Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ovmf for openSUSE:Factory checked in at 2026-05-06 19:17:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ovmf (Old) and /work/SRC/openSUSE:Factory/.ovmf.new.30200 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ovmf" Wed May 6 19:17:44 2026 rev:137 rq:1351090 version:202602 Changes: -------- --- /work/SRC/openSUSE:Factory/ovmf/ovmf.changes 2026-04-25 21:35:30.417221716 +0200 +++ /work/SRC/openSUSE:Factory/.ovmf.new.30200/ovmf.changes 2026-05-06 19:18:23.882323370 +0200 @@ -1,0 +2,19 @@ +Tue May 5 01:43:11 UTC 2026 - Richard Lyu <[email protected]> + +- Replace 'Support multiple entries' patch with 'drop GCD system memory check' patches + because the fix was merged upstream (bsc#1259640) + - Remove ovmf-ArmPkg-CpuDxe-Support-multiple-entries-in-RegionIsSy.patch + - Add backported patch drop GCD system memory check from MemoryAttribute protocol + - ovmf-ArmPkg-CpuDxe-Drop-GCD-system-memory-check-from-Memo.patch + 99d8c3710a0f ArmPkg/CpuDxe: Drop GCD system memory check from MemoryAttribute protocol + - ovmf-ArmPkg-CpuDxe-Refuse-to-clear-XN-from-device-memory-.patch + c00c1216ce7f ArmPkg/CpuDxe: Refuse to clear XN from device memory mappings + +------------------------------------------------------------------- +Mon May 4 00:26:04 UTC 2026 - Richard Lyu <[email protected]> + +- Update OVMF descriptors + - Set priority for qcow2 over raw format images. + - Lower the priority of the CoCo OVMF descriptor. + +------------------------------------------------------------------- +++ only whitespace diff in changes, re-diffing Old: ---- ovmf-ArmPkg-CpuDxe-Support-multiple-entries-in-RegionIsSy.patch New: ---- ovmf-ArmPkg-CpuDxe-Drop-GCD-system-memory-check-from-Memo.patch ovmf-ArmPkg-CpuDxe-Refuse-to-clear-XN-from-device-memory-.patch ----------(Old B)---------- Old:/work/SRC/openSUSE:Factory/.ovmf.new.30200/ovmf.changes- because the fix was merged upstream (bsc#1259640) /work/SRC/openSUSE:Factory/.ovmf.new.30200/ovmf.changes: - Remove ovmf-ArmPkg-CpuDxe-Support-multiple-entries-in-RegionIsSy.patch /work/SRC/openSUSE:Factory/.ovmf.new.30200/ovmf.changes- - Add backported patch drop GCD system memory check from MemoryAttribute protocol ----------(Old E)---------- ----------(New B)---------- New:/work/SRC/openSUSE:Factory/.ovmf.new.30200/ovmf.changes- - Add backported patch drop GCD system memory check from MemoryAttribute protocol /work/SRC/openSUSE:Factory/.ovmf.new.30200/ovmf.changes: - ovmf-ArmPkg-CpuDxe-Drop-GCD-system-memory-check-from-Memo.patch /work/SRC/openSUSE:Factory/.ovmf.new.30200/ovmf.changes- 99d8c3710a0f ArmPkg/CpuDxe: Drop GCD system memory check from MemoryAttribute protocol New:/work/SRC/openSUSE:Factory/.ovmf.new.30200/ovmf.changes- 99d8c3710a0f ArmPkg/CpuDxe: Drop GCD system memory check from MemoryAttribute protocol /work/SRC/openSUSE:Factory/.ovmf.new.30200/ovmf.changes: - ovmf-ArmPkg-CpuDxe-Refuse-to-clear-XN-from-device-memory-.patch /work/SRC/openSUSE:Factory/.ovmf.new.30200/ovmf.changes- c00c1216ce7f ArmPkg/CpuDxe: Refuse to clear XN from device memory mappings ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ovmf.spec ++++++ --- /var/tmp/diff_new_pack.XTks58/_old 2026-05-06 19:18:25.586393594 +0200 +++ /var/tmp/diff_new_pack.XTks58/_new 2026-05-06 19:18:25.590393758 +0200 @@ -88,11 +88,12 @@ Patch18: %{name}-Revert-UefiCpuPkg-BaseRiscV64CpuTimerLib-Add-constru.patch # https://github.com/tianocore/edk2/pull/12248 Patch19: %{name}-OvmfPkg-RiscVVirt-PlatformPei-Do-not-set-PcdTpmBaseA.patch -# Bug 1259640 - OVMF crashes when exiting from aarch64 GRUB -Patch20: %{name}-ArmPkg-CpuDxe-Support-multiple-entries-in-RegionIsSy.patch # Bug 1260358 - [SLES][16.1][Build33.1][x86_64][kvm] Fail to install uefi 15-SP7 vm # Bug 1259826 - latest version of ovmf package dont support -kernel -initrd options -Patch21: %{name}-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch +Patch20: %{name}-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch +# Bug 1259640 - OVMF crashes when exiting from aarch64 GRUB +Patch21: %{name}-ArmPkg-CpuDxe-Drop-GCD-system-memory-check-from-Memo.patch +Patch22: %{name}-ArmPkg-CpuDxe-Refuse-to-clear-XN-from-device-memory-.patch BuildRequires: bc BuildRequires: cross-arm-binutils BuildRequires: cross-arm-gcc%{gcc_version} ++++++ descriptors.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/50-ovmf-x86_64-secure-ms.json new/descriptors/50-ovmf-x86_64-secure-ms.json --- old/descriptors/50-ovmf-x86_64-secure-ms.json 2026-04-01 04:55:52.000000000 +0200 +++ new/descriptors/50-ovmf-x86_64-secure-ms.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,36 +0,0 @@ -{ - "description": "UEFI firmware for x86_64, with Secure Boot, SMM, and MS certs enrolled", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "flash", - "executable": { - "filename": "@DATADIR@/ovmf-x86_64-smm-ms-code.bin", - "format": "raw" - }, - "nvram-template": { - "filename": "@DATADIR@/ovmf-x86_64-smm-ms-vars.bin", - "format": "raw" - } - }, - "targets": [ - { - "architecture": "x86_64", - "machines": [ - "pc-q35-*" - ] - } - ], - "features": [ - "acpi-s3", - "acpi-s4", - "requires-smm", - "secure-boot", - "enrolled-keys", - "verbose-dynamic" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/50-ovmf-x86_64-secure-opensuse.json new/descriptors/50-ovmf-x86_64-secure-opensuse.json --- old/descriptors/50-ovmf-x86_64-secure-opensuse.json 2026-04-01 04:55:44.000000000 +0200 +++ new/descriptors/50-ovmf-x86_64-secure-opensuse.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,36 +0,0 @@ -{ - "description": "UEFI firmware for x86_64, with Secure Boot, SMM, and openSUSE certs enrolled", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "flash", - "executable": { - "filename": "@DATADIR@/ovmf-x86_64-smm-opensuse-code.bin", - "format": "raw" - }, - "nvram-template": { - "filename": "@DATADIR@/ovmf-x86_64-smm-opensuse-vars.bin", - "format": "raw" - } - }, - "targets": [ - { - "architecture": "x86_64", - "machines": [ - "pc-q35-*" - ] - } - ], - "features": [ - "acpi-s3", - "acpi-s4", - "requires-smm", - "secure-boot", - "enrolled-keys", - "verbose-dynamic" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/50-ovmf-x86_64-secure-suse.json new/descriptors/50-ovmf-x86_64-secure-suse.json --- old/descriptors/50-ovmf-x86_64-secure-suse.json 2026-04-01 04:55:38.000000000 +0200 +++ new/descriptors/50-ovmf-x86_64-secure-suse.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,36 +0,0 @@ -{ - "description": "UEFI firmware for x86_64, with Secure Boot, SMM, and SUSE certs enrolled", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "flash", - "executable": { - "filename": "@DATADIR@/ovmf-x86_64-smm-suse-code.bin", - "format": "raw" - }, - "nvram-template": { - "filename": "@DATADIR@/ovmf-x86_64-smm-suse-vars.bin", - "format": "raw" - } - }, - "targets": [ - { - "architecture": "x86_64", - "machines": [ - "pc-q35-*" - ] - } - ], - "features": [ - "acpi-s3", - "acpi-s4", - "requires-smm", - "secure-boot", - "enrolled-keys", - "verbose-dynamic" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/50-ovmf-x86_64-secure.json new/descriptors/50-ovmf-x86_64-secure.json --- old/descriptors/50-ovmf-x86_64-secure.json 2026-03-31 18:14:38.000000000 +0200 +++ new/descriptors/50-ovmf-x86_64-secure.