This makes capsule PKCS#7 signatures reproducible.
openssl smime -sign embeds a signingTime signed attribute (current
UTCTime) by default. Because the attribute is inside the signed
digest, the resulting RSA signature differs on every invocation even
when the key and payload are identical, breaking reproducible builds
of signed FMP capsules.
Pass -noattr to drop all signed attributes from the SignerInfo. The
signature is then computed directly over the content, producing
byte-identical output across runs.
The FMP update path is unaffected: FmpAuthenticationLibPkcs7 calls
Pkcs7Verify() without extracting signed attributes, and rollback
protection uses FwVersion / LowestSupportedVersion in
FMP_PAYLOAD_HEADER plus the auth header MonotonicCount, not
signingTime. signingTime is only consumed by DxeImageVerificationLib
for Secure Boot dbt checks on PE/COFF images, which is a separate
code path.
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Collect paths to drivers as they being saved and pass to
GenerateOutputJson() for inclusion into the output JSON file.
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
When a capsule is signed, --decode printed a warning if neither openssl
nor signtool was configured via command-line options. And yet, it then
proceeded to attempt the verification anyway.
Current implementation only ever uses --trusted-public-cert during
verification, so there could be some logic to this behaviour. However,
it's still confusing, so don't attempt to verify anything if it's not
expected to work.
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
The "Dependencies" key of Payloads was set to "None" string for capsules
with no DepEx. The produced JSON file wasn't suitable for passing back
to --encode without modifications.
Fix the issue by removing such invalid "Dependencies" keys similarly how
it's done for keys related to signing.
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Allows substituting the GUID with the human-readable `TtyTerm` tag, akin
to other terminal types
Signed-off-by: Filip Lewinski <filip.lewinski@3mdeb.com>
This reverts commit 3fe1d56cc9.
PR https://github.com/tianocore/edk2/pull/11757 introduced a
"Breaking Change" feature for out of tree builds of tools.
This breaking change is blocking testing of edk2-stable202602
due to side effects on building FitGen tool in edk2-platforms.
Revert this feature for the edk2-stable202602 release and
work on this feature after the release.
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
This reverts commit f0542ae07d.
PR https://github.com/tianocore/edk2/pull/11757 introduced a
"Breaking Change" feature for out of tree builds of tools.
This breaking change is blocking testing of edk2-stable202602
due to side effects on building FitGen tool in edk2-platforms.
Revert this feature for the edk2-stable202602 release and
work on this feature after the release.
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Use $(SEP) with addprefix of $(OBJDIR) to support Windows MINGW
CLANG builds that use Windows path separators with GNU makefiles.
This fixes Windows MINGW CLANG builds of the PcdValueInit
application that is required for structured PCDs.
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Main EDK2 build supports out-of-tree builds but BaseTools make process
still creates tools and object files in-tree. In order to make
out-of-tree build support complete move the generated tools and
interim obj files to $WORKSPACE location as well.
This patch also changes the location of BaseTools for in-tree builds
(default behavior when WORKSPACE is not provided before calling
edksetup) to $WORKSPACE/BaseTools/Build/... It may potentially break
external workflows that invoke tools from the default location outside
of the build tool.
Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
VfrLexer.h is built as a part of VfrCompile build and
shouldn't be present at the BaseTools/Source/C level.
Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
New warning after updating gcc:
EfiRom.c: In function ‘main’:
EfiRom.c:78:17: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
The assigned value is not used, so fix the warning by just removing it.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
StringFuncs.c: In function ‘SplitStringByWhitespace’:
StringFuncs.c:113:15: error: variable ‘Item’ set but not used [-Werror=unused-but-set-variable=]
113 | UINTN Item;
| ^~~~
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
The PCD value defined in module subsections can be added to global PCD
database. Therefore the unsolved expressions, even belongs to the global
scope, can incorrectly refer to the value from module subsection.
This only happens when the referred PCD has no value assignment in the
platform dsc file. Which also should raise an error.
Signed-off-by: Paddy Deng <paddydeng@ami.com>
Update _get_win32_parent_processes() to detect a
cycle in parent process ids that can cause
_get_win32_parent_processes() to never return.
If a pid cycle is detected, then return the list
of parent process ids detected up to the point
the cycle is detected.
GitHub Actions builds using windows-2025 can
reproduce this issue once in a while. It shows
up as job that runs until a timeout. If the job
is canceled, the logs show a python stack in the
loop in _get_win32_parent_processes().
