Rebase onto edk2-stable202402

.conform.yaml

@@ -0,0 +1,16 @@
+---
+policies:
+  - type: commit
+    spec:
+      header:
+        length: 80
+        imperative: false
+        invalidLastCharacters: .
+      body:
+        required: false
+      dco: true
+      gpg:
+        required: true
+      spellcheck:
+        locale: US
+      maximumOfOneCommit: false

.github/scripts/build-ipxe.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+export CROSS_COMPILE="x86_64-elf-"
+make -C src bin-x86_64-efi-sb/ipxe.efi EMBED=$PWD/dasharo.ipxe BUILD_ID_CMD="echo 0x1234567890" \
+  EXTRA_CFLAGS="-Wno-address-of-packed-member  -m64  -fuse-ld=bfd \
+  -Wl,--build-id=none -fno-delete-null-pointer-checks -Wlogical-op -march=nocona \
+  -malign-data=abi -mcmodel=large -mno-red-zone -fno-pic"
+

.github/scripts/build-qemu.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+make -C BaseTools
+source ./edksetup.sh
+
+export EDK2_PLATFORMS_PATH="$WORKSPACE/edk2-platforms"
+export PACKAGES_PATH="$WORKSPACE:\
+$WORKSPACE/ipxe/src/bin-x86_64-efi-sb:\
+$EDK2_PLATFORMS_PATH/Platform/Intel:\
+$EDK2_PLATFORMS_PATH/Silicon/Intel:\
+$EDK2_PLATFORMS_PATH/Features/Intel:\
+$EDK2_PLATFORMS_PATH/Features/Intel/Debugging:\
+$EDK2_PLATFORMS_PATH/Features/Intel/Network:\
+$EDK2_PLATFORMS_PATH/Features/Intel/OutOfBandManagement:\
+$EDK2_PLATFORMS_PATH/Features/Intel/PowerManagement:\
+$EDK2_PLATFORMS_PATH/Features/Intel/SystemInformation:\
+$EDK2_PLATFORMS_PATH/Features/Intel/UserInterface"
+
+build -a IA32 -a X64 -t GCC5 -b RELEASE -p OvmfPkg/OvmfPkgX64.dsc
+build -a IA32 -a X64 -t GCC5 -b DEBUG -p OvmfPkg/OvmfPkgX64.dsc

.github/scripts/run-qemu.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+cp ./Build/OvmfX64/RELEASE_GCC5/FV/OVMF_VARS.fd /tmp/OVMF_VARS.fd 
+
+q35_params="-machine q35,smm=on \
+    -global driver=cfi.pflash01,property=secure,value=on \
+    -drive if=pflash,format=raw,unit=0,file=Build/OvmfX64/RELEASE_GCC5/FV/OVMF_CODE.fd,readonly=on \
+    -drive if=pflash,format=raw,unit=1,file=/tmp/OVMF_VARS.fd \
+    -debugcon file:debug.log -global isa-debugcon.iobase=0x402 \
+    -global ICH9-LPC.disable_s3=1 \
+    -qmp unix:/tmp/qmp-socket,server,nowait \
+    -net none \
+    -serial telnet:localhost:1234,server,nowait"
+
+if [ "$1" == "nographic" ]; then
+    qemu-system-x86_64 $q35_params -nographic
+else
+    qemu-system-x86_64 $q35_params
+fi