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,35 +0,0 @@ -{ - "description": "UEFI firmware for x86_64, with Secure Boot and SMM", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "flash", - "executable": { - "filename": "@DATADIR@/ovmf-x86_64-smm-code.bin", - "format": "raw" - }, - "nvram-template": { - "filename": "@DATADIR@/ovmf-x86_64-smm-vars.bin", - "format": "raw" - } - }, - "targets": [ - { - "architecture": "x86_64", - "machines": [ - "pc-q35-*" - ] - } - ], - "features": [ - "acpi-s3", - "acpi-s4", - "requires-smm", - "secure-boot", - "verbose-dynamic" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/50-ovmf-x86_64-sev-snp.json new/descriptors/50-ovmf-x86_64-sev-snp.json --- old/descriptors/50-ovmf-x86_64-sev-snp.json 2026-03-31 18:14:38.000000000 +0200 +++ new/descriptors/50-ovmf-x86_64-sev-snp.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,25 +0,0 @@ -{ - "description": "UEFI firmware for x86_64, with AMD SEV-SNP", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "memory", - "filename": "@DATADIR@/ovmf-x86_64-sev.bin" - }, - "targets": [ - { - "architecture": "x86_64", - "machines": [ - "pc-q35-*" - ] - } - ], - "features": [ - "amd-sev-snp", - "verbose-dynamic" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/50-ovmf-x86_64-sev.json new/descriptors/50-ovmf-x86_64-sev.json --- old/descriptors/50-ovmf-x86_64-sev.json 2026-03-31 18:14:38.000000000 +0200 +++ new/descriptors/50-ovmf-x86_64-sev.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,30 +0,0 @@ -{ - "description": "UEFI firmware for x86_64, with AMD SEV (Stateless)", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "flash", - "mode": "stateless", - "executable": { - "filename": "@DATADIR@/ovmf-x86_64-sev.bin", - "format": "raw" - } - }, - "targets": [ - { - "architecture": "x86_64", - "machines": [ - "pc-q35-*" - ] - } - ], - "features": [ - "amd-sev", - "amd-sev-es", - "verbose-dynamic" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/51-ovmf-x86_64-secure-ms.json new/descriptors/51-ovmf-x86_64-secure-ms.json --- old/descriptors/51-ovmf-x86_64-secure-ms.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/51-ovmf-x86_64-secure-ms.json 2026-04-01 04:55:52.000000000 +0200 @@ -0,0 +1,36 @@ +{ + "description": "UEFI firmware for x86_64, with Secure Boot, SMM, and MS certs enrolled", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "@DATADIR@/ovmf-x86_64-smm-ms-code.bin", + "format": "raw" + }, + "nvram-template": { + "filename": "@DATADIR@/ovmf-x86_64-smm-ms-vars.bin", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "acpi-s4", + "requires-smm", + "secure-boot", + "enrolled-keys", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/51-ovmf-x86_64-secure-opensuse.json new/descriptors/51-ovmf-x86_64-secure-opensuse.json --- old/descriptors/51-ovmf-x86_64-secure-opensuse.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/51-ovmf-x86_64-secure-opensuse.json 2026-04-01 04:55:44.000000000 +0200 @@ -0,0 +1,36 @@ +{ + "description": "UEFI firmware for x86_64, with Secure Boot, SMM, and openSUSE certs enrolled", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "@DATADIR@/ovmf-x86_64-smm-opensuse-code.bin", + "format": "raw" + }, + "nvram-template": { + "filename": "@DATADIR@/ovmf-x86_64-smm-opensuse-vars.bin", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "acpi-s4", + "requires-smm", + "secure-boot", + "enrolled-keys", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/51-ovmf-x86_64-secure-suse.json new/descriptors/51-ovmf-x86_64-secure-suse.json --- old/descriptors/51-ovmf-x86_64-secure-suse.