ArmVirtPkg/ArmVirtQemu: Add RngDxe driver

Add the RngDxe driver to the build, backed by either RNDR or TRNG, one of which is expected to be available in most cases: - RNDR is implemented by the 'max' CPU that QEMU implements in TCG mode - TRNG is implemented by the KVM hypervisor, which backs QEMU's 'host' CPU Other TCG modes (e.g., the 'cortex-a*' CPUs) implement neither, which should prevent the RngDxe driver from dispatching entirely, resulting in the same situation as before. Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Leif Lindholm <quic_llindhol@quicinc.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Committed-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
ArmVirtPkg: Reverse inclusion order of MdeLibs.inc and ArmVirt.dsc.inc
2024-05-24 15:48:52 +00:00 · 2024-05-24 15:48:52 +00:00 · 2024-05-24 15:48:52 +00:00 · 2024-05-24 15:48:52 +00:00 · 2024-05-24 15:48:52 +00:00 · 2024-05-24 15:48:52 +00:00
553 changed files with 40484 additions and 4222 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -79,7 +79,7 @@ jobs:
      uses: actions/checkout@v4

    - name: Install Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
      with:
        python-version: '3.11'
        cache: 'pip'
@ -136,15 +136,26 @@ jobs:
            print(f'ci_setup_supported={str(ci_setup_supported).lower()}', file=fh)
            print(f'setup_supported={str(setup_supported).lower()}', file=fh)

+    - name: Convert Arch to Log Format
+      id: convert_arch_hyphen
+      env:
+        ARCH_LIST: ${{ matrix.ArchList }}
+      shell: python
+      run: |
+        import os
+
+        with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
+            print(f'arch_list={os.environ["ARCH_LIST"].replace(",", "-")}', file=fh)
+
    - name: Setup
      if: steps.get_ci_file_operations.outputs.setup_supported == 'true'
      run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019

    - name: Upload Setup Log As An Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      if: (success() || failure()) && steps.get_ci_file_operations.outputs.setup_supported == 'true'
      with:
-        name: ${{ matrix.Package }}-Logs
+        name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-Setup-Log
        path: |
          **/SETUPLOG.txt
          retention-days: 7
@ -155,10 +166,10 @@ jobs:
      run: stuart_ci_setup -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019

    - name: Upload CI Setup Log As An Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      if: (success() || failure()) && steps.get_ci_file_operations.outputs.ci_setup_supported == 'true'
      with:
-        name: ${{ matrix.Package }}-Logs
+        name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-CI-Setup-Log
        path: |
          **/CISETUP.txt
          retention-days: 7
@ -168,10 +179,10 @@ jobs:
      run: stuart_update -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019

    - name: Upload Update Log As An Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      if: success() || failure()
      with:
-        name: ${{ matrix.Package }}-Logs
+        name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-Update-Log
        path: |
          **/UPDATE_LOG.txt
        retention-days: 7
@ -228,7 +239,7 @@ jobs:

    - name: Attempt to Load CodeQL CLI From Cache
      id: codeqlcli_cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: ${{ steps.cache_key_gen.outputs.codeql_cli_ext_dep_dir }}
        key: ${{ steps.cache_key_gen.outputs.codeql_cli_cache_key }}
@ -284,10 +295,10 @@ jobs:
        delete_dirs(build_path)

    - name: Upload Build Logs As An Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      if: success() || failure()
      with:
-        name: ${{ matrix.Package }}-Logs
+        name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-Build-Logs
        path: |
          **/BUILD_REPORT.TXT
          **/OVERRIDELOG.TXT
@ -329,10 +340,10 @@ jobs:
                print(f'upload_sarif_file=false', file=fh)

    - name: Upload CodeQL Results (SARIF) As An Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      if: steps.env_data.outputs.upload_sarif_file == 'true'
      with:
-        name: ${{ matrix.Package }}-CodeQL-SARIF
+        name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-CodeQL-SARIF
        path: |
          ${{ steps.env_data.outputs.emacs_file_path }}
          ${{ steps.env_data.outputs.sarif_file_path }}
@ -340,7 +351,7 @@ jobs:
        if-no-files-found: warn

    - name: Upload CodeQL Results (SARIF) To GitHub Code Scanning
-      uses: github/codeql-action/upload-sarif@v2
+      uses: github/codeql-action/upload-sarif@v3
      if: steps.env_data.outputs.upload_sarif_file == 'true'
      with:
        # Path to SARIF file relative to the root of the repository.
--- a/.gitmodules
+++ b/.gitmodules
@ -35,3 +35,6 @@
 [submodule "CryptoPkg/Library/MbedTlsLib/mbedtls"]
 	path = CryptoPkg/Library/MbedTlsLib/mbedtls
 	url = https://github.com/ARMmbed/mbedtls
+[submodule "SecurityPkg/DeviceSecurity/SpdmLib/libspdm"]
+	path = SecurityPkg/DeviceSecurity/SpdmLib/libspdm
+	url = https://github.com/DMTF/libspdm.git
--- a/.pytool/CISettings.py
+++ b/.pytool/CISettings.py
@ -237,6 +237,8 @@ class Settings(CiBuildSettingsManager, UpdateSettingsManager, SetupSettingsManag
            "MdePkg/Library/MipiSysTLib/mipisyst", False))
        rs.append(RequiredSubmodule(
            "CryptoPkg/Library/MbedTlsLib/mbedtls", False))
+        rs.append(RequiredSubmodule(
+            "SecurityPkg/DeviceSecurity/SpdmLib/libspdm", False))
        return rs

    def GetName(self):
--- a/ArmPkg/ArmPkg.dec
+++ b/ArmPkg/ArmPkg.dec
@ -139,11 +139,6 @@
  # Define if the GICv3 controller should use the GICv2 legacy
  gArmTokenSpaceGuid.PcdArmGicV3WithV2Legacy|FALSE|BOOLEAN|0x00000042

-  ## Define the conduit to use for monitor calls.
-  # Default PcdMonitorConduitHvc = FALSE, conduit = SMC
-  # If PcdMonitorConduitHvc = TRUE, conduit = HVC
-  gArmTokenSpaceGuid.PcdMonitorConduitHvc|FALSE|BOOLEAN|0x00000047
-
  # Whether to remap all unused memory NX before installing the CPU arch
  # protocol driver. This is needed on platforms that map all DRAM with RWX
  # attributes initially, and can be disabled otherwise.
@ -317,6 +312,11 @@
  gArmTokenSpaceGuid.PcdSystemBiosRelease|0xFFFF|UINT16|0x30000058
  gArmTokenSpaceGuid.PcdEmbeddedControllerFirmwareRelease|0xFFFF|UINT16|0x30000059

+  ## Define the conduit to use for monitor calls.
+  # Default PcdMonitorConduitHvc = FALSE, conduit = SMC
+  # If PcdMonitorConduitHvc = TRUE, conduit = HVC
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|FALSE|BOOLEAN|0x00000047
+
 [PcdsFixedAtBuild.common, PcdsDynamic.common]
  #
  # ARM Architectural Timer
--- a/ArmPkg/Include/Chipset/ArmCortexA5x.h
+++ b/ArmPkg/Include/Chipset/ArmCortexA5x.h
@ -1,44 +0,0 @@
-/** @file
-
-  Copyright (c) 2012 - 2021, Arm Limited. All rights reserved.<BR>
-
-  SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef ARM_CORTEX_A5X_H_
-#define ARM_CORTEX_A5X_H_
-
-//
-// Cortex A5x feature bit definitions
-//
-#define A5X_FEATURE_SMP  (1 << 6)
-
-//
-// Helper functions to access CPU Extended Control Register
-//
-UINT64
-EFIAPI
-ArmReadCpuExCr (
-  VOID
-  );
-
-VOID
-EFIAPI
-ArmWriteCpuExCr (
-  IN  UINT64  Val
-  );
-
-VOID
-EFIAPI
-ArmSetCpuExCrBit (
-  IN  UINT64  Bits
-  );
-
-VOID
-EFIAPI
-ArmUnsetCpuExCrBit (
-  IN  UINT64  Bits
-  );
-
-#endif // ARM_CORTEX_A5X_H_
--- a/ArmPkg/Include/Chipset/ArmCortexA9.h
+++ b/ArmPkg/Include/Chipset/ArmCortexA9.h
@ -1,57 +0,0 @@
-/** @file
-
-  Copyright (c) 2011, ARM Limited. All rights reserved.
-
-  SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef ARM_CORTEX_A9_H_
-#define ARM_CORTEX_A9_H_
-
-#include <Chipset/ArmV7.h>
-
-//
-// Cortex A9 feature bit definitions
-//
-#define A9_FEATURE_PARITY  (1<<9)
-#define A9_FEATURE_AOW     (1<<8)
-#define A9_FEATURE_EXCL    (1<<7)
-#define A9_FEATURE_SMP     (1<<6)
-#define A9_FEATURE_FOZ     (1<<3)
-#define A9_FEATURE_DPREF   (1<<2)
-#define A9_FEATURE_HINT    (1<<1)
-#define A9_FEATURE_FWD     (1<<0)
-
-//
-// Cortex A9 Watchdog
-//
-#define ARM_A9_WATCHDOG_REGION  0x600
-
-#define ARM_A9_WATCHDOG_LOAD_REGISTER     0x20
-#define ARM_A9_WATCHDOG_CONTROL_REGISTER  0x28
-
-#define ARM_A9_WATCHDOG_WATCHDOG_MODE  (1 << 3)
-#define ARM_A9_WATCHDOG_TIMER_MODE     (0 << 3)
-#define ARM_A9_WATCHDOG_SINGLE_SHOT    (0 << 1)
-#define ARM_A9_WATCHDOG_AUTORELOAD     (1 << 1)
-#define ARM_A9_WATCHDOG_ENABLE         1
-
-//
-// SCU register offsets & masks
-//
-#define A9_SCU_CONTROL_OFFSET     0x0
-#define A9_SCU_CONFIG_OFFSET      0x4
-#define A9_SCU_INVALL_OFFSET      0xC
-#define A9_SCU_FILT_START_OFFSET  0x40
-#define A9_SCU_FILT_END_OFFSET    0x44
-#define A9_SCU_SACR_OFFSET        0x50
-#define A9_SCU_SSACR_OFFSET       0x54
-
-UINTN
-EFIAPI
-ArmGetScuBaseAddress (
-  VOID
-  );
-
-#endif // ARM_CORTEX_A9_H_
--- a/ArmPkg/Include/Library/ArmGicArchLib.h
+++ b/ArmPkg/Include/Library/ArmGicArchLib.h
@ -1,9 +1,15 @@
 /** @file
 *
 *  Copyright (c) 2015, Linaro Ltd. All rights reserved.
+*  Copyright (c) 2024, Arm Limited. All rights reserved.
 *
 *  SPDX-License-Identifier: BSD-2-Clause-Patent
 *
+*  @par Reference(s):
+*  - Arm Generic Interrupt Controller Architecture Specification,
+*    Issue H, January 2022.
+*    (https://developer.arm.com/documentation/ihi0069/)
+*
 **/

 #ifndef ARM_GIC_ARCH_LIB_H_
@ -23,4 +29,12 @@ ArmGicGetSupportedArchRevision (
  VOID
  );

+//
+// GIC SPI and extended SPI ranges
+//
+#define ARM_GIC_ARCH_SPI_MIN      32
+#define ARM_GIC_ARCH_SPI_MAX      1019
+#define ARM_GIC_ARCH_EXT_SPI_MIN  4096
+#define ARM_GIC_ARCH_EXT_SPI_MAX  5119
+
 #endif // ARM_GIC_ARCH_LIB_H_
--- a/ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c
+++ b/ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c
@ -26,7 +26,7 @@ ArmMonitorCall (
  IN OUT ARM_MONITOR_ARGS  *Args
  )
 {
-  if (FeaturePcdGet (PcdMonitorConduitHvc)) {
+  if (PcdGetBool (PcdMonitorConduitHvc)) {
    ArmCallHvc ((ARM_HVC_ARGS *)Args);
  } else {
    ArmCallSmc ((ARM_SMC_ARGS *)Args);
--- a/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
+++ b/ArmPlatformPkg/PrePeiCore/PrePeiCore.h
@ -73,14 +73,4 @@ PeiCommonExceptionEntry (
  IN UINTN   LR
  );

-/*
- * Autogenerated function that calls the library constructors for all of the
- * module's dependent libraries.
- */
-VOID
-EFIAPI
-ProcessLibraryConstructorList (
-  VOID
-  );
-
 #endif
--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
+++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf
@ -8,7 +8,7 @@
 #**/

 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
  BASE_NAME                      = ArmPlatformPrePeiCore
  FILE_GUID                      = b78d02bb-d0b5-4389-bc7f-b39ee846c784
  MODULE_TYPE                    = SEC
--- a/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
+++ b/ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf
@ -8,7 +8,7 @@
 #**/

 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
  BASE_NAME                      = ArmPlatformPrePeiCore
  FILE_GUID                      = 469fc080-aec1-11df-927c-0002a5d5c51b
  MODULE_TYPE                    = SEC
--- a/ArmPlatformPkg/PrePi/PeiMPCore.inf
+++ b/ArmPlatformPkg/PrePi/PeiMPCore.inf
@ -8,7 +8,7 @@
 #**/

 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
  BASE_NAME                      = ArmPlatformPrePiMPCore
  FILE_GUID                      = d959e387-7b91-452c-90e0-a1dbac90ddb8
  MODULE_TYPE                    = SEC
--- a/ArmPlatformPkg/PrePi/PeiUniCore.inf
+++ b/ArmPlatformPkg/PrePi/PeiUniCore.inf
@ -9,7 +9,7 @@
 #**/

 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
  BASE_NAME                      = ArmPlatformPrePiUniCore
  FILE_GUID                      = 3e401783-cc94-4fcd-97bc-bd35ac369d2f
  MODULE_TYPE                    = SEC
--- a/ArmPlatformPkg/PrePi/PrePi.h
+++ b/ArmPlatformPkg/PrePi/PrePi.h
@ -79,10 +79,4 @@ ArchInitialize (
  VOID
  );

-VOID
-EFIAPI
-ProcessLibraryConstructorList (
-  VOID
-  );
-
 #endif /* _PREPI_H_ */
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@ -156,7 +156,9 @@
  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
 !endif
  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-  RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+  RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+  ArmTrngLib|ArmPkg/Library/ArmTrngLib/ArmTrngLib.inf
+  ArmMonitorLib|ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf

  #
  # Secure Boot dependencies
@ -266,6 +268,7 @@

 [LibraryClasses.ARM]
  ArmSoftFloatLib|ArmPkg/Library/ArmSoftFloatLib/ArmSoftFloatLib.inf
+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf

 [BuildOptions]
  GCC:RELEASE_*_*_CC_FLAGS  = -DMDEPKG_NDEBUG
--- a/ArmVirtPkg/ArmVirtCloudHv.dsc
+++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
@ -201,6 +201,9 @@
 [PcdsDynamicHii]
  gUefiOvmfPkgTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gOvmfVariableGuid|0x0|FALSE|NV,BS

+[PcdsPatchableInModule.common]
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 ################################################################################
 #
 # Components Section - list of all EDK II Modules needed by this Platform
--- a/ArmVirtPkg/ArmVirtKvmTool.dsc
+++ b/ArmVirtPkg/ArmVirtKvmTool.dsc
@ -126,8 +126,6 @@
  # Use MMIO for accessing RTC controller registers.
  gPcAtChipsetPkgTokenSpaceGuid.PcdRtcUseMmio|TRUE

-  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
-
 [PcdsFixedAtBuild.common]
  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000000F

@ -167,6 +165,8 @@
  #
  gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16

+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 [PcdsPatchableInModule.common]
  #
  # This will be overridden in the code
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@ -49,10 +49,10 @@

 !include NetworkPkg/NetworkDefines.dsc.inc

-!include ArmVirtPkg/ArmVirt.dsc.inc
-
 !include MdePkg/MdeLibs.dsc.inc

+!include ArmVirtPkg/ArmVirt.dsc.inc
+
 [LibraryClasses.common]
  ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
  ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuBaseLib.inf
@ -60,7 +60,7 @@
  # Virtio Support
  VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
  VirtioMmioDeviceLib|OvmfPkg/Library/VirtioMmioDeviceLib/VirtioMmioDeviceLib.inf
-  QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLibMmio.inf
+  QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgMmioDxeLib.inf
  QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/BaseQemuFwCfgS3LibNull.inf
  QemuFwCfgSimpleParserLib|OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParserLib.inf
  QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
@ -124,8 +124,6 @@
 [BuildOptions]
 !if $(CAVIUM_ERRATUM_27456) == TRUE
  GCC:*_*_AARCH64_PP_FLAGS = -DCAVIUM_ERRATUM_27456
-!else
-  GCC:*_*_AARCH64_CC_XIPFLAGS ==
 !endif

 !include NetworkPkg/NetworkBuildOptions.dsc.inc
@ -295,6 +293,10 @@
  gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
  gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01

+  # whether to use HVC or SMC to issue monitor calls - this typically depends
+  # on the exception level at which the UEFI system firmware executes
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
  #
  # TPM2 support
  #
@ -320,11 +322,7 @@
  gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|L"Timeout"|gEfiGlobalVariableGuid|0x0|5

 [LibraryClasses.common.PEI_CORE, LibraryClasses.common.PEIM]
-!if $(TPM2_ENABLE) == TRUE
  PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
-!else
-  PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
-!endif

 ################################################################################
 #
@ -341,11 +339,11 @@
  ArmVirtPkg/MemoryInitPei/MemoryInitPeim.inf
  ArmPkg/Drivers/CpuPei/CpuPei.inf

-!if $(TPM2_ENABLE) == TRUE
  MdeModulePkg/Universal/PCD/Pei/Pcd.inf {
    <LibraryClasses>
      PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
  }
+!if $(TPM2_ENABLE) == TRUE
  MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf {
    <LibraryClasses>
      ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
@ -434,6 +432,7 @@
      BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
  }
  MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf

  #
  # Status Code Routing
@ -556,6 +555,11 @@
  MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
  MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf

+  #
+  # Hash2 Protocol Support
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
  #
  # TPM2 support
  #
--- a/ArmVirtPkg/ArmVirtQemu.fdf
+++ b/ArmVirtPkg/ArmVirtQemu.fdf
@ -111,8 +111,8 @@ READ_LOCK_STATUS   = TRUE
  INF ArmPkg/Drivers/CpuPei/CpuPei.inf
  INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf

-!if $(TPM2_ENABLE) == TRUE
  INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf
+!if $(TPM2_ENABLE) == TRUE
  INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
  INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
  INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
@ -75,6 +75,7 @@ READ_LOCK_STATUS   = TRUE
  INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf
  INF OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf
  INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
+  INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf

  #
  # FAT filesystem + GPT/MBR partitioning + UDF filesystem + virtio-fs
@ -177,6 +178,11 @@ READ_LOCK_STATUS   = TRUE
  INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
  INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf

+  #
+  # Hash2 Protocol producer
+  #
+  INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
  #
  # TPM2 support
  #
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@ -46,10 +46,10 @@

 !include NetworkPkg/NetworkDefines.dsc.inc

-!include ArmVirtPkg/ArmVirt.dsc.inc
-
 !include MdePkg/MdeLibs.dsc.inc

+!include ArmVirtPkg/ArmVirt.dsc.inc
+
 [LibraryClasses.common]
  ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
  ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuBaseLib.inf
@ -57,7 +57,7 @@
  # Virtio Support
  VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
  VirtioMmioDeviceLib|OvmfPkg/Library/VirtioMmioDeviceLib/VirtioMmioDeviceLib.inf
-  QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLibMmio.inf
+  QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgMmioDxeLib.inf
  QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/BaseQemuFwCfgS3LibNull.inf
  QemuFwCfgSimpleParserLib|OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParserLib.inf
  QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
@ -203,6 +203,8 @@
  gArmTokenSpaceGuid.PcdFdBaseAddress|0x0
  gArmTokenSpaceGuid.PcdFvBaseAddress|0x0

+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 [PcdsDynamicDefault.common]
  gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|3

@ -339,6 +341,7 @@
      BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
  }
  MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf

  #
  # Status Code Routing
@ -461,6 +464,11 @@
  MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
  MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf

+  #
+  # Hash2 Protocol Support
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
  #
  # ACPI Support
  #
--- a/ArmVirtPkg/ArmVirtXen.dsc
+++ b/ArmVirtPkg/ArmVirtXen.dsc
@ -23,10 +23,10 @@
  SKUID_IDENTIFIER               = DEFAULT
  FLASH_DEFINITION               = ArmVirtPkg/ArmVirtXen.fdf

-!include ArmVirtPkg/ArmVirt.dsc.inc
-
 !include MdePkg/MdeLibs.dsc.inc

+!include ArmVirtPkg/ArmVirt.dsc.inc
+
 [LibraryClasses]
  SerialPortLib|OvmfPkg/Library/XenConsoleSerialPortLib/XenConsoleSerialPortLib.inf
 !if $(TARGET) != RELEASE
@ -120,6 +120,8 @@
  gArmTokenSpaceGuid.PcdFdBaseAddress|0x0
  gArmTokenSpaceGuid.PcdFvBaseAddress|0x0

+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 [PcdsDynamicDefault.common]

  gArmTokenSpaceGuid.PcdArmArchTimerSecIntrNum|0x0
--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
+++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
@ -18,6 +18,8 @@
 #include <Library/FdtSerialPortAddressLib.h>
 #include <libfdt.h>

+#include <Chipset/AArch64.h>
+
 #include <Guid/EarlyPL011BaseAddress.h>
 #include <Guid/FdtHob.h>

@ -224,5 +226,17 @@ PlatformPeim (

  BuildFvHob (PcdGet64 (PcdFvBaseAddress), PcdGet32 (PcdFvSize));

+ #ifdef MDE_CPU_AARCH64
+  //
+  // Set the SMCCC conduit to SMC if executing at EL2, which is typically the
+  // exception level that services HVCs rather than the one that invokes them.
+  //
+  if (ArmReadCurrentEL () == AARCH64_EL2) {
+    Status = PcdSetBoolS (PcdMonitorConduitHvc, FALSE);
+    ASSERT_EFI_ERROR (Status);
+  }
+
+ #endif
+
  return EFI_SUCCESS;
 }
--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
+++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
@ -45,6 +45,7 @@

 [Pcd]
  gArmTokenSpaceGuid.PcdFvBaseAddress
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc
  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress             ## SOMETIMES_PRODUCES
  gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress

--- a/ArmVirtPkg/PlatformCI/PlatformBuildLib.py
+++ b/ArmVirtPkg/PlatformCI/PlatformBuildLib.py
@ -240,6 +240,8 @@ class PlatformBuilder(UefiBuilder, BuildSettingsManager):
        args += " -serial stdio"
        # Mount disk with startup.nsh
        args += f" -drive file=fat:rw:{VirtualDrive},format=raw,media=disk"
+        # Provides Rng services to the Guest VM
+        args += " -device virtio-rng-pci"

        # Conditional Args
        if (self.env.GetValue("QEMU_HEADLESS").upper() == "TRUE"):
--- a/ArmVirtPkg/PrePi/ArmVirtPrePiUniCoreRelocatable.inf
+++ b/ArmVirtPkg/PrePi/ArmVirtPrePiUniCoreRelocatable.inf
@ -8,7 +8,7 @@
 #**/

 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
  BASE_NAME                      = ArmVirtPrePiUniCoreRelocatable
  FILE_GUID                      = f7d9fd14-9335-4389-80c5-334d6abfcced
  MODULE_TYPE                    = SEC
--- a/ArmVirtPkg/PrePi/PrePi.c
+++ b/ArmVirtPkg/PrePi/PrePi.c
@ -22,12 +22,6 @@

 #include "PrePi.h"

-VOID
-EFIAPI
-ProcessLibraryConstructorList (
-  VOID
-  );
-
 VOID
 PrePiMain (
  IN  UINTN   UefiMemoryBase,
--- a/ArmVirtPkg/XenAcpiPlatformDxe/XenAcpiPlatformDxe.c
+++ b/ArmVirtPkg/XenAcpiPlatformDxe/XenAcpiPlatformDxe.c
@ -128,10 +128,12 @@ InstallXenArmTables (
  EFI_ACPI_DESCRIPTION_HEADER                   *Xsdt;
  EFI_ACPI_2_0_FIXED_ACPI_DESCRIPTION_TABLE     *FadtTable;
  EFI_ACPI_DESCRIPTION_HEADER                   *DsdtTable;
+  EFI_ACPI_3_0_FIRMWARE_ACPI_CONTROL_STRUCTURE  *FacsTable;

  XenAcpiRsdpStructurePtr = NULL;
  FadtTable               = NULL;
  DsdtTable               = NULL;
+  FacsTable               = NULL;
  TableHandle             = 0;
  NumberOfTableEntries    = 0;

@ -191,6 +193,8 @@ InstallXenArmTables (
        FadtTable = (EFI_ACPI_2_0_FIXED_ACPI_DESCRIPTION_TABLE *)
                    (UINTN)CurrentTablePointer;
        DsdtTable = (EFI_ACPI_DESCRIPTION_HEADER *)(UINTN)FadtTable->Dsdt;
+        FacsTable = (EFI_ACPI_3_0_FIRMWARE_ACPI_CONTROL_STRUCTURE *)
+                    (UINTN)FadtTable->FirmwareCtrl;
      }
    }
  }
@ -198,14 +202,31 @@ InstallXenArmTables (
  //
  // Install DSDT table.
  //
-  Status = AcpiProtocol->InstallAcpiTable (
-                           AcpiProtocol,
-                           DsdtTable,
-                           DsdtTable->Length,
-                           &TableHandle
-                           );
-  if (EFI_ERROR (Status)) {
-    return Status;
+  if (DsdtTable != NULL) {
+    Status = AcpiProtocol->InstallAcpiTable (
+                             AcpiProtocol,
+                             DsdtTable,
+                             DsdtTable->Length,
+                             &TableHandle
+                             );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+  }
+
+  //
+  // Install FACS table.
+  //
+  if (FacsTable != NULL) {
+    Status = AcpiProtocol->InstallAcpiTable (
+                             AcpiProtocol,
+                             FacsTable,
+                             FacsTable->Length,
+                             &TableHandle
+                             );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
  }

  return EFI_SUCCESS;
--- a/BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
+++ b/BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml
@ -16,9 +16,9 @@
  "scope": "codeql-ext-dep",
  "type": "web",
  "name": "codeql_cli",
-  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.12.4/codeql.zip",
-  "version": "2.12.4",
-  "sha256": "f682f1155d627ad97f10b1bcad97f682011986717bd3823e9cf831ed83ac96e7",
+  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.17.3/codeql.zip",
+  "version": "2.17.3",
+  "sha256": "e5ac1d87ab38e405c9af5db234a338b10dffabc98a648903f1664dd2a566dfd5",
  "compression_type": "zip",
  "internal_path": "/codeql/",
  "flags": ["set_shell_var", ],
--- a/BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
+++ b/BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml
@ -14,9 +14,9 @@
  "scope": "codeql-linux-ext-dep",
  "type": "web",
  "name": "codeql_linux_cli",
-  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.14.5/codeql-linux64.zip",
-  "version": "2.14.5",
-  "sha256": "72aa5d748ff9ab57cfd86045560683bdc4897e0fe6d9f9a2786d9394674ae733",
+  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.17.3/codeql-linux64.zip",
+  "version": "2.17.3",
+  "sha256": "9fba000c4b821534d354bc16821aa066fdb1304446226ea449870e64a8ad3c7a",
  "compression_type": "zip",
  "internal_path": "/codeql/",
  "flags": ["set_shell_var", ],
--- a/BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
+++ b/BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml
@ -14,9 +14,9 @@
  "scope": "codeql-windows-ext-dep",
  "type": "web",
  "name": "codeql_windows_cli",
-  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.14.5/codeql-win64.zip",
-  "version": "2.14.5",
-  "sha256": "861fcb38365cc311efee0c3a28c77494e93c69a969885b72e53173ad473f61aa",
+  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.17.3/codeql-win64.zip",
+  "version": "2.17.3",
+  "sha256": "4c6fbf2ea2eaf0f47bf0347eacf54c6b9d6bdf7acb6b63e17f9e6f2dd83b34e7",
  "compression_type": "zip",
  "internal_path": "/codeql/",
  "flags": ["set_shell_var", ],
--- a/BaseTools/Scripts/GetUtcDateTime.py
+++ b/BaseTools/Scripts/GetUtcDateTime.py
@ -29,7 +29,7 @@ def Main():
        print ("ERROR: At least one argument is required!\n")
        PARSER.print_help()

