UefiCpuPkg/PiSmmCpuDxeSmm: fix NULL deref when gSmmBaseHobGuid is missing

Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=4682
Fixes: 725acd0b9c

Before commit 725acd0b9c ("UefiCpuPkg: Avoid assuming only one
smmbasehob", 2023-12-12), PiCpuSmmEntry() used to look up
"gSmmBaseHobGuid", and allocate "mCpuHotPlugData.SmBase" regardless of the
GUID's presence:

> -  mCpuHotPlugData.SmBase = (UINTN *)AllocatePool (sizeof (UINTN) * mMaxNumberOfCpus);
> -  ASSERT (mCpuHotPlugData.SmBase != NULL);

After commit 725acd0b9c, PiCpuSmmEntry() -> GetSmBase() would allocate
"mCpuHotPlugData.SmBase" only on the success path, and no allocation would
be performed on *any* of the error paths.

This caused a problem: if "mCpuHotPlugData.SmBase" was left NULL because
the GUID HOB was missing, PiCpuSmmEntry() would still be supposed to
allocate "mCpuHotPlugData.SmBase", just like earlier. However, because
commit 725acd0b9c conflated the two possible error modes (out of SMRAM,
and no GUID HOB), PiCpuSmmEntry() could not decide whether it should
allocate "mCpuHotPlugData.SmBase", or not. Currently, we never allocate if
GetSmBase() fails -- for any reason --, which means that on platforms that
don't produce the GUID HOB, "mCpuHotPlugData.SmBase" is left NULL, leading
to null pointer dereferences later, in PiCpuSmmEntry().

Now that a prior patch in the series distinguishes the two error modes
from each other, we can tell exactly when the GUID HOB is not found, and
reinstate the earlier "mCpuHotPlugData.SmBase" allocation for that case.
(With an actual error check thrown in, in addition to the original
"assertion".)

Cc: Dun Tan <dun.tan@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Reported-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>
Reviewed-by: Rahul Kumar <rahul1.kumar@intel.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Gerd Hoffmann <kraxel@redhat.com>

.azurepipelines/Ubuntu-PatchCheck.yml

@@ -27,7 +27,7 @@ steps:
 
 - task: UsePythonVersion@0
   inputs:
-    versionSpec: '>=3.10.6'
+    versionSpec: '3.12'
     architecture: 'x64'
 
 - script: |

.azurepipelines/templates/defaults.yml

@@ -8,5 +8,5 @@
 ##
 
 variables:
-  default_python_version: ">=3.10.6"
+  default_python_version: "3.12"
   default_linux_image: "ghcr.io/tianocore/containers/fedora-37-test:a0dd931"

.editorconfig

@@ -0,0 +1,31 @@
+# EditorConfig file: https://EditorConfig.org
+
+root = true
+
+[*]
+charset = latin1
+end_of_line = crlf
+indent_style = space
+indent_size = 2
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.py]
+charset = utf-8
+indent_style = space
+indent_size = 4
+
+[*.sh]
+end_of_line = lf
+
+[.gitattributes]
+end_of_line = lf
+
+[.mailmap]
+charset = utf-8
+
+[Maintainers.txt]
+charset = utf-8
+
+[Makefile,GNUmakefile]
+indent_style = tab

.git-blame-ignore-revs

@@ -50,3 +50,7 @@ e7108d0e9655b1795c94ac372b0449f28dd907df
 40b0b23ed34f48c26d711d3e4613a4bb35eeadff
 # ArmPkg: Apply uncrustify changes
 429309e0c6b74792d679681a8edd0d5ae0ff850c
+# EmulatorPkg: Format with Uncrustify 73.0.8
+972e3b0b9d67ef2847c9c1c89e606e6074a7ddda
+# OvmfPkg: Format with Uncrustify 73.0.8
+0e9ce9146a6dc50a35488e3a4a7a2a4bbaf1eb1c

.github/codeql/codeql-config.yml

@@ -1,29 +0,0 @@
-## @file
-# CodeQL configuration file for edk2.
-#
-# Copyright (c) Microsoft Corporation.
-# SPDX-License-Identifier: BSD-2-Clause-Patent
-##
-
-name: "CodeQL config"
-
-# The following line disables the default queries. This is used because we want to enable on query at a time by
-# explicitly specifying each query in a "queries" array as they are enabled.
-#
-# See the following for more information about adding custom queries:
-# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-a-custom-configuration-file
-
-#disable-default-queries: true
-
-queries:
-  - name: EDK2 CodeQL Query List
-    uses: ./.github/codeql/edk2.qls
-
-# We must specify a query for CodeQL to run. Until the first query is enabled, enable the security query suite but
-# exclude all problem levels from impacting the results. After the first query is enabled, this filter can be relaxed
-# to find the level of problems desired from the query.
-query-filters:
-- exclude:
-    problem.severity:
-      - warning
-      - recommendation

.github/codeql/edk2.qls

@@ -1,24 +0,0 @@
----
-- description: EDK2 (C++) queries
-
-# Bring in all queries from the official cpp-queries suite so individual queries can be explicitly enabled.
-
-- queries: '.'
-  from: codeql/cpp-queries
-
-# Enable individual queries below.
-
-- include:
-    id: cpp/conditionallyuninitializedvariable
-- include:
-    id: cpp/infinite-loop-with-unsatisfiable-exit-condition
-- include:
-    id: cpp/overflow-buffer
-- include:
-    id: cpp/overrunning-write
-- include:
-    id: cpp/overrunning-write-with-float
-- include:
-    id: cpp/pointer-overflow-check
-- include:
-    id: cpp/very-likely-overrunning-write

.github/workflows/codeql-analysis.yml

@@ -1,118 +0,0 @@
-# @file
-# GitHub Workflow for CodeQL Analysis
-#
-# Copyright (c) Microsoft Corporation.
-#
-# SPDX-License-Identifier: BSD-2-Clause-Patent
-##
-
-name: "CodeQL"
-
-on:
-  push:
-    branches:
-      - master
-  pull_request:
-    branches:
-      - master
-    paths-ignore:
-      - '**/*.bat'
-      - '**/*.md'
-      - '**/*.py'
-      - '**/*.rst'
-      - '**/*.sh'
-      - '**/*.txt'
-
-  schedule:
-    # https://crontab.guru/#20_23_*_*_4
-    - cron: '20 23 * * 4'
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: windows-2019
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - Package: "ArmPkg"
-            ArchList: "IA32,X64"
-          - Package: "CryptoPkg"
-            ArchList: "IA32"
-          - Package: "CryptoPkg"
-            ArchList: "X64"
-          - Package: "DynamicTablesPkg"
-            ArchList: "IA32,X64"
-          - Package: "FatPkg"
-            ArchList: "IA32,X64"
-          - Package: "FmpDevicePkg"
-            ArchList: "IA32,X64"
-          - Package: "IntelFsp2Pkg"
-            ArchList: "IA32,X64"
-          - Package: "IntelFsp2WrapperPkg"
-            ArchList: "IA32,X64"
-          - Package: "MdeModulePkg"
-            ArchList: "IA32"
-          - Package: "MdeModulePkg"
-            ArchList: "X64"
-          - Package: "MdePkg"
-            ArchList: "IA32,X64"
-          - Package: "PcAtChipsetPkg"
-            ArchList: "IA32,X64"
-          - Package: "PrmPkg"
-            ArchList: "IA32,X64"
-          - Package: "SecurityPkg"
-            ArchList: "IA32,X64"
-          - Package: "ShellPkg"
-            ArchList: "IA32,X64"
-          - Package: "SourceLevelDebugPkg"
-            ArchList: "IA32,X64"
-          - Package: "StandaloneMmPkg"
-            ArchList: "IA32,X64"
-          - Package: "UefiCpuPkg"
-            ArchList: "IA32,X64"
-          - Package: "UnitTestFrameworkPkg"
-            ArchList: "IA32,X64"
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    - name: Install Python
-      uses: actions/setup-python@v4
-      with:
-        python-version: '3.10.6'
-        cache: 'pip'
-        cache-dependency-path: 'pip-requirements.txt'
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: 'cpp'
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Learn more about CodeQL language support at https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/
-        config-file: ./.github/codeql/codeql-config.yml
-        # Note: Add new queries to codeql-config.yml file as they are enabled.
-
-    - name: Install/Upgrade pip Modules
-      run: pip install -r pip-requirements.txt --upgrade
-
-    - name: Setup
-      run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019
-
-    - name: Update
-      run: stuart_update -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019
-
-    - name: Build Tools From Source
-      run: python BaseTools/Edk2ToolsBuild.py -t VS2019
-
-    - name: CI Build
-      run: stuart_ci_build -c .pytool/CISettings.py -p ${{ matrix.Package }} -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2

.github/workflows/codeql.yml

@@ -0,0 +1,350 @@
+# This workflow runs CodeQL against the repository.
+#
+# Results are uploaded to GitHub Code Scanning.
+#
+# Due to a known issue with the CodeQL extractor when building the edk2
+# codebase on Linux systems, only Windows agents are used for build with
+# the VS toolchain.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+    paths-ignore:
+      - '!**.c'
+      - '!**.h'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: windows-2019
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - Package: "ArmPkg"
+            ArchList: "IA32,X64"
+          - Package: "CryptoPkg"
+            ArchList: "IA32"
+          - Package: "CryptoPkg"
+            ArchList: "X64"
+          - Package: "DynamicTablesPkg"
+            ArchList: "IA32,X64"
+          - Package: "FatPkg"
+            ArchList: "IA32,X64"
+          - Package: "FmpDevicePkg"
+            ArchList: "IA32,X64"
+          - Package: "IntelFsp2Pkg"
+            ArchList: "IA32,X64"
+          - Package: "IntelFsp2WrapperPkg"
+            ArchList: "IA32,X64"
+          - Package: "MdeModulePkg"
+            ArchList: "IA32"
+          - Package: "MdeModulePkg"
+            ArchList: "X64"
+          - Package: "MdePkg"
+            ArchList: "IA32,X64"
+          - Package: "PcAtChipsetPkg"
+            ArchList: "IA32,X64"
+          - Package: "PrmPkg"
+            ArchList: "IA32,X64"
+          - Package: "SecurityPkg"
+            ArchList: "IA32,X64"
+          - Package: "ShellPkg"
+            ArchList: "IA32,X64"
+          - Package: "SourceLevelDebugPkg"
+            ArchList: "IA32,X64"
+          - Package: "StandaloneMmPkg"
+            ArchList: "IA32,X64"
+          - Package: "UefiCpuPkg"
+            ArchList: "IA32,X64"
+          - Package: "UnitTestFrameworkPkg"
+            ArchList: "IA32,X64"
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Install Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.11'
+        cache: 'pip'
+        cache-dependency-path: 'pip-requirements.txt'
+
+    - name: Use Git Long Paths on Windows
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: |
+        git config --system core.longpaths true
+
+    - name: Install/Upgrade pip Modules
+      run: pip install -r pip-requirements.txt --upgrade requests sarif-tools
+
+    - name: Determine CI Settings File Supported Operations
+      id: get_ci_file_operations
+      shell: python
+      run: |
+        import importlib
+        import os
+        import sys
+        from pathlib import Path
+        from edk2toolext.invocables.edk2_ci_setup import CiSetupSettingsManager
+        from edk2toolext.invocables.edk2_setup import SetupSettingsManager
+
+        # Find the repo CI Settings file
+        ci_settings_file = list(Path(os.environ['GITHUB_WORKSPACE']).rglob('.pytool/CISettings.py'))
+
+        # Note: At this point, submodules have not been pulled, only one CI Settings file should exist
+        if len(ci_settings_file) != 1 or not ci_settings_file[0].is_file():
+            print("::error title=Workspace Error!::Failed to find CI Settings file!")
+            sys.exit(1)
+
+        ci_settings_file = ci_settings_file[0]
+
+        # Try Finding the Settings class in the file
+        module_name = 'ci_settings'
+
+        spec = importlib.util.spec_from_file_location(module_name, ci_settings_file)
+        module = importlib.util.module_from_spec(spec)
+        spec.loader.exec_module(module)
+
+        try:
+            settings = getattr(module, 'Settings')
+        except AttributeError:
+            print("::error title=Workspace Error!::Failed to find Settings class in CI Settings file!")
+            sys.exit(1)
+
+        # Determine Which Operations Are Supported by the Settings Class
+        ci_setup_supported = issubclass(settings, CiSetupSettingsManager)
+        setup_supported = issubclass(settings, SetupSettingsManager)
+
+        with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
+            print(f'ci_setup_supported={str(ci_setup_supported).lower()}', file=fh)
+            print(f'setup_supported={str(setup_supported).lower()}', file=fh)
+
+    - name: Setup
+      if: steps.get_ci_file_operations.outputs.setup_supported == 'true'
+      run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019
+
+    - name: Upload Setup Log As An Artifact
+      uses: actions/upload-artifact@v3
+      if: (success() || failure()) && steps.get_ci_file_operations.outputs.setup_supported == 'true'
+      with:
+        name: ${{ matrix.Package }}-Logs
+        path: |
+          **/SETUPLOG.txt
+          retention-days: 7
+        if-no-files-found: ignore
+
+    - name: CI Setup
+      if: steps.get_ci_file_operations.outputs.ci_setup_supported == 'true'
+      run: stuart_ci_setup -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019
+
+    - name: Upload CI Setup Log As An Artifact
+      uses: actions/upload-artifact@v3
+      if: (success() || failure()) && steps.get_ci_file_operations.outputs.ci_setup_supported == 'true'
+      with:
+        name: ${{ matrix.Package }}-Logs
+        path: |
+          **/CISETUP.txt
+          retention-days: 7
+        if-no-files-found: ignore
+
+    - name: Update
+      run: stuart_update -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019
+
+    - name: Upload Update Log As An Artifact
+      uses: actions/upload-artifact@v3
+      if: success() || failure()
+      with:
+        name: ${{ matrix.Package }}-Logs
+        path: |
+          **/UPDATE_LOG.txt
+        retention-days: 7
+        if-no-files-found: ignore
+
+    - name: Build Tools From Source
+      run: python BaseTools/Edk2ToolsBuild.py -t VS2019
+
+    - name: Find CodeQL Plugin Directory
+      id: find_dir
+      shell: python
+      run: |
+        import os
+        import sys
+        from pathlib import Path
+
+        # Find the plugin directory that contains the CodeQL plugin
+        plugin_dir = list(Path(os.environ['GITHUB_WORKSPACE']).rglob('BaseTools/Plugin/CodeQL'))
+
+        # This should only be found once
+        if len(plugin_dir) == 1:
+            plugin_dir = str(plugin_dir[0])
+
+            with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
+                print(f'codeql_plugin_dir={plugin_dir}', file=fh)
+        else:
+            print("::error title=Workspace Error!::Failed to find CodeQL plugin directory!")
+            sys.exit(1)
+
+    - name: Get CodeQL CLI Cache Data
+      id: cache_key_gen
+      env:
+        CODEQL_PLUGIN_DIR: ${{ steps.find_dir.outputs.codeql_plugin_dir }}
+      shell: python
+      run: |
+        import os
+        import yaml
+
+        codeql_cli_ext_dep_name = 'codeqlcli_windows_ext_dep'
+        codeql_plugin_file = os.path.join(os.environ['CODEQL_PLUGIN_DIR'], codeql_cli_ext_dep_name + '.yaml')
+
+        with open (codeql_plugin_file) as pf:
+            codeql_cli_ext_dep = yaml.safe_load(pf)
+
+            cache_key_name = codeql_cli_ext_dep['name']
+            cache_key_version = codeql_cli_ext_dep['version']
+            cache_key = f'{cache_key_name}-{cache_key_version}'
+
+            codeql_plugin_cli_ext_dep_dir = os.path.join(os.environ['CODEQL_PLUGIN_DIR'], codeql_cli_ext_dep['name'].strip() + '_extdep')
+
+            with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
+                print(f'codeql_cli_cache_key={cache_key}', file=fh)
+                print(f'codeql_cli_ext_dep_dir={codeql_plugin_cli_ext_dep_dir}', file=fh)
+
+    - name: Attempt to Load CodeQL CLI From Cache
+      id: codeqlcli_cache
+      uses: actions/cache@v3
+      with:
+        path: ${{ steps.cache_key_gen.outputs.codeql_cli_ext_dep_dir }}
+        key: ${{ steps.cache_key_gen.outputs.codeql_cli_cache_key }}
+
+    - name: Download CodeQL CLI
+      if: steps.codeqlcli_cache.outputs.cache-hit != 'true'
+      run: stuart_update -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019 --codeql
+
+    - name: Remove CI Plugins Irrelevant to CodeQL
+      shell: python
+      env:
+        CODEQL_PLUGIN_DIR: ${{ steps.find_dir.outputs.codeql_plugin_dir }}
+      run: |
+        import os
+        import shutil
+        from pathlib import Path
+
+        # Only these two plugins are needed for CodeQL
+        plugins_to_keep = ['CompilerPlugin']
+
+        plugin_dir = Path('.pytool/Plugin').absolute()
+        if plugin_dir.is_dir():
+            for dir in plugin_dir.iterdir():
+                if str(dir.stem) not in plugins_to_keep:
+                    shutil.rmtree(str(dir.absolute()), ignore_errors=True)
+
+    - name: CI Build
+      env:
+        STUART_CODEQL_PATH: ${{ steps.cache_key_gen.outputs.codeql_cli_ext_dep_dir }}
+      run: stuart_ci_build -c .pytool/CISettings.py -t DEBUG -p ${{ matrix.Package }} -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019 --codeql
+
+    - name: Build Cleanup
+      id: build_cleanup
+      shell: python
+      run: |
+        import os
+        import shutil
+        from pathlib import Path
+
+        dirs_to_delete = ['ia32', 'x64', 'arm', 'aarch64']
+
+        def delete_dirs(path: Path):
+            if path.exists() and path.is_dir():
+                if path.name.lower() in dirs_to_delete:
+                    print(f'Removed {str(path)}')
+                    shutil.rmtree(path)
+                    return
+
+                for child_dir in path.iterdir():
+                    delete_dirs(child_dir)
+
+        build_path = Path(os.environ['GITHUB_WORKSPACE'], 'Build')
+        delete_dirs(build_path)
+
+    - name: Upload Build Logs As An Artifact
+      uses: actions/upload-artifact@v3
+      if: success() || failure()
+      with:
+        name: ${{ matrix.Package }}-Logs
+        path: |
+          **/BUILD_REPORT.TXT
+          **/OVERRIDELOG.TXT
+          **/BUILDLOG_*.md
+          **/BUILDLOG_*.txt
+          **/CI_*.md
+          **/CI_*.txt
+        retention-days: 7
+        if-no-files-found: ignore
+
+    - name: Prepare Env Data for CodeQL Upload
+      id: env_data
+      env:
+        PACKAGE_NAME: ${{ matrix.Package }}
+      shell: python
+      run: |
+        import logging
+        import os
+        from edk2toollib.utility_functions import RunCmd
+        from io import StringIO
+        from pathlib import Path
+
+        package = os.environ['PACKAGE_NAME'].strip().lower()
+        directory_name = 'codeql-analysis-' + package + '-debug'
+        file_name = 'codeql-db-' + package + '-debug-0.sarif'
+        sarif_path = Path('Build', directory_name, file_name)
+
+        with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
+            if sarif_path.is_file():
+                emacs_file_path = sarif_path.with_name(sarif_path.stem + "-emacs.txt")
+                out_stream_buffer = StringIO()
+                exit_code = RunCmd("sarif", f"emacs {sarif_path} --output {emacs_file_path} --no-autotrim",
+                                   outstream=out_stream_buffer,
+                                   logging_level=logging.NOTSET)
+                print(f'upload_sarif_file=true', file=fh)
+                print(f'emacs_file_path={emacs_file_path}', file=fh)
+                print(f'sarif_file_path={sarif_path}', file=fh)
+            else:
+                print(f'upload_sarif_file=false', file=fh)
+
+    - name: Upload CodeQL Results (SARIF) As An Artifact
+      uses: actions/upload-artifact@v3
+      if: steps.env_data.outputs.upload_sarif_file == 'true'
+      with:
+        name: ${{ matrix.Package }}-CodeQL-SARIF
+        path: |
+          ${{ steps.env_data.outputs.emacs_file_path }}
+          ${{ steps.env_data.outputs.sarif_file_path }}
+        retention-days: 14
+        if-no-files-found: warn
+
+    - name: Upload CodeQL Results (SARIF) To GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@v2
+      if: steps.env_data.outputs.upload_sarif_file == 'true'
+      with:
+        # Path to SARIF file relative to the root of the repository.
+        sarif_file: ${{ steps.env_data.outputs.sarif_file_path }}
+        # Optional category for the results. Used to differentiate multiple results for one commit.
+        # Each package is a separate category.
+        category: ${{ matrix.Package }}

.github/workflows/stale.yml

@@ -0,0 +1,44 @@
+# This workflow warns and then closes issues and PRs that have had no activity
+# for a specified amount of time.
+#
+# For more information, see:
+# https://github.com/actions/stale
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+
+name: Stale Check
+
+on:
+  schedule:
+    # At 23:35 on every day-of-week from Sunday through Saturday
+    # https://crontab.guru/#35_23_*_*_0-6
+    - cron: '35 23 * * 0-6'
+  workflow_dispatch:
+
+jobs:
+  stale:
+    name: Stale
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+
+    steps:
+    - name: Check for Stale Items
+      uses: actions/stale@v8
+      with:
+        days-before-issue-close: -1
+        days-before-issue-stale: -1
+        days-before-pr-stale: 60
+        days-before-pr-close: 7
+        stale-pr-message: >
+          This PR has been automatically marked as stale because it has not had
+          activity in 60 days. It will be closed if no further activity occurs within
+          7 days. Thank you for your contributions.
+        close-pr-message: >
+          This pull request has been automatically been closed because it did not have any
+          activity in 60 days and no follow up within 7 days after being marked stale.
+          Thank you for your contributions.
+        stale-pr-label: stale

.gitmodules

@@ -32,3 +32,6 @@
 [submodule "MdePkg/Library/MipiSysTLib/mipisyst"]
 	path = MdePkg/Library/MipiSysTLib/mipisyst
 	url = https://github.com/MIPI-Alliance/public-mipi-sys-t.git
+[submodule "CryptoPkg/Library/MbedTlsLib/mbedtls"]
+	path = CryptoPkg/Library/MbedTlsLib/mbedtls
+	url = https://github.com/ARMmbed/mbedtls

.pytool/CISettings.py

@@ -7,12 +7,27 @@
 ##
 import os
 import logging
+import sys
 from edk2toolext.environment import shell_environment
 from edk2toolext.invocables.edk2_ci_build import CiBuildSettingsManager
 from edk2toolext.invocables.edk2_setup import SetupSettingsManager, RequiredSubmodule
 from edk2toolext.invocables.edk2_update import UpdateSettingsManager
 from edk2toolext.invocables.edk2_pr_eval import PrEvalSettingsManager
 from edk2toollib.utility_functions import GetHostInfo
+from pathlib import Path
+
+
+try:
+    # Temporarily needed until edk2 can update to the latest edk2-pytools
+    # that has the CodeQL helpers.
+    #
+    # May not be present until submodules are populated.
+    #
+    root = Path(__file__).parent.parent.resolve()
+    sys.path.append(str(root/'BaseTools'/'Plugin'/'CodeQL'/'integration'))
+    import stuart_codeql as codeql_helpers
+except ImportError:
+    pass
 
 
 class Settings(CiBuildSettingsManager, UpdateSettingsManager, SetupSettingsManager, PrEvalSettingsManager):
@@ -34,6 +49,11 @@ class Settings(CiBuildSettingsManager, UpdateSettingsManager, SetupSettingsManag
         group.add_argument("-force_piptools", "--fpt", dest="force_piptools", action="store_true", default=False, help="Force the system to use pip tools")
         group.add_argument("-no_piptools", "--npt", dest="no_piptools", action="store_true", default=False, help="Force the system to not use pip tools")
 
+        try:
+            codeql_helpers.add_command_line_option(parserObj)
+        except NameError:
+            pass
+
     def RetrieveCommandLineOptions(self, args):
         super().RetrieveCommandLineOptions(args)
         if args.force_piptools:
@@ -41,6 +61,11 @@ class Settings(CiBuildSettingsManager, UpdateSettingsManager, SetupSettingsManag
         if args.no_piptools:
             self.UseBuiltInBaseTools = False
 
+        try:
+            self.codeql = codeql_helpers.is_codeql_enabled_on_command_line(args)
+        except NameError:
+            pass
+
     # ####################################################################################### #
     #                        Default Support for this Ci Build                                #
     # ####################################################################################### #
@@ -169,6 +194,17 @@ class Settings(CiBuildSettingsManager, UpdateSettingsManager, SetupSettingsManag
             else:
                 logging.warning("Falling back to using in-tree BaseTools")
 
+            try:
+                scopes += codeql_helpers.get_scopes(self.codeql)
+
+                if self.codeql:
+                    shell_environment.GetBuildVars().SetValue(
+                        "STUART_CODEQL_AUDIT_ONLY",
+                        "TRUE",
+                        "Set in CISettings.py")
+            except NameError:
+                pass
+
             self.ActualScopes = scopes
         return self.ActualScopes
 
@@ -199,6 +235,8 @@ class Settings(CiBuildSettingsManager, UpdateSettingsManager, SetupSettingsManag
             "MdePkg/Library/BaseFdtLib/libfdt", False))
         rs.append(RequiredSubmodule(
             "MdePkg/Library/MipiSysTLib/mipisyst", False))
+        rs.append(RequiredSubmodule(
+            "CryptoPkg/Library/MbedTlsLib/mbedtls", False))
         return rs
 
     def GetName(self):

.pytool/Plugin/HostUnitTestDscCompleteCheck/HostUnitTestDscCompleteCheck.py

@@ -10,7 +10,7 @@ import logging
 import os
 from edk2toolext.environment.plugintypes.ci_build_plugin import ICiBuildPlugin
 from edk2toollib.uefi.edk2.parsers.dsc_parser import DscParser
-from edk2toollib.uefi.edk2.parsers.inf_parser import InfParser
+from edk2toollib.uefi.edk2.parsers.inf_parser import InfParser, AllPhases
 from edk2toolext.environment.var_dict import VarDict
 
 
@@ -116,8 +116,9 @@ class HostUnitTestDscCompleteCheck(ICiBuildPlugin):
                     # should compile test a library that is declared type HOST_APPLICATION
                     pass
 
-                elif len(infp.SupportedPhases) > 0 and \
-                        "HOST_APPLICATION" in infp.SupportedPhases:
+                elif (len(infp.SupportedPhases) > 0 and
+                      "HOST_APPLICATION" in infp.SupportedPhases and
+                      infp.SupportedPhases != AllPhases):
                     # should compile test a library that supports HOST_APPLICATION but
                     # require it to be an explicit opt-in
                     pass

.pytool/Plugin/UncrustifyCheck/UncrustifyCheck.py

@@ -12,6 +12,7 @@ import logging
 import os
 import pathlib
 import shutil
+import stat
 import timeit
 from edk2toolext.environment import version_aggregator
 from edk2toolext.environment.plugin_manager import PluginManager
@@ -110,7 +111,7 @@ class UncrustifyCheck(ICiBuildPlugin):
     # A package can add any additional paths with "AdditionalIncludePaths"
     # A package can remove any of these paths with "IgnoreStandardPaths"
     #
-    STANDARD_PLUGIN_DEFINED_PATHS = ("*.c", "*.h")
+    STANDARD_PLUGIN_DEFINED_PATHS = ("*.c", "*.h", "*.cpp")
 
     #
     # The Uncrustify application path should set in this environment variable
@@ -299,7 +300,7 @@ class UncrustifyCheck(ICiBuildPlugin):
         If git is not found, an empty list will be returned.
         """
         if not shutil.which("git"):
-            logging.warn(
+            logging.warning(
                 "Git is not found on this system. Git submodule paths will not be considered.")
             return []
 
@@ -325,7 +326,7 @@ class UncrustifyCheck(ICiBuildPlugin):
         If git is not found, an empty list will be returned.
         """
         if not shutil.which("git"):
-            logging.warn(
+            logging.warning(
                 "Git is not found on this system. Git submodule paths will not be considered.")
             return []
 
@@ -372,9 +373,9 @@ class UncrustifyCheck(ICiBuildPlugin):
                 file_template_path = pathlib.Path(os.path.join(self._plugin_path, file_template_name))
                 self._file_template_contents = file_template_path.read_text()
         except KeyError:
-            logging.warn("A file header template is not specified in the config file.")
+            logging.warning("A file header template is not specified in the config file.")
         except FileNotFoundError:
-            logging.warn("The specified file header template file was not found.")
+            logging.warning("The specified file header template file was not found.")
         try:
             func_template_name = parser["dummy_section"]["cmt_insert_func_header"]
 
@@ -384,9 +385,9 @@ class UncrustifyCheck(ICiBuildPlugin):
                 func_template_path = pathlib.Path(os.path.join(self._plugin_path, func_template_name))
                 self._func_template_contents = func_template_path.read_text()
         except KeyError:
-            logging.warn("A function header template is not specified in the config file.")
+            logging.warning("A function header template is not specified in the config file.")
         except FileNotFoundError:
-            logging.warn("The specified function header template file was not found.")
+            logging.warning("The specified function header template file was not found.")
 
     def _initialize_app_info(self) -> None:
         """
@@ -628,7 +629,7 @@ class UncrustifyCheck(ICiBuildPlugin):
             """
             Private function to attempt to change permissions on file/folder being deleted.
             """
-            os.chmod(path, os.stat.S_IWRITE)
+            os.chmod(path, stat.S_IWRITE)
             func(path)
 
         for _ in range(3):  # retry up to 3 times

.pytool/Plugin/UncrustifyCheck/uncrustify.cfg

@@ -215,7 +215,7 @@ indent_braces                   = false
 indent_braces_no_class          = false
 indent_braces_no_func           = true
 indent_braces_no_struct         = false
-indent_class                    = false
+indent_class                    = true
 indent_class_colon              = false
 indent_cmt_with_tabs            = false         # Whether to indent comments that are not at a brace level with tabs on
                                                 # a tabstop. Requires indent_with_tabs=2. If false, will use spaces.
@@ -223,7 +223,7 @@ indent_col1_comment             = true
 indent_col1_multi_string_literal= true
 indent_comma_paren              = true
 indent_else_if                  = true
-indent_extern                   = false
+indent_extern                   = true
 indent_first_bool_expr          = true
 
 indent_func_def_param_paren_pos_threshold = 0

.pytool/Plugin/UncrustifyCheck/uncrustify_ext_dep.yaml

@@ -10,7 +10,7 @@
   "type": "nuget",
   "name": "mu-uncrustify-release",
   "source": "https://pkgs.dev.azure.com/projectmu/Uncrustify/_packaging/mu_uncrustify/nuget/v3/index.json",
-  "version": "73.0.3",
+  "version": "73.0.8",
   "flags": ["set_shell_var", "host_specific"],
   "var_name": "UNCRUSTIFY_CI_PATH"
 }

