ArmVirtPkg/ArmVirtQemu: Add RngDxe driver

Add the RngDxe driver to the build, backed by either RNDR or TRNG, one
of which is expected to be available in most cases:
- RNDR is implemented by the 'max' CPU that QEMU implements in TCG mode
- TRNG is implemented by the KVM hypervisor, which backs QEMU's 'host'
  CPU

Other TCG modes (e.g., the 'cortex-a*' CPUs) implement neither, which
should prevent the RngDxe driver from dispatching entirely, resulting
in the same situation as before.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>

Committed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>

.github/workflows/codeql.yml

@@ -79,7 +79,7 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Install Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: '3.11'
         cache: 'pip'
@@ -136,15 +136,26 @@ jobs:
             print(f'ci_setup_supported={str(ci_setup_supported).lower()}', file=fh)
             print(f'setup_supported={str(setup_supported).lower()}', file=fh)
 
+    - name: Convert Arch to Log Format
+      id: convert_arch_hyphen
+      env:
+        ARCH_LIST: ${{ matrix.ArchList }}
+      shell: python
+      run: |
+        import os
+
+        with open(os.environ['GITHUB_OUTPUT'], 'a') as fh:
+            print(f'arch_list={os.environ["ARCH_LIST"].replace(",", "-")}', file=fh)
+
     - name: Setup
       if: steps.get_ci_file_operations.outputs.setup_supported == 'true'
       run: stuart_setup -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019
 
     - name: Upload Setup Log As An Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: (success() || failure()) && steps.get_ci_file_operations.outputs.setup_supported == 'true'
       with:
-        name: ${{ matrix.Package }}-Logs
+        name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-Setup-Log
         path: |
           **/SETUPLOG.txt
           retention-days: 7
@@ -155,10 +166,10 @@ jobs:
       run: stuart_ci_setup -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019
 
     - name: Upload CI Setup Log As An Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: (success() || failure()) && steps.get_ci_file_operations.outputs.ci_setup_supported == 'true'
       with:
-        name: ${{ matrix.Package }}-Logs
+        name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-CI-Setup-Log
         path: |
           **/CISETUP.txt
           retention-days: 7
@@ -168,10 +179,10 @@ jobs:
       run: stuart_update -c .pytool/CISettings.py -t DEBUG -a ${{ matrix.ArchList }} TOOL_CHAIN_TAG=VS2019
 
     - name: Upload Update Log As An Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: success() || failure()
       with:
-        name: ${{ matrix.Package }}-Logs
+        name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-Update-Log
         path: |
           **/UPDATE_LOG.txt
         retention-days: 7
@@ -228,7 +239,7 @@ jobs:
 
     - name: Attempt to Load CodeQL CLI From Cache
       id: codeqlcli_cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ${{ steps.cache_key_gen.outputs.codeql_cli_ext_dep_dir }}
         key: ${{ steps.cache_key_gen.outputs.codeql_cli_cache_key }}
@@ -284,10 +295,10 @@ jobs:
         delete_dirs(build_path)
 
     - name: Upload Build Logs As An Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: success() || failure()
       with:
-        name: ${{ matrix.Package }}-Logs
+        name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-Build-Logs
         path: |
           **/BUILD_REPORT.TXT
           **/OVERRIDELOG.TXT
@@ -329,10 +340,10 @@ jobs:
                 print(f'upload_sarif_file=false', file=fh)
 
     - name: Upload CodeQL Results (SARIF) As An Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: steps.env_data.outputs.upload_sarif_file == 'true'
       with:
-        name: ${{ matrix.Package }}-CodeQL-SARIF
+        name: ${{ matrix.Package }}-${{ steps.convert_arch_hyphen.outputs.arch_list }}-CodeQL-SARIF
         path: |
           ${{ steps.env_data.outputs.emacs_file_path }}
           ${{ steps.env_data.outputs.sarif_file_path }}
@@ -340,7 +351,7 @@ jobs:
         if-no-files-found: warn
 
     - name: Upload CodeQL Results (SARIF) To GitHub Code Scanning
-      uses: github/codeql-action/upload-sarif@v2
+      uses: github/codeql-action/upload-sarif@v3
       if: steps.env_data.outputs.upload_sarif_file == 'true'
       with:
         # Path to SARIF file relative to the root of the repository.

.gitmodules

@@ -35,3 +35,6 @@
 [submodule "CryptoPkg/Library/MbedTlsLib/mbedtls"]
 	path = CryptoPkg/Library/MbedTlsLib/mbedtls
 	url = https://github.com/ARMmbed/mbedtls
+[submodule "SecurityPkg/DeviceSecurity/SpdmLib/libspdm"]
+	path = SecurityPkg/DeviceSecurity/SpdmLib/libspdm
+	url = https://github.com/DMTF/libspdm.git

.pytool/CISettings.py

@@ -237,6 +237,8 @@ class Settings(CiBuildSettingsManager, UpdateSettingsManager, SetupSettingsManag
             "MdePkg/Library/MipiSysTLib/mipisyst", False))
         rs.append(RequiredSubmodule(
             "CryptoPkg/Library/MbedTlsLib/mbedtls", False))
+        rs.append(RequiredSubmodule(
+            "SecurityPkg/DeviceSecurity/SpdmLib/libspdm", False))
         return rs
 
     def GetName(self):

ArmPkg/ArmPkg.dec

@@ -139,11 +139,6 @@
   # Define if the GICv3 controller should use the GICv2 legacy
   gArmTokenSpaceGuid.PcdArmGicV3WithV2Legacy|FALSE|BOOLEAN|0x00000042
 
-  ## Define the conduit to use for monitor calls.
-  # Default PcdMonitorConduitHvc = FALSE, conduit = SMC
-  # If PcdMonitorConduitHvc = TRUE, conduit = HVC
-  gArmTokenSpaceGuid.PcdMonitorConduitHvc|FALSE|BOOLEAN|0x00000047
-
   # Whether to remap all unused memory NX before installing the CPU arch
   # protocol driver. This is needed on platforms that map all DRAM with RWX
   # attributes initially, and can be disabled otherwise.
@@ -317,6 +312,11 @@
   gArmTokenSpaceGuid.PcdSystemBiosRelease|0xFFFF|UINT16|0x30000058
   gArmTokenSpaceGuid.PcdEmbeddedControllerFirmwareRelease|0xFFFF|UINT16|0x30000059
 
+  ## Define the conduit to use for monitor calls.
+  # Default PcdMonitorConduitHvc = FALSE, conduit = SMC
+  # If PcdMonitorConduitHvc = TRUE, conduit = HVC
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|FALSE|BOOLEAN|0x00000047
+
 [PcdsFixedAtBuild.common, PcdsDynamic.common]
   #
   # ARM Architectural Timer

ArmPkg/Include/Chipset/ArmCortexA5x.h

@@ -1,44 +0,0 @@
-/** @file
-
-  Copyright (c) 2012 - 2021, Arm Limited. All rights reserved.<BR>
-
-  SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef ARM_CORTEX_A5X_H_
-#define ARM_CORTEX_A5X_H_
-
-//
-// Cortex A5x feature bit definitions
-//
-#define A5X_FEATURE_SMP  (1 << 6)
-
-//
-// Helper functions to access CPU Extended Control Register
-//
-UINT64
-EFIAPI
-ArmReadCpuExCr (
-  VOID
-  );
-
-VOID
-EFIAPI
-ArmWriteCpuExCr (
-  IN  UINT64  Val
-  );
-
-VOID
-EFIAPI
-ArmSetCpuExCrBit (
-  IN  UINT64  Bits
-  );
-
-VOID
-EFIAPI
-ArmUnsetCpuExCrBit (
-  IN  UINT64  Bits
-  );
-
-#endif // ARM_CORTEX_A5X_H_

ArmPkg/Include/Chipset/ArmCortexA9.h

@@ -1,57 +0,0 @@
-/** @file
-
-  Copyright (c) 2011, ARM Limited. All rights reserved.
-
-  SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef ARM_CORTEX_A9_H_
-#define ARM_CORTEX_A9_H_
-
-#include <Chipset/ArmV7.h>
-
-//
-// Cortex A9 feature bit definitions
-//
-#define A9_FEATURE_PARITY  (1<<9)
-#define A9_FEATURE_AOW     (1<<8)
-#define A9_FEATURE_EXCL    (1<<7)
-#define A9_FEATURE_SMP     (1<<6)
-#define A9_FEATURE_FOZ     (1<<3)
-#define A9_FEATURE_DPREF   (1<<2)
-#define A9_FEATURE_HINT    (1<<1)
-#define A9_FEATURE_FWD     (1<<0)
-
-//
-// Cortex A9 Watchdog
-//
-#define ARM_A9_WATCHDOG_REGION  0x600
-
-#define ARM_A9_WATCHDOG_LOAD_REGISTER     0x20
-#define ARM_A9_WATCHDOG_CONTROL_REGISTER  0x28
-
-#define ARM_A9_WATCHDOG_WATCHDOG_MODE  (1 << 3)
-#define ARM_A9_WATCHDOG_TIMER_MODE     (0 << 3)
-#define ARM_A9_WATCHDOG_SINGLE_SHOT    (0 << 1)
-#define ARM_A9_WATCHDOG_AUTORELOAD     (1 << 1)
-#define ARM_A9_WATCHDOG_ENABLE         1
-
-//
-// SCU register offsets & masks
-//
-#define A9_SCU_CONTROL_OFFSET     0x0
-#define A9_SCU_CONFIG_OFFSET      0x4
-#define A9_SCU_INVALL_OFFSET      0xC
-#define A9_SCU_FILT_START_OFFSET  0x40
-#define A9_SCU_FILT_END_OFFSET    0x44
-#define A9_SCU_SACR_OFFSET        0x50
-#define A9_SCU_SSACR_OFFSET       0x54
-
-UINTN
-EFIAPI
-ArmGetScuBaseAddress (
-  VOID
-  );
-
-#endif // ARM_CORTEX_A9_H_

ArmPkg/Include/Library/ArmGicArchLib.h

@@ -1,9 +1,15 @@
 /** @file
 *
 *  Copyright (c) 2015, Linaro Ltd. All rights reserved.
+*  Copyright (c) 2024, Arm Limited. All rights reserved.
 *
 *  SPDX-License-Identifier: BSD-2-Clause-Patent
 *
+*  @par Reference(s):
+*  - Arm Generic Interrupt Controller Architecture Specification,
+*    Issue H, January 2022.
+*    (https://developer.arm.com/documentation/ihi0069/)
+*
 **/
 
 #ifndef ARM_GIC_ARCH_LIB_H_
@@ -23,4 +29,12 @@ ArmGicGetSupportedArchRevision (
   VOID
   );
 
+//
+// GIC SPI and extended SPI ranges
+//
+#define ARM_GIC_ARCH_SPI_MIN      32
+#define ARM_GIC_ARCH_SPI_MAX      1019
+#define ARM_GIC_ARCH_EXT_SPI_MIN  4096
+#define ARM_GIC_ARCH_EXT_SPI_MAX  5119
+
 #endif // ARM_GIC_ARCH_LIB_H_

ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c

@@ -26,7 +26,7 @@ ArmMonitorCall (
   IN OUT ARM_MONITOR_ARGS  *Args
   )
 {
-  if (FeaturePcdGet (PcdMonitorConduitHvc)) {
+  if (PcdGetBool (PcdMonitorConduitHvc)) {
     ArmCallHvc ((ARM_HVC_ARGS *)Args);
   } else {
     ArmCallSmc ((ARM_SMC_ARGS *)Args);

ArmPlatformPkg/PrePeiCore/PrePeiCore.h

@@ -73,14 +73,4 @@ PeiCommonExceptionEntry (
   IN UINTN   LR
   );
 
-/*
- * Autogenerated function that calls the library constructors for all of the
- * module's dependent libraries.
- */
-VOID
-EFIAPI
-ProcessLibraryConstructorList (
-  VOID
-  );
-
 #endif

ArmPlatformPkg/PrePeiCore/PrePeiCoreMPCore.inf

@@ -8,7 +8,7 @@
 #**/
 
 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
   BASE_NAME                      = ArmPlatformPrePeiCore
   FILE_GUID                      = b78d02bb-d0b5-4389-bc7f-b39ee846c784
   MODULE_TYPE                    = SEC

ArmPlatformPkg/PrePeiCore/PrePeiCoreUniCore.inf

@@ -8,7 +8,7 @@
 #**/
 
 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
   BASE_NAME                      = ArmPlatformPrePeiCore
   FILE_GUID                      = 469fc080-aec1-11df-927c-0002a5d5c51b
   MODULE_TYPE                    = SEC

ArmPlatformPkg/PrePi/PeiMPCore.inf

@@ -8,7 +8,7 @@
 #**/
 
 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
   BASE_NAME                      = ArmPlatformPrePiMPCore
   FILE_GUID                      = d959e387-7b91-452c-90e0-a1dbac90ddb8
   MODULE_TYPE                    = SEC

ArmPlatformPkg/PrePi/PeiUniCore.inf

@@ -9,7 +9,7 @@
 #**/
 
 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
   BASE_NAME                      = ArmPlatformPrePiUniCore
   FILE_GUID                      = 3e401783-cc94-4fcd-97bc-bd35ac369d2f
   MODULE_TYPE                    = SEC

ArmPlatformPkg/PrePi/PrePi.h

@@ -79,10 +79,4 @@ ArchInitialize (
   VOID
   );
 
-VOID
-EFIAPI
-ProcessLibraryConstructorList (
-  VOID
-  );
-
 #endif /* _PREPI_H_ */

ArmVirtPkg/ArmVirt.dsc.inc

@@ -156,7 +156,9 @@
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
 !endif
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-  RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+  RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+  ArmTrngLib|ArmPkg/Library/ArmTrngLib/ArmTrngLib.inf
+  ArmMonitorLib|ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf
 
   #
   # Secure Boot dependencies
@@ -266,6 +268,7 @@
 
 [LibraryClasses.ARM]
   ArmSoftFloatLib|ArmPkg/Library/ArmSoftFloatLib/ArmSoftFloatLib.inf
+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
 
 [BuildOptions]
   GCC:RELEASE_*_*_CC_FLAGS  = -DMDEPKG_NDEBUG

ArmVirtPkg/ArmVirtCloudHv.dsc

@@ -201,6 +201,9 @@
 [PcdsDynamicHii]
   gUefiOvmfPkgTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gOvmfVariableGuid|0x0|FALSE|NV,BS
 
+[PcdsPatchableInModule.common]
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 ################################################################################
 #
 # Components Section - list of all EDK II Modules needed by this Platform

ArmVirtPkg/ArmVirtKvmTool.dsc

@@ -126,8 +126,6 @@
   # Use MMIO for accessing RTC controller registers.
   gPcAtChipsetPkgTokenSpaceGuid.PcdRtcUseMmio|TRUE
 
-  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
-
 [PcdsFixedAtBuild.common]
   gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000000F
 
@@ -167,6 +165,8 @@
   #
   gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16
 
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 [PcdsPatchableInModule.common]
   #
   # This will be overridden in the code

ArmVirtPkg/ArmVirtQemu.dsc

@@ -49,10 +49,10 @@
 
 !include NetworkPkg/NetworkDefines.dsc.inc
 
-!include ArmVirtPkg/ArmVirt.dsc.inc
-
 !include MdePkg/MdeLibs.dsc.inc
 
+!include ArmVirtPkg/ArmVirt.dsc.inc
+
 [LibraryClasses.common]
   ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
   ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuBaseLib.inf
@@ -60,7 +60,7 @@
   # Virtio Support
   VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
   VirtioMmioDeviceLib|OvmfPkg/Library/VirtioMmioDeviceLib/VirtioMmioDeviceLib.inf
-  QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLibMmio.inf
+  QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgMmioDxeLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/BaseQemuFwCfgS3LibNull.inf
   QemuFwCfgSimpleParserLib|OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParserLib.inf
   QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
@@ -124,8 +124,6 @@
 [BuildOptions]
 !if $(CAVIUM_ERRATUM_27456) == TRUE
   GCC:*_*_AARCH64_PP_FLAGS = -DCAVIUM_ERRATUM_27456
-!else
-  GCC:*_*_AARCH64_CC_XIPFLAGS ==
 !endif
 
 !include NetworkPkg/NetworkBuildOptions.dsc.inc
@@ -295,6 +293,10 @@
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
 
+  # whether to use HVC or SMC to issue monitor calls - this typically depends
+  # on the exception level at which the UEFI system firmware executes
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
   #
   # TPM2 support
   #
@@ -320,11 +322,7 @@
   gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|L"Timeout"|gEfiGlobalVariableGuid|0x0|5
 
 [LibraryClasses.common.PEI_CORE, LibraryClasses.common.PEIM]
-!if $(TPM2_ENABLE) == TRUE
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
-!else
-  PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
-!endif
 
 ################################################################################
 #
@@ -341,11 +339,11 @@
   ArmVirtPkg/MemoryInitPei/MemoryInitPeim.inf
   ArmPkg/Drivers/CpuPei/CpuPei.inf
 
-!if $(TPM2_ENABLE) == TRUE
   MdeModulePkg/Universal/PCD/Pei/Pcd.inf {
     <LibraryClasses>
       PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
   }
+!if $(TPM2_ENABLE) == TRUE
   MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf {
     <LibraryClasses>
       ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
@@ -434,6 +432,7 @@
       BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
   }
   MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
 
   #
   # Status Code Routing
@@ -556,6 +555,11 @@
   MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
 
+  #
+  # Hash2 Protocol Support
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
   #
   # TPM2 support
   #

ArmVirtPkg/ArmVirtQemu.fdf

@@ -111,8 +111,8 @@ READ_LOCK_STATUS   = TRUE
   INF ArmPkg/Drivers/CpuPei/CpuPei.inf
   INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 
-!if $(TPM2_ENABLE) == TRUE
   INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf
+!if $(TPM2_ENABLE) == TRUE
   INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
   INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
   INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf

ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc

@@ -75,6 +75,7 @@ READ_LOCK_STATUS   = TRUE
   INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf
   INF OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf
   INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
+  INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
 
   #
   # FAT filesystem + GPT/MBR partitioning + UDF filesystem + virtio-fs
@@ -177,6 +178,11 @@ READ_LOCK_STATUS   = TRUE
   INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
   INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
 
+  #
+  # Hash2 Protocol producer
+  #
+  INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
   #
   # TPM2 support
   #

ArmVirtPkg/ArmVirtQemuKernel.dsc

@@ -46,10 +46,10 @@
 
 !include NetworkPkg/NetworkDefines.dsc.inc
 
-!include ArmVirtPkg/ArmVirt.dsc.inc
-
 !include MdePkg/MdeLibs.dsc.inc
 
+!include ArmVirtPkg/ArmVirt.dsc.inc
+
 [LibraryClasses.common]
   ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
   ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuBaseLib.inf
@@ -57,7 +57,7 @@
   # Virtio Support
   VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf
   VirtioMmioDeviceLib|OvmfPkg/Library/VirtioMmioDeviceLib/VirtioMmioDeviceLib.inf
-  QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLibMmio.inf
+  QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgMmioDxeLib.inf
   QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/BaseQemuFwCfgS3LibNull.inf
   QemuFwCfgSimpleParserLib|OvmfPkg/Library/QemuFwCfgSimpleParserLib/QemuFwCfgSimpleParserLib.inf
   QemuLoadImageLib|OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.inf
@@ -203,6 +203,8 @@
   gArmTokenSpaceGuid.PcdFdBaseAddress|0x0
   gArmTokenSpaceGuid.PcdFvBaseAddress|0x0
 
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 [PcdsDynamicDefault.common]
   gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|3
 
@@ -339,6 +341,7 @@
       BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
   }
   MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
 
   #
   # Status Code Routing
@@ -461,6 +464,11 @@
   MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
 
+  #
+  # Hash2 Protocol Support
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
   #
   # ACPI Support
   #

ArmVirtPkg/ArmVirtXen.dsc

@@ -23,10 +23,10 @@
   SKUID_IDENTIFIER               = DEFAULT
   FLASH_DEFINITION               = ArmVirtPkg/ArmVirtXen.fdf
 
-!include ArmVirtPkg/ArmVirt.dsc.inc
-
 !include MdePkg/MdeLibs.dsc.inc
 
+!include ArmVirtPkg/ArmVirt.dsc.inc
+
 [LibraryClasses]
   SerialPortLib|OvmfPkg/Library/XenConsoleSerialPortLib/XenConsoleSerialPortLib.inf
 !if $(TARGET) != RELEASE
@@ -120,6 +120,8 @@
   gArmTokenSpaceGuid.PcdFdBaseAddress|0x0
   gArmTokenSpaceGuid.PcdFvBaseAddress|0x0
 
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 [PcdsDynamicDefault.common]
 
   gArmTokenSpaceGuid.PcdArmArchTimerSecIntrNum|0x0

ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c

@@ -18,6 +18,8 @@
 #include <Library/FdtSerialPortAddressLib.h>
 #include <libfdt.h>
 
+#include <Chipset/AArch64.h>
+
 #include <Guid/EarlyPL011BaseAddress.h>
 #include <Guid/FdtHob.h>
 
@@ -224,5 +226,17 @@ PlatformPeim (
 
   BuildFvHob (PcdGet64 (PcdFvBaseAddress), PcdGet32 (PcdFvSize));
 
+ #ifdef MDE_CPU_AARCH64
+  //
+  // Set the SMCCC conduit to SMC if executing at EL2, which is typically the
+  // exception level that services HVCs rather than the one that invokes them.
+  //
+  if (ArmReadCurrentEL () == AARCH64_EL2) {
+    Status = PcdSetBoolS (PcdMonitorConduitHvc, FALSE);
+    ASSERT_EFI_ERROR (Status);
+  }
+
+ #endif
+
   return EFI_SUCCESS;
 }

ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf

@@ -45,6 +45,7 @@
 
 [Pcd]
   gArmTokenSpaceGuid.PcdFvBaseAddress
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress             ## SOMETIMES_PRODUCES
   gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
 

ArmVirtPkg/PlatformCI/PlatformBuildLib.py

@@ -240,6 +240,8 @@ class PlatformBuilder(UefiBuilder, BuildSettingsManager):
         args += " -serial stdio"
         # Mount disk with startup.nsh
         args += f" -drive file=fat:rw:{VirtualDrive},format=raw,media=disk"
+        # Provides Rng services to the Guest VM
+        args += " -device virtio-rng-pci"
 
         # Conditional Args
         if (self.env.GetValue("QEMU_HEADLESS").upper() == "TRUE"):

ArmVirtPkg/PrePi/ArmVirtPrePiUniCoreRelocatable.inf

@@ -8,7 +8,7 @@
 #**/
 
 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
   BASE_NAME                      = ArmVirtPrePiUniCoreRelocatable
   FILE_GUID                      = f7d9fd14-9335-4389-80c5-334d6abfcced
   MODULE_TYPE                    = SEC

ArmVirtPkg/PrePi/PrePi.c

@@ -22,12 +22,6 @@
 
 #include "PrePi.h"
 
-VOID
-EFIAPI
-ProcessLibraryConstructorList (
-  VOID
-  );
-
 VOID
 PrePiMain (
   IN  UINTN   UefiMemoryBase,

ArmVirtPkg/XenAcpiPlatformDxe/XenAcpiPlatformDxe.c

@@ -128,10 +128,12 @@ InstallXenArmTables (
   EFI_ACPI_DESCRIPTION_HEADER                   *Xsdt;
   EFI_ACPI_2_0_FIXED_ACPI_DESCRIPTION_TABLE     *FadtTable;
   EFI_ACPI_DESCRIPTION_HEADER                   *DsdtTable;
+  EFI_ACPI_3_0_FIRMWARE_ACPI_CONTROL_STRUCTURE  *FacsTable;
 
   XenAcpiRsdpStructurePtr = NULL;
   FadtTable               = NULL;
   DsdtTable               = NULL;
+  FacsTable               = NULL;
   TableHandle             = 0;
   NumberOfTableEntries    = 0;
 
@@ -191,6 +193,8 @@ InstallXenArmTables (
         FadtTable = (EFI_ACPI_2_0_FIXED_ACPI_DESCRIPTION_TABLE *)
                     (UINTN)CurrentTablePointer;
         DsdtTable = (EFI_ACPI_DESCRIPTION_HEADER *)(UINTN)FadtTable->Dsdt;
+        FacsTable = (EFI_ACPI_3_0_FIRMWARE_ACPI_CONTROL_STRUCTURE *)
+                    (UINTN)FadtTable->FirmwareCtrl;
       }
     }
   }
@@ -198,14 +202,31 @@ InstallXenArmTables (
   //
   // Install DSDT table.
   //
-  Status = AcpiProtocol->InstallAcpiTable (
+  if (DsdtTable != NULL) {
-                           AcpiProtocol,
+    Status = AcpiProtocol->InstallAcpiTable (
-                           DsdtTable,
+                             AcpiProtocol,
-                           DsdtTable->Length,
+                             DsdtTable,
-                           &TableHandle
+                             DsdtTable->Length,
-                           );
+                             &TableHandle
-  if (EFI_ERROR (Status)) {
+                             );
-    return Status;
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+  }
+
+  //
+  // Install FACS table.
+  //
+  if (FacsTable != NULL) {
+    Status = AcpiProtocol->InstallAcpiTable (
+                             AcpiProtocol,
+                             FacsTable,
+                             FacsTable->Length,
+                             &TableHandle
+                             );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
   }
 
   return EFI_SUCCESS;

BaseTools/Plugin/CodeQL/codeqlcli_ext_dep.yaml

@@ -16,9 +16,9 @@
   "scope": "codeql-ext-dep",
   "type": "web",
   "name": "codeql_cli",
-  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.12.4/codeql.zip",
+  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.17.3/codeql.zip",
-  "version": "2.12.4",
+  "version": "2.17.3",
-  "sha256": "f682f1155d627ad97f10b1bcad97f682011986717bd3823e9cf831ed83ac96e7",
+  "sha256": "e5ac1d87ab38e405c9af5db234a338b10dffabc98a648903f1664dd2a566dfd5",
   "compression_type": "zip",
   "internal_path": "/codeql/",
   "flags": ["set_shell_var", ],

BaseTools/Plugin/CodeQL/codeqlcli_linux_ext_dep.yaml

@@ -14,9 +14,9 @@
   "scope": "codeql-linux-ext-dep",
   "type": "web",
   "name": "codeql_linux_cli",
-  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.14.5/codeql-linux64.zip",
+  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.17.3/codeql-linux64.zip",
-  "version": "2.14.5",
+  "version": "2.17.3",
-  "sha256": "72aa5d748ff9ab57cfd86045560683bdc4897e0fe6d9f9a2786d9394674ae733",
+  "sha256": "9fba000c4b821534d354bc16821aa066fdb1304446226ea449870e64a8ad3c7a",
   "compression_type": "zip",
   "internal_path": "/codeql/",
   "flags": ["set_shell_var", ],

