v2023020013.1.1

What's Changed

• [CHERRY-PICK] Support building BaseLib for AARCH64 with VC on 202311 (#662) @kuqin12 (#716)
  
  Change Details

    # Preface

  Please ensure you have read the contribution
  docs prior to submitting the pull request. In particular,
  pull request
  guidelines.

  Description

  The existing assembly file for AARCH64 has a direct reference to InternalAssertJumpBuffer, which is an external symbol, thus causing VC to fail compilation for this file.

  The change added the explicit import to resolve the symbol.

  For each item, place an "x" in between [ and ] if true. Example: [x].
  (you can also check items in the GitHub UI)

  • Impacts functionality?
  • Functionality - Does the change ultimately impact how firmware functions?
  • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
  • Security - Does the change have a direct security impact on an application,
    flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter validation improvement, ...
  • Breaking change?
  • Breaking change - Will anyone consuming this change experience a break
    in build or boot behavior?
  • Examples: Add a new library class, move a module to a different repo, call
    a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
  • Documentation - Does the change contain explicit documentation additions
    outside direct code modifications (and comments)?
  • Examples: Update readme file, add feature readme file, link to documentation
    on an a separate Web page, ...

  How This Was Tested

  This change is verified against QemuPkg CI build pipeline.

  Integration Instructions

  N/A

  (cherry picked from commit d51cd1b)
  

  
  

  ---

  
  

🔐 Security Impacting

• CryptoPkg: Update shared crypto to 2023.2.8 @makubacki (#715)
  
  Change Details

    ## Description

  Shared crypto binaries in this release include PEI and Standalone MM
  AARCH64 builds.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  • QemuQ35Pkg and QemuSbsaPkg CI, boot, and tests.
  • Also test new AARCH64 binaries on a physical AARCH64 platform.

  Integration Instructions

  Use the new PEI and Standalone MM AARCH64 binaries if needed for a platform.
  

  
  

  ---

  
  

Full Changelog: v2023020013.1.0...v2023020013.1.1

v2023020013.1.0

What's Changed

🚀 Features & ✨ Enhancements

• Remove requirements on `CRYPTO_SERVICES` and `ARCH` variables @kuqin12 (#710)
  
  Change Details

    ## Description

  The original implementation of autogenerated dsc files is requiring platform owners to define all CRYPTO_SERVICES and ARCH variables when the dsc is included. This would require certain platforms, such as some AARCH64 platforms, to pull in unrelated library instances for BL32 or BL33 only builds.

  This change updated the autogeneration script to only require ARCH when CRYPTO_SERVICES is not NONE, and accordingly only include the needed modules and libraries.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  This was tested

  Integration Instructions

  Platforms can define the CRYPTO_SERVICES to be NONE in order to ignore all the libraries and components of this category.
  

  
  

  ---

  
  

• [CHERRY-PICK] RNG Related Commits (Needed for Arm RngDxe to Work) [Rebase \& FF] @makubacki (#708)
  
  Change Details

    ## Description

  Multiple commits. Some partial cherry-picks due to edk2 commits spanning
  package boundaries (partial between Mu Basecore and Mu Tiano Plus).

  ---

  Fix duplicate GUID in MdePkg BaseRngLibTimerLib

  Prevents a GUID conflict with the instance in MdeModulePkg.

  ---

  [CHERRY-PICK] MdePkg/Rng: Add GetRngGuid() to RngLib

  The EFI_RNG_PROTOCOL can use the RngLib. The RngLib has multiple
  implementations, some of them are unsafe (e.g. BaseRngLibTimerLib).
  To allow the RngDxe to detect when such implementation is used,
  add a GetRngGuid() function to the RngLib.

  Signed-off-by: Pierre Gondois [email protected]
  Reviewed-by: Liming Gao [email protected]
  Reviewed-by: Sami Mujawar [email protected]
  Acked-by: Ard Biesheuvel [email protected]
  Tested-by: Kun Qin [email protected]
  (cherry picked from commit 5443c2d)

  ---

  [CHERRY-PICK] SecurityPkg/SecurityPkg.dec: Move PcdCpuRngSupportedAlgorithm to MdePkg

  In order to use PcdCpuRngSupportedAlgorithm in the MdePkg in a
  following patch and to avoid making the MdePkg dependent on another
  package, move PcdCpuRngSupportedAlgorithm to the MdePkg.

  As the Pcd is only used for AARCH64, place it in an AARCH64
  specific sections.

