Synced to Fedora: updated to upstream git. rev. 92d07e4 (2017-10-11)

Among other things, OVMF UEFI firmware is now provided here.

Some of the RedHat-specific patches have been dropped in the process,
a few cleanups were also made.

Plus, I have disabled building of ARM firmware images for now: looks
like it needs more support from GCC than we currently have.

.abf.yml

@@ -1,2 +1,4 @@
 sources:
-  edk2-buildtools-r18187.tar.xz: 2c2686035ee53404d42472ad9463a4ddbaf5ef11
+  edk2-20171011-92d07e4.tar.xz: e6efa4211c88036f77a44914dcead69af7aed8d5
+  openssl-1.1.0e-hobbled.tar.xz: 8c74b5fee6a05729f1ea9f178128cfdd5df5d88d
+

0014-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch

@@ -0,0 +1,112 @@
+From 23df46ebbe7b09451d3a05034acd4d3a25e7177b Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 4 Nov 2014 23:02:53 +0100
+Subject: OvmfPkg: allow exclusion of the shell from the firmware image
+
+When '-D EXCLUDE_SHELL_FROM_FD' is passed to 'build', exclude the shell
+binary from the firmware image.
+
+Peter Jones advised us that firmware vendors for physical systems disable
+the memory-mapped, firmware image-contained UEFI shell in
+SecureBoot-enabled builds. The reason being that the memory-mapped shell
+can always load, it may have direct access to various hardware in the
+system, and it can run UEFI shell scripts (which cannot be signed at all).
+
+Intended use of the new build option:
+
+- In-tree builds: don't pass '-D EXCLUDE_SHELL_FROM_FD'. The resultant
+  firmware image will contain a shell binary, independently of SecureBoot
+  enablement, which is flexible for interactive development. (Ie. no
+  change for in-tree builds.)
+
+- RPM builds: pass both '-D SECURE_BOOT_ENABLE' and
+  '-D EXCLUDE_SHELL_FROM_FD'. The resultant RPM will provide:
+
+  - OVMF_CODE.fd: SecureBoot-enabled firmware, without builtin UEFI shell,
+
+  - OVMF_VARS.fd: variable store template matching OVMF_CODE.fd,
+
+  - UefiShell.iso: a bootable ISO image with the shell on it as default
+    boot loader. The shell binary will load when SecureBoot is turned off,
+    and won't load when SecureBoot is turned on (because it is not
+    signed).
+
+    UefiShell.iso is the reason we're not excluding the shell from the DSC
+    files as well, only the FDF files -- when '-D EXCLUDE_SHELL_FROM_FD'
+    is specified, the shell binary needs to be built the same, only it
+    will be included in UefiShell.iso.
+
+Notes about the 20160608b-988715a -> 20170228-c325e41585e3 rebase:
+
+- no changes
+
+Notes about the 20170228-c325e41585e3 -> 20171011-92d07e48907f rebase:
+
+- no changes
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 9c391def70366cabae08e6008814299c3372fafd)
+(cherry picked from commit d9dd9ee42937b2611fe37183cc9ec7f62d946933)
+---
+ OvmfPkg/OvmfPkgIa32.fdf    | 2 ++
+ OvmfPkg/OvmfPkgIa32X64.fdf | 2 ++
+ OvmfPkg/OvmfPkgX64.fdf     | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
+index a967904..366d6bf 100644
+--- a/OvmfPkg/OvmfPkgIa32.fdf
++++ b/OvmfPkg/OvmfPkgIa32.fdf
+@@ -284,11 +284,13 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
++!ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !ifndef $(USE_OLD_SHELL)
+ INF  ShellPkg/Application/Shell/Shell.inf
+ !else
+ INF  RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
+ !endif
++!endif
+ 
+ !if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
+ INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
+index f5a1d86..e4ca33e 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.fdf
++++ b/OvmfPkg/OvmfPkgIa32X64.fdf
+@@ -285,11 +285,13 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
++!ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !ifndef $(USE_OLD_SHELL)
+ INF  ShellPkg/Application/Shell/Shell.inf
+ !else
+ INF  RuleOverride = BINARY USE = X64 EdkShellBinPkg/FullShell/FullShell.inf
+ !endif
++!endif
+ 
+ !if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
+ INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
+index 0bba313..3196b26 100644
+--- a/OvmfPkg/OvmfPkgX64.fdf
++++ b/OvmfPkg/OvmfPkgX64.fdf
+@@ -285,11 +285,13 @@ INF  MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResour
+ INF  FatPkg/EnhancedFatDxe/Fat.inf
+ INF  MdeModulePkg/Universal/Disk/UdfDxe/UdfDxe.inf
+ 
++!ifndef $(EXCLUDE_SHELL_FROM_FD)
+ !ifndef $(USE_OLD_SHELL)
+ INF  ShellPkg/Application/Shell/Shell.inf
+ !else
+ INF  RuleOverride = BINARY EdkShellBinPkg/FullShell/FullShell.inf
+ !endif
++!endif
+ 
+ !if ($(SECURE_BOOT_ENABLE) == TRUE) || ($(TLS_ENABLE) == TRUE)
+ INF MdeModulePkg/Logo/LogoOpenSSLDxe.inf
+-- 
+1.8.3.1
+

0019-MdeModulePkg-PciBus-Fix-bug-that-PCI-BUS-claims-too-much-resource.patch

@@ -0,0 +1,73 @@
+From: Ruiyu Ni <ruiyu.ni@intel.com>
+Subject: [PATCH] MdeModulePkg/PciBus: Fix bug that PCI BUS claims too much resource
+Date: Thu, 16 Nov 2017 18:15:14 +0100
+
+The bug was caused by 728d74973c9262b6c7b7ef4be213223d55affec3
+"MdeModulePkg/PciBus: Count multiple hotplug resource paddings".
+
+The patch firstly updated the Bridge->Alignment to the maximum
+alignment of all devices under the bridge, then aligned the
+Bridge->Length to Bridge->Alignment.
+It caused too much resources were claimed.
+
+The new patch firstly aligns Bridge->Length to Bridge->Alignment,
+then updates the Bridge->Alignment to the maximum alignment of all
+devices under the bridge.
+Because the step to update the Bridge->Alignment is to make sure
+the resource allocated to the bus under the Bridge meets all
+devices alignment. But the Bridge->Length doesn't have to align
+to the maximum alignment.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
+Reviewed-by: Eric Dong <eric.dong@intel.com>
+(cherry picked from commit 6e3287442774c1a4bc83f127694700eeb07c18dc)
+---
+ MdeModulePkg/Bus/Pci/PciBusDxe/PciResourceSupport.c | 24 ++++++++++----------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciResourceSupport.c b/MdeModulePkg/Bus/Pci/PciBusDxe/PciResourceSupport.c
+index 8dbe9a00380f..2f713fcee95e 100644
+--- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciResourceSupport.c
++++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciResourceSupport.c
+@@ -389,18 +389,7 @@ CalculateResourceAperture (
+   }
+ 
+   //
+-  // Adjust the bridge's alignment to the MAX (first) alignment of all children.
+-  //
+-  CurrentLink = Bridge->ChildList.ForwardLink;
+-  if (CurrentLink != &Bridge->ChildList) {
+-    Node = RESOURCE_NODE_FROM_LINK (CurrentLink);
+-    if (Node->Alignment > Bridge->Alignment) {
+-      Bridge->Alignment = Node->Alignment;
+-    }
+-  }
+-
+-  //
+-  // At last, adjust the aperture with the bridge's alignment
++  // Adjust the aperture with the bridge's alignment
+   //
+   Aperture[PciResUsageTypical] = ALIGN_VALUE (Aperture[PciResUsageTypical], Bridge->Alignment + 1);
+   Aperture[PciResUsagePadding] = ALIGN_VALUE (Aperture[PciResUsagePadding], Bridge->Alignment + 1);
+@@ -410,6 +399,17 @@ CalculateResourceAperture (
+   // Use the larger one between the padding resource and actual occupied resource.
+   //
+   Bridge->Length = MAX (Aperture[PciResUsageTypical], Aperture[PciResUsagePadding]);
++
++  //
++  // Adjust the bridge's alignment to the MAX (first) alignment of all children.
++  //
++  CurrentLink = Bridge->ChildList.ForwardLink;
++  if (CurrentLink != &Bridge->ChildList) {
++    Node = RESOURCE_NODE_FROM_LINK (CurrentLink);
++    if (Node->Alignment > Bridge->Alignment) {
++      Bridge->Alignment = Node->Alignment;
++    }
++  }
+ }
+ 
+ /**
+-- 
+2.14.1.3.gb7cf6e02401b
+