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/51-ovmf-x86_64-secure-suse.json 2026-04-01 04:55:38.000000000 +0200 @@ -0,0 +1,36 @@ +{ + "description": "UEFI firmware for x86_64, with Secure Boot, SMM, and SUSE certs enrolled", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "@DATADIR@/ovmf-x86_64-smm-suse-code.bin", + "format": "raw" + }, + "nvram-template": { + "filename": "@DATADIR@/ovmf-x86_64-smm-suse-vars.bin", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "acpi-s4", + "requires-smm", + "secure-boot", + "enrolled-keys", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/51-ovmf-x86_64-secure.json new/descriptors/51-ovmf-x86_64-secure.json --- old/descriptors/51-ovmf-x86_64-secure.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/51-ovmf-x86_64-secure.json 2026-03-31 18:14:38.000000000 +0200 @@ -0,0 +1,35 @@ +{ + "description": "UEFI firmware for x86_64, with Secure Boot and SMM", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "@DATADIR@/ovmf-x86_64-smm-code.bin", + "format": "raw" + }, + "nvram-template": { + "filename": "@DATADIR@/ovmf-x86_64-smm-vars.bin", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "acpi-s4", + "requires-smm", + "secure-boot", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/60-aavmf-aarch64.json new/descriptors/60-aavmf-aarch64.json --- old/descriptors/60-aavmf-aarch64.json 2026-03-31 18:14:38.000000000 +0200 +++ new/descriptors/60-aavmf-aarch64.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,31 +0,0 @@ -{ - "description": "UEFI firmware for aarch64", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "flash", - "executable": { - "filename": "@DATADIR@/aavmf-aarch64-code.bin", - "format": "raw" - }, - "nvram-template": { - "filename": "@DATADIR@/aavmf-aarch64-vars.bin", - "format": "raw" - } - }, - "targets": [ - { - "architecture": "aarch64", - "machines": [ - "virt-*" - ] - } - ], - "features": [ - "verbose-static" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/60-ovmf-riscv64.json new/descriptors/60-ovmf-riscv64.json --- old/descriptors/60-ovmf-riscv64.json 2026-03-31 18:14:38.000000000 +0200 +++ new/descriptors/60-ovmf-riscv64.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,31 +0,0 @@ -{ - "description": "UEFI firmware for riscv (riscv64)", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "flash", - "executable": { - "filename": "@DATADIR@/ovmf-riscv64-code.bin", - "format": "raw" - }, - "nvram-template": { - "filename": "@DATADIR@/ovmf-riscv64-vars.bin", - "format": "raw" - } - }, - "targets": [ - { - "architecture": "riscv64", - "machines": [ - "virt-*" - ] - } - ], - "features": [ - "verbose-static" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/60-ovmf-x86_64-ms.json new/descriptors/60-ovmf-x86_64-ms.json --- old/descriptors/60-ovmf-x86_64-ms.json 2026-04-01 04:55:24.000000000 +0200 +++ new/descriptors/60-ovmf-x86_64-ms.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,36 +0,0 @@ -{ - "description": "UEFI firmware for x86_64, with Secure Boot, and MS certs enrolled", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "flash", - "executable": { - "filename": "@DATADIR@/ovmf-x86_64-ms-4m-code.bin", - "format": "raw" - }, - "nvram-template": { - "filename": "@DATADIR@/ovmf-x86_64-ms-4m-vars.bin", - "format": "raw" - } - }, - "targets": [ - { - "architecture": "x86_64", - "machines": [ - "pc-i440fx-*", - "pc-q35-*" - ] - } - ], - "features": [ - "acpi-s3", - "acpi-s4", - "secure-boot", - "enrolled-keys", - "verbose-dynamic" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/60-ovmf-x86_64-opensuse.json new/descriptors/60-ovmf-x86_64-opensuse.json --- old/descriptors/60-ovmf-x86_64-opensuse.json 2026-04-01 04:55:17.000000000 +0200 +++ new/descriptors/60-ovmf-x86_64-opensuse.