.pytool/Readme.md

@@ -15,7 +15,7 @@ on the TianoCore wiki.
 | ArmPlatformPkg       |                    | :heavy_check_mark: |
 | ArmVirtPkg           | SEE PACKAGE README | SEE PACKAGE README |
 | CryptoPkg            | :heavy_check_mark: | :heavy_check_mark: | Spell checking in audit mode
-| DynamicTablesPkg     |                    | :heavy_check_mark: |
+| DynamicTablesPkg     | :heavy_check_mark: | :heavy_check_mark: |
 | EmbeddedPkg          |
 | EmulatorPkg          | SEE PACKAGE README | SEE PACKAGE README | Spell checking in audit mode
 | FatPkg               | :heavy_check_mark: | :heavy_check_mark: |

ArmPkg/Application/ArmCpuInfo/ArmCpuInfo.inf

@@ -1,31 +0,0 @@
-## @file
-#  Application to present AArch64 cpu information.
-#
-#  Based on HelloWorld:
-#  Copyright (c) 2008 - 2018, Intel Corporation. All rights reserved.<BR>
-#  Copyright (c) 2023, Linaro Ltd. All rights reserved.<BR>
-#
-#  SPDX-License-Identifier: BSD-2-Clause-Patent
-#
-##
-
-[Defines]
-  INF_VERSION                    = 0x00010019
-  BASE_NAME                      = ArmCpuInfo
-  FILE_GUID                      = b3134491-6502-4faf-a9da-007184e32163
-  MODULE_TYPE                    = UEFI_APPLICATION
-  VERSION_STRING                 = 1.0
-  ENTRY_POINT                    = UefiMain
-
-[Sources]
-  ArmCpuInfo.c
-
-[Packages]
-  ArmPkg/ArmPkg.dec
-  MdePkg/MdePkg.dec
-  MdeModulePkg/MdeModulePkg.dec
-
-[LibraryClasses]
-  ArmLib
-  UefiApplicationEntryPoint
-  UefiLib

ArmPkg/ArmPkg.dec

@@ -328,6 +328,7 @@
   gArmTokenSpaceGuid.PcdArmArchTimerIntrNum|30|UINT32|0x00000036
   gArmTokenSpaceGuid.PcdArmArchTimerHypIntrNum|26|UINT32|0x00000040
   gArmTokenSpaceGuid.PcdArmArchTimerVirtIntrNum|27|UINT32|0x00000041
+  gArmTokenSpaceGuid.PcdArmArchTimerHypVirtIntrNum|28|UINT32|0x0000004A
 
   #
   # ARM Generic Watchdog

ArmPkg/ArmPkg.dsc

@@ -168,7 +168,6 @@
   ArmPkg/Drivers/ArmPsciMpServicesDxe/ArmPsciMpServicesDxe.inf
   ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
   ArmPkg/Library/ArmMmuLib/ArmMmuPeiLib.inf
-  ArmPkg/Application/ArmCpuInfo/ArmCpuInfo.inf
 
 [Components.AARCH64, Components.ARM]
   ArmPkg/Library/StandaloneMmMmuLib/ArmMmuStandaloneMmLib.inf

ArmPkg/Drivers/ArmPsciMpServicesDxe/ArmPsciMpServicesDxe.c

@@ -103,7 +103,9 @@ DispatchCpu (
 
   ArmCallSmc (&Args);
 
-  if (Args.Arg0 != ARM_SMC_PSCI_RET_SUCCESS) {
+  if (Args.Arg0 == ARM_SMC_PSCI_RET_ALREADY_ON) {
+    Status = EFI_NOT_READY;
+  } else if (Args.Arg0 != ARM_SMC_PSCI_RET_SUCCESS) {
     DEBUG ((DEBUG_ERROR, "PSCI_CPU_ON call failed: %d\n", Args.Arg0));
     Status = EFI_DEVICE_ERROR;
   }

ArmPkg/Drivers/ArmScmiDxe/ScmiPerformanceProtocol.c

@@ -1,12 +1,12 @@
 /** @file
 
-  Copyright (c) 2017-2021, Arm Limited. All rights reserved.<BR>
+  Copyright (c) 2017-2023, Arm Limited. All rights reserved.<BR>
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
-  System Control and Management Interface V1.0
-    http://infocenter.arm.com/help/topic/com.arm.doc.den0056a/
-    DEN0056A_System_Control_and_Management_Interface.pdf
+  System Control and Management Interface V3.2, latest version at:
+  - https://developer.arm.com/documentation/den0056/latest/
+
 **/
 
 #include <Library/BaseMemoryLib.h>
@@ -416,6 +416,75 @@ PerformanceLevelGet (
   return EFI_SUCCESS;
 }
 
+/** Discover the attributes of the FastChannel for the specified
+    performance domain and the specified message.
+
+  @param[in]  This        A Pointer to SCMI_PERFORMANCE_PROTOCOL Instance.
+  @param[in]  DomainId    Identifier for the performance domain.
+  @param[in]  MessageId   Message Id of the FastChannel to discover.
+                          Must be one of:
+                           - PERFORMANCE_LIMITS_SET
+                           - PERFORMANCE_LIMITS_GET
+                           - PERFORMANCE_LEVEL_SET
+                           - PERFORMANCE_LEVEL_GET
+  @param[out] FastChannel If success, contains the FastChannel description.
+
+  @retval EFI_SUCCESS             Performance level got successfully.
+  @retval EFI_DEVICE_ERROR        SCP returns an SCMI error.
+  @retval EFI_INVALID_PARAMETER   Invalid parameter.
+  @retval EFI_TIMEOUT             Time out.
+  @retval EFI_UNSUPPORTED         Unsupported.
+**/
+EFI_STATUS
+DescribeFastchannel (
+  IN  SCMI_PERFORMANCE_PROTOCOL     *This,
+  IN  UINT32                        DomainId,
+  IN  SCMI_MESSAGE_ID_PERFORMANCE   MessageId,
+  OUT SCMI_PERFORMANCE_FASTCHANNEL  *FastChannel
+  )
+{
+  EFI_STATUS    Status;
+  SCMI_COMMAND  Cmd;
+  UINT32        PayloadLength;
+  UINT32        *ReturnValues;
+  UINT32        *MessageParams;
+
+  if ((This == NULL)  ||
+      (FastChannel == NULL))
+  {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  Status = ScmiCommandGetPayload (&MessageParams);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  *MessageParams++ = DomainId;
+  *MessageParams   = MessageId;
+
+  Cmd.ProtocolId = ScmiProtocolIdPerformance;
+  Cmd.MessageId  = ScmiMessageIdPerformanceDescribeFastchannel;
+  PayloadLength  = sizeof (DomainId) + sizeof (MessageId);
+
+  Status = ScmiCommandExecute (
+             &Cmd,
+             &PayloadLength,
+             &ReturnValues
+             );
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  CopyMem (
+    FastChannel,
+    ReturnValues,
+    sizeof (SCMI_PERFORMANCE_FASTCHANNEL)
+    );
+
+  return Status;
+}
+
 // Instance of the SCMI performance management protocol.
 STATIC CONST SCMI_PERFORMANCE_PROTOCOL  PerformanceProtocol = {
   PerformanceGetVersion,
@@ -425,7 +494,8 @@ STATIC CONST SCMI_PERFORMANCE_PROTOCOL  PerformanceProtocol = {
   PerformanceLimitsSet,
   PerformanceLimitsGet,
   PerformanceLevelSet,
-  PerformanceLevelGet
+  PerformanceLevelGet,
+  DescribeFastchannel,
 };
 
 /** Initialize performance management protocol and install on a given Handle.

ArmPkg/Drivers/CpuDxe/AArch64/Mmu.c

@@ -13,7 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/MemoryAllocationLib.h>
 #include "CpuDxe.h"
 
-#define INVALID_ENTRY  ((UINT32)~0)
+#define INVALID_ENTRY  ((UINT64)~0)
 
 #define MIN_T0SZ        16
 #define BITS_PER_LEVEL  9
@@ -169,14 +169,14 @@ GetNextEntryAttribute (
   IN     UINTN   EntryCount,
   IN     UINTN   TableLevel,
   IN     UINT64  BaseAddress,
-  IN OUT UINT32  *PrevEntryAttribute,
+  IN OUT UINT64  *PrevEntryAttribute,
   IN OUT UINT64  *StartGcdRegion
   )
 {
   UINTN                            Index;
   UINT64                           Entry;
-  UINT32                           EntryAttribute;
-  UINT32                           EntryType;
+  UINT64                           EntryAttribute;
+  UINT64                           EntryType;
   EFI_STATUS                       Status;
   UINTN                            NumberOfDescriptors;
   EFI_GCD_MEMORY_SPACE_DESCRIPTOR  *MemorySpaceMap;
@@ -271,7 +271,7 @@ SyncCacheConfig (
   )
 {
   EFI_STATUS                       Status;
-  UINT32                           PageAttribute;
+  UINT64                           PageAttribute;
   UINT64                           *FirstLevelTableAddress;
   UINTN                            TableLevel;
   UINTN                            TableCount;

ArmPkg/Drivers/GenericWatchdogDxe/GenericWatchdog.h

@@ -1,9 +1,13 @@
 /** @file
 *
+*  Copyright (c) 2023, Ampere Computing LLC. All rights reserved.<BR>
 *  Copyright (c) 2013-2017, ARM Limited. All rights reserved.
 *
 *  SPDX-License-Identifier: BSD-2-Clause-Patent
 *
+*  @par Reference(s):
+*  - Generic Watchdog specification in Arm Base System Architecture 1.0C:
+*    https://developer.arm.com/documentation/den0094/c/
 **/
 
 #ifndef GENERIC_WATCHDOG_H_
@@ -14,12 +18,17 @@
 
 // Control Frame:
 #define GENERIC_WDOG_CONTROL_STATUS_REG      ((UINTN)FixedPcdGet64 (PcdGenericWatchdogControlBase) + 0x000)
-#define GENERIC_WDOG_OFFSET_REG              ((UINTN)FixedPcdGet64 (PcdGenericWatchdogControlBase) + 0x008)
+#define GENERIC_WDOG_OFFSET_REG_LOW          ((UINTN)FixedPcdGet64 (PcdGenericWatchdogControlBase) + 0x008)
+#define GENERIC_WDOG_OFFSET_REG_HIGH         ((UINTN)FixedPcdGet64 (PcdGenericWatchdogControlBase) + 0x00C)
 #define GENERIC_WDOG_COMPARE_VALUE_REG_LOW   ((UINTN)FixedPcdGet64 (PcdGenericWatchdogControlBase) + 0x010)
 #define GENERIC_WDOG_COMPARE_VALUE_REG_HIGH  ((UINTN)FixedPcdGet64 (PcdGenericWatchdogControlBase) + 0x014)
+#define GENERIC_WDOG_IID_REG                 ((UINTN)FixedPcdGet64 (PcdGenericWatchdogControlBase) + 0xFCC)
 
 // Values of bit 0 of the Control/Status Register
 #define GENERIC_WDOG_ENABLED   1
 #define GENERIC_WDOG_DISABLED  0
 
+#define GENERIC_WDOG_IID_ARCH_REV_SHIFT  16
+#define GENERIC_WDOG_IID_ARCH_REV_MASK   0xF
+
 #endif // GENERIC_WATCHDOG_H_

ArmPkg/Drivers/GenericWatchdogDxe/GenericWatchdogDxe.c

@@ -1,5 +1,6 @@
 /** @file
 *
+*  Copyright (c) 2023, Ampere Computing LLC. All rights reserved.<BR>
 *  Copyright (c) 2013-2018, ARM Limited. All rights reserved.
 *
 *  SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -27,24 +28,58 @@
    in a second */
 #define TIME_UNITS_PER_SECOND  10000000
 
-// Tick frequency of the generic timer basis of the generic watchdog.
-STATIC UINTN  mTimerFrequencyHz = 0;
-
 /* In cases where the compare register was set manually, information about
    how long the watchdog was asked to wait cannot be retrieved from hardware.
    It is therefore stored here. 0 means the timer is not running. */
-STATIC UINT64  mNumTimerTicks = 0;
+STATIC UINT64  mTimerPeriod = 0;
+
+/* disables watchdog interaction after Exit Boot Services */
+STATIC BOOLEAN  mExitedBootServices = FALSE;
+
+#define MAX_UINT48  0xFFFFFFFFFFFFULL
 
 STATIC EFI_HARDWARE_INTERRUPT2_PROTOCOL  *mInterruptProtocol;
 STATIC EFI_WATCHDOG_TIMER_NOTIFY         mWatchdogNotify;
+STATIC EFI_EVENT                         mEfiExitBootServicesEvent;
+
+/**
+  This function returns the maximum watchdog offset register value.
+
+  @retval MAX_UINT32 The watchdog offset register holds a 32-bit value.
+  @retval MAX_UINT48 The watchdog offset register holds a 48-bit value.
+**/
+STATIC
+UINT64
+GetMaxWatchdogOffsetRegisterValue (
+  VOID
+  )
+{
+  UINT64  MaxWatchdogOffsetValue;
+  UINT32  WatchdogIId;
+  UINT8   WatchdogArchRevision;
+
+  WatchdogIId          = MmioRead32 (GENERIC_WDOG_IID_REG);
+  WatchdogArchRevision = (WatchdogIId >> GENERIC_WDOG_IID_ARCH_REV_SHIFT) & GENERIC_WDOG_IID_ARCH_REV_MASK;
+
+  if (WatchdogArchRevision == 0) {
+    MaxWatchdogOffsetValue = MAX_UINT32;
+  } else {
+    MaxWatchdogOffsetValue = MAX_UINT48;
+  }
+
+  return MaxWatchdogOffsetValue;
+}
 
 STATIC
 VOID
 WatchdogWriteOffsetRegister (
-  UINT32  Value
+  UINT64  Value
   )
 {
-  MmioWrite32 (GENERIC_WDOG_OFFSET_REG, Value);
+  MmioWrite32 (GENERIC_WDOG_OFFSET_REG_LOW, Value & MAX_UINT32);
+  if (GetMaxWatchdogOffsetRegisterValue () == MAX_UINT48) {
+    MmioWrite32 (GENERIC_WDOG_OFFSET_REG_HIGH, (Value >> 32) & MAX_UINT16);
+  }
 }
 
 STATIC
@@ -87,7 +122,8 @@ WatchdogExitBootServicesEvent (
   )
 {
   WatchdogDisable ();
-  mNumTimerTicks = 0;
+  mTimerPeriod        = 0;
+  mExitedBootServices = TRUE;
 }
 
 /* This function is called when the watchdog's first signal (WS0) goes high.
@@ -102,7 +138,6 @@ WatchdogInterruptHandler (
   )
 {
   STATIC CONST CHAR16  ResetString[] = L"The generic watchdog timer ran out.";
-  UINT64               TimerPeriod;
 
   WatchdogDisable ();
 
@@ -115,8 +150,7 @@ WatchdogInterruptHandler (
   // the timer period plus 1.
   //
   if (mWatchdogNotify != NULL) {
-    TimerPeriod = ((TIME_UNITS_PER_SECOND / mTimerFrequencyHz) * mNumTimerTicks);
-    mWatchdogNotify (TimerPeriod + 1);
+    mWatchdogNotify (mTimerPeriod + 1);
   }
 
   gRT->ResetSystem (
@@ -186,6 +220,8 @@ WatchdogRegisterHandler (
 
   @retval EFI_SUCCESS           The watchdog timer has been programmed to fire
                                 in TimerPeriod 100ns units.
+  @retval EFI_DEVICE_ERROR      Boot Services has been exited but TimerPeriod
+                                is not zero.
 
 **/
 STATIC
@@ -196,32 +232,47 @@ WatchdogSetTimerPeriod (
   IN UINT64                            TimerPeriod          // In 100ns units
   )
 {
-  UINTN  SystemCount;
+  UINTN   SystemCount;
+  UINT64  MaxWatchdogOffsetValue;
+  UINT64  TimerFrequencyHz;
+  UINT64  NumTimerTicks;
 
-  // if TimerPeriod is 0, this is a request to stop the watchdog.
+  // If we've exited Boot Services but TimerPeriod isn't zero, this
+  // indicates that the caller is doing something wrong.
+  if (mExitedBootServices && (TimerPeriod != 0)) {
+    mTimerPeriod = 0;
+    WatchdogDisable ();
+    return EFI_DEVICE_ERROR;
+  }
+
+  // If TimerPeriod is 0 this is a request to stop the watchdog.
   if (TimerPeriod == 0) {
-    mNumTimerTicks = 0;
+    mTimerPeriod = 0;
     WatchdogDisable ();
     return EFI_SUCCESS;
   }
 
   // Work out how many timer ticks will equate to TimerPeriod
-  mNumTimerTicks = (mTimerFrequencyHz * TimerPeriod) / TIME_UNITS_PER_SECOND;
+  TimerFrequencyHz = ArmGenericTimerGetTimerFreq ();
+  ASSERT (TimerFrequencyHz != 0);
+  mTimerPeriod  = TimerPeriod;
+  NumTimerTicks = (TimerFrequencyHz * TimerPeriod) / TIME_UNITS_PER_SECOND;
 
   /* If the number of required ticks is greater than the max the watchdog's
      offset register (WOR) can hold, we need to manually compute and set
      the compare register (WCV) */
-  if (mNumTimerTicks > MAX_UINT32) {
+  MaxWatchdogOffsetValue = GetMaxWatchdogOffsetRegisterValue ();
+  if (NumTimerTicks > MaxWatchdogOffsetValue) {
     /* We need to enable the watchdog *before* writing to the compare register,
        because enabling the watchdog causes an "explicit refresh", which
        clobbers the compare register (WCV). In order to make sure this doesn't
        trigger an interrupt, set the offset to max. */
-    WatchdogWriteOffsetRegister (MAX_UINT32);
+    WatchdogWriteOffsetRegister (MaxWatchdogOffsetValue);
     WatchdogEnable ();
     SystemCount = ArmGenericTimerGetSystemCount ();
-    WatchdogWriteCompareRegister (SystemCount + mNumTimerTicks);
+    WatchdogWriteCompareRegister (SystemCount + NumTimerTicks);
   } else {
-    WatchdogWriteOffsetRegister ((UINT32)mNumTimerTicks);
+    WatchdogWriteOffsetRegister (NumTimerTicks);
     WatchdogEnable ();
   }
 
@@ -256,7 +307,7 @@ WatchdogGetTimerPeriod (
     return EFI_INVALID_PARAMETER;
   }
 
-  *TimerPeriod = ((TIME_UNITS_PER_SECOND / mTimerFrequencyHz) * mNumTimerTicks);
+  *TimerPeriod = mTimerPeriod;
 
   return EFI_SUCCESS;
 }
@@ -299,8 +350,6 @@ STATIC EFI_WATCHDOG_TIMER_ARCH_PROTOCOL  mWatchdogTimer = {
   WatchdogGetTimerPeriod
 };
 
-STATIC EFI_EVENT  mEfiExitBootServicesEvent;
-
 EFI_STATUS
 EFIAPI
 GenericWatchdogEntry (
@@ -323,9 +372,6 @@ GenericWatchdogEntry (
      This will avoid conflicts with the universal watchdog */
   ASSERT_PROTOCOL_ALREADY_INSTALLED (NULL, &gEfiWatchdogTimerArchProtocolGuid);
 
-  mTimerFrequencyHz = ArmGenericTimerGetTimerFreq ();
-  ASSERT (mTimerFrequencyHz != 0);
-
   // Install interrupt handler
   Status = mInterruptProtocol->RegisterInterruptSource (
                                  mInterruptProtocol,
@@ -367,7 +413,6 @@ GenericWatchdogEntry (
                   );
   ASSERT_EFI_ERROR (Status);
 
-  mNumTimerTicks = 0;
   WatchdogDisable ();
 
   return EFI_SUCCESS;

ArmPkg/Include/Chipset/AArch64.h

@@ -24,10 +24,17 @@
 // Coprocessor Trap Register (CPTR)
 #define AARCH64_CPTR_TFP  (1 << 10)
 
+// ID_AA64MMFR1 - AArch64 Memory Model Feature Register 0 definitions
+#define AARCH64_MMFR1_VH  (0xF << 8)
+
 // ID_AA64PFR0 - AArch64 Processor Feature Register 0 definitions
 #define AARCH64_PFR0_FP   (0xF << 16)
 #define AARCH64_PFR0_GIC  (0xF << 24)
 
+// ID_AA64DFR0 - AArch64 Debug Feature Register 0 definitions
+#define AARCH64_DFR0_TRACEVER  (0xFULL << 4)
+#define AARCH64_DFR0_TRBE      (0xFULL << 44)
+
 // SCR - Secure Configuration Register definitions
 #define SCR_NS   (1 << 0)
 #define SCR_IRQ  (1 << 1)

ArmPkg/Include/Library/ArmLib.h

@@ -45,8 +45,6 @@ typedef enum {
   ARM_MEMORY_REGION_ATTRIBUTE_DEVICE,
 } ARM_MEMORY_REGION_ATTRIBUTES;
 
-#define IS_ARM_MEMORY_REGION_ATTRIBUTES_SECURE(attr)  ((UINT32)(attr) & 1)
-
 typedef struct {
   EFI_PHYSICAL_ADDRESS            PhysicalBase;
   EFI_VIRTUAL_ADDRESS             VirtualBase;
@@ -766,6 +764,49 @@ ArmHasCcidx (
   VOID
   );
 
+#ifdef MDE_CPU_AARCH64
+///
+/// AArch64-only ID Register Helper functions
+///
+
+/**
+  Checks whether the CPU implements the Virtualization Host Extensions.
+
+  @retval TRUE  FEAT_VHE is implemented.
+  @retval FALSE FEAT_VHE is not mplemented.
+**/
+BOOLEAN
+EFIAPI
+ArmHasVhe (
+  VOID
+  );
+
+/**
+  Checks whether the CPU implements the Trace Buffer Extension.
+
+  @retval TRUE  FEAT_TRBE is implemented.
+  @retval FALSE FEAT_TRBE is not mplemented.
+**/
+BOOLEAN
+EFIAPI
+ArmHasTrbe (
+  VOID
+  );
+
+/**
+  Checks whether the CPU implements the Embedded Trace Extension.
+
+  @retval TRUE  FEAT_ETE is implemented.
+  @retval FALSE FEAT_ETE is not mplemented.
+**/
+BOOLEAN
+EFIAPI
+ArmHasEte (
+  VOID
+  );
+
+#endif // MDE_CPU_AARCH64
+
 #ifdef MDE_CPU_ARM
 ///
 /// AArch32-only ID Register Helper functions

ArmPkg/Include/Protocol/ArmScmiPerformanceProtocol.h

@@ -1,12 +1,12 @@
 /** @file
 
-  Copyright (c) 2017-2021, Arm Limited. All rights reserved.
+  Copyright (c) 2017-2023, Arm Limited. All rights reserved.
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
-  System Control and Management Interface V1.0
-    http://infocenter.arm.com/help/topic/com.arm.doc.den0056a/
-    DEN0056A_System_Control_and_Management_Interface.pdf
+  System Control and Management Interface V3.2, latest version at:
+  - https://developer.arm.com/documentation/den0056/latest/
+
 **/
 
 #ifndef ARM_SCMI_PERFORMANCE_PROTOCOL_H_
@@ -14,7 +14,10 @@
 
 #include <Protocol/ArmScmi.h>
 
-#define PERFORMANCE_PROTOCOL_VERSION  0x10000
+/// Arm Scmi performance protocol versions.
+#define PERFORMANCE_PROTOCOL_VERSION_V1  0x10000
+#define PERFORMANCE_PROTOCOL_VERSION_V2  0x20000
+#define PERFORMANCE_PROTOCOL_VERSION_V3  0x30000
 
 #define ARM_SCMI_PERFORMANCE_PROTOCOL_GUID  { \
   0x9b8ba84, 0x3dd3, 0x49a6, {0xa0, 0x5a, 0x31, 0x34, 0xa5, 0xf0, 0x7b, 0xad} \
@@ -76,8 +79,58 @@ typedef struct {
   UINT32    RangeMin;
 } SCMI_PERFORMANCE_LIMITS;
 
+/// Doorbell Support bit.
+#define SCMI_PERF_FC_ATTRIB_HAS_DOORBELL  BIT0
+
+/// Performance protocol describe fastchannel
+typedef struct {
+  /// Attributes.
+  UINT32    Attributes;
+
+  /// Rate limit.
+  UINT32    RateLimit;
+
+  /// Lower 32 bits of the FastChannel address.
+  UINT32    ChanAddrLow;
+
+  /// Higher 32 bits of the FastChannel address.
+  UINT32    ChanAddrHigh;
+
+  /// Size of the FastChannel in bytes.
+  UINT32    ChanSize;
+
+  /// Lower 32 bits of the doorbell address.
+  UINT32    DoorbellAddrLow;
+
+  /// Higher 32 bits of the doorbell address.
+  UINT32    DoorbellAddrHigh;
+
+  /// Mask of lower 32 bits to set when writing to the doorbell register.
+  UINT32    DoorbellSetMaskLow;
+
+  /// Mask of higher 32 bits to set when writing to the doorbell register.
+  UINT32    DoorbellSetMaskHigh;
+
+  /// Mask of lower 32 bits to preserve when writing to the doorbell register.
+  UINT32    DoorbellPreserveMaskLow;
+
+  /// Mask of higher 32 bits to preserve when writing to the doorbell register.
+  UINT32    DoorbellPreserveMaskHigh;
+} SCMI_PERFORMANCE_FASTCHANNEL;
+
 #pragma pack()
 
+/// SCMI Message Ids for the Performance Protocol.
+typedef enum {
+  ScmiMessageIdPerformanceDomainAttributes    = 0x3,
+  ScmiMessageIdPerformanceDescribeLevels      = 0x4,
+  ScmiMessageIdPerformanceLimitsSet           = 0x5,
+  ScmiMessageIdPerformanceLimitsGet           = 0x6,
+  ScmiMessageIdPerformanceLevelSet            = 0x7,
+  ScmiMessageIdPerformanceLevelGet            = 0x8,
+  ScmiMessageIdPerformanceDescribeFastchannel = 0xB,
+} SCMI_MESSAGE_ID_PERFORMANCE;
+
 /** Return version of the performance management protocol supported by SCP.
    firmware.
 
