<feed xmlns='http://www.w3.org/2005/Atom'>
<title>uefi/tianocore/edk2.git, branch mergify/configuration-deprecated-update</title>
<subtitle>EDK II</subtitle>
<id>https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/atom?h=mergify%2Fconfiguration-deprecated-update</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/atom?h=mergify%2Fconfiguration-deprecated-update'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/'/>
<updated>2026-06-15T19:51:50+00:00</updated>
<entry>
<title>.mergify/config.yml: Explicitly set reporting_method to check-runs</title>
<updated>2026-06-15T19:51:50+00:00</updated>
<author>
<name>Michael Kubacki</name>
<email>michael.kubacki@microsoft.com</email>
</author>
<published>2026-06-10T20:04:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/commit/?id=ee6aa71e2ca25fd0e35fa19b6468d142995b65fe'/>
<id>urn:sha1:ee6aa71e2ca25fd0e35fa19b6468d142995b65fe</id>
<content type='text'>
The default value of merge_protections_settings.reporting_method is
changing from check-runs to deployments. This commit updates the
mergify configuration to explicitly set check-runs to preserve
current behavior.

(deadline: 2026-07-31)

---

This was originally auto-generated by the Mergify bot in a PR to the
edk2 repo. That change did not comply with edk2 commit requirements
and modified the line endings of the file. It is manually recreated
here with the correct line endings and commit message format.

Signed-off-by: Michael Kubacki &lt;michael.kubacki@microsoft.com&gt;
</content>
</entry>
<entry>
<title>Maintainers.txt: Add Chris Fernald as maintainer to SecurityPkg</title>
<updated>2026-06-15T18:02:10+00:00</updated>
<author>
<name>Chris Fernald</name>
<email>chfernal@microsoft.com</email>
</author>
<published>2026-06-11T20:40:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/commit/?id=68df5172e57b9b671d981d01035aa8377675ec63'/>
<id>urn:sha1:68df5172e57b9b671d981d01035aa8377675ec63</id>
<content type='text'>
Signed-off-by: Chris Fernald &lt;chfernal@microsoft.com&gt;
</content>
</entry>
<entry>
<title>CryptoPkg: Added lite version openssl library</title>
<updated>2026-06-15T08:54:47+00:00</updated>
<author>
<name>Lee LonghaoX</name>
<email>longhaox.lee@intel.com</email>
</author>
<published>2026-04-15T06:31:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/commit/?id=eaa1e19c7a039b3d178ac960c33dc057c4d75243'/>
<id>urn:sha1:eaa1e19c7a039b3d178ac960c33dc057c4d75243</id>
<content type='text'>
Lite version OpensslLib
base on OpensslLibFull but no-camellia, no -ecx and no-dh.
It save the size about ~192KB.

REF:
Signed-off-by: Lee LonghaoX &lt;longhaox.lee@intel.com&gt;
</content>
</entry>
<entry>
<title>CryptoPkg: Log TLS handshake certificate verification error reason</title>
<updated>2026-06-15T04:47:25+00:00</updated>
<author>
<name>Jean-Tiare Le Bigot</name>
<email>jt@yadutaf.fr</email>
</author>
<published>2026-06-12T19:31:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/commit/?id=92b2428c063a21f1442b0bc387c8e310d4651bff'/>
<id>urn:sha1:92b2428c063a21f1442b0bc387c8e310d4651bff</id>
<content type='text'>
When the TLS error is `SSL_R_CERTIFICATE_VERIFY_FAILED`, the
verification failure reason is reported by `SSL_get_verify_result`.

Adding this reason to the debug logs is valuable to pin-point
certificate rejection that are specific to EDK II.

Signed-off-by: Jean-Tiare Le Bigot &lt;jt@yadutaf.fr&gt;
</content>
</entry>
<entry>
<title>MdeModulePkg: Display VID and DID using 4-digit hexadecimal number</title>
<updated>2026-06-15T02:25:50+00:00</updated>
<author>
<name>Qihang Gao</name>
<email>gaoqihang@loongson.cn</email>
</author>
<published>2026-06-10T09:41:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/commit/?id=174573b3a7270221c5851e0db63bd0e98498eb38'/>
<id>urn:sha1:174573b3a7270221c5851e0db63bd0e98498eb38</id>
<content type='text'>
No functional change.

Signed-off-by: Qihang Gao &lt;gaoqihang@loongson.cn&gt;
</content>
</entry>
<entry>
<title>OvmfPkg: Add WSMT ACPI table for SMM builds</title>
<updated>2026-06-13T15:22:58+00:00</updated>
<author>
<name>Jon Kohler</name>
<email>jon@nutanix.com</email>
</author>
<published>2026-05-27T20:16:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/commit/?id=837f6fce3b524f646b14ce4112770b378d779f42'/>
<id>urn:sha1:837f6fce3b524f646b14ce4112770b378d779f42</id>
<content type='text'>
Windows uses the Windows SMM Security Mitigation Table to decide
whether SMM firmware advertises the communication-buffer protections
needed by VBS [1].

WSMT ProtectionFlags represent a pinky promise that the underlying
firmware will implement various security practices [2].

Add a small DXE driver that installs a revision 1 WSMT table for the
OvmfPkgIa32X64 and OvmfPkgX64 builds.

WSMT ProtectionFlags are set to 0x3, asserting:
  EFI_WSMT_PROTECTION_FLAGS_FIXED_COMM_BUFFERS
  EFI_WSMT_PROTECTION_FLAGS_COMM_BUFFER_NESTED_PTR_PROTECTION

Note, we are intentionally not asserting
EFI_WSMT_PROTECTION_FLAGS_SYSTEM_RESOURCE_PROTECTION, as the QEMU side
is not yet tuned up to enforce this protection.