0020-MdeModulePkg-Bds-Remove-assertion-in-BmCharToUint.patch

@@ -0,0 +1,34 @@
+From: Ruiyu Ni <ruiyu.ni@intel.com>
+Subject: [PATCH] MdeModulePkg/Bds: Remove assertion in BmCharToUint
+Date: Thu, 16 Nov 2017 18:04:42 +0100
+
+BmCharToUint() could be called using external data and it
+already contains logic to return -1 when data is invalid,
+so removing unnecessary assertion to avoid system hang.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Star Zeng <star.zeng@intel.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+(cherry picked from commit 618ef6f9bae14e1543d61993ab7ab8992063e4cc)
+---
+ MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c b/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c
+index 11ab86792a52..a3fa25424592 100644
+--- a/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c
++++ b/MdeModulePkg/Library/UefiBootManagerLib/BmMisc.c
+@@ -420,7 +420,6 @@ BmCharToUint (
+     return (Char - L'A' + 0xA);
+   }
+ 
+-  ASSERT (FALSE);
+   return (UINTN) -1;
+ }
+ 
+-- 
+2.14.1.3.gb7cf6e02401b
+
+

0021-MdeModulePkg-Bds-Check-variable-name-even-if-OptionNumber-is-NULL.patch

@@ -0,0 +1,105 @@
+From: Ruiyu Ni <ruiyu.ni@intel.com>
+Subject: [PATCH] MdeModulePkg/Bds: Check variable name even *if* OptionNumber is NULL
+Date: Thu, 16 Nov 2017 18:04:43 +0100
+
+Current implementation skips to check whether the last four
+characters are digits when the OptionNumber is NULL.
+Even worse, it may incorrectly return FALSE when OptionNumber is
+NULL.
+
+The patch fixes it to always check the variable name even
+OptionNumber is NULL.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+(cherry picked from commit 5e6e2dcc380dcd841f6f979fea8c302c80a87ec3)
+---
+ MdeModulePkg/Library/UefiBootManagerLib/BmLoadOption.c | 45 +++++++++++++-------
+ 1 file changed, 30 insertions(+), 15 deletions(-)
+
+diff --git a/MdeModulePkg/Library/UefiBootManagerLib/BmLoadOption.c b/MdeModulePkg/Library/UefiBootManagerLib/BmLoadOption.c
+index b0a35058d02b..32918caf324c 100644
+--- a/MdeModulePkg/Library/UefiBootManagerLib/BmLoadOption.c
++++ b/MdeModulePkg/Library/UefiBootManagerLib/BmLoadOption.c
+@@ -785,6 +785,8 @@ EfiBootManagerIsValidLoadOptionVariableName (
+   UINTN                             VariableNameLen;
+   UINTN                             Index;
+   UINTN                             Uint;
++  EFI_BOOT_MANAGER_LOAD_OPTION_TYPE LocalOptionType;
++  UINT16                            LocalOptionNumber;
+ 
+   if (VariableName == NULL) {
+     return FALSE;
+@@ -792,39 +794,52 @@ EfiBootManagerIsValidLoadOptionVariableName (
+ 
+   VariableNameLen = StrLen (VariableName);
+ 
++  //
++  // Return FALSE when the variable name length is too small.
++  //
+   if (VariableNameLen <= 4) {
+     return FALSE;
+   }
+ 
+-  for (Index = 0; Index < ARRAY_SIZE (mBmLoadOptionName); Index++) {
+-    if ((VariableNameLen - 4 == StrLen (mBmLoadOptionName[Index])) &&
+-        (StrnCmp (VariableName, mBmLoadOptionName[Index], VariableNameLen - 4) == 0)
++  //
++  // Return FALSE when the variable name doesn't start with Driver/SysPrep/Boot/PlatformRecovery.
++  //
++  for (LocalOptionType = 0; LocalOptionType < ARRAY_SIZE (mBmLoadOptionName); LocalOptionType++) {
++    if ((VariableNameLen - 4 == StrLen (mBmLoadOptionName[LocalOptionType])) &&
++        (StrnCmp (VariableName, mBmLoadOptionName[LocalOptionType], VariableNameLen - 4) == 0)
+         ) {
+       break;
+     }
+   }
++  if (LocalOptionType == ARRAY_SIZE (mBmLoadOptionName)) {
++    return FALSE;
++  }
+ 
+-  if (Index == ARRAY_SIZE (mBmLoadOptionName)) {
++  //
++  // Return FALSE when the last four characters are not hex digits.
++  //
++  LocalOptionNumber = 0;
++  for (Index = VariableNameLen - 4; Index < VariableNameLen; Index++) {
++    Uint = BmCharToUint (VariableName[Index]);
++    if (Uint == -1) {
++      break;
++    } else {
++      LocalOptionNumber = (UINT16) Uint + LocalOptionNumber * 0x10;
++    }
++  }
++  if (Index != VariableNameLen) {
+     return FALSE;
+   }
+ 
+   if (OptionType != NULL) {
+-    *OptionType = (EFI_BOOT_MANAGER_LOAD_OPTION_TYPE) Index;
++    *OptionType = LocalOptionType;
+   }
+ 
+   if (OptionNumber != NULL) {
+-    *OptionNumber = 0;
+-    for (Index = VariableNameLen - 4; Index < VariableNameLen; Index++) {
+-      Uint = BmCharToUint (VariableName[Index]);
+-      if (Uint == -1) {
+-        break;
+-      } else {
+-        *OptionNumber = (UINT16) Uint + *OptionNumber * 0x10;
+-      }
+-    }
++    *OptionNumber = LocalOptionNumber;
+   }
+ 
+-  return (BOOLEAN) (Index == VariableNameLen);
++  return TRUE;
+ }
+ 
+ /**
+-- 
+2.14.1.3.gb7cf6e02401b
+

0022-OvmfPkg-make-it-a-proper-BASE-library.patch

@@ -0,0 +1,50 @@
+From d9edd0b560db7d32b8b93e82d7051d5cf58e9744 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 16 Nov 2017 20:52:57 +0100
+Subject: [PATCH 1/3] OvmfPkg: make it a proper BASE library
+
+Remove Uefi.h, which includes UefiSpec.h, and change the
+return value to match RETURN_STATUS.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Jordan Justen (Intel address) <jordan.l.justen@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
+index 5435767c1c..74f4d9c2d6 100644
+--- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
+@@ -15,7 +15,6 @@
+ **/
+ 
+ #include <Base.h>
+-#include <Uefi.h>
+ #include <Library/DebugLib.h>
+ #include <Library/BaseLib.h>
+ #include <Library/IoLib.h>
+@@ -32,7 +31,7 @@
+ /**
+   This constructor function does not have to do anything.
+ 
+-  @retval EFI_SUCCESS   The constructor always returns RETURN_SUCCESS.
++  @retval RETURN_SUCCESS   The constructor always returns RETURN_SUCCESS.
+ 
+ **/
+ RETURN_STATUS
+@@ -41,7 +40,7 @@ PlatformDebugLibIoPortConstructor (
+   VOID
+   )
+ {
+-  return EFI_SUCCESS;
++  return RETURN_SUCCESS;
+ }
+ 
+ /**
+-- 
+2.14.3
+