@@ -235,6 +288,34 @@ EFI_STATUS
   OUT UINT32                    *Level
   );
 
+/** Discover the attributes of the FastChannel for the specified
+    performance domain and the specified message.
+
+  @param[in]  This        A Pointer to SCMI_PERFORMANCE_PROTOCOL Instance.
+  @param[in]  DomainId    Identifier for the performance domain.
+  @param[in]  MessageId   Message Id of the FastChannel to discover.
+                          Must be one of:
+                           - PERFORMANCE_LIMITS_SET
+                           - PERFORMANCE_LIMITS_GET
+                           - PERFORMANCE_LEVEL_SET
+                           - PERFORMANCE_LEVEL_GET
+  @param[out] FastChannel If success, contains the FastChannel description.
+
+  @retval EFI_SUCCESS             Performance level got successfully.
+  @retval EFI_DEVICE_ERROR        SCP returns an SCMI error.
+  @retval EFI_INVALID_PARAMETER   Invalid parameter.
+  @retval EFI_TIMEOUT             Time out.
+  @retval EFI_UNSUPPORTED         Unsupported.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *SCMI_PERFORMANCE_DESCRIBE_FASTCHANNEL)(
+  IN  SCMI_PERFORMANCE_PROTOCOL       *This,
+  IN  UINT32                          DomainId,
+  IN  SCMI_MESSAGE_ID_PERFORMANCE     MessageId,
+  OUT SCMI_PERFORMANCE_FASTCHANNEL    *FastChannel
+  );
+
 typedef struct _SCMI_PERFORMANCE_PROTOCOL {
   SCMI_PERFORMANCE_GET_VERSION              GetVersion;
   SCMI_PERFORMANCE_GET_ATTRIBUTES           GetProtocolAttributes;
@@ -244,15 +325,7 @@ typedef struct _SCMI_PERFORMANCE_PROTOCOL {
   SCMI_PERFORMANCE_LIMITS_GET               LimitsGet;
   SCMI_PERFORMANCE_LEVEL_SET                LevelSet;
   SCMI_PERFORMANCE_LEVEL_GET                LevelGet;
+  SCMI_PERFORMANCE_DESCRIBE_FASTCHANNEL     DescribeFastchannel;
 } SCMI_PERFORMANCE_PROTOCOL;
 
-typedef enum {
-  ScmiMessageIdPerformanceDomainAttributes = 0x3,
-  ScmiMessageIdPerformanceDescribeLevels   = 0x4,
-  ScmiMessageIdPerformanceLimitsSet        = 0x5,
-  ScmiMessageIdPerformanceLimitsGet        = 0x6,
-  ScmiMessageIdPerformanceLevelSet         = 0x7,
-  ScmiMessageIdPerformanceLevelGet         = 0x8,
-} SCMI_MESSAGE_ID_PERFORMANCE;
-
 #endif /* ARM_SCMI_PERFORMANCE_PROTOCOL_H_ */

ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c

@@ -104,3 +104,49 @@ ArmHasCcidx (
   Mmfr2 = ArmReadIdAA64Mmfr2 ();
   return (((Mmfr2 >> 20) & 0xF) == 1) ? TRUE : FALSE;
 }
+
+/**
+  Checks whether the CPU implements the Virtualization Host Extensions.
+
+  @retval TRUE  FEAT_VHE is implemented.
+  @retval FALSE FEAT_VHE is not mplemented.
+**/
+BOOLEAN
+EFIAPI
+ArmHasVhe (
+  VOID
+  )
+{
+  return ((ArmReadIdAA64Mmfr1 () & AARCH64_MMFR1_VH) != 0);
+}
+
+/**
+  Checks whether the CPU implements the Trace Buffer Extension.
+
+  @retval TRUE  FEAT_TRBE is implemented.
+  @retval FALSE FEAT_TRBE is not mplemented.
+**/
+BOOLEAN
+EFIAPI
+ArmHasTrbe (
+  VOID
+  )
+{
+  return ((ArmReadIdAA64Dfr0 () & AARCH64_DFR0_TRBE) != 0);
+}
+
+/**
+  Checks whether the CPU implements the Embedded Trace Extension.
+
+  @retval TRUE  FEAT_ETE is implemented.
+  @retval FALSE FEAT_ETE is not mplemented.
+**/
+BOOLEAN
+EFIAPI
+ArmHasEte (
+  VOID
+  )
+{
+  // The ID_AA64DFR0_EL1.TraceVer field identifies the presence of FEAT_ETE.
+  return ((ArmReadIdAA64Dfr0 () & AARCH64_DFR0_TRACEVER) != 0);
+}

ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuLibCore.c

@@ -20,16 +20,9 @@
 #include <Library/BaseLib.h>
 #include <Library/DebugLib.h>
 #include <Library/HobLib.h>
+#include "ArmMmuLibInternal.h"
 
-STATIC
-VOID (
-  EFIAPI  *mReplaceLiveEntryFunc
-  )(
-    IN  UINT64  *Entry,
-    IN  UINT64  Value,
-    IN  UINT64  RegionStart,
-    IN  BOOLEAN DisableMmu
-    ) = ArmReplaceLiveTranslationEntry;
+STATIC  ARM_REPLACE_LIVE_TRANSLATION_ENTRY  mReplaceLiveEntryFunc = ArmReplaceLiveTranslationEntry;
 
 STATIC
 UINT64
@@ -742,7 +735,7 @@ ArmMmuBaseLibConstructor (
 
   Hob = GetFirstGuidHob (&gArmMmuReplaceLiveTranslationEntryFuncGuid);
   if (Hob != NULL) {
-    mReplaceLiveEntryFunc = *(VOID **)GET_GUID_HOB_DATA (Hob);
+    mReplaceLiveEntryFunc = *(ARM_REPLACE_LIVE_TRANSLATION_ENTRY *)GET_GUID_HOB_DATA (Hob);
   } else {
     //
     // The ArmReplaceLiveTranslationEntry () helper function may be invoked

ArmPkg/Library/ArmMmuLib/AArch64/ArmMmuPeiLibConstructor.c

@@ -13,6 +13,7 @@
 #include <Library/CacheMaintenanceLib.h>
 #include <Library/DebugLib.h>
 #include <Library/HobLib.h>
+#include "ArmMmuLibInternal.h"
 
 EFI_STATUS
 EFIAPI
@@ -21,9 +22,9 @@ ArmMmuPeiLibConstructor (
   IN CONST EFI_PEI_SERVICES     **PeiServices
   )
 {
-  extern UINT32  ArmReplaceLiveTranslationEntrySize;
-  VOID           *ArmReplaceLiveTranslationEntryFunc;
-  VOID           *Hob;
+  extern UINT32                       ArmReplaceLiveTranslationEntrySize;
+  ARM_REPLACE_LIVE_TRANSLATION_ENTRY  ArmReplaceLiveTranslationEntryFunc;
+  VOID                                *Hob;
 
   EFI_FV_FILE_INFO  FileInfo;
   EFI_STATUS        Status;

ArmPkg/Library/ArmMmuLib/Arm/ArmMmuLibCore.c

@@ -169,7 +169,6 @@ PopulateLevel2PageTable (
 
       // Overwrite the section entry to point to the new Level2 Translation Table
       *SectionEntry = (TranslationTable & TT_DESCRIPTOR_SECTION_PAGETABLE_ADDRESS_MASK) |
-                      (IS_ARM_MEMORY_REGION_ATTRIBUTES_SECURE (Attributes) ? (1 << 3) : 0) |
                       TT_DESCRIPTOR_SECTION_TYPE_PAGE_TABLE;
     } else {
       // We do not support the other section type (16MB Section)
@@ -192,7 +191,6 @@ PopulateLevel2PageTable (
     ZeroMem ((VOID *)TranslationTable, TRANSLATION_TABLE_PAGE_SIZE);
 
     *SectionEntry = (TranslationTable & TT_DESCRIPTOR_SECTION_PAGETABLE_ADDRESS_MASK) |
-                    (IS_ARM_MEMORY_REGION_ATTRIBUTES_SECURE (Attributes) ? (1 << 3) : 0) |
                     TT_DESCRIPTOR_SECTION_TYPE_PAGE_TABLE;
   }
 

ArmPkg/Library/ArmMmuLib/ArmMmuBaseLib.inf

@@ -19,10 +19,12 @@
   CONSTRUCTOR                    = ArmMmuBaseLibConstructor
 
 [Sources.AARCH64]
+  ArmMmuLibInternal.h
   AArch64/ArmMmuLibCore.c
   AArch64/ArmMmuLibReplaceEntry.S
 
 [Sources.ARM]
+  ArmMmuLibInternal.h
   Arm/ArmMmuLibConvert.c
   Arm/ArmMmuLibCore.c
   Arm/ArmMmuLibUpdate.c

ArmPkg/Library/ArmMmuLib/ArmMmuLibInternal.h

@@ -0,0 +1,23 @@
+/** @file
+  Arm MMU library instance internal header file.
+
+  Copyright (C) Microsoft Corporation. All rights reserved.
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef ARM_MMU_LIB_INTERNAL_H_
+#define ARM_MMU_LIB_INTERNAL_H_
+
+typedef
+VOID(
+ EFIAPI  *ARM_REPLACE_LIVE_TRANSLATION_ENTRY
+ )(
+  IN  UINT64  *Entry,
+  IN  UINT64  Value,
+  IN  UINT64  RegionStart,
+  IN  BOOLEAN DisableMmu
+  );
+
+#endif

ArmPkg/Library/ArmMmuLib/ArmMmuPeiLib.inf

@@ -17,6 +17,7 @@
   CONSTRUCTOR                    = ArmMmuPeiLibConstructor
 
 [Sources.AARCH64]
+  ArmMmuLibInternal.h
   AArch64/ArmMmuLibCore.c
   AArch64/ArmMmuPeiLibConstructor.c
   AArch64/ArmMmuLibReplaceEntry.S

ArmPkg/Library/DebugPeCoffExtraActionLib/DebugPeCoffExtraActionLib.c

@@ -17,45 +17,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/PeCoffExtraActionLib.h>
 #include <Library/PrintLib.h>
 
-/**
-  If the build is done on cygwin the paths are cygpaths.
-  /cygdrive/c/tmp.txt vs c:\tmp.txt so we need to convert
-  them to work with RVD commands
-
-  @param  Name  Path to convert if needed
-
-**/
-CHAR8 *
-DeCygwinPathIfNeeded (
-  IN  CHAR8  *Name,
-  IN  CHAR8  *Temp,
-  IN  UINTN  Size
-  )
-{
-  CHAR8  *Ptr;
-  UINTN  Index;
-  UINTN  Index2;
-
-  Ptr = AsciiStrStr (Name, "/cygdrive/");
-  if (Ptr == NULL) {
-    return Name;
-  }
-
-  for (Index = 9, Index2 = 0; (Index < (Size + 9)) && (Ptr[Index] != '\0'); Index++, Index2++) {
-    Temp[Index2] = Ptr[Index];
-    if (Temp[Index2] == '/') {
-      Temp[Index2] = '\\';
-    }
-
-    if (Index2 == 1) {
-      Temp[Index2 - 1] = Ptr[Index];
-      Temp[Index2]     = ':';
-    }
-  }
-
-  return Temp;
-}
-
 /**
   Performs additional actions after a PE/COFF image has been loaded and relocated.
 
@@ -71,23 +32,24 @@ PeCoffLoaderRelocateImageExtraAction (
   IN OUT PE_COFF_LOADER_IMAGE_CONTEXT  *ImageContext
   )
 {
- #if !defined (MDEPKG_NDEBUG)
-  CHAR8  Temp[512];
- #endif
-
+#ifdef __GNUC__
   if (ImageContext->PdbPointer) {
- #ifdef __CC_ARM
-    // Print out the command for the DS-5 to load symbols for this image
-    DEBUG ((DEBUG_LOAD | DEBUG_INFO, "add-symbol-file %a 0x%p\n", DeCygwinPathIfNeeded (ImageContext->PdbPointer, Temp, sizeof (Temp)), (UINTN)(ImageContext->ImageAddress + ImageContext->SizeOfHeaders)));
- #elif __GNUC__
-    // This may not work correctly if you generate PE/COFF directly as then the Offset would not be required
-    DEBUG ((DEBUG_LOAD | DEBUG_INFO, "add-symbol-file %a 0x%p\n", DeCygwinPathIfNeeded (ImageContext->PdbPointer, Temp, sizeof (Temp)), (UINTN)(ImageContext->ImageAddress + ImageContext->SizeOfHeaders)));
- #else
-    DEBUG ((DEBUG_LOAD | DEBUG_INFO, "Loading driver at 0x%11p EntryPoint=0x%11p\n", (VOID *)(UINTN)ImageContext->ImageAddress, FUNCTION_ENTRY_POINT (ImageContext->EntryPoint)));
- #endif
-  } else {
-    DEBUG ((DEBUG_LOAD | DEBUG_INFO, "Loading driver at 0x%11p EntryPoint=0x%11p\n", (VOID *)(UINTN)ImageContext->ImageAddress, FUNCTION_ENTRY_POINT (ImageContext->EntryPoint)));
+    DEBUG ((
+      DEBUG_LOAD | DEBUG_INFO,
+      "add-symbol-file %a 0x%p\n",
+      ImageContext->PdbPointer,
+      (UINTN)(ImageContext->ImageAddress + ImageContext->SizeOfHeaders)
+      ));
+    return;
   }
+#endif
+
+  DEBUG ((
+    DEBUG_LOAD | DEBUG_INFO,
+    "Loading driver at 0x%11p EntryPoint=0x%11p\n",
+    (VOID *)(UINTN)ImageContext->ImageAddress,
+    FUNCTION_ENTRY_POINT (ImageContext->EntryPoint)
+    ));
 }
 
 /**
@@ -106,21 +68,21 @@ PeCoffLoaderUnloadImageExtraAction (
   IN OUT PE_COFF_LOADER_IMAGE_CONTEXT  *ImageContext
   )
 {
- #if !defined (MDEPKG_NDEBUG)
-  CHAR8  Temp[512];
- #endif
-
+#ifdef __GNUC__
   if (ImageContext->PdbPointer) {
- #ifdef __CC_ARM
-    // Print out the command for the RVD debugger to load symbols for this image
-    DEBUG ((DEBUG_LOAD | DEBUG_INFO, "unload symbols_only %a\n", DeCygwinPathIfNeeded (ImageContext->PdbPointer, Temp, sizeof (Temp))));
- #elif __GNUC__
-    // This may not work correctly if you generate PE/COFF directly as then the Offset would not be required
-    DEBUG ((DEBUG_LOAD | DEBUG_INFO, "remove-symbol-file %a 0x%08x\n", DeCygwinPathIfNeeded (ImageContext->PdbPointer, Temp, sizeof (Temp)), (UINTN)(ImageContext->ImageAddress + ImageContext->SizeOfHeaders)));
- #else
-    DEBUG ((DEBUG_LOAD | DEBUG_INFO, "Unloading %a\n", ImageContext->PdbPointer));
- #endif
-  } else {
-    DEBUG ((DEBUG_LOAD | DEBUG_INFO, "Unloading driver at 0x%11p\n", (VOID *)(UINTN)ImageContext->ImageAddress));
+    DEBUG ((
+      DEBUG_LOAD | DEBUG_INFO,
+      "remove-symbol-file %a 0x%08x\n",
+      ImageContext->PdbPointer,
+      (UINTN)(ImageContext->ImageAddress + ImageContext->SizeOfHeaders)
+      ));
+    return;
   }
+#endif
+
+  DEBUG ((
+    DEBUG_LOAD | DEBUG_INFO,
+    "Unloading driver at 0x%11p\n",
+    (VOID *)(UINTN)ImageContext->ImageAddress
+    ));
 }

ArmPkg/Universal/Smbios/SmbiosMiscDxe/Type00/MiscBiosVendorFunction.c

@@ -185,7 +185,7 @@ SMBIOS_MISC_TABLE_FUNCTION (MiscBiosVendor) {
   UINTN               VendorStrLen;
   UINTN               VerStrLen;
   UINTN               DateStrLen;
-  UINTN               BiosPhysicalSize;
+  UINT64              BiosPhysicalSize;
   CHAR16              *Vendor;
   CHAR16              *Version;
   CHAR16              *ReleaseDate;

ArmPlatformPkg/Library/PL031RealTimeClockLib/PL031RealTimeClockLib.c

@@ -27,8 +27,6 @@
 #include <Library/UefiRuntimeServicesTableLib.h>
 #include <Library/UefiRuntimeLib.h>
 
-#include <Protocol/RealTimeClock.h>
-
 #include "PL031RealTimeClock.h"
 
 STATIC BOOLEAN    mPL031Initialized = FALSE;
@@ -113,7 +111,9 @@ EXIT:
   @retval EFI_SUCCESS            The operation completed successfully.
   @retval EFI_INVALID_PARAMETER  Time is NULL.
   @retval EFI_DEVICE_ERROR       The time could not be retrieved due to hardware error.
-  @retval EFI_SECURITY_VIOLATION The time could not be retrieved due to an authentication failure.
+  @retval EFI_UNSUPPORTED        This call is not supported by this platform at the time the call is made.
+                                 The platform should describe this runtime service as unsupported at runtime
+                                 via an EFI_RT_PROPERTIES_TABLE configuration table.
 
 **/
 EFI_STATUS
@@ -174,6 +174,9 @@ LibGetTime (
   @retval EFI_SUCCESS           The operation completed successfully.
   @retval EFI_INVALID_PARAMETER A time field is out of range.
   @retval EFI_DEVICE_ERROR      The time could not be set due to hardware error.
+  @retval EFI_UNSUPPORTED       This call is not supported by this platform at the time the call is made.
+                                The platform should describe this runtime service as unsupported at runtime
+                                via an EFI_RT_PROPERTIES_TABLE configuration table.
 
 **/
 EFI_STATUS
@@ -226,8 +229,13 @@ LibSetTime (
   @param  Time                  The current alarm setting.
 
   @retval EFI_SUCCESS           The alarm settings were returned.
-  @retval EFI_INVALID_PARAMETER Any parameter is NULL.
+  @retval EFI_INVALID_PARAMETER Enabled is NULL.
+  @retval EFI_INVALID_PARAMETER Pending is NULL.
+  @retval EFI_INVALID_PARAMETER Time is NULL.
   @retval EFI_DEVICE_ERROR      The wakeup time could not be retrieved due to a hardware error.
+  @retval EFI_UNSUPPORTED       This call is not supported by this platform at the time the call is made.
+                                The platform should describe this runtime service as unsupported at runtime
+                                via an EFI_RT_PROPERTIES_TABLE configuration table.
 
 **/
 EFI_STATUS
@@ -250,9 +258,13 @@ LibGetWakeupTime (
 
   @retval EFI_SUCCESS           If Enable is TRUE, then the wakeup alarm was enabled. If
                                 Enable is FALSE, then the wakeup alarm was disabled.
-  @retval EFI_INVALID_PARAMETER A time field is out of range.
+  @retval EFI_INVALID_PARAMETER Enabled is NULL.
+  @retval EFI_INVALID_PARAMETER Pending is NULL.
+  @retval EFI_INVALID_PARAMETER Time is NULL.
   @retval EFI_DEVICE_ERROR      The wakeup time could not be set due to a hardware error.
-  @retval EFI_UNSUPPORTED       A wakeup timer is not supported on this platform.
+  @retval EFI_UNSUPPORTED       This call is not supported by this platform at the time the call is made.
+                                The platform should describe this runtime service as unsupported at runtime
+                                via an EFI_RT_PROPERTIES_TABLE configuration table.
 
 **/
 EFI_STATUS
@@ -274,9 +286,10 @@ LibSetWakeupTime (
   @param[in]    Event   The Event that is being processed
   @param[in]    Context Event Context
 **/
+STATIC
 VOID
 EFIAPI
-LibRtcVirtualNotifyEvent (
+VirtualNotifyEvent (
   IN EFI_EVENT  Event,
   IN VOID       *Context
   )
@@ -309,7 +322,6 @@ LibRtcInitialize (
   )
 {
   EFI_STATUS  Status;
-  EFI_HANDLE  Handle;
 
   // Initialize RTC Base Address
   mPL031RtcBase = PcdGet32 (PcdPL031RtcBase);
@@ -330,23 +342,13 @@ LibRtcInitialize (
     return Status;
   }
 
-  // Install the protocol
-  Handle = NULL;
-  Status = gBS->InstallMultipleProtocolInterfaces (
-                  &Handle,
-                  &gEfiRealTimeClockArchProtocolGuid,
-                  NULL,
-                  NULL
-                  );
-  ASSERT_EFI_ERROR (Status);
-
   //
   // Register for the virtual address change event
   //
   Status = gBS->CreateEventEx (
                   EVT_NOTIFY_SIGNAL,
                   TPL_NOTIFY,
-                  LibRtcVirtualNotifyEvent,
+                  VirtualNotifyEvent,
                   NULL,
                   &gEfiEventVirtualAddressChangeGuid,
                   &mRtcVirtualAddrChangeEvent

ArmVirtPkg/ArmVirt.dsc.inc

@@ -37,7 +37,7 @@
 !if $(TARGET) == RELEASE
   DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf
 !else
-  DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
+  DebugLib|ArmVirtPkg/Library/DebugLibFdtPL011Uart/DebugLibFdtPL011UartRam.inf
 !endif
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
 
@@ -52,6 +52,7 @@
   IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsicArmVirt.inf
   UefiDecompressLib|MdePkg/Library/BaseUefiDecompressLib/BaseUefiDecompressLib.inf
   CpuLib|MdePkg/Library/BaseCpuLib/BaseCpuLib.inf
+  ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf
 
   UefiLib|MdePkg/Library/UefiLib/UefiLib.inf
   HobLib|ArmVirtPkg/Library/ArmVirtDxeHobLib/ArmVirtDxeHobLib.inf
@@ -121,6 +122,7 @@
   # ARM PL011 UART Driver
   PL011UartLib|ArmPlatformPkg/Library/PL011UartLib/PL011UartLib.inf
   SerialPortLib|ArmVirtPkg/Library/FdtPL011SerialPortLib/FdtPL011SerialPortLib.inf
+  FdtSerialPortAddressLib|OvmfPkg/Library/FdtSerialPortAddressLib/FdtSerialPortAddressLib.inf
 
   PeCoffExtraActionLib|ArmPkg/Library/DebugPeCoffExtraActionLib/DebugPeCoffExtraActionLib.inf
   #PeCoffExtraActionLib|MdePkg/Library/BasePeCoffExtraActionLibNull/BasePeCoffExtraActionLibNull.inf
@@ -154,7 +156,7 @@
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
 !endif
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+  RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
 
   #
   # Secure Boot dependencies
@@ -188,6 +190,9 @@
   PeiServicesLib|MdePkg/Library/PeiServicesLib/PeiServicesLib.inf
   PeiServicesTablePointerLib|ArmPkg/Library/PeiServicesTablePointerLib/PeiServicesTablePointerLib.inf
   MemoryAllocationLib|MdePkg/Library/PeiMemoryAllocationLib/PeiMemoryAllocationLib.inf
+!if $(TARGET) != RELEASE
+  DebugLib|ArmVirtPkg/Library/DebugLibFdtPL011Uart/DebugLibFdtPL011UartFlash.inf
+!endif
 
 [LibraryClasses.common.PEI_CORE]
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
@@ -203,6 +208,9 @@
 
   PeiServicesTablePointerLib|ArmPkg/Library/PeiServicesTablePointerLib/PeiServicesTablePointerLib.inf
   SerialPortLib|ArmVirtPkg/Library/FdtPL011SerialPortLib/EarlyFdtPL011SerialPortLib.inf
+!if $(TARGET) != RELEASE
+  DebugLib|ArmVirtPkg/Library/DebugLibFdtPL011Uart/DebugLibFdtPL011UartFlash.inf
+!endif
 
 [LibraryClasses.common.PEIM]
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
@@ -218,6 +226,9 @@
 
   PeiServicesTablePointerLib|ArmPkg/Library/PeiServicesTablePointerLib/PeiServicesTablePointerLib.inf
   SerialPortLib|ArmVirtPkg/Library/FdtPL011SerialPortLib/EarlyFdtPL011SerialPortLib.inf
+!if $(TARGET) != RELEASE
+  DebugLib|ArmVirtPkg/Library/DebugLibFdtPL011Uart/DebugLibFdtPL011UartFlash.inf
+!endif
 
 [LibraryClasses.common.DXE_CORE]
   HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
@@ -245,7 +256,7 @@
   MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
   CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf
 !if $(TARGET) != RELEASE
-  DebugLib|MdePkg/Library/DxeRuntimeDebugLibSerialPort/DxeRuntimeDebugLibSerialPort.inf
+  DebugLib|ArmVirtPkg/Library/DebugLibFdtPL011Uart/DxeRuntimeDebugLibFdtPL011Uart.inf
 !endif
   VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
 
@@ -304,26 +315,28 @@
   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2f
 !endif
 
-  #  DEBUG_INIT      0x00000001  // Initialization
-  #  DEBUG_WARN      0x00000002  // Warnings
-  #  DEBUG_LOAD      0x00000004  // Load events
-  #  DEBUG_FS        0x00000008  // EFI File system
-  #  DEBUG_POOL      0x00000010  // Alloc & Free (pool)
-  #  DEBUG_PAGE      0x00000020  // Alloc & Free (page)
-  #  DEBUG_INFO      0x00000040  // Informational debug messages
-  #  DEBUG_DISPATCH  0x00000080  // PEI/DXE/SMM Dispatchers
-  #  DEBUG_VARIABLE  0x00000100  // Variable
-  #  DEBUG_BM        0x00000400  // Boot Manager
-  #  DEBUG_BLKIO     0x00001000  // BlkIo Driver
-  #  DEBUG_NET       0x00004000  // SNP Driver
-  #  DEBUG_UNDI      0x00010000  // UNDI Driver
-  #  DEBUG_LOADFILE  0x00020000  // LoadFile
-  #  DEBUG_EVENT     0x00080000  // Event messages
-  #  DEBUG_GCD       0x00100000  // Global Coherency Database changes
-  #  DEBUG_CACHE     0x00200000  // Memory range cachability changes
-  #  DEBUG_VERBOSE   0x00400000  // Detailed debug messages that may
-  #                              // significantly impact boot performance
-  #  DEBUG_ERROR     0x80000000  // Error
+  #  DEBUG_INIT           0x00000001  // Initialization
+  #  DEBUG_WARN           0x00000002  // Warnings
+  #  DEBUG_LOAD           0x00000004  // Load events
+  #  DEBUG_FS             0x00000008  // EFI File system
+  #  DEBUG_POOL           0x00000010  // Alloc & Free (pool)
+  #  DEBUG_PAGE           0x00000020  // Alloc & Free (page)
+  #  DEBUG_INFO           0x00000040  // Informational debug messages
+  #  DEBUG_DISPATCH       0x00000080  // PEI/DXE/SMM Dispatchers
+  #  DEBUG_VARIABLE       0x00000100  // Variable
+  #  DEBUG_BM             0x00000400  // Boot Manager
+  #  DEBUG_BLKIO          0x00001000  // BlkIo Driver
+  #  DEBUG_NET            0x00004000  // Network Io Driver
+  #  DEBUG_UNDI           0x00010000  // UNDI Driver
+  #  DEBUG_LOADFILE       0x00020000  // LoadFile
+  #  DEBUG_EVENT          0x00080000  // Event messages
+  #  DEBUG_GCD            0x00100000  // Global Coherency Database changes
+  #  DEBUG_CACHE          0x00200000  // Memory range cachability changes
+  #  DEBUG_VERBOSE        0x00400000  // Detailed debug messages that may
+  #                                   // significantly impact boot performance
+  #  DEBUG_MANAGEABILITY  0x00800000  // Detailed debug and payload manageability messages
+  #                                   // related to modules such as Redfish, IPMI, MCTP etc.
+  #  DEBUG_ERROR          0x80000000  // Error
 !if $(TARGET) != RELEASE
   gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|$(DEBUG_PRINT_ERROR_LEVEL)
 !endif
@@ -383,6 +396,10 @@
     <PcdsFixedAtBuild>
       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
   }
+  ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
+    <PcdsFixedAtBuild>
+      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
+  }
   OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf {
     <PcdsFixedAtBuild>
       gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE

ArmVirtPkg/ArmVirtCloudHv.dsc

@@ -129,7 +129,7 @@
   gArmTokenSpaceGuid.PcdSystemMemoryBase|0x40000000
 
   # initial location of the device tree blob passed by Cloud Hypervisor -- base of DRAM
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress|0x40000000
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress|0x40000000
 
   gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChange|FALSE
   gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 }
@@ -178,6 +178,7 @@
   gArmTokenSpaceGuid.PcdArmArchTimerIntrNum|0x0
   gArmTokenSpaceGuid.PcdArmArchTimerVirtIntrNum|0x0
   gArmTokenSpaceGuid.PcdArmArchTimerHypIntrNum|0x0
+  gArmTokenSpaceGuid.PcdArmArchTimerHypVirtIntrNum|0x0
 
   #
   # ARM General Interrupt Controller
@@ -340,7 +341,7 @@
   #
   # PCI support
   #
-  ArmPkg/Drivers/ArmPciCpuIo2Dxe/ArmPciCpuIo2Dxe.inf {
+  UefiCpuPkg/CpuMmio2Dxe/CpuMmio2Dxe.inf {
     <LibraryClasses>
       NULL|OvmfPkg/Fdt/FdtPciPcdProducerLib/FdtPciPcdProducerLib.inf
   }

ArmVirtPkg/ArmVirtCloudHv.fdf

@@ -169,6 +169,7 @@ READ_LOCK_STATUS   = TRUE
   INF ShellPkg/Application/Shell/Shell.inf
   INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
   INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+  INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
   INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
 
   #
@@ -200,7 +201,7 @@ READ_LOCK_STATUS   = TRUE
   #
   # PCI support
   #
-  INF ArmPkg/Drivers/ArmPciCpuIo2Dxe/ArmPciCpuIo2Dxe.inf
+  INF UefiCpuPkg/CpuMmio2Dxe/CpuMmio2Dxe.inf
   INF MdeModulePkg/Bus/Pci/PciHostBridgeDxe/PciHostBridgeDxe.inf
   INF MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf
   INF OvmfPkg/PciHotPlugInitDxe/PciHotPlugInit.inf

ArmVirtPkg/ArmVirtKvmTool.dsc

@@ -77,6 +77,9 @@
   PciExpressLib|MdePkg/Library/BasePciExpressLib/BasePciExpressLib.inf
   PlatformHookLib|ArmVirtPkg/Library/Fdt16550SerialPortHookLib/Fdt16550SerialPortHookLib.inf
   SerialPortLib|MdeModulePkg/Library/BaseSerialPortLib16550/BaseSerialPortLib16550.inf
+!if $(TARGET) != RELEASE
+  DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
+!endif
 
   HwInfoParserLib|DynamicTablesPkg/Library/FdtHwInfoParserLib/FdtHwInfoParserLib.inf
   DynamicPlatRepoLib|DynamicTablesPkg/Library/Common/DynamicPlatRepoLib/DynamicPlatRepoLib.inf
@@ -88,6 +91,14 @@
   PciExpressLib|MdePkg/Library/BasePciExpressLib/BasePciExpressLib.inf
   PlatformHookLib|ArmVirtPkg/Library/Fdt16550SerialPortHookLib/EarlyFdt16550SerialPortHookLib.inf
   SerialPortLib|MdeModulePkg/Library/BaseSerialPortLib16550/BaseSerialPortLib16550.inf
+!if $(TARGET) != RELEASE
+  DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
+!endif
+
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+!if $(TARGET) != RELEASE
+  DebugLib|MdePkg/Library/DxeRuntimeDebugLibSerialPort/DxeRuntimeDebugLibSerialPort.inf
+!endif
 
 [LibraryClasses.common.UEFI_DRIVER]
   UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
@@ -168,7 +179,7 @@
   # We are booting from RAM using the Linux kernel boot protocol,
   # x0 will point to the DTB image in memory.
   #
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress|0x0
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress|0x0
 
   gArmTokenSpaceGuid.PcdFdBaseAddress|0x0
   gArmTokenSpaceGuid.PcdFvBaseAddress|0x0
@@ -183,6 +194,7 @@
   gArmTokenSpaceGuid.PcdArmArchTimerIntrNum|0x0
   gArmTokenSpaceGuid.PcdArmArchTimerVirtIntrNum|0x0
   gArmTokenSpaceGuid.PcdArmArchTimerHypIntrNum|0x0
+  gArmTokenSpaceGuid.PcdArmArchTimerHypVirtIntrNum|0x0
 
   #
   # ARM General Interrupt Controller
@@ -360,7 +372,7 @@
   #
   # PCI support
   #
-  ArmPkg/Drivers/ArmPciCpuIo2Dxe/ArmPciCpuIo2Dxe.inf {
+  UefiCpuPkg/CpuMmio2Dxe/CpuMmio2Dxe.inf {
     <LibraryClasses>
       NULL|OvmfPkg/Fdt/FdtPciPcdProducerLib/FdtPciPcdProducerLib.inf
       NULL|OvmfPkg/Library/BaseCachingPciExpressLib/BaseCachingPciExpressLib.inf

ArmVirtPkg/ArmVirtKvmTool.fdf

@@ -195,7 +195,7 @@ READ_LOCK_STATUS   = TRUE
   #
   # PCI support
   #
-  INF ArmPkg/Drivers/ArmPciCpuIo2Dxe/ArmPciCpuIo2Dxe.inf
+  INF UefiCpuPkg/CpuMmio2Dxe/CpuMmio2Dxe.inf
   INF MdeModulePkg/Bus/Pci/PciHostBridgeDxe/PciHostBridgeDxe.inf
   INF MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf
   INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf

ArmVirtPkg/ArmVirtPkg.ci.yaml

@@ -24,7 +24,6 @@
         ],
         ## Both file path and directory path are accepted.
         "IgnoreFiles": [
-            "Library/PlatformBootManagerLib/PlatformBm.c"
         ]
     },
     ## options defined .pytool/Plugin/CompilerPlugin
@@ -125,5 +124,13 @@
         ],           # words to extend to the dictionary for this package
         "IgnoreStandardPaths": [],   # Standard Plugin defined paths that should be ignore
         "AdditionalIncludePaths": [] # Additional paths to spell check (wildcards supported)
+    },
+
+    "DebugMacroCheck": {
+      "StringSubstitutions": {
+          # DynamicTablesPkg/Include/ConfigurationManagerObject.h
+          # Reason: Expansion of macro that contains a print specifier.
+          "FMT_CM_OBJECT_ID": "0x%lx"
+      }
     }
 }

ArmVirtPkg/ArmVirtPkg.dec

@@ -41,27 +41,6 @@
   gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|FALSE|BOOLEAN|0x00000004
 
 [PcdsFixedAtBuild, PcdsPatchableInModule]
-  #
-  # This is the physical address where the device tree is expected to be stored
-  # upon first entry into UEFI. This needs to be a FixedAtBuild PCD, so that we
-  # can do a first pass over the device tree in the SEC phase to discover the
-  # UART base address.
-  #
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress|0x0|UINT64|0x00000001
-
-  #
-  # Padding in bytes to add to the device tree allocation, so that the DTB can
-  # be modified in place (default: 256 bytes)
-  #
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeAllocationPadding|256|UINT32|0x00000002
-
-  #
-  # Binary representation of the GUID that determines the terminal type. The
-  # size must be exactly 16 bytes. The default value corresponds to
-  # EFI_VT_100_GUID.
-  #
-  gArmVirtTokenSpaceGuid.PcdTerminalTypeGuidBuffer|{0x65, 0x60, 0xA6, 0xDF, 0x19, 0xB4, 0xD3, 0x11, 0x9A, 0x2D, 0x00, 0x90, 0x27, 0x3F, 0xC1, 0x4D}|VOID*|0x00000007
-
   ##
   # This is the physical address of Rsdp which is the core struct of Acpi.
   # Cloud Hypervisor has no other way to pass Rsdp address to the guest except use a PCD.

