ovmf: update 202502 -> 202508

Remove backports.

(From OE-Core rev: 172587a0288cde8137c836147d261fd50072ff05)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

11 files changed, 43 insertions, 438 deletions

diff --git a/meta/recipes-core/ovmf/ovmf/0001-SecurityPkg-Don-t-define-bool-type-if-building-in-C2.patch b/meta/recipes-core/ovmf/ovmf/0001-SecurityPkg-Don-t-define-bool-type-if-building-in-C2.patch
deleted file mode 100644
index a555070ca5..0000000000
--- a/meta/recipes-core/ovmf/ovmf/0001-SecurityPkg-Don-t-define-bool-type-if-building-in-C2.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 772fa11ac82579a8f6fa171e6b835f68af3f64be Mon Sep 17 00:00:00 2001
-From: Rebecca Cran <rebecca@bsdio.com>
-Date: Mon, 26 May 2025 08:01:39 -0600
-Subject: [PATCH] SecurityPkg: Don't define bool type if building in C23 mode
-
-In C23 bool is a built-in type, so it's not necessary to typedef
-bool in LibspdmStdBoolAlt.h.
-
-Signed-off-by: Rebecca Cran <rebecca@bsdio.com>
-
-Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/772fa11ac82579a8f6fa171e6b835f68af3f64be]
-
-Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
----
- .../DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h     | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/SecurityPkg/DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h b/SecurityPkg/DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h
-index 08af7296d0..395ef22d43 100644
---- a/SecurityPkg/DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h
-+++ b/SecurityPkg/DeviceSecurity/SpdmLib/Include/hal/LibspdmStdBoolAlt.h
-@@ -10,7 +10,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
- #ifndef LIBSPDM_STDBOOL_ALT_H

- #define LIBSPDM_STDBOOL_ALT_H

- 

-+// In C23, bool is a built-in type

-+#if __STDC_VERSION__ < 202311L

- typedef BOOLEAN bool;

-+#endif

- 

- #ifndef true

- #define true  TRUE

--- 
-2.34.1
-
diff --git a/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch b/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch
index cee5042846..890e586210 100644
--- a/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch
+++ b/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch
@@ -1,7 +1,7 @@
-From 61583b59620946683551f43c6110e656604a252f Mon Sep 17 00:00:00 2001
+From 0f859c6de2914cd984f8a0dd61471b91a2371bfa Mon Sep 17 00:00:00 2001
 From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
 Date: Thu, 9 Jun 2016 02:23:01 -0700
-Subject: [PATCH 1/4] ovmf: update path to native BaseTools
+Subject: [PATCH] ovmf: update path to native BaseTools
 
 BaseTools is a set of utilities to build EDK-based firmware. These utilities
 are used during the build process. Thus, they need to be built natively.
@@ -28,6 +28,3 @@ index 279f0d099a..285f061bf4 100755
    echo $EDK_TOOLS_PATH
    source edksetup.sh BaseTools
  else
--- 
-2.39.5
-
diff --git a/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch b/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
index 11d97c739a..4a55528571 100644
--- a/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
+++ b/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch
@@ -1,7 +1,7 @@
-From aacbf7c91732b9959e569e90844cf9de078b2f14 Mon Sep 17 00:00:00 2001
+From 9dbd082516fdd7100f99f0f389b8eef5ececab19 Mon Sep 17 00:00:00 2001
 From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
 Date: Fri, 26 Jul 2019 17:34:26 -0400
-Subject: [PATCH 2/4] BaseTools: makefile: adjust to build in under bitbake
+Subject: [PATCH] BaseTools: makefile: adjust to build in under bitbake
 
 Prepend the build flags with those of bitbake. This is to build
 using the bitbake native sysroot include and library directories.
@@ -18,10 +18,10 @@ Upstream-Status: Inappropriate [needs to be converted to in-recipe fixups]
  1 file changed, 7 insertions(+), 8 deletions(-)
 
 diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
-index d369908a09..22c670f316 100644
+index 55a7307a5e..e36e6a8f04 100644
 --- a/BaseTools/Source/C/Makefiles/header.makefile
 +++ b/BaseTools/Source/C/Makefiles/header.makefile
-@@ -85,35 +85,34 @@ endif
+@@ -154,35 +154,34 @@ endif
  

  INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT) -I $(MAKEROOT)/Include/Common -I $(MAKEROOT)/Include/ -I $(MAKEROOT)/Include/IndustryStandard -I $(MAKEROOT)/Common/ -I .. -I . $(ARCH_INCLUDE)

  INCLUDE += -I $(EDK2_PATH)/MdePkg/Include

@@ -64,6 +64,3 @@ index d369908a09..22c670f316 100644
  ifeq ($(HOST_ARCH), IA32)

