Version in base suite: 2020.11-2+deb11u1 Base version: edk2_2020.11-2+deb11u1 Target version: edk2_2020.11-2+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/edk2/edk2_2020.11-2+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/e/edk2/edk2_2020.11-2+deb11u2.dsc changelog | 16 patches/0001-SecurityPkg-Create-SecureBootVariableLib.patch | 199 ++++++++++ patches/0002-ArmVirtPkg-add-SecureBootVariableLib-class-resolutio.patch | 29 + patches/0003-OvmfPkg-add-SecureBootVariableLib-class-resolution.patch | 49 ++ patches/0004-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch | 94 ++++ patches/0005-EmulatorPkg-add-SecureBootVariableLib-class-resoluti.patch | 19 patches/Disable-the-Shell-when-SecureBoot-is-enabled.patch | 92 ++++ patches/series | 6 tests/shell.py | 23 - 9 files changed, 503 insertions(+), 24 deletions(-) diff: /srv/release.debian.org/tmp/VEr5mh93Es/edk2-2020.11/EmulatorPkg/Unix/Host/X11IncludeHack: No such file or directory diff: /srv/release.debian.org/tmp/pOKShrP0mW/edk2-2020.11/EmulatorPkg/Unix/Host/X11IncludeHack: No such file or directory diff -Nru edk2-2020.11/debian/changelog edk2-2020.11/debian/changelog --- edk2-2020.11/debian/changelog 2021-08-18 22:57:56.000000000 +0000 +++ edk2-2020.11/debian/changelog 2024-02-14 01:22:25.000000000 +0000 @@ -1,3 +1,19 @@ +edk2 (2020.11-2+deb11u2) bullseye-security; urgency=medium + + * Disable the built-in Shell when SecureBoot is enabled, CVE-2023-48733. + Thanks to Mate Kukri. LP: #2040137. + - Backport support for GetSetupMode() and IsSecureBootEnabled(): + + 0001-SecurityPkg-Create-SecureBootVariableLib.patch + + 0002-ArmVirtPkg-add-SecureBootVariableLib-class-resolutio.patch + + 0003-OvmfPkg-add-SecureBootVariableLib-class-resolution.patch + + 0004-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch + + 0005-EmulatorPkg-add-SecureBootVariableLib-class-resoluti.patch + - Disable the built-in Shell when SecureBoot is enabled: + + Disable-the-Shell-when-SecureBoot-is-enabled.patch + - d/tests: Drop the boot-to-shell tests for images w/ Secure Boot active. + + -- dann frazier Tue, 13 Feb 2024 18:22:25 -0700 + edk2 (2020.11-2+deb11u1) bullseye; urgency=medium * Address Boot Guard TOCTOU vulnerability (CVE-2019-11098) (Closes: #991495) diff -Nru edk2-2020.11/debian/patches/0001-SecurityPkg-Create-SecureBootVariableLib.patch edk2-2020.11/debian/patches/0001-SecurityPkg-Create-SecureBootVariableLib.patch --- edk2-2020.11/debian/patches/0001-SecurityPkg-Create-SecureBootVariableLib.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-2020.11/debian/patches/0001-SecurityPkg-Create-SecureBootVariableLib.patch 2024-02-14 01:22:25.000000000 +0000 @@ -0,0 +1,199 @@ +From bb806a6e88fb9744412f1698fb534429b14c93e0 Mon Sep 17 00:00:00 2001 +From: Grzegorz Bernacki +Date: Mon, 2 Aug 2021 12:46:23 +0200 +Subject: [PATCH 1/6] SecurityPkg: Create SecureBootVariableLib. + +This commits add library, which consist helper functions related +to creation/removal Secure Boot variables. Some of the functions +was moved from SecureBootConfigImpl.c file. + +Signed-off-by: Grzegorz Bernacki +Reviewed-by: Sunny Wang +Reviewed-by: Jiewen Yao + +[ dannf: Drop all functions except GetSetupMode() ] + +Origin: https://github.com/tianocore/edk2/commit/bb806a6e88fb9744412f1698fb534429b14c93e0 +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4641 +Bug-Ubuntu: https://launchpad.net/bugs/2040137 +Last-Update: 2024-02-13 + +--- /dev/null ++++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h +@@ -0,0 +1,29 @@ ++/** @file ++ Provides a helper functions for creating variable authenticated ++ payloads, signature lists related to secure boot keys. ++ ++Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
++(C) Copyright 2018 Hewlett Packard Enterprise Development LP
++Copyright (c) 2021, ARM Ltd. All rights reserved.