  Signed-off-by: Pierre Gondois [email protected]
  Reviewed-by: Liming Gao [email protected]
  Reviewed-by: Sami Mujawar [email protected]
  Acked-by: Ard Biesheuvel [email protected]
  Acked-by: Jiewen Yao [email protected]
  Tested-by: Kun Qin [email protected]
  (cherry picked from commit 65b5dd8)

  ---

  [CHERRY-PICK] MdeModulePkg: Duplicate BaseRngLibTimerLib to MdeModulePkg

  BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4504

  The BaseRngLibTimerLib allows to generate number based on a timer.
  This mechanism allows to have a basic non-secure implementation
  for non-production platforms.
  To bind and identify Random Number Generators implementations with
  a GUID, an unsafe GUID should be added. This GUID cannot be added
  to the MdePkg unless it is also added to a specification.

  To keep the MdePkg self-contained, copy the BaseRngLibTimerLib to
  the MdeModulePkg. This will allow to define an unsafe Rng GUID
  in a later patch in the MdeModulePkg.

  The MdePkg implementation will be removed later. This allows to give
  some time to platform owners to switch to the MdeModulePkg
  implementation.

  Signed-off-by: Pierre Gondois [email protected]
  Reviewed-by: Sami Mujawar [email protected]
  Acked-by: Ard Biesheuvel [email protected]
  Tested-by: Kun Qin [email protected]

  ---

  [CHERRY-PICK] SecurityPkg/SecurityPkg.dec: Move PcdCpuRngSupportedAlgorithm to MdePkg

  In order to use PcdCpuRngSupportedAlgorithm in the MdePkg in a
  following patch and to avoid making the MdePkg dependent on another
  package, move PcdCpuRngSupportedAlgorithm to the MdePkg.

  As the Pcd is only used for AARCH64, place it in an AARCH64
  specific sections.

  Signed-off-by: Pierre Gondois [email protected]
  Reviewed-by: Liming Gao [email protected]
  Reviewed-by: Sami Mujawar [email protected]
  Acked-by: Ard Biesheuvel [email protected]
  Acked-by: Jiewen Yao [email protected]
  Tested-by: Kun Qin [email protected]

  (cherry picked from commit 65b5dd8)

  ---

  [CHERRY-PICK] MdeModulePkg/Rng: Add GUID to describe unsafe Rng algorithms

  BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4441

  The EFI_RNG_PROTOCOL can rely on the RngLib. The RngLib has multiple
  implementations, some of them are unsafe (e.g. BaseRngLibTimerLib).
  To allow the RngDxe to detect when such implementation is used,
  a GetRngGuid() function is added in a following patch.

  Prepare GetRngGuid() return values and add a gEdkiiRngAlgorithmUnSafe
  to describe an unsafe implementation, cf. the BaseRngLibTimerLib.

  Signed-off-by: Pierre Gondois [email protected]
  Reviewed-by: Sami Mujawar [email protected]
  Acked-by: Ard Biesheuvel [email protected]
  Tested-by: Kun Qin [email protected]

  ---

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  • Mu Basecore CI.
  • Build QemuQ35Pkg and QemuSbsaPkg IA32, X64, and AARCH64 with the changes.
  • Leverage edk2 upstream testing.

  Integration Instructions

  • Use the gEdkiiRngAlgorithmUnSafe if needed to integrate other code changes.
    

  
  

  ---

🐛 Bug Fixes

• [CHERRY-PICK] StandaloneMmPkg/Core: Remove optimization for depex evaluation @makubacki (#706)
  
  Change Details

    ## Description

  The current dependency evaluator violates the memory access permission
  when patching depex grammar directly in the read-only depex memory area.

  Laszlo pointed out the optimization issue in the thread (1) "Memory
  Attribute for depex section" and provided suggested patch to remove the
  perf optimization.

  In my testing, removing the optimization does not make significant perf
  reduction. That makes sense that StandaloneMM dispatcher only searches
  in MM protocol database and does not depend on UEFI/DXE protocol
  database. Also, we don't have many protocols in StandaloneMM like
  UEFI/DXE.

  From Laszlo,

  "The patch removes the EFI_DEP_REPLACE_TRUE handling altogether, plus it
  CONST-ifies the Iterator pointer (which points into the DEPEX section),
  so that the compiler catch any possible accesses at build time that
  would write to the write-protected DEPEX memory area."

  (1) https://edk2.groups.io/g/devel/message/113531

  Signed-off-by: Nhi Pham [email protected]
  Tested-by: levi.yun [email protected]
  Reviewed-by: levi.yun [email protected]
  Reviewed-by: Ray Ni [email protected]

  (cherry picked from commit 2ddae5d)

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security imp...

v2023020013.0.0

What's Changed

• [CHERRY-PICK] .pytool/Plugin: UncrustifyCheck: use stat instead of os.stat @Javagedes (#691)
  
  Change Details

    ## Description

  The UncrustifyCheck plugin passes os.stat.S_IWRITE to os.chmod, when attempting to change file permissions. os.stat.S_IWRITE does not exist as os.stat is a function. The correct value is stat.S_IWRITE.

