11 Mar 03:59

mu-automation

401e480

v4.0.11 Latest

Latest

What's Changed

DfciPkg: Update CI for 202511 Branches. @apop5 (#343)
Change Details
Description

Update to use 202511 branches of mu_basecore, mu_plus.
Remove ARM target since ARM is no longer a supported architecture per EDK2.
Remove extra StackCheckLib from dsc file.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Local CI with VS2022, ClangPdb

Integration Instructions

No integration necessary.

Full Changelog: v4.0.10...v4.0.11

Contributors

apop5

Assets 2

24 Sep 23:11

github-actions

v4.0.10

4261f78

v4.0.10

What's Changed

Convert docx files to readme.md format @[copilot-swe-agent[bot]](https://github.com/apps/copilot-swe-agent) (#307)
Change Details
This PR addresses the documentation improvement request by converting the existing Microsoft Word document to markdown format for better accessibility and version control integration.
Changes Made
- Converted: DfciPkg/SettingsManager/Overview.docx → DfciPkg/SettingsManager/readme.md
- Removed: Original docx file as it's no longer needed
- Applied: Proper markdown formatting following the repository's style guidelines
Technical Details

The conversion was performed using pandoc to ensure accurate content preservation, followed by markdownlint auto-fixing to meet the repository's markdown standards defined in .markdownlint.yaml. The resulting markdown document maintains all the original technical content including:
- Microsoft Settings Manager implementation details
- File descriptions and responsibilities
- Error code definitions
- Proper hierarchical structure with headers and lists
Benefits
- Version Control Friendly: Markdown files can be properly diffed and tracked in git
- Accessibility: No special software required to view documentation
- Consistency: Aligns with the repository's existing markdown documentation standards
- Maintainability: Easier to update and maintain documentation alongside code changes
Fixes #306.
[!WARNING]
Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

esm.ubuntu.com

Triggering command: /usr/lib/apt/methods/https (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled

Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)
💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

DfciPkg: DfciMenu Fix ClangDwarf compile. @apop5 (#299)
Change Details
## Description When comping with clangdwarf, the abi defaults to system v abi. The use of VA_ARG with clang, defaults to the msabi version.
Functions that use VA_ARG should be declared as EFIAPI. In this particular case, the function is internal, and was not declared with EFIAPI. Adding the missing declaration resolves the build error.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Testing while building a platform using TOOL_CHAIN_TAG=CLANGDWARF

Integration Instructions

No integration necessary

Fix: Use raw string evaluation to prevent invalid escape sequence warning in signPfx check @abhinav-karthik (#287)
Change Details
Use raw string evaluation to prevent invalid escape sequence warning in signPfx check
Description

Replaced direct string comparison in IF condition with a raw string evaluation to avoid runtime warnings caused by invalid escape sequences.

Details:

The previous implementation:

IF "${signPfx}" == "UNSIGNED"

caused issues when ${signPfx} contained backslashes (e.g., \D), resulting in:

SyntaxWarning: invalid escape sequence '\D'

This was especially problematic in Azure Devops YAML pipelines, where the warning is treated as a failure due to being written to stderr.

To resolve this, the logic was updated as follows:
```
${is_unsigned}=    Evaluate    r"""${signPfx}""" == "UNSIGNED"
IF    ${is_unsigned}
```
Using a raw string with triple quotes ensures that any backslashes in the value are treated literally, avoiding escape sequence interpretation by Python.

For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality? No
- Impacts security? No
- Breaking change? No
- Includes tests? No
- Includes documentation? Np
How This Was Tested

Tested locally on a physical DUT

Integration Instructions

N/A

🐛 Bug Fixes

CISettings.py: Update Common/MU branch to 202502 @makubacki (#298)
Change Details
## Description
The branch is still on release/202405 while MU_BASECORE is on release/202502. Now they are both on release/202502.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- Local CI
- Verify Common/MU resolves to release/202502 with stuart_ci_setup
Integration Instructions
- N/A

🔐 Security Impacting

DfciPkg/DfciRecoveryLib: Add support for Arm RNDR RNG algorithm @makubacki (#297)
Change Details
## Description
1. Consolidate logic for determining whether the RNG protocol is available and a secure algorithm is supported by the platform in DfciRecoveryLib.c.
2. Update the list of algorithms that are considered secure for the purposes of DFCI usage to include gEfiRngAlgorithmArmRndr for a DRBG via the Arm RNDR register.
Platforms producing gEfiRngAlgorithmArmRndr should ensure it supports NIST SP800-90B compliance as described in https://developer.arm.com/documentation/100685/0000/Overview-of-Arm-True-Random-Number-Generator--TRNG-.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- CI
- Platform test