Hello community,

here is the log from the commit of package ovmf for openSUSE:Factory checked in at 2026-03-31 15:46:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ovmf (Old)
 and /work/SRC/openSUSE:Factory/.ovmf.new.1999 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ovmf" Tue Mar 31 15:46:37 2026 rev:133 rq:1343844 version:202602 Changes: -------- --- /work/SRC/openSUSE:Factory/ovmf/ovmf.changes 2026-03-17 19:04:55.481733814 +0100 +++ /work/SRC/openSUSE:Factory/.ovmf.new.1999/ovmf.changes 2026-03-31 15:49:25.492295721 +0200 
@@ -1,0 +2,23 @@ +Tue Mar 31 06:41:39 UTC 2026 - Richard Lyu <[email protected]> + +- Add ovmf-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch (bsc#1260358, bsc#1259826) + - Since d2cbaefc0822 (flip EnableLegacyLoader to false), shim is + required for direct kernel boot with Secure Boot to avoid CVE-2025-2296. + - While libvirt >= v11.2.0 and qemu >= 10.0 support the shim option, + the latest version of virt-install remains incompatible. + - Upstream plans to remove the legacy loader in 1-2 years (dropping + X86QemuLoadImageLib in favor of GenericQemuLoadImageLib). + - Revert this patch as a workaround. + +------------------------------------------------------------------- +Tue Mar 31 06:26:14 UTC 2026 - Richard Lyu <[email protected]> + +- Add ovmf-ArmPkg-CpuDxe-Support-multiple-entries-in-RegionIsSy.patch (bsc#1259640) + - The check performed by RegionIsSystemMemory is not necessarily limited to a single entry + of type EfiGcdSystemMemory in the GCD memory map. For example, when a memory region spans + multiple contiguous GCD entries, the current implementation returns False even though the + entire range is system memory. + - Therefore, this modification expands the RegionIsSystemMemory check to support multiple + contiguous entries. 
+ +------------------------------------------------------------------- +++ only whitespace diff in changes, re-diffing New: ---- ovmf-ArmPkg-CpuDxe-Support-multiple-entries-in-RegionIsSy.patch ovmf-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch ----------(New B)---------- New:/work/SRC/openSUSE:Factory/.ovmf.new.1999/ovmf.changes- /work/SRC/openSUSE:Factory/.ovmf.new.1999/ovmf.changes:- Add ovmf-ArmPkg-CpuDxe-Support-multiple-entries-in-RegionIsSy.patch (bsc#1259640) /work/SRC/openSUSE:Factory/.ovmf.new.1999/ovmf.changes- - The check performed by RegionIsSystemMemory is not necessarily limited to a single entry New:/work/SRC/openSUSE:Factory/.ovmf.new.1999/ovmf.changes- /work/SRC/openSUSE:Factory/.ovmf.new.1999/ovmf.changes:- Add ovmf-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch (bsc#1260358, bsc#1259826) /work/SRC/openSUSE:Factory/.ovmf.new.1999/ovmf.changes- - Since d2cbaefc0822 (flip EnableLegacyLoader to false), shim is ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ovmf.spec ++++++ --- /var/tmp/diff_new_pack.4791P6/_old 2026-03-31 15:49:27.432376894 +0200 +++ /var/tmp/diff_new_pack.4791P6/_new 2026-03-31 15:49:27.432376894 +0200 @@ -1,7 +1,7 @@ # # spec file for package ovmf # -# Copyright (c) 2026 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -88,6 +88,11 @@ Patch18: %{name}-Revert-UefiCpuPkg-BaseRiscV64CpuTimerLib-Add-constru.patch # https://github.com/tianocore/edk2/pull/12248 Patch19: %{name}-OvmfPkg-RiscVVirt-PlatformPei-Do-not-set-PcdTpmBaseA.patch +# Bug 1259640 - OVMF crashes when exiting from aarch64 GRUB +Patch20: %{name}-ArmPkg-CpuDxe-Support-multiple-entries-in-RegionIsSy.patch +# Bug 1260358 - [SLES][16.1][Build33.1][x86_64][kvm] Fail to install uefi 15-SP7 vm +# Bug 1259826 - latest version of ovmf package dont support -kernel -initrd options +Patch21: %{name}-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch BuildRequires: bc BuildRequires: cross-arm-binutils BuildRequires: cross-arm-gcc%{gcc_version} ++++++ uefi-shell.spec ++++++ --- /var/tmp/diff_new_pack.4791P6/_old 2026-03-31 15:49:27.464378233 +0200 +++ /var/tmp/diff_new_pack.4791P6/_new 2026-03-31 15:49:27.468378401 +0200 @@ -1,7 +1,7 @@ # # spec file for package uefi-shell # -# Copyright (c) 2026 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++++++ ovmf-ArmPkg-CpuDxe-Support-multiple-entries-in-RegionIsSy.patch ++++++ >From 11d4c6633ae00b1dc25fd288f5452a955c21bc97 Mon Sep 17 00:00:00 2001 From: Richard Lyu <[email protected]> Date: Mon, 30 Mar 2026 16:33:38 +0800 Subject: [PATCH] ArmPkg/CpuDxe: Support multiple entries in RegionIsSystemMemory check The check performed by RegionIsSystemMemory is not necessarily limited to a single entry of type EfiGcdSystemMemory in the GCD memory map. For example, when a memory region spans multiple contiguous GCD entries, the current implementation returns False even though the entire range is system memory. Therefore, this modification expands the RegionIsSystemMemory check to support multiple contiguous entries. 
Signed-off-by: Richard Lyu <[email protected]> --- ArmPkg/Drivers/CpuDxe/MemoryAttribute.c | 29 ++++++++++++++----------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/ArmPkg/Drivers/CpuDxe/MemoryAttribute.c b/ArmPkg/Drivers/CpuDxe/MemoryAttribute.c index c77feb848c45..927f0d2b7ee9 100644 --- a/ArmPkg/Drivers/CpuDxe/MemoryAttribute.c +++ b/ArmPkg/Drivers/CpuDxe/MemoryAttribute.c @@ -9,7 +9,7 @@ #include "CpuDxe.h" /** - Check whether the provided memory range is covered by a single entry of type + Check whether the provided memory range is covered by one or more entries of type EfiGcdSystemMemory in the GCD memory map. @param BaseAddress The physical address that is the start address of @@ -26,22 +26,25 @@ RegionIsSystemMemory ( ) { EFI_GCD_MEMORY_SPACE_DESCRIPTOR GcdDescriptor; - EFI_PHYSICAL_ADDRESS GcdEndAddress; + EFI_PHYSICAL_ADDRESS CurrentAddress; + EFI_PHYSICAL_ADDRESS EndAddress; EFI_STATUS Status; - Status = gDS->GetMemorySpaceDescriptor (BaseAddress, &GcdDescriptor); - if (EFI_ERROR (Status) || - (GcdDescriptor.GcdMemoryType != EfiGcdMemoryTypeSystemMemory)) - { - return FALSE; - } + CurrentAddress = BaseAddress; + EndAddress = BaseAddress + Length; - GcdEndAddress = GcdDescriptor.BaseAddress + GcdDescriptor.Length; + while (CurrentAddress < EndAddress) { + Status = gDS->GetMemorySpaceDescriptor (CurrentAddress, &GcdDescriptor); + if (EFI_ERROR (Status) || + (GcdDescriptor.GcdMemoryType != EfiGcdMemoryTypeSystemMemory)) + { + return FALSE; + } + + CurrentAddress = GcdDescriptor.BaseAddress + GcdDescriptor.Length; + } - // - // Return TRUE if the GCD descriptor covers the range entirely - // - return GcdEndAddress >= (BaseAddress + Length); + return TRUE; } /** -- 2.51.0 ++++++ ovmf-Revert-OvmfPkg-X86QemuLoadImageLib-flip-default-for-.patch ++++++ >From bbc5624b80dc99b96e9f39f0c998327f66b3b146 Mon Sep 17 00:00:00 2001 
From: Richard Lyu <[email protected]> Date: Tue, 31 Mar 2026 14:16:03 +0800 Subject: [PATCH] Revert "OvmfPkg/X86QemuLoadImageLib: flip default for EnableLegacyLoader to false" This reverts commit d2cbaefc082294eadaa30a3d5f0fa8ba264a574a. --- .../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 2 +- OvmfPkg/RUNTIME_CONFIG.md | 15 ++++++--------- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c index e888ac1a97ac..4679a7b8b12d 100644 --- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c +++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c @@ -444,7 +444,7 @@ QemuLoadKernelImage ( &Enabled ); if (EFI_ERROR (RetStatus)) { - Enabled = FALSE; + Enabled = TRUE; } if (!Enabled) { diff --git a/OvmfPkg/RUNTIME_CONFIG.md b/OvmfPkg/RUNTIME_CONFIG.md index 57d0dd96111a..b75a5dacadf5 100644 --- a/OvmfPkg/RUNTIME_CONFIG.md +++ b/OvmfPkg/RUNTIME_CONFIG.md 
@@ -153,19 +153,16 @@ without EFI stub. If you are using kernels that old secure boot support is the least of your problems though ... The linux kernel is typically signed by the distro secure boot keys -and is verified by the distro `shim.efi` binary. qemu version 10.0 -(released in April 2025) got support for passing the shim binary +and is verified by the distro `shim.efi` binary. qemu release 10.0 +(ETA ~ March 2025) will get support for passing the shim binary (additionally to kernel + initrd) to the firmware, so the usual secure boot verification can work with direct kernel load too. -In edk2-stable202502 and newer the EnableLegacyLoader config option is -available and enabled by default. +For now the legacy loader is enabled by default. Once the new qemu +release is available in most linux distros the defaut will be flipped +to disabled. -In edk2-stable202602 and newer the EnableLegacyLoader config option is -disabled by default. - -Here is the qemu command line for direct kernel boot with secure boot -verification: +Usage (qemu 10.0+): ``` qemu-system-x86_64 \ -- 2.51.0
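
Review bot: In the RegionIsSystemMemory hunk of ArmPkg/Drivers/CpuDxe/MemoryAttribute.c, EndAddress = BaseAddress + Length is computed without an overflow check, and the function now returns TRUE whenever the while loop body never runs. With Length equal to 0, or with a sum that wraps below BaseAddress, no GetMemorySpaceDescriptor call is made and the range is reported as system memory, whereas the removed code always validated the descriptor at BaseAddress first. Suggest rejecting Length == 0 and a wrapped EndAddress before the loop (or validating the first descriptor unconditionally), and returning FALSE if GcdDescriptor.BaseAddress + GcdDescriptor.Length does not advance past CurrentAddress, so a zero-length or wrapping descriptor cannot stall the loop.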
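
Review bot: In the QemuLoadKernelImage hunk of X86QemuLoadImageLib.c, the EFI_ERROR (RetStatus) branch now sets Enabled = TRUE, so whenever the preceding lookup that fills Enabled fails, the legacy loader is selected, which is the path the changelog entry in this submission ties to CVE-2025-2296 when shim is not used for direct kernel boot with Secure Boot. The assignment carries no comment and the commit message only says "This reverts commit d2cbaefc082294eadaa30a3d5f0fa8ba264a574a", so nothing in the source records that this is a temporary workaround for bsc#1260358 and bsc#1259826. Suggest a comment at the assignment naming those bugs and the condition for dropping the revert (virt-install becoming compatible with the shim option), and consider keeping FALSE as the fallback when Secure Boot is enabled so that only guests without Secure Boot get the legacy path.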
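
Review bot: The OvmfPkg/RUNTIME_CONFIG.md hunk restores wording that is out of date: "qemu release 10.0 (ETA ~ March 2025) will get support" and "Once the new qemu release is available" describe qemu 10.0 as unreleased, while the changelog in this same submission states that qemu >= 10.0 already supports the shim option. The restored text also brings back the typo "defaut". Suggest keeping the removed sentence that qemu 10.0 has been released and changing only the statement of the default, for example to say that this package keeps EnableLegacyLoader enabled by default as a workaround.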