  #

  # Snow Leopard  is a 32-bit and 64-bit environment. uname -m returns i386, but gcc defaults

--- 
-2.39.5
-
diff --git a/meta/recipes-core/ovmf/ovmf/0003-debug-prefix-map.patch b/meta/recipes-core/ovmf/ovmf/0003-debug-prefix-map.patch
index 4a20548c61..1e79c23ae9 100644
--- a/meta/recipes-core/ovmf/ovmf/0003-debug-prefix-map.patch
+++ b/meta/recipes-core/ovmf/ovmf/0003-debug-prefix-map.patch
@@ -1,7 +1,7 @@
-From 96fa2a7f2f54f1e6330275b5eba07e1efdbd865b Mon Sep 17 00:00:00 2001
+From eb6db21ed0a845dce149d17acf8673d5188adea4 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Mon, 14 Jun 2021 19:56:28 +0200
-Subject: [PATCH 3/4] debug prefix map
+Subject: [PATCH] debug prefix map
 
 We want to pass ${DEBUG_PREFIX_MAP} to gcc commands and also pass in
  --debug-prefix-map to nasm (we carry a patch to nasm for this). The
@@ -21,9 +21,11 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  BaseTools/Conf/tools_def.template | 18 +++++++++---------
  1 file changed, 9 insertions(+), 9 deletions(-)
 
+diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
+index 0caa1c9001..dd86b3249d 100755
 --- a/BaseTools/Conf/tools_def.template
 +++ b/BaseTools/Conf/tools_def.template
-@@ -920,7 +920,7 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG     = --a
+@@ -920,7 +920,7 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG     = --add-gnu-debuglink="$(DEBUG_DIR)/$(MODULE_
  *_*_*_DTC_PATH                     = DEF(DTC_BIN)

  

  # All supported GCC archs except LOONGARCH64 support -mstack-protector-guard=global, so set that on everything except LOONGARCH64

@@ -32,18 +34,18 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  DEFINE GCC_IA32_X64_CC_FLAGS       = -mstack-protector-guard=global

  DEFINE GCC_ARM_CC_FLAGS            = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -fno-pic -fno-pie -mstack-protector-guard=global

  DEFINE GCC_LOONGARCH64_CC_FLAGS    = DEF(GCC_ALL_CC_FLAGS) -mabi=lp64d -fno-asynchronous-unwind-tables -Wno-address -fno-short-enums -fsigned-char -ffunction-sections -fdata-sections

-@@ -941,8 +941,8 @@ DEFINE GCC_ARM_ASLDLINK_FLAGS      = DEF
+@@ -938,8 +938,8 @@ DEFINE GCC_ARM_AARCH64_ASLDLINK_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0 DEF(GC
+ DEFINE GCC_ARM_ASLDLINK_FLAGS      = DEF(GCC_ARM_DLINK_FLAGS) -Wl,--entry,ReferenceAcpiTable -u $(IMAGE_ENTRY_POINT) DEF(GCC_ARM_AARCH64_ASLDLINK_FLAGS)

  DEFINE GCC_AARCH64_ASLDLINK_FLAGS  = DEF(GCC_AARCH64_DLINK_FLAGS) -Wl,--entry,ReferenceAcpiTable -u $(IMAGE_ENTRY_POINT) DEF(GCC_ARM_AARCH64_ASLDLINK_FLAGS)

  DEFINE GCC_LOONGARCH64_ASLDLINK_FLAGS = DEF(GCC_LOONGARCH64_DLINK_FLAGS) -Wl,--entry,ReferenceAcpiTable -u $(IMAGE_ENTRY_POINT)

- DEFINE GCC_IA32_X64_DLINK_FLAGS    = DEF(GCC_IA32_X64_DLINK_COMMON) --entry _$(IMAGE_ENTRY_POINT) --file-alignment 0x20 --section-alignment 0x20 -Map $(DEST_DIR_DEBUG)/$(BASE_NAME).map

 -DEFINE GCC_ASM_FLAGS               = -c -x assembler -imacros AutoGen.h

 -DEFINE GCC_PP_FLAGS                = -E -x assembler-with-cpp -include AutoGen.h

 +DEFINE GCC_ASM_FLAGS               = -c -x assembler -imacros AutoGen.h ENV(GCC_PREFIX_MAP)

 +DEFINE GCC_PP_FLAGS                = -E -x assembler-with-cpp -include AutoGen.h ENV(GCC_PREFIX_MAP)

- DEFINE GCC_VFRPP_FLAGS             = -x c -E -P -DVFRCOMPILE --include $(MODULE_NAME)StrDefs.h