0023-OvmfPkg-create-a-separate-PlatformDebugLibIoPort-ins.patch

@@ -0,0 +1,254 @@
+From ba774b89b5a206c71a2ce0db8184747fac0f6af7 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 16 Nov 2017 10:33:29 +0100
+Subject: [PATCH 2/3] OvmfPkg: create a separate PlatformDebugLibIoPort
+ instance for SEC
+
+The next patch will want to add a global variable to
+PlatformDebugLibIoPort, but this is not suitable for the SEC
+phase, because SEC runs from read-only flash.  The solution is
+to have two library instances, one for SEC and another
+for all other firmware phases.  This patch adds the "plumbing"
+for the SEC library instance, separating the INF files and
+moving the constructor to a separate C source file.
+
+Contributed-under: TianoCore Contribution Agreement 1.1
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Jordan Justen (Intel address) <jordan.l.justen@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ OvmfPkg/OvmfPkgIa32.dsc                            |  2 +-
+ OvmfPkg/OvmfPkgIa32X64.dsc                         |  2 +-
+ OvmfPkg/OvmfPkgX64.dsc                             |  2 +-
+ .../PlatformDebugLibIoPort.inf                     |  3 +-
+ .../PlatformRomDebugLibIoPort.inf                  | 52 ++++++++++++++++++++++
+ OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c  | 15 -------
+ .../PlatformDebugLibIoPort/DebugLibDetect.c        | 31 +++++++++++++
+ .../PlatformDebugLibIoPort/DebugLibDetectRom.c     | 31 +++++++++++++
+ 8 files changed, 119 insertions(+), 19 deletions(-)
+ create mode 100644 OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf
+ create mode 100644 OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetect.c
+ create mode 100644 OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetectRom.c
+
+diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
+index c2f534fdbf..7ccb61147f 100644
+--- a/OvmfPkg/OvmfPkgIa32.dsc
++++ b/OvmfPkg/OvmfPkgIa32.dsc
+@@ -207,7 +207,7 @@ [LibraryClasses.common.SEC]
+ !ifdef $(DEBUG_ON_SERIAL_PORT)
+   DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
+ !else
+-  DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
++  DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf
+ !endif
+   ReportStatusCodeLib|MdeModulePkg/Library/PeiReportStatusCodeLib/PeiReportStatusCodeLib.inf
+   ExtractGuidedSectionLib|MdePkg/Library/BaseExtractGuidedSectionLib/BaseExtractGuidedSectionLib.inf
+diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
+index 9f300a2e6f..237ec71b5e 100644
+--- a/OvmfPkg/OvmfPkgIa32X64.dsc
++++ b/OvmfPkg/OvmfPkgIa32X64.dsc
+@@ -212,7 +212,7 @@ [LibraryClasses.common.SEC]
+ !ifdef $(DEBUG_ON_SERIAL_PORT)
+   DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
+ !else
+-  DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
++  DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf
+ !endif
+   ReportStatusCodeLib|MdeModulePkg/Library/PeiReportStatusCodeLib/PeiReportStatusCodeLib.inf
+   ExtractGuidedSectionLib|MdePkg/Library/BaseExtractGuidedSectionLib/BaseExtractGuidedSectionLib.inf
+diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
+index 1ffcf37f8b..a5047fa38e 100644
+--- a/OvmfPkg/OvmfPkgX64.dsc
++++ b/OvmfPkg/OvmfPkgX64.dsc
+@@ -212,7 +212,7 @@ [LibraryClasses.common.SEC]
+ !ifdef $(DEBUG_ON_SERIAL_PORT)
+   DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
+ !else
+-  DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
++  DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf
+ !endif
+   ReportStatusCodeLib|MdeModulePkg/Library/PeiReportStatusCodeLib/PeiReportStatusCodeLib.inf
+   ExtractGuidedSectionLib|MdePkg/Library/BaseExtractGuidedSectionLib/BaseExtractGuidedSectionLib.inf
+diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf b/OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
+index 0e74fe94cb..de3c2f542b 100644
+--- a/OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
+@@ -21,7 +21,7 @@ [Defines]
+   FILE_GUID                      = DF934DA3-CD31-49FE-AF50-B3C87C79325F
+   MODULE_TYPE                    = BASE
+   VERSION_STRING                 = 1.0
+-  LIBRARY_CLASS                  = DebugLib
++  LIBRARY_CLASS                  = DebugLib|PEI_CORE PEIM DXE_CORE DXE_DRIVER DXE_RUNTIME_DRIVER SMM_CORE DXE_SMM_DRIVER UEFI_DRIVER UEFI_APPLICATION
+   CONSTRUCTOR                    = PlatformDebugLibIoPortConstructor
+ 
+ #
+@@ -30,6 +30,7 @@ [Defines]
+ 
+ [Sources]
+   DebugLib.c
++  DebugLibDetect.c
+ 
+ [Packages]
+   MdePkg/MdePkg.dec
+diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf b/OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf
+new file mode 100644
+index 0000000000..491c0318de
+--- /dev/null
++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/PlatformRomDebugLibIoPort.inf
+@@ -0,0 +1,52 @@
++## @file
++#  Instance of Debug Library for the QEMU debug console port.
++#  It uses Print Library to produce formatted output strings.
++#
++#  Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved.<BR>
++#  Copyright (c) 2017, Red Hat, Inc.<BR>
++#
++#  This program and the accompanying materials
++#  are licensed and made available under the terms and conditions of the BSD License
++#  which accompanies this distribution. The full text of the license may be found at
++#  http://opensource.org/licenses/bsd-license.php.
++#  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++#  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
++#
++#
++##
++
++[Defines]
++  INF_VERSION                    = 0x00010005
++  BASE_NAME                      = PlatformRomDebugLibIoPort
++  FILE_GUID                      = CEB0D9D3-328F-4C24-8C02-28FA1986AE1B
++  MODULE_TYPE                    = BASE
++  VERSION_STRING                 = 1.0
++  LIBRARY_CLASS                  = DebugLib|SEC
++  CONSTRUCTOR                    = PlatformRomDebugLibIoPortConstructor
++
++#
++#  VALID_ARCHITECTURES           = IA32 X64 IPF EBC
++#
++
++[Sources]
++  DebugLib.c
++  DebugLibDetectRom.c
++
++[Packages]
++  MdePkg/MdePkg.dec
++  OvmfPkg/OvmfPkg.dec
++
++[LibraryClasses]
++  BaseMemoryLib
++  IoLib
++  PcdLib
++  PrintLib
++  BaseLib
++  DebugPrintErrorLevelLib
++
++[Pcd]
++  gUefiOvmfPkgTokenSpaceGuid.PcdDebugIoPort                ## CONSUMES
++  gEfiMdePkgTokenSpaceGuid.PcdDebugClearMemoryValue        ## CONSUMES
++  gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask            ## CONSUMES
++  gEfiMdePkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel    ## CONSUMES
++
+diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
+index 74f4d9c2d6..5a1c86f2c3 100644
+--- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
+@@ -28,21 +28,6 @@
+ //
+ #define MAX_DEBUG_MESSAGE_LENGTH  0x100
+ 
+-/**
+-  This constructor function does not have to do anything.
+-
+-  @retval RETURN_SUCCESS   The constructor always returns RETURN_SUCCESS.
+-
+-**/
+-RETURN_STATUS
+-EFIAPI
+-PlatformDebugLibIoPortConstructor (
+-  VOID
+-  )
+-{
+-  return RETURN_SUCCESS;
+-}
+-
+ /**
+   Prints a debug message to the debug output device if the specified error level is enabled.
+ 
+diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetect.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetect.c
+new file mode 100644
+index 0000000000..bad054f286
+--- /dev/null
++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetect.c
+@@ -0,0 +1,31 @@
++/** @file
++  Constructor code for QEMU debug port library.
++  Non-SEC instance.
++
++  Copyright (c) 2017, Red Hat, Inc.<BR>
++  This program and the accompanying materials
++  are licensed and made available under the terms and conditions of the BSD License
++  which accompanies this distribution.  The full text of the license may be found at
++  http://opensource.org/licenses/bsd-license.php.
++
++  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
++
++**/
++
++#include <Base.h>
++
++/**
++  This constructor function does not have anything to do.
++
++  @retval RETURN_SUCCESS   The constructor always returns RETURN_SUCCESS.
++
++**/
++RETURN_STATUS
++EFIAPI
++PlatformDebugLibIoPortConstructor (
++  VOID
++  )
++{
++  return RETURN_SUCCESS;
++}
+diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetectRom.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetectRom.c
+new file mode 100644
+index 0000000000..83a118a0f7
+--- /dev/null
++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetectRom.c
+@@ -0,0 +1,31 @@
++/** @file
++  Constructor code for QEMU debug port library.
++  SEC instance.
++
++  Copyright (c) 2017, Red Hat, Inc.<BR>
++  This program and the accompanying materials
++  are licensed and made available under the terms and conditions of the BSD License
++  which accompanies this distribution.  The full text of the license may be found at
++  http://opensource.org/licenses/bsd-license.php.
++
++  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
++
++**/
++
++#include <Base.h>
++
++/**
++  This constructor function does not have anything to do.
++
++  @retval RETURN_SUCCESS   The constructor always returns RETURN_SUCCESS.
++
++**/
++RETURN_STATUS
++EFIAPI
++PlatformRomDebugLibIoPortConstructor (
++  VOID
++  )
++{
++  return RETURN_SUCCESS;
++}
+-- 
+2.14.3
+

