Rebase on edk2-stable202411

[crawfxrd]

No description provided.

[crawfxrd]

Evaluation of commits from edk2-stable202108 base.

• U: Change exists in upstream
• F: Change is or should be applied as a fix-up commit
• D: Change should be dropped

---

• [U] 88f5720 MdeModulePkg/UsbBusDxe: fix NOOP build error
• 27585e7 Update DBX to 2023-05-09
• [F] 42a443d SecurityPkg: Fix debug build
• c466cc2 Add System76 Secure Boot keys
• [D] 5c49aca Update DBX to 2022-09-07
• 99891bd SecureBootConfig: Remove blank line
• 3485d55 SecureBootConfig: Split long strings
• c1a7127 SecureBootConfig: Clear PK and reset
• 2f21edd SecureBootConfig: Restore keys and reset
• 860c29c SecureBootConfig: Update variable and perform reset
• 8cfead2 SecureBootConfig: Add text key to perform the actions
• 30f6b2f SecureBootConfig: Modify UI
• 4de3256 UiApp: Link to SecureBootConfig
• ff91020 Notify System76 security callback prior to loading boot options
• [U] 9437739 BaseTools: Fix DevicePath tool build failure issue
• [U] e91ea55 Basetools: turn off gcc12 warning
• [U] 5e86b20 BaseTools: fix gcc12 warning
• [U] b764882 BaseTools: fix gcc12 warning
• a2abc5e UefiPayloadPkg: Add Pop!_OS Recovery to boot text
• a618e43 MdeModulePkg/BmBootDesciption: Remove device prefixes
• [D] bbc0497 UefiPayloadPkg: Add PCI support from DuetPkg
  • Fix coreboot dGPU driver integration to prevent assert with PciHostBridgeDxe
• 61a7f36 UefiPayloadPkg: Add Intel GOP driver
• fc1c47c UefiPayloadPkg: Add System76 Setup menu
• [D] fec64b0 Update brotli to fix compiling with GCC 11
• 05aa27e MdeModulePkg/BM: Update boot options on device change
• 06cc698 MdeModulePkg/Core: Signal notify events on protocol removal
• cb870a1 UiApp: Dynamically generated firmware configuration information page
• 90e04a7 MdeModulePkg/BMM: Unregister F9 and F10 hotkeys
• 1d01d2a MdeModulePkg/BMM: Remove Commit/Discard buttons
• 70e9b22 MdeModulePkg/BMM: Save BootOrder on list update
• e9d6369 MdeModulePkg/BMM: Add some debug logging
• 58d6aae MdeModulePkg/UiApp: Add warning if no bootable options found
• 4e0fcab MdeModulePkg/BootMaintenanceManagerUiLib: Make it look like current BMM
• 2d04a62 MdeModulePkg/UiApp: Make it look like current FrontPage
• 8a0955d MdeModulePkg/BM: Make it look like current BootMngr
• 06f4583 UefiPayloadPkg: Disable EFI shell
• 9daa69a UefiPayloadPkg: Add library for logging to EC
• 9030464 fix secureboot
• bcfe7a5 UefiPayloadPkg/Include/Coreboot.h: Remove __packed
• 600c565 Revert "UefiPayloadPkg: Add FV Guid for DXEFV and PLDFV"
• aae506c UefiPayloadPkg/BlSMMStoreDxe: Support Secureboot
• bf2ca74 UefiPayloadPkg: Update APRIORI
• 654e595 Fix TPM detection
• 9657bbe MdeModulePkg: Be more verbose about SecureBoot and the reason why the boot failed
• 10cbbe0 [HACK]UefiPayloadPkg: Fix TPM2 support without PEI
• 802391f UefiPayloadPkg/SecureBootEnrollDefaultKeys: Make SecureBoot configurable
• db04386 UefiPayloadPkg: Check TPM PPI requests in PlatformBootManager
• 7d5abcd UefiPayloadPkg: Parse coreboot's TPM PPI handoff buffer
• d296a36 OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu: Add timeout
• bdb15bf OvmfPkg: Introduce Tcg2PhysicalPresencePlatformLib
• 25af751 UefiPayloadPkg: Add TPM support