+ DEFINE GCC_VFRPP_FLAGS             = -x c -E -DVFRCOMPILE --include $(MODULE_NAME)StrDefs.h

  DEFINE GCC_ASLPP_FLAGS             = -x c -E -include AutoGen.h

  DEFINE GCC_ASLCC_FLAGS             = -x c

-@@ -1095,7 +1095,7 @@ DEFINE GCC5_LOONGARCH64_PP_FLAGS
+@@ -1092,7 +1092,7 @@ DEFINE GCC5_LOONGARCH64_PP_FLAGS           = -mabi=lp64d -march=loongarch64 DEF(
  *_GCC48_IA32_DLINK2_FLAGS         = DEF(GCC48_IA32_DLINK2_FLAGS)

  *_GCC48_IA32_RC_FLAGS             = DEF(GCC_IA32_RC_FLAGS)

  *_GCC48_IA32_OBJCOPY_FLAGS        =

@@ -52,7 +54,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  

    DEBUG_GCC48_IA32_CC_FLAGS       = DEF(GCC48_IA32_CC_FLAGS)

  RELEASE_GCC48_IA32_CC_FLAGS       = DEF(GCC48_IA32_CC_FLAGS) -Wno-unused-but-set-variable

-@@ -1123,7 +1123,7 @@ RELEASE_GCC48_IA32_CC_FLAGS       = DEF(
+@@ -1120,7 +1120,7 @@ RELEASE_GCC48_IA32_CC_FLAGS       = DEF(GCC48_IA32_CC_FLAGS) -Wno-unused-but-set
  *_GCC48_X64_DLINK2_FLAGS         = DEF(GCC48_X64_DLINK2_FLAGS)

  *_GCC48_X64_RC_FLAGS             = DEF(GCC_X64_RC_FLAGS)

  *_GCC48_X64_OBJCOPY_FLAGS        =

@@ -61,7 +63,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  

    DEBUG_GCC48_X64_CC_FLAGS       = DEF(GCC48_X64_CC_FLAGS)

  RELEASE_GCC48_X64_CC_FLAGS       = DEF(GCC48_X64_CC_FLAGS) -Wno-unused-but-set-variable

-@@ -1232,7 +1232,7 @@ RELEASE_GCC48_AARCH64_CC_FLAGS   = DEF(G
+@@ -1229,7 +1229,7 @@ RELEASE_GCC48_AARCH64_CC_FLAGS   = DEF(GCC48_AARCH64_CC_FLAGS) -Wno-unused-but-s
  *_GCC49_IA32_DLINK2_FLAGS         = DEF(GCC49_IA32_DLINK2_FLAGS)

  *_GCC49_IA32_RC_FLAGS             = DEF(GCC_IA32_RC_FLAGS)

  *_GCC49_IA32_OBJCOPY_FLAGS        =

@@ -70,7 +72,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  

    DEBUG_GCC49_IA32_CC_FLAGS       = DEF(GCC49_IA32_CC_FLAGS)

  RELEASE_GCC49_IA32_CC_FLAGS       = DEF(GCC49_IA32_CC_FLAGS) -Wno-unused-but-set-variable -Wno-unused-const-variable

-@@ -1260,7 +1260,7 @@ RELEASE_GCC49_IA32_CC_FLAGS       = DEF(
+@@ -1257,7 +1257,7 @@ RELEASE_GCC49_IA32_CC_FLAGS       = DEF(GCC49_IA32_CC_FLAGS) -Wno-unused-but-set
  *_GCC49_X64_DLINK2_FLAGS         = DEF(GCC49_X64_DLINK2_FLAGS)

  *_GCC49_X64_RC_FLAGS             = DEF(GCC_X64_RC_FLAGS)

  *_GCC49_X64_OBJCOPY_FLAGS        =

@@ -79,7 +81,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  

    DEBUG_GCC49_X64_CC_FLAGS       = DEF(GCC49_X64_CC_FLAGS)

  RELEASE_GCC49_X64_CC_FLAGS       = DEF(GCC49_X64_CC_FLAGS) -Wno-unused-but-set-variable -Wno-unused-const-variable

-@@ -1519,7 +1519,7 @@ RELEASE_GCCNOLTO_AARCH64_DLINK_XIPFLAGS
+@@ -1516,7 +1516,7 @@ RELEASE_GCCNOLTO_AARCH64_DLINK_XIPFLAGS = -z common-page-size=0x20
  *_GCC5_IA32_DLINK2_FLAGS         = DEF(GCC5_IA32_DLINK2_FLAGS) -no-pie

  *_GCC5_IA32_RC_FLAGS             = DEF(GCC_IA32_RC_FLAGS)