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,36 +0,0 @@ -{ - "description": "UEFI firmware for x86_64, with Secure Boot, and openSUSE certs enrolled", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "flash", - "executable": { - "filename": "@DATADIR@/ovmf-x86_64-opensuse-4m-code.bin", - "format": "raw" - }, - "nvram-template": { - "filename": "@DATADIR@/ovmf-x86_64-opensuse-4m-vars.bin", - "format": "raw" - } - }, - "targets": [ - { - "architecture": "x86_64", - "machines": [ - "pc-i440fx-*", - "pc-q35-*" - ] - } - ], - "features": [ - "acpi-s3", - "acpi-s4", - "secure-boot", - "enrolled-keys", - "verbose-dynamic" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/60-ovmf-x86_64-suse.json new/descriptors/60-ovmf-x86_64-suse.json --- old/descriptors/60-ovmf-x86_64-suse.json 2026-04-01 04:55:07.000000000 +0200 +++ new/descriptors/60-ovmf-x86_64-suse.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,36 +0,0 @@ -{ - "description": "UEFI firmware for x86_64, with Secure Boot, and SUSE certs enrolled", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "flash", - "executable": { - "filename": "@DATADIR@/ovmf-x86_64-suse-4m-code.bin", - "format": "raw" - }, - "nvram-template": { - "filename": "@DATADIR@/ovmf-x86_64-suse-4m-vars.bin", - "format": "raw" - } - }, - "targets": [ - { - "architecture": "x86_64", - "machines": [ - "pc-i440fx-*", - "pc-q35-*" - ] - } - ], - "features": [ - "acpi-s3", - "acpi-s4", - "secure-boot", - "enrolled-keys", - "verbose-dynamic" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/60-ovmf-x86_64-tdx.json new/descriptors/60-ovmf-x86_64-tdx.json --- old/descriptors/60-ovmf-x86_64-tdx.json 2026-03-31 18:14:38.000000000 +0200 +++ new/descriptors/60-ovmf-x86_64-tdx.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,27 +0,0 @@ -{ - "description": "UEFI firmware for x86_64, with Intel TDX", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "memory", - "filename": "@DATADIR@/ovmf-x86_64-tdx-secureboot.bin" - }, - "targets": [ - { - "architecture": "x86_64", - "machines": [ - "pc-q35-*" - ] - } - ], - "features": [ - "enrolled-keys", - "intel-tdx", - "secure-boot", - "verbose-dynamic" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/60-ovmf-x86_64.json new/descriptors/60-ovmf-x86_64.json --- old/descriptors/60-ovmf-x86_64.json 2026-03-31 18:14:38.000000000 +0200 +++ new/descriptors/60-ovmf-x86_64.json 1970-01-01 01:00:00.000000000 +0100 @@ -1,34 +0,0 @@ -{ - "description": "UEFI firmware for x86_64", - "interface-types": [ - "uefi" - ], - "mapping": { - "device": "flash", - "executable": { - "filename": "@DATADIR@/ovmf-x86_64-4m-code.bin", - "format": "raw" - }, - "nvram-template": { - "filename": "@DATADIR@/ovmf-x86_64-4m-vars.bin", - "format": "raw" - } - }, - "targets": [ - { - "architecture": "x86_64", - "machines": [ - "pc-i440fx-*", - "pc-q35-*" - ] - } - ], - "features": [ - "acpi-s3", - "acpi-s4", - "verbose-dynamic" - ], - "tags": [ - - ] -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/61-aavmf-aarch64.json new/descriptors/61-aavmf-aarch64.json --- old/descriptors/61-aavmf-aarch64.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/61-aavmf-aarch64.json 2026-03-31 18:14:38.000000000 +0200 @@ -0,0 +1,31 @@ +{ + "description": "UEFI firmware for aarch64", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "@DATADIR@/aavmf-aarch64-code.bin", + "format": "raw" + }, + "nvram-template": { + "filename": "@DATADIR@/aavmf-aarch64-vars.bin", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "aarch64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + "verbose-static" + ], + "tags": [ + + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/61-ovmf-riscv64.json new/descriptors/61-ovmf-riscv64.json --- old/descriptors/61-ovmf-riscv64.