  Cc: Liming Gao [email protected]
  Cc: Michael D Kinney [email protected]
  Cc: Sean Brogan [email protected]
  Reviewed-by: Michael D Kinney [email protected]

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Verified that when failing, the failure is no longer overshadowed by the exception thrown for S_IWRITE not existing.

  Integration Instructions

  N/A
  

  
  

  ---

  
  

⚠️ Breaking Changes

• Update pytool dependency @Javagedes (#688)
  
  Change Details

    ## Description

  Integrates edk2-pytool-extensions 0.27.0 and edk2-pytool-library 0.20.0, which overhauls the database functionality to use an ORM for managing the database schema and access to the database.

  Updates the only plugin in MU_BASECORE that uses the database functionality, HostBasedUnitTestRunner.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Verified HostBaseUnitTestRunner works as expected with CC_REORGANIZE=TRUE, which results in the Edk2DB functionality being used.

  Integration Instructions

  HostBasedUnitTestRunner will continue to work in the default configuration, but setting CC_REORGANIZE=TRUE on the command line will not work unless the consuming repository also updates the below:
   

  • Update edk2-pytool-extensions >= v0.27.0
  • Update edk2-pytool-library to >= v0.20.0
    

  
  

  ---

🚀 Features & ✨ Enhancements

• [CHERRY-PICK] CryptoPkg/generate\_cryptodriver.py: Add PEI and Standalone MM AARCH64 support @makubacki (#698)
  
  Change Details

    ## Description

  Generates shared crypto files for PEI and Standalone MM AARCH64.

  This will be used for an upcoming binary release from
  mu_crypto_release

  (cherry picked from commit 440050a)

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  • Verified PEI and Standalone MM AARCH64 files are produced in generated output.

  Integration Instructions

  • Use the PEI and Standalone MM AARCH64 binaries if needed for a platform following
    the normal shared binary integration instructions.
    

  
  

  ---

• [CHERRY-PICK] MdePkg/CompilerIntrinsicsLib: Add IntrinsicLib class and strcmp @makubacki (#703)
  
  Change Details

    ## Description

  Adds the IntrinsicLib library class to allow the library to satisfy
  dependencies on that class where needed.

  Adds a strcmp implementation which is needed when building OpenSSL
  for AARCH64 (with Visual Studio or GCC).

  (cherry picked from commit dea7433)

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  • Build OpensslPkg with VS for IA32, X64, and AARCH64
  • Build OpensslPkg with GCC for IA32, X64, and AARCH64
  • Verify intrinsic linking is satisfied

  Integration Instructions

  • Use where IntriniscLib is needed if applicable
  • Backward compatible
    

  
  

  ---

🐛 Bug Fixes

• [CHERRY-PICK] CryptoPkg/generate\_cryptodriver.py: Fix Crypto protocol include path @makubacki (#697)
  
  Change Details

    ## Description

  The CryptoPkg/Private directory no longer exists. Replace with
  the EDK II Crypto protocol definition in CryptoPkg/Include/Protocol which
  is identical.

  (cherry picked from commit 46a55e1)

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests,...

v2023020012.0.1

What's Changed

• [REBASE \&\& FF] Compatibility Mode Updates @TaylorBeebe (#683)
  
  Change Details

    ## Description

  Patches:

  1. Linux shim currently incorrectly uses the UEFI memory attribute protocol causing a page fault. The broken shim does not have the NXCOMPAT flag, so compatibility mode can be used to uninstall the protocol when it is loaded. For flexibility, this patch adds a policy configuration option to allow platforms to choose not to install the protocol.

  2. Because the memory attribute protocol may not be present on the platform, this update uses the cpu arch protocol to update the attributes of the AP buffer to avoid a fault when executing the wakeup function.

  3. As described in the enhanced memory protection document, entering compatibility mode maps page zero, no longer applies attributes to loaded images, allocates memory as RWX, and uninstalls the memory attribute protocol. This patch implements compatibility mode in the DXE Core as it is currently defined. Compatiblity mode is triggered when a non-NXCOMPAT image is loaded.

  4. Renames the MemoryAttributeProtocol global to mMemoryAttributeProtocol.

  These changes were tested on Q35 by booting to Windows and on SBSA by booting to Ubuntu with a shim which misuses the memory attribute protocol and is not NX compatible.
  

  
  

  ---

  
  

Full Changelog: v2023020012.0.0...v2023020012.0.1

v2023020012.0.0

What's Changed

⚠️ Breaking Changes

• Remove the openssl library and it's associated files from CryptoPkg. @kenlautner (#680)
  
  Change Details

    ## Description

  Project MU has encouraged the use of a crypto binaries for several years now but has allowed platforms to use the traditional DIY crypto implementations if they want to. This change finally removes Openssl from CryptoPkg along with its associated wrapper libraries and the BaseCryptLib implementation of it. Only the NULL implementation of BaseCryptLib will be available by default in CryptoPkg but it outlines the APIs to use for platforms.