-    today = datetime.datetime.utcnow()
+    today = datetime.datetime.now(datetime.timezone.utc)
    if ARGS.year:
        ReversedNumber = str(today.year)[::-1]
        print (''.join(hex(ord(HexString))[2:] for HexString in ReversedNumber))
--- a/BaseTools/Scripts/PatchCheck.py
+++ b/BaseTools/Scripts/PatchCheck.py
@ -28,6 +28,7 @@ class Verbose:

 class PatchCheckConf:
    ignore_change_id = False
+    ignore_multi_package = False

 class EmailAddressCheck:
    """Checks an email address."""
@ -85,7 +86,11 @@ class EmailAddressCheck:
            self.error("The email address cannot contain a space: " +
                       mo.group(3))

-        if ' via Groups.Io' in name and mo.group(3).endswith('@groups.io'):
+        if mo.group(3) == 'devel@edk2.groups.io':
+            self.error("Email rewritten by lists DMARC / DKIM / SPF: " +
+                       email)
+
+        if ' via groups.io' in name.lower() and mo.group(3).endswith('@groups.io'):
            self.error("Email rewritten by lists DMARC / DKIM / SPF: " +
                       email)

@ -94,6 +99,7 @@ class CommitMessageCheck:

    def __init__(self, subject, message, author_email):
        self.ok = True
+        self.ignore_multi_package = False

        if subject is None and  message is None:
            self.error('Commit message is missing!')
@ -116,6 +122,7 @@ class CommitMessageCheck:
            self.check_overall_format()
            if not PatchCheckConf.ignore_change_id:
                self.check_change_id_format()
+            self.check_ci_options_format()
        self.report_message_result()

    url = 'https://github.com/tianocore/tianocore.github.io/wiki/Commit-Message-Format'
@ -198,7 +205,7 @@ class CommitMessageCheck:
            if s[2] != ' ':
                self.error("There should be a space after '" + sig + ":'")

-            EmailAddressCheck(s[3], sig)
+            self.ok &= EmailAddressCheck(s[3], sig).ok

        return sigs

@ -225,8 +232,10 @@ class CommitMessageCheck:
        )

    def check_misc_signatures(self):
-        for sig in self.sig_types:
-            self.find_signatures(sig)
+        for sigtype in self.sig_types:
+            sigs = self.find_signatures(sigtype)
+            if sigtype == 'Cc' and len(sigs) == 0:
+                self.error('No Cc: tags for maintainers/reviewers found!')

    cve_re = re.compile('CVE-[0-9]{4}-[0-9]{5}[^0-9]')

@ -318,6 +327,15 @@ class CommitMessageCheck:
            self.error('\"%s\" found in commit message:' % cid)
            return

+    def check_ci_options_format(self):
+        cio='Continuous-integration-options:'
+        for line in self.msg.splitlines():
+            if not line.startswith(cio):
+                continue
+            options = line.split(':', 1)[1].split()
+            if 'PatchCheck.ignore-multi-package' in options:
+                self.ignore_multi_package = True
+
 (START, PRE_PATCH, PATCH) = range(3)

 class GitDiffCheck:
@ -555,6 +573,7 @@ class CheckOnePatch:

        msg_check = CommitMessageCheck(self.commit_subject, self.commit_msg, self.author_email)
        msg_ok = msg_check.ok
+        self.ignore_multi_package = msg_check.ignore_multi_package

        diff_ok = True
        if self.diff is not None:
@ -665,6 +684,7 @@ class CheckGitCommits:
    """

    def __init__(self, rev_spec, max_count):
+        dec_files = self.read_dec_files_from_git()
        commits = self.read_commit_list_from_git(rev_spec, max_count)
        if len(commits) == 1 and Verbose.level > Verbose.ONELINE:
            commits = [ rev_spec ]
@ -680,10 +700,66 @@ class CheckGitCommits:
            email = self.read_committer_email_address_from_git(commit)
            self.ok &= EmailAddressCheck(email, 'Committer').ok
            patch = self.read_patch_from_git(commit)
-            self.ok &= CheckOnePatch(commit, patch).ok
+            check_patch = CheckOnePatch(commit, patch)
+            self.ok &= check_patch.ok
+            ignore_multi_package = check_patch.ignore_multi_package
+            if PatchCheckConf.ignore_multi_package:
+                ignore_multi_package = True
+            prefix = 'WARNING: ' if ignore_multi_package else ''
+            check_parent = self.check_parent_packages (dec_files, commit, prefix)
+            if not ignore_multi_package:
+                self.ok &= check_parent
+
        if not commits:
            print("Couldn't find commit matching: '{}'".format(rev_spec))

+    def check_parent_packages(self, dec_files, commit, prefix):
+        ok = True
+        modified = self.get_parent_packages (dec_files, commit, 'AM')
+        if len (modified) > 1:
+            print("{}The commit adds/modifies files in multiple packages:".format(prefix))
+            print(" *", '\n * '.join(modified))
+            ok = False
+        deleted = self.get_parent_packages (dec_files, commit, 'D')
+        if len (deleted) > 1:
+            print("{}The commit deletes files from multiple packages:".format(prefix))
+            print(" *", '\n * '.join(deleted))
+            ok = False
+        return ok
+
+    def get_parent_packages(self, dec_files, commit, filter):
+        filelist = self.read_files_modified_from_git (commit, filter)
+        parents = set()
+        for file in filelist:
+            dec_found = False
+            for dec_file in dec_files:
+                if os.path.commonpath([dec_file, file]):
+                    dec_found = True
+                    parents.add(dec_file)
+            if not dec_found and os.path.dirname (file):
+                # No DEC file found and file is in a subdir
+                # Covers BaseTools, .github, .azurepipelines, .pytool
+                parents.add(file.split('/')[0])
+        return list(parents)
+
+    def read_dec_files_from_git(self):
+        # run git ls-files *.dec
+        out = self.run_git('ls-files', '*.dec')
+        # return list of .dec files
+        try:
+            return out.split()
+        except:
+            return []
+
+    def read_files_modified_from_git(self, commit, filter):
+        # run git diff-tree --no-commit-id --name-only -r <commit>
+        out = self.run_git('diff-tree', '--no-commit-id', '--name-only',
+                           '--diff-filter=' + filter, '-r', commit)
+        try:
+            return out.split()
+        except:
+            return []
+
    def read_commit_list_from_git(self, rev_spec, max_count):
        # Run git to get the commit patch
        cmd = [ 'rev-list', '--abbrev-commit', '--no-walk' ]
@ -794,6 +870,9 @@ class PatchCheckApp:
        group.add_argument("--ignore-change-id",
                           action="store_true",
                           help="Ignore the presence of 'Change-Id:' tags in commit message")
+        group.add_argument("--ignore-multi-package",
+                           action="store_true",
+                           help="Ignore if commit modifies files in multiple packages")
        self.args = parser.parse_args()
        if self.args.oneline:
            Verbose.level = Verbose.ONELINE
@ -801,6 +880,8 @@ class PatchCheckApp:
            Verbose.level = Verbose.SILENT
        if self.args.ignore_change_id:
            PatchCheckConf.ignore_change_id = True
+        if self.args.ignore_multi_package:
+            PatchCheckConf.ignore_multi_package = True

 if __name__ == "__main__":
    sys.exit(PatchCheckApp().retval)
--- a/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h
+++ b/BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h
@ -1556,7 +1556,17 @@ typedef enum {
  EfiKeyF12,
  EfiKeyPrint,
  EfiKeySLck,
-  EfiKeyPause
+  EfiKeyPause,
+  EfiKeyIntl0,
+  EfiKeyIntl1,
+  EfiKeyIntl2,
+  EfiKeyIntl3,
+  EfiKeyIntl4,
+  EfiKeyIntl5,
+  EfiKeyIntl6,
+  EfiKeyIntl7,
+  EfiKeyIntl8,
+  EfiKeyIntl9
 } EFI_KEY;

 typedef struct {
--- a/BaseTools/Source/Python/AutoGen/GenC.py
+++ b/BaseTools/Source/Python/AutoGen/GenC.py
@ -1371,6 +1371,14 @@ def CreateLibraryConstructorCode(Info, AutoGenC, AutoGenH):
    else:
        if Info.ModuleType in [SUP_MODULE_BASE, SUP_MODULE_SEC, SUP_MODULE_USER_DEFINED, SUP_MODULE_HOST_APPLICATION]:
            AutoGenC.Append(gLibraryString[SUP_MODULE_BASE].Replace(Dict))
+            if Info.ModuleType == SUP_MODULE_SEC and Info.AutoGenVersion >= 0x0001001E:
+                AutoGenH.Append(("\n"
+                                 "// ProcessLibraryConstructorList() declared here because SEC has no standard entry point.\n"
+                                 "VOID\n"
+                                 "EFIAPI\n"
+                                 "ProcessLibraryConstructorList (\n"
+                                 "  VOID\n"
+                                 "  );\n"))
        elif Info.ModuleType in SUP_MODULE_SET_PEI:
            AutoGenC.Append(gLibraryString['PEI'].Replace(Dict))
        elif Info.ModuleType in [SUP_MODULE_DXE_CORE, SUP_MODULE_DXE_DRIVER, SUP_MODULE_DXE_SMM_DRIVER, SUP_MODULE_DXE_RUNTIME_DRIVER,
--- a/BaseTools/Source/Python/FMMT/FMMT.py
+++ b/BaseTools/Source/Python/FMMT/FMMT.py
@ -37,7 +37,7 @@ parser.add_argument("-l", "--LayoutFileName", dest="LayoutFileName", nargs='+',
                        the file will be generated with default name (Layout_'InputFileName'.txt). \
                        Currently supports two formats: json, txt. More formats will be added in the future")
 parser.add_argument("-c", "--ConfigFilePath", dest="ConfigFilePath", nargs='+',
-                    help="Provide the target FmmtConf.ini file path: '-c C:\Code\FmmtConf.ini' \
+                    help="Provide the target FmmtConf.ini file path: '-c C:\\Code\\FmmtConf.ini' \
                        FmmtConf file saves the target guidtool used in compress/uncompress process.\
                        If do not provide, FMMT tool will search the inputfile folder for FmmtConf.ini firstly, if not found,\
                        the FmmtConf.ini saved in FMMT tool's folder will be used as default.")
--- a/BaseTools/Source/Python/GenFds/Capsule.py
+++ b/BaseTools/Source/Python/GenFds/Capsule.py
@ -1,6 +1,7 @@
 ## @file
 # generate capsule
 #
+#  Copyright (C) 2024 Advanced Micro Devices, Inc. All rights reserved.<BR>
 #  Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR>
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
@ -78,6 +79,8 @@ class Capsule (CapsuleClassObject):
                    Flags |= 0x00010000
                elif flag == 'InitiateReset':
                    Flags |= 0x00040000
+        if 'OEM_CAPSULE_FLAGS' in self.TokensDict:
+            Flags |= int(self.TokensDict['OEM_CAPSULE_FLAGS'],16)
        Header.write(pack('=I', Flags))
        #
        # typedef struct {
--- a/BaseTools/Source/Python/GenFds/FfsInfStatement.py
+++ b/BaseTools/Source/Python/GenFds/FfsInfStatement.py
@ -19,6 +19,7 @@ from .GenFdsGlobalVariable import GenFdsGlobalVariable
 from .Ffs import SectionSuffix,FdfFvFileTypeToFileType
 import subprocess
 import sys
+from pathlib import Path
 from . import Section
 from . import RuleSimpleFile
 from . import RuleComplexFile
@ -92,7 +93,7 @@ class FfsInfStatement(FfsInfStatementClassObject):

                if ModuleType != SUP_MODULE_USER_DEFINED and ModuleType != SUP_MODULE_HOST_APPLICATION:
                    for LibraryClass in PlatformDataBase.LibraryClasses.GetKeys():
-                        if LibraryClass.startswith("NULL") and PlatformDataBase.LibraryClasses[LibraryClass, ModuleType]:
+                        if LibraryClass.startswith("NULL") and LibraryClass[4:].isdigit() and PlatformDataBase.LibraryClasses[LibraryClass, ModuleType]:
                            self.InfModule.LibraryClasses[LibraryClass] = PlatformDataBase.LibraryClasses[LibraryClass, ModuleType]

                StrModule = str(self.InfModule)
@ -100,7 +101,7 @@ class FfsInfStatement(FfsInfStatementClassObject):
                if StrModule in PlatformDataBase.Modules:
                    PlatformModule = PlatformDataBase.Modules[StrModule]
                    for LibraryClass in PlatformModule.LibraryClasses:
-                        if LibraryClass.startswith("NULL"):
+                        if LibraryClass.startswith("NULL") and LibraryClass[4:].isdigit():
                            self.InfModule.LibraryClasses[LibraryClass] = PlatformModule.LibraryClasses[LibraryClass]

                DependencyList = [self.InfModule]
@ -156,7 +157,12 @@ class FfsInfStatement(FfsInfStatementClassObject):
        if len(self.InfFileName) > 1 and self.InfFileName[0] == '\\' and self.InfFileName[1] == '\\':
            pass
        elif self.InfFileName[0] == '\\' or self.InfFileName[0] == '/' :
-            self.InfFileName = self.InfFileName[1:]
+            ws_path = Path(GenFdsGlobalVariable.WorkSpaceDir)
+            inf_path = Path(self.InfFileName)
+            if ws_path in inf_path.parents:
+                self.InfFileName = str(inf_path.relative_to(ws_path))
+            else:
+                self.InfFileName = self.InfFileName[1:]

        if self.InfFileName.find('$') == -1:
            InfPath = NormPath(self.InfFileName)
--- a/BaseTools/Source/Python/Workspace/DscBuildData.py
+++ b/BaseTools/Source/Python/Workspace/DscBuildData.py
@ -3033,7 +3033,7 @@ class DscBuildData(PlatformBuildClassObject):
            StructuredPcdsData["OBJECTS"][include_file] = os.path.getmtime(include_file)
            MakeApp += "$(OBJECTS) : %s\n" % include_file
        if sys.platform == "win32":
-            PcdValueCommonPath = os.path.normpath(mws.join(GlobalData.gGlobalDefines["EDK_TOOLS_PATH"], "Source\C\Common\PcdValueCommon.c"))
+            PcdValueCommonPath = os.path.normpath(mws.join(GlobalData.gGlobalDefines["EDK_TOOLS_PATH"], "Source\\C\\Common\\PcdValueCommon.c"))
            MakeApp = MakeApp + '%s\\PcdValueCommon.c : %s\n' % (self.OutputPath, PcdValueCommonPath)
            MakeApp = MakeApp + '\tcopy /y %s $@\n' % (PcdValueCommonPath)
        else:
--- a/BaseTools/Source/Python/Workspace/WorkspaceCommon.py
+++ b/BaseTools/Source/Python/Workspace/WorkspaceCommon.py
@ -102,12 +102,12 @@ def GetModuleLibInstances(Module, Platform, BuildDatabase, Arch, Target, Toolcha
    #
    if Module.ModuleType != SUP_MODULE_USER_DEFINED:
        for LibraryClass in Platform.LibraryClasses.GetKeys():
-            if LibraryClass.startswith("NULL") and Platform.LibraryClasses[LibraryClass, Module.ModuleType]:
+            if LibraryClass.startswith("NULL") and LibraryClass[4:].isdigit() and Platform.LibraryClasses[LibraryClass, Module.ModuleType]:
                Module.LibraryClasses[LibraryClass] = Platform.LibraryClasses[LibraryClass, Module.ModuleType]

    # add forced library instances (specified in module overrides)
    for LibraryClass in Platform.Modules[str(Module)].LibraryClasses:
-        if LibraryClass.startswith("NULL"):
+        if LibraryClass.startswith("NULL") and LibraryClass[4:].isdigit():
            Module.LibraryClasses[LibraryClass] = Platform.Modules[str(Module)].LibraryClasses[LibraryClass]

    # EdkII module
@ -123,6 +123,8 @@ def GetModuleLibInstances(Module, Platform, BuildDatabase, Arch, Target, Toolcha
    while len(LibraryConsumerList) > 0:
        M = LibraryConsumerList.pop()
        for LibraryClassName in M.LibraryClasses:
+            if LibraryClassName.startswith("NULL") and LibraryClassName[4:].isdigit() and bool(M.LibraryClass):
+                continue
            if LibraryClassName not in LibraryInstance:
                # override library instance for this module
                LibraryPath = Platform.Modules[str(Module)].LibraryClasses.get(LibraryClassName,Platform.LibraryClasses[LibraryClassName, ModuleType])
@ -139,7 +141,7 @@ def GetModuleLibInstances(Module, Platform, BuildDatabase, Arch, Target, Toolcha

                LibraryModule = BuildDatabase[LibraryPath, Arch, Target, Toolchain]
                # for those forced library instance (NULL library), add a fake library class
-                if LibraryClassName.startswith("NULL"):
+                if LibraryClassName.startswith("NULL") and LibraryClassName[4:].isdigit():
                    LibraryModule.LibraryClass.append(LibraryClassObject(LibraryClassName, [ModuleType]))
                elif LibraryModule.LibraryClass is None \
                     or len(LibraryModule.LibraryClass) == 0 \
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@ -3589,6 +3589,131 @@ CryptoServicePkcs1v2Encrypt (
  return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs1v2Encrypt, Pkcs1v2Encrypt, (PublicKey, PublicKeySize, InData, InDataSize, PrngSeed, PrngSeedSize, EncryptedData, EncryptedDataSize), FALSE);
 }

+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+CryptoServiceRsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  return CALL_BASECRYPTLIB (Rsa.Services.RsaOaepEncrypt, RsaOaepEncrypt, (RsaContext, InData, InDataSize, PrngSeed, PrngSeedSize, DigestLen, EncryptedData, EncryptedDataSize), FALSE);
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+CryptoServicePkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs1v2Decrypt, Pkcs1v2Decrypt, (PrivateKey, PrivateKeySize, EncryptedData, EncryptedDataSize, OutData, OutDataSize), FALSE);
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+CryptoServiceRsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  return CALL_BASECRYPTLIB (Rsa.Services.RsaOaepDecrypt, RsaOaepDecrypt, (RsaContext, EncryptedData, EncryptedDataSize, DigestLen, OutData, OutDataSize), FALSE);
+}
+
 /**
  Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:
  Cryptographic Message Syntax Standard". The input signed data could be wrapped
@ -6987,5 +7112,8 @@ const EDKII_CRYPTO_PROTOCOL  mEdkiiCrypto = {
  CryptoServiceX509VerifyCertChain,
  CryptoServiceX509GetCertFromCertChain,
  CryptoServiceAsn1GetTag,
-  CryptoServiceX509GetExtendedBasicConstraints
+  CryptoServiceX509GetExtendedBasicConstraints,
+  CryptoServicePkcs1v2Decrypt,
+  CryptoServiceRsaOaepEncrypt,
+  CryptoServiceRsaOaepDecrypt,
 };
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@ -5,6 +5,7 @@
  functionality enabling.

 Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation. All rights reserved.
 SPDX-License-Identifier: BSD-2-Clause-Patent

 **/
@ -2147,6 +2148,122 @@ Pkcs1v2Encrypt (
  OUT  UINTN        *EncryptedDataSize
  );

+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  );
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  );
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  );
+
 /**
  The 3rd parameter of Pkcs7GetSigners will return all embedded
  X.509 certificate in one given PKCS7 signature. The format is:
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
@ -23,6 +23,7 @@
  * Sha1 family

  Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) Microsoft Corporation. All rights reserved.
  SPDX-License-Identifier: BSD-2-Clause-Patent

 **/
@ -124,6 +125,7 @@ typedef struct {
      UINT8    Pkcs7GetCertificatesList   : 1;
      UINT8    AuthenticodeVerify         : 1;
      UINT8    ImageTimestampVerify       : 1;
+      UINT8    Pkcs1v2Decrypt             : 1;
    } Services;
    UINT32    Family;
  } Pkcs;
@ -158,6 +160,8 @@ typedef struct {
      UINT8    Pkcs1Verify          : 1;
      UINT8    GetPrivateKeyFromPem : 1;
      UINT8    GetPublicKeyFromX509 : 1;
+      UINT8    RsaOaepEncrypt       : 1;
+      UINT8    RsaOaepDecrypt       : 1;
    } Services;
    UINT32    Family;
  } Rsa;
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c
@ -3,7 +3,7 @@

  SPDX-License-Identifier: BSD-2-Clause-Patent

-  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>

 **/
@ -14,6 +14,37 @@
 #include <openssl/x509.h>
 #include <Library/MemoryAllocationLib.h>

+/**
+  Retrieve a pointer to EVP message digest object.
+
+  @param[in]  DigestLen   Length of the message digest.
+
+**/
+STATIC
+const
+EVP_MD *
+GetEvpMD (
+  IN UINT16  DigestLen
+  )
+{
+  switch (DigestLen) {
+    case SHA1_DIGEST_SIZE:
+      return EVP_sha1 ();
+      break;
+    case SHA256_DIGEST_SIZE:
+      return EVP_sha256 ();
+      break;
+    case SHA384_DIGEST_SIZE:
+      return EVP_sha384 ();
+      break;
+    case SHA512_DIGEST_SIZE:
+      return EVP_sha512 ();
+      break;
+    default:
+      return NULL;
+  }
+}
+
 /**
  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
  encrypted message in a newly allocated buffer.
@ -26,15 +57,20 @@
  - Data size is too large for the provided key size (max size is a function of key size
    and hash digest size).