0024-OvmfPkg-save-on-I-O-port-accesses-when-the-debug-por.patch

@@ -0,0 +1,270 @@
+From b23853af6eb71e4c9b2e2d235b1db80541d33116 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 15 Nov 2017 18:01:00 +0100
+Subject: [PATCH 3/3] OvmfPkg: save on I/O port accesses when the debug port is
+ not in use
+
+When SEV is enabled, every debug message printed by OVMF to the
+QEMU debug port traps from the guest to QEMU character by character
+because "REP OUTSB" cannot be used by IoWriteFifo8.  Furthermore,
+when OVMF is built with the DEBUG_VERBOSE bit (value 0x00400000)
+enabled in "gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel", then the
+OvmfPkg/IoMmuDxe driver, and the OvmfPkg/Library/BaseMemEncryptSevLib
+library instance that is built into it, produce a huge amount of
+log messages.  Therefore, in SEV guests, the boot time impact is huge
+(about 45 seconds _additional_ time spent writing to the debug port).
+
+While these messages are very useful for analyzing guest behavior,
+most of the time the user won't be capturing the OVMF debug log.
+In fact libvirt does not provide a method for configuring log capture;
+users that wish to do this (or are instructed to do this) have to resort
+to <qemu:arg>.
+
+The debug console device provides a handy detection mechanism; when read,
+it returns 0xE9 (which is very much unlike the 0xFF that is returned by
+an unused port).  Use it to skip the possibly expensive OUT instructions
+when the debug I/O port isn't plugged anywhere.
+
+For SEC, the debug port has to be read before each full message.
+However:
+
+- if the debug port is available, then reading one byte before writing
+a full message isn't tragic, especially because SEC doesn't print many
+messages
+
+- if the debug port is not available, then reading one byte instead of
+writing a full message is still a win.
+
+Contributed-under: TianoCore Contribution Agreement 1.0
+Cc: Laszlo Ersek <lersek@redhat.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Jordan Justen (Intel address) <jordan.l.justen@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ .../PlatformDebugLibIoPort/DebugLibDetect.h        | 57 ++++++++++++++++++++++
+ OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c  | 28 +++++++++--
+ .../PlatformDebugLibIoPort/DebugLibDetect.c        | 30 ++++++++++--
+ .../PlatformDebugLibIoPort/DebugLibDetectRom.c     | 21 +++++++-
+ 4 files changed, 127 insertions(+), 9 deletions(-)
+ create mode 100644 OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetect.h
+
+diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetect.h b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetect.h
+new file mode 100644
+index 0000000000..1f739b55d8
+--- /dev/null
++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetect.h
+@@ -0,0 +1,57 @@
++/** @file
++  Base Debug library instance for QEMU debug port.
++  It uses PrintLib to send debug messages to a fixed I/O port.
++
++  Copyright (c) 2017, Red Hat, Inc.<BR>
++  This program and the accompanying materials
++  are licensed and made available under the terms and conditions of the BSD License
++  which accompanies this distribution.  The full text of the license may be found at
++  http://opensource.org/licenses/bsd-license.php.
++
++  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
++
++**/
++
++#ifndef __DEBUG_IO_PORT_DETECT_H__
++#define __DEBUG_IO_PORT_DETECT_H__
++
++#include <Base.h>
++
++//
++// The constant value that is read from the debug I/O port
++//
++#define BOCHS_DEBUG_PORT_MAGIC    0xE9
++
++
++/**
++  Helper function to return whether the virtual machine has a debug I/O port.
++  PlatformDebugLibIoPortFound can call this function directly or cache the
++  result.
++
++  @retval TRUE   if the debug I/O port device was detected.
++  @retval FALSE  otherwise
++
++**/
++BOOLEAN
++EFIAPI
++PlatformDebugLibIoPortDetect (
++  VOID
++  );
++
++/**
++  Return whether the virtual machine has a debug I/O port.  DebugLib.c
++  calls this function instead of PlatformDebugLibIoPortDetect, to allow
++  caching if possible.
++
++  @retval TRUE   if the debug I/O port device was detected.
++  @retval FALSE  otherwise
++
++**/
++BOOLEAN
++EFIAPI
++PlatformDebugLibIoPortFound (
++  VOID
++  );
++
++#endif
+diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
+index 5a1c86f2c3..36cde54976 100644
+--- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLib.c
+@@ -22,6 +22,7 @@
+ #include <Library/PcdLib.h>
+ #include <Library/BaseMemoryLib.h>
+ #include <Library/DebugPrintErrorLevelLib.h>
++#include "DebugLibDetect.h"
+ 
+ //
+ // Define the maximum debug and assert message length that this library supports
+@@ -61,9 +62,10 @@ DebugPrint (
+   ASSERT (Format != NULL);
+ 
+   //
+-  // Check driver debug mask value and global mask
++  // Check if the global mask disables this message or the device is inactive
+   //
+-  if ((ErrorLevel & GetDebugPrintErrorLevel ()) == 0) {
++  if ((ErrorLevel & GetDebugPrintErrorLevel ()) == 0 ||
++      !PlatformDebugLibIoPortFound ()) {
+     return;
+   }
+ 
+@@ -120,9 +122,11 @@ DebugAssert (
+              FileName, (UINT64)LineNumber, Description);
+ 
+   //
+-  // Send the print string to the debug I/O port
++  // Send the print string to the debug I/O port, if present
+   //
+-  IoWriteFifo8 (PcdGet16 (PcdDebugIoPort), Length, Buffer);
++  if (PlatformDebugLibIoPortFound ()) {
++    IoWriteFifo8 (PcdGet16 (PcdDebugIoPort), Length, Buffer);
++  }
+ 
+   //
+   // Generate a Breakpoint, DeadLoop, or NOP based on PCD settings
+@@ -265,3 +269,19 @@ DebugPrintLevelEnabled (
+ {
+   return (BOOLEAN) ((ErrorLevel & PcdGet32(PcdFixedDebugPrintErrorLevel)) != 0);
+ }
++
++/**
++  Return the result of detecting the debug I/O port device.
++
++  @retval TRUE   if the debug I/O port device was detected.
++  @retval FALSE  otherwise
++
++**/
++BOOLEAN
++EFIAPI
++PlatformDebugLibIoPortDetect (
++  VOID
++  )
++{
++  return IoRead8 (PcdGet16 (PcdDebugIoPort)) == BOCHS_DEBUG_PORT_MAGIC;
++}
+diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetect.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetect.c
+index bad054f286..81c44eece9 100644
+--- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetect.c
++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetect.c
+@@ -1,6 +1,6 @@
+ /** @file
+-  Constructor code for QEMU debug port library.
+-  Non-SEC instance.
++  Detection code for QEMU debug port.
++  Non-SEC instance, caches the result of detection.
+ 
+   Copyright (c) 2017, Red Hat, Inc.<BR>
+   This program and the accompanying materials
+@@ -14,9 +14,16 @@
+ **/
+ 
+ #include <Base.h>
++#include "DebugLibDetect.h"
++
++//
++// Set to TRUE if the debug I/O port is enabled
++//
++STATIC BOOLEAN mDebugIoPortFound = FALSE;
+ 
+ /**
+-  This constructor function does not have anything to do.
++  This constructor function checks if the debug I/O port device is present,
++  caching the result for later use.
+ 
+   @retval RETURN_SUCCESS   The constructor always returns RETURN_SUCCESS.
+ 
+@@ -27,5 +34,22 @@ PlatformDebugLibIoPortConstructor (
+   VOID
+   )
+ {
++  mDebugIoPortFound = PlatformDebugLibIoPortDetect();
+   return RETURN_SUCCESS;
+ }
++
++/**
++  Return the cached result of detecting the debug I/O port device.
++
++  @retval TRUE   if the debug I/O port device was detected.
++  @retval FALSE  otherwise
++
++**/
++BOOLEAN
++EFIAPI
++PlatformDebugLibIoPortFound (
++  VOID
++  )
++{
++  return mDebugIoPortFound;
++}
+diff --git a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetectRom.c b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetectRom.c
+index 83a118a0f7..b950919675 100644
+--- a/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetectRom.c
++++ b/OvmfPkg/Library/PlatformDebugLibIoPort/DebugLibDetectRom.c
+@@ -1,6 +1,6 @@
+ /** @file
+-  Constructor code for QEMU debug port library.
+-  SEC instance.
++  Detection code for QEMU debug port.
++  SEC instance, cannot cache the result of detection.
+ 
+   Copyright (c) 2017, Red Hat, Inc.<BR>
+   This program and the accompanying materials
+@@ -14,6 +14,7 @@
+ **/
+ 
+ #include <Base.h>
++#include "DebugLibDetect.h"
+ 
+ /**
+   This constructor function does not have anything to do.
+@@ -29,3 +30,19 @@ PlatformRomDebugLibIoPortConstructor (
+ {
+   return RETURN_SUCCESS;
+ }
++
++/**
++  Return the result of detecting the debug I/O port device.
++
++  @retval TRUE   if the debug I/O port device was detected.
++  @retval FALSE  otherwise
++
++**/
++BOOLEAN
++EFIAPI
++PlatformDebugLibIoPortFound (
++  VOID
++  )
++{
++  return PlatformDebugLibIoPortDetect ();
++}
+-- 
+2.14.3
+

basetools-arm.patch

@@ -1,14 +0,0 @@
-diff --git a/Source/C/GNUmakefile b/Source/C/GNUmakefile
-index e0dde3e..bee0059 100644
---- a/Source/C/GNUmakefile
-+++ b/Source/C/GNUmakefile
-@@ -22,6 +22,9 @@ ifndef ARCH
-   ifneq (,$(strip $(filter $(uname_m), x86_64 amd64)))
-     ARCH=X64
-   endif
-+  ifeq ($(patsubst arm%,ARM,$(uname_m)),ARM)
-+    ARCH=ARM
-+  endif
-   ifeq ($(patsubst i%86,IA32,$(uname_m)),IA32)
-     ARCH=IA32
-   endif