BaseTools/Plugin/CodeQL/codeqlcli_windows_ext_dep.yaml

@@ -14,9 +14,9 @@
   "scope": "codeql-windows-ext-dep",
   "type": "web",
   "name": "codeql_windows_cli",
-  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.14.5/codeql-win64.zip",
+  "source": "https://github.com/github/codeql-cli-binaries/releases/download/v2.17.3/codeql-win64.zip",
-  "version": "2.14.5",
+  "version": "2.17.3",
-  "sha256": "861fcb38365cc311efee0c3a28c77494e93c69a969885b72e53173ad473f61aa",
+  "sha256": "4c6fbf2ea2eaf0f47bf0347eacf54c6b9d6bdf7acb6b63e17f9e6f2dd83b34e7",
   "compression_type": "zip",
   "internal_path": "/codeql/",
   "flags": ["set_shell_var", ],

BaseTools/Scripts/GetUtcDateTime.py

@@ -29,7 +29,7 @@ def Main():
         print ("ERROR: At least one argument is required!\n")
         PARSER.print_help()
 
-    today = datetime.datetime.utcnow()
+    today = datetime.datetime.now(datetime.timezone.utc)
     if ARGS.year:
         ReversedNumber = str(today.year)[::-1]
         print (''.join(hex(ord(HexString))[2:] for HexString in ReversedNumber))

BaseTools/Scripts/PatchCheck.py

@@ -28,6 +28,7 @@ class Verbose:
 
 class PatchCheckConf:
     ignore_change_id = False
+    ignore_multi_package = False
 
 class EmailAddressCheck:
     """Checks an email address."""
@@ -85,7 +86,11 @@ class EmailAddressCheck:
             self.error("The email address cannot contain a space: " +
                        mo.group(3))
 
-        if ' via Groups.Io' in name and mo.group(3).endswith('@groups.io'):
+        if mo.group(3) == 'devel@edk2.groups.io':
+            self.error("Email rewritten by lists DMARC / DKIM / SPF: " +
+                       email)
+
+        if ' via groups.io' in name.lower() and mo.group(3).endswith('@groups.io'):
             self.error("Email rewritten by lists DMARC / DKIM / SPF: " +
                        email)
 
@@ -94,6 +99,7 @@ class CommitMessageCheck:
 
     def __init__(self, subject, message, author_email):
         self.ok = True
+        self.ignore_multi_package = False
 
         if subject is None and  message is None:
             self.error('Commit message is missing!')
@@ -116,6 +122,7 @@ class CommitMessageCheck:
             self.check_overall_format()
             if not PatchCheckConf.ignore_change_id:
                 self.check_change_id_format()
+            self.check_ci_options_format()
         self.report_message_result()
 
     url = 'https://github.com/tianocore/tianocore.github.io/wiki/Commit-Message-Format'
@@ -198,7 +205,7 @@ class CommitMessageCheck:
             if s[2] != ' ':
                 self.error("There should be a space after '" + sig + ":'")
 
-            EmailAddressCheck(s[3], sig)
+            self.ok &= EmailAddressCheck(s[3], sig).ok
 
         return sigs
 
@@ -225,8 +232,10 @@ class CommitMessageCheck:
         )
 
     def check_misc_signatures(self):
-        for sig in self.sig_types:
+        for sigtype in self.sig_types:
-            self.find_signatures(sig)
+            sigs = self.find_signatures(sigtype)
+            if sigtype == 'Cc' and len(sigs) == 0:
+                self.error('No Cc: tags for maintainers/reviewers found!')
 
     cve_re = re.compile('CVE-[0-9]{4}-[0-9]{5}[^0-9]')
 
@@ -318,6 +327,15 @@ class CommitMessageCheck:
             self.error('\"%s\" found in commit message:' % cid)
             return
 
+    def check_ci_options_format(self):
+        cio='Continuous-integration-options:'
+        for line in self.msg.splitlines():
+            if not line.startswith(cio):
+                continue
+            options = line.split(':', 1)[1].split()
+            if 'PatchCheck.ignore-multi-package' in options:
+                self.ignore_multi_package = True
+
 (START, PRE_PATCH, PATCH) = range(3)
 
 class GitDiffCheck:
@@ -555,6 +573,7 @@ class CheckOnePatch:
 
         msg_check = CommitMessageCheck(self.commit_subject, self.commit_msg, self.author_email)
         msg_ok = msg_check.ok
+        self.ignore_multi_package = msg_check.ignore_multi_package
 
         diff_ok = True
         if self.diff is not None:
@@ -665,6 +684,7 @@ class CheckGitCommits:
     """
 
     def __init__(self, rev_spec, max_count):
+        dec_files = self.read_dec_files_from_git()
         commits = self.read_commit_list_from_git(rev_spec, max_count)
         if len(commits) == 1 and Verbose.level > Verbose.ONELINE:
             commits = [ rev_spec ]
@@ -680,10 +700,66 @@ class CheckGitCommits:
             email = self.read_committer_email_address_from_git(commit)
             self.ok &= EmailAddressCheck(email, 'Committer').ok
             patch = self.read_patch_from_git(commit)
-            self.ok &= CheckOnePatch(commit, patch).ok
+            check_patch = CheckOnePatch(commit, patch)
+            self.ok &= check_patch.ok
+            ignore_multi_package = check_patch.ignore_multi_package
+            if PatchCheckConf.ignore_multi_package:
+                ignore_multi_package = True
+            prefix = 'WARNING: ' if ignore_multi_package else ''
+            check_parent = self.check_parent_packages (dec_files, commit, prefix)
+            if not ignore_multi_package:
+                self.ok &= check_parent
+
         if not commits:
             print("Couldn't find commit matching: '{}'".format(rev_spec))
 
+    def check_parent_packages(self, dec_files, commit, prefix):
+        ok = True
+        modified = self.get_parent_packages (dec_files, commit, 'AM')
+        if len (modified) > 1:
+            print("{}The commit adds/modifies files in multiple packages:".format(prefix))
+            print(" *", '\n * '.join(modified))
+            ok = False
+        deleted = self.get_parent_packages (dec_files, commit, 'D')
+        if len (deleted) > 1:
+            print("{}The commit deletes files from multiple packages:".format(prefix))
+            print(" *", '\n * '.join(deleted))
+            ok = False
+        return ok
+
+    def get_parent_packages(self, dec_files, commit, filter):
+        filelist = self.read_files_modified_from_git (commit, filter)
+        parents = set()
+        for file in filelist:
+            dec_found = False
+            for dec_file in dec_files:
+                if os.path.commonpath([dec_file, file]):
+                    dec_found = True
+                    parents.add(dec_file)
+            if not dec_found and os.path.dirname (file):
+                # No DEC file found and file is in a subdir
+                # Covers BaseTools, .github, .azurepipelines, .pytool
+                parents.add(file.split('/')[0])
+        return list(parents)
+
+    def read_dec_files_from_git(self):
+        # run git ls-files *.dec
+        out = self.run_git('ls-files', '*.dec')
+        # return list of .dec files
+        try:
+            return out.split()
+        except:
+            return []
+
+    def read_files_modified_from_git(self, commit, filter):
+        # run git diff-tree --no-commit-id --name-only -r <commit>
+        out = self.run_git('diff-tree', '--no-commit-id', '--name-only',
+                           '--diff-filter=' + filter, '-r', commit)
+        try:
+            return out.split()
+        except:
+            return []
+
     def read_commit_list_from_git(self, rev_spec, max_count):
         # Run git to get the commit patch
         cmd = [ 'rev-list', '--abbrev-commit', '--no-walk' ]
@@ -794,6 +870,9 @@ class PatchCheckApp:
         group.add_argument("--ignore-change-id",
                            action="store_true",
                            help="Ignore the presence of 'Change-Id:' tags in commit message")
+        group.add_argument("--ignore-multi-package",
+                           action="store_true",
+                           help="Ignore if commit modifies files in multiple packages")
         self.args = parser.parse_args()
         if self.args.oneline:
             Verbose.level = Verbose.ONELINE
@@ -801,6 +880,8 @@ class PatchCheckApp:
             Verbose.level = Verbose.SILENT
         if self.args.ignore_change_id:
             PatchCheckConf.ignore_change_id = True
+        if self.args.ignore_multi_package:
+            PatchCheckConf.ignore_multi_package = True
 
 if __name__ == "__main__":
     sys.exit(PatchCheckApp().retval)

BaseTools/Source/C/Include/Common/UefiInternalFormRepresentation.h

@@ -1556,7 +1556,17 @@ typedef enum {
   EfiKeyF12,
   EfiKeyPrint,
   EfiKeySLck,
-  EfiKeyPause
+  EfiKeyPause,
+  EfiKeyIntl0,
+  EfiKeyIntl1,
+  EfiKeyIntl2,
+  EfiKeyIntl3,
+  EfiKeyIntl4,
+  EfiKeyIntl5,
+  EfiKeyIntl6,
+  EfiKeyIntl7,
+  EfiKeyIntl8,
+  EfiKeyIntl9
 } EFI_KEY;
 
 typedef struct {

BaseTools/Source/Python/AutoGen/GenC.py

@@ -1371,6 +1371,14 @@ def CreateLibraryConstructorCode(Info, AutoGenC, AutoGenH):
     else:
         if Info.ModuleType in [SUP_MODULE_BASE, SUP_MODULE_SEC, SUP_MODULE_USER_DEFINED, SUP_MODULE_HOST_APPLICATION]:
             AutoGenC.Append(gLibraryString[SUP_MODULE_BASE].Replace(Dict))
+            if Info.ModuleType == SUP_MODULE_SEC and Info.AutoGenVersion >= 0x0001001E:
+                AutoGenH.Append(("\n"
+                                 "// ProcessLibraryConstructorList() declared here because SEC has no standard entry point.\n"
+                                 "VOID\n"
+                                 "EFIAPI\n"
+                                 "ProcessLibraryConstructorList (\n"
+                                 "  VOID\n"
+                                 "  );\n"))
         elif Info.ModuleType in SUP_MODULE_SET_PEI:
             AutoGenC.Append(gLibraryString['PEI'].Replace(Dict))
         elif Info.ModuleType in [SUP_MODULE_DXE_CORE, SUP_MODULE_DXE_DRIVER, SUP_MODULE_DXE_SMM_DRIVER, SUP_MODULE_DXE_RUNTIME_DRIVER,

BaseTools/Source/Python/FMMT/FMMT.py

@@ -37,7 +37,7 @@ parser.add_argument("-l", "--LayoutFileName", dest="LayoutFileName", nargs='+',
                         the file will be generated with default name (Layout_'InputFileName'.txt). \
                         Currently supports two formats: json, txt. More formats will be added in the future")
 parser.add_argument("-c", "--ConfigFilePath", dest="ConfigFilePath", nargs='+',
-                    help="Provide the target FmmtConf.ini file path: '-c C:\Code\FmmtConf.ini' \
+                    help="Provide the target FmmtConf.ini file path: '-c C:\\Code\\FmmtConf.ini' \
                         FmmtConf file saves the target guidtool used in compress/uncompress process.\
                         If do not provide, FMMT tool will search the inputfile folder for FmmtConf.ini firstly, if not found,\
                         the FmmtConf.ini saved in FMMT tool's folder will be used as default.")

BaseTools/Source/Python/GenFds/Capsule.py

@@ -1,6 +1,7 @@
 ## @file
 # generate capsule
 #
+#  Copyright (C) 2024 Advanced Micro Devices, Inc. All rights reserved.<BR>
 #  Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR>
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -78,6 +79,8 @@ class Capsule (CapsuleClassObject):
                     Flags |= 0x00010000
                 elif flag == 'InitiateReset':
                     Flags |= 0x00040000
+        if 'OEM_CAPSULE_FLAGS' in self.TokensDict:
+            Flags |= int(self.TokensDict['OEM_CAPSULE_FLAGS'],16)
         Header.write(pack('=I', Flags))
         #
         # typedef struct {

BaseTools/Source/Python/GenFds/FfsInfStatement.py

@@ -19,6 +19,7 @@ from .GenFdsGlobalVariable import GenFdsGlobalVariable
 from .Ffs import SectionSuffix,FdfFvFileTypeToFileType
 import subprocess
 import sys
+from pathlib import Path
 from . import Section
 from . import RuleSimpleFile
 from . import RuleComplexFile
@@ -92,7 +93,7 @@ class FfsInfStatement(FfsInfStatementClassObject):
 
                 if ModuleType != SUP_MODULE_USER_DEFINED and ModuleType != SUP_MODULE_HOST_APPLICATION:
                     for LibraryClass in PlatformDataBase.LibraryClasses.GetKeys():
-                        if LibraryClass.startswith("NULL") and PlatformDataBase.LibraryClasses[LibraryClass, ModuleType]:
+                        if LibraryClass.startswith("NULL") and LibraryClass[4:].isdigit() and PlatformDataBase.LibraryClasses[LibraryClass, ModuleType]:
                             self.InfModule.LibraryClasses[LibraryClass] = PlatformDataBase.LibraryClasses[LibraryClass, ModuleType]
 
                 StrModule = str(self.InfModule)
@@ -100,7 +101,7 @@ class FfsInfStatement(FfsInfStatementClassObject):
                 if StrModule in PlatformDataBase.Modules:
                     PlatformModule = PlatformDataBase.Modules[StrModule]
                     for LibraryClass in PlatformModule.LibraryClasses:
-                        if LibraryClass.startswith("NULL"):
+                        if LibraryClass.startswith("NULL") and LibraryClass[4:].isdigit():
                             self.InfModule.LibraryClasses[LibraryClass] = PlatformModule.LibraryClasses[LibraryClass]
 
                 DependencyList = [self.InfModule]
@@ -156,7 +157,12 @@ class FfsInfStatement(FfsInfStatementClassObject):
         if len(self.InfFileName) > 1 and self.InfFileName[0] == '\\' and self.InfFileName[1] == '\\':
             pass
         elif self.InfFileName[0] == '\\' or self.InfFileName[0] == '/' :
-            self.InfFileName = self.InfFileName[1:]
+            ws_path = Path(GenFdsGlobalVariable.WorkSpaceDir)
+            inf_path = Path(self.InfFileName)
+            if ws_path in inf_path.parents:
+                self.InfFileName = str(inf_path.relative_to(ws_path))
+            else:
+                self.InfFileName = self.InfFileName[1:]
 
         if self.InfFileName.find('$') == -1:
             InfPath = NormPath(self.InfFileName)

BaseTools/Source/Python/Workspace/DscBuildData.py

@@ -3033,7 +3033,7 @@ class DscBuildData(PlatformBuildClassObject):
             StructuredPcdsData["OBJECTS"][include_file] = os.path.getmtime(include_file)
             MakeApp += "$(OBJECTS) : %s\n" % include_file
         if sys.platform == "win32":
-            PcdValueCommonPath = os.path.normpath(mws.join(GlobalData.gGlobalDefines["EDK_TOOLS_PATH"], "Source\C\Common\PcdValueCommon.c"))
+            PcdValueCommonPath = os.path.normpath(mws.join(GlobalData.gGlobalDefines["EDK_TOOLS_PATH"], "Source\\C\\Common\\PcdValueCommon.c"))
             MakeApp = MakeApp + '%s\\PcdValueCommon.c : %s\n' % (self.OutputPath, PcdValueCommonPath)
             MakeApp = MakeApp + '\tcopy /y %s $@\n' % (PcdValueCommonPath)
         else:

BaseTools/Source/Python/Workspace/WorkspaceCommon.py

@@ -102,12 +102,12 @@ def GetModuleLibInstances(Module, Platform, BuildDatabase, Arch, Target, Toolcha
     #
     if Module.ModuleType != SUP_MODULE_USER_DEFINED:
         for LibraryClass in Platform.LibraryClasses.GetKeys():
-            if LibraryClass.startswith("NULL") and Platform.LibraryClasses[LibraryClass, Module.ModuleType]:
+            if LibraryClass.startswith("NULL") and LibraryClass[4:].isdigit() and Platform.LibraryClasses[LibraryClass, Module.ModuleType]:
                 Module.LibraryClasses[LibraryClass] = Platform.LibraryClasses[LibraryClass, Module.ModuleType]
 
     # add forced library instances (specified in module overrides)
     for LibraryClass in Platform.Modules[str(Module)].LibraryClasses:
-        if LibraryClass.startswith("NULL"):
+        if LibraryClass.startswith("NULL") and LibraryClass[4:].isdigit():
             Module.LibraryClasses[LibraryClass] = Platform.Modules[str(Module)].LibraryClasses[LibraryClass]
 
     # EdkII module
@@ -123,6 +123,8 @@ def GetModuleLibInstances(Module, Platform, BuildDatabase, Arch, Target, Toolcha
     while len(LibraryConsumerList) > 0:
         M = LibraryConsumerList.pop()
         for LibraryClassName in M.LibraryClasses:
+            if LibraryClassName.startswith("NULL") and LibraryClassName[4:].isdigit() and bool(M.LibraryClass):
+                continue
             if LibraryClassName not in LibraryInstance:
                 # override library instance for this module
                 LibraryPath = Platform.Modules[str(Module)].LibraryClasses.get(LibraryClassName,Platform.LibraryClasses[LibraryClassName, ModuleType])
@@ -139,7 +141,7 @@ def GetModuleLibInstances(Module, Platform, BuildDatabase, Arch, Target, Toolcha
 
                 LibraryModule = BuildDatabase[LibraryPath, Arch, Target, Toolchain]
                 # for those forced library instance (NULL library), add a fake library class
-                if LibraryClassName.startswith("NULL"):
+                if LibraryClassName.startswith("NULL") and LibraryClassName[4:].isdigit():
                     LibraryModule.LibraryClass.append(LibraryClassObject(LibraryClassName, [ModuleType]))
                 elif LibraryModule.LibraryClass is None \
                      or len(LibraryModule.LibraryClass) == 0 \

CryptoPkg/Driver/Crypto.c

@@ -3589,6 +3589,131 @@ CryptoServicePkcs1v2Encrypt (
   return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs1v2Encrypt, Pkcs1v2Encrypt, (PublicKey, PublicKeySize, InData, InDataSize, PrngSeed, PrngSeedSize, EncryptedData, EncryptedDataSize), FALSE);
 }
 
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+CryptoServiceRsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  return CALL_BASECRYPTLIB (Rsa.Services.RsaOaepEncrypt, RsaOaepEncrypt, (RsaContext, InData, InDataSize, PrngSeed, PrngSeedSize, DigestLen, EncryptedData, EncryptedDataSize), FALSE);
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+CryptoServicePkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs1v2Decrypt, Pkcs1v2Decrypt, (PrivateKey, PrivateKeySize, EncryptedData, EncryptedDataSize, OutData, OutDataSize), FALSE);
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+CryptoServiceRsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  return CALL_BASECRYPTLIB (Rsa.Services.RsaOaepDecrypt, RsaOaepDecrypt, (RsaContext, EncryptedData, EncryptedDataSize, DigestLen, OutData, OutDataSize), FALSE);
+}
+
 /**
   Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:
   Cryptographic Message Syntax Standard". The input signed data could be wrapped
@@ -6987,5 +7112,8 @@ const EDKII_CRYPTO_PROTOCOL  mEdkiiCrypto = {
   CryptoServiceX509VerifyCertChain,
   CryptoServiceX509GetCertFromCertChain,
   CryptoServiceAsn1GetTag,
-  CryptoServiceX509GetExtendedBasicConstraints
+  CryptoServiceX509GetExtendedBasicConstraints,
+  CryptoServicePkcs1v2Decrypt,
+  CryptoServiceRsaOaepEncrypt,
+  CryptoServiceRsaOaepDecrypt,
 };

CryptoPkg/Include/Library/BaseCryptLib.h

@@ -5,6 +5,7 @@
   functionality enabling.
 
 Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation. All rights reserved.
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -2147,6 +2148,122 @@ Pkcs1v2Encrypt (
   OUT  UINTN        *EncryptedDataSize
   );
 
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  );
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  );
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  );
+
 /**
   The 3rd parameter of Pkcs7GetSigners will return all embedded
   X.509 certificate in one given PKCS7 signature. The format is:

CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h

@@ -23,6 +23,7 @@
   * Sha1 family
 
   Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) Microsoft Corporation. All rights reserved.
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -124,6 +125,7 @@ typedef struct {
       UINT8    Pkcs7GetCertificatesList   : 1;
       UINT8    AuthenticodeVerify         : 1;
       UINT8    ImageTimestampVerify       : 1;
+      UINT8    Pkcs1v2Decrypt             : 1;
     } Services;
     UINT32    Family;
   } Pkcs;
@@ -158,6 +160,8 @@ typedef struct {
       UINT8    Pkcs1Verify          : 1;
       UINT8    GetPrivateKeyFromPem : 1;
       UINT8    GetPublicKeyFromX509 : 1;
+      UINT8    RsaOaepEncrypt       : 1;
+      UINT8    RsaOaepDecrypt       : 1;
     } Services;
     UINT32    Family;
   } Rsa;

CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c

@@ -3,7 +3,7 @@
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
-  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
   Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
 
 **/
@@ -14,6 +14,37 @@
 #include <openssl/x509.h>
 #include <Library/MemoryAllocationLib.h>
 
+/**
+  Retrieve a pointer to EVP message digest object.
+
+  @param[in]  DigestLen   Length of the message digest.
+
+**/
+STATIC
+const
+EVP_MD *
+GetEvpMD (
+  IN UINT16  DigestLen
+  )
+{
+  switch (DigestLen) {
+    case SHA1_DIGEST_SIZE:
+      return EVP_sha1 ();
+      break;
+    case SHA256_DIGEST_SIZE:
+      return EVP_sha256 ();
+      break;
+    case SHA384_DIGEST_SIZE:
+      return EVP_sha384 ();
+      break;
+    case SHA512_DIGEST_SIZE:
+      return EVP_sha512 ();
+      break;
+    default:
+      return NULL;
+  }
+}
+
 /**
   Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
   encrypted message in a newly allocated buffer.
@@ -26,15 +57,20 @@
   - Data size is too large for the provided key size (max size is a function of key size
     and hash digest size).
 
-  @param[in]  PublicKey           A pointer to the DER-encoded X509 certificate that
+  @param[in]  Pkey                A pointer to an EVP_PKEY struct that
                                   will be used to encrypt the data.
-  @param[in]  PublicKeySize       Size of the X509 cert buffer.
   @param[in]  InData              Data to be encrypted.
   @param[in]  InDataSize          Size of the data buffer.
   @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
                                   to be used when initializing the PRNG. NULL otherwise.
   @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
                                   0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
   @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
                                   message.
   @param[out] EncryptedDataSize   Size of the encrypted message buffer.
@@ -45,50 +81,35 @@
 **/
 BOOLEAN
 EFIAPI
-Pkcs1v2Encrypt (
+InternalPkcs1v2Encrypt (
-  IN   CONST UINT8  *PublicKey,
+  EVP_PKEY          *Pkey,
-  IN   UINTN        PublicKeySize,
   IN   UINT8        *InData,
   IN   UINTN        InDataSize,
   IN   CONST UINT8  *PrngSeed   OPTIONAL,
   IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
   OUT  UINT8        **EncryptedData,
   OUT  UINTN        *EncryptedDataSize
   )
 {
   BOOLEAN       Result;
-  CONST UINT8   *TempPointer;
-  X509          *CertData;
-  EVP_PKEY      *InternalPublicKey;
   EVP_PKEY_CTX  *PkeyCtx;
   UINT8         *OutData;
   UINTN         OutDataSize;
+  CONST EVP_MD  *HashAlg;
 
   //
   // Check input parameters.
   //
-  if ((PublicKey == NULL) || (InData == NULL) ||
+  if ((Pkey == NULL) || (InData == NULL) ||
       (EncryptedData == NULL) || (EncryptedDataSize == NULL))
   {
     return FALSE;
   }
 
-  //
-  // Check public key size.
-  //
-  if (PublicKeySize > 0xFFFFFFFF) {
-    //
-    // Public key size is too large for implementation.
-    //
-    return FALSE;
-  }
-
   *EncryptedData     = NULL;
   *EncryptedDataSize = 0;
   Result             = FALSE;
-  TempPointer        = NULL;
-  CertData           = NULL;
-  InternalPublicKey  = NULL;
   PkeyCtx            = NULL;
   OutData            = NULL;
   OutDataSize        = 0;
@@ -104,34 +125,10 @@ Pkcs1v2Encrypt (
     RandomSeed (NULL, 0);
   }
 
-  //
-  // Parse the X509 cert and extract the public key.
-  //
-  TempPointer = PublicKey;
-  CertData    = d2i_X509 (&CertData, &TempPointer, (UINT32)PublicKeySize);
-  if (CertData == NULL) {
-    //
-    // Fail to parse X509 cert.
-    //
-    goto _Exit;
-  }
-
-  //
-  // Extract the public key from the x509 cert in a format that
-  // OpenSSL can use.
-  //
-  InternalPublicKey = X509_get_pubkey (CertData);
-  if (InternalPublicKey == NULL) {
-    //
-    // Fail to extract public key.
-    //
-    goto _Exit;
-  }
-
   //
   // Create a context for the public key operation.
   //
-  PkeyCtx = EVP_PKEY_CTX_new (InternalPublicKey, NULL);
+  PkeyCtx = EVP_PKEY_CTX_new (Pkey, NULL);
   if (PkeyCtx == NULL) {
     //
     // Fail to create contex.
@@ -151,6 +148,21 @@ Pkcs1v2Encrypt (
     goto _Exit;
   }
 