ArmVirtPkg/ArmVirtQemu.dsc

@@ -70,7 +70,7 @@
 
   CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf
   BootLogoLib|MdeModulePkg/Library/BootLogoLib/BootLogoLib.inf
-  PlatformBootManagerLib|ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+  PlatformBootManagerLib|OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf
   PlatformBmPrintScLib|OvmfPkg/Library/PlatformBmPrintScLib/PlatformBmPrintScLib.inf
   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
   FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
@@ -182,7 +182,7 @@
 !if $(TTY_TERMINAL) == TRUE
   gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType|4
   # Set terminal type to TtyTerm, the value encoded is EFI_TTY_TERM_GUID
-  gArmVirtTokenSpaceGuid.PcdTerminalTypeGuidBuffer|{0x80, 0x6d, 0x91, 0x7d, 0xb1, 0x5b, 0x8c, 0x45, 0xa4, 0x8f, 0xe2, 0x5f, 0xdd, 0x51, 0xef, 0x94}
+  gUefiOvmfPkgTokenSpaceGuid.PcdTerminalTypeGuidBuffer|{0x80, 0x6d, 0x91, 0x7d, 0xb1, 0x5b, 0x8c, 0x45, 0xa4, 0x8f, 0xe2, 0x5f, 0xdd, 0x51, 0xef, 0x94}
 !else
   gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType|1
 !endif
@@ -201,7 +201,7 @@
   gArmTokenSpaceGuid.PcdSystemMemoryBase|0x40000000
 
   # initial location of the device tree blob passed by QEMU -- base of DRAM
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress|0x40000000
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress|0x40000000
 
   gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChange|FALSE
   gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 }
@@ -253,6 +253,7 @@
   gArmTokenSpaceGuid.PcdArmArchTimerIntrNum|0x0
   gArmTokenSpaceGuid.PcdArmArchTimerVirtIntrNum|0x0
   gArmTokenSpaceGuid.PcdArmArchTimerHypIntrNum|0x0
+  gArmTokenSpaceGuid.PcdArmArchTimerHypVirtIntrNum|0x0
 
   #
   # ARM General Interrupt Controller
@@ -525,7 +526,7 @@
   #
   # PCI support
   #
-  ArmPkg/Drivers/ArmPciCpuIo2Dxe/ArmPciCpuIo2Dxe.inf {
+  UefiCpuPkg/CpuMmio2Dxe/CpuMmio2Dxe.inf {
     <LibraryClasses>
       NULL|OvmfPkg/Fdt/FdtPciPcdProducerLib/FdtPciPcdProducerLib.inf
   }

ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc

@@ -103,6 +103,7 @@ READ_LOCK_STATUS   = TRUE
   INF ShellPkg/Application/Shell/Shell.inf
   INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
   INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+  INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
   INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
 
   #
@@ -152,7 +153,7 @@ READ_LOCK_STATUS   = TRUE
   #
   # PCI support
   #
-  INF ArmPkg/Drivers/ArmPciCpuIo2Dxe/ArmPciCpuIo2Dxe.inf
+  INF UefiCpuPkg/CpuMmio2Dxe/CpuMmio2Dxe.inf
   INF MdeModulePkg/Bus/Pci/PciHostBridgeDxe/PciHostBridgeDxe.inf
   INF MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf
   INF OvmfPkg/PciHotPlugInitDxe/PciHotPlugInit.inf

ArmVirtPkg/ArmVirtQemuKernel.dsc

@@ -69,7 +69,7 @@
 
   CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf
   BootLogoLib|MdeModulePkg/Library/BootLogoLib/BootLogoLib.inf
-  PlatformBootManagerLib|ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+  PlatformBootManagerLib|OvmfPkg/Library/PlatformBootManagerLibLight/PlatformBootManagerLib.inf
   PlatformBmPrintScLib|OvmfPkg/Library/PlatformBmPrintScLib/PlatformBmPrintScLib.inf
   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
   FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
@@ -147,7 +147,7 @@
 !if $(TTY_TERMINAL) == TRUE
   gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType|4
   # Set terminal type to TtyTerm, the value encoded is EFI_TTY_TERM_GUID
-  gArmVirtTokenSpaceGuid.PcdTerminalTypeGuidBuffer|{0x80, 0x6d, 0x91, 0x7d, 0xb1, 0x5b, 0x8c, 0x45, 0xa4, 0x8f, 0xe2, 0x5f, 0xdd, 0x51, 0xef, 0x94}
+  gUefiOvmfPkgTokenSpaceGuid.PcdTerminalTypeGuidBuffer|{0x80, 0x6d, 0x91, 0x7d, 0xb1, 0x5b, 0x8c, 0x45, 0xa4, 0x8f, 0xe2, 0x5f, 0xdd, 0x51, 0xef, 0x94}
 !else
   gEfiMdePkgTokenSpaceGuid.PcdDefaultTerminalType|1
 !endif
@@ -198,7 +198,7 @@
   # Define a default initial address for the device tree.
   # Ignored if x0 != 0 at entry.
   #
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress|0x40000000
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress|0x40000000
 
   gArmTokenSpaceGuid.PcdFdBaseAddress|0x0
   gArmTokenSpaceGuid.PcdFvBaseAddress|0x0
@@ -214,6 +214,7 @@
   gArmTokenSpaceGuid.PcdArmArchTimerIntrNum|0x0
   gArmTokenSpaceGuid.PcdArmArchTimerVirtIntrNum|0x0
   gArmTokenSpaceGuid.PcdArmArchTimerHypIntrNum|0x0
+  gArmTokenSpaceGuid.PcdArmArchTimerHypVirtIntrNum|0x0
 
   #
   # ARM General Interrupt Controller
@@ -430,7 +431,7 @@
   #
   # PCI support
   #
-  ArmPkg/Drivers/ArmPciCpuIo2Dxe/ArmPciCpuIo2Dxe.inf {
+  UefiCpuPkg/CpuMmio2Dxe/CpuMmio2Dxe.inf {
     <LibraryClasses>
       NULL|OvmfPkg/Fdt/FdtPciPcdProducerLib/FdtPciPcdProducerLib.inf
   }

ArmVirtPkg/ArmVirtXen.dsc

@@ -29,6 +29,9 @@
 
 [LibraryClasses]
   SerialPortLib|OvmfPkg/Library/XenConsoleSerialPortLib/XenConsoleSerialPortLib.inf
+!if $(TARGET) != RELEASE
+  DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
+!endif
   RealTimeClockLib|OvmfPkg/Library/XenRealTimeClockLib/XenRealTimeClockLib.inf
   XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
 
@@ -52,6 +55,11 @@
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
   TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+!if $(TARGET) != RELEASE
+  DebugLib|MdePkg/Library/DxeRuntimeDebugLibSerialPort/DxeRuntimeDebugLibSerialPort.inf
+!endif
+
 [LibraryClasses.common.UEFI_DRIVER]
   UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
 
@@ -107,7 +115,7 @@
   #
   gArmTokenSpaceGuid.PcdSystemMemoryBase|0x0
   gArmTokenSpaceGuid.PcdSystemMemorySize|0x0
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress|0x0
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress|0x0
 
   gArmTokenSpaceGuid.PcdFdBaseAddress|0x0
   gArmTokenSpaceGuid.PcdFvBaseAddress|0x0
@@ -118,6 +126,7 @@
   gArmTokenSpaceGuid.PcdArmArchTimerIntrNum|0x0
   gArmTokenSpaceGuid.PcdArmArchTimerVirtIntrNum|0x0
   gArmTokenSpaceGuid.PcdArmArchTimerHypIntrNum|0x0
+  gArmTokenSpaceGuid.PcdArmArchTimerHypVirtIntrNum|0x0
 
   #
   # ARM General Interrupt Controller
@@ -146,6 +155,9 @@
       PrePiHobListPointerLib|ArmPlatformPkg/Library/PrePiHobListPointerLib/PrePiHobListPointerLib.inf
       MemoryAllocationLib|EmbeddedPkg/Library/PrePiMemoryAllocationLib/PrePiMemoryAllocationLib.inf
       SerialPortLib|OvmfPkg/Library/XenConsoleSerialPortLib/XenConsoleSerialPortLib.inf
+!if $(TARGET) != RELEASE
+      DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
+!endif
   }
 
   #

ArmVirtPkg/ArmVirtXen.fdf

@@ -180,6 +180,7 @@ READ_LOCK_STATUS   = TRUE
   INF ShellPkg/Application/Shell/Shell.inf
   INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf
   INF ShellPkg/DynamicCommand/HttpDynamicCommand/HttpDynamicCommand.inf
+  INF ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
   INF OvmfPkg/LinuxInitrdDynamicShellCommand/LinuxInitrdDynamicShellCommand.inf
 
   #

ArmVirtPkg/Include/Guid/EarlyPL011BaseAddress.h

@@ -1,6 +1,6 @@
 /** @file
-  GUID for the HOB that caches the base address of the PL011 serial port, for
-  when PCD access is not available.
+  GUID for the HOB that caches the base address(es) of the PL011 serial port(s),
+  for when PCD access is not available.
 
   Copyright (C) 2014, Red Hat, Inc.
 
@@ -18,4 +18,15 @@
 
 extern EFI_GUID  gEarlyPL011BaseAddressGuid;
 
+typedef struct {
+  //
+  // for SerialPortLib and console IO
+  //
+  UINT64    ConsoleAddress;
+  //
+  // for DebugLib; may equal ConsoleAddress if there's only one PL011 UART
+  //
+  UINT64    DebugAddress;
+} EARLY_PL011_BASE_ADDRESS;
+
 #endif

ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf

@@ -26,6 +26,7 @@
   EmbeddedPkg/EmbeddedPkg.dec
   MdeModulePkg/MdeModulePkg.dec
   MdePkg/MdePkg.dec
+  OvmfPkg/OvmfPkg.dec
 
 [LibraryClasses]
   ArmSmcLib
@@ -36,4 +37,4 @@
   HobLib
 
 [Pcd]
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress

ArmVirtPkg/Library/ArmVirtTimerFdtClientLib/ArmVirtTimerFdtClientLib.c

@@ -35,6 +35,7 @@ ArmVirtTimerFdtClientLibConstructor (
   CONST INTERRUPT_PROPERTY  *InterruptProp;
   UINT32                    PropSize;
   INT32                     SecIntrNum, IntrNum, VirtIntrNum, HypIntrNum;
+  INT32                     HypVirtIntrNum;
   RETURN_STATUS             PcdStatus;
 
   Status = gBS->LocateProtocol (
@@ -66,10 +67,10 @@ ArmVirtTimerFdtClientLibConstructor (
   }
 
   //
-  // - interrupts : Interrupt list for secure, non-secure, virtual and
-  //  hypervisor timers, in that order.
+  // - interrupts : Interrupt list for secure, non-secure, virtual,
+  //  hypervisor and hypervisor virtual timers, in that order.
   //
-  ASSERT (PropSize == 36 || PropSize == 48);
+  ASSERT (PropSize >= 36);
 
   SecIntrNum = SwapBytes32 (InterruptProp[0].Number)
                + (InterruptProp[0].Type ? 16 : 0);
@@ -79,6 +80,8 @@ ArmVirtTimerFdtClientLibConstructor (
                 + (InterruptProp[2].Type ? 16 : 0);
   HypIntrNum = PropSize < 48 ? 0 : SwapBytes32 (InterruptProp[3].Number)
                + (InterruptProp[3].Type ? 16 : 0);
+  HypVirtIntrNum = PropSize < 60 ? 0 : SwapBytes32 (InterruptProp[4].Number)
+                   + (InterruptProp[4].Type ? 16 : 0);
 
   DEBUG ((
     DEBUG_INFO,
@@ -97,6 +100,8 @@ ArmVirtTimerFdtClientLibConstructor (
   ASSERT_RETURN_ERROR (PcdStatus);
   PcdStatus = PcdSet32S (PcdArmArchTimerHypIntrNum, HypIntrNum);
   ASSERT_RETURN_ERROR (PcdStatus);
+  PcdStatus = PcdSet32S (PcdArmArchTimerHypVirtIntrNum, HypVirtIntrNum);
+  ASSERT_RETURN_ERROR (PcdStatus);
 
   return EFI_SUCCESS;
 }

ArmVirtPkg/Library/ArmVirtTimerFdtClientLib/ArmVirtTimerFdtClientLib.inf

@@ -40,6 +40,7 @@
   gArmTokenSpaceGuid.PcdArmArchTimerIntrNum
   gArmTokenSpaceGuid.PcdArmArchTimerVirtIntrNum
   gArmTokenSpaceGuid.PcdArmArchTimerHypIntrNum
+  gArmTokenSpaceGuid.PcdArmArchTimerHypVirtIntrNum
 
 [Depex]
   gFdtClientProtocolGuid

ArmVirtPkg/Library/CloudHvVirtMemInfoLib/CloudHvVirtMemInfoPeiLib.inf

@@ -26,6 +26,7 @@
   EmbeddedPkg/EmbeddedPkg.dec
   MdeModulePkg/MdeModulePkg.dec
   MdePkg/MdePkg.dec
+  OvmfPkg/OvmfPkg.dec
 
 [LibraryClasses]
   ArmLib
@@ -44,4 +45,4 @@
 [FixedPcd]
   gArmTokenSpaceGuid.PcdFdSize
   gArmTokenSpaceGuid.PcdFvSize
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress

ArmVirtPkg/Library/DebugLibFdtPL011Uart/DebugLib.c

@@ -0,0 +1,355 @@
+/** @file
+  Originally copied from "MdePkg/Library/BaseDebugLibSerialPort/DebugLib.c" at
+  commit f36e1ec1f0a5, and customized for:
+
+  - RAM vs. flash dependent PL011 UART initialization,
+
+  - direct PL011 UART access, with the base address taken from the device tree
+    such that the debug output be separate from the SerialPortLib / UEFI console
+    traffic.
+
+  Both of these customizations are hidden behind DebugLibFdtPL011UartWrite(),
+  which replaces SerialPortWrite().
+
+  Copyright (C) Red Hat
+  Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Base.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseLib.h>
+#include <Library/PrintLib.h>
+#include <Library/PcdLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugPrintErrorLevelLib.h>
+
+#include "Write.h"
+
+//
+// Define the maximum debug and assert message length that this library supports
+//
+#define MAX_DEBUG_MESSAGE_LENGTH  0x100
+
+//
+// VA_LIST can not initialize to NULL for all compiler, so we use this to
+// indicate a null VA_LIST
+//
+VA_LIST  mVaListNull;
+
+/**
+  Prints a debug message to the debug output device if the specified error level is enabled.
+
+  If any bit in ErrorLevel is also set in DebugPrintErrorLevelLib function
+  GetDebugPrintErrorLevel (), then print the message specified by Format and the
+  associated variable argument list to the debug output device.
+
+  If Format is NULL, then ASSERT().
+
+  @param  ErrorLevel  The error level of the debug message.
+  @param  Format      Format string for the debug message to print.
+  @param  ...         Variable argument list whose contents are accessed
+                      based on the format string specified by Format.
+
+**/
+VOID
+EFIAPI
+DebugPrint (
+  IN  UINTN        ErrorLevel,
+  IN  CONST CHAR8  *Format,
+  ...
+  )
+{
+  VA_LIST  Marker;
+
+  VA_START (Marker, Format);
+  DebugVPrint (ErrorLevel, Format, Marker);
+  VA_END (Marker);
+}
+
+/**
+  Prints a debug message to the debug output device if the specified
+  error level is enabled base on Null-terminated format string and a
+  VA_LIST argument list or a BASE_LIST argument list.
+
+  If any bit in ErrorLevel is also set in DebugPrintErrorLevelLib function
+  GetDebugPrintErrorLevel (), then print the message specified by Format and
+  the associated variable argument list to the debug output device.
+
+  If Format is NULL, then ASSERT().
+
+  @param  ErrorLevel      The error level of the debug message.
+  @param  Format          Format string for the debug message to print.
+  @param  VaListMarker    VA_LIST marker for the variable argument list.
+  @param  BaseListMarker  BASE_LIST marker for the variable argument list.
+
+**/
+VOID
+DebugPrintMarker (
+  IN  UINTN        ErrorLevel,
+  IN  CONST CHAR8  *Format,
+  IN  VA_LIST      VaListMarker,
+  IN  BASE_LIST    BaseListMarker
+  )
+{
+  CHAR8  Buffer[MAX_DEBUG_MESSAGE_LENGTH];
+
+  //
+  // If Format is NULL, then ASSERT().
+  //
+  ASSERT (Format != NULL);
+
+  //
+  // Check driver debug mask value and global mask
+  //
+  if ((ErrorLevel & GetDebugPrintErrorLevel ()) == 0) {
+    return;
+  }
+
+  //
+  // Convert the DEBUG() message to an ASCII String
+  //
+  if (BaseListMarker == NULL) {
+    AsciiVSPrint (Buffer, sizeof (Buffer), Format, VaListMarker);
+  } else {
+    AsciiBSPrint (Buffer, sizeof (Buffer), Format, BaseListMarker);
+  }
+
+  //
+  // Send the print string to a Serial Port
+  //
+  DebugLibFdtPL011UartWrite ((UINT8 *)Buffer, AsciiStrLen (Buffer));
+}
+
+/**
+  Prints a debug message to the debug output device if the specified
+  error level is enabled.
+
+  If any bit in ErrorLevel is also set in DebugPrintErrorLevelLib function
+  GetDebugPrintErrorLevel (), then print the message specified by Format and
+  the associated variable argument list to the debug output device.
+
+  If Format is NULL, then ASSERT().
+
+  @param  ErrorLevel    The error level of the debug message.
+  @param  Format        Format string for the debug message to print.
+  @param  VaListMarker  VA_LIST marker for the variable argument list.
+
+**/
+VOID
+EFIAPI
+DebugVPrint (
+  IN  UINTN        ErrorLevel,
+  IN  CONST CHAR8  *Format,
+  IN  VA_LIST      VaListMarker
+  )
+{
+  DebugPrintMarker (ErrorLevel, Format, VaListMarker, NULL);
+}
+
+/**
+  Prints a debug message to the debug output device if the specified
+  error level is enabled.
+  This function use BASE_LIST which would provide a more compatible
+  service than VA_LIST.
+
+  If any bit in ErrorLevel is also set in DebugPrintErrorLevelLib function
+  GetDebugPrintErrorLevel (), then print the message specified by Format and
+  the associated variable argument list to the debug output device.
+
+  If Format is NULL, then ASSERT().
+
+  @param  ErrorLevel      The error level of the debug message.
+  @param  Format          Format string for the debug message to print.
+  @param  BaseListMarker  BASE_LIST marker for the variable argument list.
+
+**/
+VOID
+EFIAPI
+DebugBPrint (
+  IN  UINTN        ErrorLevel,
+  IN  CONST CHAR8  *Format,
+  IN  BASE_LIST    BaseListMarker
+  )
+{
+  DebugPrintMarker (ErrorLevel, Format, mVaListNull, BaseListMarker);
+}
+
+/**
+  Prints an assert message containing a filename, line number, and description.
+  This may be followed by a breakpoint or a dead loop.
+
+  Print a message of the form "ASSERT <FileName>(<LineNumber>): <Description>\n"
+  to the debug output device.  If DEBUG_PROPERTY_ASSERT_BREAKPOINT_ENABLED bit of
+  PcdDebugProperyMask is set then CpuBreakpoint() is called. Otherwise, if
+  DEBUG_PROPERTY_ASSERT_DEADLOOP_ENABLED bit of PcdDebugProperyMask is set then
+  CpuDeadLoop() is called.  If neither of these bits are set, then this function
+  returns immediately after the message is printed to the debug output device.
+  DebugAssert() must actively prevent recursion.  If DebugAssert() is called while
+  processing another DebugAssert(), then DebugAssert() must return immediately.
+
+  If FileName is NULL, then a <FileName> string of "(NULL) Filename" is printed.
+  If Description is NULL, then a <Description> string of "(NULL) Description" is printed.
+
+  @param  FileName     The pointer to the name of the source file that generated the assert condition.
+  @param  LineNumber   The line number in the source file that generated the assert condition
+  @param  Description  The pointer to the description of the assert condition.
+
+**/
+VOID
+EFIAPI
+DebugAssert (
+  IN CONST CHAR8  *FileName,
+  IN UINTN        LineNumber,
+  IN CONST CHAR8  *Description
+  )
+{
+  CHAR8  Buffer[MAX_DEBUG_MESSAGE_LENGTH];
+
+  //
+  // Generate the ASSERT() message in Ascii format
+  //
+  AsciiSPrint (Buffer, sizeof (Buffer), "ASSERT [%a] %a(%d): %a\n", gEfiCallerBaseName, FileName, LineNumber, Description);
+
+  //
+  // Send the print string to the Console Output device
+  //
+  DebugLibFdtPL011UartWrite ((UINT8 *)Buffer, AsciiStrLen (Buffer));
+
+  //
+  // Generate a Breakpoint, DeadLoop, or NOP based on PCD settings
+  //
+  if ((PcdGet8 (PcdDebugPropertyMask) & DEBUG_PROPERTY_ASSERT_BREAKPOINT_ENABLED) != 0) {
+    CpuBreakpoint ();
+  } else if ((PcdGet8 (PcdDebugPropertyMask) & DEBUG_PROPERTY_ASSERT_DEADLOOP_ENABLED) != 0) {
+    CpuDeadLoop ();
+  }
+}
+
+/**
+  Fills a target buffer with PcdDebugClearMemoryValue, and returns the target buffer.
+
+  This function fills Length bytes of Buffer with the value specified by
+  PcdDebugClearMemoryValue, and returns Buffer.
+
+  If Buffer is NULL, then ASSERT().
+  If Length is greater than (MAX_ADDRESS - Buffer + 1), then ASSERT().
+
+  @param   Buffer  The pointer to the target buffer to be filled with PcdDebugClearMemoryValue.
+  @param   Length  The number of bytes in Buffer to fill with zeros PcdDebugClearMemoryValue.
+
+  @return  Buffer  The pointer to the target buffer filled with PcdDebugClearMemoryValue.
+
+**/
+VOID *
+EFIAPI
+DebugClearMemory (
+  OUT VOID  *Buffer,
+  IN UINTN  Length
+  )
+{
+  //
+  // If Buffer is NULL, then ASSERT().
+  //
+  ASSERT (Buffer != NULL);
+
+  //
+  // SetMem() checks for the the ASSERT() condition on Length and returns Buffer
+  //
+  return SetMem (Buffer, Length, PcdGet8 (PcdDebugClearMemoryValue));
+}
+
+/**
+  Returns TRUE if ASSERT() macros are enabled.
+
+  This function returns TRUE if the DEBUG_PROPERTY_DEBUG_ASSERT_ENABLED bit of
+  PcdDebugProperyMask is set.  Otherwise FALSE is returned.
+
+  @retval  TRUE    The DEBUG_PROPERTY_DEBUG_ASSERT_ENABLED bit of PcdDebugProperyMask is set.
+  @retval  FALSE   The DEBUG_PROPERTY_DEBUG_ASSERT_ENABLED bit of PcdDebugProperyMask is clear.
+
+**/
+BOOLEAN
+EFIAPI
+DebugAssertEnabled (
+  VOID
+  )
+{
+  return (BOOLEAN)((PcdGet8 (PcdDebugPropertyMask) & DEBUG_PROPERTY_DEBUG_ASSERT_ENABLED) != 0);
+}
+
+/**
+  Returns TRUE if DEBUG() macros are enabled.
+
+  This function returns TRUE if the DEBUG_PROPERTY_DEBUG_PRINT_ENABLED bit of
+  PcdDebugProperyMask is set.  Otherwise FALSE is returned.
+
+  @retval  TRUE    The DEBUG_PROPERTY_DEBUG_PRINT_ENABLED bit of PcdDebugProperyMask is set.
+  @retval  FALSE   The DEBUG_PROPERTY_DEBUG_PRINT_ENABLED bit of PcdDebugProperyMask is clear.
+
+**/
+BOOLEAN
+EFIAPI
+DebugPrintEnabled (
+  VOID
+  )
+{
+  return (BOOLEAN)((PcdGet8 (PcdDebugPropertyMask) & DEBUG_PROPERTY_DEBUG_PRINT_ENABLED) != 0);
+}
+
+/**
+  Returns TRUE if DEBUG_CODE() macros are enabled.
+
+  This function returns TRUE if the DEBUG_PROPERTY_DEBUG_CODE_ENABLED bit of
+  PcdDebugProperyMask is set.  Otherwise FALSE is returned.
+
+  @retval  TRUE    The DEBUG_PROPERTY_DEBUG_CODE_ENABLED bit of PcdDebugProperyMask is set.
+  @retval  FALSE   The DEBUG_PROPERTY_DEBUG_CODE_ENABLED bit of PcdDebugProperyMask is clear.
+
+**/
+BOOLEAN
+EFIAPI
+DebugCodeEnabled (
+  VOID
+  )
+{
+  return (BOOLEAN)((PcdGet8 (PcdDebugPropertyMask) & DEBUG_PROPERTY_DEBUG_CODE_ENABLED) != 0);
+}
+
+/**
+  Returns TRUE if DEBUG_CLEAR_MEMORY() macro is enabled.
+
+  This function returns TRUE if the DEBUG_PROPERTY_CLEAR_MEMORY_ENABLED bit of
+  PcdDebugProperyMask is set.  Otherwise FALSE is returned.
+
+  @retval  TRUE    The DEBUG_PROPERTY_CLEAR_MEMORY_ENABLED bit of PcdDebugProperyMask is set.
+  @retval  FALSE   The DEBUG_PROPERTY_CLEAR_MEMORY_ENABLED bit of PcdDebugProperyMask is clear.
+
+**/
+BOOLEAN
+EFIAPI
+DebugClearMemoryEnabled (
+  VOID
+  )
+{
+  return (BOOLEAN)((PcdGet8 (PcdDebugPropertyMask) & DEBUG_PROPERTY_CLEAR_MEMORY_ENABLED) != 0);
+}
+
+/**
+  Returns TRUE if any one of the bit is set both in ErrorLevel and PcdFixedDebugPrintErrorLevel.
+
+  This function compares the bit mask of ErrorLevel and PcdFixedDebugPrintErrorLevel.
+
+  @retval  TRUE    Current ErrorLevel is supported.
+  @retval  FALSE   Current ErrorLevel is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+DebugPrintLevelEnabled (
+  IN  CONST UINTN  ErrorLevel
+  )
+{
+  return (BOOLEAN)((ErrorLevel & PcdGet32 (PcdFixedDebugPrintErrorLevel)) != 0);
+}

ArmVirtPkg/Library/DebugLibFdtPL011Uart/DebugLibFdtPL011UartFlash.inf

@@ -0,0 +1,55 @@
+## @file
+# DebugLib instance that produces debug output directly via PL011UartLib.
+#
+# If there are at least two PL011 UARTs in the device tree, and the /chosen
+# node's "stdout-path" property references one PL011 UART, then both raw
+# SerialPortLib IO, and -- via SerialDxe -- UEFI console IO, will occur on that
+# UART; and this DebugLib instance will produce output on a *different* UART.
+#
+# This instance is suitable for modules that may run from flash or RAM.
+#
+# Copyright (C) Red Hat
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+  INF_VERSION    = 1.27
+  BASE_NAME      = DebugLibFdtPL011UartFlash
+  FILE_GUID      = 43A4C56B-D071-4CE0-A157-9D59E6161DEC
+  MODULE_TYPE    = BASE
+  VERSION_STRING = 1.0
+  LIBRARY_CLASS  = DebugLib|SEC PEI_CORE PEIM
+
+[Sources]
+  DebugLib.c
+  Flash.c
+  Write.h
+
+[Packages]
+  ArmPlatformPkg/ArmPlatformPkg.dec
+  ArmVirtPkg/ArmVirtPkg.dec
+  MdePkg/MdePkg.dec
+  OvmfPkg/OvmfPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugPrintErrorLevelLib
+  FdtSerialPortAddressLib # Flash.c
+  PL011UartLib
+  PcdLib
+  PrintLib
+
+[Pcd]
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress # Flash.c
+  gEfiMdePkgTokenSpaceGuid.PcdDebugClearMemoryValue
+  gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask
+  gEfiMdePkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel
+
+[FixedPcd]
+  gArmPlatformTokenSpaceGuid.PL011UartClkInHz
+  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate
+  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultDataBits
+  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultParity
+  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultStopBits

ArmVirtPkg/Library/DebugLibFdtPL011Uart/DebugLibFdtPL011UartRam.inf

@@ -0,0 +1,60 @@
+## @file
+# DebugLib instance that produces debug output directly via PL011UartLib.
+#
+# If there are at least two PL011 UARTs in the device tree, and the /chosen
+# node's "stdout-path" property references one PL011 UART, then both raw
+# SerialPortLib IO, and -- via SerialDxe -- UEFI console IO, will occur on that
+# UART; and this DebugLib instance will produce output on a *different* UART.
+#
+# This instance is suitable for modules that can only run from RAM (except
+# DXE_RUNTIME_DRIVER).
+#
+# Copyright (C) Red Hat
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+  INF_VERSION    = 1.27
+  BASE_NAME      = DebugLibFdtPL011UartRam
+  FILE_GUID      = 0584DE55-9C4C-49C1-ADA0-F62C9C1F3600
+  MODULE_TYPE    = BASE
+  VERSION_STRING = 1.0
+  LIBRARY_CLASS  = DebugLib|DXE_CORE SMM_CORE MM_CORE_STANDALONE DXE_DRIVER DXE_SMM_DRIVER SMM_DRIVER MM_STANDALONE UEFI_DRIVER UEFI_APPLICATION
+  CONSTRUCTOR    = DebugLibFdtPL011UartRamConstructor
+
+[Sources]
+  DebugLib.c
+  Ram.c
+  Ram.h
+  RamNonRuntime.c
+  Write.h
+
+[Packages]
+  ArmPlatformPkg/ArmPlatformPkg.dec
+  ArmVirtPkg/ArmVirtPkg.dec
+  MdePkg/MdePkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugPrintErrorLevelLib
+  HobLib                  # Ram.c
+  PL011UartLib
+  PcdLib
+  PrintLib
+
+[Pcd]
+  gEfiMdePkgTokenSpaceGuid.PcdDebugClearMemoryValue
+  gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask
+  gEfiMdePkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel
+
+[FixedPcd]
+  gArmPlatformTokenSpaceGuid.PL011UartClkInHz
+  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate
+  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultDataBits
+  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultParity
+  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultStopBits
+
+[Guids]
+  gEarlyPL011BaseAddressGuid # Ram.c

ArmVirtPkg/Library/DebugLibFdtPL011Uart/DxeRuntimeDebugLibFdtPL011Uart.inf

@@ -0,0 +1,61 @@
+## @file
+# DebugLib instance that produces debug output directly via PL011UartLib.
+#
+# If there are at least two PL011 UARTs in the device tree, and the /chosen
+# node's "stdout-path" property references one PL011 UART, then both raw
+# SerialPortLib IO, and -- via SerialDxe -- UEFI console IO, will occur on that
+# UART; and this DebugLib instance will produce output on a *different* UART.
+#
+# This instance is suitable for DXE_RUNTIME_DRIVER modules. When exiting boot
+# services, UART access is stopped.
+#
+# Copyright (C) Red Hat
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+  INF_VERSION    = 1.27
+  BASE_NAME      = DxeRuntimeDebugLibFdtPL011Uart
+  FILE_GUID      = 8A6E0972-81B5-4FF4-BB24-A07748415947
+  MODULE_TYPE    = DXE_RUNTIME_DRIVER
+  VERSION_STRING = 1.0
+  LIBRARY_CLASS  = DebugLib|DXE_RUNTIME_DRIVER
+  CONSTRUCTOR    = DxeRuntimeDebugLibFdtPL011UartConstructor
+  DESTRUCTOR     = DxeRuntimeDebugLibFdtPL011UartDestructor
+
+[Sources]
+  DebugLib.c
+  Ram.c
+  Ram.h
+  Runtime.c
+  Write.h
+
+[Packages]
+  ArmPlatformPkg/ArmPlatformPkg.dec
+  ArmVirtPkg/ArmVirtPkg.dec
+  MdePkg/MdePkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugPrintErrorLevelLib
+  HobLib                  # Ram.c
+  PL011UartLib
+  PcdLib
+  PrintLib
+
+[Pcd]
+  gEfiMdePkgTokenSpaceGuid.PcdDebugClearMemoryValue
+  gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask
+  gEfiMdePkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel
+
+[FixedPcd]
+  gArmPlatformTokenSpaceGuid.PL011UartClkInHz
+  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate
+  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultDataBits
+  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultParity
+  gEfiMdePkgTokenSpaceGuid.PcdUartDefaultStopBits
+
+[Guids]
+  gEarlyPL011BaseAddressGuid # Ram.c

ArmVirtPkg/Library/DebugLibFdtPL011Uart/Flash.c

@@ -0,0 +1,107 @@
+/** @file
+  Define DebugLibFdtPL011UartWrite() for modules that may run from flash or RAM.
+
+  Copyright (C) Red Hat
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Library/FdtSerialPortAddressLib.h>
+#include <Library/PL011UartLib.h>
+#include <Library/PcdLib.h>
+
+#include "Write.h"
+
+/**
+  (Copied from SerialPortWrite() in "MdePkg/Include/Library/SerialPortLib.h" at
+  commit c4547aefb3d0, with the Buffer non-nullity assertion removed:)
+
+  Write data from buffer to serial device.
+
+  Writes NumberOfBytes data bytes from Buffer to the serial device.
+  The number of bytes actually written to the serial device is returned.
+  If the return value is less than NumberOfBytes, then the write operation failed.
+  If NumberOfBytes is zero, then return 0.
+
+  @param  Buffer           Pointer to the data buffer to be written.
+  @param  NumberOfBytes    Number of bytes to written to the serial device.
+
+  @retval 0                NumberOfBytes is 0.
+  @retval >0               The number of bytes written to the serial device.
+                           If this value is less than NumberOfBytes, then the write operation failed.
+**/
+UINTN
+DebugLibFdtPL011UartWrite (
+  IN UINT8  *Buffer,
+  IN UINTN  NumberOfBytes
+  )
+{
+  CONST VOID          *DeviceTree;
+  RETURN_STATUS       Status;
+  FDT_SERIAL_PORTS    Ports;
+  UINT64              DebugAddress;
+  UINT64              BaudRate;
+  UINT32              ReceiveFifoDepth;
+  EFI_PARITY_TYPE     Parity;
+  UINT8               DataBits;
+  EFI_STOP_BITS_TYPE  StopBits;
+
+  DeviceTree = (VOID *)(UINTN)PcdGet64 (PcdDeviceTreeInitialBaseAddress);
+  if (DeviceTree == NULL) {
+    return 0;
+  }
+
+  Status = FdtSerialGetPorts (DeviceTree, "arm,pl011", &Ports);
+  if (RETURN_ERROR (Status)) {
+    return 0;
+  }
+
+  if (Ports.NumberOfPorts == 1) {
+    //
+    // Just one UART; direct DebugLib to it.
+    //
+    DebugAddress = Ports.BaseAddress[0];
+  } else {
+    UINT64  ConsoleAddress;
+
+    Status = FdtSerialGetConsolePort (DeviceTree, &ConsoleAddress);
+    if (EFI_ERROR (Status)) {
+      //
+      // At least two UARTs; but failed to get the console preference. Use the
+      // second UART for DebugLib.
+      //
+      DebugAddress = Ports.BaseAddress[1];
+    } else {
+      //
+      // At least two UARTs; and console preference available. Use the first
+      // such UART for DebugLib that *differs* from ConsoleAddress.
+      //
+      if (ConsoleAddress == Ports.BaseAddress[0]) {
+        DebugAddress = Ports.BaseAddress[1];
+      } else {
+        DebugAddress = Ports.BaseAddress[0];
+      }
+    }
+  }
+
+  BaudRate         = (UINTN)FixedPcdGet64 (PcdUartDefaultBaudRate);
+  ReceiveFifoDepth = 0; // Use the default value for Fifo depth
+  Parity           = (EFI_PARITY_TYPE)FixedPcdGet8 (PcdUartDefaultParity);
+  DataBits         = FixedPcdGet8 (PcdUartDefaultDataBits);
+  StopBits         = (EFI_STOP_BITS_TYPE)FixedPcdGet8 (PcdUartDefaultStopBits);
+
+  Status = PL011UartInitializePort (
+             (UINTN)DebugAddress,
+             FixedPcdGet32 (PL011UartClkInHz),
+             &BaudRate,
+             &ReceiveFifoDepth,
+             &Parity,
+             &DataBits,
+             &StopBits
+             );
+  if (RETURN_ERROR (Status)) {
+    return 0;
+  }
+
+  return PL011UartWrite ((UINTN)DebugAddress, Buffer, NumberOfBytes);
+}

ArmVirtPkg/Library/DebugLibFdtPL011Uart/Ram.c

@@ -0,0 +1,124 @@
+/** @file
+  Define DebugLibFdtPL011UartWrite() for modules that can only run from RAM.
+
+  Copyright (C) Red Hat
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Uefi/UefiBaseType.h>
+#include <Uefi/UefiMultiPhase.h>
+#include <Pi/PiBootMode.h>
+#include <Pi/PiHob.h>
+#include <Library/HobLib.h>
+#include <Library/PL011UartLib.h>
+#include <Library/PcdLib.h>
+#include <Guid/EarlyPL011BaseAddress.h>
+
+#include "Ram.h"
+#include "Write.h"
+
+UINTN          mDebugLibFdtPL011UartAddress;
+RETURN_STATUS  mDebugLibFdtPL011UartPermanentStatus = RETURN_SUCCESS;
+
+/**
+  Statefully initialize both the library instance and the debug PL011 UART.
+**/
+STATIC
+RETURN_STATUS
+Initialize (
+  VOID
+  )
+{
+  CONST VOID                      *Hob;
+  CONST EARLY_PL011_BASE_ADDRESS  *UartBase;
+  RETURN_STATUS                   Status;
+  UINTN                           DebugAddress;
+  UINT64                          BaudRate;
+  UINT32                          ReceiveFifoDepth;
+  EFI_PARITY_TYPE                 Parity;
+  UINT8                           DataBits;
+  EFI_STOP_BITS_TYPE              StopBits;
+
+  if (mDebugLibFdtPL011UartAddress != 0) {
+    return RETURN_SUCCESS;
+  }
+
+  if (RETURN_ERROR (mDebugLibFdtPL011UartPermanentStatus)) {
+    return mDebugLibFdtPL011UartPermanentStatus;
+  }
+
+  Hob = GetFirstGuidHob (&gEarlyPL011BaseAddressGuid);
+  if ((Hob == NULL) || (GET_GUID_HOB_DATA_SIZE (Hob) != sizeof *UartBase)) {
+    Status = RETURN_NOT_FOUND;
+    goto Failed;
+  }
+
+  UartBase = GET_GUID_HOB_DATA (Hob);
+
+  DebugAddress = (UINTN)UartBase->DebugAddress;
+  if (DebugAddress == 0) {
+    Status = RETURN_NOT_FOUND;
+    goto Failed;
+  }
+
+  BaudRate         = (UINTN)PcdGet64 (PcdUartDefaultBaudRate);
+  ReceiveFifoDepth = 0; // Use the default value for Fifo depth
+  Parity           = (EFI_PARITY_TYPE)PcdGet8 (PcdUartDefaultParity);
+  DataBits         = PcdGet8 (PcdUartDefaultDataBits);
+  StopBits         = (EFI_STOP_BITS_TYPE)PcdGet8 (PcdUartDefaultStopBits);
+
+  Status = PL011UartInitializePort (
+             DebugAddress,
+             FixedPcdGet32 (PL011UartClkInHz),
+             &BaudRate,
+             &ReceiveFifoDepth,
+             &Parity,
+             &DataBits,
+             &StopBits
+             );
+  if (RETURN_ERROR (Status)) {
+    goto Failed;
+  }
+
+  mDebugLibFdtPL011UartAddress = DebugAddress;
+  return RETURN_SUCCESS;
+
+Failed:
+  mDebugLibFdtPL011UartPermanentStatus = Status;
+  return Status;
+}
+
+/**
+  (Copied from SerialPortWrite() in "MdePkg/Include/Library/SerialPortLib.h" at
+  commit c4547aefb3d0, with the Buffer non-nullity assertion removed:)
+
+  Write data from buffer to serial device.
+
+  Writes NumberOfBytes data bytes from Buffer to the serial device.
+  The number of bytes actually written to the serial device is returned.
+  If the return value is less than NumberOfBytes, then the write operation failed.
+  If NumberOfBytes is zero, then return 0.
+
+  @param  Buffer           Pointer to the data buffer to be written.
+  @param  NumberOfBytes    Number of bytes to written to the serial device.
+
+  @retval 0                NumberOfBytes is 0.
+  @retval >0               The number of bytes written to the serial device.
+                           If this value is less than NumberOfBytes, then the write operation failed.
+**/
+UINTN
+DebugLibFdtPL011UartWrite (
+  IN UINT8  *Buffer,
+  IN UINTN  NumberOfBytes
+  )
+{
+  RETURN_STATUS  Status;
+
+  Status = Initialize ();
+  if (RETURN_ERROR (Status)) {
+    return 0;
+  }
+
+  return PL011UartWrite (mDebugLibFdtPL011UartAddress, Buffer, NumberOfBytes);
+}

ArmVirtPkg/Library/DebugLibFdtPL011Uart/Ram.h

@@ -0,0 +1,18 @@
+/** @file
+  Declare the variables that modules that can only run from RAM use for
+  remembering initialization status.
+
+  Copyright (C) Red Hat
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef DEBUG_LIB_FDT_PL011_UART_RAM_H_
+#define DEBUG_LIB_FDT_PL011_UART_RAM_H_
+
+#include <Base.h>
+
+extern UINTN          mDebugLibFdtPL011UartAddress;
+extern RETURN_STATUS  mDebugLibFdtPL011UartPermanentStatus;
+
+#endif

ArmVirtPkg/Library/DebugLibFdtPL011Uart/RamNonRuntime.c

@@ -0,0 +1,27 @@
+/** @file
+  Provide an empty lib instance constructor for modules that can only run from
+  RAM but are not DXE_RUNTIME_DRIVER modules.
+
+  This ensures that e.g. any HobLib constructor is ordered correctly. (The
+  DXE_CORE calls constructors late, but the DXE_CORE HobLib instance needs no
+  construction anyway.)
+
+  Copyright (C) Red Hat
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Base.h>
+
+/**
+  Empty library instance constructor, only for ensuring the connectivity of the
+  constructor dependency graph.
+**/
+RETURN_STATUS
+EFIAPI
+DebugLibFdtPL011UartRamConstructor (
+  VOID
+  )
+{
+  return RETURN_SUCCESS;
+}

ArmVirtPkg/Library/DebugLibFdtPL011Uart/Runtime.c

@@ -0,0 +1,88 @@
+/** @file
+  Permanently disable the library instance in DXE_RUNTIME_DRIVER modules when
+  exiting boot services.
+
+  Copyright (C) Red Hat
+  Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2018, Linaro, Ltd. All rights reserved.<BR>
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Uefi/UefiSpec.h>
+
+#include "Ram.h"
+
+STATIC EFI_EVENT  mExitBootServicesEvent;
+
+/**
+  Notification function that is triggered when the boot service
+  ExitBootServices() is called.
+
+  @param[in] Event    Event whose notification function is being invoked. Here,
+                      unused.
+
+  @param[in] Context  The pointer to the notification function's context, which
+                      is implementation-dependent. Here, unused.
+**/
+STATIC
+VOID
+EFIAPI
+ExitBootServicesNotify (
+  IN EFI_EVENT  Event,
+  IN VOID       *Context
+  )
+{
+  mDebugLibFdtPL011UartAddress         = 0;
+  mDebugLibFdtPL011UartPermanentStatus = RETURN_ABORTED;
+}
+
+/**
+  Library instance constructor, registering ExitBootServicesNotify().
+
+  @param[in] ImageHandle  The firmware-allocated handle for the EFI image.
+
+  @param[in] SystemTable  A pointer to the EFI System Table.
+
+  @retval EFI_SUCCESS  The operation completed successfully.
+
+  @return              Error codes propagated from CreateEvent(); the
+                       registration of ExitBootServicesNotify() failed.
+**/
+EFI_STATUS
+EFIAPI
+DxeRuntimeDebugLibFdtPL011UartConstructor (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  return SystemTable->BootServices->CreateEvent (
+                                      EVT_SIGNAL_EXIT_BOOT_SERVICES,
+                                      TPL_CALLBACK,
+                                      ExitBootServicesNotify,
+                                      NULL /* NotifyContext */,
+                                      &mExitBootServicesEvent
+                                      );
+}
+
+/**
+  Library instance destructor, deregistering ExitBootServicesNotify().
+
+  @param[in] ImageHandle  The firmware-allocated handle for the EFI image.
+
+  @param[in] SystemTable  A pointer to the EFI System Table.
+
+  @retval EFI_SUCCESS  Library instance tear-down complete.
+
+  @return              Error codes propagated from CloseEvent(); the
+                       deregistration of ExitBootServicesNotify() failed.
+**/
+EFI_STATUS
+EFIAPI
+DxeRuntimeDebugLibFdtPL011UartDestructor (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  return SystemTable->BootServices->CloseEvent (mExitBootServicesEvent);
+}

ArmVirtPkg/Library/DebugLibFdtPL011Uart/Write.h

@@ -0,0 +1,39 @@
+/** @file
+  Declare DebugLibFdtPL011UartWrite(), for abstracting PL011 UART initialization
+  differences between flash- vs. RAM-based modules.
+
+  Copyright (C) Red Hat
+  Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2012 - 2014, ARM Ltd. All rights reserved.
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef DEBUG_LIB_FDT_PL011_UART_WRITE_H_
+#define DEBUG_LIB_FDT_PL011_UART_WRITE_H_
+
+/**
+  (Copied from SerialPortWrite() in "MdePkg/Include/Library/SerialPortLib.h" at
+  commit c4547aefb3d0, with the Buffer non-nullity assertion removed:)
+
+  Write data from buffer to serial device.
+
+  Writes NumberOfBytes data bytes from Buffer to the serial device.
+  The number of bytes actually written to the serial device is returned.
+  If the return value is less than NumberOfBytes, then the write operation failed.
+  If NumberOfBytes is zero, then return 0.
+
+  @param  Buffer           Pointer to the data buffer to be written.
+  @param  NumberOfBytes    Number of bytes to written to the serial device.
+
+  @retval 0                NumberOfBytes is 0.
+  @retval >0               The number of bytes written to the serial device.
+                           If this value is less than NumberOfBytes, then the write operation failed.
+**/
+UINTN
+DebugLibFdtPL011UartWrite (
+  IN UINT8  *Buffer,
+  IN UINTN  NumberOfBytes
+  );
+
+#endif

ArmVirtPkg/Library/Fdt16550SerialPortHookLib/EarlyFdt16550SerialPortHookLib.c

@@ -17,90 +17,7 @@
 #include <Library/HobLib.h>
 #include <Library/PcdLib.h>
 #include <Library/PlatformHookLib.h>
-#include <libfdt.h>
-
-/** Get the UART base address of the console serial-port from the DT.
-
-  This function fetches the node referenced in the "stdout-path"
-  property of the "chosen" node and returns the base address of
-  the console UART.
-
-  @param [in]   Fdt                   Pointer to a Flattened Device Tree (Fdt).
-  @param [out]  SerialConsoleAddress  If success, contains the base address
-                                      of the console serial-port.
-
-  @retval EFI_SUCCESS             The function completed successfully.
-  @retval EFI_NOT_FOUND           Console serial-port info not found in DT.
-  @retval EFI_INVALID_PARAMETER   Invalid parameter.
-**/
-STATIC
-EFI_STATUS
-EFIAPI
-GetSerialConsolePortAddress (
-  IN  CONST VOID    *Fdt,
-  OUT       UINT64  *SerialConsoleAddress
-  )
-{
-  CONST CHAR8   *Prop;
-  INT32         PropSize;
-  CONST CHAR8   *Path;
-  INT32         PathLen;
-  INT32         ChosenNode;
-  INT32         SerialConsoleNode;
-  INT32         Len;
-  CONST CHAR8   *NodeStatus;
-  CONST UINT64  *RegProperty;
-
-  if ((Fdt == NULL) || (fdt_check_header (Fdt) != 0)) {
-    return EFI_INVALID_PARAMETER;
-  }
-
-  // The "chosen" node resides at the root of the DT. Fetch it.
-  ChosenNode = fdt_path_offset (Fdt, "/chosen");
-  if (ChosenNode < 0) {
-    return EFI_NOT_FOUND;
-  }
-
-  Prop = fdt_getprop (Fdt, ChosenNode, "stdout-path", &PropSize);
-  if (PropSize < 0) {
-    return EFI_NOT_FOUND;
-  }
-
-  // Determine the actual path length, as a colon terminates the path.
-  Path = ScanMem8 (Prop, PropSize, ':');
-  if (Path == NULL) {
-    PathLen = AsciiStrLen (Prop);
-  } else {
-    PathLen = Path - Prop;
-  }
-
-  // Aliases cannot start with a '/', so it must be the actual path.
-  if (Prop[0] == '/') {
-    SerialConsoleNode = fdt_path_offset_namelen (Fdt, Prop, PathLen);
-  } else {
-    // Lookup the alias, as this contains the actual path.
-    Path = fdt_get_alias_namelen (Fdt, Prop, PathLen);
-    if (Path == NULL) {
-      return EFI_NOT_FOUND;
-    }
-
-    SerialConsoleNode = fdt_path_offset (Fdt, Path);
-  }
-
-  NodeStatus = fdt_getprop (Fdt, SerialConsoleNode, "status", &Len);
-  if ((NodeStatus != NULL) && (AsciiStrCmp (NodeStatus, "okay") != 0)) {
-    return EFI_NOT_FOUND;
-  }
-
-  RegProperty = fdt_getprop (Fdt, SerialConsoleNode, "reg", &Len);
-  if (Len != 16) {
-    return EFI_INVALID_PARAMETER;
-  }
-
-  *SerialConsoleAddress = fdt64_to_cpu (ReadUnaligned64 (RegProperty));
-
-  return EFI_SUCCESS;
-}
+#include <Library/FdtSerialPortAddressLib.h>
 
 /** Platform hook to retrieve the 16550 UART base address from the platform
     Device tree and store it in PcdSerialRegisterBase.
@@ -108,6 +25,7 @@ GetSerialConsolePortAddress (
   @retval RETURN_SUCCESS            Success.
   @retval RETURN_INVALID_PARAMETER  A parameter was invalid.
   @retval RETURN_NOT_FOUND          Serial port information not found.
+  @retval RETURN_PROTOCOL_ERROR     Invalid information in the Device Tree.
 
 **/
 RETURN_STATUS
@@ -129,7 +47,7 @@ PlatformHookSerialPortInitialize (
     return RETURN_NOT_FOUND;
   }
 
-  Status = GetSerialConsolePortAddress (DeviceTreeBase, &SerialConsoleAddress);
+  Status = FdtSerialGetConsolePort (DeviceTreeBase, &SerialConsoleAddress);
   if (RETURN_ERROR (Status)) {
     return Status;
   }

ArmVirtPkg/Library/Fdt16550SerialPortHookLib/EarlyFdt16550SerialPortHookLib.inf

@@ -22,15 +22,15 @@
 [LibraryClasses]
   BaseLib
   PcdLib
-  FdtLib
+  FdtSerialPortAddressLib
   HobLib
 
 [Packages]
   ArmVirtPkg/ArmVirtPkg.dec
-  EmbeddedPkg/EmbeddedPkg.dec
   MdeModulePkg/MdeModulePkg.dec
   MdePkg/MdePkg.dec
+  OvmfPkg/OvmfPkg.dec
 
 [Pcd]
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
   gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase

ArmVirtPkg/Library/FdtPL011SerialPortLib/EarlyFdtPL011SerialPortLib.c

@@ -15,7 +15,7 @@
 #include <Library/PcdLib.h>
 #include <Library/PL011UartLib.h>
 #include <Library/SerialPortLib.h>
-#include <libfdt.h>
+#include <Library/FdtSerialPortAddressLib.h>
 
 RETURN_STATUS
 EFIAPI
@@ -56,74 +56,48 @@ SerialPortGetBaseAddress (
   UINT8               DataBits;
   EFI_STOP_BITS_TYPE  StopBits;
   VOID                *DeviceTreeBase;
-  INT32               Node, Prev;
-  INT32               Len;
-  CONST CHAR8         *Compatible;
-  CONST CHAR8         *NodeStatus;
-  CONST CHAR8         *CompatibleItem;
-  CONST UINT64        *RegProperty;
-  UINTN               UartBase;
+  FDT_SERIAL_PORTS    Ports;
+  UINT64              UartBase;
   RETURN_STATUS       Status;
 
   DeviceTreeBase = (VOID *)(UINTN)PcdGet64 (PcdDeviceTreeInitialBaseAddress);
 
-  if ((DeviceTreeBase == NULL) || (fdt_check_header (DeviceTreeBase) != 0)) {
+  if (DeviceTreeBase == NULL) {
+    return 0;
+  }
+
+  Status = FdtSerialGetPorts (DeviceTreeBase, "arm,pl011", &Ports);
+  if (RETURN_ERROR (Status)) {
     return 0;
   }
 
   //
-  // Enumerate all FDT nodes looking for a PL011 and capture its base address
+  // Default to the first port found, but (if there are multiple ports) allow
+  // the "/chosen" node to override it. Note that if FdtSerialGetConsolePort()
+  // fails, it does not modify UartBase.
   //
-  for (Prev = 0; ; Prev = Node) {
-    Node = fdt_next_node (DeviceTreeBase, Prev, NULL);
-    if (Node < 0) {
-      break;
-    }
+  UartBase = Ports.BaseAddress[0];
+  if (Ports.NumberOfPorts > 1) {
+    FdtSerialGetConsolePort (DeviceTreeBase, &UartBase);
+  }
 
-    Compatible = fdt_getprop (DeviceTreeBase, Node, "compatible", &Len);
-    if (Compatible == NULL) {
-      continue;
-    }
+  BaudRate         = (UINTN)FixedPcdGet64 (PcdUartDefaultBaudRate);
+  ReceiveFifoDepth = 0; // Use the default value for Fifo depth
+  Parity           = (EFI_PARITY_TYPE)FixedPcdGet8 (PcdUartDefaultParity);
+  DataBits         = FixedPcdGet8 (PcdUartDefaultDataBits);
+  StopBits         = (EFI_STOP_BITS_TYPE)FixedPcdGet8 (PcdUartDefaultStopBits);
 
-    //
-    // Iterate over the NULL-separated items in the compatible string
-    //
-    for (CompatibleItem = Compatible; CompatibleItem < Compatible + Len;
-         CompatibleItem += 1 + AsciiStrLen (CompatibleItem))
-    {
-      if (AsciiStrCmp (CompatibleItem, "arm,pl011") == 0) {
-        NodeStatus = fdt_getprop (DeviceTreeBase, Node, "status", &Len);
-        if ((NodeStatus != NULL) && (AsciiStrCmp (NodeStatus, "okay") != 0)) {
-          continue;
-        }
-
-        RegProperty = fdt_getprop (DeviceTreeBase, Node, "reg", &Len);
-        if (Len != 16) {
-          return 0;
-        }
-
-        UartBase = (UINTN)fdt64_to_cpu (ReadUnaligned64 (RegProperty));
-
-        BaudRate         = (UINTN)FixedPcdGet64 (PcdUartDefaultBaudRate);
-        ReceiveFifoDepth = 0; // Use the default value for Fifo depth
-        Parity           = (EFI_PARITY_TYPE)FixedPcdGet8 (PcdUartDefaultParity);
-        DataBits         = FixedPcdGet8 (PcdUartDefaultDataBits);
-        StopBits         = (EFI_STOP_BITS_TYPE)FixedPcdGet8 (PcdUartDefaultStopBits);
-
-        Status = PL011UartInitializePort (
-                   UartBase,
-                   FixedPcdGet32 (PL011UartClkInHz),
-                   &BaudRate,
-                   &ReceiveFifoDepth,
-                   &Parity,
-                   &DataBits,
-                   &StopBits
-                   );
-        if (!EFI_ERROR (Status)) {
-          return UartBase;
-        }
-      }
-    }
+  Status = PL011UartInitializePort (
+             UartBase,
+             FixedPcdGet32 (PL011UartClkInHz),
+             &BaudRate,
+             &ReceiveFifoDepth,
+             &Parity,
+             &DataBits,
+             &StopBits
+             );
+  if (!RETURN_ERROR (Status)) {
+    return UartBase;
   }
 
   return 0;

ArmVirtPkg/Library/FdtPL011SerialPortLib/EarlyFdtPL011SerialPortLib.inf

@@ -22,16 +22,16 @@
 [LibraryClasses]
   PL011UartLib
   PcdLib
-  FdtLib
+  FdtSerialPortAddressLib
 
 [Packages]
   MdePkg/MdePkg.dec
-  EmbeddedPkg/EmbeddedPkg.dec
   ArmPlatformPkg/ArmPlatformPkg.dec
   ArmVirtPkg/ArmVirtPkg.dec
+  OvmfPkg/OvmfPkg.dec
 
 [Pcd]
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
 
 [FixedPcd]
   gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate

ArmVirtPkg/Library/FdtPL011SerialPortLib/FdtPL011SerialPortLib.c

@@ -23,49 +23,57 @@
 #include <Library/HobLib.h>
 #include <Guid/EarlyPL011BaseAddress.h>
 
-STATIC UINTN  mSerialBaseAddress;
+STATIC UINTN          mSerialBaseAddress;
+STATIC RETURN_STATUS  mPermanentStatus = RETURN_SUCCESS;
 