++Copyright (c) 2021, Semihalf All rights reserved.
++SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#ifndef SECURE_BOOT_VARIABLE_LIB_H_ ++#define SECURE_BOOT_VARIABLE_LIB_H_ ++ ++/** ++ Fetches the value of SetupMode variable. ++ ++ @param[out] SetupMode Pointer to UINT8 for SetupMode output ++ ++ @retval other Error codes from GetVariable. ++--*/ ++EFI_STATUS ++EFIAPI ++GetSetupMode ( ++ OUT UINT8 *SetupMode ++); ++ ++#endif +--- /dev/null ++++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +@@ -0,0 +1,53 @@ ++/** @file ++ This library provides helper functions to set/clear Secure Boot ++ keys and databases. ++ ++ Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
++ (C) Copyright 2018 Hewlett Packard Enterprise Development LP
++ Copyright (c) 2021, ARM Ltd. All rights reserved.
++ Copyright (c) 2021, Semihalf All rights reserved.
++ SPDX-License-Identifier: BSD-2-Clause-Patent ++**/ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "Library/DxeServicesLib.h" ++ ++/** ++ Fetches the value of SetupMode variable. ++ ++ @param[out] SetupMode Pointer to UINT8 for SetupMode output ++ ++ @retval other Retval from GetVariable. ++**/ ++EFI_STATUS ++EFIAPI ++GetSetupMode ( ++ OUT UINT8 *SetupMode ++) ++{ ++ UINTN Size; ++ EFI_STATUS Status; ++ ++ Size = sizeof (*SetupMode); ++ Status = gRT->GetVariable ( ++ EFI_SETUP_MODE_NAME, ++ &gEfiGlobalVariableGuid, ++ NULL, ++ &Size, ++ SetupMode ++ ); ++ if (EFI_ERROR (Status)) { ++ return Status; ++ } ++ ++ return EFI_SUCCESS; ++} +--- /dev/null ++++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +@@ -0,0 +1,46 @@ ++## @file ++# Provides helper function for initialization of Secure Boot ++# keys and databases. ++# ++# Copyright (c) 2021, ARM Ltd. All rights reserved.
++# Copyright (c) 2021, Semihalf All rights reserved.
++# ++# SPDX-License-Identifier: BSD-2-Clause-Patent ++# ++## ++ ++[Defines] ++ INF_VERSION = 0x00010005 ++ BASE_NAME = SecureBootVariableLib ++ MODULE_UNI_FILE = SecureBootVariableLib.uni ++ FILE_GUID = D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F ++ MODULE_TYPE = DXE_DRIVER ++ VERSION_STRING = 1.0 ++ LIBRARY_CLASS = SecureBootVariableLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION ++ ++# ++# The following information is for reference only and not required by the build tools. ++# ++# VALID_ARCHITECTURES = IA32 X64 AARCH64 ++# ++ ++[Sources] ++ SecureBootVariableLib.c ++ ++[Packages] ++ MdePkg/MdePkg.dec ++ MdeModulePkg/MdeModulePkg.dec ++ SecurityPkg/SecurityPkg.dec ++ CryptoPkg/CryptoPkg.dec ++ ++[LibraryClasses] ++ BaseLib ++ BaseMemoryLib ++ DebugLib ++ MemoryAllocationLib ++ BaseCryptLib ++ DxeServicesLib ++ ++[Guids] ++ ## CONSUMES ## Variable:L"SecureBoot" ++ gEfiGlobalVariableGuid +--- /dev/null ++++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni +@@ -0,0 +1,16 @@ ++// /** @file ++// ++// Provides helper function for initialization of Secure Boot ++// keys and databases. ++// ++// Copyright (c) 2021, ARM Ltd. All rights reserved.