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/61-ovmf-riscv64.json 2026-03-31 18:14:38.000000000 +0200 @@ -0,0 +1,31 @@ +{ + "description": "UEFI firmware for riscv (riscv64)", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "@DATADIR@/ovmf-riscv64-code.bin", + "format": "raw" + }, + "nvram-template": { + "filename": "@DATADIR@/ovmf-riscv64-vars.bin", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "riscv64", + "machines": [ + "virt-*" + ] + } + ], + "features": [ + "verbose-static" + ], + "tags": [ + + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/61-ovmf-x86_64-ms.json new/descriptors/61-ovmf-x86_64-ms.json --- old/descriptors/61-ovmf-x86_64-ms.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/61-ovmf-x86_64-ms.json 2026-04-01 04:55:24.000000000 +0200 @@ -0,0 +1,36 @@ +{ + "description": "UEFI firmware for x86_64, with Secure Boot, and MS certs enrolled", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "@DATADIR@/ovmf-x86_64-ms-4m-code.bin", + "format": "raw" + }, + "nvram-template": { + "filename": "@DATADIR@/ovmf-x86_64-ms-4m-vars.bin", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-i440fx-*", + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "acpi-s4", + "secure-boot", + "enrolled-keys", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/61-ovmf-x86_64-opensuse.json new/descriptors/61-ovmf-x86_64-opensuse.json --- old/descriptors/61-ovmf-x86_64-opensuse.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/61-ovmf-x86_64-opensuse.json 2026-04-01 04:55:17.000000000 +0200 @@ -0,0 +1,36 @@ +{ + "description": "UEFI firmware for x86_64, with Secure Boot, and openSUSE certs enrolled", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "@DATADIR@/ovmf-x86_64-opensuse-4m-code.bin", + "format": "raw" + }, + "nvram-template": { + "filename": "@DATADIR@/ovmf-x86_64-opensuse-4m-vars.bin", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-i440fx-*", + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "acpi-s4", + "secure-boot", + "enrolled-keys", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/61-ovmf-x86_64-sev-snp.json new/descriptors/61-ovmf-x86_64-sev-snp.json --- old/descriptors/61-ovmf-x86_64-sev-snp.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/61-ovmf-x86_64-sev-snp.json 2026-03-31 18:14:38.000000000 +0200 @@ -0,0 +1,25 @@ +{ + "description": "UEFI firmware for x86_64, with AMD SEV-SNP", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "memory", + "filename": "@DATADIR@/ovmf-x86_64-sev.bin" + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-*" + ] + } + ], + "features": [ + "amd-sev-snp", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/61-ovmf-x86_64-sev.json new/descriptors/61-ovmf-x86_64-sev.json --- old/descriptors/61-ovmf-x86_64-sev.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/61-ovmf-x86_64-sev.json 2026-03-31 18:14:38.000000000 +0200 @@ -0,0 +1,30 @@ +{ + "description": "UEFI firmware for x86_64, with AMD SEV (Stateless)", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "mode": "stateless", + "executable": { + "filename": "@DATADIR@/ovmf-x86_64-sev.bin", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-*" + ] + } + ], + "features": [ + "amd-sev", + "amd-sev-es", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/61-ovmf-x86_64-suse.json new/descriptors/61-ovmf-x86_64-suse.json --- old/descriptors/61-ovmf-x86_64-suse.