  All Openssl files have been moved to the MU_CRYPTO_RELEASE repo that you can find here

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Tested on Intel physical platforms and the Q35 QEMU virtual platform.

  Integration Instructions

  First you'll need to remove all references to the OpensslLib and IntrinsicLib libraries in your platform dsc file. Additionally, any non-NULL instance of BaseCryptLib needs to removed as well.

  To use the crypto binary you need to make a few adjustments on your platform:

  1. Define the service level that you want for each phase of UEFI in the defines sections of your DSC.

      [Defines]
          DEFINE PEI_CRYPTO_SERVICES = TINY_SHA
          DEFINE DXE_CRYPTO_SERVICES = STANDARD
          DEFINE SMM_CRYPTO_SERVICES = STANDARD
          DEFINE STANDALONEMM_CRYPTO_SERVICES = STANDARD
          DEFINE PEI_CRYPTO_ARCH = IA32
          DEFINE DXE_CRYPTO_ARCH = X64
          DEFINE SMM_CRYPTO_ARCH = X64
          DEFINE STANDALONEMM_CRYPTO_ARCH = X64
  

  2. Add the DSC include.

     !include CryptoPkg/Driver/Bin/CryptoDriver.inc.dsc

  3. Add the FDF includes to your platform FDF.

      [FV.FVBOOTBLOCK]
      !include CryptoPkg/Driver/Bin/CryptoDriver.PEI.inc.fdf
  
      [FV.FVDXE]
        !include CryptoPkg/Driver/Bin/CryptoDriver.DXE.inc.fdf
        !include CryptoPkg/Driver/Bin/CryptoDriver.SMM.inc.fdf
        !include CryptoPkg/Driver/Bin/CryptoDriver.STANDALONEMM.inc.fdf
  

  For the fdf includes you don't need both the STANDALONEMM and SMM versions. You typically should include only one of them.
  

  
  

  ---

  
  

• BaseTools: Add Cargo Feature support for build @Javagedes (#682)
  
  Change Details

    ## Description

  Adds build support for setting cargo features via EDKII Feature Pcds.
  Adds a new makefile variable, CARGO_FEATURES [a comma separated list]
  that is generated per module based on any FeaturePcds in the INF that
  are enabled. any build rule can consume this makefile variable.

  Updates the build rules for building rust crates to consume this
  variable.

  Updates cargo make's config to pass the variable to the underlying
  build command.

  WARNING: Makefile.toml will be updated via mu_devops (microsoft/mu_devops#298)

  diff --git a/.sync/rust_config/Makefile.toml b/.sync/rust_config/Makefile.toml
  index 3019bc95..fdcf5643 100644
  --- a/.sync/rust_config/Makefile.toml
  +++ b/.sync/rust_config/Makefile.toml
  @@ -7,6 +7,7 @@ RUSTC_BOOTSTRAP = 1
   ARCH = "X64"
   TARGET_TRIPLE = { source = "${ARCH}", mapping = { "X64" = "x86_64-unknown-uefi", "IA32" = "i686-unknown-uefi", "AARCH64" = "aarch64-unknown-uefi", "LOCAL" = "${CARGO_MAKE_RUST_TARGET_TRIPLE}" }, condition = { env_not_set = [ "TARGET_TRIPLE" ] } }
   
  +CARGO_FEATURES_FLAG = {value = "--features ${FEATURES}", condition = {env_set = ["FEATURES"], env_true = ["FEATURES"]}}
   BUILD_FLAGS = "--profile ${RUSTC_PROFILE} --target ${TARGET_TRIPLE} -Zbuild-std=core,compiler_builtins,alloc -Zbuild-std-features=compiler-builtins-mem -Zunstable-options --timings=html"
   TEST_FLAGS = { value = "", condition = { env_not_set = ["TEST_FLAGS"] } }
   COV_FLAGS = { value = "--out html --exclude-files **/tests/*", condition = { env_not_set = ["COV_FLAGS"] } }
  @@ -47,15 +48,17 @@ description = """Builds a single rust package.
   Customizations:
       -p [development|release]: Builds in debug or release. Default: development
       -e ARCH=[IA32|X64|AARCH64|LOCAL]: Builds with specifed arch. Default: X64
  +    -e FEATURES=[feature,...]: Builds with the specified features. Default: none
   
   Example:
       `cargo make build RustModule`
       `cargo make -p release build RustModule`
       `cargo make -e ARCH=IA32 build RustLib`
  +    `cargo make -e FEATURES=feature1,feature2 build RustLib`
   """
   clear = true
   command = "cargo"
  -args = ["build", "@@split(INDIVIDUAL_PACKAGE_TARGETS, )", "@@split(BUILD_FLAGS, )"]
  +args = ["build", "@@split(INDIVIDUAL_PACKAGE_TARGETS, )", "@@split(BUILD_FLAGS, )", "@@split(CARGO_FEATURES_FLAG, ,remove-empty)"]
   dependencies = ["individual-package-targets"]
   
   [tasks.check]

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Created a featurePCD and ensured that the rust feature is passed to cargo. Ensured that when the featurepcd is set to true, the feature is enabled in cargo. Ensured that when the featurepcd is set to false, the feature is not enabled in cargo.