  *_GCC5_IA32_OBJCOPY_FLAGS        =

@@ -88,7 +90,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  

    DEBUG_GCC5_IA32_CC_FLAGS       = DEF(GCC5_IA32_CC_FLAGS) -flto

    DEBUG_GCC5_IA32_DLINK_FLAGS    = DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto -Os -Wl,-m,elf_i386,--oformat=elf32-i386

-@@ -1551,7 +1551,7 @@ RELEASE_GCC5_IA32_DLINK_FLAGS    = DEF(G
+@@ -1548,7 +1548,7 @@ RELEASE_GCC5_IA32_DLINK_FLAGS    = DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto -Os -Wl,
  *_GCC5_X64_DLINK2_FLAGS          = DEF(GCC5_X64_DLINK2_FLAGS)

  *_GCC5_X64_RC_FLAGS              = DEF(GCC_X64_RC_FLAGS)

  *_GCC5_X64_OBJCOPY_FLAGS         =

diff --git a/meta/recipes-core/ovmf/ovmf/0004-reproducible.patch b/meta/recipes-core/ovmf/ovmf/0004-reproducible.patch
index 0ddb86f530..73f242321e 100644
--- a/meta/recipes-core/ovmf/ovmf/0004-reproducible.patch
+++ b/meta/recipes-core/ovmf/ovmf/0004-reproducible.patch
@@ -1,7 +1,7 @@
-From fc2d3c17ff2a7b39e8d47b788eeaac5e1487cdee Mon Sep 17 00:00:00 2001
+From 0d22e07cd9cc35ede04c01d3141068db744d7677 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Mon, 14 Jun 2021 19:57:30 +0200
-Subject: [PATCH 4/4] reproducible
+Subject: [PATCH] reproducible
 
 This patch fixes various things which make the build more reproducible. Some changes
 here only change intermediate artefacts but that means when you have two build trees
@@ -34,9 +34,11 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  .../Source/Python/AutoGen/ModuleAutoGen.py    |  5 +++-
  4 files changed, 24 insertions(+), 16 deletions(-)
 
+diff --git a/BaseTools/Source/C/GenFw/Elf64Convert.c b/BaseTools/Source/C/GenFw/Elf64Convert.c
+index 18594122ea..92b5f13cf6 100644
 --- a/BaseTools/Source/C/GenFw/Elf64Convert.c
 +++ b/BaseTools/Source/C/GenFw/Elf64Convert.c
-@@ -15,6 +15,8 @@ SPDX-License-Identifier: BSD-2-Clause-Pa
+@@ -15,6 +15,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
  #include <windows.h>

  #undef RUNTIME_FUNCTION

  #include <io.h>

@@ -54,7 +56,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  

    //

    // Add more space in the .debug data region for the DllCharacteristicsEx

-@@ -2310,7 +2312,7 @@ WriteDebug64 (
+@@ -2322,7 +2324,7 @@ WriteDebug64 (
    EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY         *Nb10;

    EFI_IMAGE_DEBUG_EX_DLLCHARACTERISTICS_ENTRY *DllEntry;

  

@@ -63,7 +65,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  

    NtHdr = (EFI_IMAGE_OPTIONAL_HEADER_UNION *)(mCoffFile + mNtHdrOffset);

    DataDir = &NtHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_DEBUG];

-@@ -2343,7 +2345,7 @@ WriteDebug64 (
+@@ -2355,7 +2357,7 @@ WriteDebug64 (
  

    Nb10 = (EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY*)(Dir + 1);

    Nb10->Signature = CODEVIEW_SIGNATURE_NB10;

@@ -72,6 +74,8 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  }

  

  STATIC

+diff --git a/BaseTools/Source/Python/AutoGen/BuildEngine.py b/BaseTools/Source/Python/AutoGen/BuildEngine.py
+index b829a2503c..afe826b78f 100644
 --- a/BaseTools/Source/Python/AutoGen/BuildEngine.py
 +++ b/BaseTools/Source/Python/AutoGen/BuildEngine.py
 @@ -70,6 +70,9 @@ class TargetDescBlock(object):
@@ -84,9 +88,11 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
      def AddInput(self, Input):

          if Input not in self.Inputs:

              self.Inputs.append(Input)

+diff --git a/BaseTools/Source/Python/AutoGen/GenMake.py b/BaseTools/Source/Python/AutoGen/GenMake.py
+index e5f282c4ac..27a34ef7c6 100755
 --- a/BaseTools/Source/Python/AutoGen/GenMake.py
 +++ b/BaseTools/Source/Python/AutoGen/GenMake.py
-@@ -576,7 +576,7 @@ cleanlib:
+@@ -571,7 +571,7 @@ cleanlib:
                  os.remove(RespFileList)