• 7f99fae UefiPayloadPkg: Advertise TPM support in BlSupportDxe
• c134065 UefiPayloadPkg: Check more ACPI tables
• eec38fd UefiPayloadPkg: Add Secureboot support
• b956477 UefiPayloadPkg: Scan for Option ROMs
• [U] 8c767bb Ps2KbdCtrller: Make wait for SUCCESS after BAT non-fatal
• 7386ad5 UefiPayloadPkg: don't set PcdDebugPropertyMask for release builds
• [U] e727453 SdMmcPciDxe: Reduce timeout for SD card reset
  • SD_MMC_TIMEOUT=100000
• 553bda4 BaseTools: array.fromstring and array.tostring removed in python 3.9
• 3e7febc BlSMMStoreDxe: make error msgs unique
• [D] b664a53 UefiPayloadPkg: Allow boot timeout to be set via cmd line
  • 55637a2 UefiPayloadPkg: Make Boot Timeout configurable
  • PLATFORM_BOOT_TIMEOUT=2
• [D] b376a7d ShellPkg: disable startup script, show welcome banner
• 3fb944f UefiPayloadPkg: Update APRIORI
• 1d70aa7 UefiCpuPkg: Disable MTRR programming for UefiPayloadPkg
• 0bef9cc UefiPayloadPkg: Add support for Firmware Volume Block Protocol
• d3b38ea UefiPayloadPkg/Library/PlatformBootManagerLib: Remove broken VGA detection
• 69ae47b UefiPayloadPkg: Add RNG support
• 95c4925 UefiPayloadPkg: Use new filesystem drivers
• d996a4b Add filesystem drivers
  • Update drivers to latest releases
• [U] 9f528fb MdeModulePkg/Usb/Keyboard.c: don't request protocol before setting
• bbab5b9 MdeModulePkg/Usb/Keyboard.c: remove Get/SetConfig calls
• [D] 5e84cc0 UefiPayloadPkg: Reduce timeout to 2s
  • PLATFORM_BOOT_TIMEOUT=2
• 2af54dd UefiPayloadPkg: Stall before connecting devices
• 0028331 MdeModulePkg/BdsDxe: Forward any key for booting
• 232f661 MdeModulePkg: Wait for input after boot failure
• 552ca5c UefiPayloadPkg: Clear screen on boot error
• 94e7cfc UefiPayloadPkg: Copy PlatformBootManagerUnableToBoot() from OvmfPkg
• de7030e UefiPayloadPkg: Set ResetOnMemoryTypeInformationChange to FALSE
• 587653c MdeModulePkg/SdMmcPciHcDxe: add Bayhub support
• e167ed1 MdeModulePkg/GraphicsConsole: don't draw cursor at 0,0
• 003534f MdeModulePkg/BmBootDesciption: Improve device descriptions
• a363907 MdeModulePkg/BmBoot: skip secondary eMMC entries
• 530cc53 MdeModulePkg/Frontpage: get SMBIOS Data from table directly
• 112268c MdeModulePkg/GraphicsConsole: Don't re-set video output mode
• 726280b UefiPayloadPkg: Disable Device Manager
• b1ab82d BmpSupportLib: fix BMP validation
• [D] 2e16857 MdeModulePkg: load boot logo into BGRT table
  • 444260d ("UefiPayloadPkg: Load Boot Logo into ACPI table")
  • BOOTSPLASH_IMAGE=TRUE
• 308f9a4 MdeModulePkg/BootLogoLib: Center logo 38.2% from top of screen
• 7ab0901 MdeModulePkg/Logo: Use System76 boot logo
• [U] d1c0828 UefiPayloadPkg: Enable boot logo
  • 79aab22 ("UefiPayloadPkg: Add a Macro to enable Boot Logo")
  • BOOTSPLASH_IMAGE=TRUE
• b4dd94c UefiPayloadPkg: Show boot message as progress text
• [D] f428f53 UefiPayloadPkg: Map ESC to Boot Manager
  • BOOT_MANAGER_ESCAPE=TRUE
• [D] 75b91c0 UefiPayloadPkg: Enable PS2 keyboard by default
  • PS2_KEYBOARD_ENABLE=TRUE
  • SIO_BUS_ENABLE=TRUE
• [D] 9f1dd0a UefiPayloadPkg: Default to coreboot
  • BOOTLOADER=COREBOOT
• 6db1a55 UefiPayloadPkg: Increase FV size
• [U] 72f8b9d UefiPayloadPkg: Fix the build error when enable Core ci for UefiPayloadPkg