  Integration Instructions

  Developers will need to complete the following:

  1. Remove the temporary Conf file, so that it can be repopulated.
  2. Update consuming repository's Makefile.toml from mu_devops.

  ---

🔐 Security Impacting

• Remove the openssl library and it's associated files from CryptoPkg. @kenlautner (#680)
  
  Change Details

    ## Description

  Project MU has encouraged the use of a crypto binaries for several years now but has allowed platforms to use the traditional DIY crypto implementations if they want to. This change finally removes Openssl from CryptoPkg along with its associated wrapper libraries and the BaseCryptLib implementation of it. Only the NULL implementation of BaseCryptLib will be available by default in CryptoPkg but it outlines the APIs to use for platforms.

  All Openssl files have been moved to the MU_CRYPTO_RELEASE repo that you can find here

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (...

v2023020011.0.0

What's Changed

• CryptoPkg/OpensslLibFull: Add Arm CC flags @makubacki (#679)
  
  Change Details

    ## Description

  A number of flags are needed to successfully build OpenSSL code. For
  example, the code triggers several Visual Studio warnings. This
  change brings the CC flags already present in other crypto lib INFs
  to the OpensslLibFull instance.

  This allows the library instance to compile on VS(2022) for AARCH64.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  • AARCH64 build with VS2022. Fails before due to compiler warnings, passes after.

  Integration Instructions

  N/A - Impacts module build specific to VS toolchain and Arm architecture. Adds
  support without impacting existing builds.
  

  
  

  ---

  
  

• Fix Incorrect Mock RNG Prototypes @Flickdm (#672)
  
  Change Details

    # Preface

  Description

  Corrects and error with the MOCK Rng Prototypes

  For each item, place an "x" in between [ and ] if true. Example: [x].
  (you can also check items in the GitHub UI)

  • Impacts functionality?
    • No
  • Impacts security?
    • No
  • Breaking change?
    • No
  • Includes tests?
    • No
  • Includes documentation?
    • No

  How This Was Tested

  Unit tests in a private repository

  Integration Instructions

  N/A
  

  
  

  ---

  
  

• .git-blame-ignore-revs: Ignore Line Ending and Uncrustify only commits @makubacki (#670)
  
  Change Details

    ## Description

  Adds commits that only applied Uncrustify formatting or converted
  line endings to a .git-blame-ignore-revs file so they are ignored
  by git blame. This is supported by GitHub:
  https://github.blog/changelog/2022-03-24-ignore-commits-in-the-blame-view-beta/

  This helps clean up git blame by filtering out these changes.

  Note: This file needs to be updated on rebase branches. Processes
  like filter-branch can automatically update relevant SHAs.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  • git blame

  Integration Instructions

  N/A
  

  
  

  ---

  
  

⚠️ Breaking Changes

• CryptoPkg: Add Standalone MM Crypto Support [Rebase \& FF] @makubacki (#676)
  
  Change Details

    ## Description

  Contributes to microsoft/mu_crypto_release#46

  1. CryptoPkg: Add CryptoStandaloneMm and StandaloneMmCryptLib

  Adds a Standalone MM instance of BaseCryptLib intended to only be
  used with the CryptoStandaloneMm driver added. The library instance
  can be linked against Standalone MM drivers to the use the
  gEdkiiSmmCryptoProtocolGuid protocol instance produced by
  CryptoStandaloneMm.

  2. CryptoPkg: Generate unique include FDF files per PI phase

  Removes the "BOOTBLOCK" file that served as PEI previously and
  instead use a straightforward mapping of PI phase to include.

  This allows PI phases supported in thee future such as Standalone
  MM to seamlessly have a FDF generated that is separated from DXE
  and SMM. It also simplifies integration.

  3. CryptoPkg: Add Standalone MM shared binary build file generation

  Adds support to update the include DSC/FDF files for including
  Standalone MM binaries and generate Standalone MM INFs.