+/**
+  Program hardware of Serial port
+
+  @retval RETURN_SUCCESS    If the serial port was initialized successfully by
+                            this call, or an earlier call, to
+                            SerialPortInitialize().
+
+  @retval RETURN_NOT_FOUND  If no PL011 base address could be found.
+
+  @return                   Error codes forwarded from
+                            PL011UartInitializePort().
+**/
 RETURN_STATUS
 EFIAPI
 SerialPortInitialize (
   VOID
   )
 {
-  return RETURN_SUCCESS;
-}
+  VOID                            *Hob;
+  RETURN_STATUS                   Status;
+  CONST EARLY_PL011_BASE_ADDRESS  *UartBase;
+  UINTN                           SerialBaseAddress;
+  UINT64                          BaudRate;
+  UINT32                          ReceiveFifoDepth;
+  EFI_PARITY_TYPE                 Parity;
+  UINT8                           DataBits;
+  EFI_STOP_BITS_TYPE              StopBits;
 
-/**
+  if (mSerialBaseAddress != 0) {
+    return RETURN_SUCCESS;
+  }
 
-  Program hardware of Serial port
-
-  @return    RETURN_NOT_FOUND if no PL011 base address could be found
-             Otherwise, result of PL011UartInitializePort () is returned
-
-**/
-RETURN_STATUS
-EFIAPI
-FdtPL011SerialPortLibInitialize (
-  VOID
-  )
-{
-  VOID                *Hob;
-  CONST UINT64        *UartBase;
-  UINT64              BaudRate;
-  UINT32              ReceiveFifoDepth;
-  EFI_PARITY_TYPE     Parity;
-  UINT8               DataBits;
-  EFI_STOP_BITS_TYPE  StopBits;
+  if (RETURN_ERROR (mPermanentStatus)) {
+    return mPermanentStatus;
+  }
 
   Hob = GetFirstGuidHob (&gEarlyPL011BaseAddressGuid);
   if ((Hob == NULL) || (GET_GUID_HOB_DATA_SIZE (Hob) != sizeof *UartBase)) {
-    return RETURN_NOT_FOUND;
+    Status = RETURN_NOT_FOUND;
+    goto Failed;
   }
 
   UartBase = GET_GUID_HOB_DATA (Hob);
 
-  mSerialBaseAddress = (UINTN)*UartBase;
-  if (mSerialBaseAddress == 0) {
-    return RETURN_NOT_FOUND;
+  SerialBaseAddress = (UINTN)UartBase->ConsoleAddress;
+  if (SerialBaseAddress == 0) {
+    Status = RETURN_NOT_FOUND;
+    goto Failed;
   }
 
   BaudRate         = (UINTN)PcdGet64 (PcdUartDefaultBaudRate);
@@ -74,15 +82,25 @@ FdtPL011SerialPortLibInitialize (
   DataBits         = PcdGet8 (PcdUartDefaultDataBits);
   StopBits         = (EFI_STOP_BITS_TYPE)PcdGet8 (PcdUartDefaultStopBits);
 
-  return PL011UartInitializePort (
-           mSerialBaseAddress,
-           FixedPcdGet32 (PL011UartClkInHz),
-           &BaudRate,
-           &ReceiveFifoDepth,
-           &Parity,
-           &DataBits,
-           &StopBits
-           );
+  Status = PL011UartInitializePort (
+             SerialBaseAddress,
+             FixedPcdGet32 (PL011UartClkInHz),
+             &BaudRate,
+             &ReceiveFifoDepth,
+             &Parity,
+             &DataBits,
+             &StopBits
+             );
+  if (RETURN_ERROR (Status)) {
+    goto Failed;
+  }
+
+  mSerialBaseAddress = SerialBaseAddress;
+  return RETURN_SUCCESS;
+
+Failed:
+  mPermanentStatus = Status;
+  return Status;
 }
 
 /**
@@ -102,7 +120,7 @@ SerialPortWrite (
   IN UINTN  NumberOfBytes
   )
 {
-  if (mSerialBaseAddress != 0) {
+  if (!RETURN_ERROR (SerialPortInitialize ())) {
     return PL011UartWrite (mSerialBaseAddress, Buffer, NumberOfBytes);
   }
 
@@ -126,7 +144,7 @@ SerialPortRead (
   IN  UINTN  NumberOfBytes
   )
 {
-  if (mSerialBaseAddress != 0) {
+  if (!RETURN_ERROR (SerialPortInitialize ())) {
     return PL011UartRead (mSerialBaseAddress, Buffer, NumberOfBytes);
   }
 
@@ -146,7 +164,7 @@ SerialPortPoll (
   VOID
   )
 {
-  if (mSerialBaseAddress != 0) {
+  if (!RETURN_ERROR (SerialPortInitialize ())) {
     return PL011UartPoll (mSerialBaseAddress);
   }
 
@@ -199,7 +217,7 @@ SerialPortSetAttributes (
 {
   RETURN_STATUS  Status;
 
-  if (mSerialBaseAddress == 0) {
+  if (RETURN_ERROR (SerialPortInitialize ())) {
     Status = RETURN_UNSUPPORTED;
   } else {
     Status = PL011UartInitializePort (
@@ -234,7 +252,7 @@ SerialPortSetControl (
 {
   RETURN_STATUS  Status;
 
-  if (mSerialBaseAddress == 0) {
+  if (RETURN_ERROR (SerialPortInitialize ())) {
     Status = RETURN_UNSUPPORTED;
   } else {
     Status = PL011UartSetControl (mSerialBaseAddress, Control);
@@ -261,7 +279,7 @@ SerialPortGetControl (
 {
   RETURN_STATUS  Status;
 
-  if (mSerialBaseAddress == 0) {
+  if (RETURN_ERROR (SerialPortInitialize ())) {
     Status = RETURN_UNSUPPORTED;
   } else {
     Status = PL011UartGetControl (mSerialBaseAddress, Control);

ArmVirtPkg/Library/FdtPL011SerialPortLib/FdtPL011SerialPortLib.inf

@@ -15,7 +15,7 @@
   MODULE_TYPE                    = BASE
   VERSION_STRING                 = 1.0
   LIBRARY_CLASS                  = SerialPortLib|DXE_CORE DXE_DRIVER UEFI_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
-  CONSTRUCTOR                    = FdtPL011SerialPortLibInitialize
+  CONSTRUCTOR                    = SerialPortInitialize
 
 [Sources.common]
   FdtPL011SerialPortLib.c

ArmVirtPkg/Library/KvmtoolPlatformPeiLib/KvmtoolPlatformPeiLib.inf

@@ -24,6 +24,7 @@
   EmbeddedPkg/EmbeddedPkg.dec
   MdeModulePkg/MdeModulePkg.dec
   MdePkg/MdePkg.dec
+  OvmfPkg/OvmfPkg.dec
 
 [LibraryClasses]
   DebugLib
@@ -34,12 +35,12 @@
 
 [FixedPcd]
   gArmTokenSpaceGuid.PcdFvSize
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeAllocationPadding
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeAllocationPadding
 
 [Pcd]
   gArmTokenSpaceGuid.PcdFvBaseAddress
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
   gEfiMdeModulePkgTokenSpaceGuid.PcdSerialRegisterBase
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
 
 [Guids]
   gFdtHobGuid

ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c

@@ -9,11 +9,13 @@
 
 #include <PiPei.h>
 
+#include <Library/BaseMemoryLib.h>
 #include <Library/MemoryAllocationLib.h>
 #include <Library/DebugLib.h>
 #include <Library/HobLib.h>
 #include <Library/PcdLib.h>
 #include <Library/PeiServicesLib.h>
+#include <Library/FdtSerialPortAddressLib.h>
 #include <libfdt.h>
 
 #include <Guid/EarlyPL011BaseAddress.h>
@@ -37,25 +39,23 @@ PlatformPeim (
   VOID
   )
 {
-  VOID          *Base;
-  VOID          *NewBase;
-  UINTN         FdtSize;
-  UINTN         FdtPages;
-  UINT64        *FdtHobData;
-  UINT64        *UartHobData;
-  INT32         Node, Prev;
-  INT32         Parent, Depth;
-  CONST CHAR8   *Compatible;
-  CONST CHAR8   *CompItem;
-  CONST CHAR8   *NodeStatus;
-  INT32         Len;
-  INT32         RangesLen;
-  INT32         StatusLen;
-  CONST UINT64  *RegProp;
-  CONST UINT32  *RangesProp;
-  UINT64        UartBase;
-  UINT64        TpmBase;
-  EFI_STATUS    Status;
+  VOID                      *Base;
+  VOID                      *NewBase;
+  UINTN                     FdtSize;
+  UINTN                     FdtPages;
+  UINT64                    *FdtHobData;
+  EARLY_PL011_BASE_ADDRESS  *UartHobData;
+  FDT_SERIAL_PORTS          Ports;
+  INT32                     Node, Prev;
+  INT32                     Parent, Depth;
+  CONST CHAR8               *Compatible;
+  CONST CHAR8               *CompItem;
+  INT32                     Len;
+  INT32                     RangesLen;
+  CONST UINT64              *RegProp;
+  CONST UINT32              *RangesProp;
+  UINT64                    TpmBase;
+  EFI_STATUS                Status;
 
   Base = (VOID *)(UINTN)PcdGet64 (PcdDeviceTreeInitialBaseAddress);
   ASSERT (Base != NULL);
@@ -73,7 +73,56 @@ PlatformPeim (
 
   UartHobData = BuildGuidHob (&gEarlyPL011BaseAddressGuid, sizeof *UartHobData);
   ASSERT (UartHobData != NULL);
-  *UartHobData = 0;
+  SetMem (UartHobData, sizeof *UartHobData, 0);
+
+  Status = FdtSerialGetPorts (Base, "arm,pl011", &Ports);
+  if (!EFI_ERROR (Status)) {
+    if (Ports.NumberOfPorts == 1) {
+      //
+      // Just one UART; direct both SerialPortLib+console and DebugLib to it.
+      //
+      UartHobData->ConsoleAddress = Ports.BaseAddress[0];
+      UartHobData->DebugAddress   = Ports.BaseAddress[0];
+    } else {
+      UINT64  ConsoleAddress;
+
+      Status = FdtSerialGetConsolePort (Base, &ConsoleAddress);
+      if (EFI_ERROR (Status)) {
+        //
+        // At least two UARTs; but failed to get the console preference. Use the
+        // first UART for SerialPortLib+console, and the second one for
+        // DebugLib.
+        //
+        UartHobData->ConsoleAddress = Ports.BaseAddress[0];
+        UartHobData->DebugAddress   = Ports.BaseAddress[1];
+      } else {
+        //
+        // At least two UARTs; and console preference available. Use the
+        // preferred UART for SerialPortLib+console, and *another* UART for
+        // DebugLib.
+        //
+        UartHobData->ConsoleAddress = ConsoleAddress;
+        if (ConsoleAddress == Ports.BaseAddress[0]) {
+          UartHobData->DebugAddress = Ports.BaseAddress[1];
+        } else {
+          UartHobData->DebugAddress = Ports.BaseAddress[0];
+        }
+      }
+    }
+
+    DEBUG ((
+      DEBUG_INFO,
+      "%a: PL011 UART (console) @ 0x%lx\n",
+      __func__,
+      UartHobData->ConsoleAddress
+      ));
+    DEBUG ((
+      DEBUG_INFO,
+      "%a: PL011 UART (debug) @ 0x%lx\n",
+      __func__,
+      UartHobData->DebugAddress
+      ));
+  }
 
   TpmBase = 0;
 
@@ -100,23 +149,8 @@ PlatformPeim (
     for (CompItem = Compatible; CompItem != NULL && CompItem < Compatible + Len;
          CompItem += 1 + AsciiStrLen (CompItem))
     {
-      if (AsciiStrCmp (CompItem, "arm,pl011") == 0) {
-        NodeStatus = fdt_getprop (Base, Node, "status", &StatusLen);
-        if ((NodeStatus != NULL) && (AsciiStrCmp (NodeStatus, "okay") != 0)) {
-          continue;
-        }
-
-        RegProp = fdt_getprop (Base, Node, "reg", &Len);
-        ASSERT (Len == 16);
-
-        UartBase = fdt64_to_cpu (ReadUnaligned64 (RegProp));
-
-        DEBUG ((DEBUG_INFO, "%a: PL011 UART @ 0x%lx\n", __func__, UartBase));
-
-        *UartHobData = UartBase;
-        break;
-      } else if (FeaturePcdGet (PcdTpm2SupportEnabled) &&
-                 (AsciiStrCmp (CompItem, "tcg,tpm-tis-mmio") == 0))
+      if (FeaturePcdGet (PcdTpm2SupportEnabled) &&
+          (AsciiStrCmp (CompItem, "tcg,tpm-tis-mmio") == 0))
       {
         RegProp = fdt_getprop (Base, Node, "reg", &Len);
         ASSERT (Len == 8 || Len == 16);

ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf

@@ -31,24 +31,26 @@
   gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled
 
 [LibraryClasses]
+  BaseMemoryLib
   DebugLib
   HobLib
   FdtLib
+  FdtSerialPortAddressLib
   PcdLib
   PeiServicesLib
 
 [FixedPcd]
   gArmTokenSpaceGuid.PcdFvSize
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeAllocationPadding
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeAllocationPadding
 
 [Pcd]
   gArmTokenSpaceGuid.PcdFvBaseAddress
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress         ## SOMETIMES_PRODUCES
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress             ## SOMETIMES_PRODUCES
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
 
 [Ppis]
-  gOvmfTpmDiscoveredPpiGuid                               ## SOMETIMES_PRODUCES
-  gPeiTpmInitializationDonePpiGuid                        ## SOMETIMES_PRODUCES
+  gOvmfTpmDiscoveredPpiGuid                                   ## SOMETIMES_PRODUCES
+  gPeiTpmInitializationDonePpiGuid                            ## SOMETIMES_PRODUCES
 
 [Guids]
   gEarlyPL011BaseAddressGuid

ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoPeiLib.inf

@@ -26,6 +26,7 @@
   EmbeddedPkg/EmbeddedPkg.dec
   MdeModulePkg/MdeModulePkg.dec
   MdePkg/MdePkg.dec
+  OvmfPkg/OvmfPkg.dec
 
 [LibraryClasses]
   ArmLib
@@ -44,4 +45,4 @@
   gArmTokenSpaceGuid.PcdSystemMemorySize
   gArmTokenSpaceGuid.PcdFdSize
   gArmTokenSpaceGuid.PcdFvSize
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress

ArmVirtPkg/PlatformCI/.azurepipelines/Ubuntu-GCC5.yml

@@ -140,6 +140,19 @@ jobs:
             Build.Target: "RELEASE"
             Run: false
 
+          CLOUDHV_AARCH64_DEBUG:
+            Build.File: "$(package)/PlatformCI/CloudHvBuild.py"
+            Build.Arch: "AARCH64"
+            Build.Flags: ""
+            Build.Target: "DEBUG"
+            Run: false
+          CLOUDHV_AARCH64_RELEASE:
+            Build.File: "$(package)/PlatformCI/CloudHvBuild.py"
+            Build.Arch: "AARCH64"
+            Build.Flags: ""
+            Build.Target: "RELEASE"
+            Run: false
+
     workspace:
       clean: all
 

ArmVirtPkg/PlatformCI/CloudHvBuild.py

@@ -0,0 +1,32 @@
+# @file
+# Script to Build ArmVirtPkg UEFI firmware
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+import os
+import sys
+
+sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+from PlatformBuildLib import SettingsManager
+from PlatformBuildLib import PlatformBuilder
+
+    # ####################################################################################### #
+    #                                Common Configuration                                     #
+    # ####################################################################################### #
+class CommonPlatform():
+    ''' Common settings for this platform.  Define static data here and use
+        for the different parts of stuart
+    '''
+    PackagesSupported = ("ArmVirtPkg",)
+    ArchSupported = ("AARCH64",)
+    TargetsSupported = ("DEBUG", "RELEASE")
+    Scopes = ('armvirt', 'edk2-build')
+    WorkspaceRoot = os.path.realpath(os.path.join(
+        os.path.dirname(os.path.abspath(__file__)), "..", ".."))
+
+    DscName = os.path.join("ArmVirtPkg", "ArmVirtCloudHv.dsc")
+    FvQemuArg = "" # ignored
+
+import PlatformBuildLib
+PlatformBuildLib.CommonPlatform = CommonPlatform

ArmVirtPkg/PlatformCI/PlatformBuildLib.py

@@ -244,6 +244,11 @@ class PlatformBuilder(UefiBuilder, BuildSettingsManager):
         # Conditional Args
         if (self.env.GetValue("QEMU_HEADLESS").upper() == "TRUE"):
             args += " -display none"  # no graphics
+        else:
+            args += " -device virtio-gpu-pci"                         # add recommended QEMU graphics device
+            args += " -device qemu-xhci,id=usb"                       # add USB support for below devices
+            args += " -device usb-tablet,id=input0,bus=usb.0,port=1"  # add a usb mouse
+            args += " -device usb-kbd,id=input1,bus=usb.0,port=2"     # add a usb keyboard
 
         if (self.env.GetValue("MAKE_STARTUP_NSH").upper() == "TRUE"):
             f = open(os.path.join(VirtualDrive, "startup.nsh"), "w")

ArmVirtPkg/PlatformCI/ReadMe.md

@@ -5,28 +5,43 @@ to use the same Pytools based build infrastructure locally.
 
 ## Supported Configuration Details
 
-This solution for building and running ArmVirtPkg has only been validated with Ubuntu
-18.04 and the GCC5 toolchain. Two different firmware builds are supported and are
-described below.
+This solution for building and running ArmVirtPkg has been validated with Fedora
+37 Linux and the GCC5 toolchain. The following different firmware builds are
+supported.
 
-| Configuration name      | Architecture       | DSC File         |Additional Flags |
-| :----------             | :-----             | :-----           | :----           |
-| AARCH64                 | AARCH64            | ArmVirtQemu.dsc  | None            |
-| ARM                     | ARM                | ArmVirtQemu.dsc  | None            |
+| Configuration name      | Architecture       | DSC File               | Additional Flags |
+| :----------             | :-----             | :-----                 | :----            |
+| AARCH64 - KVM Cloud HV  | AARCH64            | ArmVirtCloudHv.dsc     | None             |
+| ARM - KVM Cloud HV      | ARM                | ArmVirtCloudHv.dsc     | None             |
+| AARCH64 - kvmtool       | AARCH64            | ArmVirtKvmTool.dsc     | None             |
+| ARM - kvmtool           | ARM                | ArmVirtKvmTool.dsc     | None             |
+| AARCH64 - QEMU          | AARCH64            | ArmVirtQemu.dsc        | None             |
+| ARM - QEMU              | ARM                | ArmVirtQemu.dsc        | None             |
+| AARCH64 - QEMU Kernel   | AARCH64            | ArmVirtQemuKernel.dsc  | None             |
+| ARM - QEMU Kernel       | ARM                | ArmVirtQemuKernel.dsc  | None             |
+| AARCH64 - Xen HV        | AARCH64            | ArmVirtXen.dsc         | None             |
+| ARM - Xen HV            | ARM                | ArmVirtXen.dsc         | None             |
 
 ## EDK2 Developer environment
 
-- [Python 3.8.x - Download & Install](https://www.python.org/downloads/)
+- [Python 3.12.x - Download & Install](https://www.python.org/downloads/)
 - [GIT - Download & Install](https://git-scm.com/download/)
 - [QEMU - Download, Install, and add to your path](https://www.qemu.org/download/)
 - [Edk2 Source](https://github.com/tianocore/edk2)
-- Additional packages found necessary for Ubuntu 18.04
-  - apt-get install gcc g++ make uuid-dev
+- Additional packages found necessary for Fedora Linux 37
+  - dnf install gcc g++ make libuuid-devel
 
 Note: edksetup, Submodule initialization and manual installation of NASM, iASL, or
 the required cross-compiler toolchains are **not** required, this is handled by the
 Pytools build system.
 
+The code is built in CI using a container. The latest Fedora Linux 37 container is
+available in this GitHub container registry feed
+[fedora-37-test](https://github.com/tianocore/containers/pkgs/container/containers%2Ffedora-37-test).
+
+The exact container version tested in CI is maintained in this file
+[edk2/.azurepipelines/templates/default.yml](https://github.com/tianocore/edk2/blob/HEAD/.azurepipelines/templates/defaults.yml).
+
 ## Building with Pytools for ArmVirtPkg
 
 If you are unfamiliar with Pytools, it is recommended to first read through
@@ -57,16 +72,16 @@ the generic set of edk2 [Build Instructions](https://github.com/tianocore/tianoc
     pip install --upgrade -r pip-requirements.txt
     ```
 
-4. Initialize & Update Submodules - only when submodules updated
+4. Initialize & Update Submodules - only when submodules updated (QEMU build example)
 
     ``` bash
-    stuart_setup -c ArmVirtPkg/PlatformCI/PlatformBuild.py TOOL_CHAIN_TAG=<TOOL_CHAIN_TAG> -a <TARGET_ARCH>
+    stuart_setup -c ArmVirtPkg/PlatformCI/QemuBuild.py TOOL_CHAIN_TAG=<TOOL_CHAIN_TAG> -a <TARGET_ARCH>
     ```
 
-5. Initialize & Update Dependencies - only as needed when ext_deps change
+5. Initialize & Update Dependencies - only as needed when ext_deps change (QEMU build example)
 
     ``` bash
-    stuart_update -c ArmVirtPkg/PlatformCI/PlatformBuild.py TOOL_CHAIN_TAG=<TOOL_CHAIN_TAG> -a <TARGET_ARCH>
+    stuart_update -c ArmVirtPkg/PlatformCI/QemuBuild.py TOOL_CHAIN_TAG=<TOOL_CHAIN_TAG> -a <TARGET_ARCH>
     ```
 
 6. Compile the basetools if necessary - only when basetools C source files change
@@ -75,13 +90,13 @@ the generic set of edk2 [Build Instructions](https://github.com/tianocore/tianoc
     python BaseTools/Edk2ToolsBuild.py -t <ToolChainTag>
     ```
 
-7. Compile Firmware
+7. Compile Firmware (QEMU build example)
 
     ``` bash
-    stuart_build -c ArmVirtPkg/PlatformCI/PlatformBuild.py TOOL_CHAIN_TAG=<TOOL_CHAIN_TAG> -a <TARGET_ARCH>
+    stuart_build -c ArmVirtPkg/PlatformCI/QemuBuild.py TOOL_CHAIN_TAG=<TOOL_CHAIN_TAG> -a <TARGET_ARCH>
     ```
 
-    - use `stuart_build -c ArmVirtPkg/PlatformCI/PlatformBuild.py -h` option to see additional
+    - use `stuart_build -c ArmVirtPkg/PlatformCI/QemuBuild.py -h` option to see additional
     options like `--clean`
 
 8. Running Emulator
@@ -90,7 +105,7 @@ the generic set of edk2 [Build Instructions](https://github.com/tianocore/tianoc
     - or use the `--FlashOnly` feature to just run the emulator.
 
       ``` bash
-      stuart_build -c ArmVirtPkg/PlatformCI/PlatformBuild.py TOOL_CHAIN_TAG=<TOOL_CHAIN_TAG> -a <TARGET_ARCH> --FlashOnly
+      stuart_build -c ArmVirtPkg/PlatformCI/QemuBuild.py TOOL_CHAIN_TAG=<TOOL_CHAIN_TAG> -a <TARGET_ARCH> --FlashOnly
       ```
 
 ### Notes
@@ -120,7 +135,7 @@ command-line. _stuart_build_ currently requires values to be assigned, so add an
 For example, to enable the TPM2 support, instead of the traditional "-D TPM2_ENABLE=TRUE", the stuart_build
 command-line would be:
 
-`stuart_build -c ArmVirtPkg/PlatformCI/PlatformBuild.py BLD_*_TPM2_ENABLE=TRUE`
+`stuart_build -c ArmVirtPkg/PlatformCI/QemuBuild.py BLD_*_TPM2_ENABLE=TRUE`
 
 ## References
 

ArmVirtPkg/PrePi/ArmVirtPrePiUniCoreRelocatable.inf

@@ -35,6 +35,7 @@
   ArmPkg/ArmPkg.dec
   ArmPlatformPkg/ArmPlatformPkg.dec
   ArmVirtPkg/ArmVirtPkg.dec
+  OvmfPkg/OvmfPkg.dec
 
 [LibraryClasses]
   BaseLib
@@ -93,6 +94,6 @@
 [Pcd]
   gArmTokenSpaceGuid.PcdSystemMemoryBase
   gArmTokenSpaceGuid.PcdSystemMemorySize
-  gArmVirtTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
   gArmTokenSpaceGuid.PcdFdBaseAddress
   gArmTokenSpaceGuid.PcdFvBaseAddress
+  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress

BaseTools/Conf/target.template

@@ -22,8 +22,8 @@ ACTIVE_PLATFORM       = EmulatorPkg/EmulatorPkg.dsc
 #  TARGET                List       Optional    Zero or more of the following: DEBUG, RELEASE, NOOPT
 #                                               UserDefined; separated by a space character.
 #                                               If the line is missing or no value is specified, all
-#                                               valid targets specified in the platform description file 
-#                                               will attempt to be built. The following line will build 
+#                                               valid targets specified in the platform description file
+#                                               will attempt to be built. The following line will build
 #                                               DEBUG platform target.
 TARGET                = DEBUG
 
@@ -32,7 +32,7 @@ TARGET                = DEBUG
 #                                               or AArch64.
 #                                               Multiple values can be specified on a single line, using
 #                                               space characters to separate the values.  These are used
-#                                               during the parsing of a platform description file, 
+#                                               during the parsing of a platform description file,
 #                                               restricting the build output target(s.)
 #                                               The Build Target ARCH is determined by (precedence high to low):
 #                                                 Command-line: -a ARCH option
@@ -51,7 +51,7 @@ TOOL_CHAIN_CONF       = Conf/tools_def.txt
 #  TAGNAME               List      Optional   Specify the name(s) of the tools_def.txt TagName to use.
 #                                             If not specified, all applicable TagName tools will be
 #                                             used for the build.  The list uses space character separation.
-TOOL_CHAIN_TAG        = VS2015x86
+TOOL_CHAIN_TAG        = VS2019
 
 # MAX_CONCURRENT_THREAD_NUMBER  NUMBER  Optional  The number of concurrent threads. If not specified or set
 #                                                 to zero, tool automatically detect number of processor
@@ -64,7 +64,7 @@ TOOL_CHAIN_TAG        = VS2015x86
 
 
 # BUILD_RULE_CONF  Filename Optional  Specify the file name to use for the build rules that are followed
-#                                     when generating Makefiles. If not specified, the file: 
+#                                     when generating Makefiles. If not specified, the file:
 #                                     WORKSPACE/Conf/build_rule.txt will be used
 BUILD_RULE_CONF = Conf/build_rule.txt
 

BaseTools/Conf/tools_def.template

@@ -1859,7 +1859,7 @@ DEFINE CLANGDWARF_X64_DLINK2_FLAGS        = -Wl,--defsym=PECOFF_HEADER_SIZE=0x22
 DEFINE CLANGDWARF_IA32_TARGET             = -target i686-pc-linux-gnu
 DEFINE CLANGDWARF_X64_TARGET              = -target x86_64-pc-linux-gnu
 
-DEFINE CLANGDWARF_WARNING_OVERRIDES    = -Wno-parentheses-equality -Wno-tautological-compare -Wno-tautological-constant-out-of-range-compare -Wno-empty-body -Wno-unused-const-variable -Wno-varargs -Wno-unknown-warning-option -Wno-unused-but-set-variable -Wno-unused-const-variable -Wno-unaligned-access -Wno-unneeded-internal-declaration
+DEFINE CLANGDWARF_WARNING_OVERRIDES    = -Wno-parentheses-equality -Wno-empty-body -Wno-unused-const-variable -Wno-varargs -Wno-unknown-warning-option -Wno-unused-but-set-variable -Wno-unused-const-variable -Wno-unaligned-access -Wno-unneeded-internal-declaration
 DEFINE CLANGDWARF_ALL_CC_FLAGS         = DEF(GCC48_ALL_CC_FLAGS) DEF(CLANGDWARF_WARNING_OVERRIDES) -fno-stack-protector -mms-bitfields -Wno-address -Wno-shift-negative-value -Wno-unknown-pragmas -Wno-incompatible-library-redeclaration -fno-asynchronous-unwind-tables -mno-sse -mno-mmx -msoft-float -mno-implicit-float  -ftrap-function=undefined_behavior_has_been_optimized_away_by_clang -funsigned-char -fno-ms-extensions -Wno-null-dereference
 
 ###########################
@@ -2015,7 +2015,7 @@ DEFINE CLANGDWARF_AARCH64_DLINK_FLAGS  = DEF(CLANGDWARF_AARCH64_TARGET) DEF(GCC_
 *_CLANGDWARF_AARCH64_RC_FLAGS       = DEF(GCC_AARCH64_RC_FLAGS) DEF(GCC_AARCH64_RC_BTI_FLAGS)
 *_CLANGDWARF_AARCH64_VFRPP_FLAGS    = DEF(GCC_VFRPP_FLAGS) DEF(CLANGDWARF_AARCH64_TARGET) $(PLATFORM_FLAGS)
 *_CLANGDWARF_AARCH64_ASLPP_FLAGS    = DEF(GCC_ASLPP_FLAGS) DEF(CLANGDWARF_AARCH64_TARGET)
-*_CLANGDWARF_AARCH64_CC_XIPFLAGS    = DEF(GCC_AARCH64_CC_XIPFLAGS)
+*_CLANGDWARF_AARCH64_CC_XIPFLAGS    = -mstrict-align
 
   DEBUG_CLANGDWARF_AARCH64_CC_FLAGS    = DEF(CLANGDWARF_AARCH64_CC_FLAGS) $(PLATFORM_FLAGS) -flto -O1
   DEBUG_CLANGDWARF_AARCH64_DLINK_FLAGS = DEF(CLANGDWARF_AARCH64_DLINK_FLAGS) -flto -Wl,-O1 -fuse-ld=lld -L$(WORKSPACE)/ArmPkg/Library/GccLto -llto-aarch64 -Wl,-plugin-opt=-pass-through=-llto-aarch64 -Wl,--no-pie,--no-relax