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
The stuart tools automatically add -D WIN_HOST_BUILD to
edk2 build command line if a Windows build environment
is detected. This behavior is added to build.py so that
builds of the EmulatorPkg using build.py are not required
to add the option -D WIN_HOST_BUILD when building in a
Windows environment. This aligns Linux and Windows builds
of the EmulatorPkg removing the need to specify extra
defines.
In order to build the EmulatorPkg for Windows Mingw
environments, EmulatorPkg DSC/FDF files require a way
to detect if Windows Mingw environment is present.
The Windows Mingw environment can be detected if
CLANG_BIN is set and mingw32-make.exe is detected
in the CLANG_BIN directory.
If a Windows Mingw environment is detected, add
-D WIN_MINGW32_BUILD to the edk2 build command line.
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
The ELF psABIs for all architectures stipulate that R_*_NONE relocations
require no action at relocation time, and merely exist to declare a
dependency on a symbol in a way that cannot be conveyed by the code
itself (i.e., using an actual symbol reference). Given that EFI PE/COFF
images are always fully linked binaries, such a dependency cannot be
translated, and there are no known reasons why this would be necessary.
So instead of ignoring such relocations specifically on x86_64 only,
ignore them on all architectures when converting ELF binaries to
PE/COFF.
Fixes: #11878
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
For nebulous reasons, the original ELF psABI deviated from common sense,
and decided to #define R_AARCH64_NONE as '256', in spite of the fact
that no other architecture uses anything other than 0x0.
This has now been fixed in the psABI, so fix it in our code as well.
Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Use $(OS) in all GNUMakefiles to detect if the GNUMakefile
is being used in a Windows OS. If a Windows OS is detected,
then override SHELL to use cmd.exe. This prevents make
utility from using sh.exe if sh.exe happens to be in PATH.
If sh.exe is used, then backslash (\) characters in file
paths are removed and builds break for files not found.
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
When the number of build threads multiplied by per-thread file
descriptor usage exceeds the system's open file descriptor limit,
some threads may fail to acquire necessary resources (e.g., pipes
or semaphores), leading to deadlocks or hangs during parallel builds.
To prevent this situation, calculate the safety upper limit of
concurrency by dividing the system's maximum file descriptor limit by
3 (An empirical value derived from balancing performance overhead
against the theoretical number of file descriptors consumed per thread).
The actual thread count is then clamped to this safe value.
Other usages of ThreadNum()—such as during actual compilation or log
queue creation—do not significantly contribute to file descriptor
consumption. Therefore, adjusting ThreadNum() globally would be
unwarranted, as it could unnecessarily restrict parallelism in stages
that are not FD-bound.
This ensures stable parallel builds even under constrained resource
limits.
Signed-off-by: Ayden Meng <mengxiangdong@loongson.cn>
Previously, when file descriptors were exhausted in high-concurrency
builds (e.g., 512 threads with 1024 FD limit), the build would hang or
fail silently without clear indication of the root cause.
This change catches relevant OSError instances and terminates the build,
ensuring failures due to resource limits are explicit.
Signed-off-by: Ayden Meng <mengxiangdong@loongson.cn>
There are no functional changes in this commit. It adds non-functional
minor code cleanups made while tracking down the bugs fixed in the
preceding commits.
- Fix spelling 'arrary' -> 'array' where it occurs in the tool code and comments.
- When renaming ExtractFieldNameAndArrary to ExtractFieldNameAndArrayIdx,
we fix the typo and also clarify what the method does: it returns the field name
and the array index when present. Since it is always used to populate a local
variable named ArrayIdx, we stick to that spelling in the renamed method.
- Add comment clarifying that mArrayNum holds array length (but again, don't
go for a bigger global rename).
- Rename CVfrVarDataTypeDB::GetFieldWidth to GetFieldType. It is only used
once, and the new name correctly matches what it does.
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
Internal types such as pFormIdField, pFormSetGuidField have
no associated field type, however the Dump command assumes
that all types do. This causes null pointer dereferencing which
can be caught by sanitizers.
De facto, the field type for these types was already
dumped as <null>, this achieves the same safely.
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
The previous logic for accessing bit fields is wrong when the bit field
starts beyond the first byte, in a storage unit larger than a byte.
This caused unaligned memory accesses which can be caught
by sanitizers.
We also bump the tool minor version number to reflect a functional bugfix.
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>