+  if (DigestLen != 0) {
+    HashAlg = GetEvpMD (DigestLen);
+    if (HashAlg == NULL) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_oaep_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_mgf1_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+  }
+
   //
   // Determine the required buffer length for malloc'ing.
   //
@@ -196,17 +208,507 @@ _Exit:
   //
   // Release Resources
   //
-  if (CertData != NULL) {
-    X509_free (CertData);
-  }
-
-  if (InternalPublicKey != NULL) {
-    EVP_PKEY_free (InternalPublicKey);
-  }
-
   if (PkeyCtx != NULL) {
     EVP_PKEY_CTX_free (PkeyCtx);
   }
 
   return Result;
 }
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to parse X509 certificate.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  PublicKey           A pointer to the DER-encoded X509 certificate that
+                                  will be used to encrypt the data.
+  @param[in]  PublicKeySize       Size of the X509 cert buffer.
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Encrypt (
+  IN   CONST UINT8  *PublicKey,
+  IN   UINTN        PublicKeySize,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  BOOLEAN      Result;
+  CONST UINT8  *TempPointer;
+  X509         *CertData;
+  EVP_PKEY     *Pkey;
+
+  //
+  // Check input parameters.
+  //
+  if ((PublicKey == NULL) || (InData == NULL) ||
+      (EncryptedData == NULL) || (EncryptedDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  //
+  // Check public key size.
+  //
+  if (PublicKeySize > 0xFFFFFFFF) {
+    //
+    // Public key size is too large for implementation.
+    //
+    return FALSE;
+  }
+
+  *EncryptedData     = NULL;
+  *EncryptedDataSize = 0;
+  Result             = FALSE;
+  TempPointer        = NULL;
+  CertData           = NULL;
+  Pkey               = NULL;
+
+  //
+  // Parse the X509 cert and extract the public key.
+  //
+  TempPointer = PublicKey;
+  CertData    = d2i_X509 (&CertData, &TempPointer, (UINT32)PublicKeySize);
+  if (CertData == NULL) {
+    //
+    // Fail to parse X509 cert.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Extract the public key from the x509 cert in a format that
+  // OpenSSL can use.
+  //
+  Pkey = X509_get_pubkey (CertData);
+  if (Pkey == NULL) {
+    //
+    // Fail to extract public key.
+    //
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Encrypt (Pkey, InData, InDataSize, PrngSeed, PrngSeedSize, 0, EncryptedData, EncryptedDataSize);
+
+_Exit:
+  //
+  // Release Resources
+  //
+  if (CertData != NULL) {
+    X509_free (CertData);
+  }
+
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  BOOLEAN   Result;
+  EVP_PKEY  *Pkey;
+
+  //
+  // Check input parameters.
+  //
+  if (((RsaContext == NULL) || (InData == NULL)) ||
+      (EncryptedData == NULL) || (EncryptedDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  *EncryptedData     = NULL;
+  *EncryptedDataSize = 0;
+  Result             = FALSE;
+  Pkey               = NULL;
+
+  Pkey = EVP_PKEY_new ();
+  if (Pkey == NULL) {
+    goto _Exit;
+  }
+
+  if (EVP_PKEY_set1_RSA (Pkey, (RSA *)RsaContext) == 0) {
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Encrypt (Pkey, InData, InDataSize, PrngSeed, PrngSeedSize, DigestLen, EncryptedData, EncryptedDataSize);
+
+_Exit:
+  //
+  // Release Resources
+  //
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  Pkey                A pointer to an EVP_PKEY which will decrypt that data.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+InternalPkcs1v2Decrypt (
+  EVP_PKEY     *Pkey,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  BOOLEAN       Result;
+  EVP_PKEY_CTX  *PkeyCtx;
+  UINT8         *TempData;
+  UINTN         TempDataSize;
+  INTN          ReturnCode;
+  CONST EVP_MD  *HashAlg;
+
+  //
+  // Check input parameters.
+  //
+  if ((Pkey == NULL) || (EncryptedData == NULL) ||
+      (OutData == NULL) || (OutDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  Result       = FALSE;
+  PkeyCtx      = NULL;
+  TempData     = NULL;
+  TempDataSize = 0;
+
+  //
+  // Create a context for the decryption operation.
+  //
+  PkeyCtx = EVP_PKEY_CTX_new (Pkey, NULL);
+  if (PkeyCtx == NULL) {
+    //
+    // Fail to create contex.
+    //
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_CTK_new() failed\n", __func__));
+    goto _Exit;
+  }
+
+  //
+  // Initialize the context and set the desired padding.
+  //
+  if ((EVP_PKEY_decrypt_init (PkeyCtx) <= 0) ||
+      (EVP_PKEY_CTX_set_rsa_padding (PkeyCtx, RSA_PKCS1_OAEP_PADDING) <= 0))
+  {
+    //
+    // Fail to initialize the context.
+    //
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt_init() failed\n", __func__));
+    goto _Exit;
+  }
+
+  if (DigestLen != 0) {
+    HashAlg = GetEvpMD (DigestLen);
+    if (HashAlg == NULL) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_oaep_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+
+    if (EVP_PKEY_CTX_set_rsa_mgf1_md (PkeyCtx, HashAlg) <= 0) {
+      goto _Exit;
+    }
+  }
+
+  //
+  // Determine the required buffer length for malloc'ing.
+  //
+  ReturnCode = EVP_PKEY_decrypt (PkeyCtx, NULL, &TempDataSize, EncryptedData, EncryptedDataSize);
+  if (ReturnCode <= 0) {
+    //
+    // Fail to determine output buffer size.
+    //
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt() failed to determine output buffer size (rc=%d)\n", __func__, ReturnCode));
+    goto _Exit;
+  }
+
+  //
+  // Allocate a buffer for the output data.
+  //
+  TempData = AllocatePool (TempDataSize);
+  if (TempData == NULL) {
+    //
+    // Fail to allocate the output buffer.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Decrypt Data.
+  //
+  ReturnCode = EVP_PKEY_decrypt (PkeyCtx, TempData, &TempDataSize, EncryptedData, EncryptedDataSize);
+  if (ReturnCode <= 0) {
+    //
+    // Fail to decrypt data, need to free the output buffer.
+    //
+    FreePool (TempData);
+    TempData     = NULL;
+    TempDataSize = 0;
+
+    DEBUG ((DEBUG_ERROR, "[%a] EVP_PKEY_decrypt(TempData) failed to decrypt (rc=%d)\n", __func__, ReturnCode));
+    goto _Exit;
+  }
+
+  //
+  // Decrypt done.
+  //
+  *OutData     = TempData;
+  *OutDataSize = TempDataSize;
+  Result       = TRUE;
+
+_Exit:
+  if (PkeyCtx != NULL) {
+    EVP_PKEY_CTX_free (PkeyCtx);
+  }
+
+  return Result;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  BOOLEAN      Result;
+  EVP_PKEY     *Pkey;
+  CONST UINT8  *TempPointer;
+
+  //
+  // Check input parameters.
+  //
+  if ((PrivateKey == NULL) || (EncryptedData == NULL) ||
+      (OutData == NULL) || (OutDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  Result      = FALSE;
+  Pkey        = NULL;
+  TempPointer = NULL;
+
+  //
+  // Parse the private key.
+  //
+  TempPointer = PrivateKey;
+  Pkey        = d2i_PrivateKey (EVP_PKEY_RSA, &Pkey, &TempPointer, (UINT32)PrivateKeySize);
+  if (Pkey == NULL) {
+    //
+    // Fail to parse private key.
+    //
+    DEBUG ((DEBUG_ERROR, "[%a] d2i_PrivateKey() failed\n", __func__));
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Decrypt (Pkey, EncryptedData, EncryptedDataSize, 0, OutData, OutDataSize);
+
+_Exit:
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  BOOLEAN   Result;
+  EVP_PKEY  *Pkey;
+
+  //
+  // Check input parameters.
+  //
+  if ((RsaContext == NULL) || (EncryptedData == NULL) ||
+      (OutData == NULL) || (OutDataSize == NULL))
+  {
+    return FALSE;
+  }
+
+  Result = FALSE;
+  Pkey   = NULL;
+
+  //
+  // Create a context for the decryption operation.
+  //
+
+  Pkey = EVP_PKEY_new ();
+  if (Pkey == NULL) {
+    goto _Exit;
+  }
+
+  if (EVP_PKEY_set1_RSA (Pkey, (RSA *)RsaContext) == 0) {
+    goto _Exit;
+  }
+
+  Result = InternalPkcs1v2Decrypt (Pkey, EncryptedData, EncryptedDataSize, DigestLen, OutData, OutDataSize);
+
+_Exit:
+  if (Pkey != NULL) {
+    EVP_PKEY_free (Pkey);
+  }
+
+  return Result;
+}

CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c

@@ -3,7 +3,7 @@
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
-  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
   Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
 
 **/
@@ -48,3 +48,131 @@ Pkcs1v2Encrypt (
   ASSERT (FALSE);
   return FALSE;
 }
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}

CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5.c

@@ -8,7 +8,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #include "InternalCryptLib.h"
 #include <mbedtls/md5.h>
-#include <mbedtls/compat-2.x.h>
 
 #ifdef ENABLE_MD5_DEPRECATED_INTERFACES
 
@@ -56,7 +55,7 @@ Md5Init (
 
   mbedtls_md5_init (Md5Context);
 
-  Ret = mbedtls_md5_starts_ret (Md5Context);
+  Ret = mbedtls_md5_starts (Md5Context);
   if (Ret != 0) {
     return FALSE;
   }
@@ -129,7 +128,7 @@ Md5Update (
     return FALSE;
   }
 
-  Ret = mbedtls_md5_update_ret (Md5Context, Data, DataSize);
+  Ret = mbedtls_md5_update (Md5Context, Data, DataSize);
   if (Ret != 0) {
     return FALSE;
   }
@@ -170,7 +169,7 @@ Md5Final (
     return FALSE;
   }
 
-  Ret = mbedtls_md5_finish_ret (Md5Context, HashValue);
+  Ret = mbedtls_md5_finish (Md5Context, HashValue);
   mbedtls_md5_free (Md5Context);
   if (Ret != 0) {
     return FALSE;
@@ -215,7 +214,7 @@ Md5HashAll (
     return FALSE;
   }
 
-  Ret = mbedtls_md5_ret (Data, DataSize, HashValue);
+  Ret = mbedtls_md5 (Data, DataSize, HashValue);
   if (Ret != 0) {
     return FALSE;
   }

CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1.c

@@ -8,7 +8,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #include "InternalCryptLib.h"
 #include <mbedtls/sha1.h>
-#include <mbedtls/compat-2.x.h>
 
 #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES
 
@@ -56,7 +55,7 @@ Sha1Init (
 
   mbedtls_sha1_init (Sha1Context);
 
-  Ret = mbedtls_sha1_starts_ret (Sha1Context);
+  Ret = mbedtls_sha1_starts (Sha1Context);
   if (Ret != 0) {
     return FALSE;
   }
@@ -129,7 +128,7 @@ Sha1Update (
     return FALSE;
   }
 
-  Ret = mbedtls_sha1_update_ret (Sha1Context, Data, DataSize);
+  Ret = mbedtls_sha1_update (Sha1Context, Data, DataSize);
   if (Ret != 0) {
     return FALSE;
   }
@@ -170,7 +169,7 @@ Sha1Final (
     return FALSE;
   }
 
-  Ret = mbedtls_sha1_finish_ret (Sha1Context, HashValue);
+  Ret = mbedtls_sha1_finish (Sha1Context, HashValue);
   mbedtls_sha1_free (Sha1Context);
   if (Ret != 0) {
     return FALSE;
@@ -215,7 +214,7 @@ Sha1HashAll (
     return FALSE;
   }
 
-  Ret = mbedtls_sha1_ret (Data, DataSize, HashValue);
+  Ret = mbedtls_sha1 (Data, DataSize, HashValue);
   if (Ret != 0) {
     return FALSE;
   }

CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256.c

@@ -8,7 +8,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #include "InternalCryptLib.h"
 #include <mbedtls/sha256.h>
-#include <mbedtls/compat-2.x.h>
 
 /**
   Retrieves the size, in bytes, of the context buffer required for SHA-256 hash operations.
@@ -51,7 +50,7 @@ Sha256Init (
 
   mbedtls_sha256_init (Sha256Context);
 
-  Ret = mbedtls_sha256_starts_ret (Sha256Context, FALSE);
+  Ret = mbedtls_sha256_starts (Sha256Context, FALSE);
   if (Ret != 0) {
     return FALSE;
   }
@@ -124,7 +123,7 @@ Sha256Update (
     return FALSE;
   }
 
-  Ret = mbedtls_sha256_update_ret (Sha256Context, Data, DataSize);
+  Ret = mbedtls_sha256_update (Sha256Context, Data, DataSize);
   if (Ret != 0) {
     return FALSE;
   }
@@ -165,7 +164,7 @@ Sha256Final (
     return FALSE;
   }
 
-  Ret = mbedtls_sha256_finish_ret (Sha256Context, HashValue);
+  Ret = mbedtls_sha256_finish (Sha256Context, HashValue);
   mbedtls_sha256_free (Sha256Context);
   if (Ret != 0) {
     return FALSE;
@@ -210,7 +209,7 @@ Sha256HashAll (
     return FALSE;
   }
 
-  Ret = mbedtls_sha256_ret (Data, DataSize, HashValue, FALSE);
+  Ret = mbedtls_sha256 (Data, DataSize, HashValue, FALSE);
   if (Ret != 0) {
     return FALSE;
   }

CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512.c

@@ -8,7 +8,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #include "InternalCryptLib.h"
 #include <mbedtls/sha512.h>
-#include <mbedtls/compat-2.x.h>
 
 /**
   Retrieves the size, in bytes, of the context buffer required for SHA-384 hash operations.
@@ -51,7 +50,7 @@ Sha384Init (
 
   mbedtls_sha512_init (Sha384Context);
 
-  Ret = mbedtls_sha512_starts_ret (Sha384Context, TRUE);
+  Ret = mbedtls_sha512_starts (Sha384Context, TRUE);
   if (Ret != 0) {
     return FALSE;
   }
@@ -126,7 +125,7 @@ Sha384Update (
     return FALSE;
   }
 
-  Ret = mbedtls_sha512_update_ret (Sha384Context, Data, DataSize);
+  Ret = mbedtls_sha512_update (Sha384Context, Data, DataSize);
   if (Ret != 0) {
     return FALSE;
   }
@@ -167,7 +166,7 @@ Sha384Final (
     return FALSE;
   }
 
-  Ret = mbedtls_sha512_finish_ret (Sha384Context, HashValue);
+  Ret = mbedtls_sha512_finish (Sha384Context, HashValue);
   mbedtls_sha512_free (Sha384Context);
   if (Ret != 0) {
     return FALSE;
@@ -212,7 +211,7 @@ Sha384HashAll (
     return FALSE;
   }
 
-  Ret = mbedtls_sha512_ret (Data, DataSize, HashValue, TRUE);
+  Ret = mbedtls_sha512 (Data, DataSize, HashValue, TRUE);
   if (Ret != 0) {
     return FALSE;
   }
@@ -261,7 +260,7 @@ Sha512Init (
 
   mbedtls_sha512_init (Sha512Context);
 
-  Ret = mbedtls_sha512_starts_ret (Sha512Context, FALSE);
+  Ret = mbedtls_sha512_starts (Sha512Context, FALSE);
   if (Ret != 0) {
     return FALSE;
   }
@@ -336,7 +335,7 @@ Sha512Update (
     return FALSE;
   }
 
-  Ret = mbedtls_sha512_update_ret (Sha512Context, Data, DataSize);
+  Ret = mbedtls_sha512_update (Sha512Context, Data, DataSize);
   if (Ret != 0) {
     return FALSE;
   }
@@ -377,7 +376,7 @@ Sha512Final (
     return FALSE;
   }
 
-  Ret = mbedtls_sha512_finish_ret (Sha512Context, HashValue);
+  Ret = mbedtls_sha512_finish (Sha512Context, HashValue);
   mbedtls_sha512_free (Sha512Context);
   if (Ret != 0) {
     return FALSE;
@@ -422,7 +421,7 @@ Sha512HashAll (
     return FALSE;
   }
 
-  Ret = mbedtls_sha512_ret (Data, DataSize, HashValue, FALSE);
+  Ret = mbedtls_sha512 (Data, DataSize, HashValue, FALSE);
   if (Ret != 0) {
     return FALSE;
   }

CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1OaepNull.c

@@ -4,6 +4,7 @@
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
   Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) Microsoft Corporation. All rights reserved.
   SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
 
@@ -38,10 +39,8 @@ Pkcs1v2Encrypt (
   IN   UINTN        PublicKeySize,
   IN   UINT8        *InData,
   IN   UINTN        InDataSize,
-  IN   CONST UINT8  *PrngSeed,
+  IN   CONST UINT8  *PrngSeed  OPTIONAL,
-  OPTIONAL
+  IN   UINTN        PrngSeedSize  OPTIONAL,
-  IN   UINTN        PrngSeedSize,
-  OPTIONAL
   OUT  UINT8        **EncryptedData,
   OUT  UINTN        *EncryptedDataSize
   )
@@ -49,3 +48,131 @@ Pkcs1v2Encrypt (
   ASSERT (FALSE);
   return FALSE;
 }
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}

CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPss.c

@@ -11,6 +11,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #include "InternalCryptLib.h"
 #include <mbedtls/rsa.h>
+#include <mbedtls/sha256.h>
+#include <mbedtls/sha512.h>
 
 /**
   Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017.
@@ -43,11 +45,8 @@ RsaPssVerify (
   )
 {
   INT32                Ret;
-  mbedtls_md_type_t    md_alg;
+  mbedtls_md_type_t    MdAlg;
   UINT8                HashValue[SHA512_DIGEST_SIZE];
-  BOOLEAN              Status;
-  UINTN                ShaCtxSize;
-  VOID                 *ShaCtx;
   mbedtls_rsa_context  *RsaKey;
 
   if (RsaContext == NULL) {
@@ -75,78 +74,27 @@ RsaPssVerify (
 
   switch (DigestLen) {
     case SHA256_DIGEST_SIZE:
-      md_alg     = MBEDTLS_MD_SHA256;
+      MdAlg = MBEDTLS_MD_SHA256;
-      ShaCtxSize = Sha256GetContextSize ();
+      if (mbedtls_sha256 (Message, MsgSize, HashValue, FALSE) != 0) {
-      ShaCtx     = AllocateZeroPool (ShaCtxSize);
-
-      Status = Sha256Init (ShaCtx);
-      if (!Status) {
         return FALSE;
       }
 
-      Status = Sha256Update (ShaCtx, Message, MsgSize);
-      if (!Status) {
-        FreePool (ShaCtx);
-        return FALSE;
-      }
-
-      Status = Sha256Final (ShaCtx, HashValue);
-      if (!Status) {
-        FreePool (ShaCtx);
-        return FALSE;
-      }
-
-      FreePool (ShaCtx);
       break;
 
     case SHA384_DIGEST_SIZE:
-      md_alg     = MBEDTLS_MD_SHA384;
+      MdAlg = MBEDTLS_MD_SHA384;
-      ShaCtxSize = Sha384GetContextSize ();
+      if (mbedtls_sha512 (Message, MsgSize, HashValue, TRUE) != 0) {
-      ShaCtx     = AllocateZeroPool (ShaCtxSize);
-
-      Status = Sha384Init (ShaCtx);
-      if (!Status) {
         return FALSE;
       }
 
-      Status = Sha384Update (ShaCtx, Message, MsgSize);
-      if (!Status) {
-        FreePool (ShaCtx);
-        return FALSE;
-      }
-
-      Status = Sha384Final (ShaCtx, HashValue);
-      if (!Status) {
-        FreePool (ShaCtx);
-        return FALSE;
-      }
-
-      FreePool (ShaCtx);
       break;
 
     case SHA512_DIGEST_SIZE:
-      md_alg     = MBEDTLS_MD_SHA512;
+      MdAlg = MBEDTLS_MD_SHA512;
-      ShaCtxSize = Sha512GetContextSize ();
+      if (mbedtls_sha512 (Message, MsgSize, HashValue, FALSE) != 0) {
-      ShaCtx     = AllocateZeroPool (ShaCtxSize);
-
-      Status = Sha512Init (ShaCtx);
-      if (!Status) {
         return FALSE;
       }
 
-      Status = Sha512Update (ShaCtx, Message, MsgSize);
-      if (!Status) {
-        FreePool (ShaCtx);
-        return FALSE;
-      }
-
-      Status = Sha512Final (ShaCtx, HashValue);
-      if (!Status) {
-        FreePool (ShaCtx);
-        return FALSE;
-      }
-
-      FreePool (ShaCtx);
       break;
 
     default:
@@ -157,11 +105,11 @@ RsaPssVerify (
     return FALSE;
   }
 
-  mbedtls_rsa_set_padding (RsaContext, MBEDTLS_RSA_PKCS_V21, md_alg);
+  mbedtls_rsa_set_padding (RsaContext, MBEDTLS_RSA_PKCS_V21, MdAlg);
 
   Ret = mbedtls_rsa_rsassa_pss_verify (
           RsaContext,
-          md_alg,
+          MdAlg,
           (UINT32)DigestLen,
           HashValue,
           Signature

CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509Null.c

@@ -377,8 +377,7 @@ EFIAPI
 X509GetSerialNumber (
   IN      CONST UINT8  *Cert,
   IN      UINTN        CertSize,
-  OUT     UINT8        *SerialNumber,
+  OUT     UINT8        *SerialNumber  OPTIONAL,
-  OPTIONAL
   IN OUT  UINTN        *SerialNumberSize
   )
 {
@@ -441,8 +440,7 @@ EFIAPI
 X509GetSignatureAlgorithm (
   IN CONST UINT8  *Cert,
   IN       UINTN  CertSize,
-  OUT   UINT8     *Oid,
+  OUT   UINT8     *Oid  OPTIONAL,
-  OPTIONAL
   IN OUT   UINTN  *OidSize
   )
 {

CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs1OaepNull.c

@@ -3,7 +3,7 @@
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
-  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
   Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
 
 **/
@@ -48,3 +48,131 @@ Pkcs1v2Encrypt (
   ASSERT (FALSE);
   return FALSE;
 }
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}

CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c

@@ -2825,6 +2825,119 @@ Pkcs1v2Encrypt (
   CALL_CRYPTO_SERVICE (Pkcs1v2Encrypt, (PublicKey, PublicKeySize, InData, InDataSize, PrngSeed, PrngSeedSize, EncryptedData, EncryptedDataSize), FALSE);
 }
 
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Decrypt (
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  )
+{
+  CALL_CRYPTO_SERVICE (Pkcs1v2Decrypt, (PrivateKey, PrivateKeySize, EncryptedData, EncryptedDataSize, OutData, OutDataSize), FALSE);
+}
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+BOOLEAN
+EFIAPI
+RsaOaepEncrypt (
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  CALL_CRYPTO_SERVICE (RsaOaepEncrypt, (RsaContext, InData, InDataSize, PrngSeed, PrngSeedSize, DigestLen, EncryptedData, EncryptedDataSize), FALSE);
+}
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+BOOLEAN
+EFIAPI
+RsaOaepDecrypt (
+  IN   VOID    *RsaContext,
+  IN   UINT8   *EncryptedData,
+  IN   UINTN   EncryptedDataSize,
+  IN   UINT16  DigestLen   OPTIONAL,
+  OUT  UINT8   **OutData,
+  OUT  UINTN   *OutDataSize
+  )
+{
+  CALL_CRYPTO_SERVICE (RsaOaepDecrypt, (RsaContext, EncryptedData, EncryptedDataSize, DigestLen, OutData, OutDataSize), FALSE);
+}
+
 /**
   Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:
   Cryptographic Message Syntax Standard". The input signed data could be wrapped
@@ -2850,6 +2963,7 @@ Pkcs1v2Encrypt (
   @retval  FALSE           Error occurs during the operation.
   @retval  FALSE           This interface is not supported.
 
+
 **/
 BOOLEAN
 EFIAPI

CryptoPkg/Private/Protocol/Crypto.h

@@ -21,7 +21,7 @@
 /// the EDK II Crypto Protocol is extended, this version define must be
 /// increased.
 ///
-#define EDKII_CRYPTO_VERSION  16
+#define EDKII_CRYPTO_VERSION  17
 
 ///
 /// EDK II Crypto Protocol forward declaration
@@ -688,6 +688,110 @@ BOOLEAN
   OUT  UINTN                         *EncryptedDataSize
   );
 
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  PrivateKey          A pointer to the DER-encoded private key.
+  @param[in]  PrivateKeySize      Size of the private key buffer.
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+typedef
+BOOLEAN
+(EFIAPI *EDKII_CRYPTO_PKCS1V2_DECRYPT)(
+  IN   CONST UINT8  *PrivateKey,
+  IN   UINTN        PrivateKeySize,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  );
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a public key using RsaSetKey().
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+typedef
+BOOLEAN
+(EFIAPI *EDKII_CRYPTO_RSA_OAEP_ENCRYPT)(
+  IN   VOID         *RsaContext,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed   OPTIONAL,
+  IN   UINTN        PrngSeedSize   OPTIONAL,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  );
+
+/**
+  Decrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  decrypted message in a newly allocated buffer.
+  Things that can cause a failure include:
+  - Fail to parse private key.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  @param[in]  RsaContext          A pointer to an RSA context created by RsaNew() and
+                                  provisioned with a private key using RsaSetKey().
+  @param[in]  EncryptedData       Data to be decrypted.
+  @param[in]  EncryptedDataSize   Size of the encrypted buffer.
+  @param[in]  DigestLen           [Optional] If provided, size of the hash used:
+                                  SHA1_DIGEST_SIZE
+                                  SHA256_DIGEST_SIZE
+                                  SHA384_DIGEST_SIZE
+                                  SHA512_DIGEST_SIZE
+                                  0 to use default (SHA1)
+  @param[out] OutData             Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] OutDataSize         Size of the encrypted message buffer.
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+**/
+typedef
+BOOLEAN
+(EFIAPI *EDKII_CRYPTO_RSA_OAEP_DECRYPT)(
+  IN   VOID         *RsaContext,
+  IN   UINT8        *EncryptedData,
+  IN   UINTN        EncryptedDataSize,
+  IN   UINT16       DigestLen   OPTIONAL,
+  OUT  UINT8        **OutData,
+  OUT  UINTN        *OutDataSize
+  );
+
 // ---------------------------------------------
 // PKCS5
 
@@ -5603,6 +5707,9 @@ struct _EDKII_CRYPTO_PROTOCOL {
   EDKII_CRYPTO_X509_GET_CERT_FROM_CERT_CHAIN          X509GetCertFromCertChain;
   EDKII_CRYPTO_ASN1_GET_TAG                           Asn1GetTag;
   EDKII_CRYPTO_X509_GET_EXTENDED_BASIC_CONSTRAINTS    X509GetExtendedBasicConstraints;
+  EDKII_CRYPTO_PKCS1V2_DECRYPT                        Pkcs1v2Decrypt;
+  EDKII_CRYPTO_RSA_OAEP_ENCRYPT                       RsaOaepEncrypt;
+  EDKII_CRYPTO_RSA_OAEP_DECRYPT                       RsaOaepDecrypt;
 };
 
 extern GUID  gEdkiiCryptoProtocolGuid;

CryptoPkg/Test/UnitTest/Library/BaseCryptLib/OaepEncryptTests.c

@@ -1,20 +1,21 @@
 /** @file
-  This is a unit test for RSA OAEP encrypt.
+  This is a unit test for RSA OAEP encrypt/decrypt.
 
   Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) Microsoft Corporation. All rights reserved.
   SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
 
 #include "TestBaseCryptLib.h"
 
-CONST  UINT8  RandSeed[] = "This is the random seed for PRNG verification.";
+STATIC CONST  UINT8  RandSeed[] = "This is the random seed for PRNG verification.";
 
 //
 // Self signed X509 certificate
 // CN = ca.self
 // O = Intel
 //
-GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8  SelfTestCert[] = {
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  SelfTestCert[] = {
   0x30, 0x82, 0x03, 0x90, 0x30, 0x82, 0x02, 0x78, 0x02, 0x09, 0x00, 0xE4, 0xDF, 0x47, 0x80, 0xEF,
   0x4B, 0x3C, 0x6D, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
   0x05, 0x00, 0x30, 0x81, 0x89, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
@@ -75,7 +76,7 @@ GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8  SelfTestCert[] = {
   0x5B, 0x64, 0x81, 0x13,
 };
 
-GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8  PrivateKey[] = {
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  PrivateKey[] = {
   0x30, 0x82, 0x04, 0xA4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xBC, 0xE4, 0x67, 0xDC,
   0xC7, 0xEA, 0x6F, 0x8A, 0xA7, 0xCC, 0xB2, 0x54, 0x47, 0x48, 0x6A, 0xE2, 0x39, 0xFF, 0xC2, 0x48,
   0x58, 0x34, 0x07, 0x03, 0x6D, 0x39, 0xB3, 0x67, 0x46, 0x4C, 0xBC, 0xA0, 0xFA, 0x4E, 0x64, 0x23,
@@ -153,114 +154,442 @@ GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8  PrivateKey[] = {
   0x86, 0x10, 0x09, 0x88, 0x6C, 0x35, 0x60, 0xF2,
 };
 
+// The following RSA key componets were extracted from the above private key with openssl.
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  RsaN[] = {
+  0x00,
+  0xbc,0xe4,  0x67, 0xdc, 0xc7, 0xea, 0x6f, 0x8a, 0xa7, 0xcc, 0xb2, 0x54, 0x47, 0x48, 0x6a, 0xe2,
+  0x39,0xff,  0xc2, 0x48, 0x58, 0x34, 0x07, 0x03, 0x6d, 0x39, 0xb3, 0x67, 0x46, 0x4c, 0xbc, 0xa0,
+  0xfa,0x4e,  0x64, 0x23, 0x56, 0x47, 0x7b, 0xc9, 0x1a, 0x2a, 0x55, 0x42, 0x54, 0x10, 0x18, 0x30,
+  0x92,0x60,  0x30, 0x5b, 0x9e, 0xc0, 0x65, 0xd2, 0xd4, 0x05, 0x4a, 0xa6, 0x10, 0x66, 0x04, 0xa9,
+  0x54,0x4e,  0xee, 0x49, 0x39, 0x43, 0x65, 0x1e, 0x2e, 0x28, 0xde, 0x79, 0x24, 0xa9, 0x7e, 0xd8,
+  0x5b,0xbc,  0x2f, 0x46, 0x6a, 0xb7, 0xb6, 0x0d, 0x17, 0x88, 0x37, 0x52, 0x5c, 0xfe, 0x93, 0xc0,
+  0xe2,0xfd,  0x6a, 0x08, 0x1b, 0xfb, 0xd1, 0x87, 0xbd, 0xbd, 0x58, 0x57, 0x2c, 0x06, 0x5d, 0xd2,
+  0x7d,0x52,  0xe2, 0x49, 0x8e, 0xdc, 0xe5, 0x26, 0xbd, 0x92, 0x60, 0xb0, 0x3f, 0x58, 0x5e, 0x52,
+  0xd7,0x91,  0xda, 0x93, 0x62, 0x8d, 0x71, 0x80, 0x53, 0xba, 0x15, 0xc4, 0x1f, 0xf3, 0xbd, 0xe0,
+  0xc5,0xa4,  0xb8, 0xd3, 0x64, 0x12, 0x14, 0x1b, 0x11, 0x6b, 0x7b, 0xc2, 0x92, 0xc7, 0xe2, 0x94,
+  0x0b,0xb8,  0x67, 0x38, 0x48, 0x63, 0x11, 0x74, 0x25, 0x7c, 0x37, 0xc3, 0xb2, 0xae, 0xd9, 0xa7,
+  0x17,0x9c,  0x4b, 0x9d, 0x6c, 0x27, 0xb0, 0x87, 0x16, 0x6b, 0xf2, 0x96, 0xe5, 0x1d, 0x37, 0x27,
+  0xde,0xf2,  0x98, 0xb7, 0x81, 0x08, 0xd9, 0x7a, 0xba, 0x84, 0x14, 0x61, 0x60, 0x48, 0xce, 0xce,
+  0x51,0x73,  0xf4, 0xdb, 0xf1, 0x5f, 0x7a, 0x17, 0x71, 0x4f, 0xc1, 0x0b, 0xce, 0xc7, 0x31, 0xc1,
+  0x4e,0xa3,  0xee, 0x6f, 0x72, 0x97, 0x90, 0xfb, 0x8b, 0x54, 0x9f, 0x82, 0x5b, 0x48, 0x5a, 0xf1,
+  0xad,0x8b,  0x3a, 0xcd, 0xca, 0xb2, 0x8b, 0x7a, 0x53, 0xd4, 0xf7, 0x71, 0x16, 0x75, 0xa7, 0x35,
+};
+
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  RsaE[] = {
+  0x01, 0x00, 0x01
+};
+
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  RsaD[] = {
+  0x13, 0xf7, 0xd1, 0x42, 0xf5, 0x9f, 0x42, 0xcb, 0x55, 0x91, 0xbe, 0x08, 0x4a, 0xc0, 0xcd, 0x0b,
+  0xbd, 0x35, 0xdc, 0x43, 0xe9, 0x8f, 0x16, 0x6e, 0xb6, 0x4d, 0x33, 0x39, 0xe7, 0xa4, 0x95, 0x0c,
+  0x2f, 0x69, 0xba, 0x0c, 0x42, 0x42, 0xac, 0x43, 0x46, 0x10, 0xd3, 0x92, 0x7f, 0x70, 0x74, 0x1e,
+  0x2e, 0x5b, 0x1c, 0xc1, 0x92, 0xb6, 0xa4, 0x0c, 0xf5, 0x7c, 0xd9, 0xb7, 0x54, 0x64, 0x74, 0x79,
+  0xb1, 0xff, 0xe6, 0x10, 0xb7, 0x8c, 0xf8, 0x53, 0x88, 0x6d, 0xa9, 0x97, 0x04, 0xd9, 0x26, 0x1f,
+  0x99, 0x12, 0xfb, 0xac, 0x65, 0xfb, 0xa5, 0xb3, 0x1c, 0x99, 0xb9, 0xbf, 0x6b, 0x35, 0x3e, 0x49,
+  0x55, 0xb5, 0x94, 0x4f, 0xe7, 0x25, 0x67, 0xb1, 0x01, 0xcd, 0xd2, 0x58, 0xe4, 0xbe, 0x87, 0x8c,
+  0x88, 0xd3, 0x0a, 0x38, 0xdc, 0x71, 0x5d, 0x88, 0x0a, 0xe2, 0x3e, 0x76, 0x63, 0x3b, 0xe4, 0x3c,
+  0x8f, 0x2f, 0x29, 0x1d, 0xd1, 0x66, 0x8d, 0xc0, 0x4a, 0x68, 0x15, 0x90, 0x4c, 0x95, 0x61, 0xf4,
+  0xfd, 0xe8, 0xfa, 0x9c, 0x6c, 0x00, 0x22, 0x23, 0xd5, 0x17, 0x6e, 0xee, 0xa8, 0xd8, 0x70, 0xc5,
+  0x74, 0xea, 0x09, 0x13, 0x7f, 0x0c, 0x37, 0x4d, 0x50, 0xcd, 0xe9, 0x16, 0xc2, 0xd5, 0xde, 0x5e,
+  0xc3, 0xfc, 0x46, 0x08, 0xf1, 0x99, 0xc0, 0xb4, 0x28, 0xfd, 0x2b, 0x29, 0xef, 0x76, 0xd7, 0x04,
+  0x4f, 0x02, 0x54, 0x16, 0x54, 0x55, 0x20, 0xec, 0xbc, 0xbf, 0x85, 0x5f, 0x12, 0xcc, 0xfc, 0x0d,
+  0xf2, 0xef, 0xfc, 0x4d, 0x3e, 0xa2, 0x5e, 0x97, 0xfe, 0x35, 0x10, 0x0f, 0x53, 0x1f, 0x80, 0xd5,
+  0xc0, 0xb4, 0xe9, 0xe9, 0x31, 0x4c, 0x89, 0x14, 0x72, 0x39, 0x65, 0x89, 0xef, 0x7a, 0x51, 0x4a,
+  0xb9, 0xa9, 0xcc, 0x1b, 0x52, 0xb0, 0x02, 0x52, 0x65, 0x2f, 0x0b, 0x89, 0x41, 0x70, 0x1e, 0x01,
+};
+
+// test case = "123\0"
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  Msg1230[] = {
+  0x31, 0x32, 0x33, 0x00
+};
+
+// Ciphertext of the test case using RSAES-OAEP2048 with SHA1 MD/BGF1 created with openssl.
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  Ct1230RsaesOaepMdSha1Mgf1Sha1[] = {
+  0x88, 0x5d, 0xf3, 0x00, 0x66, 0x77, 0x91, 0x94, 0x5c, 0x8d, 0x45, 0xb6, 0xb2, 0x24, 0x26, 0x26,
+  0x37, 0xbe, 0xe0, 0x87, 0x4f, 0x50, 0xbf, 0x88, 0xde, 0x5d, 0xe9, 0xe0, 0xb2, 0x7e, 0x66, 0xfa,
+  0x6c, 0xfd, 0x0d, 0x19, 0x48, 0x41, 0xfe, 0x7a, 0x86, 0xa8, 0x28, 0xc2, 0x01, 0xcf, 0x76, 0xd7,
+  0xea, 0xab, 0x6d, 0xc3, 0x5e, 0x2c, 0x36, 0x04, 0xc0, 0x54, 0xc2, 0x68, 0x67, 0xe7, 0x04, 0x27,
+  0x56, 0xbe, 0x53, 0xb5, 0x80, 0x94, 0xd8, 0xde, 0x8c, 0x75, 0x69, 0x42, 0xba, 0x55, 0xd6, 0x2c,
+  0xda, 0x22, 0xe6, 0x09, 0xf6, 0x90, 0x27, 0x4b, 0x10, 0x54, 0x40, 0xa0, 0x74, 0x31, 0xdb, 0x5f,
+  0x80, 0x06, 0xc7, 0x67, 0x96, 0xe8, 0x45, 0xea, 0x7f, 0x72, 0x18, 0x24, 0xe8, 0x0d, 0x46, 0xc2,
+  0xa0, 0x83, 0xca, 0x71, 0xca, 0x91, 0x4b, 0x89, 0x80, 0x61, 0x01, 0x8e, 0xcf, 0xa1, 0x68, 0x81,
+  0x2d, 0xf2, 0x08, 0xd2, 0x02, 0x9e, 0xc0, 0xa4, 0x91, 0x71, 0x90, 0x84, 0x2f, 0x4e, 0x18, 0x37,
+  0x9b, 0x61, 0x0b, 0xf5, 0x88, 0xf7, 0x6b, 0x87, 0xb9, 0x4e, 0x31, 0xda, 0xf3, 0xb5, 0xe2, 0x60,
+  0x4d, 0xd9, 0x52, 0x99, 0x6b, 0x19, 0x98, 0xa2, 0x28, 0xaa, 0xeb, 0x5a, 0x33, 0xef, 0xf1, 0x4e,
+  0x29, 0x86, 0xbf, 0x70, 0x08, 0xfd, 0x34, 0x8a, 0x8c, 0x6d, 0xef, 0xc4, 0xa1, 0xfe, 0xdf, 0x4d,
+  0xeb, 0xf0, 0x2c, 0x4c, 0xf5, 0xb3, 0xe8, 0xf8, 0xc3, 0x45, 0xc7, 0x6b, 0x59, 0x1c, 0x9b, 0xd9,
+  0x52, 0xdf, 0x65, 0x87, 0x18, 0xd2, 0x6d, 0xff, 0x8b, 0x98, 0x2a, 0x97, 0xeb, 0x93, 0xea, 0x6a,
+  0x23, 0x23, 0xc6, 0x32, 0xf5, 0xea, 0x45, 0xe3, 0x99, 0xa0, 0x4d, 0x4b, 0x8f, 0xf8, 0x1d, 0xad,
+  0xa9, 0x97, 0xa2, 0xd6, 0xaf, 0x5e, 0x11, 0xf7, 0x5f, 0x28, 0xfb, 0x38, 0x80, 0x38, 0x50, 0xc4,
+};
+
+// Ciphertext of the test case using RSAES-OAEP2048 with SHA256 MD/BGF1 created with openssl.
+GLOBAL_REMOVE_IF_UNREFERENCED STATIC CONST UINT8  Ct1230RsaesOaep2048MdSha256Mgf1Sha256[] = {
+  0xa7, 0x20, 0xa9, 0x31, 0xb5, 0xad, 0x83, 0x0a, 0x07, 0xee, 0x36, 0x46, 0xa5, 0x78, 0x3a, 0xda,
+  0x9d, 0xdf, 0xe6, 0x05, 0x0f, 0x7c, 0x46, 0xfe, 0x5f, 0xd6, 0x58, 0x16, 0xb6, 0xaa, 0x82, 0x7c,
+  0x58, 0x8a, 0x52, 0x14, 0x12, 0x29, 0x6f, 0x62, 0x80, 0xa7, 0x61, 0xfe, 0x29, 0x72, 0x6f, 0x73,
+  0xf6, 0x2f, 0x54, 0x38, 0x58, 0x7b, 0xbd, 0xa1, 0x2f, 0x9d, 0x12, 0x83, 0x72, 0xbc, 0x3d, 0x29,
+  0x65, 0x39, 0xcb, 0x93, 0x95, 0x3e, 0x73, 0xc9, 0x6f, 0xb9, 0xe8, 0xd5, 0x8b, 0x91, 0x0d, 0x87,
+  0x7e, 0x22, 0xb5, 0x93, 0x3d, 0xa8, 0x4a, 0xd9, 0x1a, 0x13, 0xf7, 0xf4, 0x7f, 0x16, 0x42, 0xfe,
+  0x63, 0x10, 0x7e, 0xa1, 0xe5, 0x04, 0xcf, 0xed, 0x93, 0x2d, 0x16, 0x3b, 0x79, 0x1f, 0x53, 0x41,
+  0xe3, 0xca, 0x69, 0x18, 0x6a, 0xe5, 0xec, 0x9a, 0xce, 0xbc, 0x47, 0xf6, 0x77, 0x9a, 0x5c, 0xea,
+  0xac, 0x7e, 0x28, 0xeb, 0x1e, 0xfe, 0x75, 0xa6, 0xbf, 0x1e, 0xfd, 0x1c, 0x63, 0x69, 0x47, 0x04,
+  0xaf, 0x69, 0x7e, 0x1c, 0xa1, 0x7f, 0x00, 0xcf, 0xec, 0x16, 0x34, 0xd9, 0xde, 0x91, 0x0e, 0x0f,
+  0x0b, 0x1e, 0x66, 0xc3, 0x41, 0x88, 0x43, 0xbe, 0xa3, 0x2a, 0x7c, 0x87, 0xff, 0xc0, 0x67, 0xdc,
+  0xc7, 0xeb, 0x28, 0x07, 0x00, 0x72, 0x85, 0x17, 0xca, 0x05, 0x9f, 0x29, 0x6b, 0xad, 0xc6, 0xae,
+  0x1c, 0x4a, 0xf2, 0xfe, 0x97, 0xc7, 0x6e, 0x4b, 0xbf, 0xfd, 0x46, 0xbe, 0xf8, 0x76, 0xc9, 0x70,
+  0x58, 0x3a, 0x73, 0xcc, 0x34, 0xda, 0xfe, 0x5b, 0x6d, 0x98, 0x74, 0x95, 0x85, 0xc7, 0xc9, 0x84,
+  0x02, 0xa8, 0x97, 0x13, 0xa3, 0x83, 0xcb, 0x28, 0x3d, 0xbb, 0x2b, 0x3b, 0x45, 0xf1, 0x6e, 0xc5,
+  0x37, 0x23, 0x21, 0xe6, 0x74, 0x2d, 0x48, 0x19, 0x97, 0xaf, 0xee, 0x3d, 0x9b, 0xd0, 0x05, 0xc7
+};
+
+typedef struct _OAEP_ENC_DEC_TEST_CONTEXT OAEP_ENC_DEC_TEST_CONTEXT;
+typedef
+BOOLEAN
+(EFIAPI *OAEP_TEST_ENCRYPT)(
+  IN      OAEP_ENC_DEC_TEST_CONTEXT *TestContext,
+  IN      CONST UINT8 *ClearText,
+  IN      UINTN       ClearTextSize,
+  IN      CONST UINT8 *PrngSeed,
+  IN      UINTN       PrngSeedSize,
+  IN      UINT16      DigestLen,
+  OUT     UINT8       **CipherText,
+  OUT     UINTN       *CipherTextSize
+  );
+
+typedef
+BOOLEAN
+(EFIAPI *OAEP_TEST_DECRYPT)(
+  IN      OAEP_ENC_DEC_TEST_CONTEXT *TestContext,
+  IN      CONST UINT8 *CipherText,
+  IN      UINTN       CipherTextSize,
+  IN      UINT16      DigestLen,
+  OUT     UINT8       **ClearText,
+  OUT     UINTN       *ClearTextSize
+  );
+
+typedef struct _OAEP_ENC_DEC_TEST_CONTEXT {
+  CONST UINT8          *SelfTestCert;
+  UINTN                SelfTestCertSize;
+  CONST UINT8          *PrivateKey;
+  UINTN                PrivateKeySize;
+  CONST UINT8          *RsaN;
+  UINTN                RsaNSize;
+  CONST UINT8          *RsaE;
+  UINTN                RsaESize;
+  CONST UINT8          *RsaD;
+  UINTN                RsaDSize;
+  CONST UINT8          *PrngSeed;
+  UINTN                PrngSeedSize;
+  CONST UINT8          *ClearText;
+  UINTN                ClearTextSize;
+  CONST UINT8          *CipherText;
+  UINTN                CipherTextSize;
+  UINT16               DigestLen;
+  OAEP_TEST_ENCRYPT    Encrypt;
+  OAEP_TEST_DECRYPT    Decrypt;
+  UNIT_TEST_STATUS     Expect;
+} OAEP_ENC_DEC_TEST_CONTEXT;
+
+BOOLEAN
+EFIAPI
+CallPkcs1v2Encrypt (
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx,
+  CONST UINT8                *ClearText,
+  UINTN                      ClearTextSize,
+  CONST UINT8                *PrngSeed,
+  UINTN                      PrngSeedSize,
+  UINT16                     DigestLen,
+  UINT8                      **CipherText,
+  UINTN                      *CipherTextSize
+  )
+{
+  BOOLEAN  Status;
+
+  Status = Pkcs1v2Encrypt (
+             TestCtx->SelfTestCert,
+             TestCtx->SelfTestCertSize,
+             (UINT8 *)ClearText,
+             ClearTextSize,
+             PrngSeed,
+             PrngSeedSize,
+             CipherText,
+             CipherTextSize
+             );
+
+  return Status;
+}
+
+BOOLEAN
+EFIAPI
+CallPkcs1v2Decrypt (
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx,
+  CONST UINT8                *CipherText,
+  UINTN                      CipherTextSize,
+  UINT16                     DigestLen,
+  UINT8                      **ClearText,
+  UINTN                      *ClearTextSize
+  )
+{
+  BOOLEAN  Status;
+
+  Status = Pkcs1v2Decrypt (
+             TestCtx->PrivateKey,
+             TestCtx->PrivateKeySize,
+             (UINT8 *)CipherText,
+             CipherTextSize,
+             ClearText,
+             ClearTextSize
+             );
+  return Status;
+}
+
+BOOLEAN
+EFIAPI
+CallRsaOaepEncrypt (
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx,
+  CONST UINT8                *ClearText,
+  UINTN                      ClearTextSize,
+  CONST UINT8                *RandSeedIn,
+  UINTN                      RandSeedSizeIn,
+  UINT16                     DigestLen,
+  UINT8                      **CipherText,
+  UINTN                      *CipherTextSize
+  )
+{
+  VOID     *RsaContext = NULL;
+  BOOLEAN  Status;
+
+  RsaContext = RsaNew ();
+  UT_ASSERT_FALSE (RsaContext == NULL);
+
+  Status = RsaSetKey (RsaContext, RsaKeyN, TestCtx->RsaN, TestCtx->RsaNSize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaSetKey (RsaContext, RsaKeyE, TestCtx->RsaE, TestCtx->RsaESize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaOaepEncrypt (
+             RsaContext,
+             (UINT8 *)ClearText,
+             ClearTextSize,
+             RandSeedIn,
+             RandSeedSizeIn,
+             DigestLen,
+             CipherText,
+             CipherTextSize
+             );
+
+  return Status;
+}
+
+BOOLEAN
+EFIAPI
+CallRsaOaepDecrypt (
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx,
+  CONST UINT8                *CipherText,
+  UINTN                      CipherTextSize,
+  UINT16                     DigestLen,
+  UINT8                      **ClearText,
+  UINTN                      *ClearTextSize
+  )
+{
+  VOID     *RsaContext = NULL;
+  BOOLEAN  Status;
+
+  RsaContext = RsaNew ();
+  UT_ASSERT_FALSE (RsaContext == NULL);
+
+  Status = RsaSetKey (RsaContext, RsaKeyN, TestCtx->RsaN, TestCtx->RsaNSize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaSetKey (RsaContext, RsaKeyE, TestCtx->RsaE, TestCtx->RsaESize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaSetKey (RsaContext, RsaKeyD, TestCtx->RsaD, TestCtx->RsaDSize);
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaOaepDecrypt (
+             RsaContext,
+             (UINT8 *)CipherText,
+             CipherTextSize,
+             DigestLen,
+             ClearText,
+             ClearTextSize
+             );
+
+  return Status;
+}
+
 UNIT_TEST_STATUS
 EFIAPI
-TestVerifyOaepEncrypt (
+TestVerifyEncrypt (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  BOOLEAN                    Status;
+  UINT8                      *OutBuffer     = NULL;
+  UINTN                      OutBufferSize  = 0;
+  UINT8                      *OutBuffer2    = NULL;
+  UINTN                      OutBuffer2Size = 0;
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx;
+
+  TestCtx = (OAEP_ENC_DEC_TEST_CONTEXT *)Context;
+
+  Status = TestCtx->Encrypt (
+                      TestCtx,
+                      TestCtx->ClearText,
+                      TestCtx->ClearTextSize,
+                      TestCtx->PrngSeed,
+                      TestCtx->PrngSeedSize,
+                      TestCtx->DigestLen,
+                      &OutBuffer,
+                      &OutBufferSize
+                      );
+  UT_ASSERT_TRUE (Status);
+
+  Status = TestCtx->Encrypt (
+                      TestCtx,
+                      TestCtx->ClearText,
+                      TestCtx->ClearTextSize,
+                      TestCtx->PrngSeed,
+                      TestCtx->PrngSeedSize,
+                      TestCtx->DigestLen,
+                      &OutBuffer2,
+                      &OutBuffer2Size
+                      );
+  UT_ASSERT_TRUE (Status);
+
+  // TRUE - the two OutBuffers are indentical. That means the Oaep encrypt result is incorrect.
+  Status = (CompareMem (OutBuffer, OutBuffer2, OutBufferSize >= OutBuffer2Size ? OutBufferSize : OutBuffer2Size) == 0);
+  UT_ASSERT_FALSE (Status);
+
+  if (OutBuffer) {
+    FreePool (OutBuffer);
+    OutBuffer     = NULL;
+    OutBufferSize = 0;
+  }
+
+  if (OutBuffer2) {
+    FreePool (OutBuffer2);
+    OutBuffer2     = NULL;
+    OutBuffer2Size = 0;
+  }
+
+  return UNIT_TEST_PASSED;
+}
+
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyDecrypt (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  BOOLEAN                    Status;
+  UINT8                      *OutBuffer    = NULL;
+  UINTN                      OutBufferSize = 0;
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx;
+
+  TestCtx = Context;
+
+  Status = TestCtx->Decrypt (
+                      TestCtx,
+                      TestCtx->CipherText,
+                      TestCtx->CipherTextSize,
+                      TestCtx->DigestLen,
+                      &OutBuffer,
+                      &OutBufferSize
+                      );
+  UT_ASSERT_TRUE (Status);
+
+  UT_ASSERT_TRUE (CompareMem (OutBuffer, TestCtx->ClearText, OutBufferSize >= TestCtx->ClearTextSize ? OutBufferSize : TestCtx->ClearTextSize) == 0);
+  UT_ASSERT_TRUE (OutBufferSize == TestCtx->ClearTextSize);
+
+  if (OutBuffer) {
+    FreePool (OutBuffer);
+    OutBuffer     = NULL;
+    OutBufferSize = 0;
+  }
+
+  return UNIT_TEST_PASSED;
+}
+
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyEncryptDecrypt (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  BOOLEAN                    Status;
+  UINT8                      *ClearText     = NULL;
+  UINTN                      ClearTextSize  = 0;
+  UINT8                      *CipherText    = NULL;
+  UINTN                      CipherTextSize = 0;
+  OAEP_ENC_DEC_TEST_CONTEXT  *TestCtx;
+
+  TestCtx = Context;
+
+  Status = TestCtx->Encrypt (
+                      TestCtx,
+                      TestCtx->ClearText,
+                      TestCtx->ClearTextSize,
+                      TestCtx->PrngSeed,
+                      TestCtx->PrngSeedSize,
+                      TestCtx->DigestLen,
+                      &CipherText,
+                      &CipherTextSize
+                      );
+  UT_ASSERT_TRUE (Status);
+
+  Status = TestCtx->Decrypt (
+                      TestCtx,
+                      CipherText,
+                      CipherTextSize,
+                      TestCtx->DigestLen,
+                      &ClearText,
+                      &ClearTextSize
+                      );
+
+  if (TestCtx->Expect == UNIT_TEST_PASSED) {
+    UT_ASSERT_TRUE (Status);
+  } else {
+    UT_ASSERT_FALSE (Status);
+  }
+
+  if (TestCtx->Expect == UNIT_TEST_PASSED) {
+    UT_ASSERT_TRUE (CompareMem (ClearText, TestCtx->ClearText, ClearTextSize >= TestCtx->ClearTextSize ? ClearTextSize : TestCtx->ClearTextSize) == 0);
+    UT_ASSERT_TRUE (ClearTextSize == TestCtx->ClearTextSize);
+  }
+
+  if (CipherText) {
+    FreePool (CipherText);
+    CipherText     = NULL;
+    CipherTextSize = 0;
+  }
+
+  if (ClearText) {
+    FreePool (ClearText);
+    ClearText     = NULL;
+    ClearTextSize = 0;
+  }
+
+  return UNIT_TEST_PASSED;
+}
+
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyPkcs1v2EncryptInterface (
   IN UNIT_TEST_CONTEXT  Context
   )
 {
   BOOLEAN  Status;
-  UINT8    File[4];
   UINT8    *OutBuffer;
   UINTN    OutBufferSize;
-  UINT8    *OutBuffer2;
-  UINTN    OutBuffer2Size;
-
-  // Create a file and add content '123' in it
-  File[0] = '1';
-  File[1] = '2';
-  File[2] = '3';
-  File[3] = 0;
-
-  OutBuffer      = NULL;
-  OutBufferSize  = 0;
-  OutBuffer2     = NULL;
-  OutBuffer2Size = 0;
-
-  Status = Pkcs1v2Encrypt (
-             SelfTestCert,
-             (UINTN)sizeof (SelfTestCert),
-             File,
-             (UINTN)sizeof (File),
-             NULL,
-             0,
-             &OutBuffer,
-             (UINTN *)&OutBufferSize
-             );
-  UT_ASSERT_TRUE (Status);
-
-  Status = Pkcs1v2Encrypt (
-             SelfTestCert,
-             (UINTN)sizeof (SelfTestCert),
-             File,
-             (UINTN)4,
-             NULL,
-             0,
-             &OutBuffer2,
-             (UINTN *)&OutBuffer2Size
-             );
-  UT_ASSERT_TRUE (Status);
-
-  // TRUE - the two OutBuffers are indentical. That means the Oaep encrypt result is incorrect.
-  Status = (CompareMem (OutBuffer, OutBuffer2, OutBufferSize >= OutBuffer2Size ? OutBufferSize : OutBuffer2Size) == 0);
-  UT_ASSERT_FALSE (Status);
-
-  if (OutBuffer) {
-    FreePool (OutBuffer);
-    OutBuffer     = NULL;
-    OutBufferSize = 0;
-  }
-
-  if (OutBuffer2) {
-    FreePool (OutBuffer2);
-    OutBuffer2     = NULL;
-    OutBuffer2Size = 0;
-  }
-
-  Status = Pkcs1v2Encrypt (
-             SelfTestCert,
-             (UINTN)sizeof (SelfTestCert),
-             File,
-             (UINTN)4,
-             RandSeed,
-             (UINTN)sizeof (RandSeed),
-             &OutBuffer,
-             (UINTN *)&OutBufferSize
-             );
-  UT_ASSERT_TRUE (Status);
-
-  Status = Pkcs1v2Encrypt (
-             SelfTestCert,
-             (UINTN)sizeof (SelfTestCert),
-             File,
-             (UINTN)4,
-             RandSeed,
-             (UINTN)sizeof (RandSeed),
-             &OutBuffer2,
-             (UINTN *)&OutBuffer2Size
-             );
-  UT_ASSERT_TRUE (Status);
-
-  // TRUE - the two OutBuffers are indentical. That means the Oaep encrypt result is incorrect.
-  Status = (CompareMem (OutBuffer, OutBuffer2, OutBufferSize >= OutBuffer2Size ? OutBufferSize : OutBuffer2Size) == 0);
-  UT_ASSERT_FALSE (Status);
-
-  if (OutBuffer) {
-    FreePool (OutBuffer);
-    OutBuffer     = NULL;
-    OutBufferSize = 0;
-  }
-
-  if (OutBuffer2) {
-    FreePool (OutBuffer2);
-    OutBuffer2     = NULL;
-    OutBuffer2Size = 0;
-  }
 