.github/workflows/build.yml

@@ -0,0 +1,95 @@
+name: Check EDK2 QEMU Build
+
+on:
+  push:
+    branches:
+      - dasharo
+    tags:
+      - 'qemu_q35_v*'
+  pull_request:
+    branches:
+      - dasharo
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v2
+      with:
+        submodules: 'recursive'  # Checkout submodules recursively.
+
+    - name: Clone edk2-platforms Repository
+      run: |
+        git clone https://github.com/Dasharo/edk2-platforms.git && \
+        cd edk2-platforms && \
+        git checkout 3323ed481d35096fb6a7eae7b49f35eff00f86cf && \
+        cd -
+
+    - name: Clone iPXE Repository
+      run: |
+        git clone https://git.ipxe.org/ipxe.git && \
+        cd ipxe && \
+        git checkout 77b07ea4fdc259d7253c6f9df2beda6e6c7a9d85 && \
+        sed -i 's|//#define\s*IMAGE_SCRIPT.*|#define IMAGE_SCRIPT|' "src/config/general.h" && \
+        sed -i 's|.*DOWNLOAD_PROTO_HTTPS|#define DOWNLOAD_PROTO_HTTPS|g'  "src/config/general.h" && \
+        wget https://raw.githubusercontent.com/Dasharo/dasharo-blobs/main/dasharo/dasharo.ipxe && \
+        cd -
+
+    - name: Build iPXE
+      run: |
+        docker run --rm -i -v $PWD/ipxe:/home/coreboot/ipxe:rw \
+          -v $PWD/.github:/home/coreboot/ipxe/.github \
+          -u $(id -u):$(id -g) -w /home/coreboot/ipxe \
+          coreboot/coreboot-sdk:2021-09-23_b0d87f753c \
+         ./.github/scripts/build-ipxe.sh
+
+    - name: Build OVMF Firmware Image
+      run: |
+        docker run --rm -i -v $PWD:/home/coreboot/coreboot:rw \
+          -u $(id -u):$(id -g) -w /home/coreboot/coreboot \
+          coreboot/coreboot-sdk:2021-09-23_b0d87f753c \
+         ./.github/scripts/build-qemu.sh
+
+    - name: Check RELEASE build Artifacts
+      run: |
+        if [ -f "Build/OvmfX64/RELEASE_GCC5/FV/OVMF_CODE.fd" ] && [ -f "Build/OvmfX64/RELEASE_GCC5/FV/OVMF_VARS.fd" ]; then
+          echo "RELEASE build successful. OVMF firmware image files found."
+          cp Build/OvmfX64/RELEASE_GCC5/FV/OVMF_CODE.fd OVMF_CODE_RELEASE.fd
+          cp Build/OvmfX64/RELEASE_GCC5/FV/OVMF_VARS.fd OVMF_VARS_RELEASE.fd
+        else
+          echo "RELEASE build failed. OVMF firmware image files not found."
+          exit 1
+        fi
+
+    - name: Check DEBUG build Artifacts
+      run: |
+        if [ -f "Build/OvmfX64/DEBUG_GCC5/FV/OVMF_CODE.fd" ] && [ -f "Build/OvmfX64/DEBUG_GCC5/FV/OVMF_VARS.fd" ]; then
+          echo "DEBUG build successful. OVMF firmware image files found."
+          cp Build/OvmfX64/DEBUG_GCC5/FV/OVMF_CODE.fd OVMF_CODE_DEBUG.fd
+          cp Build/OvmfX64/DEBUG_GCC5/FV/OVMF_VARS.fd OVMF_VARS_DEBUG.fd
+        else
+          echo "DEBUG build failed. OVMF firmware image files not found."
+          exit 1
+        fi
+
+    - name: Upload Artifacts
+      uses: actions/upload-artifact@v2
+      with:
+        name: ovmf-artifacts  # Name for the artifact
+        path: |
+          OVMF_CODE_RELEASE.fd
+          OVMF_VARS_RELEASE.fd
+          OVMF_CODE_DEBUG.fd
+          OVMF_VARS_DEBUG.fd
+
+    - name: Create GitHub Release
+      uses: softprops/action-gh-release@v1
+      if: startsWith(github.event.ref, 'refs/tags/qemu')
+      with:
+        files: |
+          OVMF_CODE_RELEASE.fd
+          OVMF_VARS_RELEASE.fd
+          OVMF_CODE_DEBUG.fd
+          OVMF_VARS_DEBUG.fd