  4. CryptoPkg: Add Standalone MM shared binary build file generation

  Adds support to update the include DSC/FDF files for including
  Standalone MM binaries and generate Standalone MM INFs.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  • Standalone MM driver build
  • Standalone MM driver runtime dispatch on physical and virtual X64 platform
  • Standalone MM UEFI variable driver usage of gEdkiiSmmCryptoProtocolGuid

  Integration Instructions

  Include file changes:

  • [BREAKING CHANGE]: CryptoDriver.BOOTBLOCK.inc.fdf is removed (renamed to CryptoDriver.PEI.inc.fdf)
  • [BREAKING CHANGE]: CryptoDriver.DXE.inc.fdf no longer includes SMM (DXE_SMM_DRIVER) modules by default
  • CryptoDriver.SMM.inc.fdf is new and contains SMM modules (DXE_SMM_DRIVER)
  • CryptoDriver.STANDALONEMM.inc.fdf is new and contains Standalone MM modules (MM_STANDALONE)

  Update platform FDF files to include the renamed BOOTBLOCK file.
  Include either the SMM or STANDALONEMM file based on platform need.

  ---

  A new build rule may be needed in a platform FDF to integrate Standalone MM binaries. An
  example to use the Standalone MM shared crypto driver is shown below:

  [Rule.Common.MM_STANDALONE.BINARY]
    FILE MM_STANDALONE = $(NAMED_GUID) {
      SMM_DEPEX SMM_DEPEX Optional      |.depex
      PE32      PE32                    |.efi
      UI        STRING="$(MODULE_NAME)" Optional
      VERSION   STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
    }
  

  Note that the Standalone MM binaries are compiled with libraries specific to the Project Mu
  MM Supervisor.
  

  
  

  ---

  
  

🔐 Security Impacting

• CryptoPkg: Update shared crypto to 2023.2.6 @makubacki (#681)
  
  Change Details

    ## Description

  Crypto binaries in this release include Mu Basecore up to
  v2023020010.0.0 and Standalone MM binaries.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      ...

v2023020010.0.0

What's Changed

• Adding MockRNG to the Google Test Mock @Flickdm (#668)
  
  Change Details

    # Preface

  Please ensure you have read the contribution docs prior
  to submitting the pull request. In particular,
  pull request guidelines.

  Description

  Adds MockRNG to the Google Test Mock

  For each item, place an "x" in between [ and ] if true. Example: [x].
  (you can also check items in the GitHub UI)

  • Impacts functionality?
    • Functionality - No
  • Impacts security?
    • Security - No
  • Breaking change?
    • Breaking change - No
  • Includes tests?
    • Tests - No
  • Includes documentation?
    • Documentation - No

  How This Was Tested

  Local Tests

  Integration Instructions

  N/A
  

  
  

  ---

  
  

• Don't Assert if InitializeSeparateExceptionStacks() Fails @TaylorBeebe (#669)
  
  Change Details

    ## Description

  ARM platforms don't initialize separate exception stacks. The ARM CpuExceptionHandler libraries always return EFI_SUCCESS in InitializeSeparateExceptionStacks() to sidestep this exception. To accommodate the use of the NULL library instance which returns EFI_UNSUPPORTED, just print an error when the routine fails.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Tested on a Surface ARM platform

  Integration Instructions

  N/A
  

  
  

  ---

  
  

• FdSizeReport: Handle empty FV sections in Build Report @Javagedes (#664)
  
  Change Details

    ## Description

  Updates the FdSizeReportGenerator to handle the scenario where the build report contains an empty FD region.

  This scenario was not previously seen but has been verified and has been noted to happen when a nested FV does not contain any modules. In this scenario, the "Size: " line is not present and there is no subsection table where the included files would normally be present.

  Example of empty FD region:

  >----------------------------------------------------------------------------------------------------------------------<
  Nested FV
  Type:               FV
  Base Address:       0x0
  <---------------------------------------------------------------------------------------------------------------------->
  

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Reproduced error on partner platform and verified changes resolved the issue.

  Integration Instructions

  N/A
  

  
  

  ---

  
  

• BaseTools: Fix raw strings containing valid escape characters @Javagedes (#663)
  
  Change Details

    ## Description

  Fixes raw regex strings that contain valid (and purposeful) escape characters as they are being treated as individual characters rather than the single escaped character they represent (i.e. '\t' is being treated as a '\' and a 't' rather than a single tab character).

  Note: This is the same patch series being added via https://edk2.groups.io/g/devel/message/112986, but seeing as this is a breaking change being seen by partners, I figured we should get this into MU_BASECORE as quickly as possible.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Verified on multiple partner platforms

  Integration Instructions

  N/A
  

  
  

  ---

  
  

⚠️ Breaking Changes

• Cherry pick and apply uncrustify changes @VivianNK (#609)
  
  Change Details

    ## Description

  Cherry pick uncrustify changes for cpp from edk2 and apply them to relevant files.

  • Impacts functionality?

    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...

  • Impacts security?

    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...

  • Breaking change?

    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Implements new uncrustify standard that needs to be applied to all .cpp files and some cpp-related .h files(GoogleTests). Will need to update the following repos:
      • mu feature config (not dependent on this PR - only cpp file changes) PR
      • mu feature ipmi (not dependent on this PR - only cpp file changes) PR
      • mu tiano plus Draft PR

  • Includes tests?