   Status = Pkcs1v2Encrypt (
              NULL,
              (UINTN)sizeof (SelfTestCert),
-             File,
+             (UINT8 *)Msg1230,
              (UINTN)4,
              NULL,
              0,
@@ -272,7 +601,7 @@ TestVerifyOaepEncrypt (
   Status = Pkcs1v2Encrypt (
              SelfTestCert,
              (UINTN)sizeof (SelfTestCert),
-             File,
+             (UINT8 *)Msg1230,
              (UINTN)4,
              NULL,
              0,
@@ -284,7 +613,7 @@ TestVerifyOaepEncrypt (
   Status = Pkcs1v2Encrypt (
              SelfTestCert,
              (UINTN)sizeof (SelfTestCert),
-             File,
+             (UINT8 *)Msg1230,
              (UINTN)4,
              NULL,
              0,
@@ -296,11 +625,298 @@ TestVerifyOaepEncrypt (
   return UNIT_TEST_PASSED;
 }
 
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyRsaOaepEncryptInterface (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  VOID     *RsaContext = NULL;
+  BOOLEAN  Status;
+  UINT8    *OutBuffer;
+  UINTN    OutBufferSize;
+
+  RsaContext = RsaNew ();
+  UT_ASSERT_FALSE (RsaContext == NULL);
+
+  Status = RsaSetKey (RsaContext, RsaKeyN, RsaN, sizeof (RsaN));
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaSetKey (RsaContext, RsaKeyE, RsaE, sizeof (RsaE));
+  UT_ASSERT_TRUE (Status);
+
+  Status = RsaOaepEncrypt (
+             NULL,
+             (UINT8 *)Msg1230,
+             (UINTN)4,
+             NULL,
+             0,
+             0,
+             &OutBuffer,
+             (UINTN *)&OutBufferSize
+             );
+  UT_ASSERT_FALSE (Status);
+
+  Status = RsaOaepEncrypt (
+             RsaContext,
+             (UINT8 *)Msg1230,
+             (UINTN)4,
+             NULL,
+             0,
+             0,
+             (UINT8 **)NULL,
+             (UINTN *)&OutBufferSize
+             );
+  UT_ASSERT_FALSE (Status);
+
+  Status = RsaOaepEncrypt (
+             RsaContext,
+             (UINT8 *)Msg1230,
+             (UINTN)4,
+             NULL,
+             0,
+             0,
+             &OutBuffer,
+             (UINTN *)NULL
+             );
+  UT_ASSERT_FALSE (Status);
+
+  return UNIT_TEST_PASSED;
+}
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyPkcs1v2Msg1230 = {
+  .SelfTestCert     = SelfTestCert,
+  .SelfTestCertSize = sizeof (SelfTestCert),
+  .PrivateKey       = PrivateKey,
+  .PrivateKeySize   = sizeof (PrivateKey),
+  .RsaN             = NULL,
+  .RsaNSize         = 0,
+  .RsaE             = NULL,
+  .RsaESize         = 0,
+  .RsaD             = NULL,
+  .RsaDSize         = 0,
+  .PrngSeed         = NULL,
+  .PrngSeedSize     = 0,
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallPkcs1v2Encrypt,
+  .Decrypt          = CallPkcs1v2Decrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyPkcs1v2Msg1230PrngSeed = {
+  .SelfTestCert     = SelfTestCert,
+  .SelfTestCertSize = sizeof (SelfTestCert),
+  .PrivateKey       = PrivateKey,
+  .PrivateKeySize   = sizeof (PrivateKey),
+  .RsaN             = NULL,
+  .RsaNSize         = 0,
+  .RsaE             = NULL,
+  .RsaESize         = 0,
+  .RsaD             = NULL,
+  .RsaDSize         = 0,
+  .PrngSeed         = RandSeed,
+  .PrngSeedSize     = sizeof (RandSeed),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallPkcs1v2Encrypt,
+  .Decrypt          = CallPkcs1v2Decrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaOaepMsg1230 = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .PrngSeed         = NULL,
+  .PrngSeedSize     = 0,
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaOaepMsg1230PrngSeed = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .PrngSeed         = RandSeed,
+  .PrngSeedSize     = sizeof (RandSeed),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyPkcs1v2EncryptRsaOaepDecrypt = {
+  .SelfTestCert     = SelfTestCert,
+  .SelfTestCertSize = sizeof (SelfTestCert),
+  .PrivateKey       = PrivateKey,
+  .PrivateKeySize   = sizeof (PrivateKey),
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallPkcs1v2Encrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaOaepEncryptPkcs1v2Decrypt = {
+  .SelfTestCert     = SelfTestCert,
+  .SelfTestCertSize = sizeof (SelfTestCert),
+  .PrivateKey       = PrivateKey,
+  .PrivateKeySize   = sizeof (PrivateKey),
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallPkcs1v2Decrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaesOaep2048MdDefaultBgf1Default = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = 0,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaesOaep2048MdSha1Mgf1Sha1 = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaepMdSha1Mgf1Sha1,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaepMdSha1Mgf1Sha1),
+  .DigestLen        = SHA1_DIGEST_SIZE,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
+OAEP_ENC_DEC_TEST_CONTEXT  mTestVerifyRsaesOaep2048MdSha256Mgf1Sha256 = {
+  .SelfTestCert     = NULL,
+  .SelfTestCertSize = 0,
+  .PrivateKey       = NULL,
+  .PrivateKeySize   = 0,
+  .RsaN             = RsaN,
+  .RsaNSize         = sizeof (RsaN),
+  .RsaE             = RsaE,
+  .RsaESize         = sizeof (RsaE),
+  .RsaD             = RsaD,
+  .RsaDSize         = sizeof (RsaD),
+  .ClearText        = Msg1230,
+  .ClearTextSize    = sizeof (Msg1230),
+  .CipherText       = Ct1230RsaesOaep2048MdSha256Mgf1Sha256,
+  .CipherTextSize   = sizeof (Ct1230RsaesOaep2048MdSha256Mgf1Sha256),
+  .DigestLen        = SHA256_DIGEST_SIZE,
+  .Encrypt          = CallRsaOaepEncrypt,
+  .Decrypt          = CallRsaOaepDecrypt,
+  .Expect           = UNIT_TEST_PASSED
+};
+
 TEST_DESC  mOaepTest[] = {
   //
   // -----Description--------------------------------------Class----------------------Function-----------------Pre---Post--Context
   //
-  { "TestVerifyOaepEncrypt()", "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt", TestVerifyOaepEncrypt, NULL, NULL, NULL },
+  // Pkcs1v2Encrypt / Decrypt
+  { "Pkcs1v2Encrypt (Interface)",                   "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt.Interface",                   TestVerifyPkcs1v2EncryptInterface, NULL, NULL, &mTestVerifyPkcs1v2Msg1230                    },
+  { "Pkcs1v2Encrypt (NoSeed)",                      "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt.NoSeed",                      TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyPkcs1v2Msg1230                    },
+  { "Pkcs1v2Encrypt (Seeded)",                      "CryptoPkg.BaseCryptLib.Pkcs1v2Encrypt.Seeded",                      TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyPkcs1v2Msg1230PrngSeed            },
+  { "Pkcs1v2Decrypt",                               "CryptoPkg.BaseCryptLib.Pkcs1v2Decrypt",                             TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyPkcs1v2Msg1230                    },
+  { "Pkcs1v2EncryptDecrypt",                        "CryptoPkg.BaseCryptLib.Pkcs1v2EncryptDecrypt",                      TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyPkcs1v2Msg1230                    },
+
+  // RsaOaepEncrypt / Decrypt
+  { "RsaOaepEncrypt (Interface)",                   "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.Interface",                   TestVerifyRsaOaepEncryptInterface, NULL, NULL, &mTestVerifyRsaOaepMsg1230                    },
+  { "RsaOaepEncrypt (NoSeed)",                      "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.NoSeed",                      TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaOaepMsg1230                    },
+  { "RsaOaepEncrypt (Seeded)",                      "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.Seeded",                      TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaOaepMsg1230PrngSeed            },
+  { "RsaOaepDecrypt",                               "CryptoPkg.BaseCryptLib.RsaOaepDecrypt",                             TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyRsaOaepMsg1230                    },
+  { "RsaOaepEncryptDecrypt",                        "CryptoPkg.BaseCryptLib.RsaOaepEncryptDecrypt",                      TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaOaepMsg1230                    },
+
+  // Mix interfaces
+  { "RsaOaepEncryptPkcs1v2Decrypt",                 "CryptoPkg.BaseCryptLib.RsaOaepEncryptPkcs1v2Decrypt",               TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaOaepEncryptPkcs1v2Decrypt      },
+  { "Pkcs1v2EncryptRsaOaepDecrypt",                 "CryptoPkg.BaseCryptLib.Pkcs1v2EncryptRsaOaepDecrypt",               TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyPkcs1v2EncryptRsaOaepDecrypt      },
+
+  // Message digest default / MGF1 default (SHA1)
+  { "RsaOaepEncrypt (MdDefaultMgf1Default)",        "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.MdDefaultMgf1Default",        TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdDefaultBgf1Default },
+  { "RsaOaepDecrypt (MdDefaultMgf1Default)",        "CryptoPkg.BaseCryptLib.RsaOaepDecrypt.MdDefaultMgf1Default",        TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdDefaultBgf1Default },
+  { "RsaOaepEncryptDecrypt (MdDefaultMgf1Default)", "CryptoPkg.BaseCryptLib.RsaOaepEncryptDecrypt.MdDefaultMgf1Default", TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaesOaep2048MdDefaultBgf1Default },
+
+  // Message digest SHA1 / MGF1 SHA1
+  { "RsaOaepEncrypt (MdSha1Bgf1Sha1",               "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.MdSha1Bgf1Sha1",              TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdSha1Mgf1Sha1       },
+  { "RsaOaepDecrypt (MdSha1Bgf1Sha1)",              "CryptoPkg.BaseCryptLib.RsaOaepDecrypt.MdSha1Bgf1Sha1",              TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdSha1Mgf1Sha1       },
+  { "RsaOaepEncryptDecrypt (MdSha1Bgf1Sha1)",       "CryptoPkg.BaseCryptLib.RsaOaepEncryptDecrypt.MdSha1Bgf1Sha1",       TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaesOaep2048MdSha1Mgf1Sha1       },
+
+  // Message digest SHA256 / MGF1 SHA256
+  { "RsaOaepEncrypt (MdSha256Bgf1Sha256)",          "CryptoPkg.BaseCryptLib.RsaOaepEncrypt.MdSha256Bgf1Sha256",          TestVerifyEncrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdSha256Mgf1Sha256   },
+  { "RsaOaepDecrypt (MdSha256Bgf1Sha256)",          "CryptoPkg.BaseCryptLib.RsaOaepDecrypt.MdSha256Bgf1Sha256",          TestVerifyDecrypt,                 NULL, NULL, &mTestVerifyRsaesOaep2048MdSha256Mgf1Sha256   },
+  { "RsaOaepEncryptDecrypt (MdSha256Bgf1Sha256)",   "CryptoPkg.BaseCryptLib.RsaOaepEncryptDecryptMdSha256Bgf1Sha256",    TestVerifyEncryptDecrypt,          NULL, NULL, &mTestVerifyRsaesOaep2048MdSha256Mgf1Sha256   },
 };
 
 UINTN  mOaepTestNum = ARRAY_SIZE (mOaepTest);

DynamicTablesPkg/Include/ArmNameSpaceObjects.h

@@ -1,6 +1,6 @@
 /** @file
 
-  Copyright (c) 2017 - 2023, Arm Limited. All rights reserved.<BR>
+  Copyright (c) 2017 - 2024, Arm Limited. All rights reserved.<BR>
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -317,7 +317,10 @@ typedef struct CmArmSerialPortInfo {
   /// The physical base address for the serial port
   UINT64    BaseAddress;
 
-  /// The serial port interrupt
+  /** The serial port interrupt.
+      0 indicates that the serial port does not
+      have an interrupt wired.
+  */
   UINT32    Interrupt;
 
   /// The serial port baud rate

DynamicTablesPkg/Include/Library/AmlLib/AmlLib.h

@@ -2,7 +2,7 @@
   AML Lib.
 
   Copyright (c) 2019 - 2023, Arm Limited. All rights reserved.<BR>
-  Copyright (C) 2023 Advanced Micro Devices, Inc. All rights reserved.<BR>
+  Copyright (C) 2023 - 2024, Advanced Micro Devices, Inc. All rights reserved.<BR>
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
@@ -1743,6 +1743,45 @@ AmlAddNameStringToNamedPackage (
   IN AML_OBJECT_NODE_HANDLE  NamedNode
   );
 
+/** Add an integer value to the named package node.
+
+  AmlCodeGenNamePackage ("_CID", NULL, &PackageNode);
+  AmlGetEisaIdFromString ("PNP0A03", &EisaId);
+  AmlAddIntegerToNamedPackage (EisaId, NameNode);
+  AmlGetEisaIdFromString ("PNP0A08", &EisaId);
+  AmlAddIntegerToNamedPackage (EisaId, NameNode);
+
+  equivalent of the following ASL code:
+  Name (_CID, Package (0x02)  // _CID: Compatible ID
+  {
+      EisaId ("PNP0A03"),
+      EisaId ("PNP0A08")
+  })
+
+  The package is added at the tail of the list of the input package node
+  name:
+    Name ("NamePackageNode", Package () {
+      [Pre-existing package entries],
+      [Newly created integer entry]
+    })
+
+
+  @ingroup CodeGenApis
+
+  @param [in]       Integer       Integer value that need to be added to package node.
+  @param [in, out]  NameNode      Package named node to add the object to.
+
+  @retval EFI_SUCCESS             Success.
+  @retval EFI_INVALID_PARAMETER   Invalid parameter.
+  @retval Others                  Error occurred during the operation.
+**/
+EFI_STATUS
+EFIAPI
+AmlAddIntegerToNamedPackage (
+  IN        UINT32                  Integer,
+  IN  OUT   AML_OBJECT_NODE_HANDLE  NameNode
+  );
+
 /** AML code generation to invoke/call another method.
 
   This method is a subset implementation of MethodInvocation

DynamicTablesPkg/Library/Acpi/Arm/AcpiSsdtCpuTopologyLibArm/SsdtCpuTopologyGenerator.c

@@ -1072,6 +1072,7 @@ CreateAmlProcessorContainer (
   @param [in]  IsLeaf           The ProcNode is a leaf.
   @param [in]  NodeToken        NodeToken of the ProcNode.
   @param [in]  ParentNodeToken  Parent NodeToken of the ProcNode.
+  @param [in]  PackageNodeSeen  A parent of the ProcNode has the physical package flag set.
 
   @retval EFI_SUCCESS             Success.
   @retval EFI_INVALID_PARAMETER   Invalid parameter.
@@ -1083,23 +1084,24 @@ CheckProcNode (
   UINT32           NodeFlags,
   BOOLEAN          IsLeaf,
   CM_OBJECT_TOKEN  NodeToken,
-  CM_OBJECT_TOKEN  ParentNodeToken
+  CM_OBJECT_TOKEN  ParentNodeToken,
+  BOOLEAN          PackageNodeSeen
   )
 {
   BOOLEAN  InvalidFlags;
   BOOLEAN  HasPhysicalPackageBit;
-  BOOLEAN  IsTopLevelNode;
 
   HasPhysicalPackageBit = (NodeFlags & EFI_ACPI_6_3_PPTT_PACKAGE_PHYSICAL) ==
                           EFI_ACPI_6_3_PPTT_PACKAGE_PHYSICAL;
-  IsTopLevelNode = (ParentNodeToken == CM_NULL_TOKEN);
 
-  // A top-level node is a Physical Package and conversely.
+  // Only one Physical Package flag is allowed in the hierarchy
-  InvalidFlags = HasPhysicalPackageBit ^ IsTopLevelNode;
+  InvalidFlags = HasPhysicalPackageBit && PackageNodeSeen;
 
   // Check Leaf specific flags.
   if (IsLeaf) {
     InvalidFlags |= ((NodeFlags & PPTT_LEAF_MASK) != PPTT_LEAF_MASK);
+    // Must have Physical Package flag somewhere in the hierarchy
+    InvalidFlags |= !(HasPhysicalPackageBit || PackageNodeSeen);
   } else {
     InvalidFlags |= ((NodeFlags & PPTT_LEAF_MASK) != 0);
   }
@@ -1130,6 +1132,7 @@ CheckProcNode (
                                       node to.
   @param [in,out] ProcContainerIndex  Pointer to the current processor container
                                       index to be used as UID.
+  @param [in]  PackageNodeSeen        A parent of the ProcNode has the physical package flag set.
 
   @retval EFI_SUCCESS             Success.
   @retval EFI_INVALID_PARAMETER   Invalid parameter.
@@ -1143,7 +1146,8 @@ CreateAmlCpuTopologyTree (
   IN  CONST EDKII_CONFIGURATION_MANAGER_PROTOCOL  *CONST  CfgMgrProtocol,
   IN        CM_OBJECT_TOKEN                               NodeToken,
   IN        AML_NODE_HANDLE                               ParentNode,
-  IN OUT    UINT32                                        *ProcContainerIndex
+  IN OUT    UINT32                                        *ProcContainerIndex,
+  IN        BOOLEAN                                       PackageNodeSeen
   )
 {
   EFI_STATUS              Status;
@@ -1153,6 +1157,7 @@ CreateAmlCpuTopologyTree (
   AML_OBJECT_NODE_HANDLE  ProcContainerNode;
   UINT32                  Uid;
   UINT16                  Name;
+  BOOLEAN                 HasPhysicalPackageBit;
 
   ASSERT (Generator != NULL);
   ASSERT (Generator->ProcNodeList != NULL);
@@ -1175,7 +1180,8 @@ CreateAmlCpuTopologyTree (
                    Generator->ProcNodeList[Index].Flags,
                    TRUE,
                    Generator->ProcNodeList[Index].Token,
-                   NodeToken
+                   NodeToken,
+                   PackageNodeSeen
                    );
         if (EFI_ERROR (Status)) {
           ASSERT (0);
@@ -1208,7 +1214,8 @@ CreateAmlCpuTopologyTree (
                    Generator->ProcNodeList[Index].Flags,
                    FALSE,
                    Generator->ProcNodeList[Index].Token,
-                   NodeToken
+                   NodeToken,
+                   PackageNodeSeen
                    );
         if (EFI_ERROR (Status)) {
           ASSERT (0);
@@ -1249,13 +1256,17 @@ CreateAmlCpuTopologyTree (
           ProcContainerName++;
         }
 
+        HasPhysicalPackageBit = (Generator->ProcNodeList[Index].Flags & EFI_ACPI_6_3_PPTT_PACKAGE_PHYSICAL) ==
+                                EFI_ACPI_6_3_PPTT_PACKAGE_PHYSICAL;
+
         // Recursively continue creating an AML tree.
         Status = CreateAmlCpuTopologyTree (
                    Generator,
                    CfgMgrProtocol,
                    Generator->ProcNodeList[Index].Token,
                    ProcContainerNode,
-                   ProcContainerIndex
+                   ProcContainerIndex,
+                   (PackageNodeSeen || HasPhysicalPackageBit)
                    );
         if (EFI_ERROR (Status)) {
           ASSERT (0);
@@ -1311,7 +1322,8 @@ CreateTopologyFromProcHierarchy (
              CfgMgrProtocol,
              CM_NULL_TOKEN,
              ScopeNode,
-             &ProcContainerIndex
+             &ProcContainerIndex,
+             FALSE
              );
   if (EFI_ERROR (Status)) {
     ASSERT (0);

DynamicTablesPkg/Library/Common/AmlLib/CodeGen/AmlCodeGen.c

@@ -3871,6 +3871,73 @@ exit_handler:
   return Status;
 }
 
+/** Add an integer value to the named package node.
+
+  AmlCodeGenNamePackage ("_CID", NULL, &PackageNode);
+  AmlGetEisaIdFromString ("PNP0A03", &EisaId);
+  AmlAddIntegerToNamedPackage (EisaId, NameNode);
+  AmlGetEisaIdFromString ("PNP0A08", &EisaId);
+  AmlAddIntegerToNamedPackage (EisaId, NameNode);
+
+  equivalent of the following ASL code:
+  Name (_CID, Package (0x02)  // _CID: Compatible ID
+  {
+      EisaId ("PNP0A03"),
+      EisaId ("PNP0A08")
+  })
+
+  The package is added at the tail of the list of the input package node
+  name:
+    Name ("NamePackageNode", Package () {
+      [Pre-existing package entries],
+      [Newly created integer entry]
+    })
+
+
+  @ingroup CodeGenApis
+
+  @param [in]       Integer       Integer value that need to be added to package node.
+  @param [in, out]  NameNode      Package named node to add the object to.
+
+  @retval EFI_SUCCESS             Success.
+  @retval EFI_INVALID_PARAMETER   Invalid parameter.
+  @retval Others                  Error occurred during the operation.
+**/
+EFI_STATUS
+EFIAPI
+AmlAddIntegerToNamedPackage (
+  IN        UINT32                  Integer,
+  IN  OUT   AML_OBJECT_NODE_HANDLE  NameNode
+  )
+{
+  EFI_STATUS       Status;
+  AML_OBJECT_NODE  *PackageNode;
+
+  if (NameNode == NULL) {
+    ASSERT_EFI_ERROR (FALSE);
+    return EFI_INVALID_PARAMETER;
+  }
+
+  PackageNode = (AML_OBJECT_NODE_HANDLE)AmlGetFixedArgument (
+                                          NameNode,
+                                          EAmlParseIndexTerm1
+                                          );
+  if ((PackageNode == NULL)                                              ||
+      (AmlGetNodeType ((AML_NODE_HANDLE)PackageNode) != EAmlNodeObject)  ||
+      (!AmlNodeHasOpCode (PackageNode, AML_PACKAGE_OP, 0)))
+  {
+    ASSERT_EFI_ERROR (FALSE);
+    return EFI_INVALID_PARAMETER;
+  }
+
+  Status = AmlAddRegisterOrIntegerToPackage (NULL, Integer, PackageNode);
+  if (EFI_ERROR (Status)) {
+    ASSERT_EFI_ERROR (Status);
+  }
+
+  return Status;
+}
+
 /** AML code generation to invoke/call another method.
 
   This method is a subset implementation of MethodInvocation

DynamicTablesPkg/Library/Common/SsdtSerialPortFixupLib/SsdtSerialPortFixupLib.c

@@ -1,7 +1,7 @@
 /** @file
   SSDT Serial Port Fixup Library.
 