  

          # convert source files and binary files to build targets

@@ -95,7 +101,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
          if len(self.ResultFileList) == 0 and len(MyAgo.SourceFileList) != 0:

              EdkLogger.error("build", AUTOGEN_ERROR, "Nothing to build",

                              ExtraData="[%s]" % str(MyAgo))

-@@ -727,7 +727,7 @@ cleanlib:
+@@ -722,7 +722,7 @@ cleanlib:
          OutputFile = ''

          DepsFileList = []

  

@@ -104,7 +110,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
              if Cmd[2]:

                  for CopyCmd in Cmd[2]:

                      Src, Dst = CopyCmd

-@@ -760,7 +760,7 @@ cleanlib:
+@@ -755,7 +755,7 @@ cleanlib:
              self.BuildTargetList.append('\t%s' % CmdString)

  

              self.ParseSecCmd(DepsFileList, Cmd[1])

@@ -113,7 +119,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
                  self.BuildTargetList.append('%s : %s' % (self.ReplaceMacro(SecOutputFile), self.ReplaceMacro(SecDepsFile)))

                  self.BuildTargetList.append('\t%s' % self.ReplaceMacro(SecCmd))

              self.FfsOutputFileList = []

-@@ -799,13 +799,13 @@ cleanlib:
+@@ -794,13 +794,13 @@ cleanlib:
  

      def CommandExceedLimit(self):

          FlagDict = {

@@ -134,7 +140,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
                     }

  

          RespDict = {}

-@@ -1019,9 +1019,9 @@ cleanlib:
+@@ -1014,9 +1014,9 @@ cleanlib:
                  if not self.ObjTargetDict.get(T.Target.SubDir):

                      self.ObjTargetDict[T.Target.SubDir] = set()

                  self.ObjTargetDict[T.Target.SubDir].add(NewFile)

@@ -146,9 +152,11 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
                  # Generate related macros if needed

                  if T.GenFileListMacro and T.FileListMacro not in self.FileListMacros:

                      self.FileListMacros[T.FileListMacro] = []

+diff --git a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
+index aa0b71632e..57c9cad117 100755
 --- a/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
 +++ b/BaseTools/Source/Python/AutoGen/ModuleAutoGen.py
-@@ -1474,6 +1474,9 @@ class ModuleAutoGen(AutoGen):
+@@ -1429,6 +1429,9 @@ class ModuleAutoGen(AutoGen):
              for File in Files:

                  if File.lower().endswith('.pdb'):

                      AsBuiltInfDict['binary_item'].append('DISPOSABLE|' + File)

@@ -158,7 +166,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
          HeaderComments = self.Module.HeaderComments

          StartPos = 0

          for Index in range(len(HeaderComments)):

-@@ -1749,7 +1752,7 @@ class ModuleAutoGen(AutoGen):
+@@ -1704,7 +1707,7 @@ class ModuleAutoGen(AutoGen):
              if os.path.exists (self.TimeStampPath):

                  os.remove (self.TimeStampPath)

  

diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch
deleted file mode 100644
index 066dfa0ff0..0000000000
--- a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 2c8fb3e5164effc8a370e800fe91db7341e69116 Mon Sep 17 00:00:00 2001
-From: Doug Flick <dougflick@microsoft.com>
-Date: Mon, 7 Apr 2025 11:23:41 -0700
-Subject: [PATCH 1/4] SecurityPkg: Update SecurityFixes.yaml for CVE-2024-38797
-
-This commit updates the SecurityFixes.yaml file to include
-information about the CVE-2024-38797 vulnerability.
-
-Signed-off-by: Doug Flick <DougFlick@microsoft.com>
-
-CVE: CVE-2024-38797
-Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/519366f542e9370bee982b1c3687ffedb5cabc21]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- SecurityPkg/SecurityFixes.yaml | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
-index b4006b4..06b597a 100644
---- a/SecurityPkg/SecurityFixes.yaml
-+++ b/SecurityPkg/SecurityFixes.yaml
-@@ -40,3 +40,18 @@ CVE_2022_36764:
-     - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c

-   links:

-     - https://bugzilla.tianocore.org/show_bug.cgi?id=4118

-+CVE_2024_38797:

-+  commit-titles:

-+    - "SecurityPkg: Out of bound read in HashPeImageByType()"

-+    - "SecurityPkg: Improving HashPeImageByType () logic"

-+    - "SecurityPkg: Improving SecureBootConfigImpl:HashPeImageByType () logic"

-+  cve: CVE-2024-38797

-+  date_reported: 2024-06-04 12:00 UTC

-+  description: Out of bound read in HashPeImageByType()