++// Copyright (c) 2021, Semihalf All rights reserved.
++// ++// SPDX-License-Identifier: BSD-2-Clause-Patent ++// ++// **/ ++ ++ ++#string STR_MODULE_ABSTRACT #language en-US "Provides helper functions to initialize PK, KEK and databases based on default variables." ++ ++#string STR_MODULE_DESCRIPTION #language en-US "Provides helper functions to initialize PK, KEK and databases based on default variables." +--- a/SecurityPkg/SecurityPkg.dec ++++ b/SecurityPkg/SecurityPkg.dec +@@ -87,6 +87,10 @@ + ## @libraryclass Provides interfaces about firmware TPM measurement. + # + TcgEventLogRecordLib|Include/Library/TcgEventLogRecordLib.h ++ ++ ## @libraryclass Provides helper functions related to creation/removal Secure Boot variables. ++ # ++ SecureBootVariableLib|Include/Library/SecureBootVariableLib.h + [Guids] + ## Security package token space guid. + # Include/Guid/SecurityPkgTokenSpace.h +--- a/SecurityPkg/SecurityPkg.dsc ++++ b/SecurityPkg/SecurityPkg.dsc +@@ -67,6 +67,7 @@ + VariableKeyLib|SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf + RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf + TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf ++ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + + [LibraryClasses.ARM] + # diff -Nru edk2-2020.11/debian/patches/0002-ArmVirtPkg-add-SecureBootVariableLib-class-resolutio.patch edk2-2020.11/debian/patches/0002-ArmVirtPkg-add-SecureBootVariableLib-class-resolutio.patch --- edk2-2020.11/debian/patches/0002-ArmVirtPkg-add-SecureBootVariableLib-class-resolutio.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-2020.11/debian/patches/0002-ArmVirtPkg-add-SecureBootVariableLib-class-resolutio.patch 2024-02-14 01:22:25.000000000 +0000 @@ -0,0 +1,29 @@ +From 12a4d0cb9dd9e241fcd86f2ff78d1560ea1ffe67 Mon Sep 17 00:00:00 2001 +From: Grzegorz Bernacki +Date: Mon, 2 Aug 2021 12:46:25 +0200 +Subject: [PATCH 3/6] ArmVirtPkg: add SecureBootVariableLib class resolution + +The edk2 patch + SecurityPkg: Create library for setting Secure Boot variables. + +moves generic functions from SecureBootConfigDxe and places +them into SecureBootVariableLib. This patch adds SecureBootVariableLib +mapping for ArmVirtPkg platform. + +Signed-off-by: Grzegorz Bernacki +Reviewed-by: Sunny Wang +Reviewed-by: Liming Gao +Reviewed-by: Ard Biesheuvel + +[ dannf: Drop SecureBootVariableProvisionLib ] + +--- a/ArmVirtPkg/ArmVirt.dsc.inc ++++ b/ArmVirtPkg/ArmVirt.dsc.inc +@@ -168,6 +168,7 @@ + # + !if $(SECURE_BOOT_ENABLE) == TRUE + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf ++ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + + # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf diff -Nru edk2-2020.11/debian/patches/0003-OvmfPkg-add-SecureBootVariableLib-class-resolution.patch edk2-2020.11/debian/patches/0003-OvmfPkg-add-SecureBootVariableLib-class-resolution.patch --- edk2-2020.11/debian/patches/0003-OvmfPkg-add-SecureBootVariableLib-class-resolution.