-  @param[in]  PublicKey           A pointer to the DER-encoded X509 certificate that
+  @param[in]  Pkey                A pointer to an EVP_PKEY struct that
                                  will be used to encrypt the data.
-  @param[in]  PublicKeySize       Size of the X509 cert buffer.
  @param[in]  InData              Data to be encrypted.
  @param[in]  InDataSize          Size of the data buffer.
  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
                                  to be used when initializing the PRNG. NULL otherwise.
  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
                                  message.
  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
@ -45,50 +81,35 @@
 **/
 BOOLEAN
 EFIAPI
-Pkcs1v2Encrypt (
-  IN   CONST UINT8  *PublicKey,
-  IN   UINTN        PublicKeySize,
+InternalPkcs1v2Encrypt (
+  EVP_PKEY          *Pkey,
  IN   UINT8        *InData,
  IN   UINTN        InDataSize,
  IN   CONST UINT8  *PrngSeed   OPTIONAL,
  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
  OUT  UINT8        **EncryptedData,
  OUT  UINTN        *EncryptedDataSize
  )
 {
  BOOLEAN       Result;
-  CONST UINT8   *TempPointer;
-  X509          *CertData;
-  EVP_PKEY      *InternalPublicKey;
  EVP_PKEY_CTX  *PkeyCtx;
  UINT8         *OutData;
  UINTN         OutDataSize;
+  CONST EVP_MD  *HashAlg;

  //
  // Check input parameters.
  //
-  if ((PublicKey == NULL) || (InData == NULL) ||
+  if ((Pkey == NULL) || (InData == NULL) ||
      (EncryptedData == NULL) || (EncryptedDataSize == NULL))
  {
    return FALSE;
  }

-  //
-  // Check public key size.
-  //
-  if (PublicKeySize > 0xFFFFFFFF) {
-    //
-    // Public key size is too large for implementation.
-    //
-    return FALSE;
-  }
-
  *EncryptedData     = NULL;
  *EncryptedDataSize = 0;
  Result             = FALSE;
-  TempPointer        = NULL;
-  CertData           = NULL;
-  InternalPublicKey  = NULL;
  PkeyCtx            = NULL;
  OutData            = NULL;
  OutDataSize        = 0;
@ -104,34 +125,10 @@ Pkcs1v2Encrypt (
    RandomSeed (NULL, 0);
  }

-  //
-  // Parse the X509 cert and extract the public key.
-  //
-  TempPointer = PublicKey;
-  CertData    = d2i_X509 (&CertData, &TempPointer, (UINT32)PublicKeySize);
-  if (CertData == NULL) {
-    //
-    // Fail to parse X509 cert.
-    //
-    goto _Exit;
-  }
-
-  //
-  // Extract the public key from the x509 cert in a format that
-  // OpenSSL can use.
-  //
-  InternalPublicKey = X509_get_pubkey (CertData);
-  if (InternalPublicKey == NULL) {
-    //
-    // Fail to extract public key.
-    //
-    goto _Exit;
-  }
-
  //
  // Create a context for the public key operation.
  //
-  PkeyCtx = EVP_PKEY_CTX_new (InternalPublicKey, NULL);
+  PkeyCtx = EVP_PKEY_CTX_new (Pkey, NULL);
  if (PkeyCtx == NULL) {
    //
    // Fail to create contex.
@ -151,6 +148,21 @@ Pkcs1v2Encrypt (
    goto _Exit;
  }

+  if (DigestLen != 0) {
+    HashAlg = GetEvpMD (DigestLen);
+    if (HashAlg == NULL) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_oaep_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_mgf1_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+  }
+
  //
  // Determine the required buffer length for malloc'ing.
  //
@ -196,17 +208,507 @@ _Exit:
  //
  // Release Resources
  //
-  if (CertData != NULL) {
-    X509_free (CertData);
-  }
-
-  if (InternalPublicKey != NULL) {
-    EVP_PKEY_free (InternalPublicKey);
-  }
-
  if (PkeyCtx != NULL) {
    EVP_PKEY_CTX_free (PkeyCtx);
  }

  return Result;
 }
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to parse X509 certificate.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  PublicKey           A pointer to the DER-encoded X509 certificate that
+                                  will be used to encrypt the data.
+  @param[in]  PublicKeySize       Size of the X509 cert buffer.
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Encrypt (
+  IN   CONST UINT8  *PublicKey,
+  IN   UINTN        PublicKeySize,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  BOOLEAN      Result;
+  CONST UINT8  *TempPointer;
+  X509         *CertData;
+  EVP_PKEY     *Pkey;
+
+  //
+  // Check input parameters.
+  //
+  if ((PublicKey == NULL) || (InData == NULL) ||
+      (EncryptedData == NULL) || (EncryptedDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  //
+  // Check public key size.
+  //
+  if (PublicKeySize > 0xFFFFFFFF) {
+    //
+    // Public key size is too large for implementation.
+    //
+    return FALSE;
+  }
+
+  *EncryptedData     = NULL;
+  *EncryptedDataSize = 0;
+  Result             = FALSE;
+  TempPointer        = NULL;
+  CertData           = NULL;
+  Pkey               = NULL;
+
+  //
+  // Parse the X509 cert and extract the public key.
+  //
+  TempPointer = PublicKey;
+  CertData    = d2i_X509 (&CertData, &TempPointer, (UINT32)PublicKeySize);
+  if (CertData == NULL) {
+    //
+    // Fail to parse X509 cert.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Extract the public key from the x509 cert in a format that
+  // OpenSSL can use.
+  //
+  Pkey = X509_get_pubkey (CertData);
+  if (Pkey == NULL) {
+    //
+    // Fail to extract public key.
+    //
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Encrypt (Pkey, InData, InDataSize, PrngSeed, PrngSeedSize, 0, EncryptedData, EncryptedDataSize);
+
+_Exit:
+  //
+  // Release Resources
+  //
+  if (CertData != NULL) {
+    X509_free (CertData);
+  }
+
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  BOOLEAN   Result;
+  EVP_PKEY  *Pkey;
+
+  //
+  // Check input parameters.
+  //
+  if (((RsaContext == NULL) || (InData == NULL)) ||
+      (EncryptedData == NULL) || (EncryptedDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  *EncryptedData     = NULL;
+  *EncryptedDataSize = 0;
+  Result             = FALSE;
+  Pkey               = NULL;
+
+  Pkey = EVP_PKEY_new ();
+  if (Pkey == NULL) {
+    goto _Exit;
+  }
+
+  if (EVP_PKEY_set1_RSA (Pkey, (RSA *)RsaContext) == 0) {
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Encrypt (Pkey, InData, InDataSize, PrngSeed, PrngSeedSize, DigestLen, EncryptedData, EncryptedDataSize);
+
+_Exit:
+  //
+  // Release Resources
+  //
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  Pkey                A pointer to an EVP_PKEY which will decrypt that data.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+InternalPkcs1v2Decrypt (
+  EVP_PKEY     *Pkey,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  BOOLEAN       Result;
+  EVP_PKEY_CTX  *PkeyCtx;
+  UINT8         *TempData;
+  UINTN         TempDataSize;
+  INTN          ReturnCode;
+  CONST EVP_MD  *HashAlg;
+
+  //
+  // Check input parameters.
+  //
+  if ((Pkey == NULL) || (EncryptedData == NULL) ||
+      (OutData == NULL) || (OutDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  Result       = FALSE;
+  PkeyCtx      = NULL;
+  TempData     = NULL;
+  TempDataSize = 0;
+
+  //
+  // Create a context for the decryption operation.
+  //
+  PkeyCtx = EVP_PKEY_CTX_new (Pkey, NULL);
+  if (PkeyCtx == NULL) {
+    //
+    // Fail to create contex.
+    //
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_CTK_new() failed\n", __func__));
+    goto _Exit;
+  }
+
+  //
+  // Initialize the context and set the desired padding.
+  //
+  if ((EVP_PKEY_decrypt_init (PkeyCtx) <= 0) ||
+      (EVP_PKEY_CTX_set_rsa_padding (PkeyCtx, RSA_PKCS1_OAEP_PADDING) <= 0))
+  {
+    //
+    // Fail to initialize the context.
+    //
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt_init() failed\n", __func__));
+    goto _Exit;
+  }
+
+  if (DigestLen != 0) {
+    HashAlg = GetEvpMD (DigestLen);
+    if (HashAlg == NULL) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_oaep_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_mgf1_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+  }
+
+  //
+  // Determine the required buffer length for malloc'ing.
+  //
+  ReturnCode = EVP_PKEY_decrypt (PkeyCtx, NULL, &TempDataSize, EncryptedData, EncryptedDataSize);
+  if (ReturnCode <= 0) {
+    //
+    // Fail to determine output buffer size.
+    //
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt() failed to determine output buffer size (rc=%d)\n", __func__, ReturnCode));
+    goto _Exit;
+  }
+
+  //
+  // Allocate a buffer for the output data.
+  //
+  TempData = AllocatePool (TempDataSize);
+  if (TempData == NULL) {
+    //
+    // Fail to allocate the output buffer.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Decrypt Data.
+  //
+  ReturnCode = EVP_PKEY_decrypt (PkeyCtx, TempData, &TempDataSize, EncryptedData, EncryptedDataSize);
+  if (ReturnCode <= 0) {
+    //
+    // Fail to decrypt data, need to free the output buffer.
+    //
+    FreePool (TempData);
+    TempData     = NULL;
+    TempDataSize = 0;
+
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt(TempData) failed to decrypt (rc=%d)\n", __func__, ReturnCode));
+    goto _Exit;
+  }
+
+  //
+  // Decrypt done.
+  //
+  *OutData     = TempData;
+  *OutDataSize = TempDataSize;
+  Result       = TRUE;
+
+_Exit:
+  if (PkeyCtx != NULL) {
+    EVP_PKEY_CTX_free (PkeyCtx);
+  }
+
+  return Result;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  BOOLEAN      Result;
+  EVP_PKEY     *Pkey;
+  CONST UINT8  *TempPointer;
+
+  //
+  // Check input parameters.
+  //
+  if ((PrivateKey == NULL) || (EncryptedData == NULL) ||
+      (OutData == NULL) || (OutDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  Result      = FALSE;
+  Pkey        = NULL;
+  TempPointer = NULL;
+
+  //
+  // Parse the private key.
+  //
+  TempPointer = PrivateKey;
+  Pkey        = d2i_PrivateKey (EVP_PKEY_RSA, &Pkey, &TempPointer, (UINT32)PrivateKeySize);
+  if (Pkey == NULL) {
+    //
+    // Fail to parse private key.
+    //
+    DEBUG ((DEBUG_ERROR, "[%a] d2i_PrivateKey() failed\n", __func__));
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Decrypt (Pkey, EncryptedData, EncryptedDataSize, 0, OutData, OutDataSize);
+
+_Exit:
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  BOOLEAN   Result;
+  EVP_PKEY  *Pkey;
+
+  //
+  // Check input parameters.
+  //
+  if ((RsaContext == NULL) || (EncryptedData == NULL) ||
+      (OutData == NULL) || (OutDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  Result = FALSE;
+  Pkey   = NULL;
+
+  //
+  // Create a context for the decryption operation.
+  //
+
+  Pkey = EVP_PKEY_new ();
+  if (Pkey == NULL) {
+    goto _Exit;
+  }
+
+  if (EVP_PKEY_set1_RSA (Pkey, (RSA *)RsaContext) == 0) {
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Decrypt (Pkey, EncryptedData, EncryptedDataSize, DigestLen, OutData, OutDataSize);
+
+_Exit:
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c
@ -3,7 +3,7 @@

  SPDX-License-Identifier: BSD-2-Clause-Patent

-  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>

 **/
@ -48,3 +48,131 @@ Pkcs1v2Encrypt (
  ASSERT (FALSE);
  return FALSE;
 }
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
--- a/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5.c
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5.c
@ -8,7 +8,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

 #include "InternalCryptLib.h"
 #include <mbedtls/md5.h>
-#include <mbedtls/compat-2.x.h>

 #ifdef ENABLE_MD5_DEPRECATED_INTERFACES

@ -56,7 +55,7 @@ Md5Init (

  mbedtls_md5_init (Md5Context);

-  Ret = mbedtls_md5_starts_ret (Md5Context);
+  Ret = mbedtls_md5_starts (Md5Context);
  if (Ret != 0) {
    return FALSE;
  }
@ -129,7 +128,7 @@ Md5Update (
    return FALSE;
  }

-  Ret = mbedtls_md5_update_ret (Md5Context, Data, DataSize);
+  Ret = mbedtls_md5_update (Md5Context, Data, DataSize);
  if (Ret != 0) {
    return FALSE;
  }
@ -170,7 +169,7 @@ Md5Final (
    return FALSE;
  }

-  Ret = mbedtls_md5_finish_ret (Md5Context, HashValue);
+  Ret = mbedtls_md5_finish (Md5Context, HashValue);
  mbedtls_md5_free (Md5Context);
  if (Ret != 0) {
    return FALSE;
@ -215,7 +214,7 @@ Md5HashAll (
    return FALSE;
  }

-  Ret = mbedtls_md5_ret (Data, DataSize, HashValue);
+  Ret = mbedtls_md5 (Data, DataSize, HashValue);
  if (Ret != 0) {
    return FALSE;
  }
--- a/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1.c
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1.c
@ -8,7 +8,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

 #include "InternalCryptLib.h"
 #include <mbedtls/sha1.h>
-#include <mbedtls/compat-2.x.h>

 #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES

@ -56,7 +55,7 @@ Sha1Init (

  mbedtls_sha1_init (Sha1Context);

-  Ret = mbedtls_sha1_starts_ret (Sha1Context);
+  Ret = mbedtls_sha1_starts (Sha1Context);
  if (Ret != 0) {
    return FALSE;
  }
@ -129,7 +128,7 @@ Sha1Update (
    return FALSE;
  }

-  Ret = mbedtls_sha1_update_ret (Sha1Context, Data, DataSize);
+  Ret = mbedtls_sha1_update (Sha1Context, Data, DataSize);
  if (Ret != 0) {
    return FALSE;
  }
@ -170,7 +169,7 @@ Sha1Final (
    return FALSE;
  }

-  Ret = mbedtls_sha1_finish_ret (Sha1Context, HashValue);
+  Ret = mbedtls_sha1_finish (Sha1Context, HashValue);
  mbedtls_sha1_free (Sha1Context);
  if (Ret != 0) {
    return FALSE;
@ -215,7 +214,7 @@ Sha1HashAll (
    return FALSE;
  }

-  Ret = mbedtls_sha1_ret (Data, DataSize, HashValue);
+  Ret = mbedtls_sha1 (Data, DataSize, HashValue);
  if (Ret != 0) {
    return FALSE;
  }
--- a/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256.c
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256.c
@ -8,7 +8,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

 #include "InternalCryptLib.h"
 #include <mbedtls/sha256.h>
-#include <mbedtls/compat-2.x.h>

 /**
  Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations.
@ -51,7 +50,7 @@ Sha256Init (

  mbedtls_sha256_init (Sha256Context);

-  Ret = mbedtls_sha256_starts_ret (Sha256Context, FALSE);
+  Ret = mbedtls_sha256_starts (Sha256Context, FALSE);
  if (Ret != 0) {
    return FALSE;
  }
@ -124,7 +123,7 @@ Sha256Update (
    return FALSE;
  }

-  Ret = mbedtls_sha256_update_ret (Sha256Context, Data, DataSize);
+  Ret = mbedtls_sha256_update (Sha256Context, Data, DataSize);
  if (Ret != 0) {
    return FALSE;
  }
@ -165,7 +164,7 @@ Sha256Final (
    return FALSE;
  }

-  Ret = mbedtls_sha256_finish_ret (Sha256Context, HashValue);
+  Ret = mbedtls_sha256_finish (Sha256Context, HashValue);
  mbedtls_sha256_free (Sha256Context);
  if (Ret != 0) {
    return FALSE;
@ -210,7 +209,7 @@ Sha256HashAll (
    return FALSE;
  }

-  Ret = mbedtls_sha256_ret (Data, DataSize, HashValue, FALSE);
+  Ret = mbedtls_sha256 (Data, DataSize, HashValue, FALSE);
  if (Ret != 0) {
    return FALSE;
  }
--- a/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512.c
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512.c
@ -8,7 +8,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

 #include "InternalCryptLib.h"
 #include <mbedtls/sha512.h>
-#include <mbedtls/compat-2.x.h>

 /**
  Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations.
@ -51,7 +50,7 @@ Sha384Init (

  mbedtls_sha512_init (Sha384Context);

-  Ret = mbedtls_sha512_starts_ret (Sha384Context, TRUE);
+  Ret = mbedtls_sha512_starts (Sha384Context, TRUE);
  if (Ret != 0) {
    return FALSE;
  }
@ -126,7 +125,7 @@ Sha384Update (
    return FALSE;
  }

-  Ret = mbedtls_sha512_update_ret (Sha384Context, Data, DataSize);
+  Ret = mbedtls_sha512_update (Sha384Context, Data, DataSize);
  if (Ret != 0) {
    return FALSE;
  }
@ -167,7 +166,7 @@ Sha384Final (
    return FALSE;
  }

-  Ret = mbedtls_sha512_finish_ret (Sha384Context, HashValue);
+  Ret = mbedtls_sha512_finish (Sha384Context, HashValue);
  mbedtls_sha512_free (Sha384Context);
  if (Ret != 0) {
    return FALSE;
@ -212,7 +211,7 @@ Sha384HashAll (
    return FALSE;
  }

-  Ret = mbedtls_sha512_ret (Data, DataSize, HashValue, TRUE);
+  Ret = mbedtls_sha512 (Data, DataSize, HashValue, TRUE);
  if (Ret != 0) {
    return FALSE;
  }
@ -261,7 +260,7 @@ Sha512Init (

  mbedtls_sha512_init (Sha512Context);

-  Ret = mbedtls_sha512_starts_ret (Sha512Context, FALSE);
+  Ret = mbedtls_sha512_starts (Sha512Context, FALSE);
  if (Ret != 0) {
    return FALSE;
  }
@ -336,7 +335,7 @@ Sha512Update (
    return FALSE;
  }

-  Ret = mbedtls_sha512_update_ret (Sha512Context, Data, DataSize);
+  Ret = mbedtls_sha512_update (Sha512Context, Data, DataSize);
  if (Ret != 0) {
    return FALSE;
  }
@ -377,7 +376,7 @@ Sha512Final (
    return FALSE;
  }

-  Ret = mbedtls_sha512_finish_ret (Sha512Context, HashValue);
+  Ret = mbedtls_sha512_finish (Sha512Context, HashValue);
  mbedtls_sha512_free (Sha512Context);
  if (Ret != 0) {
    return FALSE;
@ -422,7 +421,7 @@ Sha512HashAll (
    return FALSE;
  }

-  Ret = mbedtls_sha512_ret (Data, DataSize, HashValue, FALSE);
+  Ret = mbedtls_sha512 (Data, DataSize, HashValue, FALSE);
  if (Ret != 0) {
    return FALSE;
  }
--- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1OaepNull.c
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1OaepNull.c
@ -4,6 +4,7 @@
  SPDX-License-Identifier: BSD-2-Clause-Patent

  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) Microsoft Corporation. All rights reserved.
  SPDX-License-Identifier: BSD-2-Clause-Patent
 **/

@ -38,10 +39,8 @@ Pkcs1v2Encrypt (
  IN   UINTN        PublicKeySize,
  IN   UINT8        *InData,
  IN   UINTN        InDataSize,
-  IN   CONST UINT8  *PrngSeed,
-  OPTIONAL
-  IN   UINTN        PrngSeedSize,
-  OPTIONAL
+  IN   CONST UINT8  *PrngSeed  OPTIONAL,
+  IN   UINTN        PrngSeedSize  OPTIONAL,
  OUT  UINT8        **EncryptedData,
  OUT  UINTN        *EncryptedDataSize
  )
@ -49,3 +48,131 @@ Pkcs1v2Encrypt (
  ASSERT (FALSE);
  return FALSE;
 }
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
--- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPss.c
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPss.c
@ -11,6 +11,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

 #include "InternalCryptLib.h"
 #include <mbedtls/rsa.h>
+#include <mbedtls/sha256.h>
+#include <mbedtls/sha512.h>

 /**
  Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017.
@ -43,11 +45,8 @@ RsaPssVerify (
  )
 {
  INT32                Ret;
-  mbedtls_md_type_t    md_alg;
+  mbedtls_md_type_t    MdAlg;
  UINT8                HashValue[SHA512_DIGEST_SIZE];
-  BOOLEAN              Status;
-  UINTN                ShaCtxSize;
-  VOID                 *ShaCtx;
  mbedtls_rsa_context  *RsaKey;

  if (RsaContext == NULL) {
@ -75,78 +74,27 @@ RsaPssVerify (

  switch (DigestLen) {
    case SHA256_DIGEST_SIZE:
-      md_alg     = MBEDTLS_MD_SHA256;
-      ShaCtxSize = Sha256GetContextSize ();
-      ShaCtx     = AllocateZeroPool (ShaCtxSize);
-
-      Status = Sha256Init (ShaCtx);
-      if (!Status) {
+      MdAlg = MBEDTLS_MD_SHA256;
+      if (mbedtls_sha256 (Message, MsgSize, HashValue, FALSE) != 0) {
        return FALSE;
      }

-      Status = Sha256Update (ShaCtx, Message, MsgSize);
-      if (!Status) {
-        FreePool (ShaCtx);
-        return FALSE;
-      }
-
-      Status = Sha256Final (ShaCtx, HashValue);
-      if (!Status) {
-        FreePool (ShaCtx);
-        return FALSE;
-      }
-
-      FreePool (ShaCtx);
      break;

    case SHA384_DIGEST_SIZE:
-      md_alg     = MBEDTLS_MD_SHA384;
-      ShaCtxSize = Sha384GetContextSize ();
-      ShaCtx     = AllocateZeroPool (ShaCtxSize);
-
-      Status = Sha384Init (ShaCtx);
-      if (!Status) {
+      MdAlg = MBEDTLS_MD_SHA384;
+      if (mbedtls_sha512 (Message, MsgSize, HashValue, TRUE) != 0) {
        return FALSE;
      }

-      Status = Sha384Update (ShaCtx, Message, MsgSize);
-      if (!Status) {
-        FreePool (ShaCtx);
-        return FALSE;
-      }
-
-      Status = Sha384Final (ShaCtx, HashValue);
-      if (!Status) {
-        FreePool (ShaCtx);
-        return FALSE;
-      }
-
-      FreePool (ShaCtx);
      break;

    case SHA512_DIGEST_SIZE:
-      md_alg     = MBEDTLS_MD_SHA512;
-      ShaCtxSize = Sha512GetContextSize ();
-      ShaCtx     = AllocateZeroPool (ShaCtxSize);
-
-      Status = Sha512Init (ShaCtx);
-      if (!Status) {
+      MdAlg = MBEDTLS_MD_SHA512;
+      if (mbedtls_sha512 (Message, MsgSize, HashValue, FALSE) != 0) {
        return FALSE;
      }

-      Status = Sha512Update (ShaCtx, Message, MsgSize);
-      if (!Status) {
-        FreePool (ShaCtx);
-        return FALSE;
-      }
-
-      Status = Sha512Final (ShaCtx, HashValue);
-      if (!Status) {
-        FreePool (ShaCtx);
-        return FALSE;
-      }
-
-      FreePool (ShaCtx);
      break;

    default:
@ -157,11 +105,11 @@ RsaPssVerify (
    return FALSE;
  }

-  mbedtls_rsa_set_padding (RsaContext, MBEDTLS_RSA_PKCS_V21, md_alg);
+  mbedtls_rsa_set_padding (RsaContext, MBEDTLS_RSA_PKCS_V21, MdAlg);

  Ret = mbedtls_rsa_rsassa_pss_verify (
          RsaContext,
-          md_alg,
+          MdAlg,
          (UINT32)DigestLen,
          HashValue,
          Signature
--- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509Null.c
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509Null.c
@ -377,8 +377,7 @@ EFIAPI
 X509GetSerialNumber (
  IN      CONST UINT8  *Cert,
  IN      UINTN        CertSize,
-  OUT     UINT8        *SerialNumber,
-  OPTIONAL
+  OUT     UINT8        *SerialNumber  OPTIONAL,
  IN OUT  UINTN        *SerialNumberSize
  )
 {
@ -441,8 +440,7 @@ EFIAPI
 X509GetSignatureAlgorithm (
  IN CONST UINT8  *Cert,
  IN       UINTN  CertSize,
-  OUT   UINT8     *Oid,
-  OPTIONAL
+  OUT   UINT8     *Oid  OPTIONAL,
  IN OUT   UINTN  *OidSize
  )
 {
--- a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c
+++ b/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c
@ -3,7 +3,7 @@

  SPDX-License-Identifier: BSD-2-Clause-Patent

-  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>

 **/
@ -48,3 +48,131 @@ Pkcs1v2Encrypt (
  ASSERT (FALSE);
  return FALSE;
 }
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@ -2825,6 +2825,119 @@ Pkcs1v2Encrypt (
  CALL_CRYPTO_SERVICE (Pkcs1v2Encrypt, (PublicKey, PublicKeySize, InData, InDataSize, PrngSeed, PrngSeedSize, EncryptedData, EncryptedDataSize), FALSE);
 }

+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  CALL_CRYPTO_SERVICE (Pkcs1v2Decrypt, (PrivateKey, PrivateKeySize, EncryptedData, EncryptedDataSize, OutData, OutDataSize), FALSE);
+}
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  CALL_CRYPTO_SERVICE (RsaOaepEncrypt, (RsaContext, InData, InDataSize, PrngSeed, PrngSeedSize, DigestLen, EncryptedData, EncryptedDataSize), FALSE);
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  CALL_CRYPTO_SERVICE (RsaOaepDecrypt, (RsaContext, EncryptedData, EncryptedDataSize, DigestLen, OutData, OutDataSize), FALSE);
+}
+
 /**
  Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:
  Cryptographic Message Syntax Standard". The input signed data could be wrapped
@ -2850,6 +2963,7 @@ Pkcs1v2Encrypt (
  @retval  FALSE           Error occurs during the operation.
  @retval  FALSE           This interface is not supported.

+
 **/
 BOOLEAN
 EFIAPI
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@ -21,7 +21,7 @@
 /// the EDK II Crypto Protocol is extended, this version define must be
 /// increased.
 ///
-#define EDKII_CRYPTO_VERSION  16
+#define EDKII_CRYPTO_VERSION  17

 ///
 /// EDK II Crypto Protocol forward declaration
@ -688,6 +688,110 @@ BOOLEAN
  OUT  UINTN                         *EncryptedDataSize
  );

+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+typedef
+BOOLEAN
+(EFIAPI *EDKII_CRYPTO_PKCS1V2_DECRYPT)(
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  );
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+typedef
+BOOLEAN
+(EFIAPI *EDKII_CRYPTO_RSA_OAEP_ENCRYPT)(
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  );
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+typedef
+BOOLEAN
+(EFIAPI *EDKII_CRYPTO_RSA_OAEP_DECRYPT)(
+  IN   VOID         *RsaContext,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  );
+
 // ---------------------------------------------
 // PKCS5

@ -5603,6 +5707,9 @@ struct _EDKII_CRYPTO_PROTOCOL {
  EDKII_CRYPTO_X509_GET_CERT_FROM_CERT_CHAIN          X509GetCertFromCertChain;
  EDKII_CRYPTO_ASN1_GET_TAG                           Asn1GetTag;
  EDKII_CRYPTO_X509_GET_EXTENDED_BASIC_CONSTRAINTS    X509GetExtendedBasicConstraints;
+  EDKII_CRYPTO_PKCS1V2_DECRYPT                        Pkcs1v2Decrypt;
+  EDKII_CRYPTO_RSA_OAEP_ENCRYPT                       RsaOaepEncrypt;
+  EDKII_CRYPTO_RSA_OAEP_DECRYPT                       RsaOaepDecrypt;
 };

 extern GUID  gEdkiiCryptoProtocolGuid;
--- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/OaepEncryptTests.c
+++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/OaepEncryptTests.c
@ -1,20 +1,21 @@
 /** @file
-  This is a unit test for RSA OAEP encrypt.
+  This is a unit test for RSA OAEP encrypt/decrypt.