[ilikenwf]

These look especially interesting too:

UefiPayloadPkg: Fix PciHostBridgeLib
On modern platforms with TBT devices the coreboot resource allocator
opens large PCI bridge MMIO windows above 4GiB to place hotplugable
PCI BARs there as they won't fit below 4GiB. In addition modern
GPGPU devices have very big PCI bars that doesn't fit below 4GiB.

The PciHostBridgeLib made lots of assumptions about the coreboot
resource allocator that were not verified at runtime and are no
longer true.

Remove all of the 'coreboot specific' code and implement the same
logic as OvmfPkg's ScanForRootBridges.

Fixes assertion
"ASSERT [PciHostBridgeDxe] Bridge->Mem.Limit < 0x0000000100000000ULL".

tianocore@c248802

UefiPayloadPkg: Fix PciHostBridgeLib
Don't assume a 64bit register always holds an address greater than 4GB.
Check the value in the register and decide which Aperature it should be
assigned to.

Fixes assertion
"ASSERT [PciHostBridgeDxe] Bridge->MemAbove4G.Base >= 0x0000000100000000ULL".

Tested with coreboot as bootloader on platforms that have PCI resource
above 4GiB and on platforms that don't have resource above 4GiB.

tianocore@bfefdc2

[crawfxrd]

Yes. Patrick (9elements) and Sean (Star Labs) have done substantial work on upstreaming coreboot-based work to edk2. It is unfortunate that Intel and edk2 devs are fucking stupid and rejects all new work that doesn't conform to their half-baked "universal payload" project.

[ilikenwf]

Sadly that kind of apathetic approach is common with the big silicon makers lately, in regard to all aspects of compatibility and general support.

As an aside, it would be cool to have a basic password supported sometime...since though they don't really secure things, they'd prevent an evil maid from being able to easily use the MS shim to bypass secureboot or use their own keys, without having to take apart and mess around with a chip clip...even if we use our own keys, if we want to change the PRIME mode from hybrid to nvidia, secureboot needs to either be off briefly, or the MS key has to be enrolled...though that's another issue and the disable should work, then reenable after the reboot...

[crawfxrd]

The coreboot SMMSTORE support in particular is not upstreamed because the UefiPayloadPkg interface in considered "legacy". IIRC, Sean did some work on a "Universal payload" for coreboot, but it was either never completed or never upstreamed.

Sean has done a lot more work for edk2 integration than I think anyone else has recently (and by "recently", I mean 2+ years). In terms of features, its probably best to ask him (or Matt; MrChromebox) if its even possible with a coreboot-based bootloader.

I am more inclined in creating a UEFI, coreboot-specific payload written in Rust than working with upstream edk2. (Admittedly, less so, since they supposedly accept GitHub PRs now rather than mail patches.)

I detest edk2, and UEFI in general, and avoid working on it if possible. It's one of the primary reasons why we (I) say "do it in the OS if possible" (like managing keys for "Secure Boot").

For firmware (UEFI) password, we have system76/firmware-open#174. But see previous paragraph.

[ilikenwf]

Thank you for the context—it helps clarify why things are as they are and why UEFI seems to have fragmented far beyond the "Universal" part of its acronym.

While vanilla Tianocore is serviceable (I do wonder how well that it would run on Clevo/System76 hardware), I can absolutely see how an alternative, longer-term solution in a safe language could be easier to maintain and port across the various hardware models you're expected to support. I suppose it would also make it easier to integrate new features, and also integrate existing ones as options that coreboot provides like measured boot, heads, etc, as well.

I might reach out to Sean or MrChromebox regarding SMM/DXE integration support. That said, when it comes to NVIDIA and dGPU handling, I’m not sure "Advanced Optimus" MUX support brings much to the table, and switching modes can be worked around either using the MS cert with custom ones, or through temporary disabling of secureboot.

My /boot and other drives are fully encrypted anyway, which mitigates most realistic threats in my case—I’m just a geek sitting in an office, after all, not a dissident. I care more about open source with reasonable security than anything else.

For nVidia, getting G-Sync working is far more interesting to me. After some digging, I suspect NVIDIA’s SMM/DXE modules primarily validate hardware and inject a SLIC line into the SSDT table. If I can figure that out—or get some help doing so—it could be something System76 could standardize across all supported models. To confirm we'd just have to look at the stock bios ACPI tables for a Bonobo/x370SNx and see if the relevant lines are there. I have an issue opened up for that here for more context (sorry for all the issues I keep opening): system76/firmware-open#592

I share your dislike for UEFI. Back when I was more spry and sharp on UEFI internals, I made a bit of side money breaking AMI’s BIOS Guard attempts, and it's complexity and the always included nework stacks in OEM implementations, ostensibly for pxe - but also automatic updates and "stuff" is creepy.

Sorry for the slightly incoherent speech patterns, I need to go to bed.

[ilikenwf]

I added some info on the GSync issue. I have largely figured out the concept involved, but am not sure on the execution...and it may or may not require the advanced optimus mux control that we don't have (yet).