    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...

  • Includes documentation?

    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Local CI build

  Integration Instructions

  WIll need to have up to date mu_tiano_plus branch once merged.
  

  
  

  ---

  
  

🐛 Bug Fixes

• Ensure Stack Guard Init is Performed Regardless of Platform NX Policy @TaylorBeebe (#671)
  
  Change Details

    ## De...

v2023020009.0.3

What's Changed

• Update iasl ext dep to 20230628 @Javagedes (#658)
  
  Change Details

    ## Description

  Updates the default iasl external dependency from 20210105 to 20230628.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  • mu_basecore: CI Pipelines
  • mu_tiano_platforms: QemuQ35, QemuSbsa

  Integration Instructions

  N/A

    </blockquote>
    <hr>
  </details>
  

• [CHERRY-PICK] BaseTools: Resolve regex syntax warnings @Javagedes (#659)
  
  Change Details

    ## Description

  Switches regex patterns to raw text to resolve python 3.12 syntax warnings in regards to invalid escape sequences, as is suggested by the re (regex) module in python.

  Cc: Rebecca Cran [email protected]
  Cc: Liming Gao [email protected]
  Cc: Bob Feng [email protected]
  Cc: Yuwei Chen [email protected]

  Reviewed-by: Rebecca Cran [email protected]

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  N/A

  Integration Instructions

  N/A

    </blockquote>
    <hr>
  </details>
  

• release-basetools.yml: Update for compatibility with v4 GitHub actions @makubacki (#655)
  
  Change Details

    ## Description

  Commit edd2738 updated the actions/download-artifact GitHub action
  in this workflow to v4. Both actions/download-artifact and
  actions/upload-artifact recently released a v4 version with
  significant breaking changes.

  Relevant to this workflow and this change, is that a v4 download
  action must be paired with a v4 upload action. See:
  https://github.com/actions/download-artifact?tab=readme-ov-file#v4---whats-new

  Breaking Changes

  1. On self hosted runners, additional firewall rules may be required.
  2. Downloading artifacts that were created from
     action/upload-artifact@v3 and below are not supported.

  This results in the release-basetools.yml workflow currently
  failing when attempting to download the artifacts in the publish
  step (which only runs on a GitHub publish event - not tested in PRs).

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Ran workflow skipping conditional on publish step on my mu_basecore fork.

  Integration Instructions

  N/A
  

  
  

  ---

  
  

Full Changelog: v2023020009.0.2...v2023020009.0.3

v2023020009.0.2

What's Changed

• Remake fdsizereportgenerator @Javagedes (#647)
  
  Change Details

    ## Description

  Re-writes most of the FDSizeReportGenerator Plugin to enable support accurately showing multiple FDs in a single FDF file. Previously, only the first FD detected was used for generating the report. While all regions would be shown, the offsets were based off the first FD and would be innacurate. This resolves #644

  Before Report

  

  After Report

  

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Verified report is correctly generated both via the plugin and command line. Verified report generates for multiple different platforms.

  Integration Instructions

    </blockquote>
    <hr>
  </details>
  

• Bugfix rust module incremental build support @Javagedes (#649)
  
  Change Details

    ## Description

  Previously, the incremental build support for rust modules was broken because the previous attempt of updating the last modified time using utime() was not permanent (for an unknown reason). This commit does two things:

  1. Updates the logic to use pathlib.Path's touch() function, which has proven to reliably update the last modified time of the file.

  2. Always touch the toml file instead of checking to see if any of the rust files has been touched since the last build. The previous logic was unnecessary complicated because the cargo build system will decide if a re-build is necessary, and make will only copy the file if the efi has changed.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  1. Verified changes to a rust module propagated into the final firmware.
  2. Verified changes to a rust library propagated to a rust module that then also propagated into the final firmware.
  3. Verified that making no changes to a rust module or library resulted in cargo build skipping the re-build and the final efi remained the same exact efi of the previous build (efi was not modified or re-copied)

  This was verified on Windows and Ubuntu 22.04

  Integration Instructions

  Clear your Conf folder
  

  
  

  ---

  
  

• Update CodeQL CLI from v2.14.5 to v2.15.4 @makubacki (#648)
  
  Change Details

    ## Description

  Updates to latest to fix numerous bugs. Complete set of changes:

  github/codeql-cli-binaries@v2.14.5...v2.15.4

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  GitHub CodeQL workflows.

  Integration Instructions

  N/A
  

  
  

  ---

  
  

Full Changelog: v2023020009.0.1...v2023020009.0.2

v2023020009.0.1

What's Changed

• Added codeql fixes to DxeCorePerformanceLib.c @kenlautner (#636)
  
  Change Details

    ## Description

  Addressed some codeql errors in DxeCorePerformanceLib.c. Nothing functionally has changed as a null module name being returned is being accounted for already.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Tested on an intel physical platform.