  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) Microsoft Corporation. All rights reserved.
  SPDX-License-Identifier: BSD-2-Clause-Patent
 **/

 #include "TestBaseCryptLib.h"

-CONST  UINT8  RandSeed[] = "This is the random seed for PRNG verification.";
+STATIC CONST  UINT8  RandSeed[] = "This is the random seed for PRNG verification.";

 //
 // Self signed X509 certificate
 // CN = ca.self
 // O = Intel
 //
-GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8  SelfTestCert[] = {
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  SelfTestCert[] = {
  0x30, 0x82, 0x03, 0x90, 0x30, 0x82, 0x02, 0x78, 0x02, 0x09, 0x00, 0xE4, 0xDF, 0x47, 0x80, 0xEF,
  0x4B, 0x3C, 0x6D, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
  0x05, 0x00, 0x30, 0x81, 0x89, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
@ -75,7 +76,7 @@ GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8  SelfTestCert[] = {
  0x5B, 0x64, 0x81, 0x13,
 };

-GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8  PrivateKey[] = {
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  PrivateKey[] = {
  0x30, 0x82, 0x04, 0xA4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xBC, 0xE4, 0x67, 0xDC,
  0xC7, 0xEA, 0x6F, 0x8A, 0xA7, 0xCC, 0xB2, 0x54, 0x47, 0x48, 0x6A, 0xE2, 0x39, 0xFF, 0xC2, 0x48,
  0x58, 0x34, 0x07, 0x03, 0x6D, 0x39, 0xB3, 0x67, 0x46, 0x4C, 0xBC, 0xA0, 0xFA, 0x4E, 0x64, 0x23,
@ -153,114 +154,442 @@ GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8  PrivateKey[] = {
  0x86, 0x10, 0x09, 0x88, 0x6C, 0x35, 0x60, 0xF2,
 };

+// The following RSA key componets were extracted from the above private key with openssl.
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  RsaN[] = {
+  0x00,
+  0xbc,0xe4,  0x67, 0xdc, 0xc7, 0xea, 0x6f, 0x8a, 0xa7, 0xcc, 0xb2, 0x54, 0x47, 0x48, 0x6a, 0xe2,
+  0x39,0xff,  0xc2, 0x48, 0x58, 0x34, 0x07, 0x03, 0x6d, 0x39, 0xb3, 0x67, 0x46, 0x4c, 0xbc, 0xa0,
+  0xfa,0x4e,  0x64, 0x23, 0x56, 0x47, 0x7b, 0xc9, 0x1a, 0x2a, 0x55, 0x42, 0x54, 0x10, 0x18, 0x30,
+  0x92,0x60,  0x30, 0x5b, 0x9e, 0xc0, 0x65, 0xd2, 0xd4, 0x05, 0x4a, 0xa6, 0x10, 0x66, 0x04, 0xa9,
+  0x54,0x4e,  0xee, 0x49, 0x39, 0x43, 0x65, 0x1e, 0x2e, 0x28, 0xde, 0x79, 0x24, 0xa9, 0x7e, 0xd8,
+  0x5b,0xbc,  0x2f, 0x46, 0x6a, 0xb7, 0xb6, 0x0d, 0x17, 0x88, 0x37, 0x52, 0x5c, 0xfe, 0x93, 0xc0,
+  0xe2,0xfd,  0x6a, 0x08, 0x1b, 0xfb, 0xd1, 0x87, 0xbd, 0xbd, 0x58, 0x57, 0x2c, 0x06, 0x5d, 0xd2,
+  0x7d,0x52,  0xe2, 0x49, 0x8e, 0xdc, 0xe5, 0x26, 0xbd, 0x92, 0x60, 0xb0, 0x3f, 0x58, 0x5e, 0x52,
+  0xd7,0x91,  0xda, 0x93, 0x62, 0x8d, 0x71, 0x80, 0x53, 0xba, 0x15, 0xc4, 0x1f, 0xf3, 0xbd, 0xe0,
+  0xc5,0xa4,  0xb8, 0xd3, 0x64, 0x12, 0x14, 0x1b, 0x11, 0x6b, 0x7b, 0xc2, 0x92, 0xc7, 0xe2, 0x94,
+  0x0b,0xb8,  0x67, 0x38, 0x48, 0x63, 0x11, 0x74, 0x25, 0x7c, 0x37, 0xc3, 0xb2, 0xae, 0xd9, 0xa7,
+  0x17,0x9c,  0x4b, 0x9d, 0x6c, 0x27, 0xb0, 0x87, 0x16, 0x6b, 0xf2, 0x96, 0xe5, 0x1d, 0x37, 0x27,
+  0xde,0xf2,  0x98, 0xb7, 0x81, 0x08, 0xd9, 0x7a, 0xba, 0x84, 0x14, 0x61, 0x60, 0x48, 0xce, 0xce,
+  0x51,0x73,  0xf4, 0xdb, 0xf1, 0x5f, 0x7a, 0x17, 0x71, 0x4f, 0xc1, 0x0b, 0xce, 0xc7, 0x31, 0xc1,
+  0x4e,0xa3,  0xee, 0x6f, 0x72, 0x97, 0x90, 0xfb, 0x8b, 0x54, 0x9f, 0x82, 0x5b, 0x48, 0x5a, 0xf1,
+  0xad,0x8b,  0x3a, 0xcd, 0xca, 0xb2, 0x8b, 0x7a, 0x53, 0xd4, 0xf7, 0x71, 0x16, 0x75, 0xa7, 0x35,
+};
+
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  RsaE[] = {
+  0x01, 0x00, 0x01
+};
+
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  RsaD[] = {
+  0x13, 0xf7, 0xd1, 0x42, 0xf5, 0x9f, 0x42, 0xcb, 0x55, 0x91, 0xbe, 0x08, 0x4a, 0xc0, 0xcd, 0x0b,
+  0xbd, 0x35, 0xdc, 0x43, 0xe9, 0x8f, 0x16, 0x6e, 0xb6, 0x4d, 0x33, 0x39, 0xe7, 0xa4, 0x95, 0x0c,
+  0x2f, 0x69, 0xba, 0x0c, 0x42, 0x42, 0xac, 0x43, 0x46, 0x10, 0xd3, 0x92, 0x7f, 0x70, 0x74, 0x1e,
+  0x2e, 0x5b, 0x1c, 0xc1, 0x92, 0xb6, 0xa4, 0x0c, 0xf5, 0x7c, 0xd9, 0xb7, 0x54, 0x64, 0x74, 0x79,
+  0xb1, 0xff, 0xe6, 0x10, 0xb7, 0x8c, 0xf8, 0x53, 0x88, 0x6d, 0xa9, 0x97, 0x04, 0xd9, 0x26, 0x1f,
+  0x99, 0x12, 0xfb, 0xac, 0x65, 0xfb, 0xa5, 0xb3, 0x1c, 0x99, 0xb9, 0xbf, 0x6b, 0x35, 0x3e, 0x49,
+  0x55, 0xb5, 0x94, 0x4f, 0xe7, 0x25, 0x67, 0xb1, 0x01, 0xcd, 0xd2, 0x58, 0xe4, 0xbe, 0x87, 0x8c,
+  0x88, 0xd3, 0x0a, 0x38, 0xdc, 0x71, 0x5d, 0x88, 0x0a, 0xe2, 0x3e, 0x76, 0x63, 0x3b, 0xe4, 0x3c,
+  0x8f, 0x2f, 0x29, 0x1d, 0xd1, 0x66, 0x8d, 0xc0, 0x4a, 0x68, 0x15, 0x90, 0x4c, 0x95, 0x61, 0xf4,
+  0xfd, 0xe8, 0xfa, 0x9c, 0x6c, 0x00, 0x22, 0x23, 0xd5, 0x17, 0x6e, 0xee, 0xa8, 0xd8, 0x70, 0xc5,
+  0x74, 0xea, 0x09, 0x13, 0x7f, 0x0c, 0x37, 0x4d, 0x50, 0xcd, 0xe9, 0x16, 0xc2, 0xd5, 0xde, 0x5e,
+  0xc3, 0xfc, 0x46, 0x08, 0xf1, 0x99, 0xc0, 0xb4, 0x28, 0xfd, 0x2b, 0x29, 0xef, 0x76, 0xd7, 0x04,
+  0x4f, 0x02, 0x54, 0x16, 0x54, 0x55, 0x20, 0xec, 0xbc, 0xbf, 0x85, 0x5f, 0x12, 0xcc, 0xfc, 0x0d,
+  0xf2, 0xef, 0xfc, 0x4d, 0x3e, 0xa2, 0x5e, 0x97, 0xfe, 0x35, 0x10, 0x0f, 0x53, 0x1f, 0x80, 0xd5,
+  0xc0, 0xb4, 0xe9, 0xe9, 0x31, 0x4c, 0x89, 0x14, 0x72, 0x39, 0x65, 0x89, 0xef, 0x7a, 0x51, 0x4a,
+  0xb9, 0xa9, 0xcc, 0x1b, 0x52, 0xb0, 0x02, 0x52, 0x65, 0x2f, 0x0b, 0x89, 0x41, 0x70, 0x1e, 0x01,
+};
+
+// test case = "123\0"
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  Msg1230[] = {
+  0x31, 0x32, 0x33, 0x00
+};
+
+// Ciphertext of the test case using RSAES-OAEP2048 with SHA1 MD/BGF1 created with openssl.
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  Ct1230RsaesOaepMdSha1Mgf1Sha1[] = {
+  0x88, 0x5d, 0xf3, 0x00, 0x66, 0x77, 0x91, 0x94, 0x5c, 0x8d, 0x45, 0xb6, 0xb2, 0x24, 0x26, 0x26,
+  0x37, 0xbe, 0xe0, 0x87, 0x4f, 0x50, 0xbf, 0x88, 0xde, 0x5d, 0xe9, 0xe0, 0xb2, 0x7e, 0x66, 0xfa,
+  0x6c, 0xfd, 0x0d, 0x19, 0x48, 0x41, 0xfe, 0x7a, 0x86, 0xa8, 0x28, 0xc2, 0x01, 0xcf, 0x76, 0xd7,
+  0xea, 0xab, 0x6d, 0xc3, 0x5e, 0x2c, 0x36, 0x04, 0xc0, 0x54, 0xc2, 0x68, 0x67, 0xe7, 0x04, 0x27,
+  0x56, 0xbe, 0x53, 0xb5, 0x80, 0x94, 0xd8, 0xde, 0x8c, 0x75, 0x69, 0x42, 0xba, 0x55, 0xd6, 0x2c,
+  0xda, 0x22, 0xe6, 0x09, 0xf6, 0x90, 0x27, 0x4b, 0x10, 0x54, 0x40, 0xa0, 0x74, 0x31, 0xdb, 0x5f,
+  0x80, 0x06, 0xc7, 0x67, 0x96, 0xe8, 0x45, 0xea, 0x7f, 0x72, 0x18, 0x24, 0xe8, 0x0d, 0x46, 0xc2,
+  0xa0, 0x83, 0xca, 0x71, 0xca, 0x91, 0x4b, 0x89, 0x80, 0x61, 0x01, 0x8e, 0xcf, 0xa1, 0x68, 0x81,
+  0x2d, 0xf2, 0x08, 0xd2, 0x02, 0x9e, 0xc0, 0xa4, 0x91, 0x71, 0x90, 0x84, 0x2f, 0x4e, 0x18, 0x37,
+  0x9b, 0x61, 0x0b, 0xf5, 0x88, 0xf7, 0x6b, 0x87, 0xb9, 0x4e, 0x31, 0xda, 0xf3, 0xb5, 0xe2, 0x60,
+  0x4d, 0xd9, 0x52, 0x99, 0x6b, 0x19, 0x98, 0xa2, 0x28, 0xaa, 0xeb, 0x5a, 0x33, 0xef, 0xf1, 0x4e,
+  0x29, 0x86, 0xbf, 0x70, 0x08, 0xfd, 0x34, 0x8a, 0x8c, 0x6d, 0xef, 0xc4, 0xa1, 0xfe, 0xdf, 0x4d,
+  0xeb, 0xf0, 0x2c, 0x4c, 0xf5, 0xb3, 0xe8, 0xf8, 0xc3, 0x45, 0xc7, 0x6b, 0x59, 0x1c, 0x9b, 0xd9,
+  0x52, 0xdf, 0x65, 0x87, 0x18, 0xd2, 0x6d, 0xff, 0x8b, 0x98, 0x2a, 0x97, 0xeb, 0x93, 0xea, 0x6a,
+  0x23, 0x23, 0xc6, 0x32, 0xf5, 0xea, 0x45, 0xe3, 0x99, 0xa0, 0x4d, 0x4b, 0x8f, 0xf8, 0x1d, 0xad,
+  0xa9, 0x97, 0xa2, 0xd6, 0xaf, 0x5e, 0x11, 0xf7, 0x5f, 0x28, 0xfb, 0x38, 0x80, 0x38, 0x50, 0xc4,
+};
+
+// Ciphertext of the test case using RSAES-OAEP2048 with SHA256 MD/BGF1 created with openssl.
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  Ct1230RsaesOaep2048MdSha256Mgf1Sha256[] = {
+  0xa7, 0x20, 0xa9, 0x31, 0xb5, 0xad, 0x83, 0x0a, 0x07, 0xee, 0x36, 0x46, 0xa5, 0x78, 0x3a, 0xda,
+  0x9d, 0xdf, 0xe6, 0x05, 0x0f, 0x7c, 0x46, 0xfe, 0x5f, 0xd6, 0x58, 0x16, 0xb6, 0xaa, 0x82, 0x7c,
+  0x58, 0x8a, 0x52, 0x14, 0x12, 0x29, 0x6f, 0x62, 0x80, 0xa7, 0x61, 0xfe, 0x29, 0x72, 0x6f, 0x73,
+  0xf6, 0x2f, 0x54, 0x38, 0x58, 0x7b, 0xbd, 0xa1, 0x2f, 0x9d, 0x12, 0x83, 0x72, 0xbc, 0x3d, 0x29,
+  0x65, 0x39, 0xcb, 0x93, 0x95, 0x3e, 0x73, 0xc9, 0x6f, 0xb9, 0xe8, 0xd5, 0x8b, 0x91, 0x0d, 0x87,
+  0x7e, 0x22, 0xb5, 0x93, 0x3d, 0xa8, 0x4a, 0xd9, 0x1a, 0x13, 0xf7, 0xf4, 0x7f, 0x16, 0x42, 0xfe,
+  0x63, 0x10, 0x7e, 0xa1, 0xe5, 0x04, 0xcf, 0xed, 0x93, 0x2d, 0x16, 0x3b, 0x79, 0x1f, 0x53, 0x41,
+  0xe3, 0xca, 0x69, 0x18, 0x6a, 0xe5, 0xec, 0x9a, 0xce, 0xbc, 0x47, 0xf6, 0x77, 0x9a, 0x5c, 0xea,
+  0xac, 0x7e, 0x28, 0xeb, 0x1e, 0xfe, 0x75, 0xa6, 0xbf, 0x1e, 0xfd, 0x1c, 0x63, 0x69, 0x47, 0x04,
+  0xaf, 0x69, 0x7e, 0x1c, 0xa1, 0x7f, 0x00, 0xcf, 0xec, 0x16, 0x34, 0xd9, 0xde, 0x91, 0x0e, 0x0f,
+  0x0b, 0x1e, 0x66, 0xc3, 0x41, 0x88, 0x43, 0xbe, 0xa3, 0x2a, 0x7c, 0x87, 0xff, 0xc0, 0x67, 0xdc,
+  0xc7, 0xeb, 0x28, 0x07, 0x00, 0x72, 0x85, 0x17, 0xca, 0x05, 0x9f, 0x29, 0x6b, 0xad, 0xc6, 0xae,
+  0x1c, 0x4a, 0xf2, 0xfe, 0x97, 0xc7, 0x6e, 0x4b, 0xbf, 0xfd, 0x46, 0xbe, 0xf8, 0x76, 0xc9, 0x70,
+  0x58, 0x3a, 0x73, 0xcc, 0x34, 0xda, 0xfe, 0x5b, 0x6d, 0x98, 0x74, 0x95, 0x85, 0xc7, 0xc9, 0x84,
+  0x02, 0xa8, 0x97, 0x13, 0xa3, 0x83, 0xcb, 0x28, 0x3d, 0xbb, 0x2b, 0x3b, 0x45, 0xf1, 0x6e, 0xc5,
+  0x37, 0x23, 0x21, 0xe6, 0x74, 0x2d, 0x48, 0x19, 0x97, 0xaf, 0xee, 0x3d, 0x9b, 0xd0, 0x05, 0xc7
+};
+
+typedef struct _OAEP_ENC_DEC_TEST_CONTEXT OAEP_ENC_DEC_TEST_CONTEXT;
+typedef
+BOOLEAN
+(EFIAPI *OAEP_TEST_ENCRYPT)(
+  IN      OAEP_ENC_DEC_TEST_CONTEXT *TestContext,
+  IN      CONST UINT8 *ClearText,
+  IN      UINTN       ClearTextSize,
+  IN      CONST UINT8 *PrngSeed,
+  IN      UINTN       PrngSeedSize,
+  IN      UINT16      DigestLen,
+  OUT     UINT8       **CipherText,
+  OUT     UINTN       *CipherTextSize
+  );
+
+typedef
+BOOLEAN
+(EFIAPI *OAEP_TEST_DECRYPT)(
+  IN      OAEP_ENC_DEC_TEST_CONTEXT *TestContext,
+  IN      CONST UINT8 *CipherText,
+  IN      UINTN       CipherTextSize,
+  IN      UINT16      DigestLen,
+  OUT     UINT8       **ClearText,
+  OUT     UINTN       *ClearTextSize
+  );
+
+typedef struct _OAEP_ENC_DEC_TEST_CONTEXT {
+  CONST UINT8          *SelfTestCert;
+  UINTN                SelfTestCertSize;
+  CONST UINT8          *PrivateKey;
+  UINTN                PrivateKeySize;
+  CONST UINT8          *RsaN;
+  UINTN                RsaNSize;
+  CONST UINT8          *RsaE;
+  UINTN                RsaESize;
+  CONST UINT8          *RsaD;
+  UINTN                RsaDSize;
+  CONST UINT8          *PrngSeed;
+  UINTN                PrngSeedSize;
+  CONST UINT8          *ClearText;
+  UINTN                ClearTextSize;
+  CONST UINT8          *CipherText;
+  UINTN                CipherTextSize;
+  UINT16               DigestLen;
+  OAEP_TEST_ENCRYPT    Encrypt;
+  OAEP_TEST_DECRYPT    Decrypt;
+  UNIT_TEST_STATUS     Expect;
+} OAEP_ENC_DEC_TEST_CONTEXT;
+
+BOOLEAN
+EFIAPI
+CallPkcs1v2Encrypt (
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx,
+  CONST UINT8                *ClearText,
+  UINTN                      ClearTextSize,
+  CONST UINT8                *PrngSeed,
+  UINTN                      PrngSeedSize,
+  UINT16                     DigestLen,
+  UINT8                      **CipherText,
+  UINTN                      *CipherTextSize
+  )
+{
+  BOOLEAN  Status;
+
+  Status = Pkcs1v2Encrypt (
+             TestCtx->SelfTestCert,
+             TestCtx->SelfTestCertSize,
+             (UINT8 *)ClearText,
+             ClearTextSize,
+             PrngSeed,
+             PrngSeedSize,
+             CipherText,
+             CipherTextSize
+             );
+
+  return Status;
+}
+
+BOOLEAN
+EFIAPI
+CallPkcs1v2Decrypt (
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx,
+  CONST UINT8                *CipherText,
+  UINTN                      CipherTextSize,
+  UINT16                     DigestLen,
+  UINT8                      **ClearText,
+  UINTN                      *ClearTextSize
+  )
+{
+  BOOLEAN  Status;
+
+  Status = Pkcs1v2Decrypt (
+             TestCtx->PrivateKey,
+             TestCtx->PrivateKeySize,
+             (UINT8 *)CipherText,
+             CipherTextSize,
+             ClearText,
+             ClearTextSize
+             );
+  return Status;
+}
+
+BOOLEAN
+EFIAPI
+CallRsaOaepEncrypt (
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx,
+  CONST UINT8                *ClearText,
+  UINTN                      ClearTextSize,
+  CONST UINT8                *RandSeedIn,
+  UINTN                      RandSeedSizeIn,
+  UINT16                     DigestLen,
+  UINT8                      **CipherText,
+  UINTN                      *CipherTextSize
+  )
+{
+  VOID     *RsaContext = NULL;
+  BOOLEAN  Status;
+
+  RsaContext = RsaNew ();
+  UT_ASSERT_FALSE (RsaContext == NULL);
+
+  Status = RsaSetKey (RsaContext, RsaKeyN, TestCtx->RsaN, TestCtx->RsaNSize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaSetKey (RsaContext, RsaKeyE, TestCtx->RsaE, TestCtx->RsaESize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaOaepEncrypt (
+             RsaContext,
+             (UINT8 *)ClearText,
+             ClearTextSize,
+             RandSeedIn,
+             RandSeedSizeIn,
+             DigestLen,
+             CipherText,
+             CipherTextSize
+             );
+
+  return Status;
+}
+
+BOOLEAN
+EFIAPI
+CallRsaOaepDecrypt (
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx,
+  CONST UINT8                *CipherText,
+  UINTN                      CipherTextSize,
+  UINT16                     DigestLen,
+  UINT8                      **ClearText,
+  UINTN                      *ClearTextSize
+  )
+{
+  VOID     *RsaContext = NULL;
+  BOOLEAN  Status;
+
+  RsaContext = RsaNew ();
+  UT_ASSERT_FALSE (RsaContext == NULL);
+
+  Status = RsaSetKey (RsaContext, RsaKeyN, TestCtx->RsaN, TestCtx->RsaNSize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaSetKey (RsaContext, RsaKeyE, TestCtx->RsaE, TestCtx->RsaESize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaSetKey (RsaContext, RsaKeyD, TestCtx->RsaD, TestCtx->RsaDSize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaOaepDecrypt (
+             RsaContext,
+             (UINT8 *)CipherText,
+             CipherTextSize,
+             DigestLen,
+             ClearText,
+             ClearTextSize
+             );
+
+  return Status;
+}
+
 UNIT_TEST_STATUS
 EFIAPI
-TestVerifyOaepEncrypt (
+TestVerifyEncrypt (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  BOOLEAN                    Status;
+  UINT8                      *OutBuffer     = NULL;
+  UINTN                      OutBufferSize  = 0;
+  UINT8                      *OutBuffer2    = NULL;
+  UINTN                      OutBuffer2Size = 0;
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx;
+
+  TestCtx = (OAEP_ENC_DEC_TEST_CONTEXT *)Context;
+
+  Status = TestCtx->Encrypt (
+                      TestCtx,
+                      TestCtx->ClearText,
+                      TestCtx->ClearTextSize,
+                      TestCtx->PrngSeed,
+                      TestCtx->PrngSeedSize,
+                      TestCtx->DigestLen,
+                      &OutBuffer,
+                      &OutBufferSize
+                      );
+  UT_ASSERT_TRUE (Status);
+
+  Status = TestCtx->Encrypt (
+                      TestCtx,
+                      TestCtx->ClearText,
+                      TestCtx->ClearTextSize,
+                      TestCtx->PrngSeed,
+                      TestCtx->PrngSeedSize,
+                      TestCtx->DigestLen,
+                      &OutBuffer2,
+                      &OutBuffer2Size
+                      );
+  UT_ASSERT_TRUE (Status);
+
+  // TRUE - the two OutBuffers are indentical. That means the Oaep encrypt result is incorrect.
+  Status = (CompareMem (OutBuffer, OutBuffer2, OutBufferSize >= OutBuffer2Size ? OutBufferSize : OutBuffer2Size) == 0);
+  UT_ASSERT_FALSE (Status);
+
+  if (OutBuffer) {
+    FreePool (OutBuffer);
+    OutBuffer     = NULL;
+    OutBufferSize = 0;
+  }
+
+  if (OutBuffer2) {
+    FreePool (OutBuffer2);
+    OutBuffer2     = NULL;
+    OutBuffer2Size = 0;
+  }
+
+  return UNIT_TEST_PASSED;
+}
+
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyDecrypt (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  BOOLEAN                    Status;
+  UINT8                      *OutBuffer    = NULL;
+  UINTN                      OutBufferSize = 0;
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx;
+
+  TestCtx = Context;
+
+  Status = TestCtx->Decrypt (
+                      TestCtx,
+                      TestCtx->CipherText,
+                      TestCtx->CipherTextSize,
+                      TestCtx->DigestLen,
+                      &OutBuffer,
+                      &OutBufferSize
+                      );
+  UT_ASSERT_TRUE (Status);
+
+  UT_ASSERT_TRUE (CompareMem (OutBuffer, TestCtx->ClearText, OutBufferSize >= TestCtx->ClearTextSize ? OutBufferSize : TestCtx->ClearTextSize) == 0);
+  UT_ASSERT_TRUE (OutBufferSize == TestCtx->ClearTextSize);
+
+  if (OutBuffer) {
+    FreePool (OutBuffer);
+    OutBuffer     = NULL;
+    OutBufferSize = 0;
+  }
+
+  return UNIT_TEST_PASSED;
+}
+
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyEncryptDecrypt (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  BOOLEAN                    Status;
+  UINT8                      *ClearText     = NULL;
+  UINTN                      ClearTextSize  = 0;
+  UINT8                      *CipherText    = NULL;
+  UINTN                      CipherTextSize = 0;
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx;
+
+  TestCtx = Context;
+
+  Status = TestCtx->Encrypt (
+                      TestCtx,
+                      TestCtx->ClearText,
+                      TestCtx->ClearTextSize,
+                      TestCtx->PrngSeed,
+                      TestCtx->PrngSeedSize,
+                      TestCtx->DigestLen,
+                      &CipherText,
+                      &CipherTextSize
+                      );
+  UT_ASSERT_TRUE (Status);
+
+  Status = TestCtx->Decrypt (
+                      TestCtx,
+                      CipherText,
+                      CipherTextSize,
+                      TestCtx->DigestLen,
+                      &ClearText,
+                      &ClearTextSize
+                      );
+
+  if (TestCtx->Expect == UNIT_TEST_PASSED) {
+    UT_ASSERT_TRUE (Status);
+  } else {
+    UT_ASSERT_FALSE (Status);
+  }
+
+  if (TestCtx->Expect == UNIT_TEST_PASSED) {
+    UT_ASSERT_TRUE (CompareMem (ClearText, TestCtx->ClearText, ClearTextSize >= TestCtx->ClearTextSize ? ClearTextSize : TestCtx->ClearTextSize) == 0);
+    UT_ASSERT_TRUE (ClearTextSize == TestCtx->ClearTextSize);
+  }
+
+  if (CipherText) {
+    FreePool (CipherText);
+    CipherText     = NULL;
+    CipherTextSize = 0;
+  }
+
+  if (ClearText) {
+    FreePool (ClearText);
+    ClearText     = NULL;
+    ClearTextSize = 0;
+  }
+
+  return UNIT_TEST_PASSED;
+}
+
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyPkcs1v2EncryptInterface (
  IN UNIT_TEST_CONTEXT  Context
  )
 {
  BOOLEAN  Status;
-  UINT8    File[4];
  UINT8    *OutBuffer;
  UINTN    OutBufferSize;
-  UINT8    *OutBuffer2;
-  UINTN    OutBuffer2Size;
-
-  // Create a file and add content '123' in it
-  File[0] = '1';
-  File[1] = '2';
-  File[2] = '3';
-  File[3] = 0;
-
-  OutBuffer      = NULL;
-  OutBufferSize  = 0;
-  OutBuffer2     = NULL;
-  OutBuffer2Size = 0;
-
-  Status = Pkcs1v2Encrypt (
-             SelfTestCert,
-             (UINTN)sizeof (SelfTestCert),
-             File,
-             (UINTN)sizeof (File),
-             NULL,
-             0,
-             &OutBuffer,
-             (UINTN *)&OutBufferSize
-             );
-  UT_ASSERT_TRUE (Status);
-
-  Status = Pkcs1v2Encrypt (
-             SelfTestCert,
-             (UINTN)sizeof (SelfTestCert),
-             File,
-             (UINTN)4,
-             NULL,
-             0,
-             &OutBuffer2,
-             (UINTN *)&OutBuffer2Size
-             );
-  UT_ASSERT_TRUE (Status);
-
-  // TRUE - the two OutBuffers are indentical. That means the Oaep encrypt result is incorrect.
-  Status = (CompareMem (OutBuffer, OutBuffer2, OutBufferSize >= OutBuffer2Size ? OutBufferSize : OutBuffer2Size) == 0);
-  UT_ASSERT_FALSE (Status);
-
-  if (OutBuffer) {
-    FreePool (OutBuffer);
-    OutBuffer     = NULL;
-    OutBufferSize = 0;
-  }
-
-  if (OutBuffer2) {
-    FreePool (OutBuffer2);
-    OutBuffer2     = NULL;
-    OutBuffer2Size = 0;
-  }
-
-  Status = Pkcs1v2Encrypt (
-             SelfTestCert,
-             (UINTN)sizeof (SelfTestCert),
-             File,
-             (UINTN)4,
-             RandSeed,
-             (UINTN)sizeof (RandSeed),
-             &OutBuffer,
-             (UINTN *)&OutBufferSize
-             );
-  UT_ASSERT_TRUE (Status);
-
-  Status = Pkcs1v2Encrypt (
-             SelfTestCert,
-             (UINTN)sizeof (SelfTestCert),
-             File,
-             (UINTN)4,
-             RandSeed,
-             (UINTN)sizeof (RandSeed),
-             &OutBuffer2,
-             (UINTN *)&OutBuffer2Size
-             );
-  UT_ASSERT_TRUE (Status);
-
-  // TRUE - the two OutBuffers are indentical. That means the Oaep encrypt result is incorrect.
-  Status = (CompareMem (OutBuffer, OutBuffer2, OutBufferSize >= OutBuffer2Size ? OutBufferSize : OutBuffer2Size) == 0);
-  UT_ASSERT_FALSE (Status);
-
-  if (OutBuffer) {
-    FreePool (OutBuffer);
-    OutBuffer     = NULL;
-    OutBufferSize = 0;
-  }
-
-  if (OutBuffer2) {
-    FreePool (OutBuffer2);
-    OutBuffer2     = NULL;
-    OutBuffer2Size = 0;
-  }

