, 0x84, 0x42, 0x28, 0x1c, 0x20,
++  0xbd, 0xb2, 0xae, 0x51, 0x14, 0xc5, 0xc0, 0xac, 0x97, 0x95, 0x21, 0x1c, 0x90,
++  0xdb, 0x0f, 0xfc, 0x77, 0x9e, 0x95, 0x73, 0x91, 0x88, 0xca, 0xbd, 0xbd, 0x52,
++  0xb9, 0x05, 0x50, 0x0d, 0xdf, 0x57, 0x9e, 0xa0, 0x61, 0xed, 0x0d, 0xe5, 0x6d,
++  0x25, 0xd9, 0x40, 0x0f, 0x17, 0x40, 0xc8, 0xce, 0xa3, 0x4a, 0xc2, 0x4d, 0xaf,
++  0x9a, 0x12, 0x1d, 0x08, 0x54, 0x8f, 0xbd, 0xc7, 0xbc, 0xb9, 0x2b, 0x3d, 0x49,
++  0x2b, 0x1f, 0x32, 0xfc, 0x6a, 0x21, 0x69, 0x4f, 0x9b, 0xc8, 0x7e, 0x42, 0x34,
++  0xfc, 0x36, 0x06, 0x17, 0x8b, 0x8f, 0x20, 0x40, 0xc0, 0xb3, 0x9a, 0x25, 0x75,
++  0x27, 0xcd, 0xc9, 0x03, 0xa3, 0xf6, 0x5d, 0xd1, 0xe7, 0x36, 0x54, 0x7a, 0xb9,
++  0x50, 0xb5, 0xd3, 0x12, 0xd1, 0x07, 0xbf, 0xbb, 0x74, 0xdf, 0xdc, 0x1e, 0x8f,
++  0x80, 0xd5, 0xed, 0x18, 0xf4, 0x2f, 0x14, 0x16, 0x6b, 0x2f, 0xde, 0x66, 0x8c,
++  0xb0, 0x23, 0xe5, 0xc7, 0x84, 0xd8, 0xed, 0xea, 0xc1, 0x33, 0x82, 0xad, 0x56,
++  0x4b, 0x18, 0x2d, 0xf1, 0x68, 0x95, 0x07, 0xcd, 0xcf, 0xf0, 0x72, 0xf0, 0xae,
++  0xbb, 0xdd, 0x86, 0x85, 0x98, 0x2c, 0x21, 0x4c, 0x33, 0x2b, 0xf0, 0x0f, 0x4a,
++  0xf0, 0x68, 0x87, 0xb5, 0x92, 0x55, 0x32, 0x75, 0xa1, 0x6a, 0x82, 0x6a, 0x3c,
++  0xa3, 0x25, 0x11, 0xa4, 0xed, 0xad, 0xd7, 0x04, 0xae, 0xcb, 0xd8, 0x40, 0x59,
++  0xa0, 0x84, 0xd1, 0x95, 0x4c, 0x62, 0x91, 0x22, 0x1a, 0x74, 0x1d, 0x8c, 0x3d,
++  0x47, 0x0e, 0x44, 0xa6, 0xe4, 0xb0, 0x9b, 0x34, 0x35, 0xb1, 0xfa, 0xb6, 0x53,
++  0xa8, 0x2c, 0x81, 0xec, 0xa4, 0x05, 0x71, 0xc8, 0x9d, 0xb8, 0xba, 0xe8, 0x1b,
++  0x44, 0x66, 0xe4, 0x47, 0x54, 0x0e, 0x8e, 0x56, 0x7f, 0xb3, 0x9f, 0x16, 0x98,
++  0xb2, 0x86, 0xd0, 0x68, 0x3e, 0x90, 0x23, 0xb5, 0x2f, 0x5e, 0x8f, 0x50, 0x85,
++  0x8d, 0xc6, 0x8d, 0x82, 0x5f, 0x41, 0xa1, 0xf4, 0x2e, 0x0d, 0xe0, 0x99, 0xd2,
++  0x6c, 0x75, 0xe4, 0xb6, 0x69, 0xb5, 0x21, 0x86, 0xfa, 0x07, 0xd1, 0xf6, 0xe2,
++  0x4d, 0xd1, 0xda, 0xad, 0x2c, 0x77, 0x53, 0x1e, 0x25, 0x32, 0x37, 0xc7, 0x6c,
++  0x52, 0x72, 0x95, 0x86, 0xb0, 0xf1, 0x35, 0x61, 0x6a, 0x19, 0xf5, 0xb2, 0x3b,
++  0x81, 0x50, 0x56, 0xa6, 0x32, 0x2d, 0xfe, 0xa2, 0x89, 0xf9, 0x42, 0x86, 0x27,
++  0x18, 0x55, 0xa1, 0x82, 0xca, 0x5a, 0x9b, 0xf8, 0x30, 0x98, 0x54, 0x14, 0xa6,
++  0x47, 0x96, 0x25, 0x2f, 0xc8, 0x26, 0xe4, 0x41, 0x94, 0x1a, 0x5c, 0x02, 0x3f,
++  0xe5, 0x96, 0xe3, 0x85, 0x5b, 0x3c, 0x3e, 0x3f, 0xbb, 0x47, 0x16, 0x72, 0x55,
++  0xe2, 0x25, 0x22, 0xb1, 0xd9, 0x7b, 0xe7, 0x03, 0x06, 0x2a, 0xa3, 0xf7, 0x1e,
++  0x90, 0x46, 0xc3, 0x00, 0x0d, 0xd6, 0x19, 0x89, 0xe3, 0x0e, 0x35, 0x27, 0x62,
++  0x03, 0x71, 0x15, 0xa6, 0xef, 0xd0, 0x27, 0xa0, 0xa0, 0x59, 0x37, 0x60, 0xf8,
++  0x38, 0x94, 0xb8, 0xe0, 0x78, 0x70, 0xf8, 0xba, 0x4c, 0x86, 0x87, 0x94, 0xf6,
++  0xe0, 0xae, 0x02, 0x45, 0xee, 0x65, 0xc2, 0xb6, 0xa3, 0x7e, 0x69, 0x16, 0x75,
++  0x07, 0x92, 0x9b, 0xf5, 0xa6, 0xbc, 0x59, 0x83, 0x58
++};
++
++//
++// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
++// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
++// expects that the "dbx" variable exist.
++//
++// The article at <https://technet.microsoft.com/en-us/library/dn747883.aspx>
++// writes (excerpt):
++//
++//    Windows 8.1 Secure Boot Key Creation and Management Guidance
++//    1. Secure Boot, Windows 8.1 and Key Management
++//    1.4 Signature Databases (Db and Dbx)
++//    1.4.3 Forbidden Signature Database (dbx)
++//
++//    The contents of EFI_IMAGE_SIGNATURE_DATABASE1 dbx must be checked when
++//    verifying images before checking db and any matches must prevent the
++//    image from executing. The database may contain multiple certificates,
++//    keys, and hashes in order to identify forbidden images. The Windows
++//    Hardware Certification Requirements state that a dbx must be present, so
++//    any dummy value, such as the SHA-256 hash of 0, may be used as a safe
++//    placeholder until such time as Microsoft begins delivering dbx updates.
++//
++// The byte array below captures the SHA256 checksum of the empty file,
++// blacklisting it for loading & execution. This qualifies as a dummy, since
++// the empty file is not a valid UEFI binary anyway.
++//
++// Technically speaking, we could also capture an official (although soon to be
++// obsolete) dbx update from <http://www.uefi.org/revocationlistfile>. However,
++// the terms and conditions on distributing that binary aren't exactly light
++// reading, so let's best steer clear of it, and follow the "dummy entry"
++// practice recommended -- in natural English langauge -- in the
++// above-referenced TechNet article.
++//
++STATIC CONST UINT8 mSha256OfDevNull[] = {
++  0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99,
++  0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95,
++  0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
++};
++
++//
++// The following test cases of the Secure Boot Logo Test in the Microsoft
++// Hardware Certification Kit:
++//
++// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
++// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
++//
++// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
++// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
++// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
++// certificates:
++//
++// - "Microsoft Corporation KEK CA 2011" (in KEK)
++// - "Microsoft Windows Production PCA 2011" (in db)
++// - "Microsoft Corporation UEFI CA 2011" (in db)
++//
++// This is despite the fact that the UEFI specification requires
++// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
++// application or driver) that enrolled and therefore owns
++// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
++// EFI_SIGNATURE_DATA.SignatureData.
++//
++STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
++  0x77fa9abd, 0x0359, 0x4d32,
++  { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
++};
++
++//
++// The most important thing about the variable payload is that it is a list of
++// lists, where the element size of any given *inner* list is constant.
++//
++// Since X509 certificates vary in size, each of our *inner* lists will contain
++// one element only (one X.509 certificate). This is explicitly mentioned in
++// the UEFI specification, in "28.4.1 Signature Database", in a Note.
++//
++// The list structure looks as follows:
++//
++// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
++//   struct EFI_TIME {                                              |
++//     UINT16 Year;                                                 |
++//     UINT8  Month;                                                |
++//     UINT8  Day;                                                  |
++//     UINT8  Hour;                                                 |
++//     UINT8  Minute;                                               |
++//     UINT8  Second;                                               |
++//     UINT8  Pad1;                                                 |
++//     UINT32 Nanosecond;                                           |
++//     INT16  TimeZone;                                             |
++//     UINT8  Daylight;                                             |
++//     UINT8  Pad2;                                                 |
++//   } TimeStamp;                                                   |
++//                                                                  |
++//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
++//     struct WIN_CERTIFICATE {                                   | |
++//       UINT32 dwLength; ----------------------------------------+ |
++//       UINT16 wRevision;                                        | |
++//       UINT16 wCertificateType;                                 | |
++//     } Hdr;                                                     | +- DataSize
++//                                                                | |
++//     EFI_GUID CertType;                                         | |
++//     UINT8    CertData[1] = { <--- "struct hack"                | |
++//       struct EFI_SIGNATURE_LIST {                            | | |
++//         EFI_GUID SignatureType;                              | | |
++//         UINT32   SignatureListSize; -------------------------+ | |
++//         UINT32   SignatureHeaderSize;                        | | |
++//         UINT32   SignatureSize; ---------------------------+ | | |
++//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
++//                                                            v | | |
++//         struct EFI_SIGNATURE_DATA {                        | | | |
++//           EFI_GUID SignatureOwner;                         | | | |
++//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
++//             X.509 payload                                  | | | |
++//           }                                                | | | |
++//         } Signatures[];                                      | | |
++//       } SigLists[];                                            | |
++//     };                                                         | |
++//   } AuthInfo;                                                  | |
++// };                                                               |
++//
++// Given that the "struct hack" invokes undefined behavior (which is why C99
++// introduced the flexible array member), and because subtracting those pesky
++// sizes of 1 is annoying, and because the format is fully specified in the
++// UEFI specification, we'll introduce two matching convenience structures that
++// are customized for our X.509 purposes.
++//
++#pragma pack(1)
++typedef struct {
++  EFI_TIME TimeStamp;
++
++  //
++  // dwLength covers data below
++  //
++  UINT32   dwLength;
++  UINT16   wRevision;
++  UINT16   wCertificateType;
++  EFI_GUID CertType;
++} SINGLE_HEADER;
++
++typedef struct {
++  //
++  // SignatureListSize covers data below
++  //
++  EFI_GUID SignatureType;
++  UINT32   SignatureListSize;
++  UINT32   SignatureHeaderSize; // constant 0
++  UINT32   SignatureSize;
++
++  //
++  // SignatureSize covers data below
++  //
++  EFI_GUID SignatureOwner;
++
++  //
++  // X.509 certificate follows
++  //
++} REPEATING_HEADER;
++#pragma pack()
++
++/**
++  Enroll a set of certificates in a global variable, overwriting it.
++
++  The variable will be rewritten with NV+BS+RT+AT attributes.
++
++  @param[in] VariableName  The name of the variable to overwrite.
++
++  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
++                           overwrite.
++
++  @param[in] CertType      The GUID determining the type of all the
++                           certificates in the set that is passed in. For
++                           example, gEfiCertX509Guid stands for DER-encoded
++                           X.509 certificates, while gEfiCertSha256Guid stands
++                           for SHA256 image hashes.
++
++  @param[in] ...           A list of
++
++                             IN CONST UINT8    *Cert,
++                             IN UINTN          CertSize,
++                             IN CONST EFI_GUID *OwnerGuid
++
++                           triplets. If the first component of a triplet is
++                           NULL, then the other two components are not
++                           accessed, and processing is terminated. The list of
++                           certificates is enrolled in the variable specified,
++                           overwriting it. The OwnerGuid component identifies
++                           the agent installing the certificate.
++
++  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert
++                                 value is NULL), or one of the CertSize values
++                                 is 0, or one of the CertSize values would
++                                 overflow the accumulated UINT32 data size.
++
++  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable
++                                 payload.
++
++  @retval EFI_SUCCESS            Enrollment successful; the variable has been
++                                 overwritten (or created).
++
++  @return                        Error codes from gRT->GetTime() and
++                                 gRT->SetVariable().
++**/
++STATIC
++EFI_STATUS
++EFIAPI
++EnrollListOfCerts (
++  IN CHAR16   *VariableName,
++  IN EFI_GUID *VendorGuid,
++  IN EFI_GUID *CertType,
++  ...
++  )
++{
++  UINTN            DataSize;
++  SINGLE_HEADER    *SingleHeader;
++  REPEATING_HEADER *RepeatingHeader;
++  VA_LIST          Marker;
++  CONST UINT8      *Cert;
++  EFI_STATUS       Status;
++  UINT8            *Data;
++  UINT8            *Position;
++
++  Status = EFI_SUCCESS;
++
++  //
++  // compute total size first, for UINT32 range check, and allocation
++  //
++  DataSize = sizeof *SingleHeader;
++  VA_START (Marker, CertType);
++  for (Cert = VA_ARG (Marker, CONST UINT8 *);
++       Cert != NULL;
++       Cert = VA_ARG (Marker, CONST UINT8 *)) {
++    UINTN          CertSize;
++
++    CertSize = VA_ARG (Marker, UINTN);
++    (VOID)VA_ARG (Marker, CONST EFI_GUID *);
++
++    if (CertSize == 0 ||
++        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||
++        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {
++      Status = EFI_INVALID_PARAMETER;
++      break;
++    }
++    DataSize += sizeof *RepeatingHeader + CertSize;
++  }
++  VA_END (Marker);
++
++  if (DataSize == sizeof *SingleHeader) {
++    Status = EFI_INVALID_PARAMETER;
++  }
++  if (EFI_ERROR (Status)) {
++    goto Out;
++  }
++
++  Data = AllocatePool (DataSize);
++  if (Data == NULL) {
++    Status = EFI_OUT_OF_RESOURCES;
++    goto Out;
++  }
++
++  Position = Data;
++
++  SingleHeader = (SINGLE_HEADER *)Position;
++  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);
++  if (EFI_ERROR (Status)) {
++    goto FreeData;
++  }
++  SingleHeader->TimeStamp.Pad1       = 0;
++  SingleHeader->TimeStamp.Nanosecond = 0;
++  SingleHeader->TimeStamp.TimeZone   = 0;
++  SingleHeader->TimeStamp.Daylight   = 0;
++  SingleHeader->TimeStamp.Pad2       = 0;
++#if 0
++  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;
++#else
++  //
++  // This looks like a bug in edk2. According to the UEFI specification,
++  // dwLength is "The length of the entire certificate, including the length of
++  // the header, in bytes". That shouldn't stop right after CertType -- it
++  // should include everything below it.
++  //
++  SingleHeader->dwLength         = sizeof *SingleHeader
++                                     - sizeof SingleHeader->TimeStamp;
++#endif
++  SingleHeader->wRevision        = 0x0200;
++  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;
++  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);
++  Position += sizeof *SingleHeader;
++
++  VA_START (Marker, CertType);
++  for (Cert = VA_ARG (Marker, CONST UINT8 *);
++       Cert != NULL;
++       Cert = VA_ARG (Marker, CONST UINT8 *)) {
++    UINTN            CertSize;
++    CONST EFI_GUID   *OwnerGuid;
++
++    CertSize  = VA_ARG (Marker, UINTN);
++    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);
++
++    RepeatingHeader = (REPEATING_HEADER *)Position;
++    CopyGuid (&RepeatingHeader->SignatureType, CertType);
++    RepeatingHeader->SignatureListSize   =
++      (UINT32)(sizeof *RepeatingHeader + CertSize);
++    RepeatingHeader->SignatureHeaderSize = 0;
++    RepeatingHeader->SignatureSize       =
++      (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);
++    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);
++    Position += sizeof *RepeatingHeader;
++
++    CopyMem (Position, Cert, CertSize);
++    Position += CertSize;
++  }
++  VA_END (Marker);
++
++  ASSERT (Data + DataSize == Position);
++
++  Status = gRT->SetVariable (VariableName, VendorGuid,
++                  (EFI_VARIABLE_NON_VOLATILE |
++                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
++                   EFI_VARIABLE_RUNTIME_ACCESS |
++                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
++                  DataSize, Data);
++
++FreeData:
++  FreePool (Data);
++
++Out:
++  if (EFI_ERROR (Status)) {
++    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,
++      VendorGuid, Status);
++  }
++  return Status;
++}
++
++
++STATIC
++EFI_STATUS
++EFIAPI
++GetExact (
++  IN CHAR16   *VariableName,
++  IN EFI_GUID *VendorGuid,
++  OUT VOID    *Data,
++  IN UINTN    DataSize,
++  IN BOOLEAN  AllowMissing
++  )
++{
++  UINTN      Size;
++  EFI_STATUS Status;
++
++  Size = DataSize;
++  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
++  if (EFI_ERROR (Status)) {
++    if (Status == EFI_NOT_FOUND && AllowMissing) {
++      ZeroMem (Data, DataSize);
++      return EFI_SUCCESS;
++    }
++
++    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,
++      VendorGuid, Status);
++    return Status;
++  }
++
++  if (Size != DataSize) {
++    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
++      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
++    return EFI_PROTOCOL_ERROR;
++  }
++
++  return EFI_SUCCESS;
++}
++
++typedef struct {
++  UINT8 SetupMode;
++  UINT8 SecureBoot;
++  UINT8 SecureBootEnable;
++  UINT8 CustomMode;
++  UINT8 VendorKeys;
++} SETTINGS;
++
++STATIC
++EFI_STATUS
++EFIAPI
++GetSettings (
++  OUT SETTINGS *Settings
++  )
++{
++  EFI_STATUS Status;
++
++  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,
++             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,
++             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,
++             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,
++             sizeof Settings->SecureBootEnable, TRUE);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
++             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);
++  if (EFI_ERROR (Status)) {
++    return Status;
++  }
++
++  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,
++             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);
++  return Status;
++}
++
++STATIC
++VOID
++EFIAPI
++PrintSettings (
++  IN CONST SETTINGS *Settings
++  )
++{
++  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
++    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,
++    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);
++}
++
++
++INTN
++EFIAPI
++ShellAppMain (
++  IN UINTN  Argc,
++  IN CHAR16 **Argv
++  )
++{
++  EFI_STATUS Status;
++  SETTINGS   Settings;
++
++  Status = GetSettings (&Settings);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++  PrintSettings (&Settings);
++
++  if (Settings.SetupMode != 1) {
++    AsciiPrint ("error: already in User Mode\n");
++    return 1;
++  }
++
++  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
++    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
++    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
++                    (EFI_VARIABLE_NON_VOLATILE |
++                     EFI_VARIABLE_BOOTSERVICE_ACCESS),
++                    sizeof Settings.CustomMode, &Settings.CustomMode);
++    if (EFI_ERROR (Status)) {
++      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
++        &gEfiCustomModeEnableGuid, Status);
++      return 1;
++    }
++  }
++
++  Status = EnrollListOfCerts (
++             EFI_IMAGE_SECURITY_DATABASE,
++             &gEfiImageSecurityDatabaseGuid,
++             &gEfiCertX509Guid,
++             MicrosoftPCA,    sizeof MicrosoftPCA,    &mMicrosoftOwnerGuid,
++             MicrosoftUefiCA, sizeof MicrosoftUefiCA, &mMicrosoftOwnerGuid,
++             NULL);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++
++  Status = EnrollListOfCerts (
++             EFI_IMAGE_SECURITY_DATABASE1,
++             &gEfiImageSecurityDatabaseGuid,
++             &gEfiCertSha256Guid,
++             mSha256OfDevNull, sizeof mSha256OfDevNull, &gEfiCallerIdGuid,
++             NULL);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++
++  Status = EnrollListOfCerts (
++             EFI_KEY_EXCHANGE_KEY_NAME,
++             &gEfiGlobalVariableGuid,
++             &gEfiCertX509Guid,
++             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiCallerIdGuid,
++             MicrosoftKEK, sizeof MicrosoftKEK, &mMicrosoftOwnerGuid,
++             NULL);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++
++  Status = EnrollListOfCerts (
++             EFI_PLATFORM_KEY_NAME,
++             &gEfiGlobalVariableGuid,
++             &gEfiCertX509Guid,
++             RedHatPkKek1, sizeof RedHatPkKek1, &gEfiGlobalVariableGuid,
++             NULL);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++
++  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
++  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
++                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
++                  sizeof Settings.CustomMode, &Settings.CustomMode);
++  if (EFI_ERROR (Status)) {
++    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,
++      &gEfiCustomModeEnableGuid, Status);
++    return 1;
++  }
++
++  Status = GetSettings (&Settings);
++  if (EFI_ERROR (Status)) {
++    return 1;
++  }
++  PrintSettings (&Settings);
++
++  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||
++      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||
++      Settings.VendorKeys != 0) {
++    AsciiPrint ("error: unexpected\n");
++    return 1;
++  }
++
++  AsciiPrint ("info: success\n");
++  return 0;
++}
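Review bot: In ShellAppMain, every `return 1` that follows a failed EnrollListOfCerts call leaves CustomMode at CUSTOM_SECURE_BOOT_MODE, because the write that restores STANDARD_SECURE_BOOT_MODE is only reached after all four enrollments succeed. The CustomMode variable is set with EFI_VARIABLE_NON_VOLATILE, so a failure partway through persists custom mode across reboots together with whatever subset of db, EFI_IMAGE_SECURITY_DATABASE1, KEK and PK was already written. Route the failure paths through a common exit label that restores STANDARD_SECURE_BOOT_MODE before returning 1.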
+diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+new file mode 100644
+index 0000000..0ad86a2
+--- /dev/null
++++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+@@ -0,0 +1,52 @@
++## @file
++#  Enroll default PK, KEK, DB.
++#
++#  Copyright (C) 2014, Red Hat, Inc.
++#
++#  This program and the accompanying materials are licensed and made available
++#  under the terms and conditions of the BSD License which accompanies this
++#  distribution. The full text of the license may be found at
++#  http://opensource.org/licenses/bsd-license.
++#
++#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR
++#  IMPLIED.
++##
++
++[Defines]
++  INF_VERSION                    = 0x00010006
++  BASE_NAME                      = EnrollDefaultKeys
++  FILE_GUID                      = D5C1DF0B-1BAC-4EDF-BA48-08834009CA5A
++  MODULE_TYPE                    = UEFI_APPLICATION
++  VERSION_STRING                 = 0.1
++  ENTRY_POINT                    = ShellCEntryLib
++
++#
++#  VALID_ARCHITECTURES           = IA32 X64
++#
++
++[Sources]
++  EnrollDefaultKeys.c
++
++[Packages]
++  MdePkg/MdePkg.dec
++  MdeModulePkg/MdeModulePkg.dec
++  SecurityPkg/SecurityPkg.dec
++  ShellPkg/ShellPkg.dec
++
++[Guids]
++  gEfiCertPkcs7Guid
++  gEfiCertSha256Guid
++  gEfiCertX509Guid
++  gEfiCustomModeEnableGuid
++  gEfiGlobalVariableGuid
++  gEfiImageSecurityDatabaseGuid
++  gEfiSecureBootEnableDisableGuid
++
++[LibraryClasses]
++  BaseMemoryLib
++  DebugLib
++  MemoryAllocationLib
++  ShellCEntryLib
++  UefiLib
++  UefiRuntimeServicesTableLib
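Review bot: FILE_GUID in [Defines] doubles as Secure Boot data and nothing in this file says so. EnrollDefaultKeys.c passes &gEfiCallerIdGuid as the owner GUID for RedHatPkKek1 in the KEK list and for mSha256OfDevNull in EFI_IMAGE_SECURITY_DATABASE1, and the edk2 build derives gEfiCallerIdGuid from the module's FILE_GUID. Add a comment next to FILE_GUID stating that changing it changes the SignatureOwner written into the enrolled signature lists.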
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index b577767..4d268c9 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -865,6 +865,10 @@
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
++  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
++    <LibraryClasses>
++      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
++  }
+ !endif
+ 
+   OvmfPkg/PlatformDxe/Platform.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index a6a40be..6836622 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -874,6 +874,10 @@
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
++  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
++    <LibraryClasses>
++      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
++  }
+ !endif
+ 
+   OvmfPkg/PlatformDxe/Platform.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 8bd3754..0b3008f 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -872,6 +872,10 @@
+ 
+ !if $(SECURE_BOOT_ENABLE) == TRUE
+   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
++  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf {
++    <LibraryClasses>
++      ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
++  }
+ !endif
+ 
+   OvmfPkg/PlatformDxe/Platform.inf
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0013-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch b/SOURCES/0013-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
new file mode 100644
index 0000000..fd6d5fa
--- /dev/null
+++ b/SOURCES/0013-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
@@ -0,0 +1,69 @@
+From 58755c51d3252312d80cbcb97928d71199c2f5e1 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 14 Oct 2015 13:49:43 +0200
+Subject: ArmPlatformPkg: introduce fixed PCD for early hello message (RH only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Drew has proposed that ARM|AARCH64 platform firmware (especially virtual
+machine firmware) print a reasonably early, simple hello message to the
+serial port, regardless of debug mask settings. This should inform
+interactive users, and provide some rough help in localizing boot
+problems, even with restrictive debug masks.
+
+If a platform doesn't want this feature, it should stick with the default
+empty string.
+
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1270279
+Downstream only:
+<http://thread.gmane.org/gmane.comp.bios.edk2.devel/2996/focus=3433>.
+
+Suggested-by: Drew Jones <drjones@redhat.com>
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 7ce97b06421434c82095f01a1753a8c9c546cc30)
+(cherry picked from commit 20b1f1cbd0590aa71c6d99d35e23cf08e0707750)
+(cherry picked from commit 6734b88cf7abcaf42632e3d2fc469b2169dd2f16)
+(cherry picked from commit ef77da632559e9baa1c69869e4cbea377068ef27)
+---
+ ArmPlatformPkg/ArmPlatformPkg.dec | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ArmPlatformPkg/ArmPlatformPkg.dec b/ArmPlatformPkg/ArmPlatformPkg.dec
+index dff4598..3c5c6c7 100644
+--- a/ArmPlatformPkg/ArmPlatformPkg.dec
++++ b/ArmPlatformPkg/ArmPlatformPkg.dec
+@@ -112,6 +112,13 @@
+   ## If set, this will swap settings for HDLCD RED_SELECT and BLUE_SELECT registers
+   gArmPlatformTokenSpaceGuid.PcdArmHdLcdSwapBlueRedSelect|FALSE|BOOLEAN|0x00000045
+ 
++  #
++  # Early hello message (ASCII string), printed to the serial port.
++  # If set to the empty string, nothing is printed.
++  # Otherwise, a trailing CRLF should be specified explicitly.
++  #
++  gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage|""|VOID*|0x00000100
++
+ [PcdsFixedAtBuild.common,PcdsDynamic.common]
+   ## PL031 RealTimeClock
+   gArmPlatformTokenSpaceGuid.PcdPL031RtcBase|0x0|UINT32|0x00000024
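Review bot: The comment block above PcdEarlyHelloMessage uses single `#` lines, while the neighbouring declarations visible in this hunk (PcdArmHdLcdSwapBlueRedSelect, PcdPL031RtcBase) use `##` description comments. Match the surrounding `##` form, and say in the description that the value must be a NUL-terminated ASCII string, since the declared type VOID* does not enforce that.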
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0014-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch b/SOURCES/0014-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
new file mode 100644
index 0000000..9ee5345
--- /dev/null
+++ b/SOURCES/0014-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
@@ -0,0 +1,121 @@
+From f4b7aae411d88b2b83f85d20ef06a4032a57e7de Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 14 Oct 2015 13:59:20 +0200
+Subject: ArmPlatformPkg: PrePeiCore: write early hello message to the serial
+ port (RH)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- adapt to upstream commit 7e2a8dfe8a9a ("ArmPlatformPkg/PrePeiCore: seed
+  temporary stack before entering PEI core", 2017-11-09) -- conflict
+  resolution in "ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf"
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+The FixedPcdGetSize() macro expands to an integer constant, therefore an
+optimizing compiler can eliminate the new code, if the platform DSC
+doesn't override the empty string (size=1) default of
+PcdEarlyHelloMessage.
+
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1270279
+Downstream only:
+<http://thread.gmane.org/gmane.comp.bios.edk2.devel/2996/focus=3433>.
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit b16c4c505ce0e27305235533eac9236aa66f132e)
+(cherry picked from commit 742e5bf6d5ce5a1e73879d6e5c0dd00feda7a9ac)
+(cherry picked from commit 93d69eb9393cf05af90676253875c59c1bec67fd)
+(cherry picked from commit 638594083b191f84f5d9333eb6147a31570f5a5a)
+---
+ ArmPlatformPkg/PrePeiCore/MainMPCore.c          | 5 +++++
+ ArmPlatformPkg/PrePeiCore/MainUniCore.c         | 5 +++++
+ ArmPlatformPkg/PrePeiCore/PrePeiCore.h          | 1 +
+ ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf  | 2 ++
+ ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf | 2 ++
+ 5 files changed, 15 insertions(+)
+
+diff --git a/ArmPlatformPkg/PrePeiCore/MainMPCore.c b/ArmPlatformPkg/PrePeiCore/MainMPCore.c
+index dc47adb..cbd7223 100644
+--- a/ArmPlatformPkg/PrePeiCore/MainMPCore.c
++++ b/ArmPlatformPkg/PrePeiCore/MainMPCore.c
+@@ -117,6 +117,11 @@ PrimaryMain (
+   UINTN                       TemporaryRamBase;
+   UINTN                       TemporaryRamSize;
+ 
++  if (FixedPcdGetSize (PcdEarlyHelloMessage) > 1) {
++    SerialPortWrite (FixedPcdGetPtr (PcdEarlyHelloMessage),
++      FixedPcdGetSize (PcdEarlyHelloMessage) - 1);
++  }
++
+   CreatePpiList (&PpiListSize, &PpiList);
+ 
+   // Enable the GIC Distributor
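Review bot: The `> 1` test and the `- 1` length in PrimaryMain assume the PCD holds a NUL-terminated ASCII string, but PcdEarlyHelloMessage is declared VOID* in ArmPlatformPkg.dec. A platform DSC that sets it to L"" yields size 2, which passes the check and writes a single 0x00 byte; a byte-array value would lose its last byte. Add a comment at the call site stating the ASCII-only contract so the size arithmetic is not read as general.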
+diff --git a/ArmPlatformPkg/PrePeiCore/MainUniCore.c b/ArmPlatformPkg/PrePeiCore/MainUniCore.c
+index 134a469..af39fc0 100644
+--- a/ArmPlatformPkg/PrePeiCore/MainUniCore.c
++++ b/ArmPlatformPkg/PrePeiCore/MainUniCore.c
+@@ -35,6 +35,11 @@ PrimaryMain (
+   UINTN                       TemporaryRamBase;
+   UINTN                       TemporaryRamSize;
+ 
++  if (FixedPcdGetSize (PcdEarlyHelloMessage) > 1) {
++    SerialPortWrite (FixedPcdGetPtr (PcdEarlyHelloMessage),
++      FixedPcdGetSize (PcdEarlyHelloMessage) - 1);
++  }
++
+   CreatePpiList (&PpiListSize, &PpiList);
+ 
+   // Adjust the Temporary Ram as the new Ppi List (Common + Platform Ppi Lists) is created at
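Review bot: This block in MainUniCore.c's PrimaryMain is a verbatim copy of the one added to MainMPCore.c. Both files already share PrePeiCore.h, so consider a single helper declared there, which keeps the size check and the `- 1` length from drifting between the unicore and MP paths.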
+diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
+index 1608946..bf843d7 100644
+--- a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
++++ b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
+@@ -21,6 +21,7 @@
+ #include <Library/DebugLib.h>
+ #include <Library/IoLib.h>
+ #include <Library/PcdLib.h>
++#include <Library/SerialPortLib.h>
+ 
+ #include <PiPei.h>
+ #include <Ppi/TemporaryRamSupport.h>
+diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
+index e3a31fa..1bc0c45 100644
+--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
++++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
+@@ -72,6 +72,8 @@
+   gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize
+   gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize
+ 
++  gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage
++
+   gArmTokenSpaceGuid.PcdGicDistributorBase
+   gArmTokenSpaceGuid.PcdGicInterruptInterfaceBase
+   gArmTokenSpaceGuid.PcdGicSgiIntId
+diff --git a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
+index ec83cec..b100820 100644
+--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
++++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
+@@ -70,4 +70,6 @@
+   gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize
+   gArmPlatformTokenSpaceGuid.PcdCPUCoreSecondaryStackSize
+ 
++  gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage
++
+   gEfiMdeModulePkgTokenSpaceGuid.PcdInitValueInTempStack
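Review bot: Neither INF hunk adds SerialPortLib to [LibraryClasses], although PrePeiCore.h now includes <Library/SerialPortLib.h> and both PrimaryMain variants call SerialPortWrite(). The diffstat shows only two added lines per INF, both accounted for by the PCD entry and its blank line. Confirm that PrePeiCoreMPCore.inf and PrePeiCoreUniCore.inf already list SerialPortLib, and add it explicitly if they do not, so the module does not depend on the library being pulled in indirectly.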
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0015-ArmVirtPkg-set-early-hello-message-RH-only.patch b/SOURCES/0015-ArmVirtPkg-set-early-hello-message-RH-only.patch
new file mode 100644
index 0000000..7b1268c
--- /dev/null
+++ b/SOURCES/0015-ArmVirtPkg-set-early-hello-message-RH-only.patch
@@ -0,0 +1,55 @@
+From 2d4db6ec70e004cd9ac147615d17033bee5d3b18 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 14 Oct 2015 14:07:17 +0200
+Subject: ArmVirtPkg: set early hello message (RH only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Print a friendly banner on QEMU, regardless of debug mask settings.
+
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1270279
+Downstream only:
+<http://thread.gmane.org/gmane.comp.bios.edk2.devel/2996/focus=3433>.
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 5d4a15b9019728b2d96322bc679099da49916925)
+(cherry picked from commit 179df76dbb0d199bd905236e98775b4059c6502a)
+(cherry picked from commit ce3f59d0710c24c162d5222bbf5cd7e36180c80c)
+(cherry picked from commit c201a8e6ae28d75f7ba581828b533c3b26fa7f18)
+---
+ ArmVirtPkg/ArmVirtQemu.dsc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 4bf94ce..035b729 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -89,6 +89,7 @@
+   gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE
+ 
+ [PcdsFixedAtBuild.common]
++  gArmPlatformTokenSpaceGuid.PcdEarlyHelloMessage|"UEFI firmware starting.\r\n"
+   gArmPlatformTokenSpaceGuid.PcdCoreCount|1
+ !if $(ARCH) == AARCH64
+   gArmTokenSpaceGuid.PcdVFPEnabled|1
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0016-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch b/SOURCES/0016-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
new file mode 100644
index 0000000..14d4635
--- /dev/null
+++ b/SOURCES/0016-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
@@ -0,0 +1,82 @@
+From 759bd3f591e2db699bdef4c7ea4e97c908e7f027 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 21 Nov 2017 00:57:45 +0100
+Subject: OvmfPkg: enable DEBUG_VERBOSE (RHEL only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Message-id: <20171120235748.29669-5-pbonzini@redhat.com>
+Patchwork-id: 77760
+O-Subject:  [PATCH 4/7] OvmfPkg: enable DEBUG_VERBOSE (RHEL only)
+Bugzilla: 1488247
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Laszlo Ersek <lersek@redhat.com>
+
+Set the DEBUG_VERBOSE bit (0x00400000) in the log mask. We want detailed
+debug messages, and code in OvmfPkg logs many messages on the
+DEBUG_VERBOSE level.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(this patch was previously applied as commit 78d3ed73172b5738e32d2b0bc03f7984b9584117)
+(cherry picked from commit 7aeeaabc9871f657e65d2b99d81011b4964a1ce9)
+(cherry picked from commit a0617a6be1a80966099ddceb010f89202a79ee76)
+---
+ OvmfPkg/OvmfPkgIa32.dsc    | 2 +-
+ OvmfPkg/OvmfPkgIa32X64.dsc | 2 +-
+ OvmfPkg/OvmfPkgX64.dsc     | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 4d268c9..57bf021 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -481,7 +481,7 @@
+   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
+   #                             // significantly impact boot performance
+   # DEBUG_ERROR     0x80000000  // Error
+-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ 
+ !ifdef $(SOURCE_DEBUG_ENABLE)
+   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
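Review bot: The new value 0x8040004F turns on DEBUG_VERBOSE for every module built from this DSC, and the context comment directly above it warns that this level "may significantly impact boot performance". The value changes with no comment beside it, so a reader of the DSC cannot tell that bit 0x00400000 was set deliberately downstream. Add a short comment next to the PCD naming the bit and the reason; the same applies to the identical hunks in OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc.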
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 6836622..0e87c8f 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -486,7 +486,7 @@
+   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
+   #                             // significantly impact boot performance
+   # DEBUG_ERROR     0x80000000  // Error
+-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ 
+ !ifdef $(SOURCE_DEBUG_ENABLE)
+   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 0b3008f..38ba204 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -486,7 +486,7 @@
+   # DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
+   #                             // significantly impact boot performance
+   # DEBUG_ERROR     0x80000000  // Error
+-  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
+ 
+ !ifdef $(SOURCE_DEBUG_ENABLE)
+   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0017-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-QemuVide.patch b/SOURCES/0017-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-QemuVide.patch
new file mode 100644
index 0000000..1fe8371
--- /dev/null
+++ b/SOURCES/0017-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-QemuVide.patch
@@ -0,0 +1,101 @@
+From bd650684712fb840dbcda5d6eaee065bd9e91fa1 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 21 Nov 2017 00:57:46 +0100
+Subject: OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in QemuVideoDxe (RH only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Message-id: <20171120235748.29669-6-pbonzini@redhat.com>
+Patchwork-id: 77761
+O-Subject:  [PATCH 5/7] OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in
+	QemuVideoDxe (RH only)
+Bugzilla: 1488247
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Laszlo Ersek <lersek@redhat.com>
+
+In commit 5b2291f9567a ("OvmfPkg: QemuVideoDxe uses
+MdeModulePkg/FrameBufferLib"), QemuVideoDxe was rebased to
+FrameBufferBltLib.
+
+The FrameBufferBltLib instance added in commit b1ca386074bd
+("MdeModulePkg: Add FrameBufferBltLib library instance") logs many
+messages on the VERBOSE level; for example, a normal boot with OVMF can
+produce 500+ "VideoFill" messages, dependent on the progress bar, when the
+VERBOSE bit is set in PcdDebugPrintErrorLevel.
+
+QemuVideoDxe itself doesn't log anything at the VERBOSE level, so we lose
+none of its messages this way.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(this patch was previously applied as commit 9b0d031dee7e823f6717bab73e422fbc6f0a6c52)
+(cherry picked from commit 9122d5f2e8d8d289064d1e1700cb61964d9931f3)
+(cherry picked from commit 7eb3be1d4ccafc26c11fe5afb95cc12b250ce6f0)
+---
+ OvmfPkg/OvmfPkgIa32.dsc    | 5 ++++-
+ OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++-
+ OvmfPkg/OvmfPkgX64.dsc     | 5 ++++-
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 57bf021..2b2e874 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -744,7 +744,10 @@
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+ 
+-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
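Review bot: The per-module override hard-codes the literal 0x8000004F, which is the previous platform-wide mask with the DEBUG_VERBOSE bit cleared. If the platform value of PcdDebugPrintErrorLevel is changed later, this override keeps the old bits and silently diverges from it. Define the non-verbose mask once, for example with a DEFINE in the DSC, and reference it from each override that silences DEBUG_VERBOSE.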
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 0e87c8f..892cc5e 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -753,7 +753,10 @@
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+ 
+-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 38ba204..e7cb582 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -751,7 +751,10 @@
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
+ 
+-  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf
++  OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
+ 
+   #
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0018-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch b/SOURCES/0018-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
new file mode 100644
index 0000000..3bea094
--- /dev/null
+++ b/SOURCES/0018-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
@@ -0,0 +1,92 @@
+From 5a27af700f49e00608f232f618dedd7bf5e9b3e6 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 21 Nov 2017 00:57:47 +0100
+Subject: OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in NvmExpressDxe (RH
+ only)
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Notes about the 20171011-92d07e48907f -> 20180508-ee3198e672e2 rebase:
+
+- no changes
+
+Message-id: <20171120235748.29669-7-pbonzini@redhat.com>
+Patchwork-id: 77759
+O-Subject:  [PATCH 6/7] OvmfPkg: silence EFI_D_VERBOSE (0x00400000) in
+	NvmExpressDxe (RH only)
+Bugzilla: 1488247
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Laszlo Ersek <lersek@redhat.com>
+
+NvmExpressDxe logs all BlockIo read & write calls on the EFI_D_VERBOSE
+level.
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(this patch was previously applied as commit 5f432837b9c60c2929b13dda1a1b488d5c3a6d2f)
+(cherry picked from commit 33e00146eb878588ad1395d7b1ae38f401729da4)
+(cherry picked from commit bd10cabcfcb1bc9a32b05062f4ee3792e27bc2d8)
+---
+ OvmfPkg/OvmfPkgIa32.dsc    | 5 ++++-
+ OvmfPkg/OvmfPkgIa32X64.dsc | 5 ++++-
+ OvmfPkg/OvmfPkgX64.dsc     | 5 ++++-
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index 2b2e874..f6d7833 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -738,7 +738,10 @@
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
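Review bot: The override block for NvmExpressDxe.inf carries no comment, so the reason it exists (the commit message says the driver logs all BlockIo read and write calls at EFI_D_VERBOSE) is not visible in the DSC once the patch is applied. Add a one-line `#` comment above the `<PcdsFixedAtBuild>` override stating that, so a later rebase does not drop it as unexplained.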
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 892cc5e..d6e628b 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -747,7 +747,10 @@
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index e7cb582..a9fe89c 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -745,7 +745,10 @@
+   OvmfPkg/SataControllerDxe/SataControllerDxe.inf
+   MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf
+   MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf
+-  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf
++  MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressDxe.inf {
++    <PcdsFixedAtBuild>
++      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F
++  }
+   MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf
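Review bot: because the mask is pinned per module under <PcdsFixedAtBuild>, NvmExpressDxe no longer follows the platform-wide PcdDebugPrintErrorLevel in either direction: a build that lowers the platform mask still gets INFO-level output from this driver, and a build that raises it gets no verbose NVMe traces. The same literal is now repeated in all three .dsc files, so any later change has to be made three times; a remark next to each override that the three must stay in sync would help.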
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0019-OvmfPkg-PlatformBootManagerLib-connect-consoles-unco.patch b/SOURCES/0019-OvmfPkg-PlatformBootManagerLib-connect-consoles-unco.patch
new file mode 100644
index 0000000..aef16e3
--- /dev/null
+++ b/SOURCES/0019-OvmfPkg-PlatformBootManagerLib-connect-consoles-unco.patch
@@ -0,0 +1,222 @@
+From fca819227b23a4d0597e3da42d7edce1da8fb0f4 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 15 May 2018 12:40:05 +0200
+Subject: OvmfPkg/PlatformBootManagerLib: connect consoles unconditionally
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Message-id: <20180515104005.12265-2-lersek@redhat.com>
+Patchwork-id: 80268
+O-Subject:  [RHEL-7.6 ovmf PATCH 1/1] OvmfPkg/PlatformBootManagerLib: connect
+	consoles unconditionally
+Bugzilla: 1577546
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+If both ConIn and ConOut exist, but ConIn references none of the PS/2
+keyboard, the USB wild-card keyboard, and any serial ports, then
+PlatformInitializeConsole() currently allows the boot to proceed without
+any input devices at all. This makes for a bad user experience -- the
+firmware menu could only be entered through OsIndications, set by a guest
+OS.
+
+Do what ArmVirtQemu does already, namely connect the consoles, and add
+them to ConIn / ConOut / ErrOut, unconditionally. (The underlying
+EfiBootManagerUpdateConsoleVariable() function checks for duplicates.)
+
+The issue used to be masked by the EfiBootManagerConnectAll() call that
+got conditionalized in commit 245c643cc8b7.
+
+This patch is best viewed with "git show -b -W".
+
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Jordan Justen <jordan.l.justen@intel.com>
+Fixes: 245c643cc8b73240c3b88cb55b2911b285a8c10d
+Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1577546
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+(cherry picked from commit f803c03cc2e0b6b0b0bed447a97ea2c61b04ed82)
+(cherry picked from commit 3e05bfc48cd7b2cf4c1cbfc1d0cd2572338fad1e)
+---
+ .../Library/PlatformBootManagerLib/BdsPlatform.c   | 127 +++++++--------------
+ 1 file changed, 44 insertions(+), 83 deletions(-)
+
+diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+index 862fa6eb..004b753 100644
+--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
++++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+@@ -26,7 +26,6 @@ VOID          *mEfiDevPathNotifyReg;
+ EFI_EVENT     mEfiDevPathEvent;
+ VOID          *mEmuVariableEventReg;
+ EFI_EVENT     mEmuVariableEvent;
+-BOOLEAN       mDetectVgaOnly;
+ UINT16        mHostBridgeDevId;
+ 
+ //
+@@ -830,35 +829,33 @@ DetectAndPreparePlatformPciDevicePath (
+     );
+   ASSERT_EFI_ERROR (Status);
+ 
+-  if (!mDetectVgaOnly) {
++  //
++  // Here we decide whether it is LPC Bridge
++  //
++  if ((IS_PCI_LPC (Pci)) ||
++      ((IS_PCI_ISA_PDECODE (Pci)) &&
++       (Pci->Hdr.VendorId == 0x8086) &&
++       (Pci->Hdr.DeviceId == 0x7000)
++      )
++     ) {
+     //
+-    // Here we decide whether it is LPC Bridge
++    // Add IsaKeyboard to ConIn,
++    // add IsaSerial to ConOut, ConIn, ErrOut
+     //
+-    if ((IS_PCI_LPC (Pci)) ||
+-        ((IS_PCI_ISA_PDECODE (Pci)) &&
+-         (Pci->Hdr.VendorId == 0x8086) &&
+-         (Pci->Hdr.DeviceId == 0x7000)
+-        )
+-       ) {
+-      //
+-      // Add IsaKeyboard to ConIn,
+-      // add IsaSerial to ConOut, ConIn, ErrOut
+-      //
+-      DEBUG ((EFI_D_INFO, "Found LPC Bridge device\n"));
+-      PrepareLpcBridgeDevicePath (Handle);
+-      return EFI_SUCCESS;
+-    }
++    DEBUG ((EFI_D_INFO, "Found LPC Bridge device\n"));
++    PrepareLpcBridgeDevicePath (Handle);
++    return EFI_SUCCESS;
++  }
++  //
++  // Here we decide which Serial device to enable in PCI bus
++  //
++  if (IS_PCI_16550SERIAL (Pci)) {
+     //
+-    // Here we decide which Serial device to enable in PCI bus
++    // Add them to ConOut, ConIn, ErrOut.
+     //
+-    if (IS_PCI_16550SERIAL (Pci)) {
+-      //
+-      // Add them to ConOut, ConIn, ErrOut.
+-      //
+-      DEBUG ((EFI_D_INFO, "Found PCI 16550 SERIAL device\n"));
+-      PreparePciSerialDevicePath (Handle);
+-      return EFI_SUCCESS;
+-    }
++    DEBUG ((EFI_D_INFO, "Found PCI 16550 SERIAL device\n"));
++    PreparePciSerialDevicePath (Handle);
++    return EFI_SUCCESS;
+   }
+ 
+   //
+@@ -878,26 +875,6 @@ DetectAndPreparePlatformPciDevicePath (
+ 
+ 
+ /**
+-  Do platform specific PCI Device check and add them to ConOut, ConIn, ErrOut
+-
+-  @param[in]  DetectVgaOnly - Only detect VGA device if it's TRUE.
+-
+-  @retval EFI_SUCCESS - PCI Device check and Console variable update
+-                        successfully.
+-  @retval EFI_STATUS - PCI Device check or Console variable update fail.
+-
+-**/
+-EFI_STATUS
+-DetectAndPreparePlatformPciDevicePaths (
+-  BOOLEAN DetectVgaOnly
+-  )
+-{
+-  mDetectVgaOnly = DetectVgaOnly;
+-  return VisitAllPciInstances (DetectAndPreparePlatformPciDevicePath);
+-}
+-
+-
+-/**
+   Connect the predefined platform default console device.
+ 
+   Always try to find and enable PCI display devices.
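Review bot: DetectAndPreparePlatformPciDevicePaths() is deleted here, but the diffstat lists only BdsPlatform.c, so any prototype for it in the library's header would be left dangling. Please confirm that no declaration remains, and that no comment elsewhere in the file still describes VGA-only detection now that mDetectVgaOnly is gone.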
+@@ -910,50 +887,34 @@ PlatformInitializeConsole (
+   )
+ {
+   UINTN                              Index;
+-  EFI_DEVICE_PATH_PROTOCOL           *VarConout;
+-  EFI_DEVICE_PATH_PROTOCOL           *VarConin;
+ 
+   //
+-  // Connect RootBridge
++  // Do platform specific PCI Device check and add them to ConOut, ConIn,
++  // ErrOut
+   //
+-  GetEfiGlobalVariable2 (EFI_CON_OUT_VARIABLE_NAME, (VOID **) &VarConout,
+-    NULL);
+-  GetEfiGlobalVariable2 (EFI_CON_IN_VARIABLE_NAME, (VOID **) &VarConin, NULL);
+-
+-  if (VarConout == NULL || VarConin == NULL) {
+-    //
+-    // Do platform specific PCI Device check and add them to ConOut, ConIn,
+-    // ErrOut
+-    //
+-    DetectAndPreparePlatformPciDevicePaths (FALSE);
++  VisitAllPciInstances (DetectAndPreparePlatformPciDevicePath);
+ 
++  //
++  // Have chance to connect the platform default console,
++  // the platform default console is the minimum device group
++  // the platform should support
++  //
++  for (Index = 0; PlatformConsole[Index].DevicePath != NULL; ++Index) {
+     //
+-    // Have chance to connect the platform default console,
+-    // the platform default console is the minimum device group
+-    // the platform should support
++    // Update the console variable with the connect type
+     //
+-    for (Index = 0; PlatformConsole[Index].DevicePath != NULL; ++Index) {
+-      //
+-      // Update the console variable with the connect type
+-      //
+-      if ((PlatformConsole[Index].ConnectType & CONSOLE_IN) == CONSOLE_IN) {
+-        EfiBootManagerUpdateConsoleVariable (ConIn,
+-          PlatformConsole[Index].DevicePath, NULL);
+-      }
+-      if ((PlatformConsole[Index].ConnectType & CONSOLE_OUT) == CONSOLE_OUT) {
+-        EfiBootManagerUpdateConsoleVariable (ConOut,
+-          PlatformConsole[Index].DevicePath, NULL);
+-      }
+-      if ((PlatformConsole[Index].ConnectType & STD_ERROR) == STD_ERROR) {
+-        EfiBootManagerUpdateConsoleVariable (ErrOut,
+-          PlatformConsole[Index].DevicePath, NULL);
+-      }
++    if ((PlatformConsole[Index].ConnectType & CONSOLE_IN) == CONSOLE_IN) {
++      EfiBootManagerUpdateConsoleVariable (ConIn,
++        PlatformConsole[Index].DevicePath, NULL);
++    }
++    if ((PlatformConsole[Index].ConnectType & CONSOLE_OUT) == CONSOLE_OUT) {
++      EfiBootManagerUpdateConsoleVariable (ConOut,
++        PlatformConsole[Index].DevicePath, NULL);
++    }
++    if ((PlatformConsole[Index].ConnectType & STD_ERROR) == STD_ERROR) {
++      EfiBootManagerUpdateConsoleVariable (ErrOut,
++        PlatformConsole[Index].DevicePath, NULL);
+     }
+-  } else {
+-    //
+-    // Only detect VGA device and add them to ConOut
+-    //
+-    DetectAndPreparePlatformPciDevicePaths (TRUE);
+   }
+ }
+ 
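Review bot: with the "VarConout == NULL || VarConin == NULL" guard removed, the loop over PlatformConsole[] re-adds every default device to ConIn, ConOut and ErrOut on each boot, so a console that an administrator took out of the persisted variables (a serial port removed from ConIn, for example) comes back on the next boot. That matches the commit message, but the function's comment block still only says "Connect the predefined platform default console device." and should state that the persisted variables are extended unconditionally. The return value of VisitAllPciInstances() is also dropped; a DEBUG line on error would keep a failed enumeration visible.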
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0020-ArmVirtPkg-PlatformBootManagerLib-connect-Virtio-RNG.patch b/SOURCES/0020-ArmVirtPkg-PlatformBootManagerLib-connect-Virtio-RNG.patch
new file mode 100644
index 0000000..7a4eb0f
--- /dev/null
+++ b/SOURCES/0020-ArmVirtPkg-PlatformBootManagerLib-connect-Virtio-RNG.patch
@@ -0,0 +1,215 @@
+From 402cfd944f9a6764daec96aef9eec4d2393c3a90 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 18 May 2018 21:40:23 +0200
+Subject: ArmVirtPkg/PlatformBootManagerLib: connect Virtio RNG devices again
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Message-id: <20180518194024.30614-2-lersek@redhat.com>
+Patchwork-id: 80426
+O-Subject:  [RHEL-7.6 ovmf PATCH 1/2] ArmVirtPkg/PlatformBootManagerLib: connect
+	Virtio RNG devices again
+Bugzilla: 1579518
+Acked-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Virtio RNG devices are never boot devices, so in commit ff1d0fbfbaec we
+stopped connecting them. This is a problem because an OS boot loader may
+depend on EFI_RNG_PROTOCOL to seed the OS's RNG.
+
+Connect Virtio RNG devices again. And, while commit ff1d0fbfbaec removed
+that from PlatformBootManagerAfterConsole(), reintroduce it now to
+PlatformBootManagerBeforeConsole() -- this way Driver#### options launched
+between both functions may access EFI_RNG_PROTOCOL too.
+
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Fixes: ff1d0fbfbaec55038ccf888759588fa4e21516f4
+Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1579518
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+(cherry picked from commit c4add6b6e971e0bb3f276ed3636a083e782e96cc)
+(cherry picked from commit 1d33f4bb28e1aa2c4d62979596140c22677a2e9f)
+---
+ .../Library/PlatformBootManagerLib/PlatformBm.c    | 129 +++++++++++++++++++++
+ .../PlatformBootManagerLib.inf                     |   1 +
+ 2 files changed, 130 insertions(+)
+
+diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
+index 5d5e51d..62cce6a 100644
+--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
++++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
+@@ -16,6 +16,7 @@
+ **/
+ 
+ #include <IndustryStandard/Pci22.h>
++#include <IndustryStandard/Virtio095.h>
+ #include <Library/BootLogoLib.h>
+ #include <Library/DevicePathLib.h>
+ #include <Library/PcdLib.h>
+@@ -27,6 +28,7 @@
+ #include <Protocol/LoadedImage.h>
+ #include <Protocol/PciIo.h>
+ #include <Protocol/PciRootBridgeIo.h>
++#include <Protocol/VirtioDevice.h>
+ #include <Guid/EventGroup.h>
+ #include <Guid/RootBridgesConnectedEventGroup.h>
+ 
+@@ -261,6 +263,121 @@ IsPciDisplay (
+ 
+ 
+ /**
++  This FILTER_FUNCTION checks if a handle corresponds to a Virtio RNG device at
++  the VIRTIO_DEVICE_PROTOCOL level.
++**/
++STATIC
++BOOLEAN
++EFIAPI
++IsVirtioRng (
++  IN EFI_HANDLE   Handle,
++  IN CONST CHAR16 *ReportText
++  )
++{
++  EFI_STATUS             Status;
++  VIRTIO_DEVICE_PROTOCOL *VirtIo;
++
++  Status = gBS->HandleProtocol (Handle, &gVirtioDeviceProtocolGuid,
++                  (VOID**)&VirtIo);
++  if (EFI_ERROR (Status)) {
++    return FALSE;
++  }
++  return (BOOLEAN)(VirtIo->SubSystemDeviceId ==
++                   VIRTIO_SUBSYSTEM_ENTROPY_SOURCE);
++}
++
++
++/**
++  This FILTER_FUNCTION checks if a handle corresponds to a Virtio RNG device at
++  the EFI_PCI_IO_PROTOCOL level.
++**/
++STATIC
++BOOLEAN
++EFIAPI
++IsVirtioPciRng (
++  IN EFI_HANDLE   Handle,
++  IN CONST CHAR16 *ReportText
++  )
++{
++  EFI_STATUS          Status;
++  EFI_PCI_IO_PROTOCOL *PciIo;
++  UINT16              VendorId;
++  UINT16              DeviceId;
++  UINT8               RevisionId;
++  BOOLEAN             Virtio10;
++  UINT16              SubsystemId;
++
++  Status = gBS->HandleProtocol (Handle, &gEfiPciIoProtocolGuid,
++                  (VOID**)&PciIo);
++  if (EFI_ERROR (Status)) {
++    return FALSE;
++  }
++
++  //
++  // Read and check VendorId.
++  //
++  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_VENDOR_ID_OFFSET,
++                        1, &VendorId);
++  if (EFI_ERROR (Status)) {
++    goto PciError;
++  }
++  if (VendorId != VIRTIO_VENDOR_ID) {
++    return FALSE;
++  }
++
++  //
++  // Read DeviceId and RevisionId.
++  //
++  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_DEVICE_ID_OFFSET,
++                        1, &DeviceId);
++  if (EFI_ERROR (Status)) {
++    goto PciError;
++  }
++  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, PCI_REVISION_ID_OFFSET,
++                        1, &RevisionId);
++  if (EFI_ERROR (Status)) {
++    goto PciError;
++  }
++
++  //
++  // From DeviceId and RevisionId, determine whether the device is a
++  // modern-only Virtio 1.0 device. In case of Virtio 1.0, DeviceId can
++  // immediately be restricted to VIRTIO_SUBSYSTEM_ENTROPY_SOURCE, and
++  // SubsystemId will only play a sanity-check role. Otherwise, DeviceId can
++  // only be sanity-checked, and SubsystemId will decide.
++  //
++  if (DeviceId == 0x1040 + VIRTIO_SUBSYSTEM_ENTROPY_SOURCE &&
++      RevisionId >= 0x01) {
++    Virtio10 = TRUE;
++  } else if (DeviceId >= 0x1000 && DeviceId <= 0x103F && RevisionId == 0x00) {
++    Virtio10 = FALSE;
++  } else {
++    return FALSE;
++  }
++
++  //
++  // Read and check SubsystemId as dictated by Virtio10.
++  //
++  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16,
++                        PCI_SUBSYSTEM_ID_OFFSET, 1, &SubsystemId);
++  if (EFI_ERROR (Status)) {
++    goto PciError;
++  }
++  if (Virtio10 && SubsystemId >= 0x40) {
++    return TRUE;
++  }
++  if (!Virtio10 && SubsystemId == VIRTIO_SUBSYSTEM_ENTROPY_SOURCE) {
++    return TRUE;
++  }
++  return FALSE;
++
++PciError:
++  DEBUG ((DEBUG_ERROR, "%a: %s: %r\n", __FUNCTION__, ReportText, Status));
++  return FALSE;
++}
++
++
++/**
+   This CALLBACK_FUNCTION attempts to connect a handle non-recursively, asking
+   the matching driver to produce all first-level child handles.
+ **/
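Review bot: the Virtio PCI ID checks in IsVirtioPciRng() use bare literals (0x1040, the 0x1000..0x103F range, and 0x40 for SubsystemId) next to the named VIRTIO_VENDOR_ID and VIRTIO_SUBSYSTEM_ENTROPY_SOURCE constants. Since this function decides which PCI devices the firmware binds as an entropy source, named macros for the modern device ID base and the transitional range would make the matching rule auditable against the Virtio specification. The same logic appears almost line for line in OvmfPkg's ConnectVirtioPciRng(), so a shared helper would keep the two from drifting.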
+@@ -644,6 +761,18 @@ PlatformBootManagerBeforeConsole (
+   // Register platform-specific boot options and keyboard shortcuts.
+   //
+   PlatformRegisterOptionsAndKeys ();
++
++  //
++  // At this point, VIRTIO_DEVICE_PROTOCOL instances exist only for Virtio MMIO
++  // transports. Install EFI_RNG_PROTOCOL instances on Virtio MMIO RNG devices.
++  //
++  FilterAndProcess (&gVirtioDeviceProtocolGuid, IsVirtioRng, Connect);
++
++  //
++  // Install both VIRTIO_DEVICE_PROTOCOL and (dependent) EFI_RNG_PROTOCOL
++  // instances on Virtio PCI RNG devices.
++  //
++  FilterAndProcess (&gEfiPciIoProtocolGuid, IsVirtioPciRng, Connect);
+ }
+ 
+ /**
+diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+index 1e22f8b..d6c1ef9 100644
+--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
++++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+@@ -83,3 +83,4 @@
+   gEfiLoadedImageProtocolGuid
+   gEfiPciRootBridgeIoProtocolGuid
+   gEfiSimpleFileSystemProtocolGuid
++  gVirtioDeviceProtocolGuid
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0021-OvmfPkg-PlatformBootManagerLib-connect-Virtio-RNG-de.patch b/SOURCES/0021-OvmfPkg-PlatformBootManagerLib-connect-Virtio-RNG-de.patch
new file mode 100644
index 0000000..6918750
--- /dev/null
+++ b/SOURCES/0021-OvmfPkg-PlatformBootManagerLib-connect-Virtio-RNG-de.patch
@@ -0,0 +1,188 @@
+From 3f2be5f30bbd996473e7336b29ac43795d999676 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 18 May 2018 21:40:24 +0200
+Subject: OvmfPkg/PlatformBootManagerLib: connect Virtio RNG devices again
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+- no changes to the patch body
+
+Message-id: <20180518194024.30614-3-lersek@redhat.com>
+Patchwork-id: 80427
+O-Subject:  [RHEL-7.6 ovmf PATCH 2/2] OvmfPkg/PlatformBootManagerLib: connect
+	Virtio RNG devices again
+Bugzilla: 1579518
+Acked-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Virtio RNG devices are never boot devices, so in commit 245c643cc8b7 we
+stopped connecting them. This is a problem because an OS boot loader may
+depend on EFI_RNG_PROTOCOL to seed the OS's RNG.
+
+Connect Virtio RNG devices again. And, while commit 245c643cc8b7 removed
+that from PlatformBootManagerAfterConsole(), reintroduce it now to
+PlatformBootManagerBeforeConsole() -- this way Driver#### options launched
+between both functions may access EFI_RNG_PROTOCOL too.
+
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Jordan Justen <jordan.l.justen@intel.com>
+Fixes: 245c643cc8b73240c3b88cb55b2911b285a8c10d
+Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1579518
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+(cherry picked from commit 7ebad830d6ab61f0395f6f4bae4156664bbd8086)
+(cherry picked from commit 4c7e315ccb97dd7c3dc7f38e22b84ffbc4df90e3)
+---
+ .../Library/PlatformBootManagerLib/BdsPlatform.c   | 105 +++++++++++++++++++++
+ .../Library/PlatformBootManagerLib/BdsPlatform.h   |   1 +
+ 2 files changed, 106 insertions(+)
+
+diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+index 004b753..5d4d323 100644
+--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
++++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+@@ -319,6 +319,15 @@ ConnectRootBridge (
+   );
+ 
+ STATIC
++EFI_STATUS
++EFIAPI
++ConnectVirtioPciRng (
++  IN EFI_HANDLE Handle,
++  IN VOID       *Instance,
++  IN VOID       *Context
++  );
++
++STATIC
+ VOID
+ SaveS3BootScript (
+   VOID
+@@ -399,6 +408,13 @@ PlatformBootManagerBeforeConsole (
+   ASSERT_RETURN_ERROR (PcdStatus);
+ 
+   PlatformRegisterOptionsAndKeys ();
++
++  //
++  // Install both VIRTIO_DEVICE_PROTOCOL and (dependent) EFI_RNG_PROTOCOL
++  // instances on Virtio PCI RNG devices.
++  //
++  VisitAllInstancesOfProtocol (&gEfiPciIoProtocolGuid, ConnectVirtioPciRng,
++    NULL);
+ }
+ 
+ 
+@@ -427,6 +443,95 @@ ConnectRootBridge (
+ }
+ 
+ 
++STATIC
++EFI_STATUS
++EFIAPI
++ConnectVirtioPciRng (
++  IN EFI_HANDLE Handle,
++  IN VOID       *Instance,
++  IN VOID       *Context
++  )
++{
++  EFI_PCI_IO_PROTOCOL *PciIo;
++  EFI_STATUS          Status;
++  UINT16              VendorId;
++  UINT16              DeviceId;
++  UINT8               RevisionId;
++  BOOLEAN             Virtio10;
++  UINT16              SubsystemId;
++
++  PciIo = Instance;
++
++  //
++  // Read and check VendorId.
++  //
++  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_VENDOR_ID_OFFSET,
++                        1, &VendorId);
++  if (EFI_ERROR (Status)) {
++    goto Error;
++  }
++  if (VendorId != VIRTIO_VENDOR_ID) {
++    return EFI_SUCCESS;
++  }
++
++  //
++  // Read DeviceId and RevisionId.
++  //
++  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_DEVICE_ID_OFFSET,
++                        1, &DeviceId);
++  if (EFI_ERROR (Status)) {
++    goto Error;
++  }
++  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, PCI_REVISION_ID_OFFSET,
++                        1, &RevisionId);
++  if (EFI_ERROR (Status)) {
++    goto Error;
++  }
++
++  //
++  // From DeviceId and RevisionId, determine whether the device is a
++  // modern-only Virtio 1.0 device. In case of Virtio 1.0, DeviceId can
++  // immediately be restricted to VIRTIO_SUBSYSTEM_ENTROPY_SOURCE, and
++  // SubsystemId will only play a sanity-check role. Otherwise, DeviceId can
++  // only be sanity-checked, and SubsystemId will decide.
++  //
++  if (DeviceId == 0x1040 + VIRTIO_SUBSYSTEM_ENTROPY_SOURCE &&
++      RevisionId >= 0x01) {
++    Virtio10 = TRUE;
++  } else if (DeviceId >= 0x1000 && DeviceId <= 0x103F && RevisionId == 0x00) {
++    Virtio10 = FALSE;
++  } else {
++    return EFI_SUCCESS;
++  }
++
++  //
++  // Read and check SubsystemId as dictated by Virtio10.
++  //
++  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16,
++                        PCI_SUBSYSTEM_ID_OFFSET, 1, &SubsystemId);
++  if (EFI_ERROR (Status)) {
++    goto Error;
++  }
++  if ((Virtio10 && SubsystemId >= 0x40) ||
++      (!Virtio10 && SubsystemId == VIRTIO_SUBSYSTEM_ENTROPY_SOURCE)) {
++    Status = gBS->ConnectController (
++                    Handle, // ControllerHandle
++                    NULL,   // DriverImageHandle -- connect all drivers
++                    NULL,   // RemainingDevicePath -- produce all child handles
++                    FALSE   // Recursive -- don't follow child handles
++                    );
++    if (EFI_ERROR (Status)) {
++      goto Error;
++    }
++  }
++  return EFI_SUCCESS;
++
++Error:
++  DEBUG ((DEBUG_ERROR, "%a: %r\n", __FUNCTION__, Status));
++  return Status;
++}
++
++
+ /**
+   Add IsaKeyboard to ConIn; add IsaSerial to ConOut, ConIn, ErrOut.
+ 
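Review bot: the Error path logs only "%a: %r", so a failed config-space read or ConnectController() call cannot be tied to a device; the ArmVirtPkg counterpart IsVirtioPciRng() prints ReportText for that purpose, and logging Handle here would give the same traceability. Also, unlike the ArmVirtPkg filter, which returns FALSE and moves on, this callback returns the failure Status to VisitAllInstancesOfProtocol(), whose result the caller discards. Please confirm that the visitor keeps iterating after a callback error; otherwise one unreadable PCI function could leave a later Virtio RNG device unconnected and the boot loader without EFI_RNG_PROTOCOL.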
+diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.h b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.h
+index 97ffbb5..4948ca6 100644
+--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.h
++++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.h
+@@ -30,6 +30,7 @@ Abstract:
+ #include <IndustryStandard/Acpi.h>
+ #include <IndustryStandard/SmBios.h>
+ #include <IndustryStandard/PeImage.h>
++#include <IndustryStandard/Virtio095.h>
+ 
+ #include <Library/DebugLib.h>
+ #include <Library/BaseMemoryLib.h>
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0027-BaseTools-tools_def-add-fno-unwind-tables-to-GCC_AAR.patch b/SOURCES/0027-BaseTools-tools_def-add-fno-unwind-tables-to-GCC_AAR.patch
new file mode 100644
index 0000000..080f995
--- /dev/null
+++ b/SOURCES/0027-BaseTools-tools_def-add-fno-unwind-tables-to-GCC_AAR.patch
@@ -0,0 +1,73 @@
+From 7ef29963526aa451b1101e4b92e47d3028c9035a Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 18 May 2018 19:20:32 +0200
+Subject: BaseTools/tools_def: add "-fno-unwind-tables" to GCC_AARCH64_CC_FLAGS
+
+Notes about the RHEL-7.6/ovmf-20180508-2.gitee3198e672e2.el7 ->
+RHEL-8.0/20180508-ee3198e672e2 rebase:
+
+- reorder the rebase changelog in the commit message so that it reads like
+  a blog: place more recent entries near the top
+
+- in RHEL-8.0 Alpha, this patch was applied downstream-only, for fixing
+  RHBZ#1579525. Since then, the patch has been upstreamed, and now it is
+  cherry-picked from upstream.
+
+The ElfConvert routines in GenFw don't handle the ".eh_frame" ELF section
+emitted by gcc. For this reason, Leif disabled the generation of that
+section for AARCH64 with "-fno-asynchronous-unwind-tables" in commit
+28e80befa4fe [1], and Ard did the same for IA32 and X64 in commit
+26ecc55c027d [2]. (The CLANG38 toolchain received the same flag at its
+inception, in commit 6f756db5ea05 [3].)
+
+However, ".eh_frame" is back now; in upstream gcc commit 9cbee213b579 [4]
+(part of tag "gcc-8_1_0-release"), both "-fasynchronous-unwind-tables" and
+"-funwind-tables" were made the default for AARCH64. (The patch author
+described the effects on the gcc mailing list [5].) We have to counter the
+latter flag with "-fno-unwind-tables", otherwise GenFw chokes on
+".eh_frame" again (triggered for example on Fedora 28).
+
+"-f[no-]unwind-tables" goes back to at least gcc-4.4 [6], so it's safe to
+add to GCC_AARCH64_CC_FLAGS.
+
+[1] https://github.com/tianocore/edk2/commit/28e80befa4fe
+[2] https://github.com/tianocore/edk2/commit/26ecc55c027d
+[3] https://github.com/tianocore/edk2/commit/6f756db5ea05
+[4] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=9cbee213b579
+[5] http://mid.mail-archive.com/7b28c03a-c032-6cec-c127-1c12cbe98eeb@foss.arm.com
+[6] https://gcc.gnu.org/onlinedocs/gcc-4.4.7/gcc/Code-Gen-Options.html
+
+Cc: "Danilo C. L. de Paula" <ddepaula@redhat.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Cole Robinson <crobinso@redhat.com>
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Cc: Leif Lindholm <leif.lindholm@linaro.org>
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Reported-by: "Danilo C. L. de Paula" <ddepaula@redhat.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Liming Gao <liming.gao@intel.com>
+(cherry picked from commit cbf00651eda6818ca3c76115b8a18e3f6b23eef4)
+---
+ BaseTools/Conf/tools_def.template | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
+index 03d7000..9429033 100755
+--- a/BaseTools/Conf/tools_def.template
++++ b/BaseTools/Conf/tools_def.template
+@@ -4537,7 +4537,7 @@ DEFINE GCC_X64_CC_FLAGS            = DEF(GCC_ALL_CC_FLAGS) -mno-red-zone -Wno-ad
+ DEFINE GCC_IPF_CC_FLAGS            = DEF(GCC_ALL_CC_FLAGS) -minline-int-divide-min-latency
+ DEFINE GCC_ARM_CC_FLAGS            = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -mfloat-abi=soft -fno-pic -fno-pie
+ DEFINE GCC_ARM_CC_XIPFLAGS         = -mno-unaligned-access
+-DEFINE GCC_AARCH64_CC_FLAGS        = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -fno-short-enums -fverbose-asm -funsigned-char  -ffunction-sections -fdata-sections -Wno-address -fno-asynchronous-unwind-tables -fno-pic -fno-pie -ffixed-x18
++DEFINE GCC_AARCH64_CC_FLAGS        = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -fno-short-enums -fverbose-asm -funsigned-char  -ffunction-sections -fdata-sections -Wno-address -fno-asynchronous-unwind-tables -fno-unwind-tables -fno-pic -fno-pie -ffixed-x18
+ DEFINE GCC_AARCH64_CC_XIPFLAGS     = -mstrict-align -mgeneral-regs-only
+ DEFINE GCC_DLINK_FLAGS_COMMON      = -nostdlib --pie
+ DEFINE GCC_DLINK2_FLAGS_COMMON     = -Wl,--script=$(EDK_TOOLS_PATH)/Scripts/GccBase.lds
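Review bot: the reason "-fno-unwind-tables" has to sit beside "-fno-asynchronous-unwind-tables" is recorded only in the commit message; on the GCC_AARCH64_CC_FLAGS line itself the pair looks redundant and is easy to trim later. A short comment above the DEFINE, saying that GenFw cannot handle the ".eh_frame" section and that gcc enables both options by default for AARCH64 as of gcc-8_1_0-release, would protect it. The GCC_ARM_CC_FLAGS line in the context carries neither flag, so it is worth stating whether ARM builds are unaffected.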
+-- 
+1.8.3.1
+
diff --git a/SOURCES/LICENSE.qosb b/SOURCES/LICENSE.qosb
new file mode 100644
index 0000000..9849381
--- /dev/null
+++ b/SOURCES/LICENSE.qosb
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Patrick Uiterwijk
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/SOURCES/edk2-ArmVirtPkg-ArmVirtQemu-enable-the-IPv6-stack.patch b/SOURCES/edk2-ArmVirtPkg-ArmVirtQemu-enable-the-IPv6-stack.patch
new file mode 100644
index 0000000..aba9574
--- /dev/null
+++ b/SOURCES/edk2-ArmVirtPkg-ArmVirtQemu-enable-the-IPv6-stack.patch
@@ -0,0 +1,197 @@
+From eff60320e87dcda19a50de4f1ac05af4a5e1b133 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 18 Jul 2018 00:18:19 +0200
+Subject: [PATCH 3/6] ArmVirtPkg/ArmVirtQemu: enable the IPv6 stack
+
+Message-id: <20180717221822.13110-3-lersek@redhat.com>
+Patchwork-id: 81375
+O-Subject:  [RHEL8/virt212 edk2 PATCH 2/5] ArmVirtPkg/ArmVirtQemu: enable the
+	IPv6 stack
+Bugzilla: 1536627
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Wei Huang <wei@redhat.com>
+
+Add the IPv6 stack to ArmVirtQemu with a cumulative port of the following
+OvmfPkg commits:
+
+* 36c6413f76e5 "OvmfPkg: enable the IPv6 support", 2014-12-19
+
+* 96302b80d90e "OvmfPkg: Enable Network2 Shell Commands for IPv6",
+               2016-03-08
+
+* 6d0f8941bdc2 "OvmfPkg: always resolve OpenSslLib, IntrinsicLib and
+               BaseCryptLib", 2017-01-17
+
+* 32e22f20c985 "OvmfPkg: correct the IScsiDxe module included for the IPv6
+               stack", 2017-01-17
+
+The IPv6-enabled IScsiDxe driver depends on BaseCryptLib, and the
+"CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf" instance depends on
+IntrinsicLib and OpensslLib. This is why commit 6d0f8941bdc2 is relevant.
+
+However, unlike in OvmfPkg, in ArmVirtPkg we'll precisely track the
+firmware features that require these library classes. (The OvmfPkg
+discussion was quite complex, and the OvmfPkg solution was a compromise:
+<http://mid.mail-archive.com/1484569332-13440-1-git-send-email-jiaxin.wu@intel.com>.)
+
+The ArmVirtXen platform is not extended with the relevant drivers because
+currently it doesn't include any networking support.
+
+Cc: Julien Grall <julien.grall@linaro.org>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1007
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+(cherry picked from commit ae08ea246fe9b4a4e05b7ee6cdbd5b0fa38f3f69)
+---
+ ArmVirtPkg/ArmVirt.dsc.inc           | 18 +++++++++++++++---
+ ArmVirtPkg/ArmVirtQemu.dsc           | 13 ++++++++++++-
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 12 +++++++++++-
+ ArmVirtPkg/ArmVirtQemuKernel.dsc     | 13 ++++++++++++-
+ 4 files changed, 50 insertions(+), 6 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
+index 2bb8860..f031e81 100644
+--- a/ArmVirtPkg/ArmVirt.dsc.inc
++++ b/ArmVirtPkg/ArmVirt.dsc.inc
+@@ -80,6 +80,9 @@
+   DpcLib|MdeModulePkg/Library/DxeDpcLib/DxeDpcLib.inf
+   UdpIoLib|MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.inf
+   IpIoLib|MdeModulePkg/Library/DxeIpIoLib/DxeIpIoLib.inf
++!if $(NETWORK_IP6_ENABLE) == TRUE
++  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
++!endif
+ !if $(HTTP_BOOT_ENABLE) == TRUE
+   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
+ !endif
+@@ -141,14 +144,20 @@
+   XenIoMmioLib|OvmfPkg/Library/XenIoMmioLib/XenIoMmioLib.inf
+ 
+   #
+-  # Secure Boot dependencies
++  # CryptoPkg libraries needed by multiple firmware features
+   #
+-!if $(SECURE_BOOT_ENABLE) == TRUE
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE)
+   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
++  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
++!endif
++
++  #
++  # Secure Boot dependencies
++  #
++!if $(SECURE_BOOT_ENABLE) == TRUE
+   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+-  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+ 
+   # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
+   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
+@@ -403,6 +412,9 @@
+       NULL|ShellPkg/Library/UefiShellDebug1CommandsLib/UefiShellDebug1CommandsLib.inf
+       NULL|ShellPkg/Library/UefiShellInstall1CommandsLib/UefiShellInstall1CommandsLib.inf
+       NULL|ShellPkg/Library/UefiShellNetwork1CommandsLib/UefiShellNetwork1CommandsLib.inf
++!if $(NETWORK_IP6_ENABLE) == TRUE
++      NULL|ShellPkg/Library/UefiShellNetwork2CommandsLib/UefiShellNetwork2CommandsLib.inf
++!endif
+       HandleParsingLib|ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.inf
+       PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
+       BcfgCommandLib|ShellPkg/Library/UefiShellBcfgCommandLib/UefiShellBcfgCommandLib.inf
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index bb9d7c8..41ff17d 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -34,6 +34,7 @@
+   # -D FLAG=VALUE
+   #
+   DEFINE SECURE_BOOT_ENABLE      = FALSE
++  DEFINE NETWORK_IP6_ENABLE      = FALSE
+   DEFINE HTTP_BOOT_ENABLE        = FALSE
+ 
+ !include ArmVirtPkg/ArmVirt.dsc.inc
+@@ -353,10 +354,20 @@
+   MdeModulePkg/Universal/Network/MnpDxe/MnpDxe.inf
+   MdeModulePkg/Universal/Network/VlanConfigDxe/VlanConfigDxe.inf
+   MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Dxe.inf
+-  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
+   MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Dxe.inf
++!if $(NETWORK_IP6_ENABLE) == TRUE
++  NetworkPkg/Ip6Dxe/Ip6Dxe.inf
++  NetworkPkg/TcpDxe/TcpDxe.inf
++  NetworkPkg/Udp6Dxe/Udp6Dxe.inf
++  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
++  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
++  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
++  NetworkPkg/IScsiDxe/IScsiDxe.inf
++!else
++  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
+   MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
+   MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
++!endif
+ !if $(HTTP_BOOT_ENABLE) == TRUE
+   NetworkPkg/DnsDxe/DnsDxe.inf
+   NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 8941b7f..82d9cbd 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -125,10 +125,20 @@ READ_LOCK_STATUS   = TRUE
+   INF MdeModulePkg/Universal/Network/MnpDxe/MnpDxe.inf
+   INF MdeModulePkg/Universal/Network/VlanConfigDxe/VlanConfigDxe.inf
+   INF MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Dxe.inf
+-  INF MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
+   INF MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Dxe.inf
++!if $(NETWORK_IP6_ENABLE) == TRUE
++  INF NetworkPkg/Ip6Dxe/Ip6Dxe.inf
++  INF NetworkPkg/TcpDxe/TcpDxe.inf
++  INF NetworkPkg/Udp6Dxe/Udp6Dxe.inf
++  INF NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
++  INF NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
++  INF NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
++  INF NetworkPkg/IScsiDxe/IScsiDxe.inf
++!else
++  INF MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
+   INF MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
+   INF MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
++!endif
+ !if $(HTTP_BOOT_ENABLE) == TRUE
+   INF NetworkPkg/DnsDxe/DnsDxe.inf
+   INF NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index 9027805..83fc12f 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -34,6 +34,7 @@
+   # -D FLAG=VALUE
+   #
+   DEFINE SECURE_BOOT_ENABLE      = FALSE
++  DEFINE NETWORK_IP6_ENABLE      = FALSE
+   DEFINE HTTP_BOOT_ENABLE        = FALSE
+ 
+ !include ArmVirtPkg/ArmVirt.dsc.inc
+@@ -336,10 +337,20 @@
+   MdeModulePkg/Universal/Network/MnpDxe/MnpDxe.inf
+   MdeModulePkg/Universal/Network/VlanConfigDxe/VlanConfigDxe.inf
+   MdeModulePkg/Universal/Network/Mtftp4Dxe/Mtftp4Dxe.inf
+-  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
+   MdeModulePkg/Universal/Network/Udp4Dxe/Udp4Dxe.inf
++!if $(NETWORK_IP6_ENABLE) == TRUE
++  NetworkPkg/Ip6Dxe/Ip6Dxe.inf
++  NetworkPkg/TcpDxe/TcpDxe.inf
++  NetworkPkg/Udp6Dxe/Udp6Dxe.inf
++  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
++  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
++  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
++  NetworkPkg/IScsiDxe/IScsiDxe.inf
++!else
++  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
+   MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
+   MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
++!endif
+ !if $(HTTP_BOOT_ENABLE) == TRUE
+   NetworkPkg/DnsDxe/DnsDxe.inf
+   NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
+-- 
+1.8.3.1
+
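Review bot: The new comment in the second ArmVirt.dsc.inc hunk, "CryptoPkg libraries needed by multiple firmware features", does not name those features, so nothing next to `!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE)` tells a later editor why the IPv6 term is there. The commit message gives the reason (the IPv6-enabled IScsiDxe depends on BaseCryptLib, which depends on IntrinsicLib and OpensslLib); please carry that into the comment so the condition is not narrowed by mistake. A second point: the same seven-entry `!if $(NETWORK_IP6_ENABLE) == TRUE` / `!else` driver list is now repeated in ArmVirtQemu.dsc, ArmVirtQemuFvMain.fdf.inc and ArmVirtQemuKernel.dsc, so a short comment in each copy pointing at the other two would make it harder for them to drift apart.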
diff --git a/SOURCES/edk2-ArmVirtPkg-unify-HttpLib-resolutions-in-ArmVirt.dsc..patch b/SOURCES/edk2-ArmVirtPkg-unify-HttpLib-resolutions-in-ArmVirt.dsc..patch
new file mode 100644
index 0000000..bf902a8
--- /dev/null
+++ b/SOURCES/edk2-ArmVirtPkg-unify-HttpLib-resolutions-in-ArmVirt.dsc..patch
@@ -0,0 +1,76 @@
+From c51468996553e70659b85a24cbdad61a27dac952 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 18 Jul 2018 00:18:18 +0200
+Subject: [PATCH 2/6] ArmVirtPkg: unify HttpLib resolutions in
+ "ArmVirt.dsc.inc"
+
+Message-id: <20180717221822.13110-2-lersek@redhat.com>
+Patchwork-id: 81376
+O-Subject:  [RHEL8/virt212 edk2 PATCH 1/5] ArmVirtPkg: unify HttpLib resolutions
+	in "ArmVirt.dsc.inc"
+Bugzilla: 1536627
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Wei Huang <wei@redhat.com>
+
+We already resolve a number of networking-related library classes in
+ArmVirt.dsc.inc; follow suit with HttpLib.
+
+Cc: Julien Grall <julien.grall@linaro.org>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1007
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+(cherry picked from commit 77b702bfa4947caaa6b4b04730820d91bdf07b03)
+---
+ ArmVirtPkg/ArmVirt.dsc.inc       | 3 +++
+ ArmVirtPkg/ArmVirtQemu.dsc       | 4 ----
+ ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ----
+ 3 files changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
+index 35bccb3d..2bb8860 100644
+--- a/ArmVirtPkg/ArmVirt.dsc.inc
++++ b/ArmVirtPkg/ArmVirt.dsc.inc
+@@ -80,6 +80,9 @@
+   DpcLib|MdeModulePkg/Library/DxeDpcLib/DxeDpcLib.inf
+   UdpIoLib|MdeModulePkg/Library/DxeUdpIoLib/DxeUdpIoLib.inf
+   IpIoLib|MdeModulePkg/Library/DxeIpIoLib/DxeIpIoLib.inf
++!if $(HTTP_BOOT_ENABLE) == TRUE
++  HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
++!endif
+ 
+   #
+   # It is not possible to prevent the ARM compiler from inserting calls to intrinsic functions.
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 035b729..bb9d7c8 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -63,10 +63,6 @@
+   PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf
+   PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
+ 
+-!if $(HTTP_BOOT_ENABLE) == TRUE
+-  HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
+-!endif
+-
+ [LibraryClasses.common.PEIM]
+   ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf
+ 
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index 1981aae..9027805 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -63,10 +63,6 @@
+   PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf
+   PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
+ 
+-!if $(HTTP_BOOT_ENABLE) == TRUE
+-  HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
+-!endif
+-
+ [LibraryClasses.common.UEFI_DRIVER]
+   UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
+ 
+-- 
+1.8.3.1
+
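Review bot: The ArmVirt.dsc.inc hunk shows the HttpLib resolution landing after `IpIoLib|...`, but the section header it falls under is outside the context, while the removed copies sat directly above `[LibraryClasses.common.PEIM]` and `[LibraryClasses.common.UEFI_DRIVER]`. Please state in the commit message that the target section has the same scope as the two removed ones, so a reader can confirm the resolution is unchanged for the module types that consume HttpLib. Note also that the include file now tests `$(HTTP_BOOT_ENABLE)` itself, so every platform DSC that includes ArmVirt.dsc.inc has to define that macro before the `!include`; a one-line comment above the `!if` would record that requirement.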
diff --git a/SOURCES/edk2-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch b/SOURCES/edk2-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch
new file mode 100644
index 0000000..2cd5f00
--- /dev/null
+++ b/SOURCES/edk2-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch
@@ -0,0 +1,273 @@
+From 29c394f110b1f769e629e8775874261e33d4abd9 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 24 Oct 2018 21:03:45 +0200
+Subject: [PATCH 4/4] BaseTools: Add more checker in Decompress algorithm to
+ access the valid buffer (CVE FIX)
+
+Message-id: <20181024190345.15288-5-lersek@redhat.com>
+Patchwork-id: 82886
+O-Subject:  [RHEL8 edk2 PATCH 4/4] BaseTools: Add more checker in Decompress
+	algorithm to access the valid buffer (CVE FIX)
+Bugzilla: 1641445
+1641453
+1641464
+1641469
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+--v-- RHEL8 note start --v--
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641445
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641453
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641464
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641469
+
+Unfortunately, the upstream patch series was not structured according to
+the CVE reports. This patch contributes to fixing:
+
+- CVE-2017-5731
+- CVE-2017-5733
+- CVE-2017-5734
+- CVE-2017-5735
+
+but not CVE-2017-5732 (contrarily to the upstream commit message). The
+best I could achieve up-stream was to get the "CVE FIX" expression into
+the subject, and a whole-sale dump of the CVEs into the body. I had not
+been invited to the original (off-list, embargoed) analysis and review.
+
+The differences that "git-backport-diff" reports as "functional" for this
+backport aren't actually functional differences. They are due to
+downstream lacking two upstream commits:
+
+- f7496d717357 ("BaseTools: Clean up source files", 2018-07-09), with the
+  "usual" diffstat "289 files changed, 10645 insertions(+), 10645
+  deletions(-)";
+
+- more importantly, 472eb3b89682 ("BaseTools: Add --uefi option to enable
+  UefiCompress method", 2018-10-13).
+
+(Side note: in upstream, commit 472eb3b89682 was incorrectly reverted as
+part of 1ccc4d895dd8 ("Revert BaseTools: PYTHON3 migration", 2018-10-15),
+but then it was re-applied in f1400101a732.)
+
+In commit 472eb3b89682, the "UEFI" compression/decompression method was
+added to BaseTools, beyond the original "Tiano" method. This caused the
+Tiano method to be indented more deeply, in the main() function of
+"TianoCompress.c". (Also the original Decompress() function was renamed to
+TDecompress().) The CVE fix applies to the "Tiano" method, which RHEL8
+does have, but at a different nesting level. Therefore the changes have
+been backported manually, and the difference in indentation is also why
+"git-backport-diff" thinks the changes are functional.
+
+This backport, once applied, can be diffed against the upstream tree more
+easily as follows:
+
+  git diff -b HEAD..041d89bc0f01 -- \
+    BaseTools/Source/C/Common/Decompress.c \
+    BaseTools/Source/C/TianoCompress/TianoCompress.c
+
+--^-- RHEL8 note end --^--
+
+Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735
+https://bugzilla.tianocore.org/show_bug.cgi?id=686
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com>
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Reviewed-by: Star Zeng <star.zeng@intel.com>
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 041d89bc0f0119df37a5fce1d0f16495ff905089)
+---
+ BaseTools/Source/C/Common/Decompress.c           | 23 +++++++++++++++++++--
+ BaseTools/Source/C/TianoCompress/TianoCompress.c | 26 +++++++++++++++++++++++-
+ 2 files changed, 46 insertions(+), 3 deletions(-)
+
+diff --git a/BaseTools/Source/C/Common/Decompress.c b/BaseTools/Source/C/Common/Decompress.c
+index 8f1afb4..bdc10f5 100644
+--- a/BaseTools/Source/C/Common/Decompress.c
++++ b/BaseTools/Source/C/Common/Decompress.c
+@@ -194,12 +194,16 @@ Returns:
+   UINT16  Avail;
+   UINT16  NextCode;
+   UINT16  Mask;
++  UINT16  MaxTableLength;
+ 
+   for (Index = 1; Index <= 16; Index++) {
+     Count[Index] = 0;
+   }
+ 
+   for (Index = 0; Index < NumOfChar; Index++) {
++    if (BitLen[Index] > 16) {
++      return (UINT16) BAD_TABLE;
++    }
+     Count[BitLen[Index]]++;
+   }
+ 
+@@ -237,6 +241,7 @@ Returns:
+ 
+   Avail = NumOfChar;
+   Mask  = (UINT16) (1U << (15 - TableBits));
++  MaxTableLength = (UINT16) (1U << TableBits);
+ 
+   for (Char = 0; Char < NumOfChar; Char++) {
+ 
+@@ -250,6 +255,9 @@ Returns:
+     if (Len <= TableBits) {
+ 
+       for (Index = Start[Len]; Index < NextCode; Index++) {
++        if (Index >= MaxTableLength) {
++          return (UINT16) BAD_TABLE;
++        }
+         Table[Index] = Char;
+       }
+ 
+@@ -643,10 +651,14 @@ Returns: (VOID)
+ 
+       BytesRemain--;
+       while ((INT16) (BytesRemain) >= 0) {
+-        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+         if (Sd->mOutBuf >= Sd->mOrigSize) {
+           return ;
+         }
++        if (DataIdx >= Sd->mOrigSize) {
++          Sd->mBadTableFlag = (UINT16) BAD_TABLE;
++          return ;
++        }
++        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+ 
+         BytesRemain--;
+       }
+@@ -684,6 +696,7 @@ Returns:
+ --*/
+ {
+   UINT8 *Src;
++  UINT32 CompSize;
+ 
+   *ScratchSize  = sizeof (SCRATCH_DATA);
+ 
+@@ -692,7 +705,13 @@ Returns:
+     return EFI_INVALID_PARAMETER;
+   }
+ 
++  CompSize = Src[0] + (Src[1] << 8) + (Src[2] << 16) + (Src[3] << 24);
+   *DstSize = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24);
++
++  if (SrcSize < CompSize + 8 || (CompSize + 8) < 8) {
++    return EFI_INVALID_PARAMETER;
++  }
++
+   return EFI_SUCCESS;
+ }
+ 
+@@ -752,7 +771,7 @@ Returns:
+   CompSize  = Src[0] + (Src[1] << 8) + (Src[2] << 16) + (Src[3] << 24);
+   OrigSize  = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24);
+ 
+-  if (SrcSize < CompSize + 8) {
++  if (SrcSize < CompSize + 8 || (CompSize + 8) < 8) {
+     return EFI_INVALID_PARAMETER;
+   }
+ 
+diff --git a/BaseTools/Source/C/TianoCompress/TianoCompress.c b/BaseTools/Source/C/TianoCompress/TianoCompress.c
+index 046fb36..d07fd9e 100644
+--- a/BaseTools/Source/C/TianoCompress/TianoCompress.c
++++ b/BaseTools/Source/C/TianoCompress/TianoCompress.c
+@@ -1753,6 +1753,7 @@ Returns:
+   SCRATCH_DATA      *Scratch;
+   UINT8      *Src;
+   UINT32     OrigSize;
++  UINT32     CompSize;
+ 
+   SetUtilityName(UTILITY_NAME);
+   
+@@ -1761,6 +1762,7 @@ Returns:
+   OutBuffer = NULL;
+   Scratch   = NULL;
+   OrigSize = 0;
++  CompSize = 0;
+   InputLength = 0;
+   InputFileName = NULL;
+   OutputFileName = NULL;
+@@ -1979,15 +1981,24 @@ Returns:
+   if (DebugMode) {
+     DebugMsg(UTILITY_NAME, 0, DebugLevel, "Decoding\n", NULL);
+   }
++  if (InputLength < 8){
++    Error (NULL, 0, 3000, "Invalid", "The input file %s is too small.", InputFileName);
++    goto ERROR;
++  }
+   //
+   // Get Compressed file original size
+   // 
+   Src     = (UINT8 *)FileBuffer;                     
+   OrigSize  = Src[4] + (Src[5] << 8) + (Src[6] << 16) + (Src[7] << 24);  
++  CompSize  = Src[0] + (Src[1] << 8) + (Src[2] <<16) + (Src[3] <<24);
+   
+   //
+   // Allocate OutputBuffer
+   //
++  if (InputLength < CompSize + 8 || (CompSize + 8) < 8) {
++    Error (NULL, 0, 3000, "Invalid", "The input file %s data is invalid.", InputFileName);
++    goto ERROR;
++  }
+   OutBuffer = (UINT8 *)malloc(OrigSize);
+   if (OutBuffer == NULL) {
+     Error (NULL, 0, 4001, "Resource:", "Memory cannot be allocated!");
+@@ -2171,12 +2182,16 @@ Returns:
+   UINT16  Mask;
+   UINT16  WordOfStart;
+   UINT16  WordOfCount;
++  UINT16  MaxTableLength;
+ 
+   for (Index = 0; Index <= 16; Index++) {
+     Count[Index] = 0;
+   }
+ 
+   for (Index = 0; Index < NumOfChar; Index++) {
++    if (BitLen[Index] > 16) {
++      return (UINT16) BAD_TABLE;
++    }
+     Count[BitLen[Index]]++;
+   }
+ 
+@@ -2220,6 +2235,7 @@ Returns:
+ 
+   Avail = NumOfChar;
+   Mask  = (UINT16) (1U << (15 - TableBits));
++  MaxTableLength = (UINT16) (1U << TableBits);
+ 
+   for (Char = 0; Char < NumOfChar; Char++) {
+ 
+@@ -2233,6 +2249,9 @@ Returns:
+     if (Len <= TableBits) {
+ 
+       for (Index = Start[Len]; Index < NextCode; Index++) {
++        if (Index >= MaxTableLength) {
++          return (UINT16) BAD_TABLE;
++        }
+         Table[Index] = Char;
+       }
+ 
+@@ -2617,11 +2636,16 @@ Returns: (VOID)
+       DataIdx     = Sd->mOutBuf - DecodeP (Sd) - 1;
+ 
+       BytesRemain--;
++
+       while ((INT16) (BytesRemain) >= 0) {
+-        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+         if (Sd->mOutBuf >= Sd->mOrigSize) {
+           goto Done ;
+         }
++        if (DataIdx >= Sd->mOrigSize) {
++          Sd->mBadTableFlag = (UINT16) BAD_TABLE;
++          goto Done ;
++        }
++        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+ 
+         BytesRemain--;
+       }
+-- 
+1.8.3.1
+
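Review bot: In the two Decode() hunks (Decompress.c at `@@ -643` and TianoCompress.c at `@@ -2617`), moving the `Sd->mOutBuf >= Sd->mOrigSize` test ahead of the copy means that when the last copied byte fills the output buffer and `BytesRemain` drops below zero in the same iteration, the `while` loop ends without the function returning. The old order caught that case because the test ran after every write. Add the same test once more after the loop, which is what the later "Fix UEFI and Tiano Decompression logic issue" patch on this page does. Separately, the new `CompSize = Src[0] + (Src[1] << 8) + (Src[2] << 16) + (Src[3] << 24);` lines shift a `UINT8` that has been promoted to `int`; for `Src[3] >= 0x80` the result is not representable in a 32-bit `int` and the shift is undefined in C. Casting each byte to `UINT32` before shifting would make the length arithmetic that feeds the `(CompSize + 8) < 8` wrap check well defined. Minor style: `if (InputLength < 8){` and `Src[2] <<16` are missing spaces.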
diff --git a/SOURCES/edk2-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch b/SOURCES/edk2-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch
new file mode 100644
index 0000000..cf09fe5
--- /dev/null
+++ b/SOURCES/edk2-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch
@@ -0,0 +1,73 @@
+From 115cf260ac54a6793a184227d6ae6bfe3da74a56 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 9 Jan 2019 17:10:05 +0100
+Subject: [PATCH 1/4] BaseTools: Fix UEFI and Tiano Decompression logic issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190109161007.3471-2-philmd@redhat.com>
+Patchwork-id: 83924
+O-Subject:  [RHEL8 edk2 PATCH 1/3] BaseTools: Fix UEFI and Tiano Decompression
+	logic issue
+Bugzilla: 1662184
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+https://bugzilla.tianocore.org/show_bug.cgi?id=1317
+
+This is a regression issue caused by 041d89bc0f0119df37a5fce1d0f16495ff905089.
+In Decode() function, once mOutBuf is fully filled, Decode() should return.
+Current logic misses the checker of mOutBuf after while() loop.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
+(cherry picked from commit 5e45a1fdcfbf9b2b389122eb97475148594625f8)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ BaseTools/Source/C/Common/Decompress.c           | 6 ++++++
+ BaseTools/Source/C/TianoCompress/TianoCompress.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/BaseTools/Source/C/Common/Decompress.c b/BaseTools/Source/C/Common/Decompress.c
+index bdc10f5..af76f67 100644
+--- a/BaseTools/Source/C/Common/Decompress.c
++++ b/BaseTools/Source/C/Common/Decompress.c
+@@ -662,6 +662,12 @@ Returns: (VOID)
+ 
+         BytesRemain--;
+       }
++      //
++      // Once mOutBuf is fully filled, directly return
++      //
++      if (Sd->mOutBuf >= Sd->mOrigSize) {
++        return ;
++      }
+     }
+   }
+ 
+diff --git a/BaseTools/Source/C/TianoCompress/TianoCompress.c b/BaseTools/Source/C/TianoCompress/TianoCompress.c
+index d07fd9e..369f7b3 100644
+--- a/BaseTools/Source/C/TianoCompress/TianoCompress.c
++++ b/BaseTools/Source/C/TianoCompress/TianoCompress.c
+@@ -2649,6 +2649,12 @@ Returns: (VOID)
+ 
+         BytesRemain--;
+       }
++      //
++      // Once mOutBuf is fully filled, directly return
++      //
++      if (Sd->mOutBuf >= Sd->mOrigSize) {
++        goto Done ;
++      }
+     }
+   }
+ 
+-- 
+1.8.3.1
+
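Review bot: The check added after the `while` loop in both files restores the return on a full buffer, but the patch touches only the two C sources and the commit message does not say how the regression showed up. Please add a regression input to the series (a compressed stream whose final match copy ends exactly at `mOrigSize`) or at least describe the failing case, so the fix can be verified against the original CVE change. It would also help to note in the new comment that the identical condition inside the loop guards the write, while this copy guards the next pass of the outer loop; otherwise the second test looks redundant and is liable to be removed in a cleanup.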
diff --git a/SOURCES/edk2-BaseTools-Source-C-split-O2-to-BUILD_OPTFLAGS.patch b/SOURCES/edk2-BaseTools-Source-C-split-O2-to-BUILD_OPTFLAGS.patch
new file mode 100644
index 0000000..feeb709
--- /dev/null
+++ b/SOURCES/edk2-BaseTools-Source-C-split-O2-to-BUILD_OPTFLAGS.patch
@@ -0,0 +1,98 @@
+From bd8f7996e759b1aa2549efc6062dbed8ac9b8dcb Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 29 Aug 2018 17:12:00 +0200
+Subject: [PATCH 3/7] BaseTools/Source/C: split "-O2" to BUILD_OPTFLAGS
+
+Message-id: <20180829151204.26958-4-lersek@redhat.com>
+Patchwork-id: 81961
+O-Subject:  [RHEL8/virt212 edk2 PATCH 3/7] BaseTools/Source/C: split "-O2" to
+	BUILD_OPTFLAGS
+Bugzilla: 1607906
+Acked-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+The option "-O2" is not a preprocessor flag, but a code generation
+(compilation) flag. Move it from BUILD_CPPFLAGS to BUILD_CFLAGS and
+BUILD_CXXFLAGS.
+
+Because "VfrCompile/GNUmakefile" uses "-O2" through BUILD_CPPFLAGS, and
+because it doesn't use BUILD_CXXFLAGS, we have to introduce BUILD_OPTFLAGS
+separately, so that "VfrCompile/GNUmakefile" can continue using just this
+flag.
+
+This patch doesn't change behavior.
+
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1540244
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Liming Gao <liming.gao@intel.com>
+(cherry picked from commit b8a66170264395edeaa61e6d22930a58e576a685)
+---
+ BaseTools/Source/C/Makefiles/header.makefile |  6 +++++-
+ BaseTools/Source/C/VfrCompile/GNUmakefile    | 11 +++++++----
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
+index 08421ba..498c6cf 100644
+--- a/BaseTools/Source/C/Makefiles/header.makefile
++++ b/BaseTools/Source/C/Makefiles/header.makefile
+@@ -68,7 +68,8 @@ $(error Bad HOST_ARCH)
+ endif
+ 
+ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE) 
+-BUILD_CPPFLAGS = $(INCLUDE) -O2
++BUILD_CPPFLAGS = $(INCLUDE)
++BUILD_OPTFLAGS = -O2
+ ifeq ($(DARWIN),Darwin)
+ # assume clang or clang compatible flags on OS X
+ BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
+@@ -91,6 +92,9 @@ ifeq ($(DARWIN),Darwin)
+ endif
+ endif
+ 
++# keep BUILD_OPTFLAGS last
++BUILD_CFLAGS   += $(BUILD_OPTFLAGS)
++BUILD_CXXFLAGS += $(BUILD_OPTFLAGS)
+   
+ .PHONY: all
+ .PHONY: install
+diff --git a/BaseTools/Source/C/VfrCompile/GNUmakefile b/BaseTools/Source/C/VfrCompile/GNUmakefile
+index c4ec61a..bbe562c 100644
+--- a/BaseTools/Source/C/VfrCompile/GNUmakefile
++++ b/BaseTools/Source/C/VfrCompile/GNUmakefile
+@@ -25,6 +25,9 @@ OBJECTS = AParser.o DLexerBase.o ATokenBuffer.o EfiVfrParser.o VfrLexer.o VfrSyn
+ 
+ VFR_CPPFLAGS = -DPCCTS_USE_NAMESPACE_STD $(BUILD_CPPFLAGS)
+ 
++# keep BUILD_OPTFLAGS last
++VFR_CXXFLAGS = $(BUILD_OPTFLAGS)
++
+ LINKER = $(BUILD_CXX)
+ 
+ EXTRA_CLEAN_OBJECTS = EfiVfrParser.cpp EfiVfrParser.h VfrParser.dlg VfrTokens.h VfrLexer.cpp VfrLexer.h VfrSyntax.cpp tokens.h
+@@ -58,16 +61,16 @@ Pccts/dlg/dlg:
+ 	BIN_DIR='.' $(MAKE) -C Pccts/dlg
+ 
+ ATokenBuffer.o: Pccts/h/ATokenBuffer.cpp
+-	$(BUILD_CXX) -c $(VFR_CPPFLAGS) $(INC) $? -o $@
++	$(BUILD_CXX) -c $(VFR_CPPFLAGS) $(INC) $(VFR_CXXFLAGS) $? -o $@
+ 
+ DLexerBase.o: Pccts/h/DLexerBase.cpp
+-	$(BUILD_CXX) -c $(VFR_CPPFLAGS) $(INC) $? -o $@
++	$(BUILD_CXX) -c $(VFR_CPPFLAGS) $(INC) $(VFR_CXXFLAGS) $? -o $@
+ 
+ AParser.o: Pccts/h/AParser.cpp
+-	$(BUILD_CXX) -c $(VFR_CPPFLAGS) $(INC) $? -o $@
++	$(BUILD_CXX) -c $(VFR_CPPFLAGS) $(INC) $(VFR_CXXFLAGS) $? -o $@
+ 
+ VfrSyntax.o: VfrSyntax.cpp
+-	$(BUILD_CXX) -c $(VFR_CPPFLAGS) $(INC) $? -o $@
++	$(BUILD_CXX) -c $(VFR_CPPFLAGS) $(INC) $(VFR_CXXFLAGS) $? -o $@
+ 	
+ clean: localClean
+ 
+-- 
+1.8.3.1
+
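Review bot: In the VfrCompile/GNUmakefile hunks only the four explicit rules (ATokenBuffer.o, DLexerBase.o, AParser.o, VfrSyntax.o) gain `$(VFR_CXXFLAGS)`, while the `OBJECTS` line in the context also lists EfiVfrParser.o, VfrLexer.o and others whose rules are not shown. Please confirm in the commit message that those objects are built by a rule that expands BUILD_CXXFLAGS (which now carries `-O2`), since the claim "This patch doesn't change behavior" depends on it. Also, "keep BUILD_OPTFLAGS last" in header.makefile is only true at that point in the file: any makefile that appends to BUILD_CFLAGS or BUILD_CXXFLAGS after including the header will place its flags after `-O2`, so the comment should say that later appends are not expected.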
diff --git a/SOURCES/edk2-BaseTools-Source-C-take-EXTRA_LDFLAGS-from-the-calle.patch b/SOURCES/edk2-BaseTools-Source-C-take-EXTRA_LDFLAGS-from-the-calle.patch
new file mode 100644
index 0000000..334d001
--- /dev/null
+++ b/SOURCES/edk2-BaseTools-Source-C-take-EXTRA_LDFLAGS-from-the-calle.patch
@@ -0,0 +1,46 @@
+From 7ad1348d09a32c467229ee8bef98a09e47b5a708 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 29 Aug 2018 17:12:02 +0200
+Subject: [PATCH 5/7] BaseTools/Source/C: take EXTRA_LDFLAGS from the caller
+
+Message-id: <20180829151204.26958-6-lersek@redhat.com>
+Patchwork-id: 81965
+O-Subject:  [RHEL8/virt212 edk2 PATCH 5/7] BaseTools/Source/C: take EXTRA_LDFLAGS
+	from the caller
+Bugzilla: 1607906
+Acked-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+Allow the caller of the top-level makefile either to set EXTRA_LDFLAGS in
+the environment or to pass EXTRA_LDFLAGS as a macro definition on the
+command line. EXTRA_LDFLAGS extends (and potentially overrides) default
+link-editing flags set in the makefiles.
+
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1540244
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Liming Gao <liming.gao@intel.com>
+(cherry picked from commit 81502cee20ac4046f08bb4aec754c7091c8808dc)
+---
+ BaseTools/Source/C/Makefiles/header.makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
+index 1b4cad5..7f283d6 100644
+--- a/BaseTools/Source/C/Makefiles/header.makefile
++++ b/BaseTools/Source/C/Makefiles/header.makefile
+@@ -99,6 +99,9 @@ endif
+ BUILD_CFLAGS   += $(BUILD_OPTFLAGS)
+ BUILD_CXXFLAGS += $(BUILD_OPTFLAGS)
+   
++# keep EXTRA_LDFLAGS last
++BUILD_LFLAGS += $(EXTRA_LDFLAGS)
++
+ .PHONY: all
+ .PHONY: install
+ .PHONY: clean
+-- 
+1.8.3.1
+
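Review bot: `BUILD_LFLAGS += $(EXTRA_LDFLAGS)` picks up EXTRA_LDFLAGS from the environment as well as from the command line, and the only in-file documentation is "keep EXTRA_LDFLAGS last". Since the commit message says the value can override the default link-editing flags, the makefile comment should state that the variable is caller-supplied, may come from the environment, and is appended last on purpose, so that someone auditing how the host tools were linked knows where to look. It is also worth listing in the commit message which link rules actually expand BUILD_LFLAGS; the later VfrCompile patch on this page shows that at least one rule used `$(LFLAGS)` instead and was not covered.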
diff --git a/SOURCES/edk2-BaseTools-Source-C-take-EXTRA_OPTFLAGS-from-the-call.patch b/SOURCES/edk2-BaseTools-Source-C-take-EXTRA_OPTFLAGS-from-the-call.patch
new file mode 100644
index 0000000..6a97cc4
--- /dev/null
+++ b/SOURCES/edk2-BaseTools-Source-C-take-EXTRA_OPTFLAGS-from-the-call.patch
@@ -0,0 +1,48 @@
+From c8f78f5ef3463ffb63d26879d858327aba934d12 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 29 Aug 2018 17:12:01 +0200
+Subject: [PATCH 4/7] BaseTools/Source/C: take EXTRA_OPTFLAGS from the caller
+
+Message-id: <20180829151204.26958-5-lersek@redhat.com>
+Patchwork-id: 81966
+O-Subject:  [RHEL8/virt212 edk2 PATCH 4/7] BaseTools/Source/C: take
+	EXTRA_OPTFLAGS from the caller
+Bugzilla: 1607906
+Acked-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+Allow the caller of the top-level makefile either to set EXTRA_OPTFLAGS in
+the environment or to pass EXTRA_OPTFLAGS as a macro definition on the
+command line. EXTRA_OPTFLAGS extends (and potentially overrides) default C
+compilation flags set in the makefiles.
+
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1540244
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Liming Gao <liming.gao@intel.com>
+(cherry picked from commit b0ca5dae78ff71397a8ef568f1914da7668ff5a9)
+---
+ BaseTools/Source/C/Makefiles/header.makefile | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
+index 498c6cf..1b4cad5 100644
+--- a/BaseTools/Source/C/Makefiles/header.makefile
++++ b/BaseTools/Source/C/Makefiles/header.makefile
+@@ -69,7 +69,10 @@ endif
+ 
+ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE) 
+ BUILD_CPPFLAGS = $(INCLUDE)
+-BUILD_OPTFLAGS = -O2
++
++# keep EXTRA_OPTFLAGS last
++BUILD_OPTFLAGS = -O2 $(EXTRA_OPTFLAGS)
++
+ ifeq ($(DARWIN),Darwin)
+ # assume clang or clang compatible flags on OS X
+ BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
+-- 
+1.8.3.1
+
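Review bot: The commit message says EXTRA_OPTFLAGS extends the "default C compilation flags", but with `BUILD_OPTFLAGS = -O2 $(EXTRA_OPTFLAGS)` the value also reaches C++ builds, because the earlier patch in this series appends BUILD_OPTFLAGS to BUILD_CXXFLAGS and assigns it to VFR_CXXFLAGS. Please reword the message and the makefile comment to say "C and C++", so callers do not pass C-only options through this variable. The comment "keep EXTRA_OPTFLAGS last" should likewise explain that the ordering is what lets the caller override `-O2`.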
diff --git a/SOURCES/edk2-BaseTools-VfrCompile-honor-EXTRA_LDFLAGS.patch b/SOURCES/edk2-BaseTools-VfrCompile-honor-EXTRA_LDFLAGS.patch
new file mode 100644
index 0000000..0571886
--- /dev/null
+++ b/SOURCES/edk2-BaseTools-VfrCompile-honor-EXTRA_LDFLAGS.patch
@@ -0,0 +1,80 @@
+From 5825a1b2507e195c40a8655e18c5485c00513445 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 29 Aug 2018 17:12:03 +0200
+Subject: [PATCH 6/7] BaseTools/VfrCompile: honor EXTRA_LDFLAGS
+
+Message-id: <20180829151204.26958-7-lersek@redhat.com>
+Patchwork-id: 81963
+O-Subject:  [RHEL8/virt212 edk2 PATCH 6/7] BaseTools/VfrCompile: honor
+	EXTRA_LDFLAGS
+Bugzilla: 1607906
+Acked-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+In commit 81502cee20ac ("BaseTools/Source/C: take EXTRA_LDFLAGS from the
+caller", 2018-08-16), I missed that "VfrCompile/GNUmakefile" does not use
+BUILD_LFLAGS in the APPLICATION linking rule, unlike "app.makefile" does.
+Instead, "VfrCompile/GNUmakefile" uses the (undefined) LFLAGS macro.
+Therefore commit 81502cee20ac did not cover the linking step of
+VfrCompile.
+
+Thankfully, the structure of the linking rules is the same, between
+"app.makefile" and "VfrCompile/GNUmakefile". Rename the undefined LFLAGS
+macro in "VfrCompile/GNUmakefile" to VFR_LFLAGS (for consistency with
+VFR_CXXFLAGS), and set it to EXTRA_LDFLAGS.
+
+As a result, we have:
+
+             | compilation                    | linking
+  -----------+--------------------------------+----------------------
+  VfrCompile | VFR_CXXFLAGS =                 | VFR_LFLAGS =
+             | BUILD_OPTFLAGS =               | EXTRA_LDFLAGS
+             | '-O2' + EXTRA_OPTFLAGS         |
+  -----------+--------------------------------+----------------------
+  other apps | BUILD_CFLAGS/BUILD_CXXFLAGS =  | BUILD_LFLAGS =
+             | [...] + BUILD_OPTFLAGS =       | [...] + EXTRA_LDFLAGS
+             | [...] + '-O2' + EXTRA_OPTFLAGS |
+
+This table shows
+- that the VfrCompile compilation and linking flags are always a subset of
+  the corresponding flags used by the other apps,
+- and that the EXTRA flags are always at the end.
+
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1540244
+Fixes: 81502cee20ac4046f08bb4aec754c7091c8808dc
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Liming Gao <liming.gao@intel.com>
+(cherry picked from commit aa4e0df1f0c7ffdff07d7e382c9da89cbe207cdb)
+---
+ BaseTools/Source/C/VfrCompile/GNUmakefile | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/BaseTools/Source/C/VfrCompile/GNUmakefile b/BaseTools/Source/C/VfrCompile/GNUmakefile
+index bbe562c..9273589 100644
+--- a/BaseTools/Source/C/VfrCompile/GNUmakefile
++++ b/BaseTools/Source/C/VfrCompile/GNUmakefile
+@@ -28,6 +28,9 @@ VFR_CPPFLAGS = -DPCCTS_USE_NAMESPACE_STD $(BUILD_CPPFLAGS)
+ # keep BUILD_OPTFLAGS last
+ VFR_CXXFLAGS = $(BUILD_OPTFLAGS)
+ 
++# keep EXTRA_LDFLAGS last
++VFR_LFLAGS = $(EXTRA_LDFLAGS)
++
+ LINKER = $(BUILD_CXX)
+ 
+ EXTRA_CLEAN_OBJECTS = EfiVfrParser.cpp EfiVfrParser.h VfrParser.dlg VfrTokens.h VfrLexer.cpp VfrLexer.h VfrSyntax.cpp tokens.h
+@@ -42,7 +45,7 @@ APPLICATION = $(MAKEROOT)/bin/$(APPNAME)
+ all: $(MAKEROOT)/bin $(APPLICATION) 
+ 
+ $(APPLICATION): $(OBJECTS) 
+-	$(LINKER) -o $(APPLICATION) $(LFLAGS) $(OBJECTS) -L$(MAKEROOT)/libs $(LIBS)
++	$(LINKER) -o $(APPLICATION) $(VFR_LFLAGS) $(OBJECTS) -L$(MAKEROOT)/libs $(LIBS)
+ 
+ VfrCompiler.o: ../Include/Common/BuildVersion.h
+ 
+-- 
+1.8.3.1
+
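Review bot: In the VfrCompile/GNUmakefile link rule, $(VFR_LFLAGS) expands before $(OBJECTS) and $(LIBS), so the new comment "keep EXTRA_LDFLAGS last" holds only within VFR_LFLAGS, not on the command line. Any order-sensitive option a caller puts in EXTRA_LDFLAGS (a -l option, for instance) will precede the objects. The placement matches the app.makefile rule the commit message describes, so it can stay, but the comment should read "last among the linker flags" so nobody later moves it. The message could also note that a caller who set LFLAGS on the make command line or in the environment loses that path into this link step after the rename to VFR_LFLAGS.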
diff --git a/SOURCES/edk2-BaseTools-footer.makefile-expand-BUILD_CFLAGS-last-f.patch b/SOURCES/edk2-BaseTools-footer.makefile-expand-BUILD_CFLAGS-last-f.patch
new file mode 100644
index 0000000..377b88c
--- /dev/null
+++ b/SOURCES/edk2-BaseTools-footer.makefile-expand-BUILD_CFLAGS-last-f.patch
@@ -0,0 +1,46 @@
+From 5898a7a6403bb5ff73fc27a39f9c64b746089cb1 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 29 Aug 2018 17:11:58 +0200
+Subject: [PATCH 1/7] BaseTools/footer.makefile: expand BUILD_CFLAGS last for C
+ files too
+
+Message-id: <20180829151204.26958-2-lersek@redhat.com>
+Patchwork-id: 81962
+O-Subject:  [RHEL8/virt212 edk2 PATCH 1/7] BaseTools/footer.makefile: expand
+	BUILD_CFLAGS last for C files too
+Bugzilla: 1607906
+Acked-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+BUILD_CPPFLAGS should be expanded before BUILD_CFLAGS. (The rule for C++
+source files already does this, with BUILD_CPPFLAGS and BUILD_CXXFLAGS.)
+
+This patch doesn't change behavior.
+
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1540244
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Liming Gao <liming.gao@intel.com>
+(cherry picked from commit 67983484a4430c5f82bb5f1397e010c759136321)
+---
+ BaseTools/Source/C/Makefiles/footer.makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/BaseTools/Source/C/Makefiles/footer.makefile b/BaseTools/Source/C/Makefiles/footer.makefile
+index 0926aa9..5bda9e4 100644
+--- a/BaseTools/Source/C/Makefiles/footer.makefile
++++ b/BaseTools/Source/C/Makefiles/footer.makefile
+@@ -24,7 +24,7 @@ $(LIBRARY): $(OBJECTS)
+ 	$(BUILD_AR) crs $@ $^
+ 
+ %.o : %.c 
+-	$(BUILD_CC)  -c $(BUILD_CFLAGS) $(BUILD_CPPFLAGS) $< -o $@
++	$(BUILD_CC)  -c $(BUILD_CPPFLAGS) $(BUILD_CFLAGS) $< -o $@
+ 
+ %.o : %.cpp
+ 	$(BUILD_CXX) -c $(BUILD_CPPFLAGS) $(BUILD_CXXFLAGS) $< -o $@
+-- 
+1.8.3.1
+
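Review bot: The %.c rule in footer.makefile now depends on flag order, but nothing in the file says so. With $(BUILD_CPPFLAGS) expanded first, any option present in both variables is decided by BUILD_CFLAGS, and "This patch doesn't change behavior" holds only while the two carry no conflicting options (the header.makefile context in the next patch shows -O2 in BUILD_CPPFLAGS). Suggest a one-line comment above the rule, in the style of the "keep BUILD_OPTFLAGS last" comment in VfrCompile/GNUmakefile, and the same above the %.cpp rule.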
diff --git a/SOURCES/edk2-BaseTools-header.makefile-remove-c-from-BUILD_CFLAGS.patch b/SOURCES/edk2-BaseTools-header.makefile-remove-c-from-BUILD_CFLAGS.patch
new file mode 100644
index 0000000..b32d6a9
--- /dev/null
+++ b/SOURCES/edk2-BaseTools-header.makefile-remove-c-from-BUILD_CFLAGS.patch
@@ -0,0 +1,51 @@
+From e7091299a079fd0405f01276f35838884b4c06b5 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 29 Aug 2018 17:11:59 +0200
+Subject: [PATCH 2/7] BaseTools/header.makefile: remove "-c" from BUILD_CFLAGS
+
+Message-id: <20180829151204.26958-3-lersek@redhat.com>
+Patchwork-id: 81964
+O-Subject:  [RHEL8/virt212 edk2 PATCH 2/7] BaseTools/header.makefile: remove "-c"
+	from BUILD_CFLAGS
+Bugzilla: 1607906
+Acked-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+Option "-c" is a mode selection flag (choosing between compiling and
+linking); it should not be in BUILD_CFLAGS, which applies only to
+compiling anyway. The compilation rule for C source files, in
+"footer.makefile", already includes "-c" -- currently we have double "-c"
+options.
+
+This patch doesn't change behavior.
+
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1540244
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Liming Gao <liming.gao@intel.com>
+(cherry picked from commit 03252ae287c4a61983b3793ff71baeabe2ff3df7)
+---
+ BaseTools/Source/C/Makefiles/header.makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
+index db43677..08421ba 100644
+--- a/BaseTools/Source/C/Makefiles/header.makefile
++++ b/BaseTools/Source/C/Makefiles/header.makefile
+@@ -71,9 +71,9 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKE
+ BUILD_CPPFLAGS = $(INCLUDE) -O2
+ ifeq ($(DARWIN),Darwin)
+ # assume clang or clang compatible flags on OS X
+-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
++BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
+ else
+-BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-unused-result -nostdlib -c -g
++BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-unused-result -nostdlib -g
+ endif
+ BUILD_LFLAGS =
+ BUILD_CXXFLAGS = -Wno-unused-result
+-- 
+1.8.3.1
+
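Review bot: By the reasoning in the commit message, -nostdlib on both BUILD_CFLAGS lines is in the same position -c was: it only affects linking, and BUILD_CFLAGS is applied only when compiling. Either drop it here as well or say in the message why it stays. Separately, the two assignments differ only in their -Wno-* options (-Wno-self-assign on Darwin, -Wno-stringop-truncation -Wno-restrict otherwise); factoring the common part into one variable would have made this a one-line change and keeps the two branches from drifting apart.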
diff --git a/SOURCES/edk2-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch b/SOURCES/edk2-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch
new file mode 100644
index 0000000..f316c12
--- /dev/null
+++ b/SOURCES/edk2-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch
@@ -0,0 +1,130 @@
+From 8358e53013fc62c9556598ad842d233906de00ef Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 24 Oct 2018 21:03:44 +0200
+Subject: [PATCH 3/4] IntelFrameworkModulePkg: Add more checker in
+ UefiTianoDecompressLib (CVE FIX)
+
+Message-id: <20181024190345.15288-4-lersek@redhat.com>
+Patchwork-id: 82885
+O-Subject:  [RHEL8 edk2 PATCH 3/4] IntelFrameworkModulePkg: Add more checker in
+	UefiTianoDecompressLib (CVE FIX)
+Bugzilla: 1641453
+1641464
+1641469
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+--v-- RHEL8 note start --v--
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641453
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641464
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641469
+
+Unfortunately, the upstream patch series was not structured according to
+the CVE reports. This patch contributes to fixing:
+
+- CVE-2017-5733
+- CVE-2017-5734
+- CVE-2017-5735
+
+but not CVE-2017-5731 or CVE-2017-5732 (contrarily to the upstream commit
+message). The best I could achieve up-stream was to get the "CVE FIX"
+expression into the subject, and a whole-sale dump of the CVEs into the
+body. I had not been invited to the original (off-list, embargoed)
+analysis and review.
+
+The trivial context difference (whitespace) is due to RHEL8 lacking
+upstream commit 0a6f48249a60 ("IntelFrameworkModulePkg: Clean up source
+files", 2018-06-28). I've considered backporting that (since it only
+cleans up whitespace). However, the diffstat on that commit convinced me
+otherwise: "246 files changed, 4067 insertions(+), 4067 deletions(-)".
+I've decided not to do a partial backport of that (i.e. just for
+"BaseUefiTianoCustomDecompressLib.c").
+
+--^-- RHEL8 note end --^--
+
+Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735
+https://bugzilla.tianocore.org/show_bug.cgi?id=686
+To make sure the valid buffer be accessed only.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com>
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Reviewed-by: Star Zeng <star.zeng@intel.com>
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 684db6da64bc7b5faee4e1174e801c245f563b5c)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ .../BaseUefiTianoCustomDecompressLib.c                   | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+index cb009e7..9b00166 100644
+--- a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
++++ b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+@@ -143,6 +143,7 @@ MakeTable (
+   UINT16  Mask;
+   UINT16  WordOfStart;
+   UINT16  WordOfCount;
++  UINT16  MaxTableLength;
+ 
+   //
+   // The maximum mapping table width supported by this internal
+@@ -155,6 +156,9 @@ MakeTable (
+   }
+ 
+   for (Index = 0; Index < NumOfChar; Index++) {
++    if (BitLen[Index] > 16) {
++      return (UINT16) BAD_TABLE;
++    }
+     Count[BitLen[Index]]++;
+   }
+   
+@@ -196,6 +200,7 @@ MakeTable (
+ 
+   Avail = NumOfChar;
+   Mask  = (UINT16) (1U << (15 - TableBits));
++  MaxTableLength = (UINT16) (1U << TableBits);
+ 
+   for (Char = 0; Char < NumOfChar; Char++) {
+ 
+@@ -209,6 +214,9 @@ MakeTable (
+     if (Len <= TableBits) {
+ 
+       for (Index = Start[Len]; Index < NextCode; Index++) {
++        if (Index >= MaxTableLength) {
++          return (UINT16) BAD_TABLE;
++        }
+         Table[Index] = Char;
+       }
+ 
+@@ -615,10 +623,14 @@ Decode (
+       //
+       BytesRemain--;
+       while ((INT16) (BytesRemain) >= 0) {
+-        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+         if (Sd->mOutBuf >= Sd->mOrigSize) {
+           goto Done ;
+         }
++        if (DataIdx >= Sd->mOrigSize) {
++          Sd->mBadTableFlag = (UINT16) BAD_TABLE;
++          goto Done ;
++        }
++        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+ 
+         BytesRemain--;
+       }
+@@ -688,7 +700,7 @@ UefiDecompressGetInfo (
+   }
+ 
+   CompressedSize   = ReadUnaligned32 ((UINT32 *)Source);
+-  if (SourceSize < (CompressedSize + 8)) {
++  if (SourceSize < (CompressedSize + 8) || (CompressedSize + 8) < 8) {
+     return RETURN_INVALID_PARAMETER;
+   }
+ 
+-- 
+1.8.3.1
+
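Review bot: In the Decode() hunk, moving the mOutBuf >= mOrigSize test ahead of the copy means that when the last copy of the loop fills the output buffer and BytesRemain runs out on the same iteration, the loop ends without reaching Done. The follow-up patch on this page (cherry-pick of ade71c52a49d) describes this as a regression caused by 684db6da64bc and adds the check after the loop, so the two must be applied together and never this one alone. In MakeTable(), MaxTableLength = (UINT16) (1U << TableBits) truncates to 0 if TableBits can be 16 (the limit check above the first loop is cut off in the hunk context), which would make Index >= MaxTableLength reject every table; declaring the local as UINT32 removes the question.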
diff --git a/SOURCES/edk2-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch b/SOURCES/edk2-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch
new file mode 100644
index 0000000..e35c99b
--- /dev/null
+++ b/SOURCES/edk2-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch
@@ -0,0 +1,55 @@
+From 601458a0a87bf4169d1f0c81c0bb454d22abe8f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 9 Jan 2019 17:10:07 +0100
+Subject: [PATCH 3/4] IntelFrameworkModulePkg: Fix UEFI and Tiano Decompression
+ logic issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190109161007.3471-4-philmd@redhat.com>
+Patchwork-id: 83926
+O-Subject:  [RHEL8 edk2 PATCH 3/3] IntelFrameworkModulePkg: Fix UEFI and Tiano
+	Decompression logic issue
+Bugzilla: 1662184
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+https://bugzilla.tianocore.org/show_bug.cgi?id=1317
+
+This is a regression issue caused by 684db6da64bc7b5faee4e1174e801c245f563b5c.
+In Decode() function, once mOutBuf is fully filled, Decode() should return.
+Current logic misses the checker of mOutBuf after while() loop.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
+(cherry picked from commit ade71c52a49d659b20c0b433fb11ddb4f4f543c4)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ .../BaseUefiTianoCustomDecompressLib.c                              | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+index 9b00166..e34bf4b 100644
+--- a/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
++++ b/IntelFrameworkModulePkg/Library/BaseUefiTianoCustomDecompressLib/BaseUefiTianoCustomDecompressLib.c
+@@ -634,6 +634,12 @@ Decode (
+ 
+         BytesRemain--;
+       }
++      //
++      // Once mOutBuf is fully filled, directly return
++      //
++      if (Sd->mOutBuf >= Sd->mOrigSize) {
++        goto Done ;
++      }
+     }
+   }
+ 
+-- 
+1.8.3.1
+
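Review bot: The check added after the while loop repeats the condition already tested at the top of the loop body, so the "output buffer full" exit in this branch of Decode() is now written in two places and any later change to the bound has to touch both. Keeping the DataIdx test before the copy and testing mOutBuf >= mOrigSize once, directly after the write to mDstBase, would cover the in-loop and post-loop cases with a single statement. The commit message should also say what goes wrong when Decode() keeps running with mOutBuf equal to mOrigSize, so a backporter can judge the impact without opening the TianoCore bug.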
diff --git a/SOURCES/edk2-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch b/SOURCES/edk2-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch
new file mode 100644
index 0000000..0c7b2cc
--- /dev/null
+++ b/SOURCES/edk2-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch
@@ -0,0 +1,78 @@
+From 3b8ff18ad4ac1af740a979ad27fb83dbbdca70ef Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 24 Oct 2018 21:03:42 +0200
+Subject: [PATCH 1/4] MdeModulePkg Variable: Fix Timestamp zeroing issue on
+ APPEND_WRITE
+
+Message-id: <20181024190345.15288-2-lersek@redhat.com>
+Patchwork-id: 82887
+O-Subject:  [RHEL8 edk2 PATCH 1/4] MdeModulePkg Variable: Fix Timestamp zeroing
+	issue on APPEND_WRITE
+Bugzilla: 1641436
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Star Zeng <star.zeng@intel.com>
+
+--v-- RHEL8 note start --v--
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641436
+
+This patch fixes CVE-2018-3613. Unfortunately, the upstream subject line
+does not include the CVE number. I've decided to stick with the upstream
+subject verbatim in the backport, so we can more easily drop this patch at
+the next rebase. On the upstream list, I did complain loudly, so there's
+hope the next CVE fix will advertise the CVE number in the subject.
+
+In practice, the vulnerability is difficult to exploit. Please refer to
+the following messages in the upstream discussion:
+
+  https://lists.01.org/pipermail/edk2-devel/2018-October/031103.html
+  https://lists.01.org/pipermail/edk2-devel/2018-October/031140.html
+
+--^-- RHEL8 note end --^--
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=415
+
+When SetVariable() to a time based auth variable with APPEND_WRITE
+attribute, and if the EFI_VARIABLE_AUTHENTICATION_2.TimeStamp in
+the input Data is earlier than current value, it will cause timestamp
+zeroing.
+
+This issue may bring time based auth variable downgrade problem.
+For example:
+A vendor released three certs at 2014, 2015, and 2016, and system
+integrated the 2016 cert. User can SetVariable() with 2015 cert and
+APPEND_WRITE attribute to cause timestamp zeroing first, then
+SetVariable() with 2014 cert to downgrade the cert.
+
+This patch fixes this issue.
+
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Chao Zhang <chao.b.zhang@intel.com>
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Star Zeng <star.zeng@intel.com>
+Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
+(cherry picked from commit b7dc8888f31402f410c53242839271ba3b94b619)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+index 6caf603..60439b5 100644
+--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
++++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c
+@@ -2460,6 +2460,8 @@ UpdateVariable (
+         if (Variable->CurrPtr != NULL) {
+           if (VariableCompareTimeStampInternal (&(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), TimeStamp)) {
+             CopyMem (&AuthVariable->TimeStamp, TimeStamp, sizeof (EFI_TIME));
++          } else {
++            CopyMem (&AuthVariable->TimeStamp, &(((AUTHENTICATED_VARIABLE_HEADER *) CacheVariable->CurrPtr)->TimeStamp), sizeof (EFI_TIME));
+           }
+         }
+       }
+-- 
+1.8.3.1
+
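Review bot: The new else branch in UpdateVariable() dereferences CacheVariable->CurrPtr, but the enclosing guard tests Variable->CurrPtr != NULL. The existing if condition has the same mismatch, so this is not new, yet the patch adds a second read through a pointer that the visible code never checks; either guard on CacheVariable->CurrPtr or add a comment stating why the two are always non-NULL together. Taking the cast expression into a local AUTHENTICATED_VARIABLE_HEADER pointer would shorten both CopyMem lines and make the intent, keep the stored timestamp when the incoming one is not newer, readable at a glance.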
diff --git a/SOURCES/edk2-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch b/SOURCES/edk2-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch
new file mode 100644
index 0000000..6fd94c1
--- /dev/null
+++ b/SOURCES/edk2-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch
@@ -0,0 +1,133 @@
+From 41129e136b621728eb5cb1c81aafcc5fedc53a12 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 24 Oct 2018 21:03:43 +0200
+Subject: [PATCH 2/4] MdePkg: Add more checker in UefiDecompressLib to access
+ the valid buffer only (CVE FIX)
+
+Message-id: <20181024190345.15288-3-lersek@redhat.com>
+Patchwork-id: 82883
+O-Subject:  [RHEL8 edk2 PATCH 2/4] MdePkg: Add more checker in UefiDecompressLib
+	to access the valid buffer only (CVE FIX)
+Bugzilla: 1641449
+1641453
+1641464
+1641469
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+--v-- RHEL8 note start --v--
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641449
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641453
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641464
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1641469
+
+Unfortunately, the upstream patch series was not structured according to
+the CVE reports. This patch contributes to fixing:
+
+- CVE-2017-5732
+- CVE-2017-5733
+- CVE-2017-5734
+- CVE-2017-5735
+
+but not CVE-2017-5731 (contrarily to the upstream commit message). The
+best I could achieve up-stream was to get the "CVE FIX" expression into
+the subject, and a whole-sale dump of the CVEs into the body. I had not
+been invited to the original (off-list, embargoed) analysis and review.
+
+The trivial context difference (whitespace) is due to RHEL8 lacking
+upstream commit 9095d37b8fe5 ("MdePkg: Clean up source files",
+2018-06-28). I've considered backporting that (since it only cleans up
+whitespace). However, the diffstat on that commit convinced me otherwise:
+"729 files changed, 15667 insertions(+), 15667 deletions(-)". I've decided
+not to do a partial backport of that (i.e. just for
+"BaseUefiDecompressLib.c").
+
+--^-- RHEL8 note end --^--
+
+Fix CVE-2017-5731,CVE-2017-5732,CVE-2017-5733,CVE-2017-5734,CVE-2017-5735
+https://bugzilla.tianocore.org/show_bug.cgi?id=686
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Holtsclaw Brent <brent.holtsclaw@intel.com>
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Reviewed-by: Star Zeng <star.zeng@intel.com>
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 2ec7953d49677142c5f7552e9e3d96fb406ba0c4)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ .../BaseUefiDecompressLib/BaseUefiDecompressLib.c       | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
+index e818543..0c6b1fe 100644
+--- a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
++++ b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
+@@ -152,6 +152,7 @@ MakeTable (
+   UINT16  Mask;
+   UINT16  WordOfStart;
+   UINT16  WordOfCount;
++  UINT16  MaxTableLength;
+ 
+   //
+   // The maximum mapping table width supported by this internal
+@@ -164,6 +165,9 @@ MakeTable (
+   }
+ 
+   for (Index = 0; Index < NumOfChar; Index++) {
++    if (BitLen[Index] > 16) {
++      return (UINT16) BAD_TABLE;
++    }
+     Count[BitLen[Index]]++;
+   }
+   
+@@ -205,6 +209,7 @@ MakeTable (
+ 
+   Avail = NumOfChar;
+   Mask  = (UINT16) (1U << (15 - TableBits));
++  MaxTableLength = (UINT16) (1U << TableBits);
+ 
+   for (Char = 0; Char < NumOfChar; Char++) {
+ 
+@@ -218,6 +223,9 @@ MakeTable (
+     if (Len <= TableBits) {
+ 
+       for (Index = Start[Len]; Index < NextCode; Index++) {
++        if (Index >= MaxTableLength) {
++          return (UINT16) BAD_TABLE;
++        }
+         Table[Index] = Char;
+       }
+ 
+@@ -620,11 +628,16 @@ Decode (
+       // Write BytesRemain of bytes into mDstBase
+       //
+       BytesRemain--;
++
+       while ((INT16) (BytesRemain) >= 0) {
+-        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+         if (Sd->mOutBuf >= Sd->mOrigSize) {
+           goto Done;
+         }
++        if (DataIdx >= Sd->mOrigSize) {
++          Sd->mBadTableFlag = (UINT16) BAD_TABLE;
++          goto Done;
++        }
++        Sd->mDstBase[Sd->mOutBuf++] = Sd->mDstBase[DataIdx++];
+ 
+         BytesRemain--;
+       }
+@@ -694,7 +707,7 @@ UefiDecompressGetInfo (
+   }
+ 
+   CompressedSize   = ReadUnaligned32 ((UINT32 *)Source);
+-  if (SourceSize < (CompressedSize + 8)) {
++  if (SourceSize < (CompressedSize + 8) || (CompressedSize + 8) < 8) {
+     return RETURN_INVALID_PARAMETER;
+   }
+ 
+-- 
+1.8.3.1
+
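Review bot: In UefiDecompressGetInfo(), the wraparound test (CompressedSize + 8) < 8 comes after SourceSize < (CompressedSize + 8), which has already compared against the possibly wrapped sum. The result is still correct because either operand of || rejects the input, but putting the overflow test first shows the reader that the sum is never trusted before it is validated. In MakeTable(), the literal 16 in BitLen[Index] > 16 presumably mirrors the size of Count[], which is not in the hunk; a named constant would keep the two in sync. The blank line added before the while loop in Decode() is unrelated whitespace in a CVE fix and can be dropped.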
diff --git a/SOURCES/edk2-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch b/SOURCES/edk2-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch
new file mode 100644
index 0000000..381062b
--- /dev/null
+++ b/SOURCES/edk2-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch
@@ -0,0 +1,56 @@
+From c46469847b68f6a1a5b42feaf0de7a83fd0bed85 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 9 Jan 2019 17:10:06 +0100
+Subject: [PATCH 2/4] MdePkg BaseUefiDecompressLib: Fix UEFI Decompression
+ logic issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20190109161007.3471-3-philmd@redhat.com>
+Patchwork-id: 83923
+O-Subject:  [RHEL8 edk2 PATCH 2/3] MdePkg BaseUefiDecompressLib: Fix UEFI
+	Decompression logic issue
+Bugzilla: 1662184
+Acked-by: Laszlo Ersek <lersek@redhat.com>
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+From: Liming Gao <liming.gao@intel.com>
+
+https://bugzilla.tianocore.org/show_bug.cgi?id=1317
+
+This is a regression issue caused by 2ec7953d49677142c5f7552e9e3d96fb406ba0c4.
+In Decode() function, once mOutBuf is fully filled, Decode() should return.
+Current logic misses the checker of mOutBuf after while() loop.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Liming Gao <liming.gao@intel.com>
+Cc: Michael Kinney <michael.d.kinney@intel.com>
+Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
+(cherry picked from commit 1c4cecc9fd314de0dce8125b0d4b45967637a401)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
+index 0c6b1fe..8c30e97 100644
+--- a/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
++++ b/MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.c
+@@ -641,6 +641,12 @@ Decode (
+ 
+         BytesRemain--;
+       }
++      //
++      // Once mOutBuf is fully filled, directly return
++      //
++      if (Sd->mOutBuf >= Sd->mOrigSize) {
++        goto Done;
++      }
+     }
+   }
+ 
+-- 
+1.8.3.1
+
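Review bot: This is the same six-line change as the IntelFrameworkModulePkg patch earlier on this page, differing only in "goto Done;" versus "goto Done ;", and it has to land together with the backport of 2ec7953d4967 that the commit message names as the cause of the regression. Nothing in the patch or its message records a test input that reaches the mOutBuf >= mOrigSize case after the loop; adding one, or a pointer to one in the TianoCore bug, would let the next rebase confirm that both decompressor copies stay fixed.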
diff --git a/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-Add-EXCLUSIVE-attribute-when.patch b/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-Add-EXCLUSIVE-attribute-when.patch
new file mode 100644
index 0000000..5c526b2
--- /dev/null
+++ b/SOURCES/edk2-NetworkPkg-UefiPxeBcDxe-Add-EXCLUSIVE-attribute-when.patch
@@ -0,0 +1,100 @@
+From 1f2c35936d1731da26c3ed8d002785240853a742 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 7 Nov 2018 11:25:57 +0100
+Subject: [PATCH] NetworkPkg: UefiPxeBcDxe: Add EXCLUSIVE attribute when
+ opening SNP protocol installed by PXE.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20181107102557.9106-2-lersek@redhat.com>
+Patchwork-id: 82937
+O-Subject:  [RHEL8 edk2 PATCH 1/1] NetworkPkg: UefiPxeBcDxe: Add EXCLUSIVE
+	attribute when opening SNP protocol installed by PXE.
+Bugzilla: 1643377
+Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+From: "edk2-devel-bounces@lists.01.org" <edk2-devel-bounces@lists.01.org>
+
+--v-- RHEL8 note start --v--
+
+Please see the analysis for this backport in
+<https://bugzilla.redhat.com/show_bug.cgi?id=1643377#c20> through
+<https://bugzilla.redhat.com/show_bug.cgi?id=1643377#c25>.
+
+There was a trivial conflict to resolve while cherry-picking the upstream
+commit; please refer to
+<https://bugzilla.redhat.com/show_bug.cgi?id=1643377#c28>.
+
+--^-- RHEL8 note end --^--
+
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1152
+
+v2: Sync the same logic to Ipv6 and update code comments.
+
+The PXE driver installs a SNP and open this SNP with attribute BY_DRIVER
+to avoid it being opened by MNP driver, this SNP is also expected not to
+be opened by other drivers with EXCLUSIVE attribute. In some cases, other
+drivers may happen to do this by error, and thus cause a system crash.
+This patch adds EXCLUSIVE attribute when opening SNP in PXE driver, and
+will reject all OpenProtocol requests by EXCLUSIVE.
+
+Cc: Subramanian, Sriram <sriram-s@hpe.com>
+Cc: Ye Ting <ting.ye@intel.com>
+Cc: Fu Siyuan <siyuan.fu@intel.com>
+Cc: Wu Jiaxin <jiaxin.wu@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Wang Fan <fan.wang@intel.com>
+Reviewed-by: Sriram Subramanian <sriram-s@hpe.com>
+Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
+Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>
+(cherry picked from commit cde5a72d365eff5b02b8330fef1c8d36fced08eb)
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
+index 8dd787b..437cd6f 100644
+--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
++++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
+@@ -814,7 +814,7 @@ PxeBcCreateIp4Children (
+     }
+ 
+     //
+-    // Open SNP on the child handle BY_DRIVER. It will prevent any additionally 
++    // Open SNP on the child handle BY_DRIVER|EXCLUSIVE. It will prevent any additionally
+     // layering to perform the experiment.
+     //
+     Status = gBS->OpenProtocol (
+@@ -823,7 +823,7 @@ PxeBcCreateIp4Children (
+                     (VOID **) &Snp,
+                     This->DriverBindingHandle,
+                     Private->Ip4Nic->Controller,
+-                    EFI_OPEN_PROTOCOL_BY_DRIVER
++                    EFI_OPEN_PROTOCOL_BY_DRIVER|EFI_OPEN_PROTOCOL_EXCLUSIVE
+                     );
+     if (EFI_ERROR (Status)) {
+       goto ON_ERROR;
+@@ -1157,7 +1157,7 @@ PxeBcCreateIp6Children (
+     }
+ 
+     //
+-    // Open SNP on the child handle BY_DRIVER. It will prevent any additionally 
++    // Open SNP on the child handle BY_DRIVER|EXCLUSIVE. It will prevent any additionally
+     // layering to perform the experiment.
+     //
+     Status = gBS->OpenProtocol (
+@@ -1166,7 +1166,7 @@ PxeBcCreateIp6Children (
+                     (VOID **) &Snp,
+                     This->DriverBindingHandle,
+                     Private->Ip6Nic->Controller,
+-                    EFI_OPEN_PROTOCOL_BY_DRIVER
++                    EFI_OPEN_PROTOCOL_BY_DRIVER|EFI_OPEN_PROTOCOL_EXCLUSIVE
+                     );
+     if (EFI_ERROR (Status)) {
+       goto ON_ERROR;
+-- 
+1.8.3.1
+
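Review bot: The rewritten comment in PxeBcCreateIp4Children() and PxeBcCreateIp6Children() still ends in "It will prevent any additionally layering to perform the experiment", which does not tell the reader what the EXCLUSIVE bit adds. Since the line is being changed anyway, state the intent from the commit message: the SNP on the child handle is opened BY_DRIVER|EXCLUSIVE so that the MNP driver does not open it and a later EXCLUSIVE OpenProtocol request from another driver is rejected rather than crashing the system. The attribute expression would also read better with spaces around the | operator.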
diff --git a/SOURCES/edk2-advertise-OpenSSL-due-to-IPv6-enablement-too-RHEL-on.patch b/SOURCES/edk2-advertise-OpenSSL-due-to-IPv6-enablement-too-RHEL-on.patch
new file mode 100644
index 0000000..250879f
--- /dev/null
+++ b/SOURCES/edk2-advertise-OpenSSL-due-to-IPv6-enablement-too-RHEL-on.patch
@@ -0,0 +1,154 @@
+From 02ed2c501cdd56e9c404bdc8eac0abb9dfd5a04c Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 18 Jul 2018 00:18:20 +0200
+Subject: [PATCH 4/6] advertise OpenSSL due to IPv6 enablement too (RHEL only)
+
+Message-id: <20180717221822.13110-4-lersek@redhat.com>
+Patchwork-id: 81378
+O-Subject:  [RHEL8/virt212 edk2 PATCH 3/5] advertise OpenSSL due to IPv6
+	enablement too (RHEL only)
+Bugzilla: 1536627
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Wei Huang <wei@redhat.com>
+
+With "-D NETWORK_IP6_ENABLE", we pull the IPv6-enabled IScsiDxe driver
+into the edk2-ovmf and edk2-aarch64 builds. That driver depends on OpenSSL
+(the crypto part only, not the ssl part). Accordingly, extend our
+(downstream-only) OpenSSL advertisment to NETWORK_IP6_ENABLE.
+
+(At the next rebase, this patch will be squashed into commit "advertise
+OpenSSL on TianoCore splash screen / boot logo (RHEL only)".)
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ ArmVirtPkg/ArmVirtQemu.dsc           | 2 +-
+ ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 2 +-
+ ArmVirtPkg/ArmVirtQemuKernel.dsc     | 2 +-
+ OvmfPkg/OvmfPkgIa32.dsc              | 2 +-
+ OvmfPkg/OvmfPkgIa32.fdf              | 2 +-
+ OvmfPkg/OvmfPkgIa32X64.dsc           | 2 +-
+ OvmfPkg/OvmfPkgIa32X64.fdf           | 2 +-
+ OvmfPkg/OvmfPkgX64.dsc               | 2 +-
+ OvmfPkg/OvmfPkgX64.fdf               | 2 +-
+ 9 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
+index 41ff17d..7091b6c 100644
+--- a/ArmVirtPkg/ArmVirtQemu.dsc
++++ b/ArmVirtPkg/ArmVirtQemu.dsc
+@@ -332,7 +332,7 @@
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
+   MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
+-!if $(SECURE_BOOT_ENABLE) == TRUE
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE)
+   MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ !else
+   MdeModulePkg/Logo/LogoDxe.inf
+diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+index 82d9cbd..a3f5fa9 100644
+--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
++++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+@@ -201,7 +201,7 @@ READ_LOCK_STATUS   = TRUE
+   #
+   # TianoCore logo (splash screen)
+   #
+-!if $(SECURE_BOOT_ENABLE) == TRUE
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE)
+   INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ !else
+   INF MdeModulePkg/Logo/LogoDxe.inf
+diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+index 83fc12f..5730633 100644
+--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
++++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
+@@ -315,7 +315,7 @@
+   MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf
+   MdeModulePkg/Universal/DriverHealthManagerDxe/DriverHealthManagerDxe.inf
+   MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
+-!if $(SECURE_BOOT_ENABLE) == TRUE
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE)
+   MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ !else
+   MdeModulePkg/Logo/LogoDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index f6d7833..bef8df9 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -688,7 +688,7 @@
+       NULL|IntelFrameworkModulePkg/Library/LegacyBootManagerLib/LegacyBootManagerLib.inf
+ !endif
+   }
+-!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
+   MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ !else
+   MdeModulePkg/Logo/LogoDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index 73007dd..43f80cd 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -297,7 +297,7 @@ INF  RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
+ !endif
+ !endif
+ 
+-!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
+ INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ !else
+ INF MdeModulePkg/Logo/LogoDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index d6e628b..2085848 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -697,7 +697,7 @@
+       NULL|IntelFrameworkModulePkg/Library/LegacyBootManagerLib/LegacyBootManagerLib.inf
+ !endif
+   }
+-!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
+   MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ !else
+   MdeModulePkg/Logo/LogoDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index 116b3c6..d858012 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -298,7 +298,7 @@ INF  RuleOverride = BINARY USE = X64 EdkShellBinPkg/FullShell/FullShell.inf
+ !endif
+ !endif
+ 
+-!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
+ INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ !else
+ INF MdeModulePkg/Logo/LogoDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index a9fe89c..7bcb9fa 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -695,7 +695,7 @@
+       NULL|IntelFrameworkModulePkg/Library/LegacyBootManagerLib/LegacyBootManagerLib.inf
+ !endif
+   }
+-!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
+   MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ !else
+   MdeModulePkg/Logo/LogoDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 84d5845..41ce2d0 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -298,7 +298,7 @@ INF  RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
+ !endif
+ !endif
+ 
+-!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
++!if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(NETWORK_IP6_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
+ INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+ !else
+ INF MdeModulePkg/Logo/LogoDxe.inf
+-- 
+1.8.3.1
+
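Review bot: The three ArmVirtPkg conditions (ArmVirtQemu.dsc, ArmVirtQemuFvMain.fdf.inc, ArmVirtQemuKernel.dsc) test only SECURE_BOOT_ENABLE and NETWORK_IP6_ENABLE, while the six OvmfPkg conditions also test TLS_ENABLE. If the ArmVirt platforms can be built with TLS_ENABLE, LogoDxe.inf would still be selected there instead of LogoOpenSSLDxe.inf. Either add the `($(TLS_ENABLE) == TRUE)` term to the ArmVirt files or state in the commit message why it is not needed. Separately, the same expression is now hand-copied into every .dsc/.fdf pair, and each pair has to agree on which logo INF is built and which is placed in the firmware volume. Evaluating the condition once per platform into a single define, and testing that define in both files, would keep the next feature flag from having to be added in nine places.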
diff --git a/SOURCES/ovmf-vars-generator b/SOURCES/ovmf-vars-generator
new file mode 100755
index 0000000..06d0396
--- /dev/null
+++ b/SOURCES/ovmf-vars-generator
@@ -0,0 +1,273 @@
+#!/bin/python
+# Copyright (C) 2017 Red Hat
+# Authors:
+# - Patrick Uiterwijk <puiterwijk@redhat.com>
+# - Kashyap Chamarthy <kchamart@redhat.com>
+#
+# Licensed under MIT License, for full text see LICENSE
+#
+# Purpose: Launch a QEMU guest and enroll ithe UEFI keys into an OVMF
+#          variables ("VARS") file.  Then boot a Linux kernel with QEMU.
+#          Finally, perform a check to verify if Secure Boot
+#          is enabled.
+
+from __future__ import print_function
+
+import argparse
+import os
+import logging
+import tempfile
+import shutil
+import string
+import subprocess
+
+
+def strip_special(line):
+    return ''.join([c for c in str(line) if c in string.printable])
+
+
+def generate_qemu_cmd(args, readonly, *extra_args):
+    if args.disable_smm:
+        machinetype = 'pc'
+    else:
+        machinetype = 'q35,smm=on'
+    machinetype += ',accel=%s' % ('kvm' if args.enable_kvm else 'tcg')
+    return [
+        args.qemu_binary,
+        '-machine', machinetype,
+        '-display', 'none',
+        '-no-user-config',
+        '-nodefaults',
+        '-m', '256',
+        '-smp', '2,sockets=2,cores=1,threads=1',
+        '-chardev', 'pty,id=charserial1',
+        '-device', 'isa-serial,chardev=charserial1,id=serial1',
+        '-global', 'driver=cfi.pflash01,property=secure,value=%s' % (
+            'off' if args.disable_smm else 'on'),
+        '-drive',
+        'file=%s,if=pflash,format=raw,unit=0,readonly=on' % (
+            args.ovmf_binary),
+        '-drive',
+        'file=%s,if=pflash,format=raw,unit=1,readonly=%s' % (
+            args.out_temp, 'on' if readonly else 'off'),
+        '-serial', 'stdio'] + list(extra_args)
+
+
+def download(url, target, suffix, no_download):
+    istemp = False
+    if target and os.path.exists(target):
+        return target, istemp
+    if not target:
+        temped = tempfile.mkstemp(prefix='qosb.', suffix='.%s' % suffix)
+        os.close(temped[0])
+        target = temped[1]
+        istemp = True
+    if no_download:
+        raise Exception('%s did not exist, but downloading was disabled' %
+                        target)
+    import requests
+    logging.debug('Downloading %s to %s', url, target)
+    r = requests.get(url, stream=True)
+    with open(target, 'wb') as f:
+        for chunk in r.iter_content(chunk_size=1024):
+            if chunk:
+                f.write(chunk)
+    return target, istemp
+
+
+def enroll_keys(args):
+    shutil.copy(args.ovmf_template_vars, args.out_temp)
+
+    logging.info('Starting enrollment')
+
+    cmd = generate_qemu_cmd(
+        args,
+        False,
+        '-drive',
+        'file=%s,format=raw,if=none,media=cdrom,id=drive-cd1,'
+        'readonly=on' % args.uefi_shell_iso,
+        '-device',
+        'ide-cd,drive=drive-cd1,id=cd1,'
+        'bootindex=1')
+    p = subprocess.Popen(cmd,
+        stdin=subprocess.PIPE,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.STDOUT)
+    logging.info('Performing enrollment')
+    # Wait until the UEFI shell starts (first line is printed)
+    read = p.stdout.readline()
+    if b'char device redirected' in read:
+        read = p.stdout.readline()
+    if args.print_output:
+        print(strip_special(read), end='')
+        print()
+    # Send the escape char to enter the UEFI shell early
+    p.stdin.write(b'\x1b')
+    p.stdin.flush()
+    # And then run the following three commands from the UEFI shell:
+    # change into the first file system device; install the default
+    # keys and certificates, and reboot
+    p.stdin.write(b'fs0:\r\n')
+    p.stdin.write(b'EnrollDefaultKeys.efi\r\n')
+    p.stdin.write(b'reset -s\r\n')
+    p.stdin.flush()
+    while True:
+        read = p.stdout.readline()
+        if args.print_output:
+            print('OUT: %s' % strip_special(read), end='')
+            print()
+        if b'info: success' in read:
+            break
+    p.wait()
+    if args.print_output:
+        print(strip_special(p.stdout.read()), end='')
+    logging.info('Finished enrollment')
+
+
+def test_keys(args):
+    logging.info('Grabbing test kernel')
+    kernel, kerneltemp = download(args.kernel_url, args.kernel_path,
+                                  'kernel', args.no_download)
+
+    logging.info('Starting verification')
+    try:
+        cmd = generate_qemu_cmd(
+            args,
+            True,
+            '-append', 'console=tty0 console=ttyS0,115200n8',
+            '-kernel', kernel)
+        p = subprocess.Popen(cmd,
+            stdin=subprocess.PIPE,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT)
+        logging.info('Performing verification')
+        while True:
+            read = p.stdout.readline()
+            if args.print_output:
+                print('OUT: %s' % strip_special(read), end='')
+                print()
+            if b'Secure boot disabled' in read:
+                raise Exception('Secure Boot was disabled')
+            elif b'Secure boot enabled' in read:
+                logging.info('Confirmed: Secure Boot is enabled')
+                break
+            elif b'Kernel is locked down from EFI secure boot' in read:
+                logging.info('Confirmed: Secure Boot is enabled')
+                break
+        p.kill()
+        if args.print_output:
+            print(strip_special(p.stdout.read()), end='')
+        logging.info('Finished verification')
+    finally:
+        if kerneltemp:
+            os.remove(kernel)
+
+
+def parse_args():
+    parser = argparse.ArgumentParser()
+    parser.add_argument('output', help='Filename for output vars file')
+    parser.add_argument('--out-temp', help=argparse.SUPPRESS)
+    parser.add_argument('--force', help='Overwrite existing output file',
+                        action='store_true')
+    parser.add_argument('--print-output', help='Print the QEMU guest output',
+                        action='store_true')
+    parser.add_argument('--verbose', '-v', help='Increase verbosity',
+                        action='count')
+    parser.add_argument('--quiet', '-q', help='Decrease verbosity',
+                        action='count')
+    parser.add_argument('--qemu-binary', help='QEMU binary path',
+                        default='/usr/bin/qemu-system-x86_64')
+    parser.add_argument('--enable-kvm', help='Enable KVM acceleration',
+                        action='store_true')
+    parser.add_argument('--ovmf-binary', help='OVMF secureboot code file',
+                        default='/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd')
+    parser.add_argument('--ovmf-template-vars', help='OVMF empty vars file',
+                        default='/usr/share/edk2/ovmf/OVMF_VARS.fd')
+    parser.add_argument('--uefi-shell-iso', help='Path to uefi shell iso',
+                        default='/usr/share/edk2/ovmf/UefiShell.iso')
+    parser.add_argument('--skip-enrollment',
+                        help='Skip enrollment, only test', action='store_true')
+    parser.add_argument('--skip-testing',
+                        help='Skip testing generated "VARS" file',
+                        action='store_true')
+    parser.add_argument('--kernel-path',
+                        help='Specify a consistent path for kernel')
+    parser.add_argument('--no-download', action='store_true',
+                        help='Never download a kernel')
+    parser.add_argument('--fedora-version',
+                        help='Fedora version to get kernel for checking',
+                        default='27')
+    parser.add_argument('--kernel-url', help='Kernel URL',
+                        default='https://download.fedoraproject.org/pub/fedora'
+                                '/linux/releases/%(version)s/Everything/x86_64'
+                                '/os/images/pxeboot/vmlinuz')
+    parser.add_argument('--disable-smm',
+                        help=('Don\'t restrict varstore pflash writes to '
+                              'guest code that executes in SMM. Use this '
+                              'option only if your OVMF binary doesn\'t have '
+                              'the edk2 SMM driver stack built into it '
+                              '(possibly because your QEMU binary lacks SMM '
+                              'emulation). Note that without restricting '
+                              'varstore pflash writes to guest code that '
+                              'executes in SMM, a malicious guest kernel, '
+                              'used for testing, could undermine Secure '
+                              'Boot.'),
+                        action='store_true')
+    args = parser.parse_args()
+    args.kernel_url = args.kernel_url % {'version': args.fedora_version}
+
+    validate_args(args)
+    return args
+
+
+def validate_args(args):
+    if (os.path.exists(args.output)
+            and not args.force
+            and not args.skip_enrollment):
+        raise Exception('%s already exists' % args.output)
+
+    if args.skip_enrollment and not os.path.exists(args.output):
+        raise Exception('%s does not yet exist' % args.output)
+
+    verbosity = (args.verbose or 1) - (args.quiet or 0)
+    if verbosity >= 2:
+        logging.basicConfig(level=logging.DEBUG)
+    elif verbosity == 1:
+        logging.basicConfig(level=logging.INFO)
+    elif verbosity < 0:
+        logging.basicConfig(level=logging.ERROR)
+    else:
+        logging.basicConfig(level=logging.WARN)
+
+    if args.skip_enrollment:
+        args.out_temp = args.output
+    else:
+        temped = tempfile.mkstemp(prefix='qosb.', suffix='.vars')
+        os.close(temped[0])
+        args.out_temp = temped[1]
+        logging.debug('Temp output: %s', args.out_temp)
+
+
+def move_to_dest(args):
+    shutil.copy(args.out_temp, args.output)
+    os.remove(args.out_temp)
+
+
+def main():
+    args = parse_args()
+    if not args.skip_enrollment:
+        enroll_keys(args)
+    if not args.skip_testing:
+        test_keys(args)
+    if not args.skip_enrollment:
+        move_to_dest(args)
+        if args.skip_testing:
+            logging.info('Created %s' % args.output)
+        else:
+            logging.info('Created and verified %s' % args.output)
+    else:
+        logging.info('Verified %s', args.output)
+
+
+if __name__ == '__main__':
+    main()
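Review bot: The two `while True:` loops around `p.stdout.readline()` in enroll_keys() and test_keys() have no exit on end-of-file and no timeout. If QEMU exits before 'info: success' or one of the 'Secure boot ...' strings is printed, readline() returns b'' and the loop spins forever; if the guest goes silent, it blocks forever. Either case hangs whatever build step runs this script. Raise when `read` is empty or `p.poll()` is not None, and enforce an overall deadline. In download(), the response body is written to disk without `r.raise_for_status()` and without any checksum or signature check on the file, so an HTTP error page or a substituted vmlinuz becomes the kernel whose console output decides the Secure Boot verdict. Check the status and compare the file against a pinned digest before booting it. The mkstemp() file in download() is also left behind when the no_download branch raises, as is args.out_temp when enrollment fails. Minor: the header comment has "ithe" for "the", `(args.verbose or 1)` makes a single -v identical to the default level, and the `#!/bin/python` shebang assumes an unversioned interpreter at that path.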
diff --git a/SOURCES/ovmf-whitepaper-c770f8c.txt b/SOURCES/ovmf-whitepaper-c770f8c.txt
new file mode 100644
index 0000000..ba727b4
--- /dev/null
+++ b/SOURCES/ovmf-whitepaper-c770f8c.txt
@@ -0,0 +1,2422 @@
+Open Virtual Machine Firmware (OVMF) Status Report
+July 2014 (with updates in August 2014 - January 2015)
+
+Author: Laszlo Ersek <lersek@redhat.com>
+Copyright (C) 2014-2015, Red Hat, Inc.
+CC BY-SA 4.0 <http://creativecommons.org/licenses/by-sa/4.0/>
+
+Abstract
+--------
+
+The Unified Extensible Firmware Interface (UEFI) is a specification that
+defines a software interface between an operating system and platform firmware.
+UEFI is designed to replace the Basic Input/Output System (BIOS) firmware
+interface.
+
+Hardware platform vendors have been increasingly adopting the UEFI
+Specification to govern their boot firmware developments. OVMF (Open Virtual
+Machine Firmware), a sub-project of Intel's EFI Development Kit II (edk2),
+enables UEFI support for Ia32 and X64 Virtual Machines.
+
+This paper reports on the status of the OVMF project, treats features and
+limitations, gives end-user hints, and examines some areas in-depth.
+
+Keywords: ACPI, boot options, CSM, edk2, firmware, flash, fw_cfg, KVM, memory
+map, non-volatile variables, OVMF, PCD, QEMU, reset vector, S3, Secure Boot,
+Smbios, SMM, TianoCore, UEFI, VBE shim, Virtio
+
+Table of Contents
+-----------------
+
+- Motivation
+- Scope
+- Example qemu invocation
+- Installation of OVMF guests with virt-manager and virt-install
+- Supported guest operating systems
+- Compatibility Support Module (CSM)
+- Phases of the boot process
+- Project structure
+- Platform Configuration Database (PCD)
+- Firmware image structure
+- S3 (suspend to RAM and resume)
+- A comprehensive memory map of OVMF
+- Known Secure Boot limitations
+- Variable store and LockBox in SMRAM
+- Select features
+  - X64-specific reset vector for OVMF
+  - Client library for QEMU's firmware configuration interface
+  - Guest ACPI tables
+  - Guest SMBIOS tables
+  - Platform-specific boot policy
+  - Virtio drivers
+  - Platform Driver
+  - Video driver
+- Afterword
+
+Motivation
+----------
+
+OVMF extends the usual benefits of virtualization to UEFI. Reasons to use OVMF
+include:
+
+- Legacy-free guests. A UEFI-based environment eliminates dependencies on
+  legacy address spaces and devices. This is especially beneficial when used
+  with physically assigned devices where the legacy operating mode is
+  troublesome to support, ex. assigned graphics cards operating in legacy-free,
+  non-VGA mode in the guest.
+
+- Future proof guests. The x86 market is steadily moving towards a legacy-free
+  platform and guest operating systems may eventually require a UEFI
+  environment. OVMF provides that next generation firmware support for such
+  applications.
+
+- GUID partition tables (GPTs). MBR partition tables represent partition
+  offsets and sizes with 32-bit integers, in units of 512 byte sectors. This
+  limits the addressable portion of the disk to 2 TB. GPT represents logical
+  block addresses with 64 bits.
+
+- Liberating boot loader binaries from residing in contested and poorly defined
+  space between the partition table and the partitions.
+
+- Support for booting off disks (eg. pass-through physical SCSI devices) with a
+  4kB physical and logical sector size, i.e. which don't have 512-byte block
+  emulation.
+
+- Development and testing of Secure Boot-related features in guest operating
+  systems. Although OVMF's Secure Boot implementation is currently not secure
+  against malicious UEFI drivers, UEFI applications, and guest kernels,
+  trusted guest code that only uses standard UEFI interfaces will find a valid
+  Secure Boot environment under OVMF, with working key enrollment and signature
+  validation. This enables development and testing of portable, Secure
+  Boot-related guest code.
+
+- Presence of non-volatile UEFI variables. This furthers development and
+  testing of OS installers, UEFI boot loaders, and unique, dependent guest OS
+  features. For example, an efivars-backed pstore (persistent storage)
+  file system works under Linux.
+
+- Altogether, a near production-level UEFI environment for virtual machines
+  when Secure Boot is not required.
+
+Scope
+-----
+
+UEFI and especially Secure Boot have been topics fraught with controversy and
+political activism. This paper sidesteps these aspects and strives to focus on
+use cases, hands-on information for end users, and technical details.
+
+Unless stated otherwise, the expression "X supports Y" means "X is technically
+compatible with interfaces provided or required by Y". It does not imply
+support as an activity performed by natural persons or companies.
+
+We discuss the status of OVMF at a state no earlier than edk2 SVN revision
+16158. The paper concentrates on upstream projects and communities, but
+occasionally it pans out about OVMF as it is planned to be shipped (as
+Technical Preview) in Red Hat Enterprise Linux 7.1. Such digressions are marked
+with the [RHEL] margin notation.
+
+Although other VMMs and accelerators are known to support (or plan to support)
+OVMF to various degrees -- for example, VirtualBox, Xen, BHyVe --, we'll
+emphasize OVMF on qemu/KVM, because QEMU and KVM have always been Red Hat's
+focus wrt. OVMF.
+
+The recommended upstream QEMU version is 2.1+. The recommended host Linux
+kernel (KVM) version is 3.10+. The recommended QEMU machine type is
+"qemu-system-x86_64 -M pc-i440fx-2.1" or later.
+
+The term "TianoCore" is used interchangeably with "edk2" in this paper.
+
+Example qemu invocation
+-----------------------
+
+The following commands give a quick foretaste of installing a UEFI operating
+system on OVMF, relying only on upstream edk2 and qemu.
+
+- Clone and build OVMF:
+
+  git clone https://github.com/tianocore/edk2.git
+  cd edk2
+  nice OvmfPkg/build.sh -a X64 -n $(getconf _NPROCESSORS_ONLN)
+
+  (Note that this ad-hoc build will not include the Secure Boot feature.)
+
+- The build output file, "OVMF.fd", includes not only the executable firmware
+  code, but the non-volatile variable store as well. For this reason, make a
+  VM-specific copy of the build output (the variable store should be private to
+  the virtual machine):
+
+  cp Build/OvmfX64/DEBUG_GCC4?/FV/OVMF.fd fedora.flash
+
+  (The variable store and the firmware executable are also available in the
+  build output as separate files: "OVMF_VARS.fd" and "OVMF_CODE.fd". This
+  enables central management and updates of the firmware executable, while each
+  virtual machine can retain its own variable store.)
+
+- Download a Fedora LiveCD:
+
+  wget https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Xfce-x86_64-20-1.iso
+
+- Create a virtual disk (qcow2 format, 20 GB in size):
+
+  qemu-img create -f qcow2 fedora.img 20G
+
+- Create the following qemu wrapper script under the name "fedora.sh":
+
+  # Basic virtual machine properties: a recent i440fx machine type, KVM
+  # acceleration, 2048 MB RAM, two VCPUs.
+  OPTS="-M pc-i440fx-2.1 -enable-kvm -m 2048 -smp 2"
+
+  # The OVMF binary, including the non-volatile variable store, appears as a
+  # "normal" qemu drive on the host side, and it is exposed to the guest as a
+  # persistent flash device.
+  OPTS="$OPTS -drive if=pflash,format=raw,file=fedora.flash"
+
+  # The hard disk is exposed to the guest as a virtio-block device. OVMF has a
+  # driver stack that supports such a disk. We specify this disk as first boot
+  # option. OVMF recognizes the boot order specification.
+  OPTS="$OPTS -drive id=disk0,if=none,format=qcow2,file=fedora.img"
+  OPTS="$OPTS -device virtio-blk-pci,drive=disk0,bootindex=0"
+
+  # The Fedora installer disk appears as an IDE CD-ROM in the guest. This is
+  # the 2nd boot option.
+  OPTS="$OPTS -drive id=cd0,if=none,format=raw,readonly"
+  OPTS="$OPTS,file=Fedora-Live-Xfce-x86_64-20-1.iso"
+  OPTS="$OPTS -device ide-cd,bus=ide.1,drive=cd0,bootindex=1"
+
+  # The following setting enables S3 (suspend to RAM). OVMF supports S3
+  # suspend/resume.
+  OPTS="$OPTS -global PIIX4_PM.disable_s3=0"
+
+  # OVMF emits a number of info / debug messages to the QEMU debug console, at
+  # ioport 0x402. We configure qemu so that the debug console is indeed
+  # available at that ioport. We redirect the host side of the debug console to
+  # a file.
+  OPTS="$OPTS -global isa-debugcon.iobase=0x402 -debugcon file:fedora.ovmf.log"
+
+  # QEMU accepts various commands and queries from the user on the monitor
+  # interface. Connect the monitor with the qemu process's standard input and
+  # output.
+  OPTS="$OPTS -monitor stdio"
+
+  # A USB tablet device in the guest allows for accurate pointer tracking
+  # between the host and the guest.
+  OPTS="$OPTS -device piix3-usb-uhci -device usb-tablet"
+
+  # Provide the guest with a virtual network card (virtio-net).
+  #
+  # Normally, qemu provides the guest with a UEFI-conformant network driver
+  # from the iPXE project, in the form of a PCI expansion ROM. For this test,
+  # we disable the expansion ROM and allow OVMF's built-in virtio-net driver to
+  # take effect.
+  #
+  # On the host side, we use the SLIRP ("user") network backend, which has
+  # relatively low performance, but it doesn't require extra privileges from
+  # the user executing qemu.
+  OPTS="$OPTS -netdev id=net0,type=user"
+  OPTS="$OPTS -device virtio-net-pci,netdev=net0,romfile="
+
+  # A Spice QXL GPU is recommended as the primary VGA-compatible display
+  # device. It is a full-featured virtual video card, with great operating
+  # system driver support. OVMF supports it too.
+  OPTS="$OPTS -device qxl-vga"
+
+  qemu-system-x86_64 $OPTS
+
+- Start the Fedora guest:
+
+  sh fedora.sh
+
+- The above command can be used for both installation and later boots of the
+  Fedora guest.
+
+- In order to verify basic OVMF network connectivity:
+
+  - Assuming that the non-privileged user running qemu belongs to group G
+    (where G is a numeric identifier), ensure as root on the host that the
+    group range in file "/proc/sys/net/ipv4/ping_group_range" includes G.
+
+  - As the non-privileged user, boot the guest as usual.
+
+  - On the TianoCore splash screen, press ESC.
+
+  - Navigate to Boot Manager | EFI Internal Shell
+
+  - In the UEFI Shell, issue the following commands:
+
+    ifconfig -s eth0 dhcp
+    ping A.B.C.D
+
+    where A.B.C.D is a public IPv4 address in dotted decimal notation that your
+    host can reach.
+
+  - Type "quit" at the (qemu) monitor prompt.
+
+Installation of OVMF guests with virt-manager and virt-install
+--------------------------------------------------------------
+
+(1) Assuming OVMF has been installed on the host with the following files:
+    - /usr/share/OVMF/OVMF_CODE.fd
+    - /usr/share/OVMF/OVMF_VARS.fd
+
+    locate the "nvram" stanza in "/etc/libvirt/qemu.conf", and edit it as
+    follows:
+
+    nvram = [ "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd" ]
+
+(2) Restart libvirtd with your Linux distribution's service management tool;
+    for example,
+
+    systemctl restart libvirtd
+
+(3) In virt-manager, proceed with the guest installation as usual:
+    - select File | New Virtual Machine,
+    - advance to Step 5 of 5,
+    - in Step 5, check "Customize configuration before install",
+    - click Finish;
+    - in the customization dialog, select Overview | Firmware, and choose UEFI,
+    - click Apply and Begin Installation.
+
+(4) With virt-install:
+
+    LDR="loader=/usr/share/OVMF/OVMF_CODE.fd,loader_ro=yes,loader_type=pflash"
+    virt-install \
+      --name fedora20 \
+      --memory 2048 \
+      --vcpus 2 \
+      --os-variant fedora20 \
+      --boot hd,cdrom,$LDR \
+      --disk size=20 \
+      --disk path=Fedora-Live-Xfce-x86_64-20-1.iso,device=cdrom,bus=scsi
+
+(5) A popular, distribution-independent, bleeding-edge OVMF package is
+    available under <https://www.kraxel.org/repos/>, courtesy of Gerd Hoffmann.
+
+    The "edk2.git-ovmf-x64" package provides the following files, among others:
+    - /usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd
+    - /usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd
+
+    When using this package, adapt steps (1) and (4) accordingly.
+
+(6) Additionally, the "edk2.git-ovmf-x64" package seeks to simplify the
+    enablement of Secure Boot in a virtual machine (strictly for development
+    and testing purposes).
+
+    - Boot the virtual machine off the CD-ROM image called
+      "/usr/share/edk2.git/ovmf-x64/UefiShell.iso"; before or after installing
+      the main guest operating system.
+
+    - When the UEFI shell appears, issue the following commands:
+
+      EnrollDefaultKeys.efi
+      reset -s
+
+    - The EnrollDefaultKeys.efi utility enrolls the following keys:
+
+      - A static example X.509 certificate (CN=TestCommonName) as Platform Key
+        and first Key Exchange Key.
+
+        The private key matching this certificate has been destroyed (but you
+        shouldn't trust this statement).
+
+      - "Microsoft Corporation KEK CA 2011" as second Key Exchange Key
+        (SHA1: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30).
+
+      - "Microsoft Windows Production PCA 2011" as first DB entry
+        (SHA1: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d).
+
+      - "Microsoft Corporation UEFI CA 2011" as second DB entry
+        (SHA1: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3).
+
+      These keys suffice to boot released versions of popular Linux
+      distributions (through the shim.efi utility), and Windows 8 and Windows
+      Server 2012 R2, in Secure Boot mode.
+
+Supported guest operating systems
+---------------------------------
+
+Upstream OVMF does not favor some guest operating systems over others for
+political or ideological reasons. However, some operating systems are harder to
+obtain and/or technically more difficult to support. The general expectation is
+that recent UEFI OSes should just work. Please consult the "OvmfPkg/README"
+file.
+
+The following guest OSes were tested with OVMF:
+- Red Hat Enterprise Linux 6
+- Red Hat Enterprise Linux 7
+- Fedora 18
+- Fedora 19
+- Fedora 20
+- Windows Server 2008 R2 SP1
+- Windows Server 2012
+- Windows 8
+
+Notes about Windows Server 2008 R2 (paraphrasing the "OvmfPkg/README" file):
+
+- QEMU should be started with one of the "-device qxl-vga" and "-device VGA"
+  options.
+
+- Only one video mode, 1024x768x32, is supported at OS runtime.
+
+  Please refer to the section about QemuVideoDxe (OVMF's built-in video driver)
+  for more details on this limitation.
+
+- The qxl-vga video card is recommended ("-device qxl-vga"). After booting the
+  installed guest OS, select the video card in Device Manager, and upgrade the
+  video driver to the QXL XDDM one.
+
+  The QXL XDDM driver can be downloaded from
+  <http://www.spice-space.org/download.html>, under Guest | Windows binaries.
+
+  This driver enables additional graphics resolutions at OS runtime, and
+  provides S3 (suspend/resume) capability.
+
+Notes about Windows Server 2012 and Windows 8:
+
+- QEMU should be started with the "-device qxl-vga,revision=4" option (or a
+  later revision, if available).
+
+- The guest OS's builtin video driver inherits the video mode / frame buffer
+  from OVMF. There's no way to change the resolution at OS runtime.
+
+  For this reason, a platform driver has been developed for OVMF, which allows
+  users to change the preferred video mode in the firmware. Please refer to the
+  section about PlatformDxe for details.
+
+- It is recommended to upgrade the guest OS's video driver to the QXL WDDM one,
+  via Device Manager.
+
+  Binaries for the QXL WDDM driver can be found at
+  <http://people.redhat.com/~vrozenfe/qxlwddm> (pick a version greater than or
+  equal to 0.6), while the source code resides at
+  <https://github.com/vrozenfe/qxl-dod>.
+
+  This driver enables additional graphics resolutions at OS runtime, and
+  provides S3 (suspend/resume) capability.
+
+Compatibility Support Module (CSM)
+----------------------------------
+
+Collaboration between SeaBIOS and OVMF developers has enabled SeaBIOS to be
+built as a Compatibility Support Module, and OVMF to embed and use it.
+
+Benefits of a SeaBIOS CSM include:
+
+- The ability to boot legacy (non-UEFI) operating systems, such as legacy Linux
+  systems, Windows 7, OpenBSD 5.2, FreeBSD 8/9, NetBSD, DragonflyBSD, Solaris
+  10/11.
+
+- Legacy (non-UEFI-compliant) PCI expansion ROMs, such as a VGA BIOS, mapped by
+  QEMU in emulated devices' ROM BARs, are loaded and executed by OVMF.
+
+  For example, this grants the Windows Server 2008 R2 SP1 guest's native,
+  legacy video driver access to all modes of all QEMU video cards.
+
+Building the CSM target of the SeaBIOS source tree is out of scope for this
+report. Additionally, upstream OVMF does not enable the CSM by default.
+
+Interested users and developers should look for OVMF's "-D CSM_ENABLE"
+build-time option, and check out the <https://www.kraxel.org/repos/> continuous
+integration repository, which provides CSM-enabled OVMF builds.
+
+[RHEL] The "OVMF_CODE.fd" firmware image made available on the Red Hat
+       Enterprise Linux 7.1 host does not include a Compatibility Support
+       Module, for the following reasons:
+
+       - Virtual machines running officially supported, legacy guest operating
+         systems should just use the standalone SeaBIOS firmware. Firmware
+         selection is flexible in virtualization, see eg. "Installation of OVMF
+         guests with virt-manager and virt-install" above.
+
+       - The 16-bit thunking interface between OVMF and SeaBIOS is very complex
+         and presents a large debugging and support burden, based on past
+         experience.
+
+       - Secure Boot is incompatible with CSM.
+
+       - Inter-project dependencies should be minimized whenever possible.
+
+       - Using the default QXL video card, the Windows 2008 R2 SP1 guest can be
+         installed with its built-in, legacy video driver. Said driver will
+         select the only available video mode, 1024x768x32. After installation,
+         the video driver can be upgraded to the full-featured QXL XDDM driver.
+
+Phases of the boot process
+--------------------------
+
+The PI and UEFI specifications, and Intel's UEFI and EDK II Learning and
+Development materials provide ample information on PI and UEFI concepts. The
+following is an absolutely minimal, rough glossary that is included only to
+help readers new to PI and UEFI understand references in later, OVMF-specific
+sections. We defer heavily to the official specifications and the training
+materials, and frequently quote them below.
+
+A central concept to mention early is the GUID -- globally unique identifier. A
+GUID is a 128-bit number, written as XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,
+where each X stands for a hexadecimal nibble. GUIDs are used to name everything
+in PI and in UEFI. Programmers introduce new GUIDs with the "uuidgen" utility,
+and standards bodies standardize well-known services by positing their GUIDs.
+
+The boot process is roughly divided in the following phases:
+
+- Reset vector code.
+
+- SEC: Security phase. This phase is the root of firmware integrity.
+
+- PEI: Pre-EFI Initialization. This phase performs "minimal processor, chipset
+  and platform configuration for the purpose of discovering memory". Modules in
+  PEI collectively save their findings about the platform in a list of HOBs
+  (hand-off blocks).
+
+  When developing PEI code, the Platform Initialization (PI) specification
+  should be consulted.
+
+- DXE: Driver eXecution Environment, pronounced as "Dixie". This "is the phase
+  where the bulk of the booting occurs: devices are enumerated and initialized,
+  UEFI services are supported, and protocols and drivers are implemented. Also,
+  the tables that create the UEFI interface are produced".
+
+  On the PEI/DXE boundary, the HOBs produced by PEI are consumed. For example,
+  this is how the memory space map is configured initially.
+
+- BDS: Boot Device Selection. It is "responsible for determining how and where
+  you want to boot the operating system".
+
+  When developing DXE and BDS code, it is mainly the UEFI specification that
+  should be consulted. When speaking about DXE, BDS is frequently considered to
+  be a part of it.
+
+The following concepts are tied to specific boot process phases:
+
+- PEIM: a PEI Module (pronounced "PIM"). A binary module running in the PEI
+  phase, consuming some PPIs and producing other PPIs, and producing HOBs.
+
+- PPI: PEIM-to-PEIM interface. A structure of function pointers and related
+  data members that establishes a PEI service, or an instance of a PEI service.
+  PPIs are identified by GUID.
+
+  An example is EFI_PEI_S3_RESUME2_PPI (6D582DBC-DB85-4514-8FCC-5ADF6227B147).
+
+- DXE driver: a binary module running in the DXE and BDS phases, consuming some
+  protocols and producing other protocols.
+
+- Protocol: A structure of function pointers and related data members that
+  establishes a DXE service, or an instance of a DXE service. Protocols are
+  identified by GUID.
+
+  An example is EFI_BLOCK_IO_PROTOCOL (964E5B21-6459-11D2-8E39-00A0C969723B).
+
+- Architectural protocols: a set of standard protocols that are foundational to
+  the working of a UEFI system. Each architectural protocol has at most one
+  instance. Architectural protocols are implemented by a subset of DXE drivers.
+  DXE drivers explicitly list the set of protocols (including architectural
+  protocols) that they need to work. UEFI drivers can only be loaded once all
+  architectural protocols have become available during the DXE phase.
+
+  An example is EFI_VARIABLE_WRITE_ARCH_PROTOCOL
+  (6441F818-6362-4E44-B570-7DBA31DD2453).
+
+Project structure
+-----------------
+
+The term "OVMF" usually denotes the project (community and development effort)
+that provide and maintain the subject matter UEFI firmware for virtual
+machines. However the term is also frequently applied to the firmware binary
+proper that a virtual machine executes.
+
+OVMF emerges as a compilation of several modules from the edk2 source
+repository. "edk2" stands for EFI Development Kit II; it is a "modern,
+feature-rich, cross-platform firmware development environment for the UEFI and
+PI specifications".
+
+The composition of OVMF is dictated by the following build control files:
+
+  OvmfPkg/OvmfPkgIa32.dsc
+  OvmfPkg/OvmfPkgIa32.fdf
+
+  OvmfPkg/OvmfPkgIa32X64.dsc
+  OvmfPkg/OvmfPkgIa32X64.fdf
+
+  OvmfPkg/OvmfPkgX64.dsc
+  OvmfPkg/OvmfPkgX64.fdf
+
+The format of these files is described in the edk2 DSC and FDF specifications.
+Roughly, the DSC file determines:
+- library instance resolutions for library class requirements presented by the
+  modules to be compiled,
+- the set of modules to compile.
+
+The FDF file roughly determines:
+- what binary modules (compilation output files, precompiled binaries, graphics
+  image files, verbatim binary sections) to include in the firmware image,
+- how to lay out the firmware image.
+
+The Ia32 flavor of these files builds a firmware where both PEI and DXE phases
+are 32-bit. The Ia32X64 flavor builds a firmware where the PEI phase consists
+of 32-bit modules, and the DXE phase is 64-bit. The X64 flavor builds a purely
+64-bit firmware.
+
+The word size of the DXE phase must match the word size of the runtime OS -- a
+32-bit DXE can't cooperate with a 64-bit OS, and a 64-bit DXE can't work a
+32-bit OS.
+
+OVMF pulls together modules from across the edk2 tree. For example:
+
+- common drivers and libraries that are platform independent are usually
+  located under MdeModulePkg and MdePkg,
+
+- common but hardware-specific drivers and libraries that match QEMU's
+  pc-i440fx-* machine type are pulled in from IntelFrameworkModulePkg,
+  PcAtChipsetPkg and UefiCpuPkg,
+
+- the platform independent UEFI Shell is built from ShellPkg,
+
+- OvmfPkg includes drivers and libraries that are useful for virtual machines
+  and may or may not be specific to QEMU's pc-i440fx-* machine type.
+
+Platform Configuration Database (PCD)
+-------------------------------------
+
+Like the "Phases of the boot process" section, this one introduces a concept in
+very raw form. We defer to the PCD related edk2 specifications, and we won't
+discuss implementation details here. Our purpose is only to offer the reader a
+usable (albeit possibly inaccurate) definition, so that we can refer to PCDs
+later on.
+
+Colloquially, when we say "PCD", we actually mean "PCD entry"; that is, an
+entry stored in the Platform Configuration Database.
+
+The Platform Configuration Database is
+- a firmware-wide
+- name-value store
+- of scalars and buffers
+- where each entry may be
+  - build-time constant, or
+  - run-time dynamic, or
+  - theoretically, a middle option: patchable in the firmware file itself,
+    using a dedicated tool. (OVMF does not utilize externally patchable
+    entries.)
+
+A PCD entry is declared in the DEC file of the edk2 top-level Package directory
+whose modules (drivers and libraries) are the primary consumers of the PCD
+entry. (See for example OvmfPkg/OvmfPkg.dec). Basically, a PCD in a DEC file
+exposes a simple customization point.
+
+Interest in a PCD entry is communicated to the build system by naming the PCD
+entry in the INF file of the interested module (application, driver or
+library). The module may read and -- dependent on the PCD entry's category --
+write the PCD entry.
+
+Let's investigate the characteristics of the Database and the PCD entries.
+
+- Firmware-wide: technically, all modules may access all entries they are
+  interested in, assuming they advertise their interest in their INF files.
+  With careful design, PCDs enable inter-driver propagation of (simple) system
+  configuration. PCDs are available in both PEI and DXE.
+
+  (UEFI drivers meant to be portable (ie. from third party vendors) are not
+  supposed to use PCDs, since PCDs qualify internal to the specific edk2
+  firmware in question.)
+
+- Name-value store of scalars and buffers: each PCD has a symbolic name, and a
+  fixed scalar type (UINT16, UINT32 etc), or VOID* for buffers. Each PCD entry
+  belongs to a namespace, where a namespace is (obviously) a GUID, defined in
+  the DEC file.
+
+- A DEC file can permit several categories for a PCD:
+  - build-time constant ("FixedAtBuild"),
+  - patchable in the firmware image ("PatchableInModule", unused in OVMF),
+  - runtime modifiable ("Dynamic").
+
+The platform description file (DSC) of a top-level Package directory may choose
+the exact category for a given PCD entry that its modules wish to use, and
+assign a default (or constant) initial value to it.
+
+In addition, the edk2 build system too can initialize PCD entries to values
+that it calculates while laying out the flash device image. Such PCD
+assignments are described in the FDF control file.
+
+Firmware image structure
+------------------------
+
+(We assume the common X64 choice for both PEI and DXE, and the default DEBUG
+build target.)
+
+The OvmfPkg/OvmfPkgX64.fdf file defines the following layout for the flash
+device image "OVMF.fd":
+
+  Description                     Compression type        Size
+  ------------------------------  ----------------------  -------
+  Non-volatile data storage       open-coded binary data   128 KB
+    Variable store                                          56 KB
+    Event log                                                4 KB
+    Working block                                            4 KB
+    Spare area                                              64 KB
+
+  FVMAIN_COMPACT                  uncompressed            1712 KB
+    FV Firmware File System file  LZMA compressed
+      PEIFV                       uncompressed             896 KB
+        individual PEI modules    uncompressed
+      DXEFV                       uncompressed            8192 KB
+        individual DXE modules    uncompressed
+
+  SECFV                           uncompressed             208 KB
+    SEC driver
+    reset vector code
+
+The top-level image consists of three regions (three firmware volumes):
+- non-volatile data store (128 KB),
+- main firmware volume (FVMAIN_COMPACT, 1712 KB),
+- firmware volume containing the reset vector code and the SEC phase code (208
+  KB).
+
+In total, the OVMF.fd file has size 128 KB + 1712 KB + 208 KB == 2 MB.
+
+(1) The firmware volume with non-volatile data store (128 KB) has the following
+    internal structure, in blocks of 4 KB:
+
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  L: event log
+       LIVE | varstore                  |L|W|  W: working block
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      SPARE |                               |
+            +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+    The first half of this firmware volume is "live", while the second half is
+    "spare". The spare half is important when the variable driver reclaims
+    unused storage and reorganizes the variable store.
+
+    The live half dedicates 14 blocks (56 KB) to the variable store itself. On
+    top of those, one block is set aside for an event log, and one block is
+    used as the working block of the fault tolerant write protocol. Fault
+    tolerant writes are used to recover from an occasional (virtual) power loss
+    during variable updates.
+
+    The blocks in this firmware volume are accessed, in stacking order from
+    least abstract to most abstract, by:
+
+    - EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL (provided by
+      OvmfPkg/QemuFlashFvbServicesRuntimeDxe),
+
+    - EFI_FAULT_TOLERANT_WRITE_PROTOCOL (provided by
+      MdeModulePkg/Universal/FaultTolerantWriteDxe),
+
+    - architectural protocols instrumental to the runtime UEFI variable
+      services:
+      - EFI_VARIABLE_ARCH_PROTOCOL,
+      - EFI_VARIABLE_WRITE_ARCH_PROTOCOL.
+
+      In a non-secure boot build, the DXE driver providing these architectural
+      protocols is MdeModulePkg/Universal/Variable/RuntimeDxe. In a secure boot
+      build, where authenticated variables are available, the DXE driver
+      offering these protocols is SecurityPkg/VariableAuthenticated/RuntimeDxe.
+
+(2) The main firmware volume (FVMAIN_COMPACT, 1712 KB) embeds further firmware
+    volumes. The outermost layer is a Firmware File System (FFS), carrying a
+    single file. This file holds an LZMA-compressed section, which embeds two
+    firmware volumes: PEIFV (896 KB) with PEIMs, and DXEFV (8192 KB) with DXE
+    and UEFI drivers.
+
+    This scheme enables us to build 896 KB worth of PEI drivers and 8192 KB
+    worth of DXE and UEFI drivers, compress them all with LZMA in one go, and
+    store the compressed result in 1712 KB, saving room in the flash device.
+
+(3) The SECFV firmware volume (208 KB) is not compressed. It carries the
+    "volume top file" with the reset vector code, to end at 4 GB in
+    guest-physical address space, and the SEC phase driver (OvmfPkg/Sec).
+
+    The last 16 bytes of the volume top file (mapped directly under 4 GB)
+    contain a NOP slide and a jump instruction. This is where QEMU starts
+    executing the firmware, at address 0xFFFF_FFF0. The reset vector and the
+    SEC driver run from flash directly.
+
+    The SEC driver locates FVMAIN_COMPACT in the flash, and decompresses the
+    main firmware image to RAM. The rest of OVMF (PEI, DXE, BDS phases) run
+    from RAM.
+
+As already mentioned, the OVMF.fd file is mapped by qemu's
+"hw/block/pflash_cfi01.c" device just under 4 GB in guest-physical address
+space, according to the command line option
+
+  -drive if=pflash,format=raw,file=fedora.flash
+
+(refer to the Example qemu invocation). This is a "ROMD device", which can
+switch out of "ROMD mode" and back into it.
+
+Namely, in the default ROMD mode, the guest-physical address range backed by
+the flash device reads and executes as ROM (it does not trap from KVM to QEMU).
+The first write access in this mode traps to QEMU, and flips the device out of
+ROMD mode.
+
+In non-ROMD mode, the flash chip is programmed by storing CFI (Common Flash
+Interface) command values at the flash-covered addresses; both reads and writes
+trap to QEMU, and the flash contents are modified and synchronized to the
+host-side file. A special CFI command flips the flash device back to ROMD mode.
+
+Qemu implements the above based on the KVM_CAP_READONLY_MEM / KVM_MEM_READONLY
+KVM features, and OVMF puts it to use in its EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL
+implementation, under "OvmfPkg/QemuFlashFvbServicesRuntimeDxe".
+
+IMPORTANT: Never pass OVMF.fd to qemu with the -bios option. That option maps
+the firmware image as ROM into the guest's address space, and forces OVMF to
+emulate non-volatile variables with a fallback driver that is bound to have
+insufficient and confusing semantics.
+
+The 128 KB firmware volume with the variable store, discussed under (1), is
+also built as a separate host-side file, named "OVMF_VARS.fd". The "rest" is
+built into a third file, "OVMF_CODE.fd", which is only 1920 KB in size. The
+variable store is mapped into its usual location, at 4 GB - 2 MB = 0xFFE0_0000,
+through the following qemu options:
+
+  -drive if=pflash,format=raw,readonly,file=OVMF_CODE.fd   \
+  -drive if=pflash,format=raw,file=fedora.varstore.fd
+
+This way qemu configures two flash chips consecutively, with start addresses
+growing downwards, which is transparent to OVMF.
+
+[RHEL] Red Hat Enterprise Linux 7.1 ships a Secure Boot-enabled, X64, DEBUG
+       firmware only. Furthermore, only the split files ("OVMF_VARS.fd" and
+       "OVMF_CODE.fd") are available.
+
+S3 (suspend to RAM and resume)
+------------------------------
+
+As noted in Example qemu invocation, the
+
+  -global PIIX4_PM.disable_s3=0
+
+command line option tells qemu and OVMF if the user would like to enable S3
+support. (This is corresponds to the /domain/pm/suspend-to-mem/@enabled libvirt
+domain XML attribute.)
+
+Implementing / orchestrating S3 was a considerable community effort in OVMF. A
+detailed description exceeds the scope of this report; we only make a few
+statements.
+
+(1) S3-related PPIs and protocols are well documented in the PI specification.
+
+(2) Edk2 contains most modules that are needed to implement S3 on a given
+    platform. One abstraction that is central to the porting / extending of the
+    S3-related modules to a new platform is the LockBox library interface,
+    which a specific platform can fill in by implementing its own LockBox
+    library instance.
+
+    The LockBox library provides a privileged name-value store (to be addressed
+    by GUIDs). The privilege separation stretches between the firmware and the
+    operating system. That is, the S3-related machinery of the firmware saves
+    some items in the LockBox securely, under well-known GUIDs, before booting
+    the operating system. During resume (which is a form of warm reset), the
+    firmware is activated again, and retrieves items from the LockBox. Before
+    jumping to the OS's resume vector, the LockBox is secured again.
+
+    We'll return to this later when we separately discuss SMRAM and SMM.
+
+(3) During resume, the DXE and later phases are never reached; only the reset
+    vector, and the SEC and PEI phases of the firmware run. The platform is
+    supposed to detect a resume in progress during PEI, and to store that fact
+    in the BootMode field of the Phase Handoff Information Table (PHIT) HOB.
+    OVMF keys this off the CMOS, see OvmfPkg/PlatformPei.
+
+    At the end of PEI, the DXE IPL PEIM (Initial Program Load PEI Module, see
+    MdeModulePkg/Core/DxeIplPeim) examines the Boot Mode, and if it says "S3
+    resume in progress", then the IPL branches to the PEIM that exports
+    EFI_PEI_S3_RESUME2_PPI (provided by UefiCpuPkg/Universal/Acpi/S3Resume2Pei)
+    rather than loading the DXE core.
+
+    S3Resume2Pei executes the technical steps of the resumption, relying on the
+    contents of the LockBox.
+
+(4) During first boot (or after a normal platform reset), when DXE does run,
+    hardware drivers in the DXE phase are encouraged to "stash" their hardware
+    configuration steps (eg. accesses to PCI config space, I/O ports, memory
+    mapped addresses, and so on) in a centrally maintained, so called "S3 boot
+    script". Hardware accesses are represented with opcodes of a special binary
+    script language.
+
+    This boot script is to be replayed during resume, by S3Resume2Pei. The
+    general goal is to bring back hardware devices -- which have been powered
+    off during suspend -- to their original after-first-boot state, and in
+    particular, to do so quickly.
+
+    At the moment, OVMF saves only one opcode in the S3 resume boot script: an
+    INFORMATION opcode, with contents 0xDEADBEEF (in network byte order). The
+    consensus between Linux developers seems to be that boot firmware is only
+    responsible for restoring basic chipset state, which OVMF does during PEI
+    anyway, independently of S3 vs. normal reset. (One example is the power
+    management registers of the i440fx chipset.) Device and peripheral state is
+    the responsibility of the runtime operating system.
+
+    Although an experimental OVMF S3 boot script was at one point captured for
+    the virtual Cirrus VGA card, such a boot script cannot follow eg. video
+    mode changes effected by the OS. Hence the operating system can never avoid
+    restoring device state, and most Linux display drivers (eg. stdvga, QXL)
+    already cover S3 resume fully.
+
+    The XDDM and WDDM driver models used under Windows OSes seem to recognize
+    this notion of runtime OS responsibility as well. (See the list of OSes
+    supported by OVMF in a separate section.)
+
+(5) The S3 suspend/resume data flow in OVMF is included here tersely, for
+    interested developers.
+
+    (a) BdsLibBootViaBootOption()
+          EFI_ACPI_S3_SAVE_PROTOCOL [AcpiS3SaveDxe]
+          - saves ACPI S3 Context to LockBox  ---------------------+
+            (including FACS address -- FACS ACPI table             |
+            contains OS waking vector)                             |
+                                                                   |
+          - prepares boot script:                                  |
+            EFI_S3_SAVE_STATE_PROTOCOL.Write() [S3SaveStateDxe]    |
+              S3BootScriptLib [PiDxeS3BootScriptLib]               |
+              - opcodes & arguments are saved in NVS.  --+         |
+                                                         |         |
+          - issues a notification by installing          |         |
+            EFI_DXE_SMM_READY_TO_LOCK_PROTOCOL           |         |
+                                                         |         |
+    (b) EFI_S3_SAVE_STATE_PROTOCOL [S3SaveStateDxe]      |         |
+          S3BootScriptLib [PiDxeS3BootScriptLib]         |         |
+          - closes script with special opcode  <---------+         |
+          - script is available in non-volatile memory             |
+            via PcdS3BootScriptTablePrivateDataPtr  --+            |
+                                                      |            |
+        BootScriptExecutorDxe                         |            |
+          S3BootScriptLib [PiDxeS3BootScriptLib]      |            |
+          - Knows about boot script location by  <----+            |
+            synchronizing with the other library                   |
+            instance via                                           |
+            PcdS3BootScriptTablePrivateDataPtr.                    |
+          - Copies relocated image of itself to                    |
+            reserved memory. --------------------------------+     |
+          - Saved image contains pointer to boot script.  ---|--+  |
+                                                             |  |  |
+    Runtime:                                                 |  |  |
+                                                             |  |  |
+    (c) OS is booted, writes OS waking vector to FACS,       |  |  |
+        suspends machine                                     |  |  |
+                                                             |  |  |
+    S3 Resume (PEI):                                         |  |  |
+                                                             |  |  |
+    (d) PlatformPei sets S3 Boot Mode based on CMOS          |  |  |
+                                                             |  |  |
+    (e) DXE core is skipped and EFI_PEI_S3_RESUME2 is        |  |  |
+        called as last step of PEI                           |  |  |
+                                                             |  |  |
+    (f) S3Resume2Pei retrieves from LockBox:                 |  |  |
+        - ACPI S3 Context (path to FACS)  <------------------|--|--+
+                                          |                  |  |
+                                          +------------------|--|--+
+        - Boot Script Executor Image  <----------------------+  |  |
+                                                                |  |
+    (g) BootScriptExecutorDxe                                   |  |
+          S3BootScriptLib [PiDxeS3BootScriptLib]                |  |
+          - executes boot script  <-----------------------------+  |
+                                                                   |
+    (h) OS waking vector available from ACPI S3 Context / FACS  <--+
+        is called
+
+A comprehensive memory map of OVMF
+----------------------------------
+
+The following section gives a detailed analysis of memory ranges below 4 GB
+that OVMF statically uses.
+
+In the rightmost column, the PCD entry is identified by which the source refers
+to the address or size in question.
+
+The flash-covered range has been discussed previously in "Firmware image
+structure", therefore we include it only for completeness. Due to the fact that
+this range is always backed by a memory mapped device (and never RAM), it is
+unaffected by S3 (suspend to RAM and resume).
+
++--------------------------+ 4194304 KB
+|                          |
+|          SECFV           | size: 208 KB
+|                          |
++--------------------------+ 4194096 KB
+|                          |
+|      FVMAIN_COMPACT      | size: 1712 KB
+|                          |
++--------------------------+ 4192384 KB
+|                          |
+|      variable store      | size: 64 KB   PcdFlashNvStorageFtwSpareSize
+|        spare area        |
+|                          |
++--------------------------+ 4192320 KB    PcdOvmfFlashNvStorageFtwSpareBase
+|                          |
+|    FTW working block     | size: 4 KB    PcdFlashNvStorageFtwWorkingSize
+|                          |
++--------------------------+ 4192316 KB    PcdOvmfFlashNvStorageFtwWorkingBase
+|                          |
+|       Event log of       | size: 4 KB    PcdOvmfFlashNvStorageEventLogSize
+|   non-volatile storage   |
+|                          |
++--------------------------+ 4192312 KB    PcdOvmfFlashNvStorageEventLogBase
+|                          |
+|      variable store      | size: 56 KB   PcdFlashNvStorageVariableSize
+|                          |
++--------------------------+ 4192256 KB    PcdOvmfFlashNvStorageVariableBase
+
+The flash-mapped image of OVMF.fd covers the entire structure above (2048 KB).
+
+When using the split files, the address 4192384 KB
+(PcdOvmfFlashNvStorageFtwSpareBase + PcdFlashNvStorageFtwSpareSize) is the
+boundary between the mapped images of OVMF_VARS.fd (56 KB + 4 KB + 4 KB + 64 KB
+= 128 KB) and OVMF_CODE.fd (1712 KB + 208 KB = 1920 KB).
+
+With regard to RAM that is statically used by OVMF, S3 (suspend to RAM and
+resume) complicates matters. Many ranges have been introduced only to support
+S3, hence for all ranges below, the following questions will be audited:
+
+(a) when and how a given range is initialized after first boot of the VM,
+(b) how it is protected from memory allocations during DXE,
+(c) how it is protected from the OS,
+(d) how it is accessed on the S3 resume path,
+(e) how it is accessed on the warm reset path.
+
+Importantly, the term "protected" is meant as protection against inadvertent
+reallocations and overwrites by co-operating DXE and OS modules. It does not
+imply security against malicious code.
+
++--------------------------+ 17408 KB
+|                          |
+|DXEFV from FVMAIN_COMPACT | size: 8192 KB PcdOvmfDxeMemFvSize
+|  decompressed firmware   |
+| volume with DXE modules  |
+|                          |
++--------------------------+ 9216 KB       PcdOvmfDxeMemFvBase
+|                          |
+|PEIFV from FVMAIN_COMPACT | size: 896 KB  PcdOvmfPeiMemFvSize
+|  decompressed firmware   |
+| volume with PEI modules  |
+|                          |
++--------------------------+ 8320 KB       PcdOvmfPeiMemFvBase
+|                          |
+| permanent PEI memory for | size: 32 KB   PcdS3AcpiReservedMemorySize
+|   the S3 resume path     |
+|                          |
++--------------------------+ 8288 KB       PcdS3AcpiReservedMemoryBase
+|                          |
+|  temporary SEC/PEI heap  | size: 32 KB   PcdOvmfSecPeiTempRamSize
+|         and stack        |
+|                          |
++--------------------------+ 8256 KB       PcdOvmfSecPeiTempRamBase
+|                          |
+|          unused          | size: 32 KB
+|                          |
++--------------------------+ 8224 KB
+|                          |
+|      SEC's table of      | size: 4 KB    PcdGuidedExtractHandlerTableSize
+| GUIDed section handlers  |
+|                          |
++--------------------------+ 8220 KB       PcdGuidedExtractHandlerTableAddress
+|                          |
+|     LockBox storage      | size: 4 KB    PcdOvmfLockBoxStorageSize
+|                          |
++--------------------------+ 8216 KB       PcdOvmfLockBoxStorageBase
+|                          |
+| early page tables on X64 | size: 24 KB   PcdOvmfSecPageTablesSize
+|                          |
++--------------------------+ 8192 KB       PcdOvmfSecPageTablesBase
+
+(1) Early page tables on X64:
+
+  (a) when and how it is initialized after first boot of the VM
+
+    The range is filled in during the SEC phase
+    [OvmfPkg/ResetVector/Ia32/PageTables64.asm]. The CR3 register is verified
+    against the base address in SecCoreStartupWithStack()
+    [OvmfPkg/Sec/SecMain.c].
+
+  (b) how it is protected from memory allocations during DXE
+
+    If S3 was enabled on the QEMU command line (see "-global
+    PIIX4_PM.disable_s3=0" earlier), then InitializeRamRegions()
+    [OvmfPkg/PlatformPei/MemDetect.c] protects the range with an AcpiNVS memory
+    allocation HOB, in PEI.
+
+    If S3 was disabled, then this range is not protected. DXE's own page tables
+    are first built while still in PEI (see HandOffToDxeCore()
+    [MdeModulePkg/Core/DxeIplPeim/X64/DxeLoadFunc.c]). Those tables are located
+    in permanent PEI memory. After CR3 is switched over to them (which occurs
+    before jumping to the DXE core entry point), we don't have to preserve the
+    initial tables.
+
+  (c) how it is protected from the OS
+
+    If S3 is enabled, then (1b) reserves it from the OS too.
+
+    If S3 is disabled, then the range needs no protection.
+
+  (d) how it is accessed on the S3 resume path
+
+    It is rewritten same as in (1a), which is fine because (1c) reserved it.
+
+  (e) how it is accessed on the warm reset path
+
+    It is rewritten same as in (1a).
+
+(2) LockBox storage:
+
+  (a) when and how it is initialized after first boot of the VM
+
+    InitializeRamRegions() [OvmfPkg/PlatformPei/MemDetect.c] zeroes out the
+    area during PEI. This is correct but not strictly necessary, since on first
+    boot the area is zero-filled anyway.
+
+    The LockBox signature of the area is filled in by the PEI module or DXE
+    driver that has been linked against OVMF's LockBoxLib and is run first. The
+    signature is written in LockBoxLibInitialize()
+    [OvmfPkg/Library/LockBoxLib/LockBoxLib.c].
+
+    Any module calling SaveLockBox() [OvmfPkg/Library/LockBoxLib/LockBoxLib.c]
+    will co-populate this area.
+
+  (b) how it is protected from memory allocations during DXE
+
+    If S3 is enabled, then InitializeRamRegions()
+    [OvmfPkg/PlatformPei/MemDetect.c] protects the range as AcpiNVS.
+
+    Otherwise, the range is covered with a BootServicesData memory allocation
+    HOB.
+
+  (c) how it is protected from the OS
+
+    If S3 is enabled, then (2b) protects it sufficiently.
+
+    Otherwise the range requires no runtime protection, and the
+    BootServicesData allocation type from (2b) ensures that the range will be
+    released to the OS.
+
+  (d) how it is accessed on the S3 resume path
+
+    The S3 Resume PEIM restores data from the LockBox, which has been correctly
+    protected in (2c).
+
+  (e) how it is accessed on the warm reset path
+
+    InitializeRamRegions() [OvmfPkg/PlatformPei/MemDetect.c] zeroes out the
+    range during PEI, effectively emptying the LockBox. Modules will
+    re-populate the LockBox as described in (2a).
+
+(3) SEC's table of GUIDed section handlers
+
+  (a) when and how it is initialized after first boot of the VM
+
+    The following two library instances are linked into SecMain:
+    - IntelFrameworkModulePkg/Library/LzmaCustomDecompressLib,
+    - MdePkg/Library/BaseExtractGuidedSectionLib.
+
+    The first library registers its LZMA decompressor plugin (which is a called
+    a "section handler") by calling the second library:
+
+    LzmaDecompressLibConstructor() [GuidedSectionExtraction.c]
+      ExtractGuidedSectionRegisterHandlers() [BaseExtractGuidedSectionLib.c]
+
+    The second library maintains its table of registered "section handlers", to
+    be indexed by GUID, in this fixed memory area, independently of S3
+    enablement.
+
+    (The decompression of FVMAIN_COMPACT's FFS file section that contains the
+    PEIFV and DXEFV firmware volumes occurs with the LZMA decompressor
+    registered above. See (6) and (7) below.)
+
+  (b) how it is protected from memory allocations during DXE
+
+    There is no need to protect this area from DXE: because nothing else in
+    OVMF links against BaseExtractGuidedSectionLib, the area loses its
+    significance as soon as OVMF progresses from SEC to PEI, therefore DXE is
+    allowed to overwrite the region.
+
+  (c) how it is protected from the OS
+
+    When S3 is enabled, we cover the range with an AcpiNVS memory allocation
+    HOB in InitializeRamRegions().
+
+    When S3 is disabled, the range is not protected.
+
+  (d) how it is accessed on the S3 resume path
+
+    The table of registered section handlers is again managed by
+    BaseExtractGuidedSectionLib linked into SecMain exclusively. Section
+    handler registrations update the table in-place (based on GUID matches).
+
+  (e) how it is accessed on the warm reset path
+
+    If S3 is enabled, then the OS won't damage the table (due to (3c)), thus
+    see (3d).
+
+    If S3 is disabled, then the OS has most probably overwritten the range with
+    its own data, hence (3a) -- complete reinitialization -- will come into
+    effect, based on the table signature check in BaseExtractGuidedSectionLib.
+
+(4) temporary SEC/PEI heap and stack
+
+  (a) when and how it is initialized after first boot of the VM
+
+    The range is configured in [OvmfPkg/Sec/X64/SecEntry.S] and
+    SecCoreStartupWithStack() [OvmfPkg/Sec/SecMain.c]. The stack half is read &
+    written by the CPU transparently. The heap half is used for memory
+    allocations during PEI.
+
+    Data is migrated out (to permanent PEI stack & memory) in (or soon after)
+    PublishPeiMemory() [OvmfPkg/PlatformPei/MemDetect.c].
+
+  (b) how it is protected from memory allocations during DXE
+
+    It is not necessary to protect this range during DXE because its use ends
+    still in PEI.
+
+  (c) how it is protected from the OS
+
+    If S3 is enabled, then InitializeRamRegions()
+    [OvmfPkg/PlatformPei/MemDetect.c] reserves it as AcpiNVS.
+
+    If S3 is disabled, then the range doesn't require protection.
+
+  (d) how it is accessed on the S3 resume path
+
+    Same as in (4a), except the target area of the migration triggered by
+    PublishPeiMemory() [OvmfPkg/PlatformPei/MemDetect.c] is different -- see
+    (5).
+
+  (e) how it is accessed on the warm reset path
+
+    Same as in (4a). The stack and heap halves both may contain garbage, but it
+    doesn't matter.
+
+(5) permanent PEI memory for the S3 resume path
+
+  (a) when and how it is initialized after first boot of the VM
+
+    No particular initialization or use.
+
+  (b) how it is protected from memory allocations during DXE
+
+    We don't need to protect this area during DXE.
+
+  (c) how it is protected from the OS
+
+    When S3 is enabled, InitializeRamRegions()
+    [OvmfPkg/PlatformPei/MemDetect.c] makes sure the OS stays away by covering
+    the range with an AcpiNVS memory allocation HOB.
+
+    When S3 is disabled, the range needs no protection.
+
+  (d) how it is accessed on the S3 resume path
+
+    PublishPeiMemory() installs the range as permanent RAM for PEI. The range
+    will serve as stack and will satisfy allocation requests during the rest of
+    PEI. OS data won't overlap due to (5c).
+
+  (e) how it is accessed on the warm reset path
+
+    Same as (5a).
+
+(6) PEIFV -- decompressed firmware volume with PEI modules
+
+  (a) when and how it is initialized after first boot of the VM
+
+    DecompressMemFvs() [OvmfPkg/Sec/SecMain.c] populates the area, by
+    decompressing the flash-mapped FVMAIN_COMPACT volume's contents. (Refer to
+    "Firmware image structure".)
+
+  (b) how it is protected from memory allocations during DXE
+
+    When S3 is disabled, PeiFvInitialization() [OvmfPkg/PlatformPei/Fv.c]
+    covers the range with a BootServicesData memory allocation HOB.
+
+    When S3 is enabled, the same is coverage is ensured, just with the stronger
+    AcpiNVS memory allocation type.
+
+  (c) how it is protected from the OS
+
+    When S3 is disabled, it is not necessary to keep the range from the OS.
+
+    Otherwise the AcpiNVS type allocation from (6b) provides coverage.
+
+  (d) how it is accessed on the S3 resume path
+
+    Rather than decompressing it again from FVMAIN_COMPACT, GetS3ResumePeiFv()
+    [OvmfPkg/Sec/SecMain.c] reuses the protected area for parsing / execution
+    from (6c).
+
+  (e) how it is accessed on the warm reset path
+
+    Same as (6a).
+
+(7) DXEFV -- decompressed firmware volume with DXE modules
+
+  (a) when and how it is initialized after first boot of the VM
+
+    Same as (6a).
+
+  (b) how it is protected from memory allocations during DXE
+
+    PeiFvInitialization() [OvmfPkg/PlatformPei/Fv.c] covers the range with a
+    BootServicesData memory allocation HOB.
+
+  (c) how it is protected from the OS
+
+    The OS is allowed to release and reuse this range.
+
+  (d) how it is accessed on the S3 resume path
+
+    It's not; DXE never runs during S3 resume.
+
+  (e) how it is accessed on the warm reset path
+
+    Same as in (7a).
+
+Known Secure Boot limitations
+-----------------------------
+
+Under "Motivation" we've mentioned that OVMF's Secure Boot implementation is
+not suitable for production use yet -- it's only good for development and
+testing of standards-conformant, non-malicious guest code (UEFI and operating
+system alike).
+
+Now that we've examined the persistent flash device, the workings of S3, and
+the memory map, we can discuss two currently known shortcomings of OVMF's
+Secure Boot that in fact make it insecure. (Clearly problems other than these
+two might exist; the set of issues considered here is not meant to be
+exhaustive.)
+
+One trait of Secure Boot is tamper-evidence. Secure Boot may not prevent
+malicious modification of software components (for example, operating system
+drivers), but by being the root of integrity on a platform, it can catch (or
+indirectly contribute to catching) unauthorized changes, by way of signature
+and certificate checks at the earliest phases of boot.
+
+If an attacker can tamper with key material stored in authenticated and/or
+boot-time only persistent variables (for example, PK, KEK, db, dbt, dbx), then
+the intended security of this scheme is compromised. The UEFI 2.4A
+specification says
+
+- in section 28.3.4:
+
+  Platform Keys:
+
+    The public key must be stored in non-volatile storage which is tamper and
+    delete resistant.
+
+  Key Exchange Keys:
+
+    The public key must be stored in non-volatile storage which is tamper
+    resistant.
+
+- in section 28.6.1:
+
+  The signature database variables db, dbt, and dbx must be stored in
+  tamper-resistant non-volatile storage.
+
+(1) The combination of QEMU, KVM, and OVMF does not provide this kind of
+    resistance. The variable store in the emulated flash chip is directly
+    accessible to, and reprogrammable by, UEFI drivers, applications, and
+    operating systems.
+
+(2) Under "S3 (suspend to RAM and resume)" we pointed out that the LockBox
+    storage must be similarly secure and tamper-resistant.
+
+    On the S3 resume path, the PEIM providing EFI_PEI_S3_RESUME2_PPI
+    (UefiCpuPkg/Universal/Acpi/S3Resume2Pei) restores and interprets data from
+    the LockBox that has been saved there during boot. This PEIM, being part of
+    the firmware, has full access to the platform. If an operating system can
+    tamper with the contents of the LockBox, then at the next resume the
+    platform's integrity might be subverted.
+
+    OVMF stores the LockBox in normal guest RAM (refer to the memory map
+    section above). Operating systems and third party UEFI drivers and UEFI
+    applications that respect the UEFI memory map will not inadvertently
+    overwrite the LockBox storage, but there's nothing to prevent eg. a
+    malicious kernel from modifying the LockBox.
+
+One means to address these issues is SMM and SMRAM (System Management Mode and
+System Management RAM).
+
+During boot and resume, the firmware can enter and leave SMM and access SMRAM.
+Before the DXE phase is left, and control is transferred to the BDS phase (when
+third party UEFI drivers and applications can be loaded, and an operating
+system can be loaded), SMRAM is locked in hardware, and subsequent modules
+cannot access it directly. (See EFI_DXE_SMM_READY_TO_LOCK_PROTOCOL.)
+
+Once SMRAM has been locked, UEFI drivers and the operating system can enter SMM
+by raising a System Management Interrupt (SMI), at which point trusted code
+(part of the platform firmware) takes control. SMRAM is also unlocked by
+platform reset, at which point the boot firmware takes control again.
+
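Review bot: memory-map item (2)(c) says that with S3 enabled the AcpiNVS reservation from (2b) "protects it sufficiently", and (2)(d) calls the LockBox "correctly protected", yet limitation (2) in "Known Secure Boot limitations" states that the LockBox sits in normal guest RAM and that nothing prevents a malicious kernel from modifying it. Suggest rewording (2)(c) and (2)(d) to say the range is protected only from an OS that respects the UEFI memory map, with a pointer to the limitations section, so the two passages do not read as contradictory. Minor: "which is a called a" in (3)(a) and "the same is coverage is ensured" in (6)(b) each carry a stray word, and the Xen sentence under "Guest ACPI tables" names AcpiTableDxe where the preceding paragraphs describe AcpiPlatformDxe as the driver that fetches and installs the tables; please confirm which is meant.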
+Variable store and LockBox in SMRAM
+-----------------------------------
+
+Edk2 provides almost all components to implement the variable store and the
+LockBox in SMRAM. In this section we summarize ideas for utilizing those
+facilities.
+
+The SMRAM and SMM infrastructure in edk2 is built up as follows:
+
+(1) The platform hardware provides SMM / SMI / SMRAM.
+
+    Qemu/KVM doesn't support these features currently and should implement them
+    in the longer term.
+
+(2) The platform vendor (in this case, OVMF developers) implement device
+    drivers for the platform's System Management Mode:
+
+    - EFI_SMM_CONTROL2_PROTOCOL: for raising a synchronous (and/or) periodic
+      SMI(s); that is, for entering SMM.
+
+    - EFI_SMM_ACCESS2_PROTOCOL: for describing and accessing SMRAM.
+
+    These protocols are documented in the PI Specification, Volume 4.
+
+(3) The platform DSC file is to include the following platform-independent
+    modules:
+
+    - MdeModulePkg/Core/PiSmmCore/PiSmmIpl.inf: SMM Initial Program Load
+    - MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf: SMM Core
+
+(4) At this point, modules of type DXE_SMM_DRIVER can be loaded.
+
+    Such drivers are privileged. They run in SMM, have access to SMRAM, and are
+    separated and switched from other drivers through SMIs. Secure
+    communication between unprivileged (non-SMM) and privileged (SMM) drivers
+    happens through EFI_SMM_COMMUNICATION_PROTOCOL (implemented by the SMM
+    Core, see (3)).
+
+    DXE_SMM_DRIVER modules must sanitize their input (coming from unprivileged
+    drivers) carefully.
+
+(5) The authenticated runtime variable services driver (for Secure Boot builds)
+    is located under "SecurityPkg/VariableAuthenticated/RuntimeDxe". OVMF
+    currently builds the driver (a DXE_RUNTIME_DRIVER module) with the
+    "VariableRuntimeDxe.inf" control file (refer to "OvmfPkg/OvmfPkgX64.dsc"),
+    which does not use SMM.
+
+    The directory includes two more INF files:
+
+    - VariableSmm.inf -- module type: DXE_SMM_DRIVER. A privileged driver that
+      runs in SMM and has access to SMRAM.
+
+    - VariableSmmRuntimeDxe.inf -- module type: DXE_RUNTIME_DRIVER. A
+      non-privileged driver that implements the variable runtime services
+      (replacing the current "VariableRuntimeDxe.inf" file) by communicating
+      with the above privileged SMM half via EFI_SMM_COMMUNICATION_PROTOCOL.
+
+(6) An SMRAM-based LockBox implementation needs to be discussed in two parts,
+    because the LockBox is accessed in both PEI and DXE.
+
+    (a) During DXE, drivers save data in the LockBox. A save operation is
+        layered as follows:
+
+        - The unprivileged driver wishing to store data in the LockBox links
+          against the "MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxDxeLib.inf"
+          library instance.
+
+          The library allows the unprivileged driver to format requests for the
+          privileged SMM LockBox driver (see below), and to parse responses.
+
+        - The privileged SMM LockBox driver is built from
+          "MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.inf". This
+          driver has module type DXE_SMM_DRIVER and can access SMRAM.
+
+          The driver delegates command parsing and response formatting to
+          "MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.inf".
+
+        - The above two halves (unprivileged and privileged) mirror what we've
+          seen in case of the variable service drivers, under (5).
+
+    (b) In PEI, the S3 Resume PEIM (UefiCpuPkg/Universal/Acpi/S3Resume2Pei)
+        retrieves data from the LockBox.
+
+        Presumably, S3Resume2Pei should be considered an "unprivileged PEIM",
+        and the SMRAM access should be layered as seen in DXE. Unfortunately,
+        edk2 does not implement all of the layers in PEI -- the code either
+        doesn't exist, or it is not open source:
+
+  role         | DXE: protocol/module           | PEI: PPI/module
+  -------------+--------------------------------+------------------------------
+  unprivileged | any                            | S3Resume2Pei.inf
+  driver       |                                |
+  -------------+--------------------------------+------------------------------
+  command      | LIBRARY_CLASS = LockBoxLib     | LIBRARY_CLASS = LockBoxLib
+  formatting   |                                |
+  and response | SmmLockBoxDxeLib.inf           | SmmLockBoxPeiLib.inf
+  parsing      |                                |
+  -------------+--------------------------------+------------------------------
+  privilege    | EFI_SMM_COMMUNICATION_PROTOCOL | EFI_PEI_SMM_COMMUNICATION_PPI
+  separation   |                                |
+               | PiSmmCore.inf                  | missing!
+  -------------+--------------------------------+------------------------------
+  platform SMM | EFI_SMM_CONTROL2_PROTOCOL      | PEI_SMM_CONTROL_PPI
+  and SMRAM    | EFI_SMM_ACCESS2_PROTOCOL       | PEI_SMM_ACCESS_PPI
+  access       |                                |
+               | to be done in OVMF             | to be done in OVMF
+  -------------+--------------------------------+------------------------------
+  command      | LIBRARY_CLASS = LockBoxLib     | LIBRARY_CLASS = LockBoxLib
+  parsing and  |                                |
+  response     | SmmLockBoxSmmLib.inf           | missing!
+  formatting   |                                |
+  -------------+--------------------------------+------------------------------
+  privileged   | SmmLockBox.inf                 | missing!
+  LockBox      |                                |
+  driver       |                                |
+
+        Alternatively, in the future OVMF might be able to provide a LockBoxLib
+        instance (an SmmLockBoxPeiLib substitute) for S3Resume2Pei that
+        accesses SMRAM directly, eliminating the need for deeper layers in the
+        stack (that is, EFI_PEI_SMM_COMMUNICATION_PPI and deeper).
+
+        In fact, a "thin" EFI_PEI_SMM_COMMUNICATION_PPI implementation whose
+        sole Communicate() member invariably returns EFI_NOT_STARTED would
+        cause the current SmmLockBoxPeiLib library instance to directly perform
+        full-depth SMRAM access and LockBox search, obviating the "missing"
+        cells. (With reference to A Tour Beyond BIOS: Implementing S3 Resume
+        with EDK2, by Jiewen Yao and Vincent Zimmer, October 2014.)
+
+Select features
+---------------
+
+In this section we'll browse the top-level "OvmfPkg" package directory, and
+discuss the more interesting drivers and libraries that have not been mentioned
+thus far.
+
+X64-specific reset vector for OVMF
+..................................
+
+The "OvmfPkg/ResetVector" directory customizes the reset vector (found in
+"UefiCpuPkg/ResetVector/Vtf0") for "OvmfPkgX64.fdf", that is, when the SEC/PEI
+phases run in 64-bit (ie. long) mode.
+
+The reset vector's control flow looks roughly like:
+
+  resetVector                               [Ia16/ResetVectorVtf0.asm]
+  EarlyBspInitReal16                        [Ia16/Init16.asm]
+  Main16                                    [Main.asm]
+    EarlyInit16                             [Ia16/Init16.asm]
+
+    ; Transition the processor from
+    ; 16-bit real mode to 32-bit flat mode
+    TransitionFromReal16To32BitFlat         [Ia16/Real16ToFlat32.asm]
+
+    ; Search for the
+    ; Boot Firmware Volume (BFV)
+    Flat32SearchForBfvBase                  [Ia32/SearchForBfvBase.asm]
+
+    ; Search for the SEC entry point
+    Flat32SearchForSecEntryPoint            [Ia32/SearchForSecEntry.asm]
+
+    %ifdef ARCH_IA32
+      ; Jump to the 32-bit SEC entry point
+    %else
+      ; Transition the processor
+      ; from 32-bit flat mode
+      ; to 64-bit flat mode
+      Transition32FlatTo64Flat              [Ia32/Flat32ToFlat64.asm]
+
+        SetCr3ForPageTables64               [Ia32/PageTables64.asm]
+          ; set CR3 to page tables
+          ; built into the ROM image
+
+        ; enable PAE
+        ; set LME
+        ; enable paging
+
+      ; Jump to the 64-bit SEC entry point
+    %endif
+
+On physical platforms, the initial page tables referenced by
+SetCr3ForPageTables64 are built statically into the flash device image, and are
+present in ROM at runtime. This is fine on physical platforms because the
+pre-built page table entries have the Accessed and Dirty bits set from the
+start.
+
+Accordingly, for OVMF running in long mode on qemu/KVM, the initial page tables
+were mapped as a KVM_MEM_READONLY slot, as part of QEMU's pflash device (refer
+to "Firmware image structure" above).
+
+In spite of the Accessed and Dirty bits being pre-set in the read-only,
+in-flash PTEs, in a virtual machine attempts are made to update said PTE bits,
+differently from physical hardware. The component attempting to update the
+read-only PTEs can be one of the following:
+
+- The processor itself, if it supports nested paging, and the user enables that
+  processor feature,
+
+- KVM code implementing shadow paging, otherwise.
+
+The first case presents no user-visible symptoms, but the second case (KVM,
+shadow paging) used to cause a triple fault, prior to Linux commit ba6a354
+("KVM: mmu: allow page tables to be in read-only slots").
+
+For compatibility with earlier KVM versions, the OvmfPkg/ResetVector directory
+adapts the generic reset vector code as follows:
+
+      Transition32FlatTo64Flat         [UefiCpuPkg/.../Ia32/Flat32ToFlat64.asm]
+
+        SetCr3ForPageTables64       [OvmfPkg/ResetVector/Ia32/PageTables64.asm]
+
+          ; dynamically build the initial page tables in RAM, at address
+          ; PcdOvmfSecPageTablesBase (refer to the memory map above),
+          ; identity-mapping the first 4 GB of address space
+
+          ; set CR3 to PcdOvmfSecPageTablesBase
+
+        ; enable PAE
+        ; set LME
+        ; enable paging
+
+This way the PTEs that earlier KVM versions try to update (during shadow
+paging) are located in a read-write memory slot, and the write attempts
+succeed.
+
+Client library for QEMU's firmware configuration interface
+..........................................................
+
+QEMU provides a write-only, 16-bit wide control port, and a read-write, 8-bit
+wide data port for exchanging configuration elements with the firmware.
+
+The firmware writes a selector (a key) to the control port (0x510), and then
+reads the corresponding configuration data (produced by QEMU) from the data
+port (0x511).
+
+If the selected entry is writable, the firmware may overwrite it. If QEMU has
+associated a callback with the entry, then when the entry is completely
+rewritten, QEMU runs the callback. (OVMF does not rewrite any entries at the
+moment.)
+
+A number of selector values (keys) are predefined. In particular, key 0x19
+selects (returns) a directory of { name, selector, size } triplets, roughly
+speaking.
+
+The firmware can request configuration elements by well-known name as well, by
+looking up the selector value first in the directory, by name, and then writing
+the selector to the control port. The number of bytes to read subsequently from
+the data port is known from the directory entry's "size" field.
+
+By convention, directory entries (well-known symbolic names of configuration
+elements) are formatted as POSIX pathnames. For example, the array selected by
+the "etc/system-states" name indicates (among other things) whether the user
+enabled S3 support in QEMU.
+
+The above interface is called "fw_cfg".
+
+The binary data associated with a symbolic name is called an "fw_cfg file".
+
+OVMF's fw_cfg client library is found in "OvmfPkg/Library/QemuFwCfgLib". OVMF
+discovers many aspects of the virtual system with it; we refer to a few
+examples below.
+
+Guest ACPI tables
+.................
+
+An operating system discovers a good amount of its hardware by parsing ACPI
+tables, and by interpreting ACPI objects and methods. On physical hardware, the
+platform vendor's firmware installs ACPI tables in memory that match both the
+hardware present in the system and the user's firmware configuration ("BIOS
+setup").
+
+Under qemu/KVM, the owner of the (virtual) hardware configuration is QEMU.
+Hardware can easily be reconfigured on the command line. Furthermore, features
+like CPU hotplug, PCI hotplug, memory hotplug are continuously developed for
+QEMU, and operating systems need direct ACPI support to exploit these features.
+
+For this reason, QEMU builds its own ACPI tables dynamically, in a
+self-descriptive manner, and exports them to the firmware through a complex,
+multi-file fw_cfg interface. It is rooted in the "etc/table-loader" fw_cfg
+file. (Further details of this interface are out of scope for this report.)
+
+OVMF's AcpiPlatformDxe driver fetches the ACPI tables, and installs them for
+the guest OS with the EFI_ACPI_TABLE_PROTOCOL (which is in turn provided by the
+generic "MdeModulePkg/Universal/Acpi/AcpiTableDxe" driver).
+
+For earlier QEMU versions and machine types (which we generally don't recommend
+for OVMF; see "Scope"), the "OvmfPkg/AcpiTables" directory contains a few
+static ACPI table templates. When the "etc/table-loader" fw_cfg file is
+unavailable, AcpiPlatformDxe installs these default tables (with a little bit
+of dynamic patching).
+
+When OVMF runs in a Xen domU, AcpiTableDxe also installs ACPI tables that
+originate from the hypervisor's environment.
+
+Guest SMBIOS tables
+...................
+
+Quoting the SMBIOS Reference Specification,
+
+  [...] the System Management BIOS Reference Specification addresses how
+  motherboard and system vendors present management information about their
+  products in a standard format [...]
+
+In practice SMBIOS tables are just another set of tables that the platform
+vendor's firmware installs in RAM for the operating system, and, importantly,
+for management applications running on the OS. Without rehashing the "Guest
+ACPI tables" section in full, let's map the OVMF roles seen there from ACPI to
+SMBIOS:
+
+  role                     | ACPI                    | SMBIOS
+  -------------------------+-------------------------+-------------------------
+  fw_cfg file              | etc/table-loader        | etc/smbios/smbios-tables
+  -------------------------+-------------------------+-------------------------
+  OVMF driver              | AcpiPlatformDxe         | SmbiosPlatformDxe
+  under "OvmfPkg"          |                         |
+  -------------------------+-------------------------+-------------------------
+  Underlying protocol,     | EFI_ACPI_TABLE_PROTOCOL | EFI_SMBIOS_PROTOCOL
+  implemented by generic   |                         |
+  driver under             | Acpi/AcpiTableDxe       | SmbiosDxe
+  "MdeModulePkg/Universal" |                         |
+  -------------------------+-------------------------+-------------------------
+  default tables available | yes                     | [RHEL] yes, Type0 and
+  for earlier QEMU machine |                         |        Type1 tables
+  types, with hot-patching |                         |
+  -------------------------+-------------------------+-------------------------
+  tables fetched in Xen    | yes                     | yes
+  domUs                    |                         |
+
+Platform-specific boot policy
+.............................
+
+OVMF's BDS (Boot Device Selection) phase is implemented by
+IntelFrameworkModulePkg/Universal/BdsDxe. Roughly speaking, this large driver:
+
+- provides the EFI BDS architectural protocol (which DXE transfers control to
+  after dispatching all DXE drivers),
+
+- connects drivers to devices,
+
+- enumerates boot devices,
+
+- auto-generates boot options,
+
+- provides "BIOS setup" screens, such as:
+
+  - Boot Manager, for booting an option,
+
+  - Boot Maintenance Manager, for adding, deleting, and reordering boot
+    options, changing console properties etc,
+
+  - Device Manager, where devices can register configuration forms, including
+
+    - Secure Boot configuration forms,
+
+    - OVMF's Platform Driver form (see under PlatformDxe).
+
+Firmware that includes the "IntelFrameworkModulePkg/Universal/BdsDxe" driver
+can customize its behavior by providing an instance of the PlatformBdsLib
+library class. The driver links against this platform library, and the
+platform library can call Intel's BDS utility functions from
+"IntelFrameworkModulePkg/Library/GenericBdsLib".
+
+OVMF's PlatformBdsLib instance can be found in
+"OvmfPkg/Library/PlatformBdsLib". The main function where the BdsDxe driver
+enters the library is PlatformBdsPolicyBehavior(). We mention two OVMF
+particulars here.
+
+(1) OVMF is capable of loading kernel images directly from fw_cfg, matching
+    QEMU's -kernel, -initrd, and -append command line options. This feature is
+    useful for rapid, repeated Linux kernel testing, and is implemented in the
+    following call tree:
+
+    PlatformBdsPolicyBehavior() [OvmfPkg/Library/PlatformBdsLib/BdsPlatform.c]
+      TryRunningQemuKernel() [OvmfPkg/Library/PlatformBdsLib/QemuKernel.c]
+        LoadLinux*() [OvmfPkg/Library/LoadLinuxLib/Linux.c]
+
+    OvmfPkg/Library/LoadLinuxLib ports the efilinux bootloader project into
+    OvmfPkg.
+
+(2) OVMF seeks to comply with the boot order specification passed down by QEMU
+    over fw_cfg.
+
+    (a) About Boot Modes
+
+      During the PEI phase, OVMF determines and stores the Boot Mode in the
+      PHIT HOB (already mentioned in "S3 (suspend to RAM and resume)"). The
+      boot mode is supposed to influence the rest of the system, for example it
+      distinguishes S3 resume (BOOT_ON_S3_RESUME) from a "normal" boot.
+
+      In general, "normal" boots can be further differentiated from each other;
+      for example for speed reasons. When the firmware can tell during PEI that
+      the chassis has not been opened since last power-up, then it might want
+      to save time by not connecting all devices and not enumerating all boot
+      options from scratch; it could just rely on the stored results of the
+      last enumeration. The matching BootMode value, to be set during PEI,
+      would be BOOT_ASSUMING_NO_CONFIGURATION_CHANGES.
+
+      OVMF only sets one of the following two boot modes, based on CMOS
+      contents:
+      - BOOT_ON_S3_RESUME,
+      - BOOT_WITH_FULL_CONFIGURATION.
+
+      For BOOT_ON_S3_RESUME, please refer to "S3 (suspend to RAM and resume)".
+      The other boot mode supported by OVMF, BOOT_WITH_FULL_CONFIGURATION, is
+      an appropriate "catch-all" for a virtual machine, where hardware can
+      easily change from boot to boot.
+
+    (b) Auto-generation of boot options
+
+      Accordingly, when not resuming from S3 sleep (*), OVMF always connects
+      all devices, and enumerates all bootable devices as new boot options
+      (non-volatile variables called Boot####).
+
+      (*) During S3 resume, DXE is not reached, hence BDS isn't either.
+
+      The auto-enumerated boot options are stored in the BootOrder non-volatile
+      variable after any preexistent options. (Boot options may exist before
+      auto-enumeration eg. because the user added them manually with the Boot
+      Maintenance Manager or the efibootmgr utility. They could also originate
+      from an earlier auto-enumeration.)
+
+      PlatformBdsPolicyBehavior()                   [OvmfPkg/.../BdsPlatform.c]
+        TryRunningQemuKernel()                       [OvmfPkg/.../QemuKernel.c]
+        BdsLibConnectAll()           [IntelFrameworkModulePkg/.../BdsConnect.c]
+        BdsLibEnumerateAllBootOption()  [IntelFrameworkModulePkg/.../BdsBoot.c]
+          BdsLibBuildOptionFromHandle() [IntelFrameworkModulePkg/.../BdsBoot.c]
+            BdsLibRegisterNewOption()   [IntelFrameworkModulePkg/.../BdsMisc.c]
+              //
+              // Append the new option number to the original option order
+              //
+
+    (c) Relative UEFI device paths in boot options
+
+      The handling of relative ("short-form") UEFI device paths is best
+      demonstrated through an example, and by quoting the UEFI 2.4A
+      specification.
+
+      A short-form hard drive UEFI device path could be (displaying each device
+      path node on a separate line for readability):
+
+        HD(1,GPT,14DD1CC5-D576-4BBF-8858-BAF877C8DF61,0x800,0x64000)/
+        \EFI\fedora\shim.efi
+
+      This device path lacks prefix nodes (eg. hardware or messaging type
+      nodes) that would lead to the hard drive. During load option processing,
+      the above short-form or relative device path could be matched against the
+      following absolute device path:
+
+        PciRoot(0x0)/
+        Pci(0x4,0x0)/
+        HD(1,GPT,14DD1CC5-D576-4BBF-8858-BAF877C8DF61,0x800,0x64000)/
+        \EFI\fedora\shim.efi
+
+      The motivation for this type of device path matching / completion is to
+      allow the user to move around the hard drive (for example, to plug a
+      controller in a different PCI slot, or to expose the block device on a
+      different iSCSI path) and still enable the firmware to find the hard
+      drive.
+
+      The UEFI specification says,
+
+        9.3.6 Media Device Path
+        9.3.6.1 Hard Drive
+
+          [...] Section 3.1.2 defines special rules for processing the Hard
+          Drive Media Device Path. These special rules enable a disk's location
+          to change and still have the system boot from the disk. [...]
+
+        3.1.2 Load Option Processing
+
+          [...] The boot manager must [...] support booting from a short-form
+          device path that starts with the first element being a hard drive
+          media device path [...]. The boot manager must use the GUID or
+          signature and partition number in the hard drive device path to match
+          it to a device in the system. If the drive supports the GPT
+          partitioning scheme the GUID in the hard drive media device path is
+          compared with the UniquePartitionGuid field of the GUID Partition
+          Entry [...]. If the drive supports the PC-AT MBR scheme the signature
+          in the hard drive media device path is compared with the
+          UniqueMBRSignature in the Legacy Master Boot Record [...]. If a
+          signature match is made, then the partition number must also be
+          matched. The hard drive device path can be appended to the matching
+          hardware device path and normal boot behavior can then be used. If
+          more than one device matches the hard drive device path, the boot
+          manager will pick one arbitrarily. Thus the operating system must
+          ensure the uniqueness of the signatures on hard drives to guarantee
+          deterministic boot behavior.
+
+      Edk2 implements and exposes the device path completion logic in the
+      already referenced "IntelFrameworkModulePkg/Library/GenericBdsLib"
+      library, in the BdsExpandPartitionPartialDevicePathToFull() function.
+
+    (d) Filtering and reordering the boot options based on fw_cfg
+
+      Once we have an "all-inclusive", partly preexistent, partly freshly
+      auto-generated boot option list from bullet (b), OVMF loads QEMU's
+      requested boot order from fw_cfg, and filters and reorders the list from
+      (b) with it:
+
+      PlatformBdsPolicyBehavior()                   [OvmfPkg/.../BdsPlatform.c]
+        TryRunningQemuKernel()                       [OvmfPkg/.../QemuKernel.c]
+        BdsLibConnectAll()           [IntelFrameworkModulePkg/.../BdsConnect.c]
+        BdsLibEnumerateAllBootOption()  [IntelFrameworkModulePkg/.../BdsBoot.c]
+        SetBootOrderFromQemu()                    [OvmfPkg/.../QemuBootOrder.c]
+
+      According to the (preferred) "-device ...,bootindex=N" and the (legacy)
+      '-boot order=drives' command line options, QEMU requests a boot order
+      from the firmware through the "bootorder" fw_cfg file. (For a bootindex
+      example, refer to the "Example qemu invocation" section.)
+
+      This fw_cfg file consists of OpenFirmware (OFW) device paths -- note: not
+      UEFI device paths! --, one per line. An example list is:
+
+        /pci@i0cf8/scsi@4/disk@0,0
+        /pci@i0cf8/ide@1,1/drive@1/disk@0
+        /pci@i0cf8/ethernet@3/ethernet-phy@0
+
+      OVMF filters and reorders the boot option list from bullet (b) with the
+      following nested loops algorithm:
+
+        new_uefi_order := <empty>
+        for each qemu_ofw_path in QEMU's OpenFirmware device path list:
+          qemu_uefi_path_prefix := translate(qemu_ofw_path)
+
+          for each boot_option in current_uefi_order:
+            full_boot_option := complete(boot_option)
+
+            if match(qemu_uefi_path_prefix, full_boot_option):
+              append(new_uefi_order, boot_option)
+              break
+
+        for each unmatched boot_option in current_uefi_order:
+          if survives(boot_option):
+            append(new_uefi_order, boot_option)
+
+        current_uefi_order := new_uefi_order
+
+      OVMF iterates over QEMU's OFW device paths in order, translates each to a
+      UEFI device path prefix, tries to match the translated prefix against the
+      UEFI boot options (which are completed from relative form to absolute
+      form for the purpose of prefix matching), and if there's a match, the
+      matching boot option is appended to the new boot order (which starts out
+      empty).
+
+      (We elaborate on the translate() function under bullet (e). The
+      complete() function has been explained in bullet (c).)
+
+      In addition, UEFI boot options that remain unmatched after filtering and
+      reordering are post-processed, and some of them "survive". Due to the
+      fact that OpenFirmware device paths have less expressive power than their
+      UEFI counterparts, some UEFI boot options are simply inexpressible (hence
+      unmatchable) by the nested loops algorithm.
+
+      An important example is the memory-mapped UEFI shell, whose UEFI device
+      path is inexpressible by QEMU's OFW device paths:
+
+        MemoryMapped(0xB,0x900000,0x10FFFFF)/
+        FvFile(7C04A583-9E3E-4F1C-AD65-E05268D0B4D1)
+
+      (Side remark: notice that the address range visible in the MemoryMapped()
+      node corresponds to DXEFV under "comprehensive memory map of OVMF"! In
+      addition, the FvFile() node's GUID originates from the FILE_GUID entry of
+      "ShellPkg/Application/Shell/Shell.inf".)
+
+      The UEFI shell can be booted by pressing ESC in OVMF on the TianoCore
+      splash screen, and navigating to Boot Manager | EFI Internal Shell. If
+      the "survival policy" was not implemented, the UEFI shell's boot option
+      would always be filtered out.
+
+      The current "survival policy" preserves all boot options that start with
+      neither PciRoot() nor HD().
+
+    (e) Translating QEMU's OpenFirmware device paths to UEFI device path
+        prefixes
+
+      In this section we list the (strictly heuristical) mappings currently
+      performed by OVMF.
+
+      The "prefix only" nature of the translation output is rooted minimally in
+      the fact that QEMU's OpenFirmware device paths cannot carry pathnames
+      within filesystems. There's no way to specify eg.
+
+        \EFI\fedora\shim.efi
+
+      in an OFW device path, therefore a UEFI device path translated from an
+      OFW device path can at best be a prefix (not a full match) of a UEFI
+      device path that ends with "\EFI\fedora\shim.efi".
+
+      - IDE disk, IDE CD-ROM:
+
+        OpenFirmware device path:
+
+          /pci@i0cf8/ide@1,1/drive@0/disk@0
+               ^         ^ ^       ^      ^
+               |         | |       |      master or slave
+               |         | |       primary or secondary
+               |         PCI slot & function holding IDE controller
+               PCI root at system bus port, PIO
+
+        UEFI device path prefix:
+
+          PciRoot(0x0)/Pci(0x1,0x1)/Ata(Primary,Master,0x0)
+                                                       ^
+                                                       fixed LUN
+
+      - Floppy disk:
+
+        OpenFirmware device path:
+
+          /pci@i0cf8/isa@1/fdc@03f0/floppy@0
+               ^         ^     ^           ^
+               |         |     |           A: or B:
+               |         |     ISA controller io-port (hex)
+               |         PCI slot holding ISA controller
+               PCI root at system bus port, PIO
+
+        UEFI device path prefix:
+
+          PciRoot(0x0)/Pci(0x1,0x0)/Floppy(0x0)
+                                           ^
+                                           ACPI UID (A: or B:)
+
+      - Virtio-block disk:
+
+        OpenFirmware device path:
+
+          /pci@i0cf8/scsi@6[,3]/disk@0,0
+               ^          ^  ^       ^ ^
+               |          |  |       fixed
+               |          |  PCI function corresponding to disk (optional)
+               |          PCI slot holding disk
+               PCI root at system bus port, PIO
+
+        UEFI device path prefixes (dependent on the presence of a nonzero PCI
+        function in the OFW device path):
+
+          PciRoot(0x0)/Pci(0x6,0x0)/HD(
+          PciRoot(0x0)/Pci(0x6,0x3)/HD(
+
+      - Virtio-scsi disk and virtio-scsi passthrough:
+
+        OpenFirmware device path:
+
+          /pci@i0cf8/scsi@7[,3]/channel@0/disk@2,3
+               ^          ^             ^      ^ ^
+               |          |             |      | LUN
+               |          |             |      target
+               |          |             channel (unused, fixed 0)
+               |          PCI slot[, function] holding SCSI controller
+               PCI root at system bus port, PIO
+
+        UEFI device path prefixes (dependent on the presence of a nonzero PCI
+        function in the OFW device path):
+
+          PciRoot(0x0)/Pci(0x7,0x0)/Scsi(0x2,0x3)
+          PciRoot(0x0)/Pci(0x7,0x3)/Scsi(0x2,0x3)
+
+      - Emulated and passed-through (physical) network cards:
+
+        OpenFirmware device path:
+
+          /pci@i0cf8/ethernet@3[,2]
+               ^              ^
+               |              PCI slot[, function] holding Ethernet card
+               PCI root at system bus port, PIO
+
+        UEFI device path prefixes (dependent on the presence of a nonzero PCI
+        function in the OFW device path):
+
+          PciRoot(0x0)/Pci(0x3,0x0)
+          PciRoot(0x0)/Pci(0x3,0x2)
+
+Virtio drivers
+..............
+
+UEFI abstracts various types of hardware resources into protocols, and allows
+firmware developers to implement those protocols in device drivers. The Virtio
+Specification defines various types of virtual hardware for virtual machines.
+Connecting the two specifications, OVMF provides UEFI drivers for QEMU's
+virtio-block, virtio-scsi, and virtio-net devices.
+
+The following diagram presents the protocol and driver stack related to Virtio
+devices in edk2 and OVMF. Each node in the graph identifies a protocol and/or
+the edk2 driver that produces it. Nodes on the top are more abstract.
+
+  EFI_BLOCK_IO_PROTOCOL                             EFI_SIMPLE_NETWORK_PROTOCOL
+  [OvmfPkg/VirtioBlkDxe]                              [OvmfPkg/VirtioNetDxe]
+             |                                                   |
+             |         EFI_EXT_SCSI_PASS_THRU_PROTOCOL           |
+             |             [OvmfPkg/VirtioScsiDxe]               |
+             |                        |                          |
+             +------------------------+--------------------------+
+                                      |
+                           VIRTIO_DEVICE_PROTOCOL
+                                      |
+                +---------------------+---------------------+
+                |                                           |
+  [OvmfPkg/VirtioPciDeviceDxe]                  [custom platform drivers]
+                |                                           |
+                |                                           |
+       EFI_PCI_IO_PROTOCOL                [OvmfPkg/Library/VirtioMmioDeviceLib]
+ [MdeModulePkg/Bus/Pci/PciBusDxe]              direct MMIO register access
+
+The top three drivers produce standard UEFI abstractions: the Block IO
+Protocol, the Extended SCSI Pass Thru Protocol, and the Simple Network
+Protocol, for virtio-block, virtio-scsi, and virtio-net devices, respectively.
+
+Comparing these device-specific virtio drivers to each other, we can determine:
+
+- They all conform to the UEFI Driver Model. This means that their entry point
+  functions don't immediately start to search for devices and to drive them,
+  they only register instances of the EFI_DRIVER_BINDING_PROTOCOL. The UEFI
+  Driver Model then enumerates devices and chains matching drivers
+  automatically.
+
+- They are as minimal as possible, while remaining correct (refer to source
+  code comments for details). For example, VirtioBlkDxe and VirtioScsiDxe both
+  support only one request in flight.
+
+  In theory, VirtioBlkDxe could implement EFI_BLOCK_IO2_PROTOCOL, which allows
+  queueing. Similarly, VirtioScsiDxe does not support the non-blocking mode of
+  EFI_EXT_SCSI_PASS_THRU_PROTOCOL.PassThru(). (Which is permitted by the UEFI
+  specification.) Both VirtioBlkDxe and VirtioScsiDxe delegate synchronous
+  request handling to "OvmfPkg/Library/VirtioLib". This limitation helps keep
+  the implementation simple, and testing thus far seems to imply satisfactory
+  performance, for a virtual boot firmware.
+
+  VirtioNetDxe cannot avoid queueing, because EFI_SIMPLE_NETWORK_PROTOCOL
+  requires it on the interface level. Consequently, VirtioNetDxe is
+  significantly more complex than VirtioBlkDxe and VirtioScsiDxe. Technical
+  notes are provided in "OvmfPkg/VirtioNetDxe/TechNotes.txt".
+
+- None of these drivers access hardware directly. Instead, the Virtio Device
+  Protocol (OvmfPkg/Include/Protocol/VirtioDevice.h) collects / extracts virtio
+  operations defined in the Virtio Specification, and these backend-independent
+  virtio device drivers go through the abstract VIRTIO_DEVICE_PROTOCOL.
+
+  IMPORTANT: the VIRTIO_DEVICE_PROTOCOL is not a standard UEFI protocol. It is
+  internal to edk2 and not described in the UEFI specification. It should only
+  be used by drivers and applications that live inside the edk2 source tree.
+
+Currently two providers exist for VIRTIO_DEVICE_PROTOCOL:
+
+- The first one is the "more traditional" virtio-pci backend, implemented by
+  OvmfPkg/VirtioPciDeviceDxe. This driver also complies with the UEFI Driver
+  Model. It consumes an instance of the EFI_PCI_IO_PROTOCOL, and, if the PCI
+  device/function under probing appears to be a virtio device, it produces a
+  Virtio Device Protocol instance for it. The driver translates abstract virtio
+  operations to PCI accesses.
+
+- The second provider, the virtio-mmio backend, is a library, not a driver,
+  living in OvmfPkg/Library/VirtioMmioDeviceLib. This library translates
+  abstract virtio operations to MMIO accesses.
+
+  The virtio-mmio backend is only a library -- rather than a standalone, UEFI
+  Driver Model-compliant driver -- because the type of resource it consumes, an
+  MMIO register block base address, is not enumerable.
+
+  In other words, while the PCI root bridge driver and the PCI bus driver
+  produce instances of EFI_PCI_IO_PROTOCOL automatically, thereby enabling the
+  UEFI Driver Model to probe devices and stack up drivers automatically, no
+  such enumeration exists for MMIO register blocks.
+
+  For this reason, VirtioMmioDeviceLib needs to be linked into thin, custom
+  platform drivers that dispose over this kind of information. As soon as a
+  driver knows about the MMIO register block base addresses, it can pass each
+  to the library, and then the VIRTIO_DEVICE_PROTOCOL will be instantiated
+  (assuming a valid virtio-mmio register block of course). From that point on
+  the UEFI Driver Model again takes care of the chaining.
+
+  Typically, such a custom driver does not conform to the UEFI Driver Model
+  (because that would presuppose auto-enumeration for MMIO register blocks).
+  Hence it has the following responsibilities:
+
+  - it shall behave as a "wrapper" UEFI driver around the library,
+
+  - it shall know virtio-mmio base addresses,
+
+  - in its entry point function, it shall create a new UEFI handle with an
+    instance of the EFI_DEVICE_PATH_PROTOCOL for each virtio-mmio device it
+    knows the base address for,
+
+  - it shall call VirtioMmioInstallDevice() on those handles, with the
+    corresponding base addresses.
+
+  OVMF itself does not employ VirtioMmioDeviceLib. However, the library is used
+  (or has been tested as Proof-of-Concept) in the following 64-bit and 32-bit
+  ARM emulator setups:
+
+  - in "RTSM_VE_FOUNDATIONV8_EFI.fd" and "FVP_AARCH64_EFI.fd", on ARM Holdings'
+    ARM(R) v8-A Foundation Model and ARM(R) AEMv8-A Base Platform FVP
+    emulators, respectively:
+
+                           EFI_BLOCK_IO_PROTOCOL
+                           [OvmfPkg/VirtioBlkDxe]
+                                      |
+                           VIRTIO_DEVICE_PROTOCOL
+        [ArmPlatformPkg/ArmVExpressPkg/ArmVExpressDxe/ArmFvpDxe.inf]
+                                      |
+                    [OvmfPkg/Library/VirtioMmioDeviceLib]
+                         direct MMIO register access
+
+  - in "RTSM_VE_CORTEX-A15_EFI.fd" and "RTSM_VE_CORTEX-A15_MPCORE_EFI.fd", on
+    "qemu-system-arm -M vexpress-a15":
+
+        EFI_BLOCK_IO_PROTOCOL            EFI_SIMPLE_NETWORK_PROTOCOL
+        [OvmfPkg/VirtioBlkDxe]             [OvmfPkg/VirtioNetDxe]
+                   |                                  |
+                   +------------------+---------------+
+                                      |
+                           VIRTIO_DEVICE_PROTOCOL
+        [ArmPlatformPkg/ArmVExpressPkg/ArmVExpressDxe/ArmFvpDxe.inf]
+                                      |
+                    [OvmfPkg/Library/VirtioMmioDeviceLib]
+                         direct MMIO register access
+
+  In the above ARM / VirtioMmioDeviceLib configurations, VirtioBlkDxe was
+  tested with booting Linux distributions, while VirtioNetDxe was tested with
+  pinging public IPv4 addresses from the UEFI shell.
+
+Platform Driver
+...............
+
+Sometimes, elements of persistent firmware configuration are best exposed to
+the user in a friendly way. OVMF's platform driver (OvmfPkg/PlatformDxe)
+presents such settings on the "OVMF Platform Configuration" dialog:
+
+- Press ESC on the TianoCore splash screen,
+- Navigate to Device Manager | OVMF Platform Configuration.
+
+At the moment, OVMF's platform driver handles only one setting: the preferred
+graphics resolution. This is useful for two purposes:
+
+- Some UEFI shell commands, like DRIVERS and DEVICES, benefit from a wide
+  display. Using the MODE shell command, the user can switch to a larger text
+  resolution (limited by the graphics resolution), and see the command output
+  in a more easily consumable way.
+
+  [RHEL] The list of text modes available to the MODE command is also limited
+         by ConSplitterDxe (found under MdeModulePkg/Universal/Console).
+         ConSplitterDxe builds an intersection of text modes that are
+         simultaneously supported by all consoles that ConSplitterDxe
+         multiplexes console output to.
+
+         In practice, the strongest text mode restriction comes from
+         TerminalDxe, which provides console I/O on serial ports. TerminalDxe
+         has a very limited built-in list of text modes, heavily pruning the
+         intersection built by ConSplitterDxe, and made available to the MODE
+         command.
+
+         On the Red Hat Enterprise Linux 7.1 host, TerminalDxe's list of modes
+         has been extended with text resolutions that match the Spice QXL GPU's
+         common graphics resolutions. This way a "full screen" text mode should
+         always be available in the MODE command.
+
+- The other advantage of controlling the graphics resolution lies with UEFI
+  operating systems that don't (yet) have a native driver for QEMU's virtual
+  video cards  -- eg. the Spice QXL GPU. Such OSes may choose to inherit the
+  properties of OVMF's EFI_GRAPHICS_OUTPUT_PROTOCOL (provided by
+  OvmfPkg/QemuVideoDxe, see later).
+
+  Although the display can be used at runtime in such cases, by direct
+  framebuffer access, its properties, for example, the resolution, cannot be
+  modified. The platform driver allows the user to select the preferred GOP
+  resolution, reboot, and let the guest OS inherit that preferred resolution.
+
+The platform driver has three access points: the "normal" driver entry point, a
+set of HII callbacks, and a GOP installation callback.
+
+(1) Driver entry point: the PlatformInit() function.
+
+    (a) First, this function loads any available settings, and makes them take
+        effect. For the preferred graphics resolution in particular, this means
+        setting the following PCDs:
+
+          gEfiMdeModulePkgTokenSpaceGuid.PcdVideoHorizontalResolution
+          gEfiMdeModulePkgTokenSpaceGuid.PcdVideoVerticalResolution
+
+        These PCDs influence the GraphicsConsoleDxe driver (located under
+        MdeModulePkg/Universal/Console), which switches to the preferred
+        graphics mode, and produces EFI_SIMPLE_TEXT_OUTPUT_PROTOCOLs on GOPs:
+
+                    EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL
+          [MdeModulePkg/Universal/Console/GraphicsConsoleDxe]
+                                   |
+                      EFI_GRAPHICS_OUTPUT_PROTOCOL
+                         [OvmfPkg/QemuVideoDxe]
+                                   |
+                          EFI_PCI_IO_PROTOCOL
+                   [MdeModulePkg/Bus/Pci/PciBusDxe]
+
+  (b) Second, the driver entry point registers the user interface, including
+      HII callbacks.
+
+  (c) Third, the driver entry point registers a GOP installation callback.
+
+(2) HII callbacks and the user interface.
+
+    The Human Interface Infrastructure (HII) "is a set of protocols that allow
+    a UEFI driver to provide the ability to register user interface and
+    configuration content with the platform firmware".
+
+    OVMF's platform driver:
+
+    - provides a static, basic, visual form (PlatformForms.vfr), written in the
+      Visual Forms Representation language,
+
+    - includes a UCS-16 encoded message catalog (Platform.uni),
+
+    - includes source code that dynamically populates parts of the form, with
+      the help of MdeModulePkg/Library/UefiHiiLib -- this library simplifies
+      the handling of IFR (Internal Forms Representation) opcodes,
+
+    - processes form actions that the user takes (Callback() function),
+
+    - loads and saves platform configuration in a private, non-volatile
+      variable (ExtractConfig() and RouteConfig() functions).
+
+    The ExtractConfig() HII callback implements the following stack of
+    conversions, for loading configuration and presenting it to the user:
+
+          MultiConfigAltResp       -- form engine / HII communication
+                  ^
+                  |
+           [BlockToConfig]
+                  |
+           MAIN_FORM_STATE         -- binary representation of form/widget
+                  ^                   state
+                  |
+      [PlatformConfigToFormState]
+                  |
+           PLATFORM_CONFIG         -- accessible to DXE and UEFI drivers
+                  ^
+                  |
+         [PlatformConfigLoad]
+                  |
+        UEFI non-volatile variable -- accessible to external utilities
+
+    The layers are very similar for the reverse direction, ie. when taking
+    input from the user, and saving the configuration (RouteConfig() HII
+    callback):
+
+             ConfigResp            -- form engine / HII communication
+                  |
+           [ConfigToBlock]
+                  |
+                  v
+           MAIN_FORM_STATE         -- binary representation of form/widget
+                  |                   state
+      [FormStateToPlatformConfig]
+                  |
+                  v
+           PLATFORM_CONFIG         -- accessible to DXE and UEFI drivers
+                  |
+         [PlatformConfigSave]
+                  |
+                  v
+        UEFI non-volatile variable -- accessible to external utilities
+
+(3) When the platform driver starts, a GOP may not be available yet. Thus the
+    driver entry point registers a callback (the GopInstalled() function) for
+    GOP installations.
+
+    When the first GOP is produced (usually by QemuVideoDxe, or potentially by
+    a third party video driver), PlatformDxe retrieves the list of graphics
+    modes the GOP supports, and dynamically populates the drop-down list of
+    available resolutions on the form. The GOP installation callback is then
+    removed.
+
+Video driver
+............
+
+OvmfPkg/QemuVideoDxe is OVMF's built-in video driver. We can divide its
+services in two parts: graphics output protocol (primary), and Int10h (VBE)
+shim (secondary).
+
+(1) QemuVideoDxe conforms to the UEFI Driver Model; it produces an instance of
+    the EFI_GRAPHICS_OUTPUT_PROTOCOL (GOP) on each PCI display that it supports
+    and is connected to:
+
+                      EFI_GRAPHICS_OUTPUT_PROTOCOL
+                         [OvmfPkg/QemuVideoDxe]
+                                   |
+                          EFI_PCI_IO_PROTOCOL
+                   [MdeModulePkg/Bus/Pci/PciBusDxe]
+
+    It supports the following QEMU video cards:
+
+    - Cirrus 5430 ("-device cirrus-vga"),
+    - Standard VGA ("-device VGA"),
+    - QXL VGA ("-device qxl-vga", "-device qxl").
+
+    For Cirrus the following resolutions and color depths are available:
+    640x480x32, 800x600x32, 1024x768x24. On stdvga and QXL a long list of
+    resolutions is available. The list is filtered against the frame buffer
+    size during initialization.
+
+    The size of the QXL VGA compatibility framebuffer can be changed with the
+
+      -device qxl-vga,vgamem_mb=$NUM_MB
+
+    QEMU option. If $NUM_MB exceeds 32, then the following is necessary
+    instead:
+
+      -device qxl-vga,vgamem_mb=$NUM_MB,ram_size_mb=$((NUM_MB*2))
+
+    because the compatibility framebuffer can't cover more than half of PCI BAR
+    #0. The latter defaults to 64MB in size, and is controlled by the
+    "ram_size_mb" property.
+
+(2) When QemuVideoDxe binds the first Standard VGA or QXL VGA device, and there
+    is no real VGA BIOS present in the C to F segments (which could originate
+    from a legacy PCI option ROM -- refer to "Compatibility Support Module
+    (CSM)"), then QemuVideoDxe installs a minimal, "fake" VGA BIOS -- an Int10h
+    (VBE) "shim".
+
+    The shim is implemented in 16-bit assembly in
+    "OvmfPkg/QemuVideoDxe/VbeShim.asm". The "VbeShim.sh" shell script assembles
+    it and formats it as a C array ("VbeShim.h") with the help of the "nasm"
+    utility. The driver's InstallVbeShim() function copies the shim in place
+    (the C segment), and fills in the VBE Info and VBE Mode Info structures.
+    The real-mode 10h interrupt vector is pointed to the shim's handler.
+
+    The shim is (correctly) irrelevant and invisible for all UEFI operating
+    systems we know about -- except Windows Server 2008 R2 and other Windows
+    operating systems in that family.
+
+    Namely, the Windows 2008 R2 SP1 (and Windows 7) UEFI guest's default video
+    driver dereferences the real mode Int10h vector, loads the pointed-to
+    handler code, and executes what it thinks to be VGA BIOS services in an
+    internal real-mode emulator. Consequently, video mode switching used not to
+    work in Windows 2008 R2 SP1 when it ran on the "pure UEFI" build of OVMF,
+    making the guest uninstallable. Hence the (otherwise optional, non-default)
+    Compatibility Support Module (CSM) ended up a requirement for running such
+    guests.
+
+    The hard dependency on the sophisticated SeaBIOS CSM and the complex
+    supporting edk2 infrastructure, for enabling this family of guests, was
+    considered suboptimal by some members of the upstream community,
+
+    [RHEL] and was certainly considered a serious maintenance disadvantage for
+           Red Hat Enterprise Linux 7.1 hosts.
+
+    Thus, the shim has been collaboratively developed for the Windows 7 /
+    Windows Server 2008 R2 family. The shim provides a real stdvga / QXL
+    implementation for the few services that are in fact necessary for the
+    Windows 2008 R2 SP1 (and Windows 7) UEFI guest, plus some "fakes" that the
+    guest invokes but whose effect is not important. The only supported mode is
+    1024x768x32, which is enough to install the guest and then upgrade its
+    video driver to the full-featured QXL XDDM one.
+
+    The C segment is not present in the UEFI memory map prepared by OVMF.
+    Memory space that would cover it is never added (either in PEI, in the form
+    of memory resource descriptor HOBs, or in DXE, via gDS->AddMemorySpace()).
+    This way the handler body is invisible to all other UEFI guests, and the
+    rest of edk2.
+
+    The Int10h real-mode IVT entry is covered with a Boot Services Code page,
+    making that too inaccessible to the rest of edk2. Due to the allocation
+    type, UEFI guest OSes different from the Windows Server 2008 family can
+    reclaim the page at zero. (The Windows 2008 family accesses that page
+    regardless of the allocation type.)
+
+Afterword
+---------
+
+After the bulk of this document was written in July 2014, OVMF development has
+not stopped. To name two significant code contributions from the community: in
+January 2015, OVMF runs on the "q35" machine type of QEMU, and it features a
+driver for Xen paravirtual block devices (and another for the underlying Xen
+bus).
+
+Furthermore, a dedicated virtualization platform has been contributed to
+ArmPlatformPkg that plays a role parallel to OvmfPkg's. It targets the "virt"
+machine type of qemu-system-arm and qemu-system-aarch64. Parts of OvmfPkg are
+being refactored and modularized so they can be reused in
+"ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc".
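Review bot: "UCS-16" in the HII list under "Platform Driver" ("includes a UCS-16 encoded message catalog (Platform.uni)") is not an encoding name; it should read UCS-2 or UTF-16, whichever the file actually uses. In the same section, items (b) and (c) under "(1) Driver entry point" are indented two columns less than (a), so a reader can take them for siblings of (1) rather than its sub-steps; align them with (a). In the Afterword, "in January 2015, OVMF runs on the "q35" machine type" would read more clearly as "as of January 2015".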
diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec
new file mode 100644
index 0000000..9d7ca0f
--- /dev/null
+++ b/SPECS/edk2.spec
@@ -0,0 +1,1054 @@
+ExclusiveArch: x86_64 aarch64
+
+%define GITDATE        20180508
+%define GITCOMMIT      ee3198e672e2
+%define TOOLCHAIN      GCC5
+%define OPENSSL_VER    1.1.0h
+
+Name:       edk2
+Version:    %{GITDATE}git%{GITCOMMIT}
+Release:    9%{?dist}
+Summary:    UEFI firmware for 64-bit virtual machines
+Group:      Applications/Emulators
+License:    BSD and OpenSSL and MIT
+URL:        http://www.tianocore.org
+
+# The source tarball is created using following commands:
+# COMMIT=%{GITCOMMIT}
+# git archive --format=tar --prefix=edk2-$COMMIT/ $COMMIT \
+# | xz -9ev >/tmp/edk2-$COMMIT.tar.xz
+Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz
+Source1: ovmf-whitepaper-c770f8c.txt
+Source2: openssl-fedora-264133c642cdb6fc916f1d9bba9db4cb4cd4a17c.tar.xz
+Source3: ovmf-vars-generator
+Source4: LICENSE.qosb
+
+Patch0003: 0003-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
+Patch0004: 0004-OvmfPkg-increase-max-debug-message-length-to-512-RHE.patch
+Patch0005: 0005-OvmfPkg-QemuVideoDxe-enable-debug-messages-in-VbeShi.patch
+Patch0006: 0006-MdeModulePkg-TerminalDxe-add-other-text-resolutions-.patch
+Patch0007: 0007-MdeModulePkg-TerminalDxe-set-xterm-resolution-on-mod.patch
+Patch0008: 0008-OvmfPkg-take-PcdResizeXterm-from-the-QEMU-command-li.patch
+Patch0009: 0009-ArmVirtPkg-QemuFwCfgLib-allow-UEFI_DRIVER-client-mod.patch
+Patch0010: 0010-ArmVirtPkg-take-PcdResizeXterm-from-the-QEMU-command.patch
+Patch0011: 0011-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
+Patch0012: 0012-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
+Patch0013: 0013-ArmPlatformPkg-introduce-fixed-PCD-for-early-hello-m.patch
+Patch0014: 0014-ArmPlatformPkg-PrePeiCore-write-early-hello-message-.patch
+Patch0015: 0015-ArmVirtPkg-set-early-hello-message-RH-only.patch
+Patch0016: 0016-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch
+Patch0017: 0017-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-QemuVide.patch
+Patch0018: 0018-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
+Patch0019: 0019-OvmfPkg-PlatformBootManagerLib-connect-consoles-unco.patch
+Patch0020: 0020-ArmVirtPkg-PlatformBootManagerLib-connect-Virtio-RNG.patch
+Patch0021: 0021-OvmfPkg-PlatformBootManagerLib-connect-Virtio-RNG-de.patch
+Patch0027: 0027-BaseTools-tools_def-add-fno-unwind-tables-to-GCC_AAR.patch
+# For bz#1536627 - IPv6 enablement in OVMF
+Patch35: edk2-ArmVirtPkg-unify-HttpLib-resolutions-in-ArmVirt.dsc..patch
+# For bz#1536627 - IPv6 enablement in OVMF
+Patch36: edk2-ArmVirtPkg-ArmVirtQemu-enable-the-IPv6-stack.patch
+# For bz#1536627 - IPv6 enablement in OVMF
+Patch37: edk2-advertise-OpenSSL-due-to-IPv6-enablement-too-RHEL-on.patch
+# For bz#1607906 - edk2-tools: Does not use RPM build flags
+Patch38: edk2-BaseTools-footer.makefile-expand-BUILD_CFLAGS-last-f.patch
+# For bz#1607906 - edk2-tools: Does not use RPM build flags
+Patch39: edk2-BaseTools-header.makefile-remove-c-from-BUILD_CFLAGS.patch
+# For bz#1607906 - edk2-tools: Does not use RPM build flags
+Patch40: edk2-BaseTools-Source-C-split-O2-to-BUILD_OPTFLAGS.patch
+# For bz#1607906 - edk2-tools: Does not use RPM build flags
+Patch41: edk2-BaseTools-Source-C-take-EXTRA_OPTFLAGS-from-the-call.patch
+# For bz#1607906 - edk2-tools: Does not use RPM build flags
+Patch42: edk2-BaseTools-Source-C-take-EXTRA_LDFLAGS-from-the-calle.patch
+# For bz#1607906 - edk2-tools: Does not use RPM build flags
+Patch43: edk2-BaseTools-VfrCompile-honor-EXTRA_LDFLAGS.patch
+# For bz#1641436 - CVE-2018-3613 edk2: Logic error in MdeModulePkg in EDK II firmware allows for privilege escalation by authenticated users [rhel-8]
+Patch44: edk2-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch
+# For bz#1641449 - CVE-2017-5732 edk2: Privilege escalation via processing of malformed files in BaseUefiDecompressLib.c [rhel-8]
+# For bz#1641453 - CVE-2017-5733 edk2: Privilege escalation via heap-based buffer overflow in MakeTable() function [rhel-8]
+# For bz#1641464 - CVE-2017-5734 edk2: Privilege escalation via stack-based buffer overflow in MakeTable() function [rhel-8]
+# For bz#1641469 - CVE-2017-5735 edk2: Privilege escalation via heap-based buffer overflow in Decode() function [rhel-8]
+Patch45: edk2-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch
+# For bz#1641453 - CVE-2017-5733 edk2: Privilege escalation via heap-based buffer overflow in MakeTable() function [rhel-8]
+# For bz#1641464 - CVE-2017-5734 edk2: Privilege escalation via stack-based buffer overflow in MakeTable() function [rhel-8]
+# For bz#1641469 - CVE-2017-5735 edk2: Privilege escalation via heap-based buffer overflow in Decode() function [rhel-8]
+Patch46: edk2-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch
+# For bz#1641445 - CVE-2017-5731 edk2: Privilege escalation via processing of malformed files in TianoCompress.c [rhel-8]
+# For bz#1641453 - CVE-2017-5733 edk2: Privilege escalation via heap-based buffer overflow in MakeTable() function [rhel-8]
+# For bz#1641464 - CVE-2017-5734 edk2: Privilege escalation via stack-based buffer overflow in MakeTable() function [rhel-8]
+# For bz#1641469 - CVE-2017-5735 edk2: Privilege escalation via heap-based buffer overflow in Decode() function [rhel-8]
+Patch47: edk2-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch
+# For bz#1643377 - Exception when grubx64.efi used for UEFI netboot
+Patch48: edk2-NetworkPkg-UefiPxeBcDxe-Add-EXCLUSIVE-attribute-when.patch
+# For bz#1662184 - backport fix for (theoretical?) regression introduced by earlier CVE fixes
+Patch49: edk2-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch
+# For bz#1662184 - backport fix for (theoretical?) regression introduced by earlier CVE fixes
+Patch50: edk2-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch
+# For bz#1662184 - backport fix for (theoretical?) regression introduced by earlier CVE fixes
+Patch51: edk2-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch
+
+
+# python2-devel and libuuid-devel are required for building tools
+BuildRequires:  python2-devel
+BuildRequires:  libuuid-devel
+BuildRequires:  /usr/bin/iasl
+BuildRequires:  binutils gcc git
+
+%ifarch x86_64
+# Only OVMF includes 80x86 assembly files (*.nasm*).
+BuildRequires:  nasm
+
+# Only OVMF includes the Secure Boot feature, for which we need to separate out
+# the UEFI shell.
+BuildRequires:  dosfstools
+BuildRequires:  mtools
+BuildRequires:  genisoimage
+
+# For generating the variable store template with the default certificates
+# enrolled, we need qemu-kvm.
+BuildRequires:  qemu-kvm
+
+# For verifying SB enablement in the above variable store template, we need a
+# guest kernel that prints "Secure boot enabled".
+BuildRequires: kernel-core
+BuildRequires: rpmdevtools
+
+# For orchestrating the above two steps (varstore generation and verification),
+# we need to launch "ovmf-vars-generator" -- which we run on Python 3.
+BuildRequires: python3-devel
+
+%package ovmf
+Summary:    UEFI firmware for x86_64 virtual machines
+BuildArch:  noarch
+Provides:   OVMF = %{version}-%{release}
+Obsoletes:  OVMF < 20180508-100.gitee3198e672e2.el7
+
+# OVMF includes the Secure Boot and IPv6 features; it has a builtin OpenSSL
+# library.
+Provides:   bundled(openssl) = %{OPENSSL_VER}
+License:    BSD and OpenSSL
+
+# URL taken from the Maintainers.txt file.
+URL:        http://www.tianocore.org/ovmf/
+
+%description ovmf
+OVMF (Open Virtual Machine Firmware) is a project to enable UEFI support for
+Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU
+and KVM.
+
+%else
+%package aarch64
+Summary:    UEFI firmware for aarch64 virtual machines
+BuildArch:  noarch
+Provides:   AAVMF = %{version}-%{release}
+Obsoletes:  AAVMF < 20180508-100.gitee3198e672e2.el7
+
+# No Secure Boot for AAVMF yet, but we include OpenSSL for the IPv6 stack.
+Provides:   bundled(openssl) = %{OPENSSL_VER}
+License:    BSD and OpenSSL
+
+# URL taken from the Maintainers.txt file.
+URL:        https://github.com/tianocore/tianocore.github.io/wiki/ArmVirtPkg
+
+%description aarch64
+AAVMF (ARM Architecture Virtual Machine Firmware) is an EFI Development Kit II
+platform that enables UEFI support for QEMU/KVM ARM Virtual Machines. This
+package contains a 64-bit build.
+%endif
+
+%package tools
+Summary:        EFI Development Kit II Tools
+Group:          Development/Tools
+License:        BSD
+URL:            https://github.com/tianocore/tianocore.github.io/wiki/BaseTools
+%description tools
+This package provides tools that are needed to
+build EFI executables and ROMs using the GNU tools.
+
+%package tools-doc
+Summary:        Documentation for EFI Development Kit II Tools
+Group:          Development/Tools
+BuildArch:      noarch
+License:        BSD
+URL:            https://github.com/tianocore/tianocore.github.io/wiki/BaseTools
+%description tools-doc
+This package documents the tools that are needed to
+build EFI executables and ROMs using the GNU tools.
+
+%description
+EDK II is a modern, feature-rich, cross-platform firmware development
+environment for the UEFI and PI specifications. This package contains sample
+64-bit UEFI firmware builds for QEMU and KVM.
+
+%prep
+%setup -q -n edk2-%{GITCOMMIT}
+
+# Ensure old shell and binary packages are not used
+rm -rf EdkShellBinPkg
+rm -rf EdkShellPkg
+rm -rf FatBinPkg
+rm -rf ShellBinPkg
+
+%{lua:
+    tmp = os.tmpname();
+    f = io.open(tmp, "w+");
+    count = 0;
+    for i, p in ipairs(patches) do
+        f:write(p.."\n");
+        count = count + 1;
+    end;
+    f:close();
+    print("PATCHCOUNT="..count.."\n")
+    print("PATCHLIST="..tmp.."\n")
+}
+
+git init -q
+git config user.name rpm-build
+git config user.email rpm-build
+git config core.whitespace cr-at-eol
+git config am.keepcr true
+git add -A .
+git commit -q -a --author 'rpm-build <rpm-build>' \
+           -m '%{name}-%{GITCOMMIT} base'
+
+COUNT=$(grep '\.patch$' $PATCHLIST | wc -l)
+if [ $COUNT -ne $PATCHCOUNT ]; then
+    echo "Found $COUNT patches in $PATCHLIST, expected $PATCHCOUNT"
+    exit 1
+fi
+if [ $COUNT -gt 0 ]; then
+    for pf in `cat $PATCHLIST`; do
+      git am $pf
+    done
+fi
+echo "Applied $COUNT patches"
+rm -f $PATCHLIST
+
+cp -a -- %{SOURCE1} %{SOURCE3} .
+tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
+
+# Done by %setup, but we do not use it for the auxiliary tarballs
+chmod -Rf a+rX,u+w,g-w,o-w .
+
+%build
+# For the time being, we need Python 2 for the build. See RHBZ 1593429 and
+# <https://url.corp.redhat.com/rhel8-py2>.
+export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
+
+source ./edksetup.sh
+make -C "$EDK_TOOLS_PATH" \
+  EXTRA_OPTFLAGS="%{optflags}" \
+  EXTRA_LDFLAGS="%{__global_ldflags}"
+
+SMP_MFLAGS="%{?_smp_mflags}"
+if [[ x"$SMP_MFLAGS" = x-j* ]]; then
+        CC_FLAGS="$CC_FLAGS -n ${SMP_MFLAGS#-j}"
+elif [ -n "%{?jobs}" ]; then
+        CC_FLAGS="$CC_FLAGS -n %{?jobs}"
+fi
+
+CC_FLAGS="$CC_FLAGS --cmd-len=65536 -t %{TOOLCHAIN} -b DEBUG --hash"
+CC_FLAGS="$CC_FLAGS -D NETWORK_IP6_ENABLE"
+
+%ifarch x86_64
+# Build with neither SB nor SMM; include UEFI shell.
+build ${CC_FLAGS} -D FD_SIZE_4MB -a X64 -p OvmfPkg/OvmfPkgX64.dsc
+
+# Build with SB and SMM; exclude UEFI shell.
+build -D SECURE_BOOT_ENABLE -D EXCLUDE_SHELL_FROM_FD ${CC_FLAGS} \
+  -a IA32 -a X64 -p OvmfPkg/OvmfPkgIa32X64.dsc -D SMM_REQUIRE \
+  -D FD_SIZE_4MB
+
+# Sanity check: the varstore templates must be identical.
+cmp Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
+  Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd
+
+# Prepare an ISO image that boots the UEFI shell.
+(
+  UEFI_SHELL_BINARY=Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/Shell.efi
+  ENROLLER_BINARY=Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/EnrollDefaultKeys.efi
+  UEFI_SHELL_IMAGE=uefi_shell.img
+  ISO_IMAGE=UefiShell.iso
+
+  UEFI_SHELL_BINARY_BNAME=$(basename -- "$UEFI_SHELL_BINARY")
+  UEFI_SHELL_SIZE=$(stat --format=%s -- "$UEFI_SHELL_BINARY")
+  ENROLLER_SIZE=$(stat --format=%s -- "$ENROLLER_BINARY")
+
+  # add 1MB then 10% for metadata
+  UEFI_SHELL_IMAGE_KB=$((
+    (UEFI_SHELL_SIZE + ENROLLER_SIZE + 1 * 1024 * 1024) * 11 / 10 / 1024
+  ))
+
+  # create non-partitioned FAT image
+  rm -f -- "$UEFI_SHELL_IMAGE"
+  mkdosfs -C "$UEFI_SHELL_IMAGE" -n UEFI_SHELL -- "$UEFI_SHELL_IMAGE_KB"
+
+  # copy the shell binary into the FAT image
+  export MTOOLS_SKIP_CHECK=1
+  mmd   -i "$UEFI_SHELL_IMAGE"                       ::efi
+  mmd   -i "$UEFI_SHELL_IMAGE"                       ::efi/boot
+  mcopy -i "$UEFI_SHELL_IMAGE"  "$UEFI_SHELL_BINARY" ::efi/boot/bootx64.efi
+  mcopy -i "$UEFI_SHELL_IMAGE"  "$ENROLLER_BINARY"   ::
+  mdir  -i "$UEFI_SHELL_IMAGE"  -/                   ::
+
+  # build ISO with FAT image file as El Torito EFI boot image
+  genisoimage -input-charset ASCII -J -rational-rock \
+    -efi-boot "$UEFI_SHELL_IMAGE" -no-emul-boot \
+    -o "$ISO_IMAGE" -- "$UEFI_SHELL_IMAGE"
+)
+
+# Enroll the default certificates in a separate variable store template.
+%{__python3} ovmf-vars-generator --verbose --verbose \
+  --qemu-binary        /usr/libexec/qemu-kvm \
+  --ovmf-binary        Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \
+  --ovmf-template-vars Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
+  --uefi-shell-iso     UefiShell.iso \
+  --skip-testing \
+  OVMF_VARS.secboot.fd
+
+%else
+# Build with a verbose debug mask first, and stash the binary.
+build ${CC_FLAGS} -a AARCH64 \
+  -p ArmVirtPkg/ArmVirtQemu.dsc \
+  -D DEBUG_PRINT_ERROR_LEVEL=0x8040004F
+cp -a Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \
+  QEMU_EFI.verbose.fd
+
+# Rebuild with a silent (errors only) debug mask.
+build ${CC_FLAGS} -a AARCH64 \
+  -p ArmVirtPkg/ArmVirtQemu.dsc \
+  -D DEBUG_PRINT_ERROR_LEVEL=0x80000000
+%endif
+
+%install
+
+cp -a License.txt License.edk2.txt
+
+%ifarch x86_64
+mkdir -p \
+  $RPM_BUILD_ROOT%{_datadir}/OVMF \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf
+
+# We don't ship the SB-less, SMM-less binary.
+%if 0
+install -m 0644 Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.fd
+ln -s ../%{name}/ovmf/OVMF_CODE.fd         $RPM_BUILD_ROOT%{_datadir}/OVMF/
+%endif
+install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd
+
+install -m 0644 Build/OvmfX64/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_VARS.fd
+install -m 0644 OVMF_VARS.secboot.fd \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd
+install -m 0644 UefiShell.iso \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/UefiShell.iso
+
+ln -s ../%{name}/ovmf/OVMF_CODE.secboot.fd $RPM_BUILD_ROOT%{_datadir}/OVMF/
+ln -s ../%{name}/ovmf/OVMF_VARS.fd         $RPM_BUILD_ROOT%{_datadir}/OVMF/
+ln -s ../%{name}/ovmf/OVMF_VARS.secboot.fd $RPM_BUILD_ROOT%{_datadir}/OVMF/
+ln -s ../%{name}/ovmf/UefiShell.iso        $RPM_BUILD_ROOT%{_datadir}/OVMF/
+
+install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/Shell.efi \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/Shell.efi
+install -m 0644 Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/X64/EnrollDefaultKeys.efi \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi
+
+%else
+mkdir -p \
+  $RPM_BUILD_ROOT%{_datadir}/AAVMF \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64
+
+# Pad and install the verbose binary.
+cat QEMU_EFI.verbose.fd \
+  /dev/zero \
+| head -c 64m \
+  > $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64/QEMU_EFI-pflash.raw
+
+# Pad and install the silent (default) binary.
+cat Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \
+  /dev/zero \
+| head -c 64m \
+  > $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64/QEMU_EFI-silent-pflash.raw
+
+# Create varstore template.
+cat Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_VARS.fd \
+  /dev/zero \
+| head -c 64m \
+  > $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64/vars-template-pflash.raw
+
+ln -s ../%{name}/aarch64/QEMU_EFI-pflash.raw \
+  $RPM_BUILD_ROOT%{_datadir}/AAVMF/AAVMF_CODE.verbose.fd
+ln -s ../%{name}/aarch64/QEMU_EFI-silent-pflash.raw \
+  $RPM_BUILD_ROOT%{_datadir}/AAVMF/AAVMF_CODE.fd
+ln -s ../%{name}/aarch64/vars-template-pflash.raw \
+  $RPM_BUILD_ROOT%{_datadir}/AAVMF/AAVMF_VARS.fd
+
+chmod 0644 -- $RPM_BUILD_ROOT%{_datadir}/AAVMF/AAVMF_*.fd
+
+install -m 0644 QEMU_EFI.verbose.fd \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64/QEMU_EFI.fd
+install -m 0644 Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_EFI.fd \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64/QEMU_EFI.silent.fd
+install -m 0644 Build/ArmVirtQemu-AARCH64/DEBUG_%{TOOLCHAIN}/FV/QEMU_VARS.fd \
+  $RPM_BUILD_ROOT%{_datadir}/%{name}/aarch64/QEMU_VARS.fd
+
+%endif
+
+cp -a CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl
+
+# install the tools
+mkdir -p %{buildroot}%{_bindir} \
+         %{buildroot}%{_datadir}/%{name}/Conf \
+         %{buildroot}%{_datadir}/%{name}/Scripts
+install BaseTools/Source/C/bin/* \
+        %{buildroot}%{_bindir}
+install BaseTools/BinWrappers/PosixLike/LzmaF86Compress \
+        %{buildroot}%{_bindir}
+install BaseTools/BuildEnv \
+        %{buildroot}%{_datadir}/%{name}
+install BaseTools/Conf/*.template \
+        %{buildroot}%{_datadir}/%{name}/Conf
+install BaseTools/Scripts/GccBase.lds \
+        %{buildroot}%{_datadir}/%{name}/Scripts
+
+%ifarch x86_64
+%files ovmf
+%else
+%files aarch64
+%endif
+
+%defattr(-,root,root,-)
+%license License.edk2.txt
+%license OvmfPkg/License.txt
+%license LICENSE.openssl
+%dir %{_datadir}/%{name}/
+
+%ifarch x86_64
+%doc OvmfPkg/README
+%doc ovmf-whitepaper-c770f8c.txt
+%dir %{_datadir}/OVMF/
+%dir %{_datadir}/%{name}/ovmf/
+%if 0
+%{_datadir}/%{name}/ovmf/OVMF_CODE.fd
+%{_datadir}/OVMF/OVMF_CODE.fd
+%endif
+%{_datadir}/%{name}/ovmf/OVMF_CODE.secboot.fd
+%{_datadir}/%{name}/ovmf/OVMF_VARS.fd
+%{_datadir}/%{name}/ovmf/OVMF_VARS.secboot.fd
+%{_datadir}/%{name}/ovmf/UefiShell.iso
+%{_datadir}/OVMF/OVMF_CODE.secboot.fd
+%{_datadir}/OVMF/OVMF_VARS.fd
+%{_datadir}/OVMF/OVMF_VARS.secboot.fd
+%{_datadir}/OVMF/UefiShell.iso
+%{_datadir}/%{name}/ovmf/Shell.efi
+%{_datadir}/%{name}/ovmf/EnrollDefaultKeys.efi
+
+%else
+%dir %{_datadir}/AAVMF/
+%dir %{_datadir}/%{name}/aarch64/
+%{_datadir}/%{name}/aarch64/QEMU_EFI-pflash.raw
+%{_datadir}/%{name}/aarch64/QEMU_EFI-silent-pflash.raw
+%{_datadir}/%{name}/aarch64/vars-template-pflash.raw
+%{_datadir}/AAVMF/AAVMF_CODE.verbose.fd
+%{_datadir}/AAVMF/AAVMF_CODE.fd
+%{_datadir}/AAVMF/AAVMF_VARS.fd
+%{_datadir}/%{name}/aarch64/QEMU_EFI.fd
+%{_datadir}/%{name}/aarch64/QEMU_EFI.silent.fd
+%{_datadir}/%{name}/aarch64/QEMU_VARS.fd
+%endif
+
+%files tools
+%license License.txt
+%{_bindir}/BootSectImage
+%{_bindir}/Brotli
+%{_bindir}/DevicePath
+%{_bindir}/EfiLdrImage
+%{_bindir}/EfiRom
+%{_bindir}/GenCrc32
+%{_bindir}/GenFfs
+%{_bindir}/GenFv
+%{_bindir}/GenFw
+%{_bindir}/GenPage
+%{_bindir}/GenSec
+%{_bindir}/GenVtf
+%{_bindir}/GnuGenBootSector
+%{_bindir}/LzmaCompress
+%{_bindir}/LzmaF86Compress
+%{_bindir}/Split
+%{_bindir}/TianoCompress
+%{_bindir}/VfrCompile
+%{_bindir}/VolInfo
+%dir %{_datadir}/%{name}
+%{_datadir}/%{name}/BuildEnv
+%{_datadir}/%{name}/Conf
+%{_datadir}/%{name}/Scripts
+
+%files tools-doc
+%doc BaseTools/UserManuals/*.rtf
+
+%check
+
+%ifarch x86_64
+# Of the installed host kernels, boot the one with the highest Version-Release
+# under OVMF, and check if it prints "Secure boot enabled".
+KERNEL_PKG=$(rpm -q kernel-core | rpmdev-sort | tail -n 1)
+KERNEL_IMG=$(rpm -q -l $KERNEL_PKG | egrep '^/lib/modules/[^/]+/vmlinuz$')
+
+%{__python3} ovmf-vars-generator --verbose --verbose \
+  --qemu-binary        /usr/libexec/qemu-kvm \
+  --ovmf-binary        Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_CODE.fd \
+  --ovmf-template-vars Build/Ovmf3264/DEBUG_%{TOOLCHAIN}/FV/OVMF_VARS.fd \
+  --uefi-shell-iso     UefiShell.iso \
+  --kernel-path        $KERNEL_IMG \
+  --skip-enrollment \
+  --no-download \
+  OVMF_VARS.secboot.fd
+
+%else
+true
+
+%endif
+
+%changelog
+* Mon Jan 21 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-9.el8
+- edk2-BaseTools-Fix-UEFI-and-Tiano-Decompression-logic-iss.patch [bz#1662184]
+- edk2-MdePkg-BaseUefiDecompressLib-Fix-UEFI-Decompression-.patch [bz#1662184]
+- edk2-IntelFrameworkModulePkg-Fix-UEFI-and-Tiano-Decompres.patch [bz#1662184]
+- edk2-git-Use-HTTPS-support.patch []
+- Resolves: bz#1662184
+  (backport fix for (theoretical?) regression introduced by earlier CVE fixes)
+
+* Wed Nov 21 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-8.el8
+- edk2-NetworkPkg-UefiPxeBcDxe-Add-EXCLUSIVE-attribute-when.patch [bz#1643377]
+- Resolves: bz#1643377
+  (Exception when grubx64.efi used for UEFI netboot)
+
+* Fri Nov 16 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-7.el8
+- Rebuilding edk2 outside the module branch
+- Resolves: bz#1637650
+  (Move ipxe and edk2 out of the virt module.)
+
+* Tue Nov 06 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-5.el8
+- edk2-MdeModulePkg-Variable-Fix-Timestamp-zeroing-issue-on.patch [bz#1641436]
+- edk2-MdePkg-Add-more-checker-in-UefiDecompressLib-to-acce.patch [bz#1641449 bz#1641453 bz#1641464 bz#1641469]
+- edk2-IntelFrameworkModulePkg-Add-more-checker-in-UefiTian.patch [bz#1641453 bz#1641464 bz#1641469]
+- edk2-BaseTools-Add-more-checker-in-Decompress-algorithm-t.patch [bz#1641445 bz#1641453 bz#1641464 bz#1641469]
+- Resolves: bz#1641436
+  (CVE-2018-3613 edk2: Logic error in MdeModulePkg in EDK II firmware allows for privilege escalation by authenticated users [rhel-8])
+- Resolves: bz#1641445
+  (CVE-2017-5731 edk2: Privilege escalation via processing of malformed files in TianoCompress.c [rhel-8])
+- Resolves: bz#1641449
+  (CVE-2017-5732 edk2: Privilege escalation via processing of malformed files in BaseUefiDecompressLib.c [rhel-8])
+- Resolves: bz#1641453
+  (CVE-2017-5733 edk2: Privilege escalation via heap-based buffer overflow in MakeTable() function [rhel-8])
+- Resolves: bz#1641464
+  (CVE-2017-5734 edk2: Privilege escalation via stack-based buffer overflow in MakeTable() function [rhel-8])
+- Resolves: bz#1641469
+  (CVE-2017-5735 edk2: Privilege escalation via heap-based buffer overflow in Decode() function [rhel-8])
+
+* Tue Sep 04 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-5.el8
+- edk2-BaseTools-footer.makefile-expand-BUILD_CFLAGS-last-f.patch [bz#1607906]
+- edk2-BaseTools-header.makefile-remove-c-from-BUILD_CFLAGS.patch [bz#1607906]
+- edk2-BaseTools-Source-C-split-O2-to-BUILD_OPTFLAGS.patch [bz#1607906]
+- edk2-BaseTools-Source-C-take-EXTRA_OPTFLAGS-from-the-call.patch [bz#1607906]
+- edk2-BaseTools-Source-C-take-EXTRA_LDFLAGS-from-the-calle.patch [bz#1607906]
+- edk2-BaseTools-VfrCompile-honor-EXTRA_LDFLAGS.patch [bz#1607906]
+- edk2-redhat-inject-the-RPM-compile-and-link-options-to-th.patch [bz#1607906]
+- Resolves: bz#1607906
+  (edk2-tools: Does not use RPM build flags)
+
+* Wed Aug 08 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-4.el8
+- edk2-redhat-provide-virtual-bundled-OpenSSL-in-edk2-ovmf-.patch [bz#1607801]
+- Resolves: bz#1607801
+  (add 'Provides: bundled(openssl) = 1.1.0h' to the spec file)
+
+* Tue Jul 24 2018 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-3.el8
+- edk2-redhat-Provide-and-Obsolete-OVMF-and-AAVMF.patch [bz#1596148]
+- edk2-ArmVirtPkg-unify-HttpLib-resolutions-in-ArmVirt.dsc..patch [bz#1536627]
+- edk2-ArmVirtPkg-ArmVirtQemu-enable-the-IPv6-stack.patch [bz#1536627]
+- edk2-advertise-OpenSSL-due-to-IPv6-enablement-too-RHEL-on.patch [bz#1536627]
+- edk2-redhat-add-D-NETWORK_IP6_ENABLE-to-the-build-flags.patch [bz#1536627]
+- edk2-redhat-update-license-fields-and-files-in-the-spec-f.patch [bz#1536627]
+- Resolves: bz#1536627
+  (IPv6 enablement in OVMF)
+- Resolves: bz#1596148
+  (restore Provides/Obsoletes macros for OVMF and AAVMF, from RHEL-8 Alpha)
+
+* Tue Jul 10 2018 Danilo C. L. de Paula <ddepaula@redhat.com> - 20180508gitee3198e672e2-2.el8
+- Rebase edk2 on top of 20180508gitee3198e672e2
+
+* Fri Jun 08 2018 Miroslav Rezanina <mrezanin@redhat.com> - 20180508-2.gitee3198e672e2
+- OvmfPkg/PlatformBootManagerLib: connect consoles unconditionally [bz#1577546]
+- build OVMF varstore template with SB enabled / certs enrolled [bz#1561128]
+- connect Virtio RNG devices again [bz#1579518]
+- Resolves: bz#1577546
+  (no input consoles connected under certain circumstances)
+- Resolves: bz#1561128
+  (OVMF Secure boot enablement (enrollment of default keys))
+- Resolves: bz#1579518
+  (EFI_RNG_PROTOCOL no longer produced for virtio-rng)
+* Wed Dec 06 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-4.git92d07e48907f.el7
+- ovmf-MdeModulePkg-Core-Dxe-log-informative-memprotect-msg.patch [bz#1520485]
+- ovmf-MdeModulePkg-BdsDxe-fall-back-to-a-Boot-Manager-Menu.patch [bz#1515418]
+- Resolves: bz#1515418
+  (RFE: Provide diagnostics for failed boot)
+- Resolves: bz#1520485
+  (AAVMF: two new messages with silent build)
+
+* Fri Dec 01 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-3.git92d07e48907f.el7
+- ovmf-UefiCpuPkg-CpuDxe-Fix-multiple-entries-of-RT_CODE-in.patch [bz#1518308]
+- ovmf-MdeModulePkg-DxeCore-Filter-out-all-paging-capabilit.patch [bz#1518308]
+- ovmf-MdeModulePkg-Core-Merge-memory-map-after-filtering-p.patch [bz#1518308]
+- Resolves: bz#1518308
+  (UEFI memory map regression (runtime code entry splitting) introduced by c1cab54ce57c)
+
+* Mon Nov 27 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-2.git92d07e48907f.el7
+- ovmf-MdeModulePkg-Bds-Remove-assertion-in-BmCharToUint.patch [bz#1513632]
+- ovmf-MdeModulePkg-Bds-Check-variable-name-even-if-OptionN.patch [bz#1513632]
+- ovmf-MdeModulePkg-PciBus-Fix-bug-that-PCI-BUS-claims-too-.patch [bz#1514105]
+- ovmf-OvmfPkg-make-it-a-proper-BASE-library.patch [bz#1488247]
+- ovmf-OvmfPkg-create-a-separate-PlatformDebugLibIoPort-ins.patch [bz#1488247]
+- ovmf-OvmfPkg-save-on-I-O-port-accesses-when-the-debug-por.patch [bz#1488247]
+- ovmf-OvmfPkg-enable-DEBUG_VERBOSE-RHEL-only.patch [bz#1488247]
+- ovmf-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-QemuVide.patch [bz#1488247]
+- ovmf-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch [bz#1488247]
+- ovmf-Revert-redhat-introduce-separate-silent-and-verbose-.patch [bz#1488247]
+- Resolves: bz#1488247
+  (make debug logging no-op unless a debug console is active)
+- Resolves: bz#1513632
+  ([RHEL-ALT 7.5] AAVMF fails to boot after setting BootNext)
+- Resolves: bz#1514105
+  (backport edk2 commit 6e3287442774 so that PciBusDxe not over-claim resources)
+
+* Wed Oct 18 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20171011-1.git92d07e48907f.el7
+- Rebase to 92d07e48907f [bz#1469787]
+- Resolves: bz#1469787
+  ((ovmf-rebase-rhel-7.5) Rebase OVMF for RHEL-7.5)
+- Resolves: bz#1434740
+  (OvmfPkg/PciHotPlugInitDxe: don't reserve IO space when IO support is disabled)
+- Resolves: bz#1434747
+  ([Q35] code12 error when hotplug x710 device in win2016)
+- Resolves: bz#1447027
+  (Guest cannot boot with 240 or above vcpus when using ovmf)
+- Resolves: bz#1458192
+  ([Q35] recognize "usb-storage" devices in XHCI ports)
+- Resolves: bz#1468526
+  (>1TB RAM support)
+- Resolves: bz#1488247
+  (provide "OVMF_CODE.secboot.verbose.fd" for log capturing; silence "OVMF_CODE.secboot.fd")
+- Resolves: bz#1496170
+  (Inconsistent MOR control variables exposed by OVMF, breaks Windows Device Guard)
+
+* Fri May 12 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-5.gitc325e41585e3.el7
+- ovmf-OvmfPkg-EnrollDefaultKeys-update-SignatureOwner-GUID.patch [bz#1443351]
+- ovmf-OvmfPkg-EnrollDefaultKeys-expose-CertType-parameter-.patch [bz#1443351]
+- ovmf-OvmfPkg-EnrollDefaultKeys-blacklist-empty-file-in-db.patch [bz#1443351]
+- ovmf-OvmfPkg-introduce-the-FD_SIZE_IN_KB-macro-build-flag.patch [bz#1443351]
+- ovmf-OvmfPkg-OvmfPkg.fdf.inc-extract-VARS_LIVE_SIZE-and-V.patch [bz#1443351]
+- ovmf-OvmfPkg-introduce-4MB-flash-image-mainly-for-Windows.patch [bz#1443351]
+- ovmf-OvmfPkg-raise-max-variable-size-auth-non-auth-to-33K.patch [bz#1443351]
+- ovmf-OvmfPkg-PlatformPei-handle-non-power-of-two-spare-si.patch [bz#1443351]
+- ovmf-redhat-update-local-build-instructions-with-D-FD_SIZ.patch [bz#1443351]
+- ovmf-redhat-update-OVMF-build-commands-with-D-FD_SIZE_4MB.patch [bz#1443351]
+- Resolves: bz#1443351
+  ([svvp][ovmf] job "Secure Boot Logo Test" failed  with q35&ovmf)
+
+* Fri Apr 28 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-4.gitc325e41585e3.el7
+- ovmf-ShellPkg-Shell-clean-up-bogus-member-types-in-SPLIT_.patch [bz#1442908]
+- ovmf-ShellPkg-Shell-eliminate-double-free-in-RunSplitComm.patch [bz#1442908]
+- Resolves: bz#1442908
+  (Guest hang when running a wrong command in Uefishell)
+
+* Tue Apr 04 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-3.gitc325e41585e3.el7
+- ovmf-ArmVirtPkg-FdtClientDxe-supplement-missing-EFIAPI-ca.patch [bz#1430262]
+- ovmf-ArmVirtPkg-ArmVirtPL031FdtClientLib-unconditionally-.patch [bz#1430262]
+- ovmf-MdeModulePkg-RamDiskDxe-fix-C-string-literal-catenat.patch [bz#1430262]
+- ovmf-EmbeddedPkg-introduce-EDKII-Platform-Has-ACPI-GUID.patch [bz#1430262]
+- ovmf-EmbeddedPkg-introduce-PlatformHasAcpiLib.patch [bz#1430262]
+- ovmf-EmbeddedPkg-introduce-EDKII-Platform-Has-Device-Tree.patch [bz#1430262]
+- ovmf-ArmVirtPkg-add-PlatformHasAcpiDtDxe.patch [bz#1430262]
+- ovmf-ArmVirtPkg-enable-AcpiTableDxe-and-EFI_ACPI_TABLE_PR.patch [bz#1430262]
+- ovmf-ArmVirtPkg-FdtClientDxe-install-DT-as-sysconfig-tabl.patch [bz#1430262]
+- ovmf-ArmVirtPkg-PlatformHasAcpiDtDxe-don-t-expose-DT-if-Q.patch [bz#1430262]
+- ovmf-ArmVirtPkg-remove-PURE_ACPI_BOOT_ENABLE-and-PcdPureA.patch [bz#1430262]
+- Resolves: bz#1430262
+  (AAVMF: forward QEMU's DT to the guest OS only if ACPI payload is unavailable)
+
+* Mon Mar 27 2017 Miroslav Rezanina <mrezanin@redhat.com> - 20170228-2.gitc325e41585e3.el7
+- ovmf-MdeModulePkg-Core-Dxe-downgrade-CodeSegmentCount-is-.patch [bz#1433428]
+- Resolves: bz#1433428
+  (AAVMF: Fix error message during ARM guest VM installation)
+
+* Wed Mar 08 2017 Laszlo Ersek <lersek@redhat.com> - ovmf-20170228-1.gitc325e41585e3.el7
+- Rebase to upstream c325e41585e3 [bz#1416919]
+- Resolves: bz#1373812
+  (guest boot from network even set 'boot order=1' for virtio disk with OVMF)
+- Resolves: bz#1380282
+  (Update OVMF to openssl-1.0.2k-hobbled)
+- Resolves: bz#1412313
+  (select broadcast SMI if available)
+- Resolves: bz#1416919
+  (Rebase OVMF for RHEL-7.4)
+- Resolves: bz#1426330
+  (disable libssl in CryptoPkg)
+
+* Mon Sep 12 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160608b-1.git988715a.el7
+- rework downstream-only commit dde83a75b566 "setup the tree for the secure
+  boot feature (RHEL only)", excluding patent-encumbered files from the
+  upstream OpenSSL 1.0.2g tarball [bz#1374710]
+- rework downstream-only commit dfc3ca1ee509 "CryptoPkg/OpensslLib: Upgrade
+  OpenSSL version to 1.0.2h", excluding patent-encumbered files from the
+  upstream OpenSSL 1.0.2h tarball [bz#1374710]
+
+* Thu Aug 04 2016 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20160608-3.git988715a.el7
+- ovmf-MdePkg-PCI-Add-missing-PCI-PCIE-definitions.patch [bz#1332408]
+- ovmf-ArmPlatformPkg-NorFlashDxe-accept-both-non-secure-an.patch [bz#1353494]
+- ovmf-ArmVirtPkg-ArmVirtQemu-switch-secure-boot-build-to-N.patch [bz#1353494]
+- ovmf-ArmPlatformPkg-NorFlashAuthenticatedDxe-remove-this-.patch [bz#1353494]
+- ovmf-ArmVirtPkg-add-FDF-definition-for-empty-varstore.patch [bz#1353494]
+- ovmf-redhat-package-the-varstore-template-produced-by-the.patch [bz#1353494]
+- ovmf-ArmVirtPkg-Re-add-the-Driver-Health-Manager.patch [bz#1353494]
+- ovmf-ArmVirtPkg-HighMemDxe-allow-patchable-PCD-for-PcdSys.patch [bz#1353494]
+- ovmf-ArmVirtPkg-ArmVirtQemuKernel-make-ACPI-support-AARCH.patch [bz#1353494]
+- ovmf-ArmVirtPkg-align-ArmVirtQemuKernel-with-ArmVirtQemu.patch [bz#1353494]
+- ovmf-ArmVirtPkg-ArmVirtQemu-factor-out-shared-FV.FvMain-d.patch [bz#1353494]
+- ovmf-ArmVirtPkg-factor-out-Rules-FDF-section.patch [bz#1353494]
+- ovmf-ArmVirtPkg-add-name-GUIDs-to-FvMain-instances.patch [bz#1353494]
+- ovmf-OvmfPkg-add-a-Name-GUID-to-each-Firmware-Volume.patch [bz#1353494]
+- ovmf-OvmfPkg-PlatformBootManagerLib-remove-stale-FvFile-b.patch [bz#1353494]
+- ovmf-MdePkg-IndustryStandard-introduce-EFI_PCI_CAPABILITY.patch [bz#1332408]
+- ovmf-MdeModulePkg-PciBusDxe-look-for-the-right-capability.patch [bz#1332408]
+- ovmf-MdeModulePkg-PciBusDxe-recognize-hotplug-capable-PCI.patch [bz#1332408]
+- ovmf-OvmfPkg-add-PciHotPlugInitDxe.patch [bz#1332408]
+- ovmf-ArmPkg-ArmGicLib-manage-GICv3-SPI-state-at-the-distr.patch [bz#1356655]
+- ovmf-ArmVirtPkg-PlatformBootManagerLib-remove-stale-FvFil.patch [bz#1353494]
+- ovmf-OvmfPkg-EnrollDefaultKeys-assign-Status-before-readi.patch [bz#1356913]
+- ovmf-OvmfPkg-EnrollDefaultKeys-silence-VS2015x86-warning-.patch [bz#1356913]
+- ovmf-CryptoPkg-update-openssl-to-ignore-RVCT-3079.patch [bz#1356184]
+- ovmf-CryptoPkg-Fix-typos-in-comments.patch [bz#1356184]
+- ovmf-CryptoPkg-BaseCryptLib-Avoid-passing-NULL-ptr-to-fun.patch [bz#1356184]
+- ovmf-CryptoPkg-BaseCryptLib-Init-the-content-of-struct-Ce.patch [bz#1356184]
+- ovmf-CryptoPkg-OpensslLib-Upgrade-OpenSSL-version-to-1.0..patch [bz#1356184]
+- Resolves: bz#1332408
+  (Q35 machine can not hot-plug scsi controller under switch)
+- Resolves: bz#1353494
+  ([OVMF] "EFI Internal Shell" should be removed from "Boot Manager")
+- Resolves: bz#1356184
+  (refresh embedded OpenSSL to 1.0.2h)
+- Resolves: bz#1356655
+  (AAVMF: stop accessing unmapped gicv3 registers)
+- Resolves: bz#1356913
+  (fix use-without-initialization in EnrollDefaultKeys.efi)
+
+* Tue Jul 12 2016 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20160608-2.git988715a.el7
+- ovmf-ArmPkg-ArmGicV3Dxe-configure-all-interrupts-as-non-s.patch [bz#1349407]
+- ovmf-ArmVirtPkg-PlatformBootManagerLib-Postpone-the-shell.patch [bz#1353689]
+- Resolves: bz#1349407
+  (AArch64: backport fix to run over gicv3 emulation)
+- Resolves: bz#1353689
+  (AAVMF: Drops to shell with uninitialized NVRAM file)
+
+* Thu Jun 9 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160608-1.git988715a.el7
+- Resolves: bz#1341733
+  (prevent SMM stack overflow in OVMF while enrolling certificates in "db")
+- Resolves: bz#1257882
+  (FEAT: support to boot from virtio 1.0 modern devices)
+- Resolves: bz#1333238
+  (Q35 machine can not boot up successfully with more than 3 virtio-scsi
+  storage controller under switch)
+- Resolves: bz#1330955
+  (VM can not be booted up from hard disk successfully when with a passthrough
+  USB stick)
+
+* Thu May 19 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160419-2.git90bb4c5.el7
+- Submit scratch builds from the exploded tree again to
+  supp-rhel-7.3-candidate, despite FatPkg being OSS at this point; see
+  bz#1329559.
+
+* Wed Apr 20 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160419-1.git90bb4c5.el7
+- FatPkg is under the 2-clause BSDL now; "ovmf" has become OSS
+- upgrade to openssl-1.0.2g
+- Resolves: bz#1323363
+  (remove "-D SECURE_BOOT_ENABLE" from AAVMF)
+- Resolves: bz#1257882
+  (FEAT: support to boot from virtio 1.0 modern devices)
+- Resolves: bz#1308678
+  (clearly separate SB-less, SMM-less OVMF binary from SB+SMM OVMF binary)
+
+* Fri Feb 19 2016 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20160202-2.gitd7c0dfa.el7
+- ovmf-restore-TianoCore-splash-logo-without-OpenSSL-advert.patch [bz#1308678]
+- ovmf-OvmfPkg-ArmVirtPkg-show-OpenSSL-less-logo-without-Se.patch [bz#1308678]
+- ovmf-OvmfPkg-simplify-VARIABLE_STORE_HEADER-generation.patch [bz#1308678]
+- ovmf-redhat-bring-back-OVMF_CODE.fd-but-without-SB-and-wi.patch [bz#1308678]
+- ovmf-redhat-rename-OVMF_CODE.smm.fd-to-OVMF_CODE.secboot..patch [bz#1308678]
+
+* Tue Feb 2 2016 Laszlo Ersek <lersek@redhat.com> - ovmf-20160202-1.gitd7c0dfa.el7
+- rebase to upstream d7c0dfa
+- update OpenSSL to 1.0.2e (upstream)
+- update FatPkg to SVN r97 (upstream)
+- drive NVMe devices (upstream)
+- resize xterm on serial console mode change, when requested with
+  -fw_cfg name=opt/(ovmf|aavmf)/PcdResizeXterm,string=y
+  (downstream)
+- Resolves: bz#1259395
+  (revert / roll back AAVMF fix for BZ 1188054)
+- Resolves: bz#1202819
+  (OVMF: secure boot limitations)
+- Resolves: bz#1182495
+  (OVMF rejects iPXE oprom when Secure Boot is enabled)
+
+* Thu Nov 5 2015 Laszlo Ersek <lersek@redhat.com> - ovmf-20151104-1.gitb9ffeab.el7
+- rebase to upstream b9ffeab
+- Resolves: bz#1207554
+  ([AAVMF] AArch64: populate SMBIOS)
+- Resolves: bz#1270279
+  (AAVMF: output improvements)
+
+* Thu Jun 25 2015 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20150414-2.gitc9e5618.el7
+- ovmf-OvmfPkg-PlatformPei-set-SMBIOS-entry-point-version-d.patch [bz#1232876]
+- Resolves: bz#1232876
+  (OVMF should install a version 2.8 SMBIOS entry point)
+
+* Sat Apr 18 2015 Laszlo Ersek <lersek@redhat.com> - 20150414-1.gitc9e5618.el7
+- rebase from upstream 9ece15a to c9e5618
+- adapt .gitignore files
+- update to openssl-0.9.8zf
+- create Logo-OpenSSL.bmp rather than modifying Logo.bmp in-place
+- update to FatPkg SVN r93 (git 8ff136aa)
+- drop the following downstream-only patches (obviated by upstream
+  counterparts):
+  "tools_def.template: use forward slash with --add-gnu-debuglink (RHEL only)"
+  "tools_def.template: take GCC48 prefixes from environment (RHEL only)"
+  "OvmfPkg: set video resolution of text setup to 640x480 (RHEL only)"
+  "OvmfPkg: resolve OrderedCollectionLib with base red-black tree instance"
+  "OvmfPkg: AcpiPlatformDxe: actualize QemuLoader.h comments"
+  "OvmfPkg: AcpiPlatformDxe: remove current ACPI table loader"
+  "OvmfPkg: AcpiPlatformDxe: implement QEMU's full ACPI table loader interface"
+  "OvmfPkg: QemuVideoDxe: fix querying of QXL's drawable buffer size"
+  "OvmfPkg: disable stale fork of SecureBootConfigDxe"
+  "OvmfPkg: SecureBootConfigDxe: remove stale fork"
+  "Try to read key strike even when ..."
+  "OvmfPkg: BDS: remove dead call to PlatformBdsEnterFrontPage()"
+  "OvmfPkg: BDS: drop useless return statement"
+  "OvmfPkg: BDS: don't overwrite the BDS Front Page timeout"
+  "OvmfPkg: BDS: optimize second argument in PlatformBdsEnterFrontPage() call"
+  'OvmfPkg: BDS: drop superfluous "connect first boot option" logic'
+  "OvmfPkg: BDS: drop custom boot timeout, revert to IntelFrameworkModulePkg's"
+  "Add comments to clarify mPubKeyStore buffer MemCopy. ..."
+  "MdeModulePkg/SecurityPkg Variable: Add boundary check..."
+  "OvmfPkg: AcpiPlatformDxe: make dependency on PCI enumeration explicit"
+  "MdePkg: UefiScsiLib: do not encode LUN in CDB for READ and WRITE"
+  "MdePkg: UefiScsiLib: do not encode LUN in CDB for other SCSI commands"
+- merge downstream AAVMF patch "adapt packaging to Arm64", which forces us to
+  rename the main package from "OVMF" to "ovmf"
+- drop the following ARM BDS specific tweaks (we'll only build the Intel BDS):
+  "ArmPlatformPkg/Bds: generate ESP Image boot option if user pref is unset
+   (Acadia)"
+  "ArmPlatformPkg/Bds: check for other defaults too if user pref is unset
+   (Acadia)"
+  "ArmPlatformPkg/ArmVirtualizationPkg: auto-detect boot path (Acadia)"
+  "ArmPlatformPkg/Bds: initialize ConIn/ConOut/ErrOut before connecting
+   terminals"
+  "ArmPlatformPkg/Bds: let FindCandidate() search all filesystems"
+  "ArmPlatformPkg/Bds: FindCandidateOnHandle(): log full device path"
+  "ArmPlatformPkg/Bds: fall back to Boot Menu when no default option was found"
+  "ArmPlatformPkg/Bds: always connect drivers before looking at boot options"
+- drop patch "ArmPlatformPkg/ArmVirtualizationPkg: enable DEBUG_VERBOSE (Acadia
+  only)", obsoleted by fixed bug 1197141
+- tweak patch "write up build instructions (for interactive, local development)
+  (RHELSA)". The defaults in "BaseTools/Conf/target.template", ie.
+  ACTIVE_PLATFORM and TARGET_ARCH, are set for OVMF / X64. The AAVMF build
+  instructions now spell out the necessary override options (-p and -a,
+  respectively).
+- extend patch "build FAT driver from source (RHELSA)" to the Xen build as well
+  (only for consistency; we don't build for Xen).
+- drop the following downstream-only AAVMF patches, due to the 77d5dac ->
+  c9e5618 AAVMF rebase & join:
+  "redhat/process-rh-specific.sh: fix check for hunk-less filtered patches"
+  "redhat/process-rh-specific.sh: suppress missing files in final 'rm'"
+  "ArmVirtualizationQemu: build UEFI shell from source (Acadia only)"
+  "MdePkg: UefiScsiLib: do not encode LUN in CDB for READ and WRITE"
+  "MdePkg: UefiScsiLib: do not encode LUN in CDB for other SCSI commands"
+  "ArmVirtualizationPkg: work around cache incoherence on KVM affecting DTB"
+  "Changed build target to supp-rhel-7.1-candidate"
+  "ArmVirtualizationPkg: VirtFdtDxe: forward FwCfg addresses from DTB to PCDs"
+  "ArmVirtualizationPkg: introduce QemuFwCfgLib instance for DXE drivers"
+  "ArmVirtualizationPkg: clone PlatformIntelBdsLib from ArmPlatformPkg"
+  "ArmVirtualizationPkg: PlatformIntelBdsLib: add basic policy"
+  "OvmfPkg: extract QemuBootOrderLib"
+  "OvmfPkg: QemuBootOrderLib: featurize PCI-like device path translation"
+  "OvmfPkg: introduce VIRTIO_MMIO_TRANSPORT_GUID"
+  "ArmVirtualizationPkg: VirtFdtDxe: use dedicated VIRTIO_MMIO_TRANSPORT_GUID"
+  "OvmfPkg: QemuBootOrderLib: widen ParseUnitAddressHexList() to UINT64"
+  "OvmfPkg: QemuBootOrderLib: OFW-to-UEFI translation for virtio-mmio"
+  "ArmVirtualizationPkg: PlatformIntelBdsLib: adhere to QEMU's boot order"
+  "ArmVirtualizationPkg: identify "new shell" as builtin shell for Intel BDS"
+  "ArmVirtualizationPkg: Intel BDS: load EFI-stubbed Linux kernel from fw_cfg"
+  'Revert "ArmVirtualizationPkg: work around cache incoherence on KVM affecting
+   DTB"'
+  "OvmfPkg: QemuBootOrderLib: expose QEMU's "-boot menu=on[, splash-time=N]""
+  "OvmfPkg: PlatformBdsLib: get front page timeout from QEMU"
+  "ArmVirtualizationPkg: PlatformIntelBdsLib: get front page timeout from QEMU"
+  "ArmPkg: ArmArchTimerLib: clean up comments"
+  "ArmPkg: ArmArchTimerLib: use edk2-conformant (UINT64 * UINT32) / UINT32"
+  "ArmPkg: ArmArchTimerLib: conditionally rebase to actual timer frequency"
+  "ArmVirtualizationQemu: ask the hardware for the timer frequency"
+  "ArmPkg: DebugPeCoffExtraActionLib: debugger commands are not errors"
+  "ArmPlatformPkg: PEIM startup is not an error"
+  "ArmVirtualizationPkg: PlatformIntelBdsLib: lack of QEMU kernel is no error"
+  "ArmVirtualizationPkg: expose debug message bitmask on build command line"
+- tweak patch "rebase to upstream 77d5dac (Acadia only)": update spec changelog
+  only
+- tweak patch "spec: build AAVMF with the Intel BDS driver (RHELSA only)":
+  apply "-D INTEL_BDS" to manual build instructions in redhat/README too
+- tweak patch "spec: build and install verbose and silent (default) AAVMF
+  binaries": apply DEBUG_PRINT_ERROR_LEVEL setting to interactive build
+  instructions in redhat/README too
+- install OVMF whitepaper as part of the OVMF build's documentation
+- Resolves: bz#1211337
+  (merge AAVMF into OVMF)
+- Resolves: bz#1206523
+  ([AAVMF] fix missing cache maintenance)
+
+* Fri Mar 06 2015 Miroslav Rezanina <mrezanin@redhat.com> - AAVMF-20141113-5.git77d5dac.el7_1
+- aavmf-ArmPkg-DebugPeCoffExtraActionLib-debugger-commands-a.patch [bz#1197141]
+- aavmf-ArmPlatformPkg-PEIM-startup-is-not-an-error.patch [bz#1197141]
+- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-lack-of-QEM.patch [bz#1197141]
+- aavmf-ArmVirtualizationPkg-expose-debug-message-bitmask-on.patch [bz#1197141]
+- aavmf-spec-build-and-install-verbose-and-silent-default-AA.patch [bz#1197141]
+- Resolves: bz#1197141
+  (create silent & verbose builds)
+
+* Tue Feb 10 2015 Miroslav Rezanina <mrezanin@redhat.com> - AAVMF-20141113-4.git77d5dac.el7
+- aavmf-ArmPkg-ArmArchTimerLib-clean-up-comments.patch [bz#1188247]
+- aavmf-ArmPkg-ArmArchTimerLib-use-edk2-conformant-UINT64-UI.patch [bz#1188247]
+- aavmf-ArmPkg-ArmArchTimerLib-conditionally-rebase-to-actua.patch [bz#1188247]
+- aavmf-ArmVirtualizationQemu-ask-the-hardware-for-the-timer.patch [bz#1188247]
+- aavmf-ArmPkg-TimerDxe-smack-down-spurious-timer-interrupt-.patch [bz#1188054]
+- Resolves: bz#1188054
+  (guest reboot (asked from within AAVMF) regressed in 3.19.0-0.rc5.58.aa7a host kernel)
+- Resolves: bz#1188247
+  (backport "fix gBS->Stall()" series)
+
+* Mon Jan 19 2015 Miroslav Rezanina <mrezanin@redhat.com> - AAVMF-20141113-3.git77d5dac.el7
+- aavmf-OvmfPkg-QemuBootOrderLib-expose-QEMU-s-boot-menu-on-.patch [bz#1172756]
+- aavmf-OvmfPkg-PlatformBdsLib-get-front-page-timeout-from-Q.patch [bz#1172756]
+- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-get-front-p.patch [bz#1172756]
+- Resolves: bz#1172756
+  ([RFE]Expose boot-menu shortcut to domain via AAVMF)
+
+* Wed Jan 14 2015 Miroslav Rezanina <mrezanin@redhat.com> - AAVMF-20141113-2.git77d5dac.el7
+- aavmf-ArmVirtualizationPkg-VirtFdtDxe-forward-FwCfg-addres.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-introduce-QemuFwCfgLib-instance.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-clone-PlatformIntelBdsLib-from-.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-add-basic-p.patch [bz#1172749]
+- aavmf-OvmfPkg-extract-QemuBootOrderLib.patch [bz#1172749]
+- aavmf-OvmfPkg-QemuBootOrderLib-featurize-PCI-like-device-p.patch [bz#1172749]
+- aavmf-OvmfPkg-introduce-VIRTIO_MMIO_TRANSPORT_GUID.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-VirtFdtDxe-use-dedicated-VIRTIO.patch [bz#1172749]
+- aavmf-OvmfPkg-QemuBootOrderLib-widen-ParseUnitAddressHexLi.patch [bz#1172749]
+- aavmf-OvmfPkg-QemuBootOrderLib-OFW-to-UEFI-translation-for.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-PlatformIntelBdsLib-adhere-to-Q.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-identify-new-shell-as-builtin-s.patch [bz#1172749]
+- aavmf-ArmVirtualizationPkg-Intel-BDS-load-EFI-stubbed-Linu.patch [bz#1172749]
+- aavmf-spec-build-AAVMF-with-the-Intel-BDS-driver-RHELSA-on.patch [bz#1172749]
+- aavmf-Revert-ArmVirtualizationPkg-work-around-cache-incohe.patch [bz#1172910]
+- Resolves: bz#1172749
+  (implement fw_cfg, boot order handling, and -kernel booting in ArmVirtualizationQemu)
+- Resolves: bz#1172910
+  (revert Acadia-only workaround (commit df7bca4e) once Acadia host kernel (KVM) is fixed)
+
+* Fri Dec 05 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-7.git9ece15a.el7
+- ovmf-MdePkg-UefiScsiLib-do-not-encode-LUN-in-CDB-for-READ.patch [bz#1166971]
+- ovmf-MdePkg-UefiScsiLib-do-not-encode-LUN-in-CDB-for-othe.patch [bz#1166971]
+- Resolves: bz#1166971
+  (virtio-scsi disks and cd-roms with nonzero LUN are rejected with errors)
+
+* Tue Nov 25 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-6.git9ece15a.el7
+- ovmf-OvmfPkg-AcpiPlatformDxe-make-dependency-on-PCI-enume.patch [bz#1166027]
+- Resolves: bz#1166027
+  (backport "OvmfPkg: AcpiPlatformDxe: make dependency on PCI enumeration explicit")
+
+* Tue Nov 18 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-4.git9ece15a.el7
+- ovmf-Add-comments-to-clarify-mPubKeyStore-buffer-MemCopy.patch [bz#1162314]
+- ovmf-MdeModulePkg-SecurityPkg-Variable-Add-boundary-check.patch [bz#1162314]
+- Resolves: bz#1162314
+ (EMBARGOED OVMF: uefi: INTEL-TA-201410-001 && INTEL-TA-201410-002 [rhel-7.1])
+
+* Thu Nov 13 2014 Laszlo Ersek <lersek@redhat.com> - AAVMF-20141113-1.git77d5dac
+- rebased to upstream 77d5dac
+  <https://bugzilla.redhat.com/show_bug.cgi?id=1162314#c1>
+- patch "ArmVirtualizationPkg: FdtPL011SerialPortLib: support UEFI_APPLICATION"
+  is now upstream (SVN r16219, git edb5073)
+
+* Thu Nov 13 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-3.git9ece15a.el7
+- ovmf-Revert-OvmfPkg-set-video-resolution-of-text-setup-to.patch [bz#1153927]
+- ovmf-Try-to-read-key-strike-even-when-the-TimeOuts-value-.patch [bz#1153927]
+- ovmf-OvmfPkg-BDS-remove-dead-call-to-PlatformBdsEnterFron.patch [bz#1153927]
+- ovmf-OvmfPkg-BDS-drop-useless-return-statement.patch [bz#1153927]
+- ovmf-OvmfPkg-BDS-don-t-overwrite-the-BDS-Front-Page-timeo.patch [bz#1153927]
+- ovmf-OvmfPkg-BDS-optimize-second-argument-in-PlatformBdsE.patch [bz#1153927]
+- ovmf-OvmfPkg-BDS-drop-superfluous-connect-first-boot-opti.patch [bz#1153927]
+- ovmf-OvmfPkg-BDS-drop-custom-boot-timeout-revert-to-Intel.patch [bz#1153927]
+- ovmf-OvmfPkg-set-video-resolution-of-text-setup-to-640x48.patch [bz#1153927]
+- Resolves: bz#1153927
+  (set NEXTBOOT to uefi setting failed from Windows Recovery console)
+
+* Tue Nov 11 2014 Miroslav Rezanina <mrezanin@redhat.com> - OVMF-20140822-2.git9ece15a
+- ovmf-redhat-process-rh-specific.sh-suppress-missing-files.patch [bz#1145784]
+- ovmf-Revert-RH-only-OvmfPkg-QemuVideoDxe-fix-querying-of-.patch [bz#1145784]
+- ovmf-Revert-RH-only-OvmfPkg-AcpiPlatformDxe-implement-QEM.patch [bz#1145784]
+- ovmf-Revert-RH-only-OvmfPkg-AcpiPlatformDxe-remove-curren.patch [bz#1145784]
+- ovmf-Revert-RH-only-OvmfPkg-AcpiPlatformDxe-actualize-Qem.patch [bz#1145784]
+- ovmf-Revert-RH-only-OvmfPkg-resolve-OrderedCollectionLib-.patch [bz#1145784]
+- ovmf-OvmfPkg-QemuVideoDxe-work-around-misreported-QXL-fra.patch [bz#1145784]
+- ovmf-OvmfPkg-resolve-OrderedCollectionLib-with-base-red-b.patch [bz#1145784]
+- ovmf-OvmfPkg-AcpiPlatformDxe-actualize-QemuLoader.h-comme.patch [bz#1145784]
+- ovmf-OvmfPkg-AcpiPlatformDxe-remove-current-ACPI-table-lo.patch [bz#1145784]
+- ovmf-OvmfPkg-AcpiPlatformDxe-implement-QEMU-s-full-ACPI-t.patch [bz#1145784]
+- ovmf-spec-build-small-bootable-ISO-with-standalone-UEFI-s.patch [bz#1147592]
+- ovmf-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch [bz#1147592]
+- ovmf-spec-exclude-the-UEFI-shell-from-the-SecureBoot-enab.patch [bz#1147592]
+- ovmf-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch [bz#1148296]
+- ovmf-spec-package-EnrollDefaultKeys.efi-on-UefiShell.iso-.patch [bz#1148296]
+- ovmf-OvmfPkg-disable-stale-fork-of-SecureBootConfigDxe.patch [bz#1148294]
+- ovmf-OvmfPkg-SecureBootConfigDxe-remove-stale-fork.patch [bz#1148294]
+- Resolves: bz#1145784
+  (OVMF sync with QXL and ACPI patches up to edk2 7a9612ce)
+- Resolves: bz#1147592
+  (the binary RPM should include a small ISO file with a directly bootable UEFI shell binary)
+- Resolves: bz#1148294
+  (drop OvmfPkg's stale fork of SecureBootConfigDxe)
+- Resolves: bz#1148296
+  (provide a non-interactive way to auto-enroll important SecureBoot certificates)
+
+* Wed Oct 15 2014 Laszlo Ersek <lersek@redhat.com> - AAVMF-20141015-1.gitc373687
+- ported packaging to aarch64 / AAVMF
+
+* Fri Aug 22 2014 Laszlo Ersek <lersek@redhat.com> - 20140822-1.git9ece15a.el7
+- rebase from upstream 3facc08 to 9ece15a
+- update to openssl-0.9.8zb
+- update to FatPkg SVN r86 (git 2355ea2c)
+- the following patches of Paolo Bonzini have been merged in upstream; drop the
+  downstream-only copies:
+  7bc1421 edksetup.sh: Look for BuildEnv under EDK_TOOLS_PATH
+  d549344 edksetup.sh: Ensure that WORKSPACE points to the top of an edk2
+          checkout
+  1c023eb BuildEnv: remove useless check before setting $WORKSPACE
+- include the following patches that have been pending review on the upstream
+  list for a long time:
+  [PATCH 0/4] OvmfPkg: complete client for QEMU's ACPI loader interface
+  http://thread.gmane.org/gmane.comp.bios.tianocore.devel/8369
+  [PATCH] OvmfPkg: QemuVideoDxe: fix querying of QXL's drawable buffer size
+  http://thread.gmane.org/gmane.comp.bios.tianocore.devel/8515
+- nasm is a build-time dependency now because upstream BuildTools has started
+  to call it directly
+
+* Wed Jul 23 2014 Laszlo Ersek <lersek@redhat.com> - 20140723-1.git3facc08.el7
+- rebase from upstream a618eaa to 3facc08
+- update to openssl-0.9.8za
+- drop downstream-only split varstore patch, rely on upstream's
+
+* Tue Jun 24 2014 Miroslav Rezanina <mrezanin@redhat.com> - 20140619-1.gita618eaa.el7
+- Initial version
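Review bot: the Nov 18 2014 changelog entry for bz#1162314 identifies its security fix only by the bug number and the INTEL-TA-201410-001 / INTEL-TA-201410-002 advisory names, and it still carries the "EMBARGOED" prefix from the bug title. If CVE identifiers were assigned to these issues, list them in that entry, because the RPM changelog is what an auditor typically searches to confirm that a boundary-check fix was backported. Also decide whether the embargo marker should remain in a published spec. The continuation line of that entry is indented one space, where every other "Resolves:" continuation in this changelog uses two. Lesser point: the entry headers are inconsistent in the version field (prefixes "OVMF-", "ovmf-", "AAVMF-" or none, and no ".el7" on the Oct 15 2014, Nov 11 2014 and AAVMF Nov 13 2014 entries). If these are kept as historical record, a one-line comment above %changelog saying so would stop later cleanups from rewriting them.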