  Integration Instructions

  N/A
  

  
  

  ---

  
  

• [CHERRY-PICK] MdePkg: Add ProcessorUpgradeSocket definitions from SMBIOS 3.7.0 @apop5 (#641)
  
  Change Details

    ## Description

  Add newer Smbios 3.7 enums to PROCESSOR_UPGRADE in MdePkg/Include/IndustryStandard/Smbios.h

  This patch adds below definitions from SMBIOS 3.7.0 into Smbios.h

  • ProcessorUpgradeSocketAM5
  • ProcessorUpgradeSocketSP5
  • ProcessorUpgradeSocketSP6
  • ProcessorUpgradeSocketBGA883
  • ProcessorUpgradeSocketBGA1190
  • ProcessorUpgradeSocketBGA4129
  • ProcessorUpgradeSocketLGA4710
  • ProcessorUpgradeSocketLGA7529

  Reviewed-by: Star Zeng [email protected]
  Reviewed-by: Liming Gao [email protected]

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Verified build with just cherry pick of updated enum.

  Integration Instructions

  n/a
  

  
  

  ---

  
  

• Restrict Module Types for Stack Cookie Libraries in MdeLibs.dsc.inc to Exclude HOST\_APPLICATION @TaylorBeebe (#639)
  
  Change Details

    ## Description

  Specify the module types for stack cookie libraries to include all but HOST_APPLICATION to prevent conflict with the C runtime stack cookie logic linked in via the standard lib.

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentation
      on an a separate Web page, ...

  How This Was Tested

  Building Q35

  Integration Instructions

  N/A
  

  
  

  ---

  
  

🔐 Security Impacting

• [REBASE \&\& FF] Update GetMemoryMapWithPopulatedAccessAttributes() to Defer Free/Allocate Calls, Improve Documentation @TaylorBeebe (#613)
  
  Change Details

    ## Description

  During the initialization of the memory protection, a complete map
  of system memory is created via a call toGetMemoryMapWithPopulatedAccessAttributes().
  The first step of the function was to fetch the EFI memory map and subsequent
  steps manipulated it to create the output. The subsequent steps included
  freeing and allocating memory which potentially changed the memory
  layout and caused the output memory map to be incorrect. Because
  allocating and freeing memory only transitions memory type between
  EfiConventionalMemory and EfiBootServicesMemory (which are required
  to have the same memory protection policy), this nuance didn't matter.
  However, as the DXE core is updated to support more strict protections
  on free memory, this nuance will matter.

  This patch updates the GetMemoryMapWithPopulatedAccessAttributes()
  routine to calculate and allocate all required memory before
  fetching the EFI memory map used in the output, and adds a function
  to free that memory once the caller is done with the ouput.

  Also, to improve the long-term maintainability of the memory protection
  support code, this change adds code documentation in the form of inline
  comments to the memory protection initialization logic.

  Test Case 1:
  
  The only difference between before and after this change set is the absence of an EfiConventionalMemory section. The post-changes on the right prints out the location of the allocated memory map and bitmap which is where the EfiConventionalMemory section used to be. In reality, both memory maps have essentially the same layout, but the memory map post-changes accurately reflects the actual memory map because no allocations or frees are done during its creation.

  Test Case 2:
  
  Same explanation as above with image protection on.

• Check for Clang and GCC Support When Defining NO\_STACK\_COOKIE @TaylorBeebe (#640)
  
  Change Details

    ## Description

  Older versions of Clang and GCC don't support the no_stack_protector attribute. To determine if the attribute is supported for the active Clang toolchain, the __has_attribute() language extension can be used. To determine support for GCC, the major version can be checked. According to the docs, the earliest version which supported the attribute was v11: https://gcc.gnu.org/onlinedocs/gcc-11.4.0/gcc/Common-Function-Attributes.html

  • Impacts functionality?
    • Functionality - Does the change ultimately impact how firmware functions?
    • Examples: Add a new library, publish a new PPI, update an algorithm, ...
  • Impacts security?
    • Security - Does the change have a direct security impact on an application,
      flow, or firmware?
    • Examples: Crypto algorithm change, buffer overflow fix, parameter
      validation improvement, ...
  • Breaking change?
    • Breaking change - Will anyone consuming this change experience a break
      in build or boot behavior?
    • Examples: Add a new library class, move a module to a different repo, call
      a function in a new library class in a pre-existing module, ...
  • Includes tests?
    • Tests - Does the change include any explicit test code?
    • Examples: Unit tests, integration tests, robot tests, ...
  • Includes documentation?
    • Documentation - Does the change contain explicit documentation additions
      outside direct code modifications (and comments)?
    • Examples: Update readme file, add feature readme file, link to documentati...