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/61-ovmf-x86_64-suse.json 2026-04-01 04:55:07.000000000 +0200 @@ -0,0 +1,36 @@ +{ + "description": "UEFI firmware for x86_64, with Secure Boot, and SUSE certs enrolled", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "@DATADIR@/ovmf-x86_64-suse-4m-code.bin", + "format": "raw" + }, + "nvram-template": { + "filename": "@DATADIR@/ovmf-x86_64-suse-4m-vars.bin", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-i440fx-*", + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "acpi-s4", + "secure-boot", + "enrolled-keys", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/61-ovmf-x86_64-tdx.json new/descriptors/61-ovmf-x86_64-tdx.json --- old/descriptors/61-ovmf-x86_64-tdx.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/61-ovmf-x86_64-tdx.json 2026-03-31 18:14:38.000000000 +0200 @@ -0,0 +1,27 @@ +{ + "description": "UEFI firmware for x86_64, with Intel TDX", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "memory", + "filename": "@DATADIR@/ovmf-x86_64-tdx-secureboot.bin" + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-q35-*" + ] + } + ], + "features": [ + "enrolled-keys", + "intel-tdx", + "secure-boot", + "verbose-dynamic" + ], + "tags": [ + + ] +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/descriptors/61-ovmf-x86_64.json new/descriptors/61-ovmf-x86_64.json --- old/descriptors/61-ovmf-x86_64.json 1970-01-01 01:00:00.000000000 +0100 +++ new/descriptors/61-ovmf-x86_64.json 2026-03-31 18:14:38.000000000 +0200 @@ -0,0 +1,34 @@ +{ + "description": "UEFI firmware for x86_64", + "interface-types": [ + "uefi" + ], + "mapping": { + "device": "flash", + "executable": { + "filename": "@DATADIR@/ovmf-x86_64-4m-code.bin", + "format": "raw" + }, + "nvram-template": { + "filename": "@DATADIR@/ovmf-x86_64-4m-vars.bin", + "format": "raw" + } + }, + "targets": [ + { + "architecture": "x86_64", + "machines": [ + "pc-i440fx-*", + "pc-q35-*" + ] + } + ], + "features": [ + "acpi-s3", + "acpi-s4", + "verbose-dynamic" + ], + "tags": [ + + ] +} ++++++ ovmf-ArmPkg-CpuDxe-Drop-GCD-system-memory-check-from-Memo.patch ++++++ >From 99d8c3710a0fc2d15fcc28d8b9a1aedbb190b9b9 Mon Sep 17 00:00:00 2001 From: Richard Lyu <[email protected]> Date: Tue, 14 Apr 2026 14:54:24 +0800 Subject: [PATCH 1/2] ArmPkg/CpuDxe: Drop GCD system memory check from MemoryAttribute protocol The UEFI specification does not restrict the MemoryAttribute Protocol to system memory only. The protocol should permit manipulating permission attributes on any existing, valid mapping, consistent with other architectures. Remove RegionIsSystemMemory() and its use as a precondition in GetMemoryAttributes(), SetMemoryAttributes() and ClearMemoryAttributes(). Signed-off-by: Richard Lyu <[email protected]> --- ArmPkg/Drivers/CpuDxe/MemoryAttribute.c | 48 ------------------------- 1 file changed, 48 deletions(-) diff --git a/ArmPkg/Drivers/CpuDxe/MemoryAttribute.c b/ArmPkg/Drivers/CpuDxe/MemoryAttribute.c index c77feb848c45..65d232c71f81 100644 --- a/ArmPkg/Drivers/CpuDxe/MemoryAttribute.c +++ b/ArmPkg/Drivers/CpuDxe/MemoryAttribute.c @@ -8,42 +8,6 @@ #include "CpuDxe.h" -/** - Check whether the provided memory range is covered by a single entry of type - EfiGcdSystemMemory in the GCD memory map. - - @param BaseAddress The physical address that is the start address of - a memory region. - @param Length The size in bytes of the memory region. - - @return Whether the region is system memory or not. -**/ -STATIC -BOOLEAN -RegionIsSystemMemory ( - IN EFI_PHYSICAL_ADDRESS BaseAddress, - IN