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-2020.11/debian/patches/0003-OvmfPkg-add-SecureBootVariableLib-class-resolution.patch 2024-02-14 01:22:25.000000000 +0000 @@ -0,0 +1,49 @@ +From 3d427c5f839dd7c6983b25525888fb19125a75db Mon Sep 17 00:00:00 2001 +From: Grzegorz Bernacki +Date: Mon, 2 Aug 2021 12:46:26 +0200 +Subject: [PATCH 4/6] OvmfPkg: add SecureBootVariableLib class resolution + +The edk2 patch + SecurityPkg: Create library for setting Secure Boot variables. + +moves generic functions from SecureBootConfigDxe and places +them into SecureBootVariableLib. This patch adds SecureBootVariableLib +mapping for OvmfPkg. + +Signed-off-by: Grzegorz Bernacki +Reviewed-by: Laszlo Ersek +Reviewed-by: Sunny Wang +Reviewed-by: Ard Biesheuvel + +[ dannf: Drop SecureBootVariableProvisionLib ] + +--- a/OvmfPkg/OvmfPkgIa32.dsc ++++ b/OvmfPkg/OvmfPkgIa32.dsc +@@ -198,6 +198,7 @@ + !if $(SECURE_BOOT_ENABLE) == TRUE + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf ++ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + !else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf + !endif +--- a/OvmfPkg/OvmfPkgIa32X64.dsc ++++ b/OvmfPkg/OvmfPkgIa32X64.dsc +@@ -202,6 +202,7 @@ + !if $(SECURE_BOOT_ENABLE) == TRUE + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf ++ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + !else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf + !endif +--- a/OvmfPkg/OvmfPkgX64.dsc ++++ b/OvmfPkg/OvmfPkgX64.dsc +@@ -202,6 +202,7 @@ + !if $(SECURE_BOOT_ENABLE) == TRUE + PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf ++ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + !else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf + !endif diff -Nru edk2-2020.11/debian/patches/0004-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch edk2-2020.11/debian/patches/0004-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch --- edk2-2020.11/debian/patches/0004-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-2020.11/debian/patches/0004-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch 2024-02-14 01:22:25.000000000 +0000 @@ -0,0 +1,94 @@ +From 6eb407947592e084110a124be089bef167af1383 Mon Sep 17 00:00:00 2001 +From: kuqin +Date: Fri, 15 Apr 2022 13:03:22 -0700 +Subject: [PATCH] SecurityPkg: SecureBootVariableLib: Added newly supported + interfaces + +REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911 + +This change updated the interfaces provided by SecureBootVariableLib. + +The new additions provided interfaces to enroll single authenticated +variable from input, a helper function to query secure boot status, +enroll all secure boot variables from UefiSecureBoot.h defined data +structures, a as well as a routine that deletes all secure boot related +variables. + +Cc: Jiewen Yao +Cc: Jian J Wang +Cc: Min Xu + +Signed-off-by: Kun Qin +Reviewed-by: Jiewen Yao +Acked-by: Michael Kubacki +[ dannf: Context adjustments ] + +Origin: https://github.com/tianocore/edk2/commit/6eb407947592e084110a124be089bef167af1383 +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4641 +Bug-Ubuntu: https://launchpad.net/bugs/2040137 +Last-Update: 2024-02-13 + +--- a/SecurityPkg/Include/Library/SecureBootVariableLib.h ++++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h +@@ -26,4 +26,17 @@ + OUT UINT8 *SetupMode + ); + ++/** ++ Helper function to quickly determine whether SecureBoot is enabled. ++ ++ @retval TRUE SecureBoot is verifiably enabled. ++ @retval FALSE SecureBoot is either disabled or an error prevented checkng. ++ ++**/ ++BOOLEAN ++EFIAPI ++IsSecureBootEnabled ( ++ VOID ++ ); ++ + #endif +--- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c ++++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +@@ -51,3 +51,41 @@ + + return EFI_SUCCESS; + } ++ ++/** ++ Helper function to quickly determine whether SecureBoot is enabled. ++ ++ @retval TRUE SecureBoot is verifiably enabled. ++ @retval FALSE SecureBoot is either disabled or an error prevented checking. ++ ++**/ ++BOOLEAN ++EFIAPI ++IsSecureBootEnabled ( ++ VOID ++ ) ++{ ++ EFI_STATUS Status; ++ UINT8 *SecureBoot; ++ ++ SecureBoot = NULL; ++ ++ Status = GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID **)&SecureBoot, NULL); ++ // ++ // Skip verification if SecureBoot variable doesn't exist. ++ // ++ if (EFI_ERROR (Status)) { ++ DEBUG ((DEBUG_ERROR, "Cannot check SecureBoot variable %r \n ", Status)); ++ return FALSE; ++ } ++ ++ // ++ // Skip verification if SecureBoot is disabled but not AuditMode ++ // ++ if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) { ++ FreePool (SecureBoot); ++ return FALSE; ++ } else { ++ return TRUE; ++ } ++} diff -Nru edk2-2020.11/debian/patches/0005-EmulatorPkg-add-SecureBootVariableLib-class-resoluti.patch edk2-2020.11/debian/patches/0005-EmulatorPkg-add-SecureBootVariableLib-class-resoluti.patch --- edk2-2020.11/debian/patches/0005-EmulatorPkg-add-SecureBootVariableLib-class-resoluti.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-2020.11/debian/patches/0005-EmulatorPkg-add-SecureBootVariableLib-class-resoluti.patch 2024-02-14 01:22:25.000000000 +0000 @@ -0,0 +1,19 @@ +From b926956418f3e7b8e72dd4b6bcb35eef91ccf210 Mon Sep 17 00:00:00 2001 +From: Grzegorz Bernacki +Date: Mon, 2 Aug 2021 12:46:27 +0200 +Subject: [PATCH 5/6] EmulatorPkg: add SecureBootVariableLib class resolution + +The edk2 patch + SecurityPkg: Create library for setting Secure Boot variables. + +moves generic functions from SecureBootConfigDxe and places +them into SecureBootVariableLib. This patch adds SecureBootVariableLib +mapping for EmulatorPkg. + +Signed-off-by: Grzegorz Bernacki +Reviewed-by: Sunny Wang +Reviewed-by: Ray Ni +--- + EmulatorPkg/EmulatorPkg.dsc | 2 ++ + 1 file changed, 2 insertions(+) + diff -Nru edk2-2020.11/debian/patches/Disable-the-Shell-when-SecureBoot-is-enabled.patch edk2-2020.11/debian/patches/Disable-the-Shell-when-SecureBoot-is-enabled.patch --- edk2-2020.11/debian/patches/Disable-the-Shell-when-SecureBoot-is-enabled.patch 1970-01-01 00:00:00.000000000 +0000 +++ edk2-2020.11/debian/patches/Disable-the-Shell-when-SecureBoot-is-enabled.patch 2024-02-14 01:22:25.000000000 +0000 @@ -0,0 +1,92 @@ +From: Mate Kukri +Date: Wed, 6 Dec 2023 15:47:42 +0000 +Subject: Shell: Disable the Shell when SecureBoot is enabled and not in + SetupMode + +Signed-off-by: Mate Kukri +--- + ShellPkg/Application/Shell/Shell.c | 14 ++++++++++++++ + ShellPkg/Application/Shell/Shell.h | 3 +++ + ShellPkg/Application/Shell/Shell.inf | 2 ++ + ShellPkg/ShellPkg.dsc | 1 + + 4 files changed, 20 insertions(+) + +Origin: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137/+attachment/5741528/+files/Disable-the-Shell-when-SecureBoot-is-enabled.patch +Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4641 +Bug-Ubuntu: https://launchpad.net/bugs/2040137 +Last-Updated: 2024-02-11 +Forwarded: https://bugzilla.tianocore.org/show_bug.cgi?id=4641#c0 + +--- a/ShellPkg/Application/Shell/Shell.c ++++ b/ShellPkg/Application/Shell/Shell.c +@@ -334,6 +334,20 @@ + EFI_HANDLE ConInHandle; + EFI_SIMPLE_TEXT_INPUT_PROTOCOL *OldConIn; + SPLIT_LIST *Split; ++ UINT8 SetupMode; ++ ++ // ++ // Check for Secure Boot mode ++ // ++ if (IsSecureBootEnabled()) { ++ Status = GetSetupMode (&SetupMode); ++ if (EFI_ERROR (Status)) { ++ return (Status); ++ } ++ if (SetupMode != 1) { ++ return (EFI_SECURITY_VIOLATION); ++ } ++ } + + if (PcdGet8(PcdShellSupportLevel) > 3) { + return (EFI_UNSUPPORTED); +--- a/ShellPkg/Application/Shell/Shell.h ++++ b/ShellPkg/Application/Shell/Shell.h +@@ -11,9 +11,11 @@ + #define _SHELL_INTERNAL_HEADER_ + + #include ++//#include + + #include + #include ++#include + + #include + #include +@@ -42,6 +44,7 @@ + #include + #include + #include ++#include + + #include "ShellParametersProtocol.h" + #include "ShellProtocol.h" +--- a/ShellPkg/Application/Shell/Shell.inf ++++ b/ShellPkg/Application/Shell/Shell.inf +@@ -47,6 +47,7 @@ + MdePkg/MdePkg.dec + ShellPkg/ShellPkg.dec + MdeModulePkg/MdeModulePkg.dec ++ SecurityPkg/SecurityPkg.dec + + [LibraryClasses] + BaseLib +@@ -66,6 +67,7 @@ + SortLib + HandleParsingLib + UefiHiiServicesLib ++ SecureBootVariableLib + + [Guids] + gShellVariableGuid ## SOMETIMES_CONSUMES ## GUID +--- a/ShellPkg/ShellPkg.dsc ++++ b/ShellPkg/ShellPkg.dsc +@@ -59,6 +59,7 @@ + DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf + DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf + ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf ++ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + + [LibraryClasses.ARM,LibraryClasses.AARCH64] + # diff -Nru edk2-2020.11/debian/patches/series edk2-2020.11/debian/patches/series --- edk2-2020.11/debian/patches/series 2021-08-18 22:57:56.000000000 +0000 +++ edk2-2020.11/debian/patches/series 2024-02-14 01:22:25.000000000 +0000 @@ -3,4 +3,8 @@ ovmf-vars-generator-Pass-OEM-Strings-to-the-guest.patch ovmf-vars-generator-ignore-qemu-warnings.patch ovmf-vars-generator-no-defaults.patch -UefiCpuPkg-Move-MigrateGdt-from-DiscoverMemory-to-Te.patch +0001-SecurityPkg-Create-SecureBootVariableLib.patch +0002-ArmVirtPkg-add-SecureBootVariableLib-class-resolutio.patch +0003-OvmfPkg-add-SecureBootVariableLib-class-resolution.patch +0004-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch +Disable-the-Shell-when-SecureBoot-is-enabled.patch diff -Nru edk2-2020.11/debian/tests/shell.py edk2-2020.11/debian/tests/shell.py --- edk2-2020.11/debian/tests/shell.py 2021-08-18 22:57:56.000000000 +0000 +++ edk2-2020.11/debian/tests/shell.py 2024-02-14 01:22:25.000000000 +0000 @@ -140,18 +140,6 @@ ) self.run_cmd_check_shell(cmd) - def test_ovmf_ms(self): - cmd = [ - 'qemu-system-x86_64', - '-machine', 'q35,accel=tcg', - '-global', 'ICH9-LPC.disable_s3=1', - ] + self.Qemu_Common_Params + self.Qemu_Ovmf_Common_Params - cmd = cmd + self.gen_pflash_params( - '/usr/share/OVMF/OVMF_CODE.ms.fd', - '/usr/share/OVMF/OVMF_VARS.ms.fd', - ) - self.run_cmd_check_shell(cmd) - def test_ovmf_4m(self): cmd = [ 'qemu-system-x86_64', @@ -174,17 +162,6 @@ ) self.run_cmd_check_shell(cmd) - def test_ovmf_4m_ms(self): - cmd = [ - 'qemu-system-x86_64', - '-machine', 'q35,accel=tcg', - ] + self.Qemu_Common_Params + self.Qemu_Ovmf_Common_Params - cmd = cmd + self.gen_pflash_params( - '/usr/share/OVMF/OVMF_CODE_4M.ms.fd', - '/usr/share/OVMF/OVMF_VARS_4M.ms.fd', - ) - self.run_cmd_check_shell(cmd) - def test_ovmf32_4m_secboot(self): cmd = [ 'qemu-system-i386',