-+  note:

-+  files_impacted:

-+    - SecurityPkg\Library\DxeImageVerificationLib\DxeImageVerificationLib.c

-+    - SecurityPkg\VariableAuthenticated\SecureBootConfigDxe\SecureBootConfigImpl.c

-+  links:

-+    - https://bugzilla.tianocore.org/show_bug.cgi?id=2214

-+    - https://github.com/tianocore/edk2/security/advisories/GHSA-4wjw-6xmf-44xf

--- 
-2.34.1
-
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch
deleted file mode 100644
index 9bf6645681..0000000000
--- a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 1a7be26382c4a34504875f094e15fe371d44192e Mon Sep 17 00:00:00 2001
-From: Doug Flick <dougflick@microsoft.com>
-Date: Thu, 3 Oct 2024 09:37:18 -0700
-Subject: [PATCH 2/4] SecurityPkg: Out of bound read in HashPeImageByType()
-
-In HashPeImageByType(), the hash of PE/COFF image is calculated.
-This function may get untrusted input.
-
-Inside this function, the following code verifies the loaded image has
-the correct format, by reading the second byte of the buffer.
-
-```c
-  if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
-        ...
-  }
-```
-
-The input image is not trusted and that may not have the second byte to
-read. So this poses an out of bound read error.
-
-With below fix we are assuring that we don't do out of bound read. i.e,
-we make sure that AuthDataSize is greater than 1.
-
-```c
-  if (AuthDataSize > 1
-      && (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE){
-    ...
-  }
-```
-
-AuthDataSize size is verified before reading the second byte.
-So if AuthDataSize is less than 2, the second byte will not be read, and
-the out of bound read situation won't occur.
-
-Tested the patch on real platform with and without TPM connected and
-verified image is booting fine.
-
-Authored-by: Raj AlwinX Selvaraj <Alw...@intel.com>
-Signed-off-by: Doug Flick <DougFlick@microsoft.com>
-
-CVE: CVE-2024-38797
-Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/2dcdb41b564aa3cb846644b4b1722a0b3ae5e06b]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c   | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-index b05da19..2afa2c9 100644
---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-@@ -642,7 +642,7 @@ HashPeImageByType (
-     //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.

-     //    Fixed offset (+32) is calculated based on two bytes of length encoding.

-     //

--    if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {

-+    if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {

-       //

-       // Only support two bytes of Long Form of Length Encoding.

-       //

--- 
-2.34.1
-
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch
deleted file mode 100644
index 169c78daab..0000000000
--- a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 4db363db013a92937431234252fc9d84e44fc120 Mon Sep 17 00:00:00 2001
-From: Doug Flick <dougflick@microsoft.com>
-Date: Thu, 3 Oct 2024 10:16:57 -0700
-Subject: [PATCH 3/4] SecurityPkg: Improving HashPeImageByType () logic
-
-Namely:
-
-(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
-    to TRUE for Index==0, then it will evaluate to TRUE for all other
-    Index values as well. As a result, the (Index == HASHALG_MAX)
-    condition will fire after the loop, and we'll return
-    EFI_UNSUPPORTED.
-
-    While this is correct, functionally speaking, it is wasteful to
-    keep re-checking TWO_BYTE_ENCODE in the loop body. The check
-    should be made at the top of the function, and EFI_UNSUPPORTED
-    should be returned at once, if appropriate.
-
-(2) If the hash algorithm selected by Index has such a large OID that
-    the OID comparison cannot even be performed (because AuthDataSize
-    is not large enough for containing the OID in question, starting
-    at offset 32), then the function returns EFI_UNSUPPORTED at once.
-
-    This is bogus; this case should simply be treated as an OID
-    mismatch, and the loop should advance to the next Index value /
-    hash algorithm candidate. A remaining hash algo may have a shorter
-    OID and yield an OID match.
-
-Signed-off-by: Doug Flick <DougFlick@microsoft.com>
-
-CVE: CVE-2024-38797
-Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/5df518ec510324f48ed1cf0376150960644b41f0]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- .../DxeImageVerificationLib.c                 | 37 ++++++++++---------
- 1 file changed, 19 insertions(+), 18 deletions(-)
-
-diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-index 2afa2c9..2eca39d 100644
---- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
-@@ -618,6 +618,7 @@ Done:
-   @param[in]  AuthDataSize        Size of the Authenticode Signature in bytes.

- 

-   @retval EFI_UNSUPPORTED             Hash algorithm is not supported.

-+  @retval EFI_BAD_BUFFER_SIZE         AuthData provided is invalid size.

-   @retval EFI_SUCCESS                 Hash successfully.