build-iso.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# args
+dir="$1"
+
+# cfg
+shell="$dir/Shell.efi"
+enroll="$dir/EnrollDefaultKeys.efi"
+vfat="$dir/shell.img"
+iso="$dir/UefiShell.iso"
+export MTOOLS_SKIP_CHECK=1
+
+# calc size
+s1=$(stat --format=%s -- $shell)
+s2=$(stat --format=%s -- $enroll)
+size=$(( ($s1 + $s2) * 11 / 10 ))
+set -x
+
+# create non-partitioned FAT image
+/sbin/mkdosfs -C "$vfat" -n UEFI_SHELL -- "$(( $size / 1024 ))"
+mmd	-i "$vfat"			::efi
+mmd	-i "$vfat"			::efi/boot
+mcopy	-i "$vfat"	"$shell"	::efi/boot/bootx64.efi
+mcopy	-i "$vfat"	"$enroll"	::
+#mdir	-i "$vfat"	-/		::
+
+# build ISO with FAT image file as El Torito EFI boot image
+genisoimage -input-charset ASCII -J -rational-rock \
+	-efi-boot "${vfat##*/}" -no-emul-boot -o "$iso" -- "$vfat"
+rm -f "$vfat"

edk2.spec

@@ -1,31 +1,60 @@
-%define svndate   20150807
-%define svnrev    18187
+%global edk2_date	20171011
+%global edk2_githash	92d07e4
+%global openssl_version	1.1.0e
+
+%bcond_without build_ovmf_x64
+%bcond_without build_ovmf_ia32
+
+# Disable ARM firmware until its build process is fixed.
+%bcond_with build_aavmf_aarch64
+%bcond_with build_aavmf_arm
+
 
 Name:		edk2
-Version:	%{svndate}
-Release:	1.svn%{svnrev}
+Version:	%{edk2_date}
+Release:	1.git%{edk2_githash}
 Summary:	EFI Development Kit II
-
-# There are no formal releases from upstream.
-# Tarballs are created with:
-
-# svn export -r ${svnrev} \
-#     https://svn.code.sf.net/p/edk2/code/trunk/edk2/BaseTools edk2-buildtools-r${svnrev}
-# rm -rf edk2-buildtools-r${svnrev}/Bin
-# tar -cv edk2-buildtools-r${svnrev} | xz -6 > edk2-buildtools-r${svnrev}.tar.xz
-Source0:	edk2-buildtools-r%{svnrev}.tar.xz
-Patch1:		basetools-arm.patch
-
 License:	BSD
 Group:		Emulators
 URL:		http://www.tianocore.org/edk2/
 
-# We need to build tools everywhere, but how is still an open question
-# https://bugzilla.redhat.com/show_bug.cgi?id=992180
-ExclusiveArch:	%{ix86} x86_64 %{arm}
+Source0:	edk2-%{edk2_date}-%{edk2_githash}.tar.xz
+Source1:	openssl-%{openssl_version}-hobbled.tar.xz
+Source2:	ovmf-whitepaper-c770f8c.txt
+Source10:	hobble-openssl
+Source11:	build-iso.sh
+Source12:	update-tarball.sh
+Source13:	openssl-patch-to-tarball.sh
+
+# non-upstream patches
+Patch0006:	0006-advertise-OpenSSL-on-TianoCore-splash-screen-boot-lo.patch
+Patch0014:	0014-OvmfPkg-allow-exclusion-of-the-shell-from-the-firmwa.patch
+# TODO: Enroll ROSA certs, if possible, instead of the RedHat's.
+Patch0015:	0015-OvmfPkg-EnrollDefaultKeys-application-for-enrolling-.patch
+
+# upstream backports
+Patch0019:	0019-MdeModulePkg-PciBus-Fix-bug-that-PCI-BUS-claims-too-much-resource.patch
+Patch0020:	0020-MdeModulePkg-Bds-Remove-assertion-in-BmCharToUint.patch
+Patch0021:	0021-MdeModulePkg-Bds-Check-variable-name-even-if-OptionNumber-is-NULL.patch
+
+# submitted upstream by Fedora
+Patch0022:	0022-OvmfPkg-make-it-a-proper-BASE-library.patch
+Patch0023:	0023-OvmfPkg-create-a-separate-PlatformDebugLibIoPort-ins.patch
+Patch0024:	0024-OvmfPkg-save-on-I-O-port-accesses-when-the-debug-por.patch
+
+# openssl patches from Fedora
+Patch1021:	openssl-1.1.0-issuer-hash.patch
+Patch1039:	openssl-1.1.0-cc-reqs.patch
+Patch1040:	openssl-1.1.0-disable-ssl3.patch
+Patch1044:	openssl-1.1.0-bio-fd-preserve-nl.patch
 
 BuildRequires:	python-devel
 BuildRequires:	pkgconfig(uuid)
+BuildRequires:	iasl
+BuildRequires:	nasm
+BuildRequires:	dosfstools
+BuildRequires:	mtools
+BuildRequires:	genisoimage
 
 Requires:	edk2-tools = %{EVRD}
 Requires:	edk2-tools-doc = %{EVRD}
@@ -34,6 +63,8 @@ Requires:	edk2-tools-doc = %{EVRD}
 EDK II is a development code base for creating UEFI drivers, applications
 and firmware images.
 
+#---------------------------------------------------------------------------
+
 %package tools
 Summary:	EFI Development Kit II Tools
 Group:		Development/Tools
@@ -43,92 +74,12 @@ Requires:	edk2-tools-python = %{EVRD}
 This package provides tools that are needed to
 build EFI executables and ROMs using the GNU tools.
 
-%package tools-python
-Summary:	EFI Development Kit II Tools
-Group:		Development/Tools
-Requires:	python
-BuildArch:      noarch
-
-%description tools-python
-This package provides tools that are needed to build EFI executables
-and ROMs using the GNU tools.  You do not need to install this package;
-you probably want to install edk2-tools only.
-
-%package tools-doc
-Summary:	Documentation for EFI Development Kit II Tools
-Group:		Development/Tools
-
-%description tools-doc
-This package documents the tools that are needed to
-build EFI executables and ROMs using the GNU tools.
-
-%prep
-%setup -q -n edk2-buildtools-r%{svnrev}
-%patch1 -p1
-
-%build
-export WORKSPACE=`pwd`
-
-# Build is broken if MAKEFLAGS contains -j option.
-unset MAKEFLAGS
-make
-
-%install
-mkdir -p %{buildroot}%{_bindir}
-install	\
-	Source/C/bin/BootSectImage \
-	Source/C/bin/EfiLdrImage \
-	Source/C/bin/EfiRom \
-	Source/C/bin/GenCrc32 \
-	Source/C/bin/GenFfs \
-	Source/C/bin/GenFv \
-	Source/C/bin/GenFw \
-	Source/C/bin/GenPage \
-	Source/C/bin/GenSec \
-	Source/C/bin/GenVtf \
-	Source/C/bin/GnuGenBootSector \
-	Source/C/bin/LzmaCompress \
-	BinWrappers/PosixLike/LzmaF86Compress \
-	Source/C/bin/Split \
-	Source/C/bin/TianoCompress \
-	Source/C/bin/VfrCompile \
-	Source/C/bin/VolInfo \
-	%{buildroot}%{_bindir}
-
-ln -f %{buildroot}%{_bindir}/GnuGenBootSector \
-	%{buildroot}%{_bindir}/GenBootSector
-
-mkdir -p %{buildroot}%{_datadir}/%{name}
-install \
-        BuildEnv \
-        %{buildroot}%{_datadir}/%{name}
-
-mkdir -p %{buildroot}%{_datadir}/%{name}/Conf
-install \
-        Conf/build_rule.template \
-        Conf/tools_def.template \
-        Conf/target.template \
-        %{buildroot}%{_datadir}/%{name}/Conf
-
-mkdir -p %{buildroot}%{_datadir}/%{name}/Scripts
-
-cp -R Source/Python %{buildroot}%{_datadir}/%{name}/Python
-
-find %{buildroot}%{_datadir}/%{name}/Python -name "*.pyd" | xargs rm
-
-for i in build BPDG Ecc GenDepex GenFds GenPatchPcdTable PatchPcdValue TargetTool Trim UPT; do
-  echo '#!/bin/sh
-PYTHONPATH=%{_datadir}/%{name}/Python
-export PYTHONPATH
-exec python '%{_datadir}/%{name}/Python/$i/$i.py' "$@"' > %{buildroot}%{_bindir}/$i
-  chmod +x %{buildroot}%{_bindir}/$i
-done
-
 %files tools
+%doc License.txt
 %{_bindir}/BootSectImage
+%{_bindir}/Brotli
 %{_bindir}/EfiLdrImage
 %{_bindir}/EfiRom
-%{_bindir}/GenBootSector
 %{_bindir}/GenCrc32
 %{_bindir}/GenFfs
 %{_bindir}/GenFv
@@ -143,9 +94,23 @@ done
 %{_bindir}/TianoCompress
 %{_bindir}/VfrCompile
 %{_bindir}/VolInfo
+%dir %{_datadir}/%{name}
 %{_datadir}/%{name}/BuildEnv
-%{_datadir}/%{name}/Conf/
-%{_datadir}/%{name}/Scripts/
+%{_datadir}/%{name}/Conf
+%{_datadir}/%{name}/Scripts
+
+#---------------------------------------------------------------------------
+
+%package tools-python
+Summary:	EFI Development Kit II Tools
+Group:		Development/Tools
+Requires:	python
+BuildArch:      noarch
+
+%description tools-python
+This package provides tools that are needed to build EFI executables
+and ROMs using the GNU tools.  You do not need to install this package;
+you probably want to install edk2-tools only.
 