UINT64 Length - ) -{ - EFI_GCD_MEMORY_SPACE_DESCRIPTOR GcdDescriptor; - EFI_PHYSICAL_ADDRESS GcdEndAddress; - EFI_STATUS Status; - - Status = gDS->GetMemorySpaceDescriptor (BaseAddress, &GcdDescriptor); - if (EFI_ERROR (Status) || - (GcdDescriptor.GcdMemoryType != EfiGcdMemoryTypeSystemMemory)) - { - return FALSE; - } - - GcdEndAddress = GcdDescriptor.BaseAddress + GcdDescriptor.Length; - - // - // Return TRUE if the GCD descriptor covers the range entirely - // - return GcdEndAddress >= (BaseAddress + Length); -} - /** This function retrieves the attributes of the memory region specified by BaseAddress and Length. If different attributes are obtained from different @@ -92,10 +56,6 @@ GetMemoryAttributes ( return EFI_INVALID_PARAMETER; } - if (!RegionIsSystemMemory (BaseAddress, Length)) { - return EFI_UNSUPPORTED; - } - DEBUG (( DEBUG_VERBOSE, "%a: BaseAddress == 0x%lx, Length == 0x%lx\n", @@ -212,10 +172,6 @@ SetMemoryAttributes ( return EFI_INVALID_PARAMETER; } - if (!RegionIsSystemMemory (BaseAddress, Length)) { - return EFI_UNSUPPORTED; - } - return ArmSetMemoryAttributes (BaseAddress, Length, Attributes, Attributes); } @@ -280,10 +236,6 @@ ClearMemoryAttributes ( return EFI_INVALID_PARAMETER; } - if (!RegionIsSystemMemory (BaseAddress, Length)) { - return EFI_UNSUPPORTED; - } - return ArmSetMemoryAttributes (BaseAddress, Length, 0, Attributes); } -- 2.51.0 ++++++ ovmf-ArmPkg-CpuDxe-Refuse-to-clear-XN-from-device-memory-.patch ++++++ >From c00c1216ce7f6e02b00da95747a7f4d4c239c1b1 Mon Sep 17 00:00:00 2001 From: Richard Lyu <[email protected]> Date: Tue, 14 Apr 2026 16:09:38 +0800 Subject: [PATCH 2/2] ArmPkg/CpuDxe: Refuse to clear XN from device memory mappings The ARM architecture requires the XN attribute on device memory mappings. Failure to preserve XN permits speculative instruction fetches to MMIO regions, leading to unpredictable behavior such as stuck transactions in the memory controller or the I-cache prefetcher inadvertently acknowledging device interrupts. Add a check in ClearMemoryAttributes() that returns EFI_UNSUPPORTED when the caller requests clearing EFI_MEMORY_XP on a region that contains device memory. The check traverses the translation table to determine whether any portion of the given address range is mapped with the device memory attribute. Signed-off-by: Richard Lyu <[email protected]> --- ArmPkg/Drivers/CpuDxe/MemoryAttribute.c | 26 +++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/ArmPkg/Drivers/CpuDxe/MemoryAttribute.c b/ArmPkg/Drivers/CpuDxe/MemoryAttribute.c index 65d232c71f81..4830546daf83 100644 --- a/ArmPkg/Drivers/CpuDxe/MemoryAttribute.c +++ b/ArmPkg/Drivers/CpuDxe/MemoryAttribute.c @@ -214,6 +214,11 @@ ClearMemoryAttributes ( IN UINT64 Attributes ) { + UINTN RegionAddress; + UINTN RegionLength; + UINTN RegionAttributes; + EFI_STATUS Status; + DEBUG (( DEBUG_INFO, "%a: BaseAddress == 0x%lx, Length == 0x%lx, Attributes == 0x%lx\n", @@ -236,6 +241,27 @@ ClearMemoryAttributes ( return EFI_INVALID_PARAMETER; } + // ARM requires XN on device memory to prevent speculative instruction fetches + if ((Attributes & EFI_MEMORY_XP) != 0) { + for (RegionAddress = (UINTN)BaseAddress; + RegionAddress < (UINTN)(BaseAddress + Length); + RegionAddress += RegionLength) + { + Status = GetMemoryRegion ( + &RegionAddress, + &RegionLength, + &RegionAttributes + ); + if (EFI_ERROR (Status)) { + return EFI_UNSUPPORTED; + } + + if ((RegionAttributes & TT_ATTR_INDX_MASK) == TT_ATTR_INDX_DEVICE_MEMORY) { + return EFI_UNSUPPORTED; + } + } + } + return ArmSetMemoryAttributes (BaseAddress, Length, 0, Attributes); } -- 2.51.0