- 

- **/

-@@ -629,28 +630,28 @@ HashPeImageByType (
- {

-   UINT8  Index;

- 

--  for (Index = 0; Index < HASHALG_MAX; Index++) {

-+  //

-+  // Check the Hash algorithm in PE/COFF Authenticode.

-+  //    According to PKCS#7 Definition:

-+  //        SignedData ::= SEQUENCE {

-+  //            version Version,

-+  //            digestAlgorithms DigestAlgorithmIdentifiers,

-+  //            contentInfo ContentInfo,

-+  //            .... }

-+  //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing

-+  //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.

-+  //    Fixed offset (+32) is calculated based on two bytes of length encoding.

-+  //

-+  if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {

-     //

--    // Check the Hash algorithm in PE/COFF Authenticode.

--    //    According to PKCS#7 Definition:

--    //        SignedData ::= SEQUENCE {

--    //            version Version,

--    //            digestAlgorithms DigestAlgorithmIdentifiers,

--    //            contentInfo ContentInfo,

--    //            .... }

--    //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing

--    //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.

--    //    Fixed offset (+32) is calculated based on two bytes of length encoding.

-+    // Only support two bytes of Long Form of Length Encoding.

-     //

--    if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {

--      //

--      // Only support two bytes of Long Form of Length Encoding.

--      //

--      continue;

--    }

-+    return EFI_BAD_BUFFER_SIZE;

-+  }

- 

-+  for (Index = 0; Index < HASHALG_MAX; Index++) {

-     if (AuthDataSize < 32 + mHash[Index].OidLength) {

--      return EFI_UNSUPPORTED;

-+      continue;

-     }

- 

-     if (CompareMem (AuthData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {

--- 
-2.34.1
-
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch
deleted file mode 100644
index 86bc950e7d..0000000000
--- a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From cb3342702c5c1f8a4ddbb6d503a98ed720d14eb3 Mon Sep 17 00:00:00 2001
-From: Doug Flick <dougflick@microsoft.com>
-Date: Fri, 17 Jan 2025 11:30:17 -0800
-Subject: [PATCH 4/4] SecurityPkg: Improving
- SecureBootConfigImpl:HashPeImageByType () logic
-
-Namely:
-
-(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
-    to TRUE for Index==0, then it will evaluate to TRUE for all other
-    Index values as well. As a result, the (Index == HASHALG_MAX)
-    condition will fire after the loop, and we'll return
-    EFI_UNSUPPORTED.
-
-    While this is correct, functionally speaking, it is wasteful to
-    keep re-checking TWO_BYTE_ENCODE in the loop body. The check
-    should be made at the top of the function, and EFI_UNSUPPORTED
-    should be returned at once, if appropriate.
-
-(2) If the hash algorithm selected by Index has such a large OID that
-    the OID comparison cannot even be performed (because AuthDataSize
-    is not large enough for containing the OID in question, starting
-    at offset 32), then the function returns EFI_UNSUPPORTED at once.
-
-    This is bogus; this case should simply be treated as an OID
-    mismatch, and the loop should advance to the next Index value /
-    hash algorithm candidate. A remaining hash algo may have a shorter
-    OID and yield an OID match.
-
-Signed-off-by: Doug Flick <DougFlick@microsoft.com>
-
-CVE: CVE-2024-38797
-Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/8676572908b950dd4d1f8985006011be99c0a5b6]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- .../SecureBootConfigImpl.c                    | 37 +++++++++++--------
- 1 file changed, 21 insertions(+), 16 deletions(-)
-
-diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
-index 6d4560c..155e755 100644
---- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
-+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
-@@ -2096,30 +2096,35 @@ HashPeImageByType (
- {

-   UINT8                     Index;

-   WIN_CERTIFICATE_EFI_PKCS  *PkcsCertData;

-+  UINT32                    PkcsCertSize;

- 

-   PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *)(mImageBase + mSecDataDir->Offset);

-+  PkcsCertSize = mSecDataDir->SizeOfCert;

- 

--  for (Index = 0; Index < HASHALG_MAX; Index++) {

-+  //

-+  // Check the Hash algorithm in PE/COFF Authenticode.

-+  //    According to PKCS#7 Definition:

-+  //        SignedData ::= SEQUENCE {

-+  //            version Version,

-+  //            digestAlgorithms DigestAlgorithmIdentifiers,

-+  //            contentInfo ContentInfo,

-+  //            .... }

-+  //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing

-+  //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.

-+  //    Fixed offset (+32) is calculated based on two bytes of length encoding.

-+  //

-+  if ((PkcsCertSize > 1) && ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {

-     //

--    // Check the Hash algorithm in PE/COFF Authenticode.