BaseTools/Plugin/CodeQL/CodeQlAnalyzePlugin.py

@@ -0,0 +1,222 @@
+# @file CodeQAnalyzePlugin.py
+#
+# A build plugin that analyzes a CodeQL database.
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+import json
+import logging
+import os
+import yaml
+
+from analyze import analyze_filter
+from common import codeql_plugin
+
+from edk2toolext import edk2_logging
+from edk2toolext.environment.plugintypes.uefi_build_plugin import \
+    IUefiBuildPlugin
+from edk2toolext.environment.uefi_build import UefiBuilder
+from edk2toollib.uefi.edk2.path_utilities import Edk2Path
+from edk2toollib.utility_functions import RunCmd
+from pathlib import Path
+
+
+class CodeQlAnalyzePlugin(IUefiBuildPlugin):
+
+    def do_post_build(self, builder: UefiBuilder) -> int:
+        """CodeQL analysis post-build functionality.
+
+        Args:
+            builder (UefiBuilder): A UEFI builder object for this build.
+
+        Returns:
+            int: The number of CodeQL errors found. Zero indicates that
+            AuditOnly mode is enabled or no failures were found.
+        """
+        self.builder = builder
+        self.package = builder.edk2path.GetContainingPackage(
+            builder.edk2path.GetAbsolutePathOnThisSystemFromEdk2RelativePath(
+                builder.env.GetValue("ACTIVE_PLATFORM")
+            )
+        )
+
+        self.package_path = Path(
+            builder.edk2path.GetAbsolutePathOnThisSystemFromEdk2RelativePath(
+                self.package
+            )
+        )
+        self.target = builder.env.GetValue("TARGET")
+
+        self.codeql_db_path = codeql_plugin.get_codeql_db_path(
+                                builder.ws, self.package, self.target,
+                                new_path=False)
+
+        self.codeql_path = codeql_plugin.get_codeql_cli_path()
+        if not self.codeql_path:
+            logging.critical("CodeQL build enabled but CodeQL CLI application "
+                             "not found.")
+            return -1
+
+        codeql_sarif_dir_path = self.codeql_db_path[
+                                        :self.codeql_db_path.rindex('-')]
+        codeql_sarif_dir_path = codeql_sarif_dir_path.replace(
+                                        "-db-", "-analysis-")
+        self.codeql_sarif_path = os.path.join(
+                                        codeql_sarif_dir_path,
+                                        (os.path.basename(
+                                            self.codeql_db_path) +
+                                            ".sarif"))
+
+        edk2_logging.log_progress(f"Analyzing {self.package} ({self.target}) "
+                                  f"CodeQL database at:\n"
+                                  f"           {self.codeql_db_path}")
+        edk2_logging.log_progress(f"Results will be written to:\n"
+                                  f"           {self.codeql_sarif_path}")
+
+        # Packages are allowed to specify package-specific query specifiers
+        # in the package CI YAML file that override the global query specifier.
+        audit_only = False
+        query_specifiers = None
+        package_config_file = Path(os.path.join(
+                                self.package_path, self.package + ".ci.yaml"))
+        plugin_data = None
+        if package_config_file.is_file():
+            with open(package_config_file, 'r') as cf:
+                package_config_file_data = yaml.safe_load(cf)
+                if "CodeQlAnalyze" in package_config_file_data:
+                    plugin_data = package_config_file_data["CodeQlAnalyze"]
+                    if "AuditOnly" in plugin_data:
+                        audit_only = plugin_data["AuditOnly"]
+                    if "QuerySpecifiers" in plugin_data:
+                        logging.debug(f"Loading CodeQL query specifiers in "
+                                      f"{str(package_config_file)}")
+                        query_specifiers = plugin_data["QuerySpecifiers"]
+
+        global_audit_only = builder.env.GetValue("STUART_CODEQL_AUDIT_ONLY")
+        if global_audit_only:
+            if global_audit_only.strip().lower() == "true":
+                audit_only = True
+
+        if audit_only:
+            logging.info(f"CodeQL Analyze plugin is in audit only mode for "
+                         f"{self.package} ({self.target}).")
+
+        # Builds can override the query specifiers defined in this plugin
+        # by setting the value in the STUART_CODEQL_QUERY_SPECIFIERS
+        # environment variable.
+        if not query_specifiers:
+            query_specifiers = builder.env.GetValue(
+                                "STUART_CODEQL_QUERY_SPECIFIERS")
+
+        # Use this plugins query set file as the default fallback if it is
+        # not overridden. It is possible the file is not present if modified
+        # locally. In that case, skip the plugin.
+        plugin_query_set = Path(Path(__file__).parent, "CodeQlQueries.qls")
+
+        if not query_specifiers and plugin_query_set.is_file():
+            query_specifiers = str(plugin_query_set.resolve())
+
+        if not query_specifiers:
+            logging.warning("Skipping CodeQL analysis since no CodeQL query "
+                            "specifiers were provided.")
+            return 0
+
+        codeql_params = (f'database analyze {self.codeql_db_path} '
+                         f'{query_specifiers} --format=sarifv2.1.0 '
+                         f'--output={self.codeql_sarif_path} --download '
+                         f'--threads=0')
+
+        # CodeQL requires the sarif file parent directory to exist already.
+        Path(self.codeql_sarif_path).parent.mkdir(exist_ok=True, parents=True)
+
+        cmd_ret = RunCmd(self.codeql_path, codeql_params)
+        if cmd_ret != 0:
+            logging.critical(f"CodeQL CLI analysis failed with return code "
+                             f"{cmd_ret}.")
+
+        if not os.path.isfile(self.codeql_sarif_path):
+            logging.critical(f"The sarif file {self.codeql_sarif_path} was "
+                             f"not created. Analysis cannot continue.")
+            return -1
+
+        filter_pattern_data = []
+        global_filter_file_value = builder.env.GetValue(
+                                    "STUART_CODEQL_FILTER_FILES")
+        if global_filter_file_value:
+            global_filter_files = global_filter_file_value.strip().split(',')
+            global_filter_files = [Path(f) for f in global_filter_files]
+
+            for global_filter_file in global_filter_files:
+                if global_filter_file.is_file():
+                    with open(global_filter_file, 'r') as ff:
+                        global_filter_file_data = yaml.safe_load(ff)
+                        if "Filters" in global_filter_file_data:
+                            current_pattern_data = \
+                                global_filter_file_data["Filters"]
+                            if type(current_pattern_data) is not list:
+                                logging.critical(
+                                    f"CodeQL pattern data must be a list of "
+                                    f"strings. Data in "
+                                    f"{str(global_filter_file.resolve())} is "
+                                    f"invalid. CodeQL analysis is incomplete.")
+                                return -1
+                            filter_pattern_data += current_pattern_data
+                        else:
+                            logging.critical(
+                                f"CodeQL global filter file "
+                                f"{str(global_filter_file.resolve())} is  "
+                                f"malformed. Missing Filters section. CodeQL "
+                                f"analysis is incomplete.")
+                            return -1
+                else:
+                    logging.critical(
+                        f"CodeQL global filter file "
+                        f"{str(global_filter_file.resolve())} was not found. "
+                        f"CodeQL analysis is incomplete.")
+                    return -1
+
+        if plugin_data and "Filters" in plugin_data:
+            if type(plugin_data["Filters"]) is not list:
+                logging.critical(
+                    "CodeQL pattern data must be a list of strings. "
+                    "CodeQL analysis is incomplete.")
+                return -1
+            filter_pattern_data.extend(plugin_data["Filters"])
+
+        if filter_pattern_data:
+            logging.info("Applying CodeQL SARIF result filters.")
+            analyze_filter.filter_sarif(
+                self.codeql_sarif_path,
+                self.codeql_sarif_path,
+                filter_pattern_data,
+                split_lines=False)
+
+        with open(self.codeql_sarif_path, 'r') as sf:
+            sarif_file_data = json.load(sf)
+
+        try:
+            # Perform minimal JSON parsing to find the number of errors.
+            total_errors = 0
+            for run in sarif_file_data['runs']:
+                total_errors += len(run['results'])
+        except KeyError:
+            logging.critical("Sarif file does not contain expected data. "
+                             "Analysis cannot continue.")
+            return -1
+
+        if total_errors > 0:
+            if audit_only:
+                # Show a warning message so CodeQL analysis is not forgotten.
+                # If the repo owners truly do not want to fix CodeQL issues,
+                # analysis should be disabled entirely.
+                logging.warning(f"{self.package} ({self.target}) CodeQL "
+                                f"analysis ignored {total_errors} errors due "
+                                f"to audit mode being enabled.")
+                return 0
+            else:
+                logging.error(f"{self.package} ({self.target}) CodeQL "
+                              f"analysis failed with {total_errors} errors.")
+
+        return total_errors

BaseTools/Plugin/CodeQL/CodeQlAnalyze_plug_in.yaml

@@ -0,0 +1,13 @@
+## @file CodeQlAnalyze_plug_in.py
+#
+# Build plugin used to analyze CodeQL results.
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+{
+  "scope": "codeql-analyze",
+  "name": "CodeQL Analyze Plugin",
+  "module": "CodeQlAnalyzePlugin"
+}

BaseTools/Plugin/CodeQL/CodeQlBuildPlugin.py

@@ -0,0 +1,169 @@
+# @file CodeQlBuildPlugin.py
+#
+# A build plugin that produces CodeQL results for the present build.
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+import glob
+import logging
+import os
+import stat
+from common import codeql_plugin
+from pathlib import Path
+
+from edk2toolext import edk2_logging
+from edk2toolext.environment.plugintypes.uefi_build_plugin import \
+    IUefiBuildPlugin
+from edk2toolext.environment.uefi_build import UefiBuilder
+from edk2toollib.uefi.edk2.path_utilities import Edk2Path
+from edk2toollib.utility_functions import GetHostInfo, RemoveTree
+
+
+class CodeQlBuildPlugin(IUefiBuildPlugin):
+
+    def do_pre_build(self, builder: UefiBuilder) -> int:
+        """CodeQL pre-build functionality.
+
+        Args:
+            builder (UefiBuilder): A UEFI builder object for this build.
+
+        Returns:
+            int: The plugin return code. Zero indicates the plugin ran
+            successfully. A non-zero value indicates an unexpected error
+            occurred during plugin execution.
+        """
+
+        if not builder.SkipBuild:
+            self.builder = builder
+            self.package = builder.edk2path.GetContainingPackage(
+                builder.edk2path.GetAbsolutePathOnThisSystemFromEdk2RelativePath(
+                    builder.env.GetValue("ACTIVE_PLATFORM")
+                )
+            )
+
+            self.target = builder.env.GetValue("TARGET")
+
+            self.build_output_dir = builder.env.GetValue("BUILD_OUTPUT_BASE")
+
+            self.codeql_db_path = codeql_plugin.get_codeql_db_path(
+                                    builder.ws, self.package, self.target)
+
+            edk2_logging.log_progress(f"{self.package} will be built for CodeQL")
+            edk2_logging.log_progress(f"  CodeQL database will be written to "
+                                    f"{self.codeql_db_path}")
+
+            self.codeql_path = codeql_plugin.get_codeql_cli_path()
+            if not self.codeql_path:
+                logging.critical("CodeQL build enabled but CodeQL CLI application "
+                                "not found.")
+                return -1
+
+            # CodeQL can only generate a database on clean build
+            #
+            # Note: builder.CleanTree() cannot be used here as some platforms
+            #       have build steps that run before this plugin that store
+            #       files in the build output directory.
+            #
+            #       CodeQL does not care about with those files or many others such
+            #       as the FV directory, build logs, etc. so instead focus on
+            #       removing only the directories with compilation/linker output
+            #       for the architectures being built (that need clean runs for
+            #       CodeQL to work).
+            targets = self.builder.env.GetValue("TARGET_ARCH").split(" ")
+            for target in targets:
+                directory_to_delete = Path(self.build_output_dir, target)
+
+                if directory_to_delete.is_dir():
+                    logging.debug(f"Removing {str(directory_to_delete)} to have a "
+                                f"clean build for CodeQL.")
+                    RemoveTree(str(directory_to_delete))
+
+            # CodeQL CLI does not handle spaces passed in CLI commands well
+            # (perhaps at all) as discussed here:
+            #   1. https://github.com/github/codeql-cli-binaries/issues/73
+            #   2. https://github.com/github/codeql/issues/4910
+            #
+            # Since it's unclear how quotes are handled and may change in the
+            # future, this code is going to use the workaround to place the
+            # command in an executable file that is instead passed to CodeQL.
+            self.codeql_cmd_path = Path(self.build_output_dir, "codeql_build_command")
+
+            build_params = self._get_build_params()
+
+            codeql_build_cmd = ""
+            if GetHostInfo().os == "Windows":
+                self.codeql_cmd_path = self.codeql_cmd_path.parent / (
+                    self.codeql_cmd_path.name + '.bat')
+            elif GetHostInfo().os == "Linux":
+                self.codeql_cmd_path = self.codeql_cmd_path.parent / (
+                    self.codeql_cmd_path.name + '.sh')
+                codeql_build_cmd += f"#!/bin/bash{os.linesep * 2}"
+            codeql_build_cmd += "build " + build_params
+
+            self.codeql_cmd_path.parent.mkdir(exist_ok=True, parents=True)
+            self.codeql_cmd_path.write_text(encoding='utf8', data=codeql_build_cmd)
+
+            if GetHostInfo().os == "Linux":
+                os.chmod(self.codeql_cmd_path,
+                        os.stat(self.codeql_cmd_path).st_mode | stat.S_IEXEC)
+                for f in glob.glob(os.path.join(
+                    os.path.dirname(self.codeql_path), '**/*'), recursive=True):
+                        os.chmod(f, os.stat(f).st_mode | stat.S_IEXEC)
+
+            codeql_params = (f'database create {self.codeql_db_path} '
+                            f'--language=cpp '
+                            f'--source-root={builder.ws} '
+                            f'--command={self.codeql_cmd_path}')
+
+            # Set environment variables so the CodeQL build command is picked up
+            # as the active build command.
+            #
+            # Note: Requires recent changes in edk2-pytool-extensions (0.20.0)
+            #       to support reading these variables.
+            builder.env.SetValue(
+                "EDK_BUILD_CMD", self.codeql_path, "Set in CodeQL Build Plugin")
+            builder.env.SetValue(
+                "EDK_BUILD_PARAMS", codeql_params, "Set in CodeQL Build Plugin")
+
+        return 0
+
+    def _get_build_params(self) -> str:
+        """Returns the build command parameters for this build.
+
+        Based on the well-defined `build` command-line parameters.
+
+        Returns:
+            str: A string representing the parameters for the build command.
+        """
+        build_params = f"-p {self.builder.env.GetValue('ACTIVE_PLATFORM')}"
+        build_params += f" -b {self.target}"
+        build_params += f" -t {self.builder.env.GetValue('TOOL_CHAIN_TAG')}"
+
+        max_threads = self.builder.env.GetValue('MAX_CONCURRENT_THREAD_NUMBER')
+        if max_threads is not None:
+            build_params += f" -n {max_threads}"
+
+        rt = self.builder.env.GetValue("TARGET_ARCH").split(" ")
+        for t in rt:
+            build_params += " -a " + t
+
+        if (self.builder.env.GetValue("BUILDREPORTING") == "TRUE"):
+            build_params += (" -y " +
+                             self.builder.env.GetValue("BUILDREPORT_FILE"))
+            rt = self.builder.env.GetValue("BUILDREPORT_TYPES").split(" ")
+            for t in rt:
+                build_params += " -Y " + t
+
+        # add special processing to handle building a single module
+        mod = self.builder.env.GetValue("BUILDMODULE")
+        if (mod is not None and len(mod.strip()) > 0):
+            build_params += " -m " + mod
+            edk2_logging.log_progress("Single Module Build: " + mod)
+
+        build_vars = self.builder.env.GetAllBuildKeyValues(self.target)
+        for key, value in build_vars.items():
+            build_params += " -D " + key + "=" + value
+
+        return build_params

BaseTools/Plugin/CodeQL/CodeQlBuild_plug_in.yaml

@@ -0,0 +1,13 @@
+## @file CodeQlBuild_plug_in.py
+#
+# Build plugin used to produce a CodeQL database from a build.
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+{
+  "scope": "codeql-build",
+  "name": "CodeQL Build Plugin",
+  "module": "CodeQlBuildPlugin"
+}

BaseTools/Plugin/CodeQL/CodeQlQueries.qls

@@ -0,0 +1,118 @@
+---
+- description: C++ queries
+
+- queries: '.'
+  from: codeql/cpp-queries
+
+##########################################################################################
+# Queries
+##########################################################################################
+
+## Errors
+- include:
+    id: cpp/badoverflowguard
+- include:
+    id: cpp/infiniteloop
+- include:
+    id: cpp/likely-bugs/memory-management/v2/conditionally-uninitialized-variable
+- include:
+    id: cpp/missing-null-test
+- include:
+    id: cpp/missing-return
+- include:
+    id: cpp/no-space-for-terminator
+- include:
+    id: cpp/pointer-overflow-check
+- include:
+    id: cpp/redundant-null-check-simple
+- include:
+    id: cpp/sizeof/const-int-argument
+- include:
+    id: cpp/sizeof/sizeof-or-operation-as-argument
+- include:
+    id: cpp/unguardednullreturndereferenc
+- include:
+    id: cpp/very-likely-overrunning-write
+
+## Warnings
+- include:
+    id: cpp/comparison-with-wider-type
+- include:
+    id: cpp/conditionallyuninitializedvariable
+- include:
+    id: cpp/comparison-precedence
+- include:
+    id: cpp/implicit-bitfield-downcast
+- include:
+    id: cpp/infinite-loop-with-unsatisfiable-exit-condition
+- include:
+    id: cpp/offset-use-before-range-check
+- include:
+    id: cpp/overflow-buffer
+- include:
+    id: cpp/overflow-calculated
+- include:
+    id: cpp/overflow-destination
+- include:
+    id: cpp/paddingbyteinformationdisclosure
+- include:
+    id: cpp/return-stack-allocated-memory
+- include:
+    id: cpp/static-buffer-overflow
+- include:
+    id: cpp/unsigned-comparison-zero
+- include:
+    id: cpp/uselesstest
+
+## Recommendations
+- include:
+    id: cpp/missing-header-guard
+- include:
+    id: cpp/unused-local-variable
+- include:
+    id: cpp/unused-static-function
+- include:
+    id: cpp/unused-static-variable
+
+# Note: Some queries above are not active by default with the below filter.
+#       Update the filter and run the queries again to get all results.
+- include:
+    tags:
+      - "security"
+      - "correctness"
+    severity:
+      - "error"
+      - "warning"
+      - "recommendation"
+
+# Specifically hide the results of these.
+#
+# The following rules have been evaluated and explicitly not included for the following reasons:
+#   - `cpp/allocation-too-small` - Appears to be hardcoded for C standard library functions `malloc`, `calloc`,
+#     `realloc`, so it consumes time without much value with custom allocation functions in the codebase.
+#   - `cpp/commented-out-code` - Triggers often. Needs further review.
+#   - `cpp/duplicate-include-guard` - The <Phase>EntryPoint.h files includes a common include guard value
+#     `__MODULE_ENTRY_POINT_H__`. This was the only occurrence found. So not very useful.
+#   - `cpp/invalid-pointer-deref` - Very limited results with what appear to be false positives.
+#   - `cpp/use-of-goto` - Goto is valid and allowed in the codebase.
+#   - `cpp/useless-expression` - Triggers too often on cases where a NULL lib implementation is provided for a function.
+#     Because the implementation simply returns, the check considers it useless.
+#   - `cpp/weak-crypto/*` - Crypto algorithms are tracked outside CodeQL.
+- exclude:
+    id: cpp/allocation-too-small
+- exclude:
+    id: cpp/commented-out-code
+- exclude:
+    id: cpp/duplicate-include-guard
+- exclude:
+    id: cpp/invalid-pointer-deref
+- exclude:
+    id: cpp/use-of-goto
+- exclude:
+    id: cpp/useless-expression
+- exclude:
+    id: cpp/weak-crypto/banned-hash-algorithms
+- exclude:
+    id: cpp/weak-crypto/capi/banned-modes
+- exclude:
+    id: cpp/weak-crypto/openssl/banned-hash-algorithms

BaseTools/Plugin/CodeQL/Readme.md

@@ -0,0 +1,388 @@
+# CodeQL Plugin
+
+The set of CodeQL plugins provided include two main plugins that seamlessly integrate into a Stuart build environment:
+
+1. `CodeQlBuildPlugin` - Used to produce a CodeQL database from a build.
+2. `CodeQlAnalyzePlugin` - Used to analyze a CodeQL database.
+
+While CodeQL can be run in a CI environment with other approaches. This plugin offers the following advantages:
+
+1. Provides exactly the same results locally as on a CI server.
+2. Integrates very well into VS Code.
+3. Very simple to use - just use normal Stuart update and build commands.
+4. Very simple to understand - minimally wraps the official CodeQL CLI.
+5. Very simple to integrate - works like any other Stuart build plugin.
+   - Integration is usually just a few lines of code.
+6. Portable - not tied to Azure DevOps specific, GitHub specific, or other host infrastructure.
+7. Versioned - the query and filters are versioned in source control so easy to find and track.
+
+It is very important to read the Integration Instructions in this file and determine how to best integrate the
+CodeQL plugin into your environment.
+
+Due to the total size of dependencies required to run CodeQL and the flexibility needed by a platform to determine what
+CodeQL queries to run and how to interpret results, a number of configuration options are provided to allow a high
+degree of flexibility during platform integration.
+
+This document is focused on those setting up the CodeQL plugin in their environment. Once setup, end users simply need
+to use their normal build commands and process and CodeQL will be integrated with it. The most relevant section for
+such users is [Local Development Tips](#local-development-tips).
+
+## Table of Contents
+
+1. [Database and Analysis Result Locations](#database-and-analysis-result-locations)
+2. [Global Configuration](#global-configuration)
+3. [Package-Specific Configuration](#package-specific-configuration)
+4. [Filter Patterns](#filter-patterns)
+5. [Integration Instructions](#integration-instructions)
+   - [Integration Step 1 - Choose Scopes](#integration-step-1---choose-scopes)
+     - [Scopes Available](#scopes-available)
+   - [Integration Step 2 - Choose CodeQL Queries](#integration-step-2---choose-codeql-queries)
+   - [Integration Step 3 - Determine Global Configuration Values](#integration-step-3---determine-global-configuration-values)
+   - [Integration Step 4 - Determine Package-Specific Configuration Values](#integration-step-4---determine-package-specific-configuration-values)
+   - [Integration Step 5 - Testing](#integration-step-5---testing)
+   - [Integration Step 6 - Define Inclusion and Exclusion Filter Patterns](#integration-step-6---define-inclusion-and-exclusion-filter-patterns)
+6. [High-Level Operation](#high-level-operation)
+   - [CodeQlBuildPlugin](#codeqlbuildplugin)
+   - [CodeQlAnalyzePlugin](#codeqlanalyzeplugin)
+7. [Local Development Tips](#local-development-tips)
+8. [Resolution Guidelines](#resolution-guidelines)
+
+## Database and Analysis Result Locations
+
+The CodeQL database is written to a directory unique to the package and target being built:
+
+  `Build/codeql-db-<package>-<target>-<instance>`
+
+For example: `Build/codeql-db-mdemodulepkg-debug-0`
+
+The plugin does not delete or overwrite existing databases, the instance value is simply increased. This is
+because databases are large, take a long time to generate, and are important for reproducing analysis results. The user
+is responsible for deleting database directories when they are no longer needed.
+
+Similarly, analysis results are written to a directory unique to the package and target. For analysis, results are
+stored in individual files so those files are stored in a single directory.
+
+For example, all analysis results for the above package and target will be stored in:
+  `codeql-analysis-mdemodulepkg-debug`
+
+CodeQL results are stored in [SARIF](https://sarifweb.azurewebsites.net/) (Static Analysis Results Interchange Format)
+([CodeQL SARIF documentation](https://codeql.github.com/docs/codeql-cli/sarif-output/)) files. Each SARIF file
+corresponding to a database will be stored in a file with an instance matching the database instance.
+
+For example, the analysis result file for the above database would be stored in this file:
+  `codeql-analysis-mdemodulepkg-debug/codeql-db-mdemodulepkg-debug-0.sarif`
+
+Result files are overwritten. This is because result files are quick to generate and need to represent the latest
+results for the last analysis operation performed. The user is responsible for backing up SARIF result files if they
+need to saved.
+
+## Global Configuration
+
+Global configuration values are specified with build environment variables.
+
+These values are all optional. They provide a convenient mechanism for a build script to set the value for all packages
+built by the script.
+
+- `STUART_CODEQL_AUDIT_ONLY` - If `true` (case insensitive), `CodeQlAnalyzePlugin` will be in audit-only mode. In this
+  mode all CodeQL failures are ignored.
+- `STUART_CODEQL_PATH` - The path to the CodeQL CLI application to use.
+- `STUART_CODEQL_QUERY_SPECIFIERS` - The CodeQL CLI query specifiers to use. See [Running codeql database analyze](https://codeql.github.com/docs/codeql-cli/analyzing-databases-with-the-codeql-cli/#running-codeql-database-analyze)
+  for possible options.
+- `STUART_CODEQL_FILTER_FILES` - The path to "filter" files that contains filter patterns as described in
+  [Filter Patterns](#filter-patterns).
+  - More than one file may be specified by separating each absolute file path with a comma.
+    - This might be useful to reference a global filter file from an upstream repo and also include a global filter
+      file for the local repo.
+    - Filters are concatenated in the order of files in the variable. Patterns in later files can override patterns
+      in earlier files.
+  - The file only needs to contain a list of filter pattern strings under a `"Filters"` key. For example:
+
+    ```yaml
+      {
+        "Filters": [
+          "<pattern-line-1>",
+          "<pattern-line-2>"
+        ]
+      }
+      ...
+    ```
+
+    Comments are allowed in the filter files and begin with `#` (like a normal YAML file).
+
+## Package-Specific Configuration
+
+Package-specific configuration values reuse existing package-level configuration approaches to simplify adjusting
+CodeQL plugin behavior per package.
+
+These values are all optional. They provide a convenient mechanism for a package owner to adjust settings specific to
+the package.
+
+``` yaml
+  "CodeQlAnalyze": {
+      "AuditOnly": False,         # Don't fail the build if there are errors. Just log them.
+      "QuerySpecifiers": ""       # Query specifiers to pass to CodeQL CLI.
+      "Filters": ""               # Inclusion/exclusion filters
+  }
+```
+
+> _NOTE:_ If a global filter set is provided via `STUART_CODEQL_FILTER_FILES` and a package has a package-specific
+> list, then the package-specific filter list (in a package CI YAML file) is appended onto the global filter list and
+> may be used to override settings in the global list.
+
+The format used to specify items in `"Filters"` is specified in [Filter Patterns](#filter-patterns).
+
+## Filter Patterns
+
+As you inspect results, you may want to include or exclude certain sets of results. For example, exclude some files by
+file path entirely or adjust the CodeQL rule applied to a certain file. This plugin reuses logic from a popular
+GitHub Action called [`filter-sarif`](https://github.com/advanced-security/filter-sarif) to allow filtering as part of
+the plugin analysis process.
+
+If any results are excluded using filters, the results are removed from the SARIF file. This allows the exclude results
+seen locally to exactly match the results on the CI server.
+
+Read the ["Patterns"](https://github.com/advanced-security/filter-sarif#patterns) section there for more details. The
+patterns section is also copied below with some updates to make the information more relevant for an edk2 codebase
+for convenience.
+
+Each pattern line is of the form:
+
+```plaintext
+[+/-]<file pattern>[:<rule pattern>]
+```
+
+For example:
+
+```yaml
+-**/*Test*.c:**             # exclusion pattern: remove all alerts from all test files
+-**/*Test*.c                # ditto, short form of the line above
++**/*.c:cpp/infiniteloop    # inclusion pattern: This line has precedence over the first two
+                            # and thus "allow lists" alerts of type "cpp/infiniteloop"
+**/*.c:cpp/infiniteloop     # ditto, the "+" in inclusion patterns is optional
+**                          # allow all alerts in all files (reverses all previous lines)
+```
+
+- The path separator character in patterns is always `/`, independent of the platform the code is running on and
+  independent of the paths in the SARIF file.
+- `*` matches any character, except a path separator
+- `**` matches any character and is only allowed between path separators, e.g. `/**/file.txt`, `**/file.txt` or `**`.
+  NOT allowed: `**.txt`, `/etc**`
+- The rule pattern is optional. If omitted, it will apply to alerts of all types.
+- Subsequent lines override earlier ones. By default all alerts are included.
+- If you need to use the literals `+`, `-`, `\` or `:` in your pattern, you can escape them with `\`, e.g.
+  `\-this/is/an/inclusion/file/pattern\:with-a-semicolon:and/a/rule/pattern/with/a/\\/backslash`. For `+` and `-`, this
+  is only necessary if they appear at the beginning of the pattern line.
+
+## Integration Instructions
+
+First, note that most CodeQL CLI operations will take a long time the first time they are run. This is due to:
+
+1. Downloads - Downloading the CodeQL CLI binary (during `stuart_update`) and downloading CodeQL queries during
+   CodeQL plugin execution
+2. Cache not established - CodeQL CLI caches data as it performs analysis. The first time analysis is performed will
+   take more time than in the future.
+
+Second, these are build plugins. This means a build needs to take place for the plugins to run. This typically happens
+in the following two scenarios:
+
+1. `stuart_build` - A single package is built and the build process is started by the stuart tools.
+2. `stuart_ci_build` - A number of packages may be built and the build process is started by the `CompilerPlugin`.
+
+In any case, each time a package is built, the CodeQL plugins will be run if their scopes are active.
+
+### Integration Step 1 - Choose Scopes
+
+Decide which scopes need to be enabled in your platform, see [Scopes Available](#scopes-available).
+
+Consider using a build profile to enable CodeQL so developers and pipelines can use the profile when they are
+interested in CodeQL results but in other cases they can easily work without CodeQL in the way.
+
+Furthermore, build-script specific command-line parameters might be useful to control CodeQL scopes and other
+behavior.
+
+#### Scopes Available
+
+This CodeQL plugin leverages scopes to control major pieces of functionality. Any combination of scopes can be
+returned from the `GetActiveScopes()` function in the platform settings manager to add and remove functionality.
+
+Plugin scopes:
+
+- `codeql-analyze` - Activate `CodeQlAnalyzePlugin` to perform post-build analysis of the last generated database for
+  the package and target specified.
+- `codeql-build` - Activate `CodeQlBuildPlugin` to hook the firmware build in pre-build such that the build will
+  generate a CodeQL database during build.
+
+In most cases, to perform a full CodeQL run, `codeql-build` should be enabled so a new CodeQL database is generated
+during build and `codeql-analyze` should be be enabled so analysis of that database is performed after the build is
+completed.
+
+External dependency scopes:
+
+- `codeql-ext-dep` - Downloads the cross-platform CodeQL CLI as an external dependency.
+- `codeql-linux-ext-dep` - Downloads the Linux CodeQL CLI as an external dependency.
+- `codeql-windows-ext-dep` - Downloads the Windows CodeQL CLI as an external dependency.
+
+Note, that the CodeQL CLI is large in size. Sizes as of the [v2.11.2 release](https://github.com/github/codeql-cli-binaries/releases/tag/v2.11.2).
+
+| Cross-platform |  Linux | Windows |
+|:--------------:|:------:|:-------:|
+|     934 MB     | 415 MB |  290 MB |
+
+Therefore, the following is recommended:
+
+1. **Ideal** - Create container images for build agents and install the CodeQL CLI for the container OS into the
+   container.
+2. Leverage host-OS detection (e.g. [`GetHostInfo()`](https://github.com/tianocore/edk2-pytool-library/blob/42ad6561af73ba34564f1577f64f7dbaf1d0a5a2/edk2toollib/utility_functions.py#L112))
+to set the scope for the appropriate operating system. This will download the much smaller OS-specific application.
+
+> _NOTE:_ You should never have more than one CodeQL external dependency scope enabled at a time.
+
+### Integration Step 2 - Choose CodeQL Queries
+
+Determine which queries need to be run against packages in your repo. In most cases, the same set of queries will be
+run against all packages. It is also possible to customize the queries run at the package level.
+
+The default set of Project Mu CodeQL queries is specified in the `MuCodeQlQueries.qls` file in this plugin.
+
+> _NOTE:_ The queries in `MuCodeQlQueries.qls` may change at any time. If you do not want these changes to impact
+> your platform, do not relay on option (3).
+
+The plugin decides what queries to run based on the following, in order of preference:
+
+1. Package CI YAML file query specifier
+2. Build environment variable query specifier
+3. Plugin default query set file
+
+For details on how to set (1) and (2), see the Package CI Configuration and Environment Variable sections respectively.
+
+> _NOTE:_ The value specified is directly passed as a `query specifier` to CodeQL CLI. Therefore, the arguments
+> allowed by the `<query-specifiers>` argument of CodeQL CLI are allowed here. See
+> [Running codeql database analyze](https://codeql.github.com/docs/codeql-cli/analyzing-databases-with-the-codeql-cli/#running-codeql-database-analyze).
+
+A likely scenario is that a platform needs to run local/closed source queries in addition to the open-source queries.
+There's various ways to handle that:
+
+1. Create a query specifier that includes all the queries needed, both public and private and use that query specifier,
+   either globally or at package-level.
+
+   For example, at the global level - `STUART_CODEQL_QUERY_SPECIFIERS` = _"Absolute_path_to_AllMyQueries.qls"_
+
+2. Specify a query specifier that includes the closed sources queries and reuse the public query list provided by
+   this plugin.
+
+   For example, at the global level - `STUART_CODEQL_QUERY_SPECIFIERS` = _"Absolute_path_to_MuCodeQlQueries.qls
+   Absolute_path_to_ClosedSourceQueries.qls"_
+
+Refer to the CodeQL documentation noted above on query specifiers to devise other options.
+
+### Integration Step 3 - Determine Global Configuration Values
+
+Review the Environment Variable section to determine which, if any, global values need to be set in your build script.
+
+### Integration Step 4 - Determine Package-Specific Configuration Values
+
+Review the Package CI Configuration section to determine which, if any, global values need to be set in your
+package's CI YAML file.
+
+### Integration Step 5 - Testing
+
+Verify a `stuart_update` and `stuart_build` (or `stuart_ci_build`) command work.
+
+### Integration Step 6 - Define Inclusion and Exclusion Filter Patterns
+
+After reviewing the test results from Step 5, determine if you need to apply any filters as described in
+[Filter Patterns](#filter-patterns).
+
+## High-Level Operation
+
+This section summarizes the complete CodeQL plugin flow. This is to help developers understand basic theory of
+operation behind the plugin and can be skipped by anyone not interested in those details.
+
+### CodeQlBuildPlugin
+
+1. Register a pre-build hook
+2. Determine the package and target being built
+3. Determine the best CodeQL CLI path to use
+   - First choice, the `STUART_CODEQL_PATH` environment variable
+     - Note: This is set by the CodeQL CLI external dependency if that is used
+   - Second choice, `codeql` as found on the system path
+4. Determine the directory name for the CodeQL database
+   - Format: `Build/codeql-db-<package>-<target>-<instance>`
+5. Clean the build directory of the active platform and target
+   - CodeQL database generation only works on clean builds
+6. Ensure the "build" step is not skipped as a build is needed to generate a CodeQL database
+7. Build a CodeQL file that wraps around the edk2 build
+   - Written to the package build directory
+     - Example: `Build/MdeModulePkg/VS2022/codeql_build_command.bat`
+8. Set the variables necessary for stuart to call CodeQL CLI during the build phase
+   - Sets `EDK_BUILD_CMD` and `EDK_BUILD_PARAMS`
+
+### CodeQlAnalyzePlugin
+
+1. Register a post-build hook
+2. Determine the package and target being built
+3. Determine the best CodeQL CLI path to use
+   - First choice, the `STUART_CODEQL_PATH` environment variable
+     - Note: This is set by the CodeQL CLI external dependency if that is used
+   - Second choice, `codeql` as found on the system path
+4. Determine the directory name for the most recent CodeQL database
+   - Format: `Build/codeql-db-<package>-<target>-<instance>`
+5. Determine plugin audit status for the given package and target
+   - Check if `AuditOnly` is enabled either globally or for the package
+6. Determine the CodeQL query specifiers to use for the given package and target
+   - First choice, the package CI YAML file value
+   - Second choice, the `STUART_CODEQL_QUERY_SPECIFIERS`
+   - Third choice, use `CodeQlQueries.qls` (in the plugin directory)
+7. Run CodeQL CLI to perform database analysis
+8. Parse the analysis SARIF file to determine the number of CodeQL failures
+9. Return the number of failures (or zero if `AuditOnly` is enabled)
+
+## Local Development Tips
+
+This section contains helpful tips to expedite common scenarios when working with CodeQL locally.
+
+1. Pre-build, Build, and Post-Build
+
+   Generating a database requires the pre-build and build steps. Analyzing a database requires the post-build step.
+
+   Therefore, if you are making tweaks that don't affect the build, such as modifying the CodeQL queries used or level
+   of severity reported, you can save time by skipping pre-build and post-build (e.g. `--skipprebuild` and
+   `--skipbuild`).
+
+2. Scopes
+
+   Similar to (1), add/remove `codeql-build` and `codeql-analyze` from the active scopes to save time depending on what
+   you are trying to do.
+
+   If you are focusing on coding, remove the code CodeQL scopes if they are active. If you are ready to check your
+   changes against CodeQL, simply add the scopes back. It is recommended to use build profiles to do this more
+   conveniently.
+
+   If you already have CodeQL CLI enabled, you can remove the `codeql-ext-dep` scope locally. The build will use the
+   `codeql` command on your path.
+
+3. CodeQL Output is in the CI Build Log
+
+   To see exactly which queries CodeQL ran or why it might be taking longer than expected, look in the CI build log
+   (i.e. `Build/CI_BUILDLOG.txt`) where the CodeQL CLI application output is written.
+
+   Search for the text you see in the progress output (e.g. "Analyzing _MdeModulePkg_ (_DEBUG_) CodeQL database at")
+   to jump to the section of the log just before the CodeQL CLI is invoked.
+
+4. Use a SARIF Viewer to Read Results
+
+The [SARIF Viewer extension for VS Code](https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer)
+can open the .sarif file generated by this plugin and allow you to click links directly to the problem area in source
+files.
+
+## Resolution Guidelines
+
+This section captures brief guidelines to keep in mind while resolving CodeQL issues.
+
+1. Look at surrounding code. Changes should always take into account the context of nearby code. The new logic may
+   need to account conditions not immediately obvious based on the issue alone. It is easy to focus only on the line
+   of code highlighted by CodeQL and miss the code's role in the big picture.
+2. A CodeQL alert may be benign but the code can be refactored to prevent the alert. Often refactoring the code makes
+   the code intention clearer and avoids an unnecessary exception.
+3. Consider adding unit tests while making CodeQL fixes especially for commonly used code and code with a high volume
+   of CodeQL alerts.