 %files tools-python
 %{_bindir}/build
@@ -158,29 +123,284 @@ done
 %{_bindir}/TargetTool
 %{_bindir}/Trim
 %{_bindir}/UPT
-%{_datadir}/%{name}/Python/
+%dir %{_datadir}/%{name}
+%{_datadir}/%{name}/Python
+
+#---------------------------------------------------------------------------
+
+%package tools-doc
+Summary:	Documentation for EFI Development Kit II Tools
+Group:		Development/Tools
+
+%description tools-doc
+This package documents the tools that are needed to
+build EFI executables and ROMs using the GNU tools.
 
 %files tools-doc
-%doc UserManuals/BootSectImage_Utility_Man_Page.rtf
-%doc UserManuals/Build_Utility_Man_Page.rtf
-%doc UserManuals/EfiLdrImage_Utility_Man_Page.rtf
-%doc UserManuals/EfiRom_Utility_Man_Page.rtf
-%doc UserManuals/GenBootSector_Utility_Man_Page.rtf
-%doc UserManuals/GenCrc32_Utility_Man_Page.rtf
-%doc UserManuals/GenDepex_Utility_Man_Page.rtf
-%doc UserManuals/GenFds_Utility_Man_Page.rtf
-%doc UserManuals/GenFfs_Utility_Man_Page.rtf
-%doc UserManuals/GenFv_Utility_Man_Page.rtf
-%doc UserManuals/GenFw_Utility_Man_Page.rtf
-%doc UserManuals/GenPage_Utility_Man_Page.rtf
-%doc UserManuals/GenPatchPcdTable_Utility_Man_Page.rtf
-%doc UserManuals/GenSec_Utility_Man_Page.rtf
-%doc UserManuals/GenVtf_Utility_Man_Page.rtf
-%doc UserManuals/LzmaCompress_Utility_Man_Page.rtf
-%doc UserManuals/PatchPcdValue_Utility_Man_Page.rtf
-%doc UserManuals/SplitFile_Utility_Man_Page.rtf
-%doc UserManuals/TargetTool_Utility_Man_Page.rtf
-%doc UserManuals/TianoCompress_Utility_Man_Page.rtf
-%doc UserManuals/Trim_Utility_Man_Page.rtf
-%doc UserManuals/VfrCompiler_Utility_Man_Page.rtf
-%doc UserManuals/VolInfo_Utility_Man_Page.rtf
+%doc BaseTools/UserManuals/*.rtf
+
+#---------------------------------------------------------------------------
+
+%if %{with build_ovmf_x64}
+%package ovmf
+Summary:	Open Virtual Machine Firmware
+License:	BSD and OpenSSL
+Provides:	OVMF = %{version}-%{release}
+Obsoletes:	OVMF < %{version}-%{release}
+BuildArch:	noarch
+
+%description ovmf
+EFI Development Kit II.
+Open Virtual Machine Firmware (x64).
+
+%files ovmf
+%doc OvmfPkg/License.txt
+%doc LICENSE.openssl
+%doc OvmfPkg/README
+%doc ovmf-whitepaper-c770f8c.txt
+%dir %{_datadir}/%{name}
+%dir %{_datadir}/%{name}/ovmf
+%{_datadir}/%{name}/ovmf/OVMF*.fd
+%{_datadir}/%{name}/ovmf/*.efi
+%{_datadir}/%{name}/ovmf/*.iso
+%{_datadir}/OVMF
+%endif
+
+#---------------------------------------------------------------------------
+
+%if %{with build_ovmf_ia32}
+%package ovmf-ia32
+Summary:	Open Virtual Machine Firmware
+License:	BSD and OpenSSL
+Provides:	OVMF = %{version}-%{release}
+Obsoletes:	OVMF < %{version}-%{release}
+BuildArch:	noarch
+
+%description ovmf-ia32
+EFI Development Kit II.
+Open Virtual Machine Firmware (ia32).
+
+%files ovmf-ia32
+%doc OvmfPkg/License.txt
+%doc LICENSE.openssl
+%doc OvmfPkg/README
+%doc ovmf-whitepaper-c770f8c.txt
+%dir %{_datadir}/%{name}
+%dir %{_datadir}/%{name}/ovmf-ia32
+%{_datadir}/%{name}/ovmf-ia32/OVMF*.fd
+%{_datadir}/%{name}/ovmf-ia32/*.efi
+%{_datadir}/%{name}/ovmf-ia32/*.iso
+%endif
+
+#---------------------------------------------------------------------------
+
+%if %{with build_aavmf_aarch64}
+%package aarch64
+Summary:	AARCH64 Virtual Machine Firmware
+Provides:	AAVMF = %{version}-%{release}
+Obsoletes:	AAVMF < %{version}-%{release}
+BuildArch:	noarch
+
+%description aarch64
+EFI Development Kit II.
+AARCH64 UEFI Firmware.
+
+%files aarch64
+%doc OvmfPkg/License.txt
+%doc LICENSE.openssl
+%dir %{_datadir}/%{name}
+%dir %{_datadir}/%{name}/aarch64
+%{_datadir}/%{name}/aarch64/QEMU*.fd
+%{_datadir}/%{name}/aarch64/*.raw
+%{_datadir}/AAVMF/AAVMF_*
+%endif
+
+#---------------------------------------------------------------------------
+
+%if %{with build_aavmf_arm}
+%package arm
+Summary:	ARM Virtual Machine Firmware
+BuildArch:	noarch
+
+%description arm
+EFI Development Kit II.
+armv7 UEFI Firmware.
+
+%files arm
+%doc OvmfPkg/License.txt
+%doc LICENSE.openssl
+%dir %{_datadir}/%{name}
+%dir %{_datadir}/%{name}/arm
+%{_datadir}/%{name}/arm/QEMU*.fd
+%{_datadir}/%{name}/arm/*.raw
+%{_datadir}/AAVMF/AAVMF32_*
+%endif
+
+#---------------------------------------------------------------------------
+
+%prep
+%setup -q -n tianocore-%{name}-%{edk2_githash}
+
+
+# Ensure old shell and binary packages are not used
+rm -rf EdkShellBinPkg
+rm -rf EdkShellPkg
+rm -rf FatBinPkg
+rm -rf ShellBinPkg
+
+cp -a -- %{SOURCE2} .
+
+# add openssl
+(cd .. && tar -xvf %{SOURCE1})
+cp CryptoPkg/Library/OpensslLib/openssl/LICENSE LICENSE.openssl
+
+%apply_patches
+
+base64 --decode < MdeModulePkg/Logo/Logo-OpenSSL.bmp.b64 > MdeModulePkg/Logo/Logo-OpenSSL.bmp
+
+
+%build
+source ./edksetup.sh
+
+# compiler
+CC_FLAGS="-t GCC49"
+
+# parallel builds
+JOBS="%{?_smp_mflags}"
+JOBS="${JOBS#-j}"
+if test "$JOBS" != ""; then
+        CC_FLAGS="${CC_FLAGS} -n $JOBS"
+fi
+
+# common features
+CC_FLAGS="${CC_FLAGS} -b DEBUG"
+CC_FLAGS="${CC_FLAGS} --cmd-len=65536"
+
+# ovmf features
+OVMF_FLAGS="${CC_FLAGS}"
+OVMF_FLAGS="${OVMF_FLAGS} -D TLS_ENABLE"
+OVMF_FLAGS="${OVMF_FLAGS} -D HTTP_BOOT_ENABLE"
+OVMF_FLAGS="${OVMF_FLAGS} -D NETWORK_IP6_ENABLE"
+OVMF_FLAGS="${OVMF_FLAGS} -D FD_SIZE_2MB"
+
+# ovmf + secure boot features
+OVMF_SB_FLAGS="${OVMF_FLAGS}"
+OVMF_SB_FLAGS="${OVMF_SB_FLAGS} -D SECURE_BOOT_ENABLE"
+OVMF_SB_FLAGS="${OVMF_SB_FLAGS} -D SMM_REQUIRE"
+OVMF_SB_FLAGS="${OVMF_SB_FLAGS} -D EXCLUDE_SHELL_FROM_FD"
+
+# arm firmware features
+ARM_FLAGS="${CC_FLAGS}"
+
+unset MAKEFLAGS
+make -C BaseTools #%{?_smp_mflags}
+sed -i -e 's/-Werror//' Conf/tools_def.txt
+
+# build ovmf (x64)
+%if %{with build_ovmf_x64}
+mkdir -p ovmf
+build ${OVMF_FLAGS} -a X64 -p OvmfPkg/OvmfPkgX64.dsc
+cp Build/OvmfX64/*/FV/OVMF_*.fd ovmf/
+rm -rf Build/OvmfX64
+
+# build ovmf (x64) with secure boot
+build ${OVMF_SB_FLAGS} -a IA32 -a X64 -p OvmfPkg/OvmfPkgIa32X64.dsc
+cp Build/Ovmf3264/*/FV/OVMF_CODE.fd ovmf/OVMF_CODE.secboot.fd
+
+# build ovmf (x64) shell iso with EnrollDefaultKeys
+cp Build/Ovmf3264/*/X64/Shell.efi ovmf/
+cp Build/Ovmf3264/*/X64/EnrollDefaultKeys.efi ovmf
+sh %{SOURCE11} ovmf/
+%endif
+
+
+# build ovmf-ia32
+%if %{with build_ovmf_ia32}
+mkdir -p ovmf-ia32
+build ${OVMF_FLAGS} -a IA32 -p OvmfPkg/OvmfPkgIa32.dsc
+cp Build/OvmfIa32/*/FV/OVMF_CODE.fd ovmf-ia32/
+rm -rf Build/OvmfIa32
+
+# build ovmf-ia32 with secure boot
+build ${OVMF_SB_FLAGS} -a IA32 -p OvmfPkg/OvmfPkgIa32.dsc
+cp Build/OvmfIa32/*/FV/OVMF_CODE.fd ovmf-ia32/OVMF_CODE.secboot.fd
+
+# build ovmf-ia32 shell iso with EnrollDefaultKeys
+cp Build/OvmfIa32/*/IA32/Shell.efi ovmf-ia32/Shell.efi
+cp Build/OvmfIa32/*/IA32/EnrollDefaultKeys.efi ovmf-ia32/EnrollDefaultKeys.efi
+sh %{SOURCE11} ovmf-ia32/
+%endif
+
+
+# build aarch64 firmware
+%if %{with build_aavmf_aarch64}
+mkdir -p aarch64
+build $ARM_FLAGS -a AARCH64 -p ArmVirtPkg/ArmVirtQemu.dsc
+cp Build/ArmVirtQemu-AARCH64/DEBUG_*/FV/*.fd aarch64
+dd of="aarch64/QEMU_EFI-pflash.raw" if="/dev/zero" bs=1M count=64
+dd of="aarch64/QEMU_EFI-pflash.raw" if="aarch64/QEMU_EFI.fd" conv=notrunc
+dd of="aarch64/vars-template-pflash.raw" if="/dev/zero" bs=1M count=64
+%endif
+
+
+# build aarch64 firmware
+%if %{with build_aavmf_arm}
+mkdir -p arm
+build $ARM_FLAGS -a ARM -p ArmVirtPkg/ArmVirtQemu.dsc
+cp Build/ArmVirtQemu-ARM/DEBUG_*/FV/*.fd arm
+dd of="arm/QEMU_EFI-pflash.raw" if="/dev/zero" bs=1M count=64
+dd of="arm/QEMU_EFI-pflash.raw" if="arm/QEMU_EFI.fd" conv=notrunc
+dd of="arm/vars-template-pflash.raw" if="/dev/zero" bs=1M count=64
+%endif
+
+%install
+mkdir -p %{buildroot}%{_bindir} \
+         %{buildroot}%{_datadir}/%{name}/Conf \
+         %{buildroot}%{_datadir}/%{name}/Scripts
+install BaseTools/Source/C/bin/* \
+        %{buildroot}%{_bindir}
+install BaseTools/BinWrappers/PosixLike/LzmaF86Compress \
+        %{buildroot}%{_bindir}
+install BaseTools/BuildEnv \
+        %{buildroot}%{_datadir}/%{name}
+install BaseTools/Conf/*.template \
+        %{buildroot}%{_datadir}/%{name}/Conf
+install BaseTools/Scripts/GccBase.lds \
+        %{buildroot}%{_datadir}/%{name}/Scripts
+
+cp -R BaseTools/Source/Python %{buildroot}%{_datadir}/%{name}/Python
+for i in build BPDG Ecc GenDepex GenFds GenPatchPcdTable PatchPcdValue TargetTool Trim UPT; do
+echo '#!/bin/sh
+export PYTHONPATH=%{_datadir}/%{name}/Python
+exec python '%{_datadir}/%{name}/Python/$i/$i.py' "$@"' > %{buildroot}%{_bindir}/$i
+  chmod +x %{buildroot}%{_bindir}/$i
+done
+
+mkdir -p %{buildroot}/usr/share/%{name}
+
+%if %{with build_ovmf_x64}
+cp -a ovmf %{buildroot}/usr/share/%{name}
+# Libvirt hardcodes this directory name
+mkdir %{buildroot}/usr/share/OVMF
+ln -sf ../%{name}/ovmf/OVMF_CODE.fd                %{buildroot}/usr/share/OVMF
+ln -sf ../%{name}/ovmf/OVMF_CODE.secboot.fd        %{buildroot}/usr/share/OVMF
+ln -sf ../%{name}/ovmf/OVMF_VARS.fd                %{buildroot}/usr/share/OVMF
+ln -sf ../%{name}/ovmf/UefiShell.iso               %{buildroot}/usr/share/OVMF
+%endif
+
+%if %{with build_ovmf_ia32}
+cp -a ovmf-ia32 %{buildroot}/usr/share/%{name}
+%endif
+
+%if %{with build_aavmf_aarch64}
+cp -a aarch64 %{buildroot}/usr/share/%{name}
+# Libvirt hardcodes this directory name
+mkdir %{buildroot}/usr/share/AAVMF
+ln -sf ../%{name}/aarch64/QEMU_EFI-pflash.raw      %{buildroot}/usr/share/AAVMF/AAVMF_CODE.fd
+ln -sf ../%{name}/aarch64/vars-template-pflash.raw %{buildroot}/usr/share/AAVMF/AAVMF_VARS.fd
+%endif
+
+%if %{with build_aavmf_arm}
+cp -a arm %{buildroot}/usr/share/%{name}
+ln -sf ../%{name}/arm/QEMU_EFI-pflash.raw          %{buildroot}/usr/share/AAVMF/AAVMF32_CODE.fd
+%endif