-  Copyright (c) 2019 - 2021, Arm Limited. All rights reserved.<BR>
+  Copyright (c) 2019 - 2024, Arm Limited. All rights reserved.<BR>
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -9,6 +9,9 @@
   - Arm Server Base Boot Requirements (SBBR), s4.2.1.8 "SPCR".
   - Microsoft Debug Port Table 2 (DBG2) Specification - December 10, 2015.
   - ACPI for Arm Components 1.0 - 2020
+  - Arm Generic Interrupt Controller Architecture Specification,
+    Issue H, January 2022.
+    (https://developer.arm.com/documentation/ihi0069/)
 **/
 
 #include <IndustryStandard/DebugPort2Table.h>
@@ -27,6 +30,10 @@
 #include <Library/AmlLib/AmlLib.h>
 #include <Protocol/ConfigurationManagerProtocol.h>
 
+#if defined (MDE_CPU_ARM) || defined (MDE_CPU_AARCH64)
+  #include <Library/ArmGicArchLib.h>
+#endif
+
 /** C array containing the compiled AML template.
     This symbol is defined in the auto generated C file
     containing the AML bytecode array.
@@ -100,6 +107,26 @@ ValidateSerialPortInfo (
       return EFI_INVALID_PARAMETER;
     }
 
+ #if defined (MDE_CPU_ARM) || defined (MDE_CPU_AARCH64)
+    // If an interrupt is not wired to the serial port, the Configuration
+    // Manager specifies the interrupt as 0.
+    // Any other value must be within the SPI or extended SPI range.
+    if ((SerialPortInfo->Interrupt != 0) &&
+        !(((SerialPortInfo->Interrupt >= ARM_GIC_ARCH_SPI_MIN) &&
+           (SerialPortInfo->Interrupt <= ARM_GIC_ARCH_SPI_MAX)) ||
+          ((SerialPortInfo->Interrupt >= ARM_GIC_ARCH_EXT_SPI_MIN) &&
+           (SerialPortInfo->Interrupt <= ARM_GIC_ARCH_EXT_SPI_MAX))))
+    {
+      DEBUG ((
+        DEBUG_ERROR,
+        "ERROR: Invalid UART port interrupt ID. Interrupt = %lu\n",
+        SerialPortInfo->Interrupt
+        ));
+      return EFI_INVALID_PARAMETER;
+    }
+
+ #endif
+
     DEBUG ((DEBUG_INFO, "UART Configuration:\n"));
     DEBUG ((
       DEBUG_INFO,
@@ -270,7 +297,6 @@ FixupCrs (
   EFI_STATUS              Status;
   AML_OBJECT_NODE_HANDLE  NameOpCrsNode;
   AML_DATA_NODE_HANDLE    QWordRdNode;
-  AML_DATA_NODE_HANDLE    InterruptRdNode;
 
   // Get the "_CRS" object defined by the "Name ()" statement.
   Status = AmlFindNode (
@@ -303,20 +329,22 @@ FixupCrs (
     return Status;
   }
 
-  // Get the Interrupt node.
+  // Generate an interrupt node as the second Resource Data element in the
-  // It is the second Resource Data element in the NameOpCrsNode's
+  // NameOpCrsNode, if the interrupt for the serial-port is a valid SPI from
-  // variable list of arguments.
+  // Table 2-1 in Arm Generic Interrupt Controller Architecture Specification.
-  Status = AmlNameOpGetNextRdNode (QWordRdNode, &InterruptRdNode);
+  Status = AmlCodeGenRdInterrupt (
-  if (EFI_ERROR (Status)) {
+             TRUE,                  // Resource Consumer
-    return Status;
+             FALSE,                 // Level Triggered
-  }
+             FALSE,                 // Active High
+             FALSE,                 // Exclusive
+             (UINT32 *)&SerialPortInfo->Interrupt,
+             1,
+             NameOpCrsNode,
+             NULL
+             );
+  ASSERT_EFI_ERROR (Status);
 
-  if (InterruptRdNode == NULL) {
+  return Status;
-    return EFI_INVALID_PARAMETER;
-  }
-
-  // Update the interrupt number.
-  return AmlUpdateRdInterrupt (InterruptRdNode, SerialPortInfo->Interrupt);
 }
 
 /** Fixup the Serial Port device name.

DynamicTablesPkg/Library/Common/SsdtSerialPortFixupLib/SsdtSerialPortFixupLib.inf

@@ -18,12 +18,15 @@
   SsdtSerialPortFixupLib.c
   SsdtSerialPortTemplate.asl
 
-[Packages]
+[Packages.common]
   MdePkg/MdePkg.dec
   MdeModulePkg/MdeModulePkg.dec
   EmbeddedPkg/EmbeddedPkg.dec
   DynamicTablesPkg/DynamicTablesPkg.dec
 
+[Packages.ARM, Packages.AARCH64]
+  ArmPkg/ArmPkg.dec
+
 [LibraryClasses]
   AcpiHelperLib
   AmlLib

DynamicTablesPkg/Library/Common/SsdtSerialPortFixupLib/SsdtSerialPortTemplate.asl

@@ -1,7 +1,7 @@
 /** @file
   SSDT Serial Template
 
-  Copyright (c) 2019 - 2020, Arm Limited. All rights reserved.<BR>
+  Copyright (c) 2019 - 2024, Arm Limited. All rights reserved.<BR>
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -10,6 +10,7 @@
 
   @par Glossary:
     - {template} - Data fixed up using AML Fixup APIs.
+    - {codegen}  - Data generated using AML Codegen APIs.
 **/
 
 DefinitionBlock ("SsdtSerialPortTemplate.aml", "SSDT", 2, "ARMLTD", "SERIAL", 1) {
@@ -43,17 +44,21 @@ DefinitionBlock ("SsdtSerialPortTemplate.aml", "SSDT", 2, "ARMLTD", "SERIAL", 1)
           ,                   // MemoryRangeType
                               // TranslationType
         ) // QWordMemory
-        Interrupt (
+
-          ResourceConsumer,   // ResourceUsage
+        // The Interrupt information is generated using AmlCodegen.
-          Level,              // EdgeLevel
+        //
-          ActiveHigh,         // ActiveLevel
+        // Interrupt (                                    // {codegen}
-          Exclusive,          // Shared
+        //  ResourceConsumer, // ResourceUsage
-          ,                   // ResourceSourceIndex
+        //  Level,            // EdgeLevel
-          ,                   // ResourceSource
+        //  ActiveHigh,       // ActiveLevel
-                              // DescriptorName
+        //  Exclusive,        // Shared
-          ) {
+        //  ,                 // ResourceSourceIndex
-            0xA5                                          // {template}
+        //  ,                 // ResourceSource
-        } // Interrupt
+        //                    // DescriptorName
+        //  ) {
+        //    <IRQ>           // <spi>
+        // } // Interrupt
+
       }) // Name
     } // Device
   } // Scope (_SB)

EmbeddedPkg/Drivers/NonCoherentIoMmuDxe/NonCoherentIoMmuDxe.c

@@ -70,7 +70,7 @@ NonCoherentIoMmuSetAttribute (
   IN UINT64                IoMmuAccess
   )
 {
-  return EFI_UNSUPPORTED;
+  return EFI_SUCCESS;
 }
 
 /**

EmbeddedPkg/Drivers/VirtualKeyboardDxe/VirtualKeyboard.c

@@ -694,11 +694,12 @@ KeyboardReadKeyStrokeWorker (
 /**
   Read out the scan code of the key that has just been stroked.
 
-  @param  This        Pointer of simple text Protocol.
+  @param  This              Pointer of simple text Protocol.
-  @param  Key         Pointer for store the key that read out.
+  @param  Key               Pointer for store the key that read out.
 
-  @retval EFI_SUCCESS The key is read out successfully.
+  @retval EFI_SUCCESS       The key is read out successfully.
-  @retval other       The key reading failed.
+  @retval other             The key reading failed.
+  @retval EFI_UNSUPPORTED   The device does not support the ability to read keystroke data.
 
 **/
 EFI_STATUS
@@ -752,6 +753,7 @@ VirtualKeyboardReadKeyStroke (
   @retval  EFI_DEVICE_ERROR      The keystroke information was not returned
                                  due to hardware errors.
   @retval  EFI_INVALID_PARAMETER KeyData is NULL.
+  @retval  EFI_UNSUPPORTED       The device does not support the ability to read keystroke data.
 
 **/
 EFI_STATUS

EmbeddedPkg/Drivers/VirtualKeyboardDxe/VirtualKeyboard.h

@@ -496,11 +496,12 @@ KeyNotifyProcessHandler (
 /**
   Read out the scan code of the key that has just been stroked.
 
-  @param  This        Pointer of simple text Protocol.
+  @param  This              Pointer of simple text Protocol.
-  @param  Key         Pointer for store the key that read out.
+  @param  Key               Pointer for store the key that read out.
 
-  @retval EFI_SUCCESS The key is read out successfully.
+  @retval EFI_SUCCESS       The key is read out successfully.
-  @retval other       The key reading failed.
+  @retval other             The key reading failed.
+  @retval EFI_UNSUPPORTED   The device does not support the ability to read keystroke data.
 
 **/
 EFI_STATUS
@@ -523,6 +524,7 @@ VirtualKeyboardReadKeyStroke (
   @retval  EFI_DEVICE_ERROR      The keystroke information was not returned due to
                                  hardware errors.
   @retval  EFI_INVALID_PARAMETER KeyData is NULL.
+  @retval  EFI_UNSUPPORTED       The device does not support the ability to read keystroke data.
 
 **/
 EFI_STATUS

EmbeddedPkg/Scripts/LauterbachT32/EfiLoadDxe.cmm

@@ -1,79 +1,22 @@
 ;
+; Copyright (c) 2024, Ampere Computing LLC. All rights reserved.<BR>
 ; Copyright (c) 2011, Hewlett-Packard Company. All rights reserved.<BR>
 ; 
 ; SPDX-License-Identifier: BSD-2-Clause-Patent
 ; 
 
-  LOCAL &maxmem &systbl &memsize
+  PARAMETERS &systbl
-  
+
-  &memsize=0x20000000   ; default to 512MB
+  gosub FindDebugInfo &systbl
-  
-  gosub FindSystemTable &memsize
-  ENTRY &systbl
-  
-  if &systbl!=0
-  (
-    print "found system table at &systbl"
-    gosub FindDebugInfo &systbl
-  )
-  else
-  (
-    print "ERROR: system table not found, check memory size"
-  )
   enddo
 
-FindSystemTable:
-  LOCAL   &TopOfRam &offset
-  ENTRY   &TopOfRam
-  
-  print "FindSystemTable"
-  print "top of mem is &TopOfRam$"
-  
-  &offset=&TopOfRam
-  
-  ; align to highest 4MB boundary
-  &offset=&offset&0xFFC00000
-  
-  ; start at top and look on 4MB boundaries for system table ptr structure
-  while &offset>0
-  (
-    ; low signature match
-    if Data.Long(a:&offset)==0x20494249
-    (
-      ; high signature match
-      if Data.Long(a:&offset+4)==0x54535953
-      (
-        ; less than 4GB?
-        if Data.Long(a:&offset+0x0c)==0
-        (
-          ; less than top of ram?
-          if Data.Long(a:&offset+8)<&TopOfRam
-          (
-            return Data.Long(a:&offset+8)
-          )
-        )
-      )
-    )
-   
-    if &offset<0x400000
-    (
-      return 0
-    )
-    &offset=&offset-0x400000
-  )
-  
-  return 0
-
-
 FindDebugInfo:
   LOCAL   &SystemTable &CfgTableEntries &ConfigTable &i &offset &dbghdr &dbgentries &dbgptr &dbginfo &loadedimg
   ENTRY   &SystemTable
   
-  print "FindDebugInfo"
-  
   &dbgentries=0
-  &CfgTableEntries=Data.Long(a:&SystemTable+0x40)
+  &CfgTableEntries=Data.Long(a:&SystemTable+0x68)
-  &ConfigTable=Data.Long(a:&SystemTable+0x44)
+  &ConfigTable=Data.Long(a:&SystemTable+0x70)
   
   print "config table is at &ConfigTable (&CfgTableEntries entries)"
   
@@ -82,7 +25,7 @@ FindDebugInfo:
   &i=0
   while &i<&CfgTableEntries
   (
-    &offset=&ConfigTable+(&i*0x14)
+    &offset=&ConfigTable+(&i*0x18)
     if Data.Long(a:&offset)==0x49152E77
     (
       if Data.Long(a:&offset+4)==0x47641ADA
@@ -120,8 +63,10 @@ FindDebugInfo:
     (
       if Data.Long(a:&dbginfo)==1 ; normal debug info type
       (
-        &loadedimg=Data.Long(a:&dbginfo+4)
+        &loadedimg=Data.Long(a:&dbginfo+8)
-        do EfiProcessPeImage Data.Long(a:&loadedimg+0x20)
+        &imagebaseptr=&loadedimg+0x40
+        &imagebase=Data.Long(a:&imagebaseptr)
+        do ~~~~/EfiProcessPeImage.cmm "&imagebase"
       )
     )
     &i=&i+1

EmbeddedPkg/Scripts/LauterbachT32/EfiProcessPeImage.cmm

@@ -1,4 +1,5 @@
 ;
+; Copyright (c) 2024, Ampere Computing LLC. All rights reserved.<BR>
 ; Copyright (c) 2011, Hewlett-Packard Company. All rights reserved.<BR>
 ; 
 ; SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -10,11 +11,11 @@
   &imgstart=&imgstart
   print "PE32 image found at &imgstart"
 
-  ; offset from dos hdr to PE file hdr
+  ; offset from dos hdr to PE file hdr (i.e. 'PE\0\0' signature)
   &filehdrstart=&imgstart+Data.Long(c:&imgstart+0x3C)
 
   ; offset to debug dir in PE hdrs
-  &debugdirentryrva=Data.Long(c:&filehdrstart+0xA8)
+  &debugdirentryrva=Data.Long(c:&imgstart+0xf10)
   if &debugdirentryrva==0
   (
     print "no debug dir for image at &imgstart"
@@ -62,7 +63,7 @@
     &elfbase=&baseofdata;
   )
 
-  print "found path &elfpath"
+  print "found path &elfpath with address &elfbase"
         ON ERROR GOSUB
               return
   data.load.elf &elfpath &elfbase /NOCODE /NOCLEAR

EmbeddedPkg/Scripts/LauterbachT32/Readme.md

@@ -1,10 +1,10 @@
 # DXE Phase Debug
-Update the memsize variable in EfiLoadDxe.cmm for the actual amount of memory
+Allow your system to boot to the point that the DXE
-available in your system.  Allow your system to boot to the point that the DXE
 core is initialized (so that the System Table and Debug Information table is
 present in memory) and execute this script (using the toolbar button or
-'do EfiLoadDxe' from the command area).  It will scan memory for the debug info
+'do EfiLoadDxe "0xGST_ADDRESS"' from the command area). 'GST_ADDRESS' is the
-table and load modules in it.
+address of the EFI_SYSTEM_TABLE, and can be found by the global `gST`.
+The script will scan memory for the debug info table and load modules in it.
 
 # SEC/PEI Phase Debug
 There is no way to autodetect where these images reside so you must pass an

EmulatorPkg/EmuGopDxe/GopInput.c

@@ -156,6 +156,7 @@ EmuGopSimpleTextInReset (
   @retval EFI_NOT_READY    There was no keystroke data available.
   @retval EFI_DEVICE_ERROR The keystroke information was not returned due to
                            hardware errors.
+  @retval EFI_UNSUPPORTED  The device does not support the ability to read keystroke data.
 
 **/
 EFI_STATUS
@@ -339,6 +340,7 @@ EmuGopSimpleTextInExResetEx (
                           EFI_DEVICE_ERROR The keystroke
                           information was not returned due to
                           hardware errors.
+  @retval EFI_UNSUPPORTED The device does not support the ability to read keystroke data.
 
 
 **/

EmulatorPkg/EmulatorPkg.dsc

@@ -127,11 +127,12 @@
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
   ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf
-
-!if $(SECURE_BOOT_ENABLE) == TRUE
   RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
   PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
   SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
@@ -278,6 +279,27 @@
   gEfiRedfishPkgTokenSpaceGuid.PcdRedfishRestExServiceDevicePath.DevicePath|{DEVICE_PATH("MAC(000000000000,0x1)")}
   gEfiRedfishPkgTokenSpaceGuid.PcdRedfishRestExServiceAccessModeInBand|False
   gEfiRedfishPkgTokenSpaceGuid.PcdRedfishDiscoverAccessModeInBand|False
+
+  gEmulatorPkgTokenSpaceGuid.PcdRedfishServiceStopIfSecureBootDisabled|False
+  gEmulatorPkgTokenSpaceGuid.PcdRedfishServiceStopIfExitbootService|False
+
+  gEfiRedfishClientPkgTokenSpaceGuid.PcdRedfishServiceEtagSupported|False
+
+  #
+  # Redfish Debug enablement
+  #
+  # 0x0000000000000001  RedfishPlatformConfigDxe driver debug enabled.
+  gEfiRedfishPkgTokenSpaceGuid.PcdRedfishDebugCategory|0
+  #   0x00000001  x-uefi-redfish string database message enabled
+  #   0x00000002  Debug Message for dumping formset
+  #   0x00000004  Debug Message for x-uefi-redfish searching result
+  #   0x00000008  Debug Message for x-uefi-redfish Regular Expression searching result
+  gEfiRedfishPkgTokenSpaceGuid.PcdRedfishPlatformConfigDebugProperty|0
+
+  # Redfish Platform Configure DXE driver feature enablement
+  #   0x00000001  Enable building Redfish Attribute Registry menu path.
+  #   0x00000002  Allow supressed HII option to be exposed on Redfish.
+  gEfiRedfishPkgTokenSpaceGuid.PcdRedfishPlatformConfigFeatureProperty|0
 !endif
 
 [PcdsDynamicDefault.common.DEFAULT]
@@ -377,6 +399,15 @@
   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf
   EmulatorPkg/TimerDxe/Timer.inf
 
+  #
+  # Rng Protocol producer
+  #
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+  #
+  # Hash2 Protocol producer
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
 !if $(SECURE_BOOT_ENABLE) == TRUE
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 !endif

EmulatorPkg/EmulatorPkg.fdf

@@ -193,6 +193,16 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
 INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
 INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf
 
+#
+# Rng Protocol producer
+#
+INF  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+
+#
+# Hash2 Protocol producer
+#
+INF  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
 #
 # Secure Boot Key Enroll
 #
@@ -320,4 +330,3 @@ INF  ShellPkg/Application/Shell/Shell.inf
     UI        STRING="$(MODULE_NAME)" Optional
     VERSION   STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
   }
-

EmulatorPkg/Sec/Sec.h

@@ -20,15 +20,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #include <Ppi/TemporaryRamSupport.h>
 
-//
-// I think this should be defined in a MdePkg include file?
-//
-VOID
-EFIAPI
-ProcessLibraryConstructorList (
-  VOID
-  );
-
 EFI_STATUS
 EFIAPI
 SecTemporaryRamSupport (

EmulatorPkg/Sec/Sec.inf

@@ -11,7 +11,7 @@
 ##
 
 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
   BASE_NAME                      = EmuSec
   FILE_GUID                      = BCAF98C9-22B0-3B4F-9CBD-C8A6B4DBCEE9
   MODULE_TYPE                    = SEC

IntelFsp2Pkg/FspSecCore/Fsp24SecCoreM.inf

@@ -8,7 +8,7 @@
 ##
 
 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
   BASE_NAME                      = Fsp24SecCoreM
   FILE_GUID                      = C5BC0719-4A23-4F6E-94DA-05FB6A0DFA9C
   MODULE_TYPE                    = SEC
@@ -60,6 +60,7 @@
   FspSecPlatformLib
   CpuLib
   FspMultiPhaseLib
+  FspPlatformLib
 
 [Pcd]
   gIntelFsp2PkgTokenSpaceGuid.PcdTemporaryRamBase              ## CONSUMES

IntelFsp2Pkg/FspSecCore/FspSecCoreM.inf

@@ -8,7 +8,7 @@
 ##
 
 [Defines]
-  INF_VERSION                    = 0x00010005
+  INF_VERSION                    = 1.30
   BASE_NAME                      = FspSecCoreM
   FILE_GUID                      = C2F9AE46-3437-4FEF-9CB1-9A568B282FEE
   MODULE_TYPE                    = SEC
@@ -59,6 +59,7 @@
   FspCommonLib
   FspSecPlatformLib
   CpuLib
+  FspPlatformLib
 
 [Pcd]
   gIntelFsp2PkgTokenSpaceGuid.PcdTemporaryRamBase              ## CONSUMES

IntelFsp2Pkg/FspSecCore/Ia32/Fsp24ApiEntryM.nasm

@@ -11,7 +11,6 @@
 ; Following are fixed PCDs
 ;
 extern   ASM_PFX(PcdGet32(PcdTemporaryRamBase))
-extern   ASM_PFX(PcdGet32(PcdTemporaryRamSize))
 extern   ASM_PFX(PcdGet32(PcdFspTemporaryRamSize))
 extern   ASM_PFX(PcdGet8 (PcdFspHeapSizePercentage))
 

IntelFsp2Pkg/FspSecCore/Ia32/FspApiEntryM.nasm

@@ -11,7 +11,6 @@
 ; Following are fixed PCDs
 ;
 extern   ASM_PFX(PcdGet32(PcdTemporaryRamBase))
-extern   ASM_PFX(PcdGet32(PcdTemporaryRamSize))
 extern   ASM_PFX(PcdGet32(PcdFspTemporaryRamSize))
 extern   ASM_PFX(PcdGet8 (PcdFspHeapSizePercentage))
 

IntelFsp2Pkg/FspSecCore/Ia32/FspApiEntryT.nasm

@@ -109,7 +109,8 @@ struc LoadMicrocodeParamsFsp24
     .FsptArchReserved:        resb    3
     .FsptArchLength:          resd    1
     .FspDebugHandler          resq    1
-    .FsptArchUpd:             resd    4
+    .FspTemporaryRamSize:     resd    1  ; Supported only if ArchRevison is >= 3
+    .FsptArchUpd:             resd    3
     ; }
     ; FSPT_CORE_UPD {
     .MicrocodeCodeAddr:       resq    1
@@ -267,7 +268,7 @@ ASM_PFX(LoadMicrocodeDefault):
    cmp    byte [esp + LoadMicrocodeParamsFsp22.FspUpdHeaderRevision], 2
    jb     Fsp20UpdHeader
    cmp    byte [esp + LoadMicrocodeParamsFsp22.FsptArchRevision], 2
-   je     Fsp24UpdHeader
+   jae    Fsp24UpdHeader
    jmp    Fsp22UpdHeader
 
 Fsp20UpdHeader:
@@ -405,7 +406,7 @@ CheckAddress:
    cmp   byte [esp + LoadMicrocodeParamsFsp22.FspUpdHeaderRevision], 2
    jb     Fsp20UpdHeader1
    cmp    byte [esp + LoadMicrocodeParamsFsp22.FsptArchRevision], 2
-   je     Fsp24UpdHeader1;
+   jae    Fsp24UpdHeader1;
    jmp    Fsp22UpdHeader1
 
 Fsp20UpdHeader1:
@@ -497,7 +498,8 @@ ASM_PFX(EstablishStackFsp):
   ; Enable FSP STACK
   ;
   mov       esp, DWORD [ASM_PFX(PcdGet32 (PcdTemporaryRamBase))]
-  add       esp, DWORD [ASM_PFX(PcdGet32 (PcdTemporaryRamSize))]
+  LOAD_TEMPORARY_RAM_SIZE ecx
+  add       esp, ecx
 
   push      DATA_LEN_OF_MCUD     ; Size of the data region
   push      4455434Dh            ; Signature of the  data region 'MCUD'
@@ -506,7 +508,7 @@ ASM_PFX(EstablishStackFsp):
   cmp       byte [edx + LoadMicrocodeParamsFsp22.FspUpdHeaderRevision], 2
   jb        Fsp20UpdHeader2
   cmp       byte [esp + LoadMicrocodeParamsFsp22.FsptArchRevision], 2
-  je        Fsp24UpdHeader2
+  jae       Fsp24UpdHeader2
   jmp       Fsp22UpdHeader2
 
 Fsp20UpdHeader2:
@@ -554,12 +556,13 @@ ContinueAfterUpdPush:
   ;
   ; Set ECX/EDX to the BootLoader temporary memory range
   ;
-  mov       ecx,  [ASM_PFX(PcdGet32 (PcdTemporaryRamBase))]
+  mov       edx,  [ASM_PFX(PcdGet32 (PcdTemporaryRamBase))]
-  mov       edx, ecx
+  LOAD_TEMPORARY_RAM_SIZE ecx
-  add       edx,  [ASM_PFX(PcdGet32 (PcdTemporaryRamSize))]
+  add       edx, ecx
   sub       edx,  [ASM_PFX(PcdGet32 (PcdFspReservedBufferSize))]
+  mov       ecx,  [ASM_PFX(PcdGet32 (PcdTemporaryRamBase))]
 
-  cmp       ecx, edx        ;If PcdFspReservedBufferSize >= PcdTemporaryRamSize, then error.
+  cmp       ecx, edx        ;If PcdFspReservedBufferSize >= TemporaryRamSize, then error.
   jb        EstablishStackFspSuccess
   mov       eax, 80000003h  ;EFI_UNSUPPORTED
   jmp       EstablishStackFspExit
@@ -599,6 +602,45 @@ ASM_PFX(TempRamInitApi):
   CALL_EBP  ASM_PFX(LoadUpdPointerToECX) ; ECX for UPD param
   SAVE_ECX                               ; save UPD param to slot 3 in xmm6
 
+  mov       edx, ASM_PFX(PcdGet32 (PcdTemporaryRamSize))
+  mov       edx, DWORD [edx]
+  ;
+  ; Read Fsp Arch2 revision
+  ;
+  cmp       byte [ecx + LoadMicrocodeParamsFsp24.FsptArchRevision], 3
+  jb        UseTemporaryRamSizePcd
+  ;
+  ; Read ARCH2 UPD input value.
+  ;
+  mov       ebx, DWORD [ecx + LoadMicrocodeParamsFsp24.FspTemporaryRamSize]
+  ;
+  ; As per spec, if Bootloader pass zero, use Fsp defined Size
+  ;
+  cmp       ebx, 0
+  jz        UseTemporaryRamSizePcd
+
+  xor       eax, eax
+  mov       ax,  WORD [esi + 020h]      ; Read ImageAttribute
+  test      ax,  16                     ; check if Bit4 is set
+  jnz       ConsumeInputConfiguration
+  ;
+  ; Sometimes user may change input value even if it is not supported
+  ; return error if input is Non-Zero and not same as PcdTemporaryRamSize.
+  ;
+  cmp       ebx, edx
+  je        UseTemporaryRamSizePcd
+  mov       eax, 080000002h      ; RETURN_INVALID_PARAMETER
+  jmp       TempRamInitExit
+ConsumeInputConfiguration:
+  ;
+  ; Read ARCH2 UPD value and Save.
+  ;
+  SAVE_TEMPORARY_RAM_SIZE ebx
+  jmp       GotTemporaryRamSize
+UseTemporaryRamSizePcd:
+  SAVE_TEMPORARY_RAM_SIZE edx
+GotTemporaryRamSize:
+  LOAD_ECX
   ;
   ; Sec Platform Init
   ;

IntelFsp2Pkg/FspSecCore/Ia32/SaveRestoreSseNasm.inc

@@ -128,6 +128,17 @@
   SXMMN      xmm5, 1, eax
              %endmacro
 
+;
+; XMM5 slot 2 for TemporaryRamSize
+;
+%macro LOAD_TEMPORARY_RAM_SIZE    1
+  LXMMN      xmm5, %1, 2
+             %endmacro
+
+%macro SAVE_TEMPORARY_RAM_SIZE    1
+  SXMMN      xmm5, 2, %1
+             %endmacro
+
 %macro ENABLE_SSE   0
             ;
             ; Initialize floating point units

IntelFsp2Pkg/FspSecCore/SecFsp.c

@@ -54,6 +54,7 @@ SecGetPlatformData (
   UINT32         TopOfCar;
   UINT32         *StackPtr;
   UINT32         DwordSize;
+  UINT32         TemporaryRamSize;
 
   FspPlatformData = &FspData->PlatformData;
 
@@ -67,12 +68,20 @@ SecGetPlatformData (
   FspPlatformData->MicrocodeRegionSize = 0;
   FspPlatformData->CodeRegionBase      = 0;
   FspPlatformData->CodeRegionSize      = 0;
+  TemporaryRamSize                     = 0;
 
   //
   // Pointer to the size field
   //
   TopOfCar = PcdGet32 (PcdTemporaryRamBase) + PcdGet32 (PcdTemporaryRamSize);
   StackPtr = (UINT32 *)(TopOfCar - sizeof (UINT32));
+  if ((*(StackPtr - 1) != FSP_MCUD_SIGNATURE) && (FspData->FspInfoHeader->ImageAttribute & BIT4)) {
+    ReadTemporaryRamSize (PcdGet32 (PcdTemporaryRamBase), &TemporaryRamSize);
+    if (TemporaryRamSize) {
+      TopOfCar = PcdGet32 (PcdTemporaryRamBase) + TemporaryRamSize;
+      StackPtr = (UINT32 *)(TopOfCar - sizeof (UINT32));
+    }
+  }
 
   if (*(StackPtr - 1) == FSP_MCUD_SIGNATURE) {
     while (*StackPtr != 0) {

IntelFsp2Pkg/FspSecCore/SecFsp.h

@@ -17,6 +17,7 @@
 #include <Library/BaseMemoryLib.h>
 #include <Library/FspCommonLib.h>
 #include <Library/FspSecPlatformLib.h>
+#include <Library/FspPlatformLib.h>
 
 #define FSP_MCUD_SIGNATURE  SIGNATURE_32 ('M', 'C', 'U', 'D')
 #define FSP_PER0_SIGNATURE  SIGNATURE_32 ('P', 'E', 'R', '0')

IntelFsp2Pkg/FspSecCore/SecMain.h

@@ -110,18 +110,6 @@ SecStartup (
   IN UINT32          ApiIdx
   );
 
-/**
-  Autogenerated function that calls the library constructors for all of the module's
-  dependent libraries.  This function must be called by the SEC Core once a stack has
-  been established.
-
-**/
-VOID
-EFIAPI
-ProcessLibraryConstructorList (
-  VOID
-  );
-
 /**
 
   Return value of esp.