BaseTools/Plugin/CodeQL/analyze/analyze_filter.py

@@ -0,0 +1,184 @@
+# @file analyze_filter.py
+#
+# Filters results in a SARIF file.
+#
+#            Apache License
+#      Version 2.0, January 2004
+#   http://www.apache.org/licenses/
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This file has been altered from its original form. Based on code in:
+#   https://github.com/advanced-security/filter-sarif
+#
+# It primarily contains modifications made to integrate with the CodeQL plugin.
+#
+# Specifically:
+#   https://github.com/advanced-security/filter-sarif/blob/main/filter_sarif.py
+#
+# View the full and complete license as provided by that repository here:
+#   https://github.com/advanced-security/filter-sarif/blob/main/LICENSE
+#
+# SPDX-License-Identifier: Apache-2.0
+##
+
+import json
+import logging
+import re
+from os import PathLike
+from typing import Iterable, List, Tuple
+
+from analyze.globber import match
+
+
+def _match_path_and_rule(
+    path: str, rule: str, patterns: Iterable[str]) -> bool:
+    """Returns whether a given path matches a given rule.
+
+    Args:
+        path (str): A file path string.
+        rule (str): A rule file path string.
+        patterns (Iterable[str]): An iterable of pattern strings.
+
+    Returns:
+        bool: True if the path matches a rule. Otherwise, False.
+    """
+    result = True
+    for s, fp, rp in patterns:
+        if match(rp, rule) and match(fp, path):
+            result = s
+    return result
+
+
+def _parse_pattern(line: str) -> Tuple[str]:
+    """Parses a given pattern line.
+
+    Args:
+        line (str): The line string that contains the rule.
+
+    Returns:
+        Tuple[str]: The parsed sign, file pattern, and rule pattern from the
+                    line.
+    """
+    sep_char = ':'
+    esc_char = '\\'
+    file_pattern = ''
+    rule_pattern = ''
+    seen_separator = False
+    sign = True
+
+    # inclusion or exclusion pattern?
+    u_line = line
+    if line:
+        if line[0] == '-':
+            sign = False
+            u_line = line[1:]
+        elif line[0] == '+':
+            u_line = line[1:]
+
+    i = 0
+    while i < len(u_line):
+        c = u_line[i]
+        i = i + 1
+        if c == sep_char:
+            if seen_separator:
+                raise Exception(
+                    'Invalid pattern: "' + line + '" Contains more than one '
+                    'separator!')
+            seen_separator = True
+            continue
+        elif c == esc_char:
+            next_c = u_line[i] if (i < len(u_line)) else None
+            if next_c in ['+' , '-', esc_char, sep_char]:
+                i = i + 1
+                c = next_c
+        if seen_separator:
+            rule_pattern = rule_pattern + c
+        else:
+            file_pattern = file_pattern + c
+
+    if not rule_pattern:
+        rule_pattern = '**'
+
+    return sign, file_pattern, rule_pattern
+
+
+def filter_sarif(input_sarif: PathLike,
+                 output_sarif: PathLike,
+                 patterns: List[str],
+                 split_lines: bool) -> None:
+    """Filters a SARIF file with a given set of filter patterns.
+
+    Args:
+        input_sarif (PathLike): Input SARIF file path.
+        output_sarif (PathLike): Output SARIF file path.
+        patterns (PathLike): List of filter pattern strings.
+        split_lines (PathLike): Whether to split lines in individual patterns.
+    """
+    if split_lines:
+        tmp = []
+        for p in patterns:
+            tmp = tmp + re.split('\r?\n', p)
+        patterns = tmp
+
+    patterns = [_parse_pattern(p) for p in patterns if p]
+
+    logging.debug('Given patterns:')
+    for s, fp, rp in patterns:
+        logging.debug(
+            'files: {file_pattern}    rules: {rule_pattern} ({sign})'.format(
+                file_pattern=fp,
+                rule_pattern=rp,
+                sign='positive' if s else 'negative'))
+
+    with open(input_sarif, 'r') as f:
+        s = json.load(f)
+
+    for run in s.get('runs', []):
+        if run.get('results', []):
+            new_results = []
+            for r in run['results']:
+                if r.get('locations', []):
+                    new_locations = []
+                    for l in r['locations']:
+                        # TODO: The uri field is optional. We might have to
+                        #       fetch the actual uri from "artifacts" via
+                        #       "index"
+                        # (see https://github.com/microsoft/sarif-tutorials/blob/main/docs/2-Basics.md#-linking-results-to-artifacts)
+                        uri = l.get(
+                                    'physicalLocation', {}).get(
+                                        'artifactLocation', {}).get(
+                                            'uri', None)
+
+                        # TODO: The ruleId field is optional and potentially
+                        #       ambiguous. We might have to fetch the actual
+                        #       ruleId from the rule metadata via the ruleIndex
+                        #       field.
+                        # (see https://github.com/microsoft/sarif-tutorials/blob/main/docs/2-Basics.md#rule-metadata)
+                        ruleId = r['ruleId']
+
+                        if (uri is None or
+                            _match_path_and_rule(uri, ruleId, patterns)):
+                            new_locations.append(l)
+                    r['locations'] = new_locations
+                    if new_locations:
+                        new_results.append(r)
+                else:
+                    # locations array doesn't exist or is empty, so we can't
+                    # match on anything. Therefore, we include the result in
+                    # the output.
+                    new_results.append(r)
+            run['results'] = new_results
+
+    with open(output_sarif, 'w') as f:
+        json.dump(s, f, indent=2)

BaseTools/Plugin/CodeQL/analyze/globber.py

@@ -0,0 +1,127 @@
+# @file globber.py
+#
+# Provides global functionality for use by the CodeQL plugin.
+#
+# Copyright 2019 Jaakko Kangasharju
+#
+#            Apache License
+#      Version 2.0, January 2004
+#   http://www.apache.org/licenses/
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This file has been altered from its original form. Based on code in:
+#   https://github.com/advanced-security/filter-sarif
+#
+# Specifically:
+#   https://github.com/advanced-security/filter-sarif/blob/main/filter_sarif.py
+#
+# It primarily contains modifications made to integrate with the CodeQL plugin.
+#
+# SPDX-License-Identifier: Apache-2.0
+##
+
+import re
+
+_double_star_after_invalid_regex = re.compile(r'[^/\\]\*\*')
+_double_star_first_before_invalid_regex = re.compile('^\\*\\*[^/]')
+_double_star_middle_before_invalid_regex = re.compile(r'[^\\]\*\*[^/]')
+
+
+def _match_component(pattern_component, file_name_component):
+    if len(pattern_component) == 0 and len(file_name_component) == 0:
+        return True
+    elif len(pattern_component) == 0:
+        return False
+    elif len(file_name_component) == 0:
+        return pattern_component == '*'
+    elif pattern_component[0] == '*':
+        return (_match_component(pattern_component, file_name_component[1:]) or
+                _match_component(pattern_component[1:], file_name_component))
+    elif pattern_component[0] == '?':
+        return _match_component(pattern_component[1:], file_name_component[1:])
+    elif pattern_component[0] == '\\':
+        return (len(pattern_component) >= 2 and
+                pattern_component[1] == file_name_component[0] and
+                _match_component(
+                    pattern_component[2:], file_name_component[1:]))
+    elif pattern_component[0] != file_name_component[0]:
+        return False
+    else:
+        return _match_component(pattern_component[1:], file_name_component[1:])
+
+
+def _match_components(pattern_components, file_name_components):
+    if len(pattern_components) == 0 and len(file_name_components) == 0:
+        return True
+    if len(pattern_components) == 0:
+        return False
+    if len(file_name_components) == 0:
+        return len(pattern_components) == 1 and pattern_components[0] == '**'
+    if pattern_components[0] == '**':
+        return (_match_components(pattern_components, file_name_components[1:])
+                or _match_components(
+                    pattern_components[1:], file_name_components))
+    else:
+        return (
+            _match_component(
+                pattern_components[0], file_name_components[0]) and
+            _match_components(
+                pattern_components[1:], file_name_components[1:]))
+
+
+def match(pattern: str, file_name: str):
+    """Match a glob pattern against a file name.
+
+    Glob pattern matching is for file names, which do not need to exist as
+    files on the file system.
+
+    A file name is a sequence of directory names, possibly followed by the name
+    of a file, with the components separated by a path separator. A glob
+    pattern is similar, except it may contain special characters: A '?' matches
+    any character in a name. A '*' matches any sequence of characters (possibly
+    empty) in a name. Both of these match only within a single component, i.e.,
+    they will not match a path separator. A component in a pattern may also be
+    a literal '**', which matches zero or more components in the complete file
+    name. A backslash '\\' in a pattern acts as an escape character, and
+    indicates that the following character is to be matched literally, even if
+    it is a special character.
+
+    Args:
+        pattern (str): The pattern to match. The path separator in patterns is
+                       always '/'.
+        file_name (str): The file name to match against. The path separator in
+                         file names is the platform separator
+
+    Returns:
+        bool: True if the pattern matches, False otherwise.
+    """
+    if (_double_star_after_invalid_regex.search(pattern) is not None or
+        _double_star_first_before_invalid_regex.search(
+            pattern) is not None or
+        _double_star_middle_before_invalid_regex.search(pattern) is not None):
+        raise ValueError(
+            '** in {} not alone between path separators'.format(pattern))
+
+    pattern = pattern.rstrip('/')
+    file_name = file_name.rstrip('/')
+
+    while '**/**' in pattern:
+        pattern = pattern.replace('**/**', '**')
+
+    pattern_components = pattern.split('/')
+
+    # We split on '\' as well as '/' to support unix and windows-style paths
+    file_name_components = re.split(r'[\\/]', file_name)
+
+    return _match_components(pattern_components, file_name_components)

BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml

@@ -0,0 +1,26 @@
+## @file codeqlcli_ext_dep.yaml
+#
+# Downloads the CodeQL Command-Line Interface (CLI) application that support Linux, Windows, and Mac OS X.
+#
+# This download is very large but conveniently provides support for all operating systems. Use it if you
+# need CodeQL CLI support without concern for the host operating system.
+#
+# In an environment where a platform might build in different operating systems, it is recommended to set
+# the scope for the appropriate CodeQL external dependency based on the host operating system being used.
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+{
+  "scope": "codeql-ext-dep",
+  "type": "web",
+  "name": "codeql_cli",
+  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.12.4/codeql.zip",
+  "version": "2.12.4",
+  "sha256": "f682f1155d627ad97f10b1bcad97f682011986717bd3823e9cf831ed83ac96e7",
+  "compression_type": "zip",
+  "internal_path": "/codeql/",
+  "flags": ["set_shell_var", ],
+  "var_name": "STUART_CODEQL_PATH"
+}

BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml

@@ -0,0 +1,24 @@
+## @file codeqlcli_linux_ext_dep.yaml
+#
+# Downloads the Linux CodeQL Command-Line Interface (CLI) application.
+#
+# This download only supports Linux. In an environment where a platform might build in different operating
+# systems, it is recommended to set the scope for the appropriate CodeQL external dependency based on the
+# host operating system being used.
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+{
+  "scope": "codeql-linux-ext-dep",
+  "type": "web",
+  "name": "codeql_linux_cli",
+  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.14.5/codeql-linux64.zip",
+  "version": "2.14.5",
+  "sha256": "72aa5d748ff9ab57cfd86045560683bdc4897e0fe6d9f9a2786d9394674ae733",
+  "compression_type": "zip",
+  "internal_path": "/codeql/",
+  "flags": ["set_shell_var", ],
+  "var_name": "STUART_CODEQL_PATH"
+}

BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml

@@ -0,0 +1,24 @@
+## @file codeqlcli_windows_ext_dep.yaml
+#
+# Downloads the Windows CodeQL Command-Line Interface (CLI) application.
+#
+# This download only supports Windows. In an environment where a platform might build in different operating
+# systems, it is recommended to set the scope for the appropriate CodeQL external dependency based on the
+# host operating system being used.
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+{
+  "scope": "codeql-windows-ext-dep",
+  "type": "web",
+  "name": "codeql_windows_cli",
+  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.14.5/codeql-win64.zip",
+  "version": "2.14.5",
+  "sha256": "861fcb38365cc311efee0c3a28c77494e93c69a969885b72e53173ad473f61aa",
+  "compression_type": "zip",
+  "internal_path": "/codeql/",
+  "flags": ["set_shell_var", ],
+  "var_name": "STUART_CODEQL_PATH"
+}

BaseTools/Plugin/CodeQL/common/codeql_plugin.py

@@ -0,0 +1,74 @@
+# @file codeql_plugin.py
+#
+# Common logic shared across the CodeQL plugin.
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+import os
+import shutil
+from os import PathLike
+
+from edk2toollib.utility_functions import GetHostInfo
+
+
+def get_codeql_db_path(workspace: PathLike, package: str, target: str,
+                       new_path: bool = True) -> str:
+    """Return the CodeQL database path for this build.
+
+    Args:
+        workspace (PathLike): The workspace path.
+        package (str): The package name (e.g. "MdeModulePkg")
+        target (str): The target (e.g. "DEBUG")
+        new_path (bool, optional): Whether to create a new database path or
+                                   return an existing path. Defaults to True.
+
+    Returns:
+        str: The absolute path to the CodeQL database directory.
+    """
+    codeql_db_dir_name = "codeql-db-" + package + "-" + target
+    codeql_db_dir_name = codeql_db_dir_name.lower()
+    codeql_db_path = os.path.join("Build", codeql_db_dir_name)
+    codeql_db_path = os.path.join(workspace, codeql_db_path)
+
+    i = 0
+    while os.path.isdir(f"{codeql_db_path + '-%s' % i}"):
+        i += 1
+
+    if not new_path:
+        if i == 0:
+            return None
+        else:
+            i -= 1
+
+    return codeql_db_path + f"-{i}"
+
+
+def get_codeql_cli_path() -> str:
+    """Return the current CodeQL CLI path.
+
+    Returns:
+        str: The absolute path to the CodeQL CLI application to use for
+             this build.
+    """
+    # The CodeQL executable path can be passed via the
+    # STUART_CODEQL_PATH environment variable (to override with a
+    # custom value for this run) or read from the system path.
+    codeql_path = None
+
+    if "STUART_CODEQL_PATH" in os.environ:
+        codeql_path = os.environ["STUART_CODEQL_PATH"]
+
+        if GetHostInfo().os == "Windows":
+            codeql_path = os.path.join(codeql_path, "codeql.exe")
+        else:
+            codeql_path = os.path.join(codeql_path, "codeql")
+
+        if not os.path.isfile(codeql_path):
+            codeql_path = None
+
+    if not codeql_path:
+        codeql_path = shutil.which("codeql")
+
+    return codeql_path

BaseTools/Plugin/CodeQL/integration/stuart_codeql.py

@@ -0,0 +1,79 @@
+# @file stuart_codeql.py
+#
+# Exports functions commonly needed for Stuart-based platforms to easily
+# enable CodeQL in their platform build.
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+from edk2toolext.environment.uefi_build import UefiBuilder
+from edk2toollib.utility_functions import GetHostInfo
+from argparse import ArgumentParser, Namespace
+from typing import Tuple
+
+
+def add_command_line_option(parser: ArgumentParser) -> None:
+    """Adds the CodeQL command to the platform command line options.
+
+    Args:
+        parser (ArgumentParser): The argument parser used in this build.
+
+    """
+    parser.add_argument(
+        '--codeql',
+        dest='codeql',
+        action='store_true',
+        default=False,
+        help="Optional - Produces CodeQL results from the build. See "
+             "BaseTools/Plugin/CodeQL/Readme.md for more info.")
+
+
+def get_scopes(codeql_enabled: bool) -> Tuple[str]:
+    """Returns the active CodeQL scopes for this build.
+
+    Args:
+        codeql_enabled (bool): Whether CodeQL is enabled.
+
+    Returns:
+        Tuple[str]: A tuple of strings containing scopes that enable the
+                    CodeQL plugin.
+    """
+    active_scopes = ()
+
+    if codeql_enabled:
+        if GetHostInfo().os == "Linux":
+            active_scopes += ("codeql-linux-ext-dep",)
+        else:
+            active_scopes += ("codeql-windows-ext-dep",)
+        active_scopes += ("codeql-build", "codeql-analyze")
+
+    return active_scopes
+
+
+def is_codeql_enabled_on_command_line(args: Namespace) -> bool:
+    """Returns whether CodeQL was enabled on the command line.
+
+    Args:
+        args (Namespace): Object holding a string representation of command
+                          line arguments.
+
+    Returns:
+        bool: True if CodeQL is enabled on the command line. Otherwise, false.
+    """
+    return args.codeql
+
+
+def set_audit_only_mode(uefi_builder: UefiBuilder) -> None:
+    """Configures the CodeQL plugin to run in audit only mode.
+
+    Args:
+        uefi_builder (UefiBuilder): The UefiBuilder object for this platform
+                                    build.
+
+    """
+
+    uefi_builder.env.SetValue(
+        "STUART_CODEQL_AUDIT_ONLY",
+        "true",
+        "Platform Defined")

BaseTools/Plugin/DebugMacroCheck/BuildPlugin/DebugMacroCheckBuildPlugin.py

@@ -0,0 +1,127 @@
+# @file DebugMacroCheckBuildPlugin.py
+#
+# A build plugin that checks if DEBUG macros are formatted properly.
+#
+# In particular, that print format specifiers are defined
+# with the expected number of arguments in the variable
+# argument list.
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+import logging
+import os
+import pathlib
+import sys
+import yaml
+
+# Import the build plugin
+plugin_file = pathlib.Path(__file__)
+sys.path.append(str(plugin_file.parent.parent))
+
+# flake8 (E402): Ignore flake8 module level import not at top of file
+import DebugMacroCheck                          # noqa: E402
+
+from edk2toolext import edk2_logging                               # noqa: E402
+from edk2toolext.environment.plugintypes.uefi_build_plugin import \
+    IUefiBuildPlugin                                               # noqa: E402
+from edk2toolext.environment.uefi_build import UefiBuilder         # noqa: E402
+from edk2toollib.uefi.edk2.path_utilities import Edk2Path          # noqa: E402
+from pathlib import Path                                           # noqa: E402
+
+
+class DebugMacroCheckBuildPlugin(IUefiBuildPlugin):
+
+    def do_pre_build(self, builder: UefiBuilder) -> int:
+        """Debug Macro Check pre-build functionality.
+
+        The plugin is invoked in pre-build since it can operate independently
+        of build tools and to notify the user of any errors earlier in the
+        build process to reduce feedback time.
+
+        Args:
+            builder (UefiBuilder): A UEFI builder object for this build.
+
+        Returns:
+            int: The number of debug macro errors found. Zero indicates the
+            check either did not run or no errors were found.
+        """
+
+        # Check if disabled in the environment
+        env_disable = builder.env.GetValue("DISABLE_DEBUG_MACRO_CHECK")
+        if env_disable:
+            return 0
+
+        # Only run on targets with compilation
+        build_target = builder.env.GetValue("TARGET").lower()
+        if "no-target" in build_target:
+            return 0
+
+        edk2 = builder.edk2path
+        package = edk2.GetContainingPackage(
+            builder.edk2path.GetAbsolutePathOnThisSystemFromEdk2RelativePath(
+                builder.env.GetValue("ACTIVE_PLATFORM")
+            )
+        )
+        package_path = Path(
+                          edk2.GetAbsolutePathOnThisSystemFromEdk2RelativePath(
+                                package))
+
+        # Every debug macro is printed at DEBUG logging level.
+        # Ensure the level is above DEBUG while executing the macro check
+        # plugin to avoid flooding the log handler.
+        handler_level_context = []
+        for h in logging.getLogger().handlers:
+            if h.level < logging.INFO:
+                handler_level_context.append((h, h.level))
+                h.setLevel(logging.INFO)
+
+        edk2_logging.log_progress("Checking DEBUG Macros")
+
+        # There are two ways to specify macro substitution data for this
+        # plugin. If multiple options are present, data is appended from
+        # each option.
+        #
+        # 1. Specify the substitution data in the package CI YAML file.
+        # 2. Specify a standalone substitution data YAML file.
+        ##
+        sub_data = {}
+
+        # 1. Allow substitution data to be specified in a "DebugMacroCheck" of
+        # the package CI YAML file. This is used to provide a familiar per-
+        # package customization flow for a package maintainer.
+        package_config_file = Path(
+                                os.path.join(
+                                    package_path, package + ".ci.yaml"))
+        if package_config_file.is_file():
+            with open(package_config_file, 'r') as cf:
+                package_config_file_data = yaml.safe_load(cf)
+                if "DebugMacroCheck" in package_config_file_data and \
+                   "StringSubstitutions" in \
+                   package_config_file_data["DebugMacroCheck"]:
+                    logging.info(f"Loading substitution data in "
+                                 f"{str(package_config_file)}")
+                    sub_data |= package_config_file_data["DebugMacroCheck"]["StringSubstitutions"] # noqa
+
+        # 2. Allow a substitution file to be specified as an environment
+        # variable. This is used to provide flexibility in how to specify a
+        # substitution file. The value can be set anywhere prior to this plugin
+        # getting called such as pre-existing build script.
+        sub_file = builder.env.GetValue("DEBUG_MACRO_CHECK_SUB_FILE")
+        if sub_file:
+            logging.info(f"Loading substitution file {sub_file}")
+            with open(sub_file, 'r') as sf:
+                sub_data |= yaml.safe_load(sf)
+
+        try:
+            error_count = DebugMacroCheck.check_macros_in_directory(
+                                            package_path,
+                                            ignore_git_submodules=False,
+                                            show_progress_bar=False,
+                                            **sub_data)
+        finally:
+            for h, l in handler_level_context:
+                h.setLevel(l)
+
+        return error_count

BaseTools/Plugin/DebugMacroCheck/BuildPlugin/DebugMacroCheck_plug_in.yaml

@@ -0,0 +1,11 @@
+## @file
+# Build plugin used to check that debug macros are formatted properly.
+#
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+{
+  "scope": "global",
+  "name": "Debug Macro Check Plugin",
+  "module": "DebugMacroCheckBuildPlugin"
+}