hobble-openssl

@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# Quit out if anything fails.
+set -e
+
+# Clean out patent-or-otherwise-encumbered code.
+# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
+# IDEA:  5,214,703 07/01/2012 - expired, we do not remove it anymore
+# RC5:   5,724,428 01/11/2015 - expired, we do not remove it anymore
+# EC:    ????????? ??/??/2020
+# SRP:   ????????? ??/??/20??
+
+# Remove assembler portions of IDEA, MDC2, and RC5.
+# (find crypto/rc5/asm -type f | xargs -r rm -fv)
+
+# SRP.
+for a in srp; do
+  for c in `find crypto/$a -name "*.c" -a \! -name "*test*" -type f` ; do
+	echo Destroying $c
+	> $c
+  done
+done
+
+for c in `find crypto/bn -name "*gf2m.c"`; do
+	echo Destroying $c
+	> $c
+done
+
+for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c" -o -name "ecp_nistp22?.c" -o -name "ectest.c"`; do
+	echo Destroying $c
+	> $c
+done
+
+for h in `find crypto ssl apps test -name "*.h"` ; do
+	echo Removing SRP and EC2M references from $h
+	cat $h | \
+	awk    'BEGIN {ech=1;} \
+		/^#[ \t]*ifndef.*NO_SRP/ {ech--; next;} \
+		/^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
+                /^#[ \t]*if/ {if(ech < 1) ech--;} \
+		{if(ech>0) {;print $0};} \
+		/^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
+	mv $h.hobbled $h
+done
+
+# Make the makefiles happy.
+# touch crypto/rc5/asm/rc5-586.pl