IntelFsp2Pkg/FspSecCore/X64/FspApiEntryT.nasm

@@ -76,7 +76,8 @@ struc LoadMicrocodeParamsFsp24
     .FsptArchReserved:        resb    3
     .FsptArchLength:          resd    1
     .FspDebugHandler          resq    1
-    .FsptArchUpd:             resd    4
+    .FspTemporaryRamSize:     resd    1 ; Supported only if ArchRevison is >= 3
+    .FsptArchUpd:             resd    3
     ; }
     ; FSPT_CORE_UPD {
     .MicrocodeCodeAddr:       resq    1
@@ -163,7 +164,7 @@ ASM_PFX(LoadMicrocodeDefault):
    cmp    byte [rsp + LoadMicrocodeParamsFsp24.FspUpdHeaderRevision], 2
    jb     ParamError
    cmp    byte [rsp + LoadMicrocodeParamsFsp24.FsptArchRevision], 2
-   jne    ParamError
+   jb     ParamError
 
    ; UPD structure is compliant with FSP spec 2.4
    mov    rax, qword [rsp + LoadMicrocodeParamsFsp24.MicrocodeCodeSize]
@@ -273,7 +274,7 @@ CheckAddress:
    cmp   byte [rsp + LoadMicrocodeParamsFsp24.FspUpdHeaderRevision], 2
    jb    ParamError
    cmp   byte [rsp + LoadMicrocodeParamsFsp24.FsptArchRevision], 2
-   jne   ParamError
+   jb    ParamError
 
    ; UPD structure is compliant with FSP spec 2.4
    ; Is automatic size detection ?
@@ -337,8 +338,8 @@ ASM_PFX(EstablishStackFsp):
   ;
   mov       rax, ASM_PFX(PcdGet32 (PcdTemporaryRamBase))
   mov       esp, DWORD[rax]
-  mov       rax, ASM_PFX(PcdGet32 (PcdTemporaryRamSize))
+  LOAD_TEMPORARY_RAM_SIZE rax
-  add       esp, DWORD[rax]
+  add       esp, eax
 
   sub       esp, 4
   mov       dword[esp], DATA_LEN_OF_MCUD ; Size of the data region
@@ -349,7 +350,7 @@ ASM_PFX(EstablishStackFsp):
   cmp       byte [rdx + LoadMicrocodeParamsFsp24.FspUpdHeaderRevision], 2
   jb        ParamError1
   cmp       byte [rdx + LoadMicrocodeParamsFsp24.FsptArchRevision], 2
-  je        Fsp24UpdHeader
+  jnb       Fsp24UpdHeader
 
 ParamError1:
   mov       rax, 08000000000000002h
@@ -397,8 +398,8 @@ ContinueAfterUpdPush:
   ;
   mov       rcx, ASM_PFX(PcdGet32 (PcdTemporaryRamBase))
   mov       edx, [ecx]
-  mov       rcx, ASM_PFX(PcdGet32 (PcdTemporaryRamSize))
+  LOAD_TEMPORARY_RAM_SIZE rcx
-  add       edx, [ecx]
+  add       edx, ecx
   mov       rcx, ASM_PFX(PcdGet32 (PcdFspReservedBufferSize))
   sub       edx, [ecx]
   mov       rcx, ASM_PFX(PcdGet32 (PcdTemporaryRamBase))
@@ -439,6 +440,14 @@ ASM_PFX(TempRamInitApi):
   ;
   SAVE_BFV  rbp
 
+  ;
+  ; Save timestamp into YMM6
+  ;
+  rdtsc
+  shl       rdx, 32
+  or        rax, rdx
+  SAVE_TS   rax
+
   ;
   ; Save Input Parameter in YMM10
   ;
@@ -455,14 +464,46 @@ ASM_PFX(TempRamInitApi):
 ParamValid:
   SAVE_RCX
 
+  mov       rdx, ASM_PFX(PcdGet32 (PcdTemporaryRamSize))
+  mov       edx, DWORD [rdx]
   ;
-  ; Save timestamp into YMM6
+  ; Read Fsp Arch2 revision
   ;
-  rdtsc
+  cmp       byte [ecx + LoadMicrocodeParamsFsp24.FsptArchRevision], 3
-  shl       rdx, 32
+  jb        UseTemporaryRamSizePcd
-  or        rax, rdx
+  ;
-  SAVE_TS   rax
+  ; Read ARCH2 UPD input value.
+  ;
+  mov       ebx, DWORD [ecx + LoadMicrocodeParamsFsp24.FspTemporaryRamSize]
+  ;
+  ; As per spec, if Bootloader pass zero, use Fsp defined Size
+  ;
+  cmp       ebx, 0
+  jz        UseTemporaryRamSizePcd
 
+  xor       rax, rax
+  mov       ax,  WORD [rsi + 020h]      ; Read ImageAttribute
+  test      ax,  16                     ; check if Bit4 is set
+  jnz       ConsumeInputConfiguration
+  ;
+  ; Sometimes user may change input value even if it is not supported
+  ; return error if input is Non-Zero and not same as PcdTemporaryRamSize.
+  ;
+  cmp       ebx, edx
+  je        UseTemporaryRamSizePcd
+  mov       rax, 08000000000000002h      ; RETURN_INVALID_PARAMETER
+  jmp       TempRamInitExit
+ConsumeInputConfiguration:
+  ;
+  ; Read ARCH2 UPD value and Save.
+  ; Only low-32 bits of rbx/rdx holds the temporary ram size.
+  ;
+  SAVE_TEMPORARY_RAM_SIZE rbx
+  jmp       GotTemporaryRamSize
+UseTemporaryRamSizePcd:
+  SAVE_TEMPORARY_RAM_SIZE rdx
+
+GotTemporaryRamSize:
   ;
   ; Sec Platform Init
   ;

IntelFsp2Pkg/Include/FspEas/FspApi.h

@@ -139,7 +139,7 @@ typedef struct {
 ///
 typedef struct {
   ///
-  /// Revision of the structure is 2 for this version of the specification.
+  /// Revision of the structure is 3 for this version of the specification.
   ///
   UINT8                   Revision;
   UINT8                   Reserved[3];
@@ -152,7 +152,15 @@ typedef struct {
   /// occurring during FSP execution.
   ///
   EFI_PHYSICAL_ADDRESS    FspDebugHandler;
-  UINT8                   Reserved1[16];
+  ///
+  /// FspTemporaryRamSize is Optional & valid only when
+  /// FSP image attribute (BIT4) is set. If Programmed as Zero, Platform
+  /// recommended value will be used, otherwise input value will be used
+  /// to configure TemporaryRamSize. Refer FSP Integration guide for valid
+  /// TemporaryRamSize range for each platform.
+  ///
+  UINT32                  FspTemporaryRamSize;
+  UINT8                   Reserved1[12];
 } FSPT_ARCH2_UPD;
 
 ///

IntelFsp2Pkg/Include/Library/FspPlatformLib.h

@@ -121,4 +121,17 @@ FspTempRamExitDone2 (
   IN EFI_STATUS  Status
   );
 
+/**
+  Calculate TemporaryRam Size using Base address.
+
+  @param[in]  TemporaryRamBase         the address of target memory
+  @param[out] TemporaryRamSize         the size of target memory
+**/
+VOID
+EFIAPI
+ReadTemporaryRamSize (
+  IN  UINT32  TemporaryRamBase,
+  OUT UINT32  *TemporaryRamSize
+  );
+
 #endif

IntelFsp2Pkg/Include/SaveRestoreSseAvxNasm.inc

@@ -201,6 +201,27 @@
             movq    rcx,  xmm5
             %endmacro
 
+;
+; Save TemporaryRamSize to YMM10[192:255]
+; arg 1:general purpose register which holds TemporaryRamSize
+; Modified: XMM5 and YMM10[192:255]
+;
+%macro SAVE_TEMPORARY_RAM_SIZE     1
+            LYMMN   ymm10, xmm5, 1
+            SXMMN   xmm5, 1, %1
+            SYMMN   ymm10, 1, xmm5
+            %endmacro
+
+;
+; Restore TemporaryRamSize from YMM10[192:255]
+; arg 1:general purpose register where to save TemporaryRamSize
+; Modified: XMM5 and %1
+;
+%macro LOAD_TEMPORARY_RAM_SIZE     1
+            LYMMN   ymm10, xmm5, 1
+            LXMMN   xmm5, %1, 1
+            %endmacro
+
 ;
 ; YMM7[128:191] for calling stack
 ; arg 1:Entry

IntelFsp2Pkg/IntelFsp2Pkg.dsc

@@ -46,9 +46,9 @@
   FspSecPlatformLib|IntelFsp2Pkg/Library/SecFspSecPlatformLibNull/SecFspSecPlatformLibNull.inf
   FspMultiPhaseLib|IntelFsp2Pkg/Library/BaseFspMultiPhaseLib/BaseFspMultiPhaseLib.inf
 
-[LibraryClasses.common.PEIM]
+[LibraryClasses.common.PEIM, LibraryClasses.common.SEC]
   PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf
-  PeiServicesTablePointerLib|MdePkg/Library/PeiServicesTablePointerLib/PeiServicesTablePointerLib.inf
+  PeiServicesTablePointerLib|MdePkg/Library/PeiServicesTablePointerLibIdt/PeiServicesTablePointerLibIdt.inf
   PeiServicesLib|MdePkg/Library/PeiServicesLib/PeiServicesLib.inf
   MemoryAllocationLib|MdePkg/Library/PeiMemoryAllocationLib/PeiMemoryAllocationLib.inf
   ExtractGuidedSectionLib|MdePkg/Library/PeiExtractGuidedSectionLib/PeiExtractGuidedSectionLib.inf

IntelFsp2Pkg/Library/BaseFspPlatformLib/FspPlatformMemory.c

@@ -6,6 +6,7 @@
 **/
 
 #include <PiPei.h>
+#include <Register/Intel/Msr.h>
 #include <Library/BaseLib.h>
 #include <Library/BaseMemoryLib.h>
 #include <Library/MemoryAllocationLib.h>
@@ -119,3 +120,40 @@ FspGetSystemMemorySize (
     Hob.Raw = GET_NEXT_HOB (Hob);
   }
 }
+
+/**
+  Calculate TemporaryRam Size using Base address.
+
+  @param[in]  TemporaryRamBase         the address of target memory
+  @param[out] TemporaryRamSize         the size of target memory
+**/
+VOID
+EFIAPI
+ReadTemporaryRamSize (
+  IN  UINT32  TemporaryRamBase,
+  OUT UINT32  *TemporaryRamSize
+  )
+{
+  MSR_IA32_MTRRCAP_REGISTER  Msr;
+  UINT32                     MsrNum;
+  UINT32                     MsrNumEnd;
+
+  if (TemporaryRamBase == 0) {
+    return;
+  }
+
+  *TemporaryRamSize = 0;
+  Msr.Uint64        = AsmReadMsr64 (MSR_IA32_MTRRCAP);
+  MsrNumEnd         = MSR_IA32_MTRR_PHYSBASE0 + (2 * (Msr.Bits.VCNT));
+
+  for (MsrNum = MSR_IA32_MTRR_PHYSBASE0; MsrNum < MsrNumEnd; MsrNum += 2) {
+    if ((AsmReadMsr64 (MsrNum+1) & BIT11) != 0 ) {
+      if (TemporaryRamBase == (AsmReadMsr64 (MsrNum) & 0xFFFFF000)) {
+        *TemporaryRamSize = (~(AsmReadMsr64 (MsrNum + 1) & 0xFFFFF000) + 1);
+        break;
+      }
+    }
+  }
+
+  return;
+}

IntelFsp2Pkg/Tools/GenCfgOpt.py

@@ -136,7 +136,7 @@ class CLogicalExpression:
         var = var.strip()
         if   re.match('^0x[a-fA-F0-9]+$', var):
             value = int(var, 16)
-        elif re.match('^[+-]?\d+$', var):
+        elif re.match(r'^[+-]?\d+$', var):
             value = int(var, 10)
         else:
             value = None
@@ -147,7 +147,7 @@ class CLogicalExpression:
         var = ''
         while not self.isLast():
             char = self.getCurr()
-            if re.match('^[\w.]', char):
+            if re.match(r'^[\w.]', char):
                 var += char
                 self.moveNext()
             else:
@@ -161,7 +161,7 @@ class CLogicalExpression:
 
     def parseSingleOp(self):
         self.skipSpace()
-        if re.match('^NOT\W', self.getCurr(-1)):
+        if re.match(r'^NOT\W', self.getCurr(-1)):
             self.moveNext(3)
             op  = self.parseBrace()
             val = self.getNumber (op)
@@ -225,7 +225,7 @@ class CLogicalExpression:
         value = self.parseCompare()
         while True:
             self.skipSpace()
-            if re.match('^AND\W', self.getCurr(-1)):
+            if re.match(r'^AND\W', self.getCurr(-1)):
                 self.moveNext(3)
                 result = self.parseCompare()
                 test = self.getNonNumber(result, value)
@@ -243,10 +243,10 @@ class CLogicalExpression:
         while True:
             self.skipSpace()
             op = None
-            if re.match('^XOR\W', self.getCurr(-1)):
+            if re.match(r'^XOR\W', self.getCurr(-1)):
                 self.moveNext(3)
                 op = '^'
-            elif re.match('^OR\W', self.getCurr(-1)):
+            elif re.match(r'^OR\W', self.getCurr(-1)):
                 self.moveNext(2)
                 op = '|'
             else:
@@ -330,11 +330,11 @@ EndList
                     continue
             if IsExpression:
                 IsExpression = False
-                Match = re.match("(\w+)=(.+)", Macro)
+                Match = re.match(r"(\w+)=(.+)", Macro)
                 if Match:
                     self._MacroDict[Match.group(1)] = Match.group(2)
                 else:
-                    Match = re.match("(\w+)", Macro)
+                    Match = re.match(r"(\w+)", Macro)
                     if Match:
                         self._MacroDict[Match.group(1)] = ''
         if len(self._MacroDict) == 0:
@@ -355,7 +355,7 @@ EndList
 
     def ExpandMacros (self, Input, Preserve = False):
         Line = Input
-        Match = re.findall("\$\(\w+\)", Input)
+        Match = re.findall(r"\$\(\w+\)", Input)
         if Match:
             for Each in Match:
               Variable = Each[2:-1]
@@ -370,7 +370,7 @@ EndList
 
     def ExpandPcds (self, Input):
         Line = Input
-        Match = re.findall("(\w+\.\w+)", Input)
+        Match = re.findall(r"(\w+\.\w+)", Input)
         if Match:
             for PcdName in Match:
               if PcdName in self._PcdsDict:
@@ -390,7 +390,7 @@ EndList
         return Result
 
     def ValueToByteArray (self, ValueStr, Length):
-        Match = re.match("\{\s*FILE:(.+)\}", ValueStr)
+        Match = re.match(r"\{\s*FILE:(.+)\}", ValueStr)
         if Match:
           FileList = Match.group(1).split(',')
           Result  = bytearray()
@@ -427,7 +427,7 @@ EndList
                     if Each[0] in ['"', "'"]:
                         Result.extend(list(bytearray(Each[1:-1], 'utf-8')))
                     elif ':' in Each:
-                        Match    = re.match("(.+):(\d+)b", Each)
+                        Match    = re.match(r"(.+):(\d+)b", Each)
                         if Match is None:
                             raise Exception("Invald value list format '%s' !" % Each)
                         InBitField = True
@@ -539,7 +539,7 @@ EndList
               continue
 
             Handle   = False
-            Match    = re.match("^\[(.+)\]", DscLine)
+            Match    = re.match(r"^\[(.+)\]", DscLine)
             if Match is not None:
                 IsDefSect = False
                 IsPcdSect = False
@@ -575,7 +575,7 @@ EndList
 
                     Match = False if DscLine[0] != '!' else True
                     if Match:
-                        Match = re.match("^!(else|endif|ifdef|ifndef|if|elseif|include)\s*(.+)?$", DscLine.split("#")[0])
+                        Match = re.match(r"^!(else|endif|ifdef|ifndef|if|elseif|include)\s*(.+)?$", DscLine.split("#")[0])
                     Keyword   = Match.group(1) if Match else ''
                     Remaining = Match.group(2) if Match else ''
                     Remaining = '' if Remaining is None else Remaining.strip()
@@ -620,7 +620,7 @@ EndList
                         else:
                             Handle = True
                         if Handle:
-                            Match = re.match("!include\s+(.+)", DscLine)
+                            Match = re.match(r"!include\s+(.+)", DscLine)
                             if Match:
                                 IncludeFilePath = Match.group(1)
                                 IncludeFilePath = self.ExpandMacros(IncludeFilePath)
@@ -660,7 +660,7 @@ EndList
                 #DEFINE FSP_T_UPD_TOOL_GUID = 34686CA3-34F9-4901-B82A-BA630F0714C6
                 #DEFINE FSP_M_UPD_TOOL_GUID = 39A250DB-E465-4DD1-A2AC-E2BD3C0E2385
                 #DEFINE FSP_S_UPD_TOOL_GUID = CAE3605B-5B34-4C85-B3D7-27D54273C40F
-                Match = re.match("^\s*(?:DEFINE\s+)*(\w+)\s*=\s*(.+)", DscLine)
+                Match = re.match(r"^\s*(?:DEFINE\s+)*(\w+)\s*=\s*(.+)", DscLine)
                 if Match:
                     self._MacroDict[Match.group(1)] = self.ExpandMacros(Match.group(2))
                     if self.Debug:
@@ -668,21 +668,21 @@ EndList
             elif IsPcdSect:
                 #gSiPkgTokenSpaceGuid.PcdTxtEnable|FALSE
                 #gSiPkgTokenSpaceGuid.PcdOverclockEnable|TRUE
-                Match = re.match("^\s*([\w\.]+)\s*\|\s*(\w+)", DscLine)
+                Match = re.match(r"^\s*([\w\.]+)\s*\|\s*(\w+)", DscLine)
                 if Match:
                     self._PcdsDict[Match.group(1)] = Match.group(2)
                     if self.Debug:
                         print ("INFO : PCD %s = [ %s ]" % (Match.group(1), Match.group(2)))
                     i = 0
                     while i < len(BuildOptionPcd):
-                        Match = re.match("\s*([\w\.]+)\s*\=\s*(\w+)", BuildOptionPcd[i])
+                        Match = re.match(r"\s*([\w\.]+)\s*\=\s*(\w+)", BuildOptionPcd[i])
                         if Match:
                             self._PcdsDict[Match.group(1)] = Match.group(2)
                         i += 1
 
             elif IsTmpSect:
                 # !BSF DEFT:{GPIO_TMPL:START}
-                Match = re.match("^\s*#\s+(!BSF)\s+DEFT:{(.+?):(START|END)}", DscLine)
+                Match = re.match(r"^\s*#\s+(!BSF)\s+DEFT:{(.+?):(START|END)}", DscLine)
                 if Match:
                     if Match.group(3) == 'START' and not TemplateName:
                         TemplateName = Match.group(2).strip()
@@ -691,33 +691,33 @@ EndList
                         TemplateName = ''
                 else:
                     if TemplateName:
-                        Match = re.match("^!include\s*(.+)?$", DscLine)
+                        Match = re.match(r"^!include\s*(.+)?$", DscLine)
                         if Match:
                             continue
                         self._BsfTempDict[TemplateName].append(DscLine)
 
             else:
-                Match = re.match("^\s*#\s+(!BSF|@Bsf|!HDR)\s+(.+)", DscLine)
+                Match = re.match(r"^\s*#\s+(!BSF|@Bsf|!HDR)\s+(.+)", DscLine)
                 if Match:
                     Remaining = Match.group(2)
                     if Match.group(1) == '!BSF' or Match.group(1) == '@Bsf':
-                        Match = re.match("(?:^|.+\s+)PAGES:{(.+?)}", Remaining)
+                        Match = re.match(r"(?:^|.+\s+)PAGES:{(.+?)}", Remaining)
                         if Match:
                             # !BSF PAGES:{HSW:"Haswell System Agent", LPT:"Lynx Point PCH"}
                             PageList = Match.group(1).split(',')
                             for Page in PageList:
                                 Page  = Page.strip()
-                                Match = re.match("(\w+):\"(.+)\"", Page)
+                                Match = re.match(r"(\w+):\"(.+)\"", Page)
                                 if Match != None:
                                     self._CfgPageDict[Match.group(1)] = Match.group(2)
 
-                        Match = re.match("(?:^|.+\s+)BLOCK:{NAME:\"(.+)\"\s*,\s*VER:\"(.+)\"\s*}", Remaining)
+                        Match = re.match(r"(?:^|.+\s+)BLOCK:{NAME:\"(.+)\"\s*,\s*VER:\"(.+)\"\s*}", Remaining)
                         if Match:
                             self._CfgBlkDict['name'] = Match.group(1)
                             self._CfgBlkDict['ver']  = Match.group(2)
 
                         for Key in self._BsfKeyList:
-                            Match = re.match("(?:^|.+\s+)%s:{(.+?)}" % Key, Remaining)
+                            Match = re.match(r"(?:^|.+\s+)%s:{(.+?)}" % Key, Remaining)
                             if Match:
                                 if Key in ['NAME', 'HELP', 'OPTION'] and Match.group(1).startswith('+'):
                                     ConfigDict[Key.lower()] += Match.group(1)[1:]
@@ -725,15 +725,15 @@ EndList
                                     ConfigDict[Key.lower()]  = Match.group(1)
                     else:
                         for Key in self._HdrKeyList:
-                            Match = re.match("(?:^|.+\s+)%s:{(.+?)}" % Key, Remaining)
+                            Match = re.match(r"(?:^|.+\s+)%s:{(.+?)}" % Key, Remaining)
                             if Match:
                                 ConfigDict[Key.lower()]  = Match.group(1)
 
-                Match = re.match("^\s*#\s+@Prompt\s+(.+)", DscLine)
+                Match = re.match(r"^\s*#\s+@Prompt\s+(.+)", DscLine)
                 if Match:
                     ConfigDict['name'] = Match.group(1)
 
-                Match = re.match("^\s*#\s*@ValidList\s*(.+)\s*\|\s*(.+)\s*\|\s*(.+)\s*", DscLine)
+                Match = re.match(r"^\s*#\s*@ValidList\s*(.+)\s*\|\s*(.+)\s*\|\s*(.+)\s*", DscLine)
                 if Match:
                     if Match.group(2).strip() in self._BuidinOption:
                         ConfigDict['option'] = Match.group(2).strip()
@@ -749,22 +749,22 @@ EndList
                                  ConfigDict['option'] += ', '
                     ConfigDict['type'] = "Combo"
 
-                Match = re.match("^\s*#\s*@ValidRange\s*(.+)\s*\|\s*(.+)\s*-\s*(.+)\s*", DscLine)
+                Match = re.match(r"^\s*#\s*@ValidRange\s*(.+)\s*\|\s*(.+)\s*-\s*(.+)\s*", DscLine)
                 if Match:
                     if "0x" in Match.group(2) or "0x" in Match.group(3):
                         ConfigDict['type'] = "EditNum, HEX, (%s,%s)" % (Match.group(2), Match.group(3))
                     else:
                         ConfigDict['type'] = "EditNum, DEC, (%s,%s)" % (Match.group(2), Match.group(3))
 
-                Match = re.match("^\s*##\s+(.+)", DscLine)
+                Match = re.match(r"^\s*##\s+(.+)", DscLine)
                 if Match:
                     ConfigDict['help'] = Match.group(1)
 
                 # Check VPD/UPD
                 if IsUpdSect:
-                    Match = re.match("^([_a-zA-Z0-9]+).([_a-zA-Z0-9]+)\s*\|\s*(0x[0-9A-F]+|\*)\s*\|\s*(\d+|0x[0-9a-fA-F]+)\s*\|\s*(.+)",DscLine)
+                    Match = re.match(r"^([_a-zA-Z0-9]+).([_a-zA-Z0-9]+)\s*\|\s*(0x[0-9A-F]+|\*)\s*\|\s*(\d+|0x[0-9a-fA-F]+)\s*\|\s*(.+)",DscLine)
                 else:
-                    Match = re.match("^([_a-zA-Z0-9]+).([_a-zA-Z0-9]+)\s*\|\s*(0x[0-9A-F]+)(?:\s*\|\s*(.+))?",  DscLine)
+                    Match = re.match(r"^([_a-zA-Z0-9]+).([_a-zA-Z0-9]+)\s*\|\s*(0x[0-9A-F]+)(?:\s*\|\s*(.+))?",  DscLine)
                 if Match:
                     ConfigDict['space']  = Match.group(1)
                     ConfigDict['cname']  = Match.group(2)
@@ -796,13 +796,13 @@ EndList
                             Value = ''
                         Value = Value.strip()
                         if '|' in Value:
-                            Match = re.match("^.+\s*\|\s*(.+)", Value)
+                            Match = re.match(r"^.+\s*\|\s*(.+)", Value)
                             if Match:
                                 Value = Match.group(1)
                         Length = -1
 