  Status = Pkcs1v2Encrypt (
             NULL,
             (UINTN)sizeof (SelfTestCert),
-             File,
+             (UINT8 *)Msg1230,
             (UINTN)4,
             NULL,
             0,
@ -272,7 +601,7 @@ TestVerifyOaepEncrypt (
  Status = Pkcs1v2Encrypt (
             SelfTestCert,
             (UINTN)sizeof (SelfTestCert),
-             File,
+             (UINT8 *)Msg1230,
             (UINTN)4,
             NULL,
             0,
@ -284,7 +613,7 @@ TestVerifyOaepEncrypt (
  Status = Pkcs1v2Encrypt (
             SelfTestCert,
             (UINTN)sizeof (SelfTestCert),
-             File,
+             (UINT8 *)Msg1230,
             (UINTN)4,
             NULL,
             0,
@ -296,11 +625,298 @@ TestVerifyOaepEncrypt (
  return UNIT_TEST_PASSED;
 }

+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyRsaOaepEncryptInterface (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  VOID     *RsaContext = NULL;
+  BOOLEAN  Status;
+  UINT8    *OutBuffer;
+  UINTN    OutBufferSize;
+
+  RsaContext = RsaNew ();
+  UT_ASSERT_FALSE (RsaContext == NULL);
+
+  Status = RsaSetKey (RsaContext, RsaKeyN, RsaN, sizeof (RsaN));
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaSetKey (RsaContext, RsaKeyE, RsaE, sizeof (RsaE));
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaOaepEncrypt (
+             NULL,
+             (UINT8 *)Msg1230,
+             (UINTN)4,
+             NULL,
+             0,
+             0,
+             &OutBuffer,
+             (UINTN *)&OutBufferSize
+             );
+  UT_ASSERT_FALSE (Status);
+
+  Status = RsaOaepEncrypt (
+             RsaContext,
+             (UINT8 *)Msg1230,
+             (UINTN)4,
+             NULL,
+             0,
+             0,
+             (UINT8 **)NULL,
+             (UINTN *)&OutBufferSize
+             );
+  UT_ASSERT_FALSE (Status);
+
+  Status = RsaOaepEncrypt (
+             RsaContext,
+             (UINT8 *)Msg1230,
+             (UINTN)4,
+             NULL,
+             0,
+             0,
+             &OutBuffer,
+             (UINTN *)NULL
+             );
+  UT_ASSERT_FALSE (Status);
+
+  return UNIT_TEST_PASSED;
+}
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyPkcs1v2Msg1230 = {
+  .SelfTestCert     = SelfTestCert,
+  .SelfTestCertSize = sizeof (SelfTestCert),
+  .PrivateKey       = PrivateKey,
+  .PrivateKeySize   = sizeof (PrivateKey),
+  .RsaN             = NULL,
+  .RsaNSize         = 0,
+  .RsaE             = NULL,
+  .RsaESize         = 0,
+  .RsaD             = NULL,
+  .RsaDSize         = 0,
+  .PrngSeed         = NULL,
+  .PrngSeedSize     = 0,
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallPkcs1v2Encrypt,
+  .Decrypt          = CallPkcs1v2Decrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyPkcs1v2Msg1230PrngSeed = {
+  .SelfTestCert     = SelfTestCert,
+  .SelfTestCertSize = sizeof (SelfTestCert),
+  .PrivateKey       = PrivateKey,
+  .PrivateKeySize   = sizeof (PrivateKey),
+  .RsaN             = NULL,
+  .RsaNSize         = 0,
+  .RsaE             = NULL,
+  .RsaESize         = 0,
+  .RsaD             = NULL,
+  .RsaDSize         = 0,
+  .PrngSeed         = RandSeed,
+  .PrngSeedSize     = sizeof (RandSeed),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallPkcs1v2Encrypt,
+  .Decrypt          = CallPkcs1v2Decrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaOaepMsg1230 = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .PrngSeed         = NULL,
+  .PrngSeedSize     = 0,
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaOaepMsg1230PrngSeed = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .PrngSeed         = RandSeed,
+  .PrngSeedSize     = sizeof (RandSeed),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyPkcs1v2EncryptRsaOaepDecrypt = {
+  .SelfTestCert     = SelfTestCert,
+  .SelfTestCertSize = sizeof (SelfTestCert),
+  .PrivateKey       = PrivateKey,
+  .PrivateKeySize   = sizeof (PrivateKey),
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallPkcs1v2Encrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaOaepEncryptPkcs1v2Decrypt = {
+  .SelfTestCert     = SelfTestCert,
+  .SelfTestCertSize = sizeof (SelfTestCert),
+  .PrivateKey       = PrivateKey,
+  .PrivateKeySize   = sizeof (PrivateKey),
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallPkcs1v2Decrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaesOaep2048MdDefaultBgf1Default = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaesOaep2048MdSha1Mgf1Sha1 = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = SHA1_DIGEST_SIZE,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaesOaep2048MdSha256Mgf1Sha256 = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaep2048MdSha256Mgf1Sha256,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaep2048MdSha256Mgf1Sha256),
+  .DigestLen        = SHA256_DIGEST_SIZE,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
 TEST_DESC  mOaepTest[] = {
  //
  // -----Description--------------------------------------Class----------------------Function-----------------Pre---Post--Context
  //
-  { "TestVerifyOaepEncrypt()", "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt", TestVerifyOaepEncrypt, NULL, NULL, NULL },
+  // Pkcs1v2Encrypt / Decrypt
+  { "Pkcs1v2Encrypt (Interface)",                   "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt.Interface",                   TestVerifyPkcs1v2EncryptInterface, NULL, NULL, &mTestVerifyPkcs1v2Msg1230                    },
+  { "Pkcs1v2Encrypt (NoSeed)",                      "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt.NoSeed",                      TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyPkcs1v2Msg1230                    },
+  { "Pkcs1v2Encrypt (Seeded)",                      "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt.Seeded",                      TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyPkcs1v2Msg1230PrngSeed            },
+  { "Pkcs1v2Decrypt",                               "CryptoPkg.BaseCryptLib.Pkcs1v2Decrypt",                             TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyPkcs1v2Msg1230                    },
+  { "Pkcs1v2EncryptDecrypt",                        "CryptoPkg.BaseCryptLib.Pkcs1v2EncryptDecrypt",                      TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyPkcs1v2Msg1230                    },
+
+  // RsaOaepEncrypt / Decrypt
+  { "RsaOaepEncrypt (Interface)",                   "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.Interface",                   TestVerifyRsaOaepEncryptInterface, NULL, NULL, &mTestVerifyRsaOaepMsg1230                    },
+  { "RsaOaepEncrypt (NoSeed)",                      "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.NoSeed",                      TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaOaepMsg1230                    },
+  { "RsaOaepEncrypt (Seeded)",                      "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.Seeded",                      TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaOaepMsg1230PrngSeed            },
+  { "RsaOaepDecrypt",                               "CryptoPkg.BaseCryptLib.RsaOaepDecrypt",                             TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyRsaOaepMsg1230                    },
+  { "RsaOaepEncryptDecrypt",                        "CryptoPkg.BaseCryptLib.RsaOaepEncryptDecrypt",                      TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaOaepMsg1230                    },
+
+  // Mix interfaces
+  { "RsaOaepEncryptPkcs1v2Decrypt",                 "CryptoPkg.BaseCryptLib.RsaOaepEncryptPkcs1v2Decrypt",               TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaOaepEncryptPkcs1v2Decrypt      },
+  { "Pkcs1v2EncryptRsaOaepDecrypt",                 "CryptoPkg.BaseCryptLib.Pkcs1v2EncryptRsaOaepDecrypt",               TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyPkcs1v2EncryptRsaOaepDecrypt      },
+
+  // Message digest default / MGF1 default (SHA1)
+  { "RsaOaepEncrypt (MdDefaultMgf1Default)",        "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.MdDefaultMgf1Default",        TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdDefaultBgf1Default },
+  { "RsaOaepDecrypt (MdDefaultMgf1Default)",        "CryptoPkg.BaseCryptLib.RsaOaepDecrypt.MdDefaultMgf1Default",        TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdDefaultBgf1Default },
+  { "RsaOaepEncryptDecrypt (MdDefaultMgf1Default)", "CryptoPkg.BaseCryptLib.RsaOaepEncryptDecrypt.MdDefaultMgf1Default", TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaesOaep2048MdDefaultBgf1Default },
+
+  // Message digest SHA1 / MGF1 SHA1
+  { "RsaOaepEncrypt (MdSha1Bgf1Sha1",               "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.MdSha1Bgf1Sha1",              TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdSha1Mgf1Sha1       },
+  { "RsaOaepDecrypt (MdSha1Bgf1Sha1)",              "CryptoPkg.BaseCryptLib.RsaOaepDecrypt.MdSha1Bgf1Sha1",              TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdSha1Mgf1Sha1       },
+  { "RsaOaepEncryptDecrypt (MdSha1Bgf1Sha1)",       "CryptoPkg.BaseCryptLib.RsaOaepEncryptDecrypt.MdSha1Bgf1Sha1",       TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaesOaep2048MdSha1Mgf1Sha1       },
+
+  // Message digest SHA256 / MGF1 SHA256
+  { "RsaOaepEncrypt (MdSha256Bgf1Sha256)",          "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.MdSha256Bgf1Sha256",          TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdSha256Mgf1Sha256   },
+  { "RsaOaepDecrypt (MdSha256Bgf1Sha256)",          "CryptoPkg.BaseCryptLib.RsaOaepDecrypt.MdSha256Bgf1Sha256",          TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdSha256Mgf1Sha256   },
+  { "RsaOaepEncryptDecrypt (MdSha256Bgf1Sha256)",   "CryptoPkg.BaseCryptLib.RsaOaepEncryptDecryptMdSha256Bgf1Sha256",    TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaesOaep2048MdSha256Mgf1Sha256   },
 };

 UINTN  mOaepTestNum = ARRAY_SIZE (mOaepTest);
--- a/DynamicTablesPkg/Include/ArmNameSpaceObjects.h
+++ b/DynamicTablesPkg/Include/ArmNameSpaceObjects.h
@ -1,6 +1,6 @@
 /** @file

-  Copyright (c) 2017 - 2023, Arm Limited. All rights reserved.<BR>
+  Copyright (c) 2017 - 2024, Arm Limited. All rights reserved.<BR>

  SPDX-License-Identifier: BSD-2-Clause-Patent

@ -317,7 +317,10 @@ typedef struct CmArmSerialPortInfo {
  /// The physical base address for the serial port
  UINT64    BaseAddress;

-  /// The serial port interrupt
+  /** The serial port interrupt.
+      0 indicates that the serial port does not
+      have an interrupt wired.
+  */
  UINT32    Interrupt;

  /// The serial port baud rate
--- a/DynamicTablesPkg/Include/Library/AmlLib/AmlLib.h
+++ b/DynamicTablesPkg/Include/Library/AmlLib/AmlLib.h
@ -2,7 +2,7 @@
  AML Lib.

  Copyright (c) 2019 - 2023, Arm Limited. All rights reserved.<BR>
-  Copyright (C) 2023 Advanced Micro Devices, Inc. All rights reserved.<BR>
+  Copyright (C) 2023 - 2024, Advanced Micro Devices, Inc. All rights reserved.<BR>

  SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
@ -1743,6 +1743,45 @@ AmlAddNameStringToNamedPackage (
  IN AML_OBJECT_NODE_HANDLE  NamedNode
  );

+/** Add an integer value to the named package node.
+
+  AmlCodeGenNamePackage ("_CID", NULL, &PackageNode);
+  AmlGetEisaIdFromString ("PNP0A03", &EisaId);
+  AmlAddIntegerToNamedPackage (EisaId, NameNode);
+  AmlGetEisaIdFromString ("PNP0A08", &EisaId);
+  AmlAddIntegerToNamedPackage (EisaId, NameNode);
+
+  equivalent of the following ASL code:
+  Name (_CID, Package (0x02)  // _CID: Compatible ID
+  {
+      EisaId ("PNP0A03"),
+      EisaId ("PNP0A08")
+  })
+
+  The package is added at the tail of the list of the input package node
+  name:
+    Name ("NamePackageNode", Package () {
+      [Pre-existing package entries],
+      [Newly created integer entry]
+    })
+
+
+  @ingroup CodeGenApis
+
+  @param [in]       Integer       Integer value that need to be added to package node.
+  @param [in, out]  NameNode      Package named node to add the object to.
+
+  @retval EFI_SUCCESS             Success.
+  @retval EFI_INVALID_PARAMETER   Invalid parameter.
+  @retval Others                  Error occurred during the operation.
+**/
+EFI_STATUS
+EFIAPI
+AmlAddIntegerToNamedPackage (
+  IN        UINT32                  Integer,
+  IN  OUT   AML_OBJECT_NODE_HANDLE  NameNode
+  );
+
 /** AML code generation to invoke/call another method.

  This method is a subset implementation of MethodInvocation
--- a/DynamicTablesPkg/Library/Acpi/Arm/AcpiSsdtCpuTopologyLibArm/SsdtCpuTopologyGenerator.c
+++ b/DynamicTablesPkg/Library/Acpi/Arm/AcpiSsdtCpuTopologyLibArm/SsdtCpuTopologyGenerator.c
@ -1072,6 +1072,7 @@ CreateAmlProcessorContainer (
  @param [in]  IsLeaf           The ProcNode is a leaf.
  @param [in]  NodeToken        NodeToken of the ProcNode.
  @param [in]  ParentNodeToken  Parent NodeToken of the ProcNode.
+  @param [in]  PackageNodeSeen  A parent of the ProcNode has the physical package flag set.

  @retval EFI_SUCCESS             Success.
  @retval EFI_INVALID_PARAMETER   Invalid parameter.
@ -1083,23 +1084,24 @@ CheckProcNode (
  UINT32           NodeFlags,
  BOOLEAN          IsLeaf,
  CM_OBJECT_TOKEN  NodeToken,
-  CM_OBJECT_TOKEN  ParentNodeToken
+  CM_OBJECT_TOKEN  ParentNodeToken,
+  BOOLEAN          PackageNodeSeen
  )
 {
  BOOLEAN  InvalidFlags;
  BOOLEAN  HasPhysicalPackageBit;
-  BOOLEAN  IsTopLevelNode;

  HasPhysicalPackageBit = (NodeFlags & EFI_ACPI_6_3_PPTT_PACKAGE_PHYSICAL) ==
                          EFI_ACPI_6_3_PPTT_PACKAGE_PHYSICAL;
-  IsTopLevelNode = (ParentNodeToken == CM_NULL_TOKEN);

-  // A top-level node is a Physical Package and conversely.
-  InvalidFlags = HasPhysicalPackageBit ^ IsTopLevelNode;
+  // Only one Physical Package flag is allowed in the hierarchy
+  InvalidFlags = HasPhysicalPackageBit && PackageNodeSeen;

  // Check Leaf specific flags.
  if (IsLeaf) {
    InvalidFlags |= ((NodeFlags & PPTT_LEAF_MASK) != PPTT_LEAF_MASK);
+    // Must have Physical Package flag somewhere in the hierarchy
+    InvalidFlags |= !(HasPhysicalPackageBit || PackageNodeSeen);
  } else {
    InvalidFlags |= ((NodeFlags & PPTT_LEAF_MASK) != 0);
  }
@ -1130,6 +1132,7 @@ CheckProcNode (
                                      node to.
  @param [in,out] ProcContainerIndex  Pointer to the current processor container
                                      index to be used as UID.
+  @param [in]  PackageNodeSeen        A parent of the ProcNode has the physical package flag set.

  @retval EFI_SUCCESS             Success.
  @retval EFI_INVALID_PARAMETER   Invalid parameter.
@ -1143,7 +1146,8 @@ CreateAmlCpuTopologyTree (
  IN  CONST EDKII_CONFIGURATION_MANAGER_PROTOCOL  *CONST  CfgMgrProtocol,
  IN        CM_OBJECT_TOKEN                               NodeToken,
  IN        AML_NODE_HANDLE                               ParentNode,
-  IN OUT    UINT32                                        *ProcContainerIndex
+  IN OUT    UINT32                                        *ProcContainerIndex,
+  IN        BOOLEAN                                       PackageNodeSeen
  )
 {
  EFI_STATUS              Status;
@ -1153,6 +1157,7 @@ CreateAmlCpuTopologyTree (
  AML_OBJECT_NODE_HANDLE  ProcContainerNode;
  UINT32                  Uid;
  UINT16                  Name;
+  BOOLEAN                 HasPhysicalPackageBit;

  ASSERT (Generator != NULL);
  ASSERT (Generator->ProcNodeList != NULL);
@ -1175,7 +1180,8 @@ CreateAmlCpuTopologyTree (
                   Generator->ProcNodeList[Index].Flags,
                   TRUE,
                   Generator->ProcNodeList[Index].Token,
-                   NodeToken
+                   NodeToken,
+                   PackageNodeSeen
                   );
        if (EFI_ERROR (Status)) {
          ASSERT (0);
@ -1208,7 +1214,8 @@ CreateAmlCpuTopologyTree (
                   Generator->ProcNodeList[Index].Flags,
                   FALSE,
                   Generator->ProcNodeList[Index].Token,
-                   NodeToken
+                   NodeToken,
+                   PackageNodeSeen
                   );
        if (EFI_ERROR (Status)) {
          ASSERT (0);
@ -1249,13 +1256,17 @@ CreateAmlCpuTopologyTree (
          ProcContainerName++;
        }

+        HasPhysicalPackageBit = (Generator->ProcNodeList[Index].Flags & EFI_ACPI_6_3_PPTT_PACKAGE_PHYSICAL) ==
+                                EFI_ACPI_6_3_PPTT_PACKAGE_PHYSICAL;
+
        // Recursively continue creating an AML tree.
        Status = CreateAmlCpuTopologyTree (
                   Generator,
                   CfgMgrProtocol,
                   Generator->ProcNodeList[Index].Token,
                   ProcContainerNode,
-                   ProcContainerIndex
+                   ProcContainerIndex,
+                   (PackageNodeSeen || HasPhysicalPackageBit)
                   );
        if (EFI_ERROR (Status)) {
          ASSERT (0);
@ -1311,7 +1322,8 @@ CreateTopologyFromProcHierarchy (
             CfgMgrProtocol,
             CM_NULL_TOKEN,
             ScopeNode,
-             &ProcContainerIndex
+             &ProcContainerIndex,
+             FALSE
             );
  if (EFI_ERROR (Status)) {
    ASSERT (0);
--- a/DynamicTablesPkg/Library/Common/AmlLib/CodeGen/AmlCodeGen.c
+++ b/DynamicTablesPkg/Library/Common/AmlLib/CodeGen/AmlCodeGen.c
@ -3871,6 +3871,73 @@ exit_handler:
  return Status;
 }

+/** Add an integer value to the named package node.
+
+  AmlCodeGenNamePackage ("_CID", NULL, &PackageNode);
+  AmlGetEisaIdFromString ("PNP0A03", &EisaId);
+  AmlAddIntegerToNamedPackage (EisaId, NameNode);
+  AmlGetEisaIdFromString ("PNP0A08", &EisaId);
+  AmlAddIntegerToNamedPackage (EisaId, NameNode);
+
+  equivalent of the following ASL code:
+  Name (_CID, Package (0x02)  // _CID: Compatible ID
+  {
+      EisaId ("PNP0A03"),
+      EisaId ("PNP0A08")
+  })
+
+  The package is added at the tail of the list of the input package node
+  name:
+    Name ("NamePackageNode", Package () {
+      [Pre-existing package entries],
+      [Newly created integer entry]
+    })
+
+
+  @ingroup CodeGenApis
+
+  @param [in]       Integer       Integer value that need to be added to package node.
+  @param [in, out]  NameNode      Package named node to add the object to.
+
+  @retval EFI_SUCCESS             Success.
+  @retval EFI_INVALID_PARAMETER   Invalid parameter.
+  @retval Others                  Error occurred during the operation.
+**/
+EFI_STATUS
+EFIAPI
+AmlAddIntegerToNamedPackage (
+  IN        UINT32                  Integer,
+  IN  OUT   AML_OBJECT_NODE_HANDLE  NameNode
+  )
+{
+  EFI_STATUS       Status;
+  AML_OBJECT_NODE  *PackageNode;
+
+  if (NameNode == NULL) {
+    ASSERT_EFI_ERROR (FALSE);
+    return EFI_INVALID_PARAMETER;
+  }
+
+  PackageNode = (AML_OBJECT_NODE_HANDLE)AmlGetFixedArgument (
+                                          NameNode,
+                                          EAmlParseIndexTerm1
+                                          );
+  if ((PackageNode == NULL)                                              ||
+      (AmlGetNodeType ((AML_NODE_HANDLE)PackageNode) != EAmlNodeObject)  ||
+      (!AmlNodeHasOpCode (PackageNode, AML_PACKAGE_OP, 0)))
+  {
+    ASSERT_EFI_ERROR (FALSE);
+    return EFI_INVALID_PARAMETER;
+  }
+
+  Status = AmlAddRegisterOrIntegerToPackage (NULL, Integer, PackageNode);
+  if (EFI_ERROR (Status)) {
+    ASSERT_EFI_ERROR (Status);
+  }
+
+  return Status;
+}
+
 /** AML code generation to invoke/call another method.

  This method is a subset implementation of MethodInvocation
--- a/DynamicTablesPkg/Library/Common/SsdtSerialPortFixupLib/SsdtSerialPortFixupLib.c
+++ b/DynamicTablesPkg/Library/Common/SsdtSerialPortFixupLib/SsdtSerialPortFixupLib.c
@ -1,7 +1,7 @@
 /** @file
  SSDT Serial Port Fixup Library.