openssl-1.1.0-bio-fd-preserve-nl.patch

@@ -0,0 +1,29 @@
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c.preserve-nl a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c.preserve-nl	2016-11-10 15:03:44.000000000 +0100
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bss_fd.c	2016-12-22 14:36:16.730740423 +0100
+@@ -202,8 +202,10 @@ static int fd_gets(BIO *bp, char *buf, i
+     char *ptr = buf;
+     char *end = buf + size - 1;
+ 
+-    while ((ptr < end) && (fd_read(bp, ptr, 1) > 0) && (ptr[0] != '\n'))
+-        ptr++;
++    while (ptr < end && fd_read(bp, ptr, 1) > 0) {
++        if (*ptr++ == '\n')
++           break;
++    }
+ 
+     ptr[0] = '\0';
+ 
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod.preserve-nl a/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod
+--- a/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod.preserve-nl	2016-11-10 15:03:45.000000000 +0100
++++ b/CryptoPkg/Library/OpensslLib/openssl/doc/crypto/BIO_read.pod	2016-12-22 14:37:22.731245197 +0100
+@@ -23,7 +23,8 @@ in B<buf>. Usually this operation will a
+ from the BIO of maximum length B<len-1>. There are exceptions to this,
+ however; for example, BIO_gets() on a digest BIO will calculate and
+ return the digest and other BIOs may not support BIO_gets() at all.
+-The returned string is always NUL-terminated.
++The returned string is always NUL-terminated and the '\n' is preserved
++if present in the input data.
+ 
+ BIO_write() attempts to write B<len> bytes from B<buf> to BIO B<b>.
+ 

openssl-1.1.0-cc-reqs.patch

@@ -0,0 +1,27 @@
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c.cc-reqs b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c.cc-reqs	2017-01-26 14:10:23.000000000 +0100
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/rsa/rsa_gen.c	2017-01-26 16:01:52.622308528 +0100
+@@ -75,6 +75,12 @@ static int rsa_builtin_keygen(RSA *rsa,
+     if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
+         goto err;
+ 
++    /* prepare minimum p and q difference */
++    if (!BN_one(r3))
++        goto err;
++    if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
++        goto err;
++
+     if (BN_copy(rsa->e, e_value) == NULL)
+         goto err;
+ 
+@@ -103,7 +109,9 @@ static int rsa_builtin_keygen(RSA *rsa,
+         do {
+             if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
+                 goto err;
+-        } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
++            if (!BN_sub(r2, rsa->q, rsa->p))
++                goto err;
++        } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
+         if (degenerate == 3) {
+             ok = 0;             /* we set our own err */
+             RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);

openssl-1.1.0-disable-ssl3.patch

@@ -0,0 +1,59 @@
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c.disable-ssl3	2016-08-25 17:29:22.000000000 +0200
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/ssl_lib.c	2016-09-08 11:08:05.252082263 +0200
+@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+      * or by using the SSL_CONF library.
+      */
+     ret->options |= SSL_OP_NO_COMPRESSION;
++    /*
++     * Disable SSLv3 by default.  Applications can
++     * re-enable it by configuring
++     * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
++     * or by using the SSL_CONF library.
++     */
++    ret->options |= SSL_OP_NO_SSLv3;
+ 
+     ret->tlsext_status_type = -1;
+ 
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c.disable-ssl3	2016-09-08 11:08:05.252082263 +0200
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/ssl_test.c	2016-09-08 11:11:44.802005886 +0200
+@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
+             SSL_TEST_SERVERNAME_CB_NONE) {
+             server2_ctx = SSL_CTX_new(TLS_server_method());
+             TEST_check(server2_ctx != NULL);
++            SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
+         }
+         client_ctx = SSL_CTX_new(TLS_client_method());
+ 
+@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
+             resume_client_ctx = SSL_CTX_new(TLS_client_method());
+             TEST_check(resume_server_ctx != NULL);
+             TEST_check(resume_client_ctx != NULL);
++            SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
++            SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
+         }
+     }
+ 
+     TEST_check(server_ctx != NULL);
+     TEST_check(client_ctx != NULL);
++    SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
++    SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
+ 
+     TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
+ 
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c.disable-ssl3 b/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c.disable-ssl3	2016-08-25 17:29:23.000000000 +0200
++++ b/CryptoPkg/Library/OpensslLib/openssl/test/ssltest_old.c	2016-09-08 11:08:05.253082286 +0200
+@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
+         ERR_print_errors(bio_err);
+         goto end;
+     }
++
++    SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
++    SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
++    SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
++
+     /*
+      * Since we will use low security ciphersuites and keys for testing set
+      * security level to zero by default. Tests can override this by adding

openssl-1.1.0-issuer-hash.patch

@@ -0,0 +1,11 @@
+diff -up a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c.issuer-hash b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c.issuer-hash	2016-07-18 15:16:32.788881100 +0200
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/x509/x509_cmp.c	2016-07-18 15:17:16.671871840 +0200
+@@ -87,6 +87,7 @@ unsigned long X509_issuer_and_serial_has
+ 
+     if (ctx == NULL)
+         goto err;
++    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+     f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
+     if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL))
+         goto err;

openssl-patch-to-tarball.sh

@@ -0,0 +1,62 @@
+#! /bin/sh
+
+: << \EOF
+  For importing the hobbled OpenSSL tarball from Fedora, the following
+  steps are necessary. Note that both the "sources" file format and the
+  pkgs.fedoraproject.org directory structure have changed, accommodating
+  SHA512 checksums.
+
+  # in a separate directory
+  fedpkg clone -a openssl
+  cd openssl
+  fedpkg switch-branch master
+  gitk -- sources
+
+  # the commit that added the 1.1.0e hobbled tarball is c676ac32d544,
+  # subject "update to upstream version 1.1.0e"
+  git checkout c676ac32d544
+
+  # fetch the hobbled tarball and verify the checksum
+  (
+    set -e
+    while read HASH_TYPE FN EQ HASH; do
+      # remove leading and trailing parens
+      FN="${FN#(*}"
+      FN="${FN%*)}"
+      wget \
+        http://pkgs.fedoraproject.org/repo/pkgs/openssl/$FN/sha512/$HASH/$FN
+    done <sources
+    sha512sum -c sources
+  )
+
+  # unpack the hobbled tarball into edk2, according to
+  # "OpenSSL-HOWTO.txt"; WORKSPACE stands for the root of the edk2 project
+  # tree
+  tar -x --xz -f openssl-1.1.0e-hobbled.tar.xz
+  mv -- openssl-1.1.0e "$WORKSPACE"/CryptoPkg/Library/OpensslLib/openssl
+
+  # update the INF files as described in "OpenSSL-HOWTO.txt", then save
+  # the results as a single commit
+  cd "$WORKSPACE"/CryptoPkg/Library/OpensslLib
+  perl process_files.pl
+  git add -A
+  git commit
+  git format-patch -1
+
+Then run the patch through this script which will build a new tar file.
+EOF
+
+set -e
+edk2_githash=$(awk '/^%global edk2_githash/ {print $3}' edk2.spec)
+openssl_version=$(awk '/^%global openssl_version/ {print $3}' edk2.spec)
+mkdir -p tianocore-openssl-${openssl_version}
+(exec 3> openssl-${openssl_version}-hobbled.tar.xz
+ cd tianocore-openssl-${openssl_version}
+ git init .
+ git config core.whitespace cr-at-eol
+ git config am.keepcr true
+ git am
+ git archive --format=tar --prefix=tianocore-edk2-${edk2_githash}/ \
+  HEAD CryptoPkg/Library/OpensslLib/ | \
+  xz -9ev >&3) < $1
+rm -rf tianocore-openssl-${openssl_version}

update-tarball.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+user="tianocore"
+repo="edk2"
+branch="master"
+
+uri="https://github.com/${user}/${repo}"
+api="${uri/github.com/api.github.com/repos}"
+tar="${uri/github.com/codeload.github.com}/legacy.tar.gz"
+
+if test $# -ge 1; then
+  hash=$1
+  short=$1
+else
+  hash=$(curl -s "${api}/git/refs/heads/${branch}" | grep '"sha"' | cut -d'"' -f4)
+  if test "$hash" = ""; then
+	echo "# failed to fetch $branch hash"
+	exit 1
+  fi
+  short=$(echo $hash | sed -e 's/^\(.......\).*/\1/')
+fi
+
+if test $# = 2; then
+  date=$2
+else
+  date=$(curl -s "${api}/git/commits/$hash" | awk '
+	  /"committer"/	{ c=1 }
+	  /"date"/	{ if (c) { print } }
+  ' | cut -d'"' -f4)
+  date="${date%T*}"
+  date="${date//-/}"
+fi
+
+name="${repo}-${date}-${short}.tar.xz"
+
+if test -f "$name"; then
+	echo "# exists: $name"
+	exit 1
+fi
+
+echo
+echo "# specfile update: version $date, release $short"
+sed -i.old \
+        -e "s/\(%global edk2_date[ \t]\+\)\(.*\)/\1$date/" \
+        -e "s/\(%global edk2_githash[ \t]\+\)\(.*\)/\1$short/" \
+        edk2.spec
+diff -u edk2.spec.old edk2.spec
+
+echo
+echo "# cleanup ..."
+rm -vf ${repo}-*.tar*
+echo "# fetching $name ..."
+curl "$tar/$hash" | zcat | xz -9e > "$name"
+exit 0