Note: when Windows Hypervisor Enforced Code Integrity is enabled,
Windows msinfo -&gt; Virtualization-based security Available Security
Properties will NOT include "SMM Security Mitigations 1.0", due to
the missing SYSTEM_RESOURCE_PROTECTION flag. Note, WSMT is required
for default enablement of HVCI [3], so we're taking a step in the right
direction here, but not yet 100% complete as of this patch.

References:
[1] https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs
[2] https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-uefi-wsmt
[3] https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement#check-results-of-memory-integrity-default-enablement

Cc: Paolo Bonzini &lt;pbonzini@redhat.com&gt;
Signed-off-by: Jon Kohler &lt;jon@nutanix.com&gt;
</content>
</entry>
<entry>
<title>MdePkg: Update WSMT (Windows SMM Security Mitigation Table) Docs</title>
<updated>2026-06-13T15:22:58+00:00</updated>
<author>
<name>Jon Kohler</name>
<email>jon@nutanix.com</email>
</author>
<published>2026-05-27T20:28:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/commit/?id=92fea5c9c1a42542f25b4f897ced7ae082e8c0c7'/>
<id>urn:sha1:92fea5c9c1a42542f25b4f897ced7ae082e8c0c7</id>
<content type='text'>
The WSMT table ProtectionFlags represent a pinky promise from the
firmware that it will implement various secure processes and features,
but we should know what that pinky promise actually represents with
in-code documentation.

Revise the documentation for the Windows SMM Security Mitigation Table
to include detailed descriptions of the Protection Flags, which are
directly drawn from Microsoft's docs.

Update the stable URL to the latest Microsoft docs for cross reference.

Cc: Paolo Bonzini &lt;pbonzini@redhat.com&gt;
Signed-off-by: Jon Kohler &lt;jon@nutanix.com&gt;
</content>
</entry>
<entry>
<title>EmbeddedPkg, OvmfPkg: Produce FV3 HOBs for Extracted FVs</title>
<updated>2026-06-13T09:06:33+00:00</updated>
<author>
<name>Oliver Smith-Denny</name>
<email>osde@microsoft.com</email>
</author>
<published>2026-06-12T14:50:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/commit/?id=c6c02f8cae2642b9a8987ef14b1606afb0688b1e'/>
<id>urn:sha1:c6c02f8cae2642b9a8987ef14b1606afb0688b1e</id>
<content type='text'>
EmbeddedPkg's PrePiLib and OvmfPkg's PeilessStartupLib (which
uses PrePiLib) only produce FV2 HOBs for extracted FVs. However,
FV3 HOBs have superceded FV2 HOBs for describing extracted FVs.

This commit updates both of these libs to also produce FV3 HOBs,
following PEI's pattern of producing an FV, FV2, and FV3 HOB for
each extracted FV.

Eventually, only FV3 HOBs will be produced, so this paves the way
for that.

Continuous-integration-options: PatchCheck.ignore-multi-package

Signed-off-by: Oliver Smith-Denny &lt;osde@microsoft.com&gt;
</content>
</entry>
<entry>
<title>OvmfPkg: PeilessStartupLib: Fix FV2 HOB Production</title>
<updated>2026-06-13T09:06:33+00:00</updated>
<author>
<name>Oliver Smith-Denny</name>
<email>osde@microsoft.com</email>
</author>
<published>2026-06-12T16:53:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/commit/?id=6683b764976c3e87a1161e21554540f8dffd86b4'/>
<id>urn:sha1:6683b764976c3e87a1161e21554540f8dffd86b4</id>
<content type='text'>
PeilessStartupLib is incorrectly producing FV2 HOBs.
The FvName field of the FV2 HOB is intended to be the
parent FV's name. This way the HOB consumer phase can
identify when an FV has already been extracted: if the
file name of the extracted FV and the parent FV name
match in the FV2 HOB.

With the incorrect FvName, DXE will re-extract the already
extracted FV, which can be a large performance hit (some platforms
we have seen ~1 second).

Signed-off-by: Oliver Smith-Denny &lt;osde@microsoft.com&gt;
</content>
</entry>
<entry>
<title>EmbeddedPkg, OvmfPkg: PrePiLib: Use Correct FvName in FV2 HOB Production</title>
<updated>2026-06-13T09:06:33+00:00</updated>
<author>
<name>Dmitry Antipov</name>
<email>dmanti@microsoft.com</email>
</author>
<published>2019-08-12T22:57:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/bootloaders/uefi/tianocore/edk2.git/commit/?id=7ad30b28b2e86ccc9cab9917d272f486140323bb'/>
<id>urn:sha1:7ad30b28b2e86ccc9cab9917d272f486140323bb</id>
<content type='text'>
PrePiLib is incorrectly producing FV2 HOBs. The FvName field of
the FV2 HOB is intended to be the parent FV's name. This way the
HOB consumer phase can identify when an FV has already been
extracted: if the file name of the extracted FV and the parent
FV name match in the FV2 HOB.

With the incorrect FvName, DXE will re-extract the already
extracted FV, which can be a large performance hit (some platforms
we have seen ~1 second).

This requires an update to FfsProcessFvFile to pass the parent
FV handle through so the FV2 HOB can be correctly produced.
OvmfPkg consumers are also updated.

Continuous-integration-options: PatchCheck.ignore-multi-package

Signed-off-by: Oliver Smith-Denny &lt;osde@microsoft.com&gt;
</content>
</entry>
</feed>