                     ConfigDict['length'] = Length
-                    Match = re.match("\$\((\w+)\)", Value)
+                    Match = re.match(r"\$\((\w+)\)", Value)
                     if Match:
                         if Match.group(1) in self._MacroDict:
                             Value = self._MacroDict[Match.group(1)]
@@ -879,7 +879,7 @@ EndList
                     # !BSF FIELD:{SerialDebugPortAddress0:1}
                     # or
                     # @Bsf FIELD:{SerialDebugPortAddress0:1b}
-                    Match = re.match("^\s*#\s+(!BSF|@Bsf)\s+FIELD:{(.+):(\d+)([Bb])?}", DscLine)
+                    Match = re.match(r"^\s*#\s+(!BSF|@Bsf)\s+FIELD:{(.+):(\d+)([Bb])?}", DscLine)
                     if Match:
                         SubCfgDict = ConfigDict.copy()
                         if (Match.group(4) == None) or (Match.group(4) == 'B'):
@@ -1023,7 +1023,7 @@ EndList
             self._VarDict['_LENGTH_'] = '%d' % (Item['offset'] + Item['length'])
         for Item in self._CfgItemList:
             Embed = Item['embed']
-            Match = re.match("^(\w+):(\w+):(START|END)", Embed)
+            Match = re.match(r"^(\w+):(\w+):(START|END)", Embed)
             if Match:
                 StructName = Match.group(1)
                 VarName = '_%s_%s_' % (Match.group(3), StructName)
@@ -1215,7 +1215,7 @@ EndList
         IsUpdHeader = False
         for Line in TextBody:
            SplitToLines = Line.splitlines()
-           MatchComment = re.match("^/\*\sCOMMENT:(\w+):([\w|\W|\s]+)\s\*/\s([\s\S]*)", SplitToLines[0])
+           MatchComment = re.match(r"^/\*\sCOMMENT:(\w+):([\w|\W|\s]+)\s\*/\s([\s\S]*)", SplitToLines[0])
            if MatchComment:
               if MatchComment.group(1) == 'FSP_UPD_HEADER':
                   IsUpdHeader = True
@@ -1226,7 +1226,7 @@ EndList
                 NewTextBody.append("/**" + CommentLine + "**/\n")
               Line = Line[(len(SplitToLines[0]) + 1):]
 
-           Match = re.match("^/\*\sEMBED_STRUCT:(\w+):(\w+):(START|END)\s\*/\s([\s\S]*)", Line)
+           Match = re.match(r"^/\*\sEMBED_STRUCT:(\w+):(\w+):(START|END)\s\*/\s([\s\S]*)", Line)
            if Match:
                Line = Match.group(4)
                if Match.group(1) == 'FSP_UPD_HEADER':
@@ -1239,7 +1239,7 @@ EndList
                    NewTextBody.append ('typedef struct {\n')
                StructName   = Match.group(1)
                VariableName = Match.group(2)
-               MatchOffset = re.search('/\*\*\sOffset\s0x([a-fA-F0-9]+)', Line)
+               MatchOffset = re.search(r'/\*\*\sOffset\s0x([a-fA-F0-9]+)', Line)
                if MatchOffset:
                    Offset = int(MatchOffset.group(1), 16)
                else:
@@ -1318,12 +1318,12 @@ EndList
                 CommentLine = ""
                 for Item in self._CfgItemList:
                     if Item["comment"] != '' and Item["offset"] >= UpdOffsetTable[UpdIdx]:
-                        MatchComment = re.match("^(U|V)PD_DATA_REGION:([\w|\W|\s]+)", Item["comment"])
+                        MatchComment = re.match(r"^(U|V)PD_DATA_REGION:([\w|\W|\s]+)", Item["comment"])
                         if MatchComment and MatchComment.group(1) == Region[0]:
                             CommentLine = " " + MatchComment.group(2) + "\n"
                             TxtBody.append("/**" + CommentLine + "**/\n")
                     elif Item["offset"] >= UpdOffsetTable[UpdIdx] and Item["comment"] == '':
-                        Match = re.match("^FSP([\w|\W|\s])_UPD", UpdStructure[UpdIdx])
+                        Match = re.match(r"^FSP([\w|\W|\s])_UPD", UpdStructure[UpdIdx])
                         if Match:
                             TxtBody.append("/** Fsp " + Match.group(1) + " UPD Configuration\n**/\n")
                 TxtBody.append("typedef struct {\n")
@@ -1441,7 +1441,7 @@ EndList
 
             Export = False
             for Line in IncLines:
-                Match = re.search ("!EXPORT\s+([A-Z]+)\s+EXTERNAL_BOOTLOADER_STRUCT_(BEGIN|END)\s+", Line)
+                Match = re.search (r"!EXPORT\s+([A-Z]+)\s+EXTERNAL_BOOTLOADER_STRUCT_(BEGIN|END)\s+", Line)
                 if Match:
                     if Match.group(2) == "BEGIN" and Match.group(1) == UpdRegionCheck[item]:
                         Export = True
@@ -1464,7 +1464,7 @@ EndList
                 Match = re.match("(typedef struct {)", Line)
                 if Match:
                     StartIndex = Index - 1
-                Match = re.match("}\s([_A-Z0-9]+);", Line)
+                Match = re.match(r"}\s([_A-Z0-9]+);", Line)
                 if Match and (UpdRegionCheck[item] in Match.group(1) or UpdConfigCheck[item] in Match.group(1)) and (ExcludedSpecificUpd[item] not in Match.group(1)) and (ExcludedSpecificUpd1[item] not in Match.group(1)):
                     EndIndex = Index
                     StructStart.append(StartIndex)
@@ -1474,7 +1474,7 @@ EndList
                 Index += 1
                 for Item in range(len(StructStart)):
                     if Index == StructStart[Item]:
-                        Match = re.match("^(/\*\*\s*)", Line)
+                        Match = re.match(r"^(/\*\*\s*)", Line)
                         if Match:
                             StructStartWithComment.append(StructStart[Item])
                         else:
@@ -1510,7 +1510,7 @@ EndList
                 Match = re.match("(typedef struct {)", Line)
                 if Match:
                     StartIndex = Index - 1
-                Match = re.match("#define\s([_A-Z0-9]+)\s*", Line)
+                Match = re.match(r"#define\s([_A-Z0-9]+)\s*", Line)
                 if Match and (UpdSignatureCheck[item] in Match.group(1) or UpdSignatureCheck[item] in Match.group(1)):
                     StructStart.append(Index - 1)
                     StructEnd.append(Index)
@@ -1519,7 +1519,7 @@ EndList
                 Index += 1
                 for Item in range(len(StructStart)):
                     if Index == StructStart[Item]:
-                        Match = re.match("^(/\*\*\s*)", Line)
+                        Match = re.match(r"^(/\*\*\s*)", Line)
                         if Match:
                             StructStartWithComment.append(StructStart[Item])
                         else:
@@ -1543,7 +1543,7 @@ EndList
         else:
             Space = Item['space']
         Line = "    $%s_%s" % (Space, Item['cname'])
-        Match = re.match("\s*\{([x0-9a-fA-F,\s]+)\}\s*", Item['value'])
+        Match = re.match(r"\s*\{([x0-9a-fA-F,\s]+)\}\s*", Item['value'])
         if Match:
             DefaultValue = Match.group(1).strip()
         else:
@@ -1576,7 +1576,7 @@ EndList
             BsfFd.write('    %s $%s, "%s", &%s,\n' % (Item['type'], PcdName, Item['name'], Options))
             WriteHelp = 1
         elif Item['type'].startswith("EditNum"):
-            Match = re.match("EditNum\s*,\s*(HEX|DEC)\s*,\s*\((\d+|0x[0-9A-Fa-f]+)\s*,\s*(\d+|0x[0-9A-Fa-f]+)\)", Item['type'])
+            Match = re.match(r"EditNum\s*,\s*(HEX|DEC)\s*,\s*\((\d+|0x[0-9A-Fa-f]+)\s*,\s*(\d+|0x[0-9A-Fa-f]+)\)", Item['type'])
             if Match:
                 BsfFd.write('    EditNum $%s, "%s", %s,\n' % (PcdName, Item['name'], Match.group(1)))
                 WriteHelp = 2

IntelFsp2Pkg/Tools/PatchFv.py

@@ -143,7 +143,7 @@ class Symbols:
         fdIn.close()
         fvInfo['Base'] = 0
         for rptLine in rptLines:
-            match = re.match("^EFI_BASE_ADDRESS\s*=\s*(0x[a-fA-F0-9]+)", rptLine)
+            match = re.match(r"^EFI_BASE_ADDRESS\s*=\s*(0x[a-fA-F0-9]+)", rptLine)
             if match:
                 fvInfo['Base'] = int(match.group(1), 16)
                 break
@@ -312,7 +312,7 @@ class Symbols:
         self.fdBase = 0xFFFFFFFF
         while (rptLine != "" ):
             #EFI_BASE_ADDRESS = 0xFFFDF400
-            match = re.match("^EFI_BASE_ADDRESS\s*=\s*(0x[a-fA-F0-9]+)", rptLine)
+            match = re.match(r"^EFI_BASE_ADDRESS\s*=\s*(0x[a-fA-F0-9]+)", rptLine)
             if match is not None:
                 self.fdBase = int(match.group(1), 16) - fvOffset
                 break
@@ -340,7 +340,7 @@ class Symbols:
         fdIn     = open(fvTxtFile, "r")
         rptLine  = fdIn.readline()
         while (rptLine != "" ):
-            match = re.match("(0x[a-fA-F0-9]+)\s([0-9a-fA-F\-]+)", rptLine)
+            match = re.match(r"(0x[a-fA-F0-9]+)\s([0-9a-fA-F\-]+)", rptLine)
             if match is not None:
                 if match.group(2) in self.dictFfsOffset:
                     self.dictFfsOffset[fvName + ':' + match.group(2)] = "0x%08X" % (int(match.group(1), 16) + fvOffset)
@@ -374,10 +374,10 @@ class Symbols:
         while (rptLine != "" ):
             if rptLine[0] != ' ':
                 #DxeIpl (Fixed Flash Address, BaseAddress=0x00fffb4310, EntryPoint=0x00fffb4958,Type=PE)
-                match = re.match("([_a-zA-Z0-9\-]+)\s\(.+BaseAddress=(0x[0-9a-fA-F]+),\s+EntryPoint=(0x[0-9a-fA-F]+),\s*Type=\w+\)", rptLine)
+                match = re.match(r"([_a-zA-Z0-9\-]+)\s\(.+BaseAddress=(0x[0-9a-fA-F]+),\s+EntryPoint=(0x[0-9a-fA-F]+),\s*Type=\w+\)", rptLine)
                 if match is None:
                     #DxeIpl (Fixed Flash Address, BaseAddress=0x00fffb4310, EntryPoint=0x00fffb4958)
-                    match = re.match("([_a-zA-Z0-9\-]+)\s\(.+BaseAddress=(0x[0-9a-fA-F]+),\s+EntryPoint=(0x[0-9a-fA-F]+)\)", rptLine)
+                    match = re.match(r"([_a-zA-Z0-9\-]+)\s\(.+BaseAddress=(0x[0-9a-fA-F]+),\s+EntryPoint=(0x[0-9a-fA-F]+)\)", rptLine)
                 if match is not None:
                     foundModHdr = True
                     modName = match.group(1)
@@ -386,7 +386,7 @@ class Symbols:
                     self.dictModBase['%s:BASE'  % modName] = int (match.group(2), 16)
                     self.dictModBase['%s:ENTRY' % modName] = int (match.group(3), 16)
                 #(GUID=86D70125-BAA3-4296-A62F-602BEBBB9081 .textbaseaddress=0x00fffb4398 .databaseaddress=0x00fffb4178)
-                match = re.match("\(GUID=([A-Z0-9\-]+)\s+\.textbaseaddress=(0x[0-9a-fA-F]+)\s+\.databaseaddress=(0x[0-9a-fA-F]+)\)", rptLine)
+                match = re.match(r"\(GUID=([A-Z0-9\-]+)\s+\.textbaseaddress=(0x[0-9a-fA-F]+)\s+\.databaseaddress=(0x[0-9a-fA-F]+)\)", rptLine)
                 if match is not None:
                     if foundModHdr:
                         foundModHdr = False
@@ -399,7 +399,7 @@ class Symbols:
             else:
                 #   0x00fff8016c    __ModuleEntryPoint
                 foundModHdr = False
-                match = re.match("^\s+(0x[a-z0-9]+)\s+([_a-zA-Z0-9]+)", rptLine)
+                match = re.match(r"^\s+(0x[a-z0-9]+)\s+([_a-zA-Z0-9]+)", rptLine)
                 if match is not None:
                     self.dictSymbolAddress["%s:%s"%(modName, match.group(2))] = match.group(1)
             rptLine  = fdIn.readline()
@@ -432,14 +432,14 @@ class Symbols:
         if reportLine.strip().find("Archive member included") != -1:
             #GCC
             #                0x0000000000001d55                IoRead8
-            patchMapFileMatchString = "\s+(0x[0-9a-fA-F]{16})\s+([^\s][^0x][_a-zA-Z0-9\-]+)\s"
+            patchMapFileMatchString = r"\s+(0x[0-9a-fA-F]{8,16})\s+([^\s][^0x][_a-zA-Z0-9\-]+)\s"
             matchKeyGroupIndex = 2
             matchSymbolGroupIndex  = 1
             prefix = '_'
         else:
             #MSFT
             #0003:00000190       _gComBase                  00007a50     SerialPo
-            patchMapFileMatchString =  "^\s[0-9a-fA-F]{4}:[0-9a-fA-F]{8}\s+(\w+)\s+([0-9a-fA-F]{8,16}\s+)"
+            patchMapFileMatchString =  r"^\s[0-9a-fA-F]{4}:[0-9a-fA-F]{8}\s+(\w+)\s+([0-9a-fA-F]{8,16}\s+)"
             matchKeyGroupIndex = 1
             matchSymbolGroupIndex  = 2
             prefix = ''
@@ -458,11 +458,11 @@ class Symbols:
                 if handleNext:
                     handleNext = False
                     pcdName = match.group(1)
-                    match   = re.match("\s+(0x[0-9a-fA-F]{16})\s+", reportLine)
+                    match   = re.match(r"\s+(0x[0-9a-fA-F]{16})\s+", reportLine)
                     if match is not None:
                         modSymbols[prefix + pcdName] = match.group(1)
                 else:
-                    match = re.match("^\s\.data\.(_gPcd_BinaryPatch[_a-zA-Z0-9\-]+)", reportLine)
+                    match = re.match(r"^\s\.data\.(_gPcd_BinaryPatch[_a-zA-Z0-9\-]+)", reportLine)
                     if match is not None:
                         handleNext = True
                         continue
@@ -507,7 +507,7 @@ class Symbols:
         fdIn     = open(xrefFile, "r")
         rptLine  = fdIn.readline()
         while (rptLine != "" ):
-            match = re.match("([0-9a-fA-F\-]+)\s([_a-zA-Z0-9]+)", rptLine)
+            match = re.match(r"([0-9a-fA-F\-]+)\s([_a-zA-Z0-9]+)", rptLine)
             if match is not None:
                 self.dictGuidNameXref[match.group(1).upper()] = match.group(2)
             rptLine  = fdIn.readline()

IntelFsp2WrapperPkg/FspmWrapperPeim/FspmWrapperPeim.c

@@ -197,12 +197,20 @@ FspmWrapperInit (
 
   MeasurementExcludedFvPpi = AllocatePool (sizeof (*MeasurementExcludedFvPpi));
   ASSERT (MeasurementExcludedFvPpi != NULL);
+  if (MeasurementExcludedFvPpi == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
   MeasurementExcludedFvPpi->Count          = 1;
   MeasurementExcludedFvPpi->Fv[0].FvBase   = PcdGet32 (PcdFspmBaseAddress);
   MeasurementExcludedFvPpi->Fv[0].FvLength = ((EFI_FIRMWARE_VOLUME_HEADER *)(UINTN)PcdGet32 (PcdFspmBaseAddress))->FvLength;
 
   MeasurementExcludedPpiList = AllocatePool (sizeof (*MeasurementExcludedPpiList));
   ASSERT (MeasurementExcludedPpiList != NULL);
+  if (MeasurementExcludedPpiList == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
   MeasurementExcludedPpiList->Flags = EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST;
   MeasurementExcludedPpiList->Guid  = &gEfiPeiFirmwareVolumeInfoMeasurementExcludedPpiGuid;
   MeasurementExcludedPpiList->Ppi   = MeasurementExcludedFvPpi;

IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/FspMeasurementLib.c

@@ -197,6 +197,10 @@ MeasureFspFirmwareBlobWithCfg (
              (UINTN)sizeof (DigestList),
              EDKII_TCG_PRE_HASH_LOG_ONLY
              );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "TpmMeasureAndLogDataWithFlags failed - %r\n", Status));
+    return Status;
+  }
 
   Status = TpmMeasureAndLogData (
              1,

IntelFsp2WrapperPkg/Library/SecFspWrapperPlatformSecLibSample/SecRamInitData.c

@@ -34,8 +34,11 @@ GLOBAL_REMOVE_IF_UNREFERENCED CONST FSPT_UPD_CORE_DATA  FsptUpdDataPtr = {
     // UPD header revision must be equal or greater than 2 when the structure is compliant with FSP spec 2.2.
     //
     0x02,
-    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    {
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00
+    }
   },
   //
   // If FSP spec version < 2.2, remove FSPT_ARCH_UPD structure.
@@ -43,14 +46,15 @@ GLOBAL_REMOVE_IF_UNREFERENCED CONST FSPT_UPD_CORE_DATA  FsptUpdDataPtr = {
   // Else, use FSPT_ARCH2_UPD structure.
   //
   {
-    0x02,
+    0x03,
     {
       0x00, 0x00, 0x00
     },
     0x00000020,
     0x00000000,
+    0x00000000,
     {
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
       0x00, 0x00, 0x00, 0x00, 0x00, 0x00
     }
   },

Maintainers.txt

@@ -151,7 +151,6 @@ ArmVirtPkg
 F: ArmVirtPkg/
 W: https://github.com/tianocore/tianocore.github.io/wiki/ArmVirtPkg
 M: Ard Biesheuvel <ardb+tianocore@kernel.org> [ardbiesheuvel]
-M: Laszlo Ersek <lersek@redhat.com> [lersek]
 R: Leif Lindholm <quic_llindhol@quicinc.com> [leiflindholm]
 R: Sami Mujawar <sami.mujawar@arm.com> [samimujawar]
 R: Gerd Hoffmann <kraxel@redhat.com> [kraxel]
@@ -418,6 +417,11 @@ M: Abner Chang <abner.chang@amd.com> [changab]
 R: Abdul Lateef Attar <AbdulLateef.Attar@amd.com> [abdattar]
 R: Nickle Wang <nicklew@nvidia.com> [nicklela]
 
+MdeModulePkg: SPI driver stack
+F: MdeModulePkg/Bus/Spi/
+M: Abner Chang <abner.chang@amd.com> [changab]
+R: Brit Chesley <brit.chesley@amd.com> [BritChesley]
+
 MdePkg
 F: MdePkg/
 W: https://github.com/tianocore/tianocore.github.io/wiki/MdePkg
@@ -451,6 +455,12 @@ M: Abner Chang <abner.chang@amd.com> [changab]
 R: Abdul Lateef Attar <AbdulLateef.Attar@amd.com> [abdattar]
 R: Nickle Wang <nicklew@nvidia.com> [nicklela]
 
+MdePkg: SPI related C header files
+F: MdePkg/Include/Protocol/Spi*.h
+F: MdePkg/Include/IndustryStandard/SpiNorFlashJedecSfdp.h
+M: Abner Chang <abner.chang@amd.com> [changab]
+R: Brit Chesley <brit.chesley@amd.com> [BritChesley]
+
 NetworkPkg
 F: NetworkPkg/
 W: https://github.com/tianocore/tianocore.github.io/wiki/NetworkPkg
@@ -462,7 +472,6 @@ F: OvmfPkg/
 W: http://www.tianocore.org/ovmf/
 M: Ard Biesheuvel <ardb+tianocore@kernel.org> [ardbiesheuvel]
 M: Jiewen Yao <jiewen.yao@intel.com> [jyao1]
-M: Laszlo Ersek <lersek@redhat.com> [lersek]
 R: Gerd Hoffmann <kraxel@redhat.com> [kraxel]
 S: Maintained
 
@@ -558,7 +567,7 @@ F: OvmfPkg/XenIoPvhDxe/
 F: OvmfPkg/XenPlatformPei/
 F: OvmfPkg/XenPvBlkDxe/
 F: OvmfPkg/XenResetVector/
-R: Anthony Perard <anthony.perard@citrix.com> [tperard]
+R: Anthony Perard <anthony@xenproject.org> [tperard]
 
 OvmfPkg: RISC-V Qemu Virt Platform
 F: OvmfPkg/RiscVVirt
@@ -617,14 +626,15 @@ F: StandaloneMmPkg/
 M: Ard Biesheuvel <ardb+tianocore@kernel.org> [ardbiesheuvel]
 M: Sami Mujawar <sami.mujawar@arm.com> [samimujawar]
 M: Ray Ni <ray.ni@intel.com> [niruiyu]
+R: Jiaxin Wu <jiaxin.wu@intel.com> [jiaxinwu]
 
 UefiCpuPkg
 F: UefiCpuPkg/
 W: https://github.com/tianocore/tianocore.github.io/wiki/UefiCpuPkg
 M: Ray Ni <ray.ni@intel.com> [niruiyu]
-M: Laszlo Ersek <lersek@redhat.com> [lersek]
 R: Rahul Kumar <rahul1.kumar@intel.com> [rahul1-kumar]
 R: Gerd Hoffmann <kraxel@redhat.com> [kraxel]
+R: Jiaxin Wu <jiaxin.wu@intel.com> [jiaxinwu]
 
 UefiCpuPkg: Sec related modules
 F: UefiCpuPkg/SecCore/

MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBus.c

@@ -1483,7 +1483,9 @@ AtaDiskInfoWhichIde (
   function shall return EFI_DEVICE_ERROR.
 
   @param  This                         Indicates a pointer to the calling context.
-  @param  MediaId                      ID of the medium to receive data from.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
   @param  Timeout                      The timeout, in 100ns units, to use for the execution
                                        of the security protocol command. A Timeout value of 0
                                        means that this function will wait indefinitely for the
@@ -1600,7 +1602,9 @@ AtaStorageSecurityReceiveData (
   shall return EFI_DEVICE_ERROR.
 
   @param  This                         Indicates a pointer to the calling context.
-  @param  MediaId                      ID of the medium to receive data from.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
   @param  Timeout                      The timeout, in 100ns units, to use for the execution
                                        of the security protocol command. A Timeout value of 0
                                        means that this function will wait indefinitely for the

MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBus.h

@@ -927,7 +927,9 @@ AtaDiskInfoWhichIde (
   function shall return EFI_DEVICE_ERROR.
 
   @param  This                         Indicates a pointer to the calling context.
-  @param  MediaId                      ID of the medium to receive data from.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
   @param  Timeout                      The timeout, in 100ns units, to use for the execution
                                        of the security protocol command. A Timeout value of 0
                                        means that this function will wait indefinitely for the
@@ -1007,7 +1009,9 @@ AtaStorageSecurityReceiveData (
   shall return EFI_DEVICE_ERROR.
 
   @param  This                         Indicates a pointer to the calling context.
-  @param  MediaId                      ID of the medium to receive data from.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
   @param  Timeout                      The timeout, in 100ns units, to use for the execution
                                        of the security protocol command. A Timeout value of 0
                                        means that this function will wait indefinitely for the

MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c

@@ -258,7 +258,8 @@ KeyboardEfiReset (
   @param This    Pointer to instance of EFI_SIMPLE_TEXT_INPUT_PROTOCOL
   @param Key     The output buffer for key value
 
-  @retval EFI_SUCCESS success to read key stroke
+  @retval EFI_SUCCESS      success to read key stroke
+  @retval EFI_UNSUPPORTED  The device does not support the ability to read keystroke data.
 **/
 EFI_STATUS
 EFIAPI
@@ -433,6 +434,7 @@ KeyboardEfiResetEx (
     @retval EFI_DEVICE_ERROR      The keystroke information was not returned due to
                                   hardware errors.
     @retval EFI_INVALID_PARAMETER KeyData is NULL.
+    @retval EFI_UNSUPPORTED       The device does not support the ability to read keystroke data.
 
 **/
 EFI_STATUS

MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2Keyboard.h

@@ -338,6 +338,7 @@ KeyboardEfiReset (
   @param Key     The output buffer for key value
 
   @retval EFI_SUCCESS success to read key stroke
+  @retval EFI_UNSUPPORTED  The device does not support the ability to read keystroke data.
 **/
 EFI_STATUS
 EFIAPI
@@ -441,6 +442,8 @@ KeyboardEfiResetEx (
     @retval EFI_DEVICE_ERROR      - The keystroke information was not returned due to
                             hardware errors.
     @retval EFI_INVALID_PARAMETER - KeyData is NULL.
+    @retval EFI_UNSUPPORTED       - The device does not support the ability to read
+                            keystroke data.
 
 **/
 EFI_STATUS

MdeModulePkg/Bus/Pci/NvmExpressDxe/NvmExpressBlockIo.c

@@ -1699,7 +1699,9 @@ TrustTransferNvmeDevice (
   function shall return EFI_DEVICE_ERROR.
 
   @param  This                         Indicates a pointer to the calling context.
-  @param  MediaId                      ID of the medium to receive data from.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
   @param  Timeout                      The timeout, in 100ns units, to use for the execution
                                        of the security protocol command. A Timeout value of 0
                                        means that this function will wait indefinitely for the
@@ -1812,7 +1814,9 @@ NvmeStorageSecurityReceiveData (
   shall return EFI_DEVICE_ERROR.
 
   @param  This                         Indicates a pointer to the calling context.
-  @param  MediaId                      ID of the medium to receive data from.
+  @param  MediaId                      ID of the medium to receive data from. If there is no
+                                       block IO protocol supported by the physical device, the
+                                       value of MediaId is undefined.
   @param  Timeout                      The timeout, in 100ns units, to use for the execution
                                        of the security protocol command. A Timeout value of 0
                                        means that this function will wait indefinitely for the