-  Copyright (c) 2019 - 2021, Arm Limited. All rights reserved.<BR>
+  Copyright (c) 2019 - 2024, Arm Limited. All rights reserved.<BR>

  SPDX-License-Identifier: BSD-2-Clause-Patent

@ -9,6 +9,9 @@
  - Arm Server Base Boot Requirements (SBBR), s4.2.1.8 "SPCR".
  - Microsoft Debug Port Table 2 (DBG2) Specification - December 10, 2015.
  - ACPI for Arm Components 1.0 - 2020
+  - Arm Generic Interrupt Controller Architecture Specification,
+    Issue H, January 2022.
+    (https://developer.arm.com/documentation/ihi0069/)
 **/

 #include <IndustryStandard/DebugPort2Table.h>
@ -27,6 +30,10 @@
 #include <Library/AmlLib/AmlLib.h>
 #include <Protocol/ConfigurationManagerProtocol.h>

+#if defined (MDE_CPU_ARM) || defined (MDE_CPU_AARCH64)
+  #include <Library/ArmGicArchLib.h>
+#endif
+
 /** C array containing the compiled AML template.
    This symbol is defined in the auto generated C file
    containing the AML bytecode array.
@ -100,6 +107,26 @@ ValidateSerialPortInfo (
      return EFI_INVALID_PARAMETER;
    }

+ #if defined (MDE_CPU_ARM) || defined (MDE_CPU_AARCH64)
+    // If an interrupt is not wired to the serial port, the Configuration
+    // Manager specifies the interrupt as 0.
+    // Any other value must be within the SPI or extended SPI range.
+    if ((SerialPortInfo->Interrupt != 0) &&
+        !(((SerialPortInfo->Interrupt >= ARM_GIC_ARCH_SPI_MIN) &&
+           (SerialPortInfo->Interrupt <= ARM_GIC_ARCH_SPI_MAX)) ||
+          ((SerialPortInfo->Interrupt >= ARM_GIC_ARCH_EXT_SPI_MIN) &&
+           (SerialPortInfo->Interrupt <= ARM_GIC_ARCH_EXT_SPI_MAX))))
+    {
+      DEBUG ((
+        DEBUG_ERROR,
+        "ERROR: Invalid UART port interrupt ID. Interrupt = %lu\n",
+        SerialPortInfo->Interrupt
+        ));
+      return EFI_INVALID_PARAMETER;
+    }
+
+ #endif
+
    DEBUG ((DEBUG_INFO, "UART Configuration:\n"));
    DEBUG ((
      DEBUG_INFO,
@ -270,7 +297,6 @@ FixupCrs (
  EFI_STATUS              Status;
  AML_OBJECT_NODE_HANDLE  NameOpCrsNode;
  AML_DATA_NODE_HANDLE    QWordRdNode;
-  AML_DATA_NODE_HANDLE    InterruptRdNode;

  // Get the "_CRS" object defined by the "Name ()" statement.
  Status = AmlFindNode (
@ -303,20 +329,22 @@ FixupCrs (
    return Status;
  }

-  // Get the Interrupt node.
-  // It is the second Resource Data element in the NameOpCrsNode's
-  // variable list of arguments.
-  Status = AmlNameOpGetNextRdNode (QWordRdNode, &InterruptRdNode);
-  if (EFI_ERROR (Status)) {
-    return Status;
-  }
+  // Generate an interrupt node as the second Resource Data element in the
+  // NameOpCrsNode, if the interrupt for the serial-port is a valid SPI from
+  // Table 2-1 in Arm Generic Interrupt Controller Architecture Specification.
+  Status = AmlCodeGenRdInterrupt (
+             TRUE,                  // Resource Consumer
+             FALSE,                 // Level Triggered
+             FALSE,                 // Active High
+             FALSE,                 // Exclusive
+             (UINT32 *)&SerialPortInfo->Interrupt,
+             1,
+             NameOpCrsNode,
+             NULL
+             );
+  ASSERT_EFI_ERROR (Status);

-  if (InterruptRdNode == NULL) {
-    return EFI_INVALID_PARAMETER;
-  }
-
-  // Update the interrupt number.
-  return AmlUpdateRdInterrupt (InterruptRdNode, SerialPortInfo->Interrupt);
+  return Status;
 }

 /** Fixup the Serial Port device name.
--- a/DynamicTablesPkg/Library/Common/SsdtSerialPortFixupLib/SsdtSerialPortFixupLib.inf
+++ b/DynamicTablesPkg/Library/Common/SsdtSerialPortFixupLib/SsdtSerialPortFixupLib.inf
@ -18,12 +18,15 @@
  SsdtSerialPortFixupLib.c
  SsdtSerialPortTemplate.asl

-[Packages]
+[Packages.common]
  MdePkg/MdePkg.dec
  MdeModulePkg/MdeModulePkg.dec
  EmbeddedPkg/EmbeddedPkg.dec
  DynamicTablesPkg/DynamicTablesPkg.dec

+[Packages.ARM, Packages.AARCH64]
+  ArmPkg/ArmPkg.dec
+
 [LibraryClasses]
  AcpiHelperLib
  AmlLib
--- a/DynamicTablesPkg/Library/Common/SsdtSerialPortFixupLib/SsdtSerialPortTemplate.asl
+++ b/DynamicTablesPkg/Library/Common/SsdtSerialPortFixupLib/SsdtSerialPortTemplate.asl
@ -1,7 +1,7 @@
 /** @file
  SSDT Serial Template

-  Copyright (c) 2019 - 2020, Arm Limited. All rights reserved.<BR>
+  Copyright (c) 2019 - 2024, Arm Limited. All rights reserved.<BR>

  SPDX-License-Identifier: BSD-2-Clause-Patent

@ -10,6 +10,7 @@

  @par Glossary:
    - {template} - Data fixed up using AML Fixup APIs.
+    - {codegen}  - Data generated using AML Codegen APIs.
 **/

 DefinitionBlock ("SsdtSerialPortTemplate.aml", "SSDT", 2, "ARMLTD", "SERIAL", 1) {
@ -43,17 +44,21 @@ DefinitionBlock ("SsdtSerialPortTemplate.aml", "SSDT", 2, "ARMLTD", "SERIAL", 1)
          ,                   // MemoryRangeType
                              // TranslationType
        ) // QWordMemory
-        Interrupt (
-          ResourceConsumer,   // ResourceUsage
-          Level,              // EdgeLevel
-          ActiveHigh,         // ActiveLevel
-          Exclusive,          // Shared
-          ,                   // ResourceSourceIndex
-          ,                   // ResourceSource
-                              // DescriptorName
-          ) {
-            0xA5                                          // {template}
-        } // Interrupt
+
+        // The Interrupt information is generated using AmlCodegen.
+        //
+        // Interrupt (                                    // {codegen}
+        //  ResourceConsumer, // ResourceUsage
+        //  Level,            // EdgeLevel
+        //  ActiveHigh,       // ActiveLevel
+        //  Exclusive,        // Shared
+        //  ,                 // ResourceSourceIndex
+        //  ,                 // ResourceSource
+        //                    // DescriptorName
+        //  ) {
+        //    <IRQ>           // <spi>
+        // } // Interrupt
+
      }) // Name
    } // Device
  } // Scope (_SB)
--- a/EmbeddedPkg/Drivers/NonCoherentIoMmuDxe/NonCoherentIoMmuDxe.c
+++ b/EmbeddedPkg/Drivers/NonCoherentIoMmuDxe/NonCoherentIoMmuDxe.c
@ -70,7 +70,7 @@ NonCoherentIoMmuSetAttribute (
  IN UINT64                IoMmuAccess
  )
 {
-  return EFI_UNSUPPORTED;
+  return EFI_SUCCESS;
 }

 /**
--- a/EmbeddedPkg/Drivers/VirtualKeyboardDxe/VirtualKeyboard.c
+++ b/EmbeddedPkg/Drivers/VirtualKeyboardDxe/VirtualKeyboard.c
@ -694,11 +694,12 @@ KeyboardReadKeyStrokeWorker (
 /**
  Read out the scan code of the key that has just been stroked.

-  @param  This        Pointer of simple text Protocol.
-  @param  Key         Pointer for store the key that read out.
+  @param  This              Pointer of simple text Protocol.
+  @param  Key               Pointer for store the key that read out.

-  @retval EFI_SUCCESS The key is read out successfully.
-  @retval other       The key reading failed.
+  @retval EFI_SUCCESS       The key is read out successfully.
+  @retval other             The key reading failed.
+  @retval EFI_UNSUPPORTED   The device does not support the ability to read keystroke data.

 **/
 EFI_STATUS
@ -752,6 +753,7 @@ VirtualKeyboardReadKeyStroke (
  @retval  EFI_DEVICE_ERROR      The keystroke information was not returned
                                 due to hardware errors.
  @retval  EFI_INVALID_PARAMETER KeyData is NULL.
+  @retval  EFI_UNSUPPORTED       The device does not support the ability to read keystroke data.

 **/
 EFI_STATUS
--- a/EmbeddedPkg/Drivers/VirtualKeyboardDxe/VirtualKeyboard.h
+++ b/EmbeddedPkg/Drivers/VirtualKeyboardDxe/VirtualKeyboard.h
@ -496,11 +496,12 @@ KeyNotifyProcessHandler (
 /**
  Read out the scan code of the key that has just been stroked.

-  @param  This        Pointer of simple text Protocol.
-  @param  Key         Pointer for store the key that read out.
+  @param  This              Pointer of simple text Protocol.
+  @param  Key               Pointer for store the key that read out.

-  @retval EFI_SUCCESS The key is read out successfully.
-  @retval other       The key reading failed.
+  @retval EFI_SUCCESS       The key is read out successfully.
+  @retval other             The key reading failed.
+  @retval EFI_UNSUPPORTED   The device does not support the ability to read keystroke data.

 **/
 EFI_STATUS
@ -523,6 +524,7 @@ VirtualKeyboardReadKeyStroke (
  @retval  EFI_DEVICE_ERROR      The keystroke information was not returned due to
                                 hardware errors.
  @retval  EFI_INVALID_PARAMETER KeyData is NULL.
+  @retval  EFI_UNSUPPORTED       The device does not support the ability to read keystroke data.

 **/
 EFI_STATUS
--- a/EmbeddedPkg/Scripts/LauterbachT32/EfiLoadDxe.cmm
+++ b/EmbeddedPkg/Scripts/LauterbachT32/EfiLoadDxe.cmm
@ -1,79 +1,22 @@
 ;
+; Copyright (c) 2024, Ampere Computing LLC. All rights reserved.<BR>
 ; Copyright (c) 2011, Hewlett-Packard Company. All rights reserved.<BR>
 ; 
 ; SPDX-License-Identifier: BSD-2-Clause-Patent
 ; 

-  LOCAL &maxmem &systbl &memsize
-  
-  &memsize=0x20000000   ; default to 512MB
-  
-  gosub FindSystemTable &memsize
-  ENTRY &systbl
-  
-  if &systbl!=0
-  (
-    print "found system table at &systbl"
-    gosub FindDebugInfo &systbl
-  )
-  else
-  (
-    print "ERROR: system table not found, check memory size"
-  )
+  PARAMETERS &systbl
+
+  gosub FindDebugInfo &systbl
  enddo

-FindSystemTable:
-  LOCAL   &TopOfRam &offset
-  ENTRY   &TopOfRam
-  
-  print "FindSystemTable"
-  print "top of mem is &TopOfRam$"
-  
-  &offset=&TopOfRam
-  
-  ; align to highest 4MB boundary
-  &offset=&offset&0xFFC00000
-  
-  ; start at top and look on 4MB boundaries for system table ptr structure
-  while &offset>0
-  (
-    ; low signature match
-    if Data.Long(a:&offset)==0x20494249
-    (
-      ; high signature match
-      if Data.Long(a:&offset+4)==0x54535953
-      (
-        ; less than 4GB?
-        if Data.Long(a:&offset+0x0c)==0
-        (
-          ; less than top of ram?
-          if Data.Long(a:&offset+8)<&TopOfRam
-          (
-            return Data.Long(a:&offset+8)
-          )
-        )
-      )
-    )
-   
-    if &offset<0x400000
-    (
-      return 0
-    )
-    &offset=&offset-0x400000
-  )
-  
-  return 0
-
-
 FindDebugInfo:
  LOCAL   &SystemTable &CfgTableEntries &ConfigTable &i &offset &dbghdr &dbgentries &dbgptr &dbginfo &loadedimg
  ENTRY   &SystemTable
  
-  print "FindDebugInfo"
-  
  &dbgentries=0
-  &CfgTableEntries=Data.Long(a:&SystemTable+0x40)
-  &ConfigTable=Data.Long(a:&SystemTable+0x44)
+  &CfgTableEntries=Data.Long(a:&SystemTable+0x68)
+  &ConfigTable=Data.Long(a:&SystemTable+0x70)
  
  print "config table is at &ConfigTable (&CfgTableEntries entries)"
  
@ -82,7 +25,7 @@ FindDebugInfo:
  &i=0
  while &i<&CfgTableEntries
  (
-    &offset=&ConfigTable+(&i*0x14)
+    &offset=&ConfigTable+(&i*0x18)
    if Data.Long(a:&offset)==0x49152E77
    (
      if Data.Long(a:&offset+4)==0x47641ADA
@ -120,8 +63,10 @@ FindDebugInfo:
    (
      if Data.Long(a:&dbginfo)==1 ; normal debug info type
      (
-        &loadedimg=Data.Long(a:&dbginfo+4)
-        do EfiProcessPeImage Data.Long(a:&loadedimg+0x20)
+        &loadedimg=Data.Long(a:&dbginfo+8)
+        &imagebaseptr=&loadedimg+0x40
+        &imagebase=Data.Long(a:&imagebaseptr)
+        do ~~~~/EfiProcessPeImage.cmm "&imagebase"
      )
    )
    &i=&i+1
--- a/EmbeddedPkg/Scripts/LauterbachT32/EfiProcessPeImage.cmm
+++ b/EmbeddedPkg/Scripts/LauterbachT32/EfiProcessPeImage.cmm
@ -1,4 +1,5 @@
 ;
+; Copyright (c) 2024, Ampere Computing LLC. All rights reserved.<BR>
 ; Copyright (c) 2011, Hewlett-Packard Company. All rights reserved.<BR>
 ; 
 ; SPDX-License-Identifier: BSD-2-Clause-Patent
@ -10,11 +11,11 @@
  &imgstart=&imgstart
  print "PE32 image found at &imgstart"

-  ; offset from dos hdr to PE file hdr
+  ; offset from dos hdr to PE file hdr (i.e. 'PE\0\0' signature)
  &filehdrstart=&imgstart+Data.Long(c:&imgstart+0x3C)

  ; offset to debug dir in PE hdrs
-  &debugdirentryrva=Data.Long(c:&filehdrstart+0xA8)
+  &debugdirentryrva=Data.Long(c:&imgstart+0xf10)
  if &debugdirentryrva==0
  (
    print "no debug dir for image at &imgstart"
@ -62,7 +63,7 @@
    &elfbase=&baseofdata;
  )

-  print "found path &elfpath"
+  print "found path &elfpath with address &elfbase"
        ON ERROR GOSUB
              return
  data.load.elf &elfpath &elfbase /NOCODE /NOCLEAR
--- a/EmbeddedPkg/Scripts/LauterbachT32/Readme.md
+++ b/EmbeddedPkg/Scripts/LauterbachT32/Readme.md
@ -1,10 +1,10 @@
 # DXE Phase Debug
-Update the memsize variable in EfiLoadDxe.cmm for the actual amount of memory
-available in your system.  Allow your system to boot to the point that the DXE
+Allow your system to boot to the point that the DXE
 core is initialized (so that the System Table and Debug Information table is
 present in memory) and execute this script (using the toolbar button or
-'do EfiLoadDxe' from the command area).  It will scan memory for the debug info
-table and load modules in it.
+'do EfiLoadDxe "0xGST_ADDRESS"' from the command area). 'GST_ADDRESS' is the
+address of the EFI_SYSTEM_TABLE, and can be found by the global `gST`.
+The script will scan memory for the debug info table and load modules in it.

 # SEC/PEI Phase Debug
 There is no way to autodetect where these images reside so you must pass an
--- a/EmulatorPkg/EmuGopDxe/GopInput.c
+++ b/EmulatorPkg/EmuGopDxe/GopInput.c
@ -156,6 +156,7 @@ EmuGopSimpleTextInReset (
  @retval EFI_NOT_READY    There was no keystroke data available.
  @retval EFI_DEVICE_ERROR The keystroke information was not returned due to
                           hardware errors.
+  @retval EFI_UNSUPPORTED  The device does not support the ability to read keystroke data.

 **/
 EFI_STATUS
@ -339,6 +340,7 @@ EmuGopSimpleTextInExResetEx (
                          EFI_DEVICE_ERROR The keystroke
                          information was not returned due to
                          hardware errors.
+  @retval EFI_UNSUPPORTED The device does not support the ability to read keystroke data.


 **/
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@ -127,11 +127,12 @@
  ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
  FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
  ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf
-
-!if $(SECURE_BOOT_ENABLE) == TRUE
  RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
@ -278,6 +279,27 @@
  gEfiRedfishPkgTokenSpaceGuid.PcdRedfishRestExServiceDevicePath.DevicePath|{DEVICE_PATH("MAC(000000000000,0x1)")}
  gEfiRedfishPkgTokenSpaceGuid.PcdRedfishRestExServiceAccessModeInBand|False
  gEfiRedfishPkgTokenSpaceGuid.PcdRedfishDiscoverAccessModeInBand|False
+
+  gEmulatorPkgTokenSpaceGuid.PcdRedfishServiceStopIfSecureBootDisabled|False
+  gEmulatorPkgTokenSpaceGuid.PcdRedfishServiceStopIfExitbootService|False
+
+  gEfiRedfishClientPkgTokenSpaceGuid.PcdRedfishServiceEtagSupported|False
+
+  #
+  # Redfish Debug enablement
+  #
+  # 0x0000000000000001  RedfishPlatformConfigDxe driver debug enabled.
+  gEfiRedfishPkgTokenSpaceGuid.PcdRedfishDebugCategory|0
+  #   0x00000001  x-uefi-redfish string database message enabled
+  #   0x00000002  Debug Message for dumping formset
+  #   0x00000004  Debug Message for x-uefi-redfish searching result
+  #   0x00000008  Debug Message for x-uefi-redfish Regular Expression searching result
+  gEfiRedfishPkgTokenSpaceGuid.PcdRedfishPlatformConfigDebugProperty|0
+
+  # Redfish Platform Configure DXE driver feature enablement
+  #   0x00000001  Enable building Redfish Attribute Registry menu path.
+  #   0x00000002  Allow supressed HII option to be exposed on Redfish.
+  gEfiRedfishPkgTokenSpaceGuid.PcdRedfishPlatformConfigFeatureProperty|0
 !endif

 [PcdsDynamicDefault.common.DEFAULT]
@ -377,6 +399,15 @@
  EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf
  EmulatorPkg/TimerDxe/Timer.inf

+  #
+  # Rng Protocol producer
+  #
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+  #
+  # Hash2 Protocol producer
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
 !if $(SECURE_BOOT_ENABLE) == TRUE
  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 !endif
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@ -193,6 +193,16 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
 INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
 INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf

+#
+# Rng Protocol producer
+#
+INF  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+
+#
+# Hash2 Protocol producer
+#
+INF  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
 #
 # Secure Boot Key Enroll
 #
@ -320,4 +330,3 @@ INF  ShellPkg/Application/Shell/Shell.inf
    UI        STRING="$(MODULE_NAME)" Optional
    VERSION   STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
  }
-
--- a/EmulatorPkg/Sec/Sec.h
+++ b/EmulatorPkg/Sec/Sec.h
@ -20,15 +20,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

 #include <Ppi/TemporaryRamSupport.h>

-//
-// I think this should be defined in a MdePkg include file?
-//
-VOID
-EFIAPI
-ProcessLibraryConstructorList (
-  VOID
-  );
-
 EFI_STATUS
 EFIAPI
 SecTemporaryRamSupport (
--- a/EmulatorPkg/Sec/Sec.inf
+++ b/EmulatorPkg/Sec/Sec.inf
@ -11,7 +11,7 @@
 ##

 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
  BASE_NAME                      = EmuSec
  FILE_GUID                      = BCAF98C9-22B0-3B4F-9CBD-C8A6B4DBCEE9
  MODULE_TYPE                    = SEC
--- a/IntelFsp2Pkg/FspSecCore/Fsp24SecCoreM.inf
+++ b/IntelFsp2Pkg/FspSecCore/Fsp24SecCoreM.inf
@ -8,7 +8,7 @@
 ##

 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
  BASE_NAME                      = Fsp24SecCoreM
  FILE_GUID                      = C5BC0719-4A23-4F6E-94DA-05FB6A0DFA9C
  MODULE_TYPE                    = SEC
@ -60,6 +60,7 @@
  FspSecPlatformLib
  CpuLib
  FspMultiPhaseLib
+  FspPlatformLib

 [Pcd]
  gIntelFsp2PkgTokenSpaceGuid.PcdTemporaryRamBase              ## CONSUMES
--- a/IntelFsp2Pkg/FspSecCore/FspSecCoreM.inf
+++ b/IntelFsp2Pkg/FspSecCore/FspSecCoreM.inf
@ -8,7 +8,7 @@
 ##

 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
  BASE_NAME                      = FspSecCoreM
  FILE_GUID                      = C2F9AE46-3437-4FEF-9CB1-9A568B282FEE
  MODULE_TYPE                    = SEC
@ -59,6 +59,7 @@
  FspCommonLib
  FspSecPlatformLib
  CpuLib
+  FspPlatformLib

 [Pcd]
  gIntelFsp2PkgTokenSpaceGuid.PcdTemporaryRamBase              ## CONSUMES
--- a/IntelFsp2Pkg/FspSecCore/Ia32/Fsp24ApiEntryM.nasm
+++ b/IntelFsp2Pkg/FspSecCore/Ia32/Fsp24ApiEntryM.nasm
@ -11,7 +11,6 @@
 ; Following are fixed PCDs
 ;
 extern   ASM_PFX(PcdGet32(PcdTemporaryRamBase))
-extern   ASM_PFX(PcdGet32(PcdTemporaryRamSize))
 extern   ASM_PFX(PcdGet32(PcdFspTemporaryRamSize))
 extern   ASM_PFX(PcdGet8 (PcdFspHeapSizePercentage))

--- a/IntelFsp2Pkg/FspSecCore/Ia32/FspApiEntryM.nasm
+++ b/IntelFsp2Pkg/FspSecCore/Ia32/FspApiEntryM.nasm
@ -11,7 +11,6 @@
 ; Following are fixed PCDs
 ;
 extern   ASM_PFX(PcdGet32(PcdTemporaryRamBase))
-extern   ASM_PFX(PcdGet32(PcdTemporaryRamSize))
 extern   ASM_PFX(PcdGet32(PcdFspTemporaryRamSize))
 extern   ASM_PFX(PcdGet8 (PcdFspHeapSizePercentage))

--- a/IntelFsp2Pkg/FspSecCore/Ia32/FspApiEntryT.nasm
+++ b/IntelFsp2Pkg/FspSecCore/Ia32/FspApiEntryT.nasm
@ -109,7 +109,8 @@ struc LoadMicrocodeParamsFsp24
    .FsptArchReserved:        resb    3
    .FsptArchLength:          resd    1
    .FspDebugHandler          resq    1
-    .FsptArchUpd:             resd    4
+    .FspTemporaryRamSize:     resd    1  ; Supported only if ArchRevison is >= 3
+    .FsptArchUpd:             resd    3
    ; }
    ; FSPT_CORE_UPD {
    .MicrocodeCodeAddr:       resq    1
@ -267,7 +268,7 @@ ASM_PFX(LoadMicrocodeDefault):
   cmp    byte [esp + LoadMicrocodeParamsFsp22.FspUpdHeaderRevision], 2
   jb     Fsp20UpdHeader
   cmp    byte [esp + LoadMicrocodeParamsFsp22.FsptArchRevision], 2
-   je     Fsp24UpdHeader
+   jae    Fsp24UpdHeader
   jmp    Fsp22UpdHeader

 Fsp20UpdHeader:
@ -405,7 +406,7 @@ CheckAddress:
   cmp   byte [esp + LoadMicrocodeParamsFsp22.FspUpdHeaderRevision], 2
   jb     Fsp20UpdHeader1
   cmp    byte [esp + LoadMicrocodeParamsFsp22.FsptArchRevision], 2
-   je     Fsp24UpdHeader1;
+   jae    Fsp24UpdHeader1;
   jmp    Fsp22UpdHeader1

 Fsp20UpdHeader1:
@ -497,7 +498,8 @@ ASM_PFX(EstablishStackFsp):
  ; Enable FSP STACK
  ;
  mov       esp, DWORD [ASM_PFX(PcdGet32 (PcdTemporaryRamBase))]
-  add       esp, DWORD [ASM_PFX(PcdGet32 (PcdTemporaryRamSize))]
+  LOAD_TEMPORARY_RAM_SIZE ecx
+  add       esp, ecx

  push      DATA_LEN_OF_MCUD     ; Size of the data region
  push      4455434Dh            ; Signature of the  data region 'MCUD'
@ -506,7 +508,7 @@ ASM_PFX(EstablishStackFsp):
  cmp       byte [edx + LoadMicrocodeParamsFsp22.FspUpdHeaderRevision], 2
  jb        Fsp20UpdHeader2
  cmp       byte [esp + LoadMicrocodeParamsFsp22.FsptArchRevision], 2
-  je        Fsp24UpdHeader2
+  jae       Fsp24UpdHeader2
  jmp       Fsp22UpdHeader2

 Fsp20UpdHeader2:
@ -554,12 +556,13 @@ ContinueAfterUpdPush:
  ;
  ; Set ECX/EDX to the BootLoader temporary memory range
  ;
-  mov       ecx,  [ASM_PFX(PcdGet32 (PcdTemporaryRamBase))]
-  mov       edx, ecx
-  add       edx,  [ASM_PFX(PcdGet32 (PcdTemporaryRamSize))]
+  mov       edx,  [ASM_PFX(PcdGet32 (PcdTemporaryRamBase))]
+  LOAD_TEMPORARY_RAM_SIZE ecx
+  add       edx, ecx
  sub       edx,  [ASM_PFX(PcdGet32 (PcdFspReservedBufferSize))]
+  mov       ecx,  [ASM_PFX(PcdGet32 (PcdTemporaryRamBase))]

-  cmp       ecx, edx        ;If PcdFspReservedBufferSize >= PcdTemporaryRamSize, then error.
+  cmp       ecx, edx        ;If PcdFspReservedBufferSize >= TemporaryRamSize, then error.
  jb        EstablishStackFspSuccess
  mov       eax, 80000003h  ;EFI_UNSUPPORTED
  jmp       EstablishStackFspExit
@ -599,6 +602,45 @@ ASM_PFX(TempRamInitApi):
  CALL_EBP  ASM_PFX(LoadUpdPointerToECX) ; ECX for UPD param
  SAVE_ECX                               ; save UPD param to slot 3 in xmm6

+  mov       edx, ASM_PFX(PcdGet32 (PcdTemporaryRamSize))
+  mov       edx, DWORD [edx]
+  ;
+  ; Read Fsp Arch2 revision
+  ;
+  cmp       byte [ecx + LoadMicrocodeParamsFsp24.FsptArchRevision], 3
+  jb        UseTemporaryRamSizePcd
+  ;
+  ; Read ARCH2 UPD input value.
+  ;
+  mov       ebx, DWORD [ecx + LoadMicrocodeParamsFsp24.FspTemporaryRamSize]
+  ;
+  ; As per spec, if Bootloader pass zero, use Fsp defined Size
+  ;
+  cmp       ebx, 0
+  jz        UseTemporaryRamSizePcd
+
+  xor       eax, eax
+  mov       ax,  WORD [esi + 020h]      ; Read ImageAttribute
+  test      ax,  16                     ; check if Bit4 is set
+  jnz       ConsumeInputConfiguration
+  ;
+  ; Sometimes user may change input value even if it is not supported
+  ; return error if input is Non-Zero and not same as PcdTemporaryRamSize.
+  ;
+  cmp       ebx, edx
+  je        UseTemporaryRamSizePcd
+  mov       eax, 080000002h      ; RETURN_INVALID_PARAMETER
+  jmp       TempRamInitExit
+ConsumeInputConfiguration:
+  ;
+  ; Read ARCH2 UPD value and Save.
+  ;
+  SAVE_TEMPORARY_RAM_SIZE ebx
+  jmp       GotTemporaryRamSize
+UseTemporaryRamSizePcd:
+  SAVE_TEMPORARY_RAM_SIZE edx
+GotTemporaryRamSize:
+  LOAD_ECX
  ;
  ; Sec Platform Init
  ;
--- a/IntelFsp2Pkg/FspSecCore/Ia32/SaveRestoreSseNasm.inc
+++ b/IntelFsp2Pkg/FspSecCore/Ia32/SaveRestoreSseNasm.inc
@ -128,6 +128,17 @@
  SXMMN      xmm5, 1, eax
             %endmacro

+;
+; XMM5 slot 2 for TemporaryRamSize
+;
+%macro LOAD_TEMPORARY_RAM_SIZE    1
+  LXMMN      xmm5, %1, 2
+             %endmacro
+
+%macro SAVE_TEMPORARY_RAM_SIZE    1
+  SXMMN      xmm5, 2, %1
+             %endmacro
+
 %macro ENABLE_SSE   0
            ;
            ; Initialize floating point units
--- a/IntelFsp2Pkg/FspSecCore/SecFsp.c
+++ b/IntelFsp2Pkg/FspSecCore/SecFsp.c
@ -54,6 +54,7 @@ SecGetPlatformData (
  UINT32         TopOfCar;
  UINT32         *StackPtr;
  UINT32         DwordSize;
+  UINT32         TemporaryRamSize;

  FspPlatformData = &FspData->PlatformData;

@ -67,12 +68,20 @@ SecGetPlatformData (
  FspPlatformData->MicrocodeRegionSize = 0;
  FspPlatformData->CodeRegionBase      = 0;
  FspPlatformData->CodeRegionSize      = 0;
+  TemporaryRamSize                     = 0;