.github/workflows/dbx.yml

@@ -0,0 +1,33 @@
+name: Check if UEFI revocation list is up-to-date
+
+on:
+  push:
+    branches:
+      - dasharo
+  pull_request:
+    branches:
+      - dasharo
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v2
+
+    - name: Check if DBX is up-to-date
+      run: |
+        echo 'Fetching DBX from uefi.org'
+        wget https://uefi.org/sites/default/files/resources/x64_DBXUpdate.bin -o /dev/null
+        if [ $? -ne 0 ]; then
+          echo 'Failed to fetch latest DBX.'
+          exit 1
+        fi
+        diff <(sha256sum x64_DBXUpdate.bin | awk '{ print $1 }') <(sha256sum DasharoPayloadPkg/SecureBootDefaultKeys/DBXUpdate.bin | awk '{ print $1 }')
+        if [ $? -ne 0 ]; then
+          echo 'UEFI DBX is out of date.'
+          exit 1
+        else
+          echo 'UEFI DBX is up-to-date.'
+        fi

.gitmodules

@@ -35,3 +35,6 @@
 [submodule "CryptoPkg/Library/MbedTlsLib/mbedtls"]
 	path = CryptoPkg/Library/MbedTlsLib/mbedtls
 	url = https://github.com/ARMmbed/mbedtls
+[submodule "CrScreenshotDxe"]
+	path = CrScreenshotDxe
+	url = https://github.com/LongSoft/CrScreenshotDxe.git

.pre-commit-config.yaml

@@ -0,0 +1,40 @@
+---
+default_stages: [pre-commit]
+
+default_install_hook_types: [pre-commit, commit-msg]
+
+ci:
+  autoupdate_commit_msg: 'pre-commit: autoupdate hooks'
+  autofix_prs: false
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: check-added-large-files
+        files: ^DasharoModulePkg/
+      - id: check-merge-conflict
+        files: ^DasharoModulePkg/
+      - id: check-symlinks
+        files: ^DasharoModulePkg/
+      - id: detect-private-key
+        files: ^DasharoModulePkg/
+      - id: end-of-file-fixer
+        files: ^DasharoModulePkg/
+      - id: trailing-whitespace
+        files: ^DasharoModulePkg/
+      - id: mixed-line-ending
+        files: ^DasharoModulePkg/
+
+  - repo: https://github.com/talos-systems/conform
+    rev: v0.1.0-alpha.27
+    hooks:
+      - id: conform
+        stages:
+          - commit-msg
+
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.2.5
+    hooks:
+      - id: codespell
+        files: ^DasharoModulePkg/

BaseTools/Source/C/Makefiles/header.makefile

@@ -104,7 +104,7 @@ else
 CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
 -fno-delete-null-pointer-checks -Wall -Werror \
 -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
--Wno-unused-result -nostdlib -g
+-Wno-unused-result -nostdlib -g -Wno-vla-parameter -Wno-stringop-overflow -Wno-use-after-free -Wno-dangling-pointer
 endif
 endif
 ifneq ($(CLANG),)

CryptoPkg/Include/Library/BaseCryptLib.h

@@ -2234,6 +2234,8 @@ Pkcs7FreeSigners (
   unchained to the signer's certificates.
   The input signed data could be wrapped in a ContentInfo structure.
 
+  Pkcs7GetCertificatesList has not been implemented in BaseCryptoLibMbedTls.
+
   @param[in]  P7Data            Pointer to the PKCS#7 message.
   @param[in]  P7Length          Length of the PKCS#7 message in bytes.
   @param[out] SignerChainCerts  Pointer to the certificates list chained to signer's
@@ -3022,6 +3024,8 @@ DhComputeKey (
   If Seed is NULL, then default seed is used.
   If this interface is not supported, then return FALSE.
 
+  RandomSeed has not been implemented in BaseCryptoLibMbedTls.
+
   @param[in]  Seed      Pointer to seed value.
                         If NULL, default seed is used.
   @param[in]  SeedSize  Size of seed value.

CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf

@@ -81,7 +81,6 @@
   BaseMemoryLib
   MemoryAllocationLib
   DebugLib
-  OpensslLib
   IntrinsicLib
   PrintLib
   PeiServicesTablePointerLib

CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf

@@ -17,7 +17,8 @@
   FILE_GUID                      = 693C5308-AF95-4CE5-ADE9-CA011C2FC642
   MODULE_TYPE                    = DXE_DRIVER
   VERSION_STRING                 = 1.0
-  LIBRARY_CLASS                  = BaseCryptLib|DXE_DRIVER DXE_CORE UEFI_APPLICATION UEFI_DRIVER
+  LIBRARY_CLASS                  = BaseCryptLib|DXE_DRIVER DXE_CORE DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+  DEFINE BASE_CRYPT_PATH         = ../BaseCryptLib
 
 #
 # The following information is for reference only and not required by the build tools.
@@ -27,33 +28,39 @@
 
 [Sources]
   InternalCryptLib.h
-  Cipher/CryptAeadAesGcmNull.c
-  Cipher/CryptAes.c
-  Hash/CryptSha256.c
-  Hash/CryptSha512.c
-  Hash/CryptParallelHashNull.c
-  Hash/CryptSm3Null.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
+  Hash/CryptSha256.c
+  Hash/CryptSha512.c
+  $(BASE_CRYPT_PATH)/Hash/CryptCShake256.c
+  $(BASE_CRYPT_PATH)/Hash/CryptDispatchApDxe.c
+  $(BASE_CRYPT_PATH)/Hash/CryptParallelHash.c
+  $(BASE_CRYPT_PATH)/Hash/CryptSha3.c
+  $(BASE_CRYPT_PATH)/Hash/CryptSm3.c
+  $(BASE_CRYPT_PATH)/Hash/CryptXkcp.c
   Hmac/CryptHmac.c
   Kdf/CryptHkdf.c
+  Cipher/CryptAes.c
+  Cipher/CryptAeadAesGcm.c
   Pk/CryptRsaBasic.c
-  Pk/CryptRsaExtNull.c
-  Pk/CryptRsaPss.c
-  Pk/CryptRsaPssSignNull.c
-  Bn/CryptBnNull.c
-  Pem/CryptPemNull.c
+  Pk/CryptRsaExt.c
+  Pk/CryptPkcs1Oaep.c
+  Pk/CryptPkcs5Pbkdf2.c
+  Pk/CryptPkcs7Sign.c
+  Pk/CryptPkcs7VerifyCommon.c
+  Pk/CryptPkcs7VerifyBase.c
+  Pk/CryptPkcs7VerifyEku.c
   Pk/CryptDhNull.c
+  Pk/CryptX509.c
+  Pk/CryptAuthenticode.c
+  Pk/CryptTs.c
+  Pk/CryptRsaPss.c
+  Pk/CryptRsaPssSign.c
   Pk/CryptEcNull.c
-  Pk/CryptPkcs1OaepNull.c
-  Pk/CryptPkcs5Pbkdf2Null.c
-  Pk/CryptPkcs7SignNull.c
-  Pk/CryptPkcs7VerifyNull.c
-  Pk/CryptPkcs7VerifyEkuNull.c
-  Pk/CryptX509Null.c
-  Pk/CryptAuthenticodeNull.c
-  Pk/CryptTsNull.c
-  Rand/CryptRandNull.c
+  Pem/CryptPem.c
+  Bn/CryptBnNull.c
+  Rand/CryptRand.c
+
   SysCall/CrtWrapper.c
   SysCall/TimerWrapper.c
 
@@ -72,6 +79,7 @@
   IntrinsicLib
   RngLib
   SynchronizationLib
+  MbedTlsCrtLib
 [Protocols]
   gEfiMpServiceProtocolGuid
 #