--    //    According to PKCS#7 Definition:

--    //        SignedData ::= SEQUENCE {

--    //            version Version,

--    //            digestAlgorithms DigestAlgorithmIdentifiers,

--    //            contentInfo ContentInfo,

--    //            .... }

--    //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing

--    //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.

--    //    Fixed offset (+32) is calculated based on two bytes of length encoding.

-+    // Only support two bytes of Long Form of Length Encoding.

-     //

--    if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {

--      //

--      // Only support two bytes of Long Form of Length Encoding.

--      //

-+    return EFI_BAD_BUFFER_SIZE;

-+  }

-+

-+  for (Index = 0; Index < HASHALG_MAX; Index++) {

-+    if (PkcsCertSize < 32 + mHash[Index].OidLength) {

-       continue;

-     }

- 

--    //

-     if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {

-       break;

-     }

--- 
-2.34.1
-
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch
deleted file mode 100644
index 038a3f2dbc..0000000000
--- a/meta/recipes-core/ovmf/ovmf/CVE-2025-2295.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 4b028816b5619ede6c3720664478055e09151516 Mon Sep 17 00:00:00 2001
-From: Madhavan <madavtechy@gmail.com>
-Date: Fri, 14 Mar 2025 14:15:13 -0400
-Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI
- bz4206
-
-Used SafeUint32Add to calculate and validate OutTransferLength with
-boundary check in IScsiOnR2TRcvd to avoid integer overflow
-
-Signed-off-by: Madhavan <madavtechy@gmail.com>
-
-CVE: CVE-2025-2295
-Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- NetworkPkg/IScsiDxe/IScsiProto.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
-index ef587649a0..fb48e6304d 100644
---- a/NetworkPkg/IScsiDxe/IScsiProto.c
-+++ b/NetworkPkg/IScsiDxe/IScsiProto.c
-@@ -1,7 +1,7 @@
- /** @file

-   The implementation of iSCSI protocol based on RFC3720.

- 

--Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>

-+Copyright (c) 2004 - 2025, Intel Corporation. All rights reserved.<BR>

- SPDX-License-Identifier: BSD-2-Clause-Patent

- 

- **/

-@@ -2682,6 +2682,7 @@ IScsiOnR2TRcvd (
-   EFI_STATUS               Status;

-   ISCSI_XFER_CONTEXT       *XferContext;

-   UINT8                    *Data;

-+  UINT32                   TransferLength;

- 

-   R2THdr = (ISCSI_READY_TO_TRANSFER *)NetbufGetByte (Pdu, 0, NULL);

-   if (R2THdr == NULL) {

-@@ -2712,7 +2713,12 @@ IScsiOnR2TRcvd (
-   XferContext->Offset            = R2THdr->BufferOffset;

-   XferContext->DesiredLength     = R2THdr->DesiredDataTransferLength;

- 

--  if (((XferContext->Offset + XferContext->DesiredLength) > Packet->OutTransferLength) ||

-+  Status = SafeUint32Add (XferContext->Offset, XferContext->DesiredLength, &TransferLength);

-+  if (EFI_ERROR (Status)) {

-+    return EFI_PROTOCOL_ERROR;

-+  }

-+

-+  if ((TransferLength > Packet->OutTransferLength) ||

-       (XferContext->DesiredLength > Tcb->Conn->Session->MaxBurstLength)

-       )

-   {

--- 
-2.48.1
-
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index a8efcc2a46..577310a678 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -20,21 +20,15 @@ PACKAGECONFIG[tpm] = "-D TPM_ENABLE=TRUE,-D TPM_ENABLE=FALSE,,"
 #see https://src.fedoraproject.org/rpms/edk2/blob/rawhide/f/0032-Basetools-turn-off-gcc12-warning.patch
 BUILD_CFLAGS += "-Wno-error=stringop-overflow"
 
-SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
+SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https;tag=${PV} \
            file://0001-ovmf-update-path-to-native-BaseTools.patch \
            file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
            file://0003-debug-prefix-map.patch \
            file://0004-reproducible.patch \
-           file://CVE-2025-2295.patch \
-           file://CVE-2024-38797-1.patch \
-           file://CVE-2024-38797-2.patch \
-           file://CVE-2024-38797-3.patch \
-           file://CVE-2024-38797-4.patch \
-           file://0001-SecurityPkg-Don-t-define-bool-type-if-building-in-C2.patch \
            "
 
-PV = "edk2-stable202502"
-SRCREV = "fbe0805b2091393406952e84724188f8c1941837"
+PV = "edk2-stable202508"
+SRCREV = "d46aa46c8361194521391aa581593e556c707c6e"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)"
 
 CVE_PRODUCT = "edk2"