  //
  // Pointer to the size field
  //
  TopOfCar = PcdGet32 (PcdTemporaryRamBase) + PcdGet32 (PcdTemporaryRamSize);
  StackPtr = (UINT32 *)(TopOfCar - sizeof (UINT32));
+  if ((*(StackPtr - 1) != FSP_MCUD_SIGNATURE) && (FspData->FspInfoHeader->ImageAttribute & BIT4)) {
+    ReadTemporaryRamSize (PcdGet32 (PcdTemporaryRamBase), &TemporaryRamSize);
+    if (TemporaryRamSize) {
+      TopOfCar = PcdGet32 (PcdTemporaryRamBase) + TemporaryRamSize;
+      StackPtr = (UINT32 *)(TopOfCar - sizeof (UINT32));
+    }
+  }

  if (*(StackPtr - 1) == FSP_MCUD_SIGNATURE) {
    while (*StackPtr != 0) {
--- a/IntelFsp2Pkg/FspSecCore/SecFsp.h
+++ b/IntelFsp2Pkg/FspSecCore/SecFsp.h
@ -17,6 +17,7 @@
 #include <Library/BaseMemoryLib.h>
 #include <Library/FspCommonLib.h>
 #include <Library/FspSecPlatformLib.h>
+#include <Library/FspPlatformLib.h>

 #define FSP_MCUD_SIGNATURE  SIGNATURE_32 ('M', 'C', 'U', 'D')
 #define FSP_PER0_SIGNATURE  SIGNATURE_32 ('P', 'E', 'R', '0')
--- a/IntelFsp2Pkg/FspSecCore/SecMain.h
+++ b/IntelFsp2Pkg/FspSecCore/SecMain.h
@ -110,18 +110,6 @@ SecStartup (
  IN UINT32          ApiIdx
  );

-/**
-  Autogenerated function that calls the library constructors for all of the module's
-  dependent libraries.  This function must be called by the SEC Core once a stack has
-  been established.
-
-**/
-VOID
-EFIAPI
-ProcessLibraryConstructorList (
-  VOID
-  );
-
 /**

  Return value of esp.
--- a/IntelFsp2Pkg/FspSecCore/X64/FspApiEntryT.nasm
+++ b/IntelFsp2Pkg/FspSecCore/X64/FspApiEntryT.nasm
@ -76,7 +76,8 @@ struc LoadMicrocodeParamsFsp24
    .FsptArchReserved:        resb    3
    .FsptArchLength:          resd    1
    .FspDebugHandler          resq    1
-    .FsptArchUpd:             resd    4
+    .FspTemporaryRamSize:     resd    1 ; Supported only if ArchRevison is >= 3
+    .FsptArchUpd:             resd    3
    ; }
    ; FSPT_CORE_UPD {
    .MicrocodeCodeAddr:       resq    1
@ -163,7 +164,7 @@ ASM_PFX(LoadMicrocodeDefault):
   cmp    byte [rsp + LoadMicrocodeParamsFsp24.FspUpdHeaderRevision], 2
   jb     ParamError
   cmp    byte [rsp + LoadMicrocodeParamsFsp24.FsptArchRevision], 2
-   jne    ParamError
+   jb     ParamError

   ; UPD structure is compliant with FSP spec 2.4
   mov    rax, qword [rsp + LoadMicrocodeParamsFsp24.MicrocodeCodeSize]
@ -273,7 +274,7 @@ CheckAddress:
   cmp   byte [rsp + LoadMicrocodeParamsFsp24.FspUpdHeaderRevision], 2
   jb    ParamError
   cmp   byte [rsp + LoadMicrocodeParamsFsp24.FsptArchRevision], 2
-   jne   ParamError
+   jb    ParamError

   ; UPD structure is compliant with FSP spec 2.4
   ; Is automatic size detection ?
@ -337,8 +338,8 @@ ASM_PFX(EstablishStackFsp):
  ;
  mov       rax, ASM_PFX(PcdGet32 (PcdTemporaryRamBase))
  mov       esp, DWORD[rax]
-  mov       rax, ASM_PFX(PcdGet32 (PcdTemporaryRamSize))
-  add       esp, DWORD[rax]
+  LOAD_TEMPORARY_RAM_SIZE rax
+  add       esp, eax

  sub       esp, 4
  mov       dword[esp], DATA_LEN_OF_MCUD ; Size of the data region
@ -349,7 +350,7 @@ ASM_PFX(EstablishStackFsp):
  cmp       byte [rdx + LoadMicrocodeParamsFsp24.FspUpdHeaderRevision], 2
  jb        ParamError1
  cmp       byte [rdx + LoadMicrocodeParamsFsp24.FsptArchRevision], 2
-  je        Fsp24UpdHeader
+  jnb       Fsp24UpdHeader

 ParamError1:
  mov       rax, 08000000000000002h
@ -397,8 +398,8 @@ ContinueAfterUpdPush:
  ;
  mov       rcx, ASM_PFX(PcdGet32 (PcdTemporaryRamBase))
  mov       edx, [ecx]
-  mov       rcx, ASM_PFX(PcdGet32 (PcdTemporaryRamSize))
-  add       edx, [ecx]
+  LOAD_TEMPORARY_RAM_SIZE rcx
+  add       edx, ecx
  mov       rcx, ASM_PFX(PcdGet32 (PcdFspReservedBufferSize))
  sub       edx, [ecx]
  mov       rcx, ASM_PFX(PcdGet32 (PcdTemporaryRamBase))
@ -439,6 +440,14 @@ ASM_PFX(TempRamInitApi):
  ;
  SAVE_BFV  rbp

+  ;
+  ; Save timestamp into YMM6
+  ;
+  rdtsc
+  shl       rdx, 32
+  or        rax, rdx
+  SAVE_TS   rax
+
  ;
  ; Save Input Parameter in YMM10
  ;
@ -455,14 +464,46 @@ ASM_PFX(TempRamInitApi):
 ParamValid:
  SAVE_RCX

+  mov       rdx, ASM_PFX(PcdGet32 (PcdTemporaryRamSize))
+  mov       edx, DWORD [rdx]
  ;
-  ; Save timestamp into YMM6
+  ; Read Fsp Arch2 revision
  ;
-  rdtsc
-  shl       rdx, 32
-  or        rax, rdx
-  SAVE_TS   rax
+  cmp       byte [ecx + LoadMicrocodeParamsFsp24.FsptArchRevision], 3
+  jb        UseTemporaryRamSizePcd
+  ;
+  ; Read ARCH2 UPD input value.
+  ;
+  mov       ebx, DWORD [ecx + LoadMicrocodeParamsFsp24.FspTemporaryRamSize]
+  ;
+  ; As per spec, if Bootloader pass zero, use Fsp defined Size
+  ;
+  cmp       ebx, 0
+  jz        UseTemporaryRamSizePcd

+  xor       rax, rax
+  mov       ax,  WORD [rsi + 020h]      ; Read ImageAttribute
+  test      ax,  16                     ; check if Bit4 is set
+  jnz       ConsumeInputConfiguration
+  ;
+  ; Sometimes user may change input value even if it is not supported
+  ; return error if input is Non-Zero and not same as PcdTemporaryRamSize.
+  ;
+  cmp       ebx, edx
+  je        UseTemporaryRamSizePcd
+  mov       rax, 08000000000000002h      ; RETURN_INVALID_PARAMETER
+  jmp       TempRamInitExit
+ConsumeInputConfiguration:
+  ;
+  ; Read ARCH2 UPD value and Save.
+  ; Only low-32 bits of rbx/rdx holds the temporary ram size.
+  ;
+  SAVE_TEMPORARY_RAM_SIZE rbx
+  jmp       GotTemporaryRamSize
+UseTemporaryRamSizePcd:
+  SAVE_TEMPORARY_RAM_SIZE rdx
+
+GotTemporaryRamSize:
  ;
  ; Sec Platform Init
  ;
--- a/IntelFsp2Pkg/Include/FspEas/FspApi.h
+++ b/IntelFsp2Pkg/Include/FspEas/FspApi.h
@ -139,7 +139,7 @@ typedef struct {
 ///
 typedef struct {
  ///
-  /// Revision of the structure is 2 for this version of the specification.
+  /// Revision of the structure is 3 for this version of the specification.
  ///
  UINT8                   Revision;
  UINT8                   Reserved[3];
@ -152,7 +152,15 @@ typedef struct {
  /// occurring during FSP execution.
  ///
  EFI_PHYSICAL_ADDRESS    FspDebugHandler;
-  UINT8                   Reserved1[16];
+  ///
+  /// FspTemporaryRamSize is Optional & valid only when
+  /// FSP image attribute (BIT4) is set. If Programmed as Zero, Platform
+  /// recommended value will be used, otherwise input value will be used
+  /// to configure TemporaryRamSize. Refer FSP Integration guide for valid
+  /// TemporaryRamSize range for each platform.
+  ///
+  UINT32                  FspTemporaryRamSize;
+  UINT8                   Reserved1[12];
 } FSPT_ARCH2_UPD;

 ///
--- a/IntelFsp2Pkg/Include/Library/FspPlatformLib.h
+++ b/IntelFsp2Pkg/Include/Library/FspPlatformLib.h
@ -121,4 +121,17 @@ FspTempRamExitDone2 (
  IN EFI_STATUS  Status
  );

+/**
+  Calculate TemporaryRam Size using Base address.
+
+  @param[in]  TemporaryRamBase         the address of target memory
+  @param[out] TemporaryRamSize         the size of target memory
+**/
+VOID
+EFIAPI
+ReadTemporaryRamSize (
+  IN  UINT32  TemporaryRamBase,
+  OUT UINT32  *TemporaryRamSize
+  );
+
 #endif
--- a/IntelFsp2Pkg/Include/SaveRestoreSseAvxNasm.inc
+++ b/IntelFsp2Pkg/Include/SaveRestoreSseAvxNasm.inc
@ -201,6 +201,27 @@
            movq    rcx,  xmm5
            %endmacro

+;
+; Save TemporaryRamSize to YMM10[192:255]
+; arg 1:general purpose register which holds TemporaryRamSize
+; Modified: XMM5 and YMM10[192:255]
+;
+%macro SAVE_TEMPORARY_RAM_SIZE     1
+            LYMMN   ymm10, xmm5, 1
+            SXMMN   xmm5, 1, %1
+            SYMMN   ymm10, 1, xmm5
+            %endmacro
+
+;
+; Restore TemporaryRamSize from YMM10[192:255]
+; arg 1:general purpose register where to save TemporaryRamSize
+; Modified: XMM5 and %1
+;
+%macro LOAD_TEMPORARY_RAM_SIZE     1
+            LYMMN   ymm10, xmm5, 1
+            LXMMN   xmm5, %1, 1
+            %endmacro
+
 ;
 ; YMM7[128:191] for calling stack
 ; arg 1:Entry
--- a/IntelFsp2Pkg/IntelFsp2Pkg.dsc
+++ b/IntelFsp2Pkg/IntelFsp2Pkg.dsc
@ -46,9 +46,9 @@
  FspSecPlatformLib|IntelFsp2Pkg/Library/SecFspSecPlatformLibNull/SecFspSecPlatformLibNull.inf
  FspMultiPhaseLib|IntelFsp2Pkg/Library/BaseFspMultiPhaseLib/BaseFspMultiPhaseLib.inf

-[LibraryClasses.common.PEIM]
+[LibraryClasses.common.PEIM, LibraryClasses.common.SEC]
  PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf
-  PeiServicesTablePointerLib|MdePkg/Library/PeiServicesTablePointerLib/PeiServicesTablePointerLib.inf
+  PeiServicesTablePointerLib|MdePkg/Library/PeiServicesTablePointerLibIdt/PeiServicesTablePointerLibIdt.inf
  PeiServicesLib|MdePkg/Library/PeiServicesLib/PeiServicesLib.inf
  MemoryAllocationLib|MdePkg/Library/PeiMemoryAllocationLib/PeiMemoryAllocationLib.inf
  ExtractGuidedSectionLib|MdePkg/Library/PeiExtractGuidedSectionLib/PeiExtractGuidedSectionLib.inf
--- a/IntelFsp2Pkg/Library/BaseFspPlatformLib/FspPlatformMemory.c
+++ b/IntelFsp2Pkg/Library/BaseFspPlatformLib/FspPlatformMemory.c
@ -6,6 +6,7 @@
 **/

 #include <PiPei.h>
+#include <Register/Intel/Msr.h>
 #include <Library/BaseLib.h>
 #include <Library/BaseMemoryLib.h>
 #include <Library/MemoryAllocationLib.h>
@ -119,3 +120,40 @@ FspGetSystemMemorySize (
    Hob.Raw = GET_NEXT_HOB (Hob);
  }
 }
+
+/**
+  Calculate TemporaryRam Size using Base address.
+
+  @param[in]  TemporaryRamBase         the address of target memory
+  @param[out] TemporaryRamSize         the size of target memory
+**/
+VOID
+EFIAPI
+ReadTemporaryRamSize (
+  IN  UINT32  TemporaryRamBase,
+  OUT UINT32  *TemporaryRamSize
+  )
+{
+  MSR_IA32_MTRRCAP_REGISTER  Msr;
+  UINT32                     MsrNum;
+  UINT32                     MsrNumEnd;
+
+  if (TemporaryRamBase == 0) {
+    return;
+  }
+
+  *TemporaryRamSize = 0;
+  Msr.Uint64        = AsmReadMsr64 (MSR_IA32_MTRRCAP);
+  MsrNumEnd         = MSR_IA32_MTRR_PHYSBASE0 + (2 * (Msr.Bits.VCNT));
+
+  for (MsrNum = MSR_IA32_MTRR_PHYSBASE0; MsrNum < MsrNumEnd; MsrNum += 2) {
+    if ((AsmReadMsr64 (MsrNum+1) & BIT11) != 0 ) {
+      if (TemporaryRamBase == (AsmReadMsr64 (MsrNum) & 0xFFFFF000)) {
+        *TemporaryRamSize = (~(AsmReadMsr64 (MsrNum + 1) & 0xFFFFF000) + 1);
+        break;
+      }
+    }
+  }
+
+  return;
+}
--- a/IntelFsp2Pkg/Tools/GenCfgOpt.py
+++ b/IntelFsp2Pkg/Tools/GenCfgOpt.py
@ -136,7 +136,7 @@ class CLogicalExpression:
        var = var.strip()
        if   re.match('^0x[a-fA-F0-9]+$', var):
            value = int(var, 16)
-        elif re.match('^[+-]?\d+$', var):
+        elif re.match(r'^[+-]?\d+$', var):
            value = int(var, 10)
        else:
            value = None
@ -147,7 +147,7 @@ class CLogicalExpression:
        var = ''
        while not self.isLast():
            char = self.getCurr()
-            if re.match('^[\w.]', char):
+            if re.match(r'^[\w.]', char):
                var += char
                self.moveNext()
            else:
@ -161,7 +161,7 @@ class CLogicalExpression:

    def parseSingleOp(self):
        self.skipSpace()
-        if re.match('^NOT\W', self.getCurr(-1)):
+        if re.match(r'^NOT\W', self.getCurr(-1)):
            self.moveNext(3)
            op  = self.parseBrace()
            val = self.getNumber (op)
@ -225,7 +225,7 @@ class CLogicalExpression:
        value = self.parseCompare()
        while True:
            self.skipSpace()
-            if re.match('^AND\W', self.getCurr(-1)):
+            if re.match(r'^AND\W', self.getCurr(-1)):
                self.moveNext(3)
                result = self.parseCompare()
                test = self.getNonNumber(result, value)
@ -243,10 +243,10 @@ class CLogicalExpression:
        while True:
            self.skipSpace()
            op = None
-            if re.match('^XOR\W', self.getCurr(-1)):
+            if re.match(r'^XOR\W', self.getCurr(-1)):
                self.moveNext(3)
                op = '^'
-            elif re.match('^OR\W', self.getCurr(-1)):
+            elif re.match(r'^OR\W', self.getCurr(-1)):
                self.moveNext(2)
                op = '|'
            else:
@ -330,11 +330,11 @@ EndList
                    continue
            if IsExpression:
                IsExpression = False
-                Match = re.match("(\w+)=(.+)", Macro)
+                Match = re.match(r"(\w+)=(.+)", Macro)
                if Match:
                    self._MacroDict[Match.group(1)] = Match.group(2)
                else:
-                    Match = re.match("(\w+)", Macro)
+                    Match = re.match(r"(\w+)", Macro)
                    if Match:
                        self._MacroDict[Match.group(1)] = ''
        if len(self._MacroDict) == 0:
@ -355,7 +355,7 @@ EndList

    def ExpandMacros (self, Input, Preserve = False):
        Line = Input
-        Match = re.findall("\$\(\w+\)", Input)
+        Match = re.findall(r"\$\(\w+\)", Input)
        if Match:
            for Each in Match:
              Variable = Each[2:-1]
@ -370,7 +370,7 @@ EndList

    def ExpandPcds (self, Input):
        Line = Input
-        Match = re.findall("(\w+\.\w+)", Input)
+        Match = re.findall(r"(\w+\.\w+)", Input)
        if Match:
            for PcdName in Match:
              if PcdName in self._PcdsDict:
@ -390,7 +390,7 @@ EndList
        return Result

    def ValueToByteArray (self, ValueStr, Length):
-        Match = re.match("\{\s*FILE:(.+)\}", ValueStr)
+        Match = re.match(r"\{\s*FILE:(.+)\}", ValueStr)
        if Match:
          FileList = Match.group(1).split(',')
          Result  = bytearray()
@ -427,7 +427,7 @@ EndList
                    if Each[0] in ['"', "'"]:
                        Result.extend(list(bytearray(Each[1:-1], 'utf-8')))
                    elif ':' in Each:
-                        Match    = re.match("(.+):(\d+)b", Each)
+                        Match    = re.match(r"(.+):(\d+)b", Each)
                        if Match is None:
                            raise Exception("Invald value list format '%s' !" % Each)
                        InBitField = True
@ -539,7 +539,7 @@ EndList
              continue

            Handle   = False
-            Match    = re.match("^\[(.+)\]", DscLine)
+            Match    = re.match(r"^\[(.+)\]", DscLine)
            if Match is not None:
                IsDefSect = False
                IsPcdSect = False
@ -575,7 +575,7 @@ EndList

                    Match = False if DscLine[0] != '!' else True
                    if Match:
-                        Match = re.match("^!(else|endif|ifdef|ifndef|if|elseif|include)\s*(.+)?$", DscLine.split("#")[0])
+                        Match = re.match(r"^!(else|endif|ifdef|ifndef|if|elseif|include)\s*(.+)?$", DscLine.split("#")[0])
                    Keyword   = Match.group(1) if Match else ''
                    Remaining = Match.group(2) if Match else ''
                    Remaining = '' if Remaining is None else Remaining.strip()
@ -620,7 +620,7 @@ EndList
                        else:
                            Handle = True
                        if Handle:
-                            Match = re.match("!include\s+(.+)", DscLine)
+                            Match = re.match(r"!include\s+(.+)", DscLine)
                            if Match:
                                IncludeFilePath = Match.group(1)
                                IncludeFilePath = self.ExpandMacros(IncludeFilePath)
@ -660,7 +660,7 @@ EndList
                #DEFINE FSP_T_UPD_TOOL_GUID = 34686CA3-34F9-4901-B82A-BA630F0714C6
                #DEFINE FSP_M_UPD_TOOL_GUID = 39A250DB-E465-4DD1-A2AC-E2BD3C0E2385
                #DEFINE FSP_S_UPD_TOOL_GUID = CAE3605B-5B34-4C85-B3D7-27D54273C40F
-                Match = re.match("^\s*(?:DEFINE\s+)*(\w+)\s*=\s*(.+)", DscLine)
+                Match = re.match(r"^\s*(?:DEFINE\s+)*(\w+)\s*=\s*(.+)", DscLine)
                if Match:
                    self._MacroDict[Match.group(1)] = self.ExpandMacros(Match.group(2))
                    if self.Debug:
@ -668,21 +668,21 @@ EndList
            elif IsPcdSect:
                #gSiPkgTokenSpaceGuid.PcdTxtEnable|FALSE
                #gSiPkgTokenSpaceGuid.PcdOverclockEnable|TRUE
-                Match = re.match("^\s*([\w\.]+)\s*\|\s*(\w+)", DscLine)
+                Match = re.match(r"^\s*([\w\.]+)\s*\|\s*(\w+)", DscLine)
                if Match:
                    self._PcdsDict[Match.group(1)] = Match.group(2)
                    if self.Debug:
                        print ("INFO : PCD %s = [ %s ]" % (Match.group(1), Match.group(2)))
                    i = 0
                    while i < len(BuildOptionPcd):
-                        Match = re.match("\s*([\w\.]+)\s*\=\s*(\w+)", BuildOptionPcd[i])
+                        Match = re.match(r"\s*([\w\.]+)\s*\=\s*(\w+)", BuildOptionPcd[i])
                        if Match:
                            self._PcdsDict[Match.group(1)] = Match.group(2)
                        i += 1

            elif IsTmpSect:
                # !BSF DEFT:{GPIO_TMPL:START}
-                Match = re.match("^\s*#\s+(!BSF)\s+DEFT:{(.+?):(START|END)}", DscLine)
+                Match = re.match(r"^\s*#\s+(!BSF)\s+DEFT:{(.+?):(START|END)}", DscLine)
                if Match:
                    if Match.group(3) == 'START' and not TemplateName:
                        TemplateName = Match.group(2).strip()
@ -691,33 +691,33 @@ EndList
                        TemplateName = ''
                else:
                    if TemplateName:
-                        Match = re.match("^!include\s*(.+)?$", DscLine)
+                        Match = re.match(r"^!include\s*(.+)?$", DscLine)
                        if Match:
                            continue
                        self._BsfTempDict[TemplateName].append(DscLine)

            else:
-                Match = re.match("^\s*#\s+(!BSF|@Bsf|!HDR)\s+(.+)", DscLine)
+                Match = re.match(r"^\s*#\s+(!BSF|@Bsf|!HDR)\s+(.+)", DscLine)
                if Match:
                    Remaining = Match.group(2)
                    if Match.group(1) == '!BSF' or Match.group(1) == '@Bsf':
-                        Match = re.match("(?:^|.+\s+)PAGES:{(.+?)}", Remaining)
+                        Match = re.match(r"(?:^|.+\s+)PAGES:{(.+?)}", Remaining)
                        if Match:
                            # !BSF PAGES:{HSW:"Haswell System Agent", LPT:"Lynx Point PCH"}
                            PageList = Match.group(1).split(',')
                            for Page in PageList:
                                Page  = Page.strip()
-                                Match = re.match("(\w+):\"(.+)\"", Page)
+                                Match = re.match(r"(\w+):\"(.+)\"", Page)
                                if Match != None:
                                    self._CfgPageDict[Match.group(1)] = Match.group(2)

-                        Match = re.match("(?:^|.+\s+)BLOCK:{NAME:\"(.+)\"\s*,\s*VER:\"(.+)\"\s*}", Remaining)
+                        Match = re.match(r"(?:^|.+\s+)BLOCK:{NAME:\"(.+)\"\s*,\s*VER:\"(.+)\"\s*}", Remaining)
                        if Match:
                            self._CfgBlkDict['name'] = Match.group(1)
                            self._CfgBlkDict['ver']  = Match.group(2)

                        for Key in self._BsfKeyList:
-                            Match = re.match("(?:^|.+\s+)%s:{(.+?)}" % Key, Remaining)
+                            Match = re.match(r"(?:^|.+\s+)%s:{(.+?)}" % Key, Remaining)
                            if Match:
                                if Key in ['NAME', 'HELP', 'OPTION'] and Match.group(1).startswith('+'):
                                    ConfigDict[Key.lower()] += Match.group(1)[1:]
@ -725,15 +725,15 @@ EndList
                                    ConfigDict[Key.lower()]  = Match.group(1)
                    else:
                        for Key in self._HdrKeyList:
-                            Match = re.match("(?:^|.+\s+)%s:{(.+?)}" % Key, Remaining)
+                            Match = re.match(r"(?:^|.+\s+)%s:{(.+?)}" % Key, Remaining)
                            if Match:
                                ConfigDict[Key.lower()]  = Match.group(1)

-                Match = re.match("^\s*#\s+@Prompt\s+(.+)", DscLine)
+                Match = re.match(r"^\s*#\s+@Prompt\s+(.+)", DscLine)
                if Match:
                    ConfigDict['name'] = Match.group(1)

-                Match = re.match("^\s*#\s*@ValidList\s*(.+)\s*\|\s*(.+)\s*\|\s*(.+)\s*", DscLine)
+                Match = re.match(r"^\s*#\s*@ValidList\s*(.+)\s*\|\s*(.+)\s*\|\s*(.+)\s*", DscLine)
                if Match:
                    if Match.group(2).strip() in self._BuidinOption:
                        ConfigDict['option'] = Match.group(2).strip()
@ -749,22 +749,22 @@ EndList
                                 ConfigDict['option'] += ', '
                    ConfigDict['type'] = "Combo"

-                Match = re.match("^\s*#\s*@ValidRange\s*(.+)\s*\|\s*(.+)\s*-\s*(.+)\s*", DscLine)
+                Match = re.match(r"^\s*#\s*@ValidRange\s*(.+)\s*\|\s*(.+)\s*-\s*(.+)\s*", DscLine)
                if Match:
                    if "0x" in Match.group(2) or "0x" in Match.group(3):
                        ConfigDict['type'] = "EditNum, HEX, (%s,%s)" % (Match.group(2), Match.group(3))
                    else:
                        ConfigDict['type'] = "EditNum, DEC, (%s,%s)" % (Match.group(2), Match.group(3))

-                Match = re.match("^\s*##\s+(.+)", DscLine)
+                Match = re.match(r"^\s*##\s+(.+)", DscLine)
                if Match:
                    ConfigDict['help'] = Match.group(1)

                # Check VPD/UPD
                if IsUpdSect:
-                    Match = re.match("^([_a-zA-Z0-9]+).([_a-zA-Z0-9]+)\s*\|\s*(0x[0-9A-F]+|\*)\s*\|\s*(\d+|0x[0-9a-fA-F]+)\s*\|\s*(.+)",DscLine)
+                    Match = re.match(r"^([_a-zA-Z0-9]+).([_a-zA-Z0-9]+)\s*\|\s*(0x[0-9A-F]+|\*)\s*\|\s*(\d+|0x[0-9a-fA-F]+)\s*\|\s*(.+)",DscLine)
                else:
-                    Match = re.match("^([_a-zA-Z0-9]+).([_a-zA-Z0-9]+)\s*\|\s*(0x[0-9A-F]+)(?:\s*\|\s*(.+))?",  DscLine)
+                    Match = re.match(r"^([_a-zA-Z0-9]+).([_a-zA-Z0-9]+)\s*\|\s*(0x[0-9A-F]+)(?:\s*\|\s*(.+))?",  DscLine)
                if Match:
                    ConfigDict['space']  = Match.group(1)
                    ConfigDict['cname']  = Match.group(2)
@ -796,13 +796,13 @@ EndList
                            Value = ''
                        Value = Value.strip()
                        if '|' in Value:
-                            Match = re.match("^.+\s*\|\s*(.+)", Value)
+                            Match = re.match(r"^.+\s*\|\s*(.+)", Value)
                            if Match:
                                Value = Match.group(1)
                        Length = -1

                    ConfigDict['length'] = Length
-                    Match = re.match("\$\((\w+)\)", Value)
+                    Match = re.match(r"\$\((\w+)\)", Value)
                    if Match:
                        if Match.group(1) in self._MacroDict:
                            Value = self._MacroDict[Match.group(1)]
@ -879,7 +879,7 @@ EndList
                    # !BSF FIELD:{SerialDebugPortAddress0:1}
                    # or
                    # @Bsf FIELD:{SerialDebugPortAddress0:1b}
-                    Match = re.match("^\s*#\s+(!BSF|@Bsf)\s+FIELD:{(.+):(\d+)([Bb])?}", DscLine)
+                    Match = re.match(r"^\s*#\s+(!BSF|@Bsf)\s+FIELD:{(.+):(\d+)([Bb])?}", DscLine)
                    if Match:
                        SubCfgDict = ConfigDict.copy()
                        if (Match.group(4) == None) or (Match.group(4) == 'B'):
@ -1023,7 +1023,7 @@ EndList
            self._VarDict['_LENGTH_'] = '%d' % (Item['offset'] + Item['length'])
        for Item in self._CfgItemList:
            Embed = Item['embed']
-            Match = re.match("^(\w+):(\w+):(START|END)", Embed)
+            Match = re.match(r"^(\w+):(\w+):(START|END)", Embed)
            if Match:
                StructName = Match.group(1)
                VarName = '_%s_%s_' % (Match.group(3), StructName)
@ -1215,7 +1215,7 @@ EndList
        IsUpdHeader = False
        for Line in TextBody:
           SplitToLines = Line.splitlines()
-           MatchComment = re.match("^/\*\sCOMMENT:(\w+):([\w|\W|\s]+)\s\*/\s([\s\S]*)", SplitToLines[0])
+           MatchComment = re.match(r"^/\*\sCOMMENT:(\w+):([\w|\W|\s]+)\s\*/\s([\s\S]*)", SplitToLines[0])
           if MatchComment:
              if MatchComment.group(1) == 'FSP_UPD_HEADER':
                  IsUpdHeader = True
@ -1226,7 +1226,7 @@ EndList
                NewTextBody.append("/**" + CommentLine + "**/\n")
              Line = Line[(len(SplitToLines[0]) + 1):]

-           Match = re.match("^/\*\sEMBED_STRUCT:(\w+):(\w+):(START|END)\s\*/\s([\s\S]*)", Line)
+           Match = re.match(r"^/\*\sEMBED_STRUCT:(\w+):(\w+):(START|END)\s\*/\s([\s\S]*)", Line)
           if Match:
               Line = Match.group(4)
               if Match.group(1) == 'FSP_UPD_HEADER':
@ -1239,7 +1239,7 @@ EndList
                   NewTextBody.append ('typedef struct {\n')
               StructName   = Match.group(1)
               VariableName = Match.group(2)
-               MatchOffset = re.search('/\*\*\sOffset\s0x([a-fA-F0-9]+)', Line)
+               MatchOffset = re.search(r'/\*\*\sOffset\s0x([a-fA-F0-9]+)', Line)
               if MatchOffset:
                   Offset = int(MatchOffset.group(1), 16)
               else:
@ -1318,12 +1318,12 @@ EndList
                CommentLine = ""
                for Item in self._CfgItemList:
                    if Item["comment"] != '' and Item["offset"] >= UpdOffsetTable[UpdIdx]:
-                        MatchComment = re.match("^(U|V)PD_DATA_REGION:([\w|\W|\s]+)", Item["comment"])
+                        MatchComment = re.match(r"^(U|V)PD_DATA_REGION:([\w|\W|\s]+)", Item["comment"])
                        if MatchComment and MatchComment.group(1) == Region[0]:
                            CommentLine = " " + MatchComment.group(2) + "\n"
                            TxtBody.append("/**" + CommentLine + "**/\n")
                    elif Item["offset"] >= UpdOffsetTable[UpdIdx] and Item["comment"] == '':
-                        Match = re.match("^FSP([\w|\W|\s])_UPD", UpdStructure[UpdIdx])
+                        Match = re.match(r"^FSP([\w|\W|\s])_UPD", UpdStructure[UpdIdx])
                        if Match:
                            TxtBody.append("/** Fsp " + Match.group(1) + " UPD Configuration\n**/\n")
                TxtBody.append("typedef struct {\n")
@ -1441,7 +1441,7 @@ EndList

            Export = False
            for Line in IncLines:
-                Match = re.search ("!EXPORT\s+([A-Z]+)\s+EXTERNAL_BOOTLOADER_STRUCT_(BEGIN|END)\s+", Line)
+                Match = re.search (r"!EXPORT\s+([A-Z]+)\s+EXTERNAL_BOOTLOADER_STRUCT_(BEGIN|END)\s+", Line)
                if Match:
                    if Match.group(2) == "BEGIN" and Match.group(1) == UpdRegionCheck[item]:
                        Export = True
@ -1464,7 +1464,7 @@ EndList
                Match = re.match("(typedef struct {)", Line)
                if Match:
                    StartIndex = Index - 1
-                Match = re.match("}\s([_A-Z0-9]+);", Line)
+                Match = re.match(r"}\s([_A-Z0-9]+);", Line)
                if Match and (UpdRegionCheck[item] in Match.group(1) or UpdConfigCheck[item] in Match.group(1)) and (ExcludedSpecificUpd[item] not in Match.group(1)) and (ExcludedSpecificUpd1[item] not in Match.group(1)):
                    EndIndex = Index
                    StructStart.append(StartIndex)
@ -1474,7 +1474,7 @@ EndList
                Index += 1
                for Item in range(len(StructStart)):
                    if Index == StructStart[Item]:
-                        Match = re.match("^(/\*\*\s*)", Line)
+                        Match = re.match(r"^(/\*\*\s*)", Line)
                        if Match:
                            StructStartWithComment.append(StructStart[Item])
                        else:
@ -1510,7 +1510,7 @@ EndList
                Match = re.match("(typedef struct {)", Line)
                if Match:
                    StartIndex = Index - 1
-                Match = re.match("#define\s([_A-Z0-9]+)\s*", Line)
+                Match = re.match(r"#define\s([_A-Z0-9]+)\s*", Line)
                if Match and (UpdSignatureCheck[item] in Match.group(1) or UpdSignatureCheck[item] in Match.group(1)):
                    StructStart.append(Index - 1)
                    StructEnd.append(Index)
@ -1519,7 +1519,7 @@ EndList
                Index += 1
                for Item in range(len(StructStart)):
                    if Index == StructStart[Item]:
-                        Match = re.match("^(/\*\*\s*)", Line)
+                        Match = re.match(r"^(/\*\*\s*)", Line)
                        if Match:
                            StructStartWithComment.append(StructStart[Item])
                        else:
@ -1543,7 +1543,7 @@ EndList
        else:
            Space = Item['space']
        Line = "    $%s_%s" % (Space, Item['cname'])
-        Match = re.match("\s*\{([x0-9a-fA-F,\s]+)\}\s*", Item['value'])
+        Match = re.match(r"\s*\{([x0-9a-fA-F,\s]+)\}\s*", Item['value'])
        if Match:
            DefaultValue = Match.group(1).strip()
        else:
@ -1576,7 +1576,7 @@ EndList
            BsfFd.write('    %s $%s, "%s", &%s,\n' % (Item['type'], PcdName, Item['name'], Options))
            WriteHelp = 1
        elif Item['type'].startswith("EditNum"):
-            Match = re.match("EditNum\s*,\s*(HEX|DEC)\s*,\s*\((\d+|0x[0-9A-Fa-f]+)\s*,\s*(\d+|0x[0-9A-Fa-f]+)\)", Item['type'])
+            Match = re.match(r"EditNum\s*,\s*(HEX|DEC)\s*,\s*\((\d+|0x[0-9A-Fa-f]+)\s*,\s*(\d+|0x[0-9A-Fa-f]+)\)", Item['type'])
            if Match:
                BsfFd.write('    EditNum $%s, "%s", %s,\n' % (PcdName, Item['name'], Match.group(1)))
                WriteHelp = 2
--- a/IntelFsp2Pkg/Tools/PatchFv.py
+++ b/IntelFsp2Pkg/Tools/PatchFv.py
@ -143,7 +143,7 @@ class Symbols:
        fdIn.close()
        fvInfo['Base'] = 0
        for rptLine in rptLines:
-            match = re.match("^EFI_BASE_ADDRESS\s*=\s*(0x[a-fA-F0-9]+)", rptLine)
+            match = re.match(r"^EFI_BASE_ADDRESS\s*=\s*(0x[a-fA-F0-9]+)", rptLine)
            if match:
                fvInfo['Base'] = int(match.group(1), 16)
                break
@ -312,7 +312,7 @@ class Symbols:
        self.fdBase = 0xFFFFFFFF
        while (rptLine != "" ):
            #EFI_BASE_ADDRESS = 0xFFFDF400
-            match = re.match("^EFI_BASE_ADDRESS\s*=\s*(0x[a-fA-F0-9]+)", rptLine)
+            match = re.match(r"^EFI_BASE_ADDRESS\s*=\s*(0x[a-fA-F0-9]+)", rptLine)
            if match is not None:
                self.fdBase = int(match.group(1), 16) - fvOffset
                break
@ -340,7 +340,7 @@ class Symbols:
        fdIn     = open(fvTxtFile, "r")
        rptLine  = fdIn.readline()
        while (rptLine != "" ):
-            match = re.match("(0x[a-fA-F0-9]+)\s([0-9a-fA-F\-]+)", rptLine)
+            match = re.match(r"(0x[a-fA-F0-9]+)\s([0-9a-fA-F\-]+)", rptLine)
            if match is not None:
                if match.group(2) in self.dictFfsOffset:
                    self.dictFfsOffset[fvName + ':' + match.group(2)] = "0x%08X" % (int(match.group(1), 16) + fvOffset)
@ -374,10 +374,10 @@ class Symbols:
        while (rptLine != "" ):
            if rptLine[0] != ' ':
                #DxeIpl (Fixed Flash Address, BaseAddress=0x00fffb4310, EntryPoint=0x00fffb4958,Type=PE)
-                match = re.match("([_a-zA-Z0-9\-]+)\s\(.+BaseAddress=(0x[0-9a-fA-F]+),\s+EntryPoint=(0x[0-9a-fA-F]+),\s*Type=\w+\)", rptLine)
+                match = re.match(r"([_a-zA-Z0-9\-]+)\s\(.+BaseAddress=(0x[0-9a-fA-F]+),\s+EntryPoint=(0x[0-9a-fA-F]+),\s*Type=\w+\)", rptLine)
                if match is None:
                    #DxeIpl (Fixed Flash Address, BaseAddress=0x00fffb4310, EntryPoint=0x00fffb4958)
-                    match = re.match("([_a-zA-Z0-9\-]+)\s\(.+BaseAddress=(0x[0-9a-fA-F]+),\s+EntryPoint=(0x[0-9a-fA-F]+)\)", rptLine)
+                    match = re.match(r"([_a-zA-Z0-9\-]+)\s\(.+BaseAddress=(0x[0-9a-fA-F]+),\s+EntryPoint=(0x[0-9a-fA-F]+)\)", rptLine)
                if match is not None:
                    foundModHdr = True
                    modName = match.group(1)
@ -386,7 +386,7 @@ class Symbols:
                    self.dictModBase['%s:BASE'  % modName] = int (match.group(2), 16)
                    self.dictModBase['%s:ENTRY' % modName] = int (match.group(3), 16)
                #(GUID=86D70125-BAA3-4296-A62F-602BEBBB9081 .textbaseaddress=0x00fffb4398 .databaseaddress=0x00fffb4178)
-                match = re.match("\(GUID=([A-Z0-9\-]+)\s+\.textbaseaddress=(0x[0-9a-fA-F]+)\s+\.databaseaddress=(0x[0-9a-fA-F]+)\)", rptLine)
+                match = re.match(r"\(GUID=([A-Z0-9\-]+)\s+\.textbaseaddress=(0x[0-9a-fA-F]+)\s+\.databaseaddress=(0x[0-9a-fA-F]+)\)", rptLine)
                if match is not None:
                    if foundModHdr:
                        foundModHdr = False
@ -399,7 +399,7 @@ class Symbols:
            else:
                #   0x00fff8016c    __ModuleEntryPoint
                foundModHdr = False
-                match = re.match("^\s+(0x[a-z0-9]+)\s+([_a-zA-Z0-9]+)", rptLine)
+                match = re.match(r"^\s+(0x[a-z0-9]+)\s+([_a-zA-Z0-9]+)", rptLine)
                if match is not None:
                    self.dictSymbolAddress["%s:%s"%(modName, match.group(2))] = match.group(1)
            rptLine  = fdIn.readline()
@ -432,14 +432,14 @@ class Symbols:
        if reportLine.strip().find("Archive member included") != -1:
            #GCC
            #                0x0000000000001d55                IoRead8
-            patchMapFileMatchString = "\s+(0x[0-9a-fA-F]{16})\s+([^\s][^0x][_a-zA-Z0-9\-]+)\s"
+            patchMapFileMatchString = r"\s+(0x[0-9a-fA-F]{8,16})\s+([^\s][^0x][_a-zA-Z0-9\-]+)\s"
            matchKeyGroupIndex = 2
            matchSymbolGroupIndex  = 1
            prefix = '_'
        else:
            #MSFT
            #0003:00000190       _gComBase                  00007a50     SerialPo
-            patchMapFileMatchString =  "^\s[0-9a-fA-F]{4}:[0-9a-fA-F]{8}\s+(\w+)\s+([0-9a-fA-F]{8,16}\s+)"
+            patchMapFileMatchString =  r"^\s[0-9a-fA-F]{4}:[0-9a-fA-F]{8}\s+(\w+)\s+([0-9a-fA-F]{8,16}\s+)"
            matchKeyGroupIndex = 1
            matchSymbolGroupIndex  = 2
            prefix = ''
@ -458,11 +458,11 @@ class Symbols:
                if handleNext:
                    handleNext = False
                    pcdName = match.group(1)
-                    match   = re.match("\s+(0x[0-9a-fA-F]{16})\s+", reportLine)
+                    match   = re.match(r"\s+(0x[0-9a-fA-F]{16})\s+", reportLine)
                    if match is not None:
                        modSymbols[prefix + pcdName] = match.group(1)
                else:
-                    match = re.match("^\s\.data\.(_gPcd_BinaryPatch[_a-zA-Z0-9\-]+)", reportLine)
+                    match = re.match(r"^\s\.data\.(_gPcd_BinaryPatch[_a-zA-Z0-9\-]+)", reportLine)
                    if match is not None:
                        handleNext = True
                        continue
@ -507,7 +507,7 @@ class Symbols:
        fdIn     = open(xrefFile, "r")
        rptLine  = fdIn.readline()
        while (rptLine != "" ):
-            match = re.match("([0-9a-fA-F\-]+)\s([_a-zA-Z0-9]+)", rptLine)
+            match = re.match(r"([0-9a-fA-F\-]+)\s([_a-zA-Z0-9]+)", rptLine)
            if match is not None:
                self.dictGuidNameXref[match.group(1).upper()] = match.group(2)
            rptLine  = fdIn.readline()
--- a/IntelFsp2WrapperPkg/FspmWrapperPeim/FspmWrapperPeim.c
+++ b/IntelFsp2WrapperPkg/FspmWrapperPeim/FspmWrapperPeim.c
@ -197,12 +197,20 @@ FspmWrapperInit (

  MeasurementExcludedFvPpi = AllocatePool (sizeof (*MeasurementExcludedFvPpi));
  ASSERT (MeasurementExcludedFvPpi != NULL);
+  if (MeasurementExcludedFvPpi == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
  MeasurementExcludedFvPpi->Count          = 1;
  MeasurementExcludedFvPpi->Fv[0].FvBase   = PcdGet32 (PcdFspmBaseAddress);
  MeasurementExcludedFvPpi->Fv[0].FvLength = ((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)PcdGet32 (PcdFspmBaseAddress))->FvLength;

  MeasurementExcludedPpiList = AllocatePool (sizeof (*MeasurementExcludedPpiList));
  ASSERT (MeasurementExcludedPpiList != NULL);
+  if (MeasurementExcludedPpiList == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
  MeasurementExcludedPpiList->Flags = EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST;
  MeasurementExcludedPpiList->Guid  = &gEfiPeiFirmwareVolumeInfoMeasurementExcludedPpiGuid;
  MeasurementExcludedPpiList->Ppi   = MeasurementExcludedFvPpi;
--- a/IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/FspMeasurementLib.c
+++ b/IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/FspMeasurementLib.c
@ -197,6 +197,10 @@ MeasureFspFirmwareBlobWithCfg (
             (UINTN)sizeof (DigestList),
             EDKII_TCG_PRE_HASH_LOG_ONLY
             );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "TpmMeasureAndLogDataWithFlags failed - %r\n", Status));
+    return Status;
+  }

  Status = TpmMeasureAndLogData (
             1,
--- a/IntelFsp2WrapperPkg/Library/SecFspWrapperPlatformSecLibSample/SecRamInitData.c
+++ b/IntelFsp2WrapperPkg/Library/SecFspWrapperPlatformSecLibSample/SecRamInitData.c
@ -34,8 +34,11 @@ GLOBAL_REMOVE_IF_UNREFERENCED CONST FSPT_UPD_CORE_DATA  FsptUpdDataPtr = {
    // UPD header revision must be equal or greater than 2 when the structure is compliant with FSP spec 2.2.
    //
    0x02,
-    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+    {
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00
+    }
  },
  //
  // If FSP spec version < 2.2, remove FSPT_ARCH_UPD structure.
@ -43,14 +46,15 @@ GLOBAL_REMOVE_IF_UNREFERENCED CONST FSPT_UPD_CORE_DATA  FsptUpdDataPtr = {
  // Else, use FSPT_ARCH2_UPD structure.
  //
  {
-    0x02,
+    0x03,
    {
      0x00, 0x00, 0x00
    },
    0x00000020,
    0x00000000,
+    0x00000000,
    {
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    }
  },
--- a/Maintainers.txt
+++ b/Maintainers.txt
@ -151,7 +151,6 @@ ArmVirtPkg
 F: ArmVirtPkg/
 W: https://github.com/tianocore/tianocore.github.io/wiki/ArmVirtPkg
 M: Ard Biesheuvel <ardb+tianocore@kernel.org> [ardbiesheuvel]
-M: Laszlo Ersek <lersek@redhat.com> [lersek]
 R: Leif Lindholm <quic_llindhol@quicinc.com> [leiflindholm]
 R: Sami Mujawar <sami.mujawar@arm.com> [samimujawar]
 R: Gerd Hoffmann <kraxel@redhat.com> [kraxel]
@ -418,6 +417,11 @@ M: Abner Chang <abner.chang@amd.com> [changab]
 R: Abdul Lateef Attar <AbdulLateef.Attar@amd.com> [abdattar]
 R: Nickle Wang <nicklew@nvidia.com> [nicklela]

+MdeModulePkg: SPI driver stack
+F: MdeModulePkg/Bus/Spi/
+M: Abner Chang <abner.chang@amd.com> [changab]
+R: Brit Chesley <brit.chesley@amd.com> [BritChesley]
+
 MdePkg
 F: MdePkg/
 W: https://github.com/tianocore/tianocore.github.io/wiki/MdePkg
@ -451,6 +455,12 @@ M: Abner Chang <abner.chang@amd.com> [changab]
 R: Abdul Lateef Attar <AbdulLateef.Attar@amd.com> [abdattar]
 R: Nickle Wang <nicklew@nvidia.com> [nicklela]

+MdePkg: SPI related C header files
+F: MdePkg/Include/Protocol/Spi*.h
+F: MdePkg/Include/IndustryStandard/SpiNorFlashJedecSfdp.h
+M: Abner Chang <abner.chang@amd.com> [changab]
+R: Brit Chesley <brit.chesley@amd.com> [BritChesley]
+
 NetworkPkg
 F: NetworkPkg/
 W: https://github.com/tianocore/tianocore.github.io/wiki/NetworkPkg
@ -462,7 +472,6 @@ F: OvmfPkg/
 W: http://www.tianocore.org/ovmf/
 M: Ard Biesheuvel <ardb+tianocore@kernel.org> [ardbiesheuvel]
 M: Jiewen Yao <jiewen.yao@intel.com> [jyao1]
-M: Laszlo Ersek <lersek@redhat.com> [lersek]
 R: Gerd Hoffmann <kraxel@redhat.com> [kraxel]
 S: Maintained

@ -558,7 +567,7 @@ F: OvmfPkg/XenIoPvhDxe/
 F: OvmfPkg/XenPlatformPei/
 F: OvmfPkg/XenPvBlkDxe/
 F: OvmfPkg/XenResetVector/
-R: Anthony Perard <anthony.perard@citrix.com> [tperard]
+R: Anthony Perard <anthony@xenproject.org> [tperard]

 OvmfPkg: RISC-V Qemu Virt Platform
 F: OvmfPkg/RiscVVirt
@ -617,14 +626,15 @@ F: StandaloneMmPkg/
 M: Ard Biesheuvel <ardb+tianocore@kernel.org> [ardbiesheuvel]
 M: Sami Mujawar <sami.mujawar@arm.com> [samimujawar]
 M: Ray Ni <ray.ni@intel.com> [niruiyu]
+R: Jiaxin Wu <jiaxin.wu@intel.com> [jiaxinwu]

 UefiCpuPkg
 F: UefiCpuPkg/
 W: https://github.com/tianocore/tianocore.github.io/wiki/UefiCpuPkg
 M: Ray Ni <ray.ni@intel.com> [niruiyu]
-M: Laszlo Ersek <lersek@redhat.com> [lersek]
 R: Rahul Kumar <rahul1.kumar@intel.com> [rahul1-kumar]
 R: Gerd Hoffmann <kraxel@redhat.com> [kraxel]
+R: Jiaxin Wu <jiaxin.wu@intel.com> [jiaxinwu]

 UefiCpuPkg: Sec related modules
 F: UefiCpuPkg/SecCore/
--- a/MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBus.c
+++ b/MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBus.c
@ -1483,7 +1483,9 @@ AtaDiskInfoWhichIde (
  function shall return EFI_DEVICE_ERROR.

  @param  This                         Indicates a pointer to the calling context.
-  @param  MediaId                      ID of the medium to receive data from.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
  @param  Timeout                      The timeout, in 100ns units, to use for the execution
                                       of the security protocol command. A Timeout value of 0
                                       means that this function will wait indefinitely for the
@ -1600,7 +1602,9 @@ AtaStorageSecurityReceiveData (
  shall return EFI_DEVICE_ERROR.

  @param  This                         Indicates a pointer to the calling context.
-  @param  MediaId                      ID of the medium to receive data from.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
  @param  Timeout                      The timeout, in 100ns units, to use for the execution
                                       of the security protocol command. A Timeout value of 0
                                       means that this function will wait indefinitely for the
--- a/MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBus.h
+++ b/MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBus.h
@ -927,7 +927,9 @@ AtaDiskInfoWhichIde (
  function shall return EFI_DEVICE_ERROR.

  @param  This                         Indicates a pointer to the calling context.
-  @param  MediaId                      ID of the medium to receive data from.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
  @param  Timeout                      The timeout, in 100ns units, to use for the execution
                                       of the security protocol command. A Timeout value of 0
                                       means that this function will wait indefinitely for the
@ -1007,7 +1009,9 @@ AtaStorageSecurityReceiveData (
  shall return EFI_DEVICE_ERROR.

  @param  This                         Indicates a pointer to the calling context.
-  @param  MediaId                      ID of the medium to receive data from.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
  @param  Timeout                      The timeout, in 100ns units, to use for the execution
                                       of the security protocol command. A Timeout value of 0
                                       means that this function will wait indefinitely for the
--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
+++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
@ -258,7 +258,8 @@ KeyboardEfiReset (
  @param This    Pointer to instance of EFI_SIMPLE_TEXT_INPUT_PROTOCOL
  @param Key     The output buffer for key value

-  @retval EFI_SUCCESS success to read key stroke
+  @retval EFI_SUCCESS      success to read key stroke
+  @retval EFI_UNSUPPORTED  The device does not support the ability to read keystroke data.
 **/
 EFI_STATUS
 EFIAPI
@ -433,6 +434,7 @@ KeyboardEfiResetEx (
    @retval EFI_DEVICE_ERROR      The keystroke information was not returned due to
                                  hardware errors.
    @retval EFI_INVALID_PARAMETER KeyData is NULL.
+    @retval EFI_UNSUPPORTED       The device does not support the ability to read keystroke data.

 **/
 EFI_STATUS
--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2Keyboard.h
+++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2Keyboard.h
@ -338,6 +338,7 @@ KeyboardEfiReset (
  @param Key     The output buffer for key value

  @retval EFI_SUCCESS success to read key stroke
+  @retval EFI_UNSUPPORTED  The device does not support the ability to read keystroke data.
 **/
 EFI_STATUS
 EFIAPI
@ -441,6 +442,8 @@ KeyboardEfiResetEx (
    @retval EFI_DEVICE_ERROR      - The keystroke information was not returned due to
                            hardware errors.
    @retval EFI_INVALID_PARAMETER - KeyData is NULL.
+    @retval EFI_UNSUPPORTED       - The device does not support the ability to read
+                            keystroke data.

 **/
 EFI_STATUS
--- a/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressBlockIo.c
+++ b/MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressBlockIo.c
@ -1699,7 +1699,9 @@ TrustTransferNvmeDevice (
  function shall return EFI_DEVICE_ERROR.

  @param  This                         Indicates a pointer to the calling context.
-  @param  MediaId                      ID of the medium to receive data from.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
  @param  Timeout                      The timeout, in 100ns units, to use for the execution
                                       of the security protocol command. A Timeout value of 0
                                       means that this function will wait indefinitely for the
@ -1812,7 +1814,9 @@ NvmeStorageSecurityReceiveData (
  shall return EFI_DEVICE_ERROR.

  @param  This                         Indicates a pointer to the calling context.
-  @param  MediaId                      ID of the medium to receive data from.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
  @param  Timeout                      The timeout, in 100ns units, to use for the execution
                                       of the security protocol command. A Timeout value of 0
                                       means that this function will wait indefinitely for the
--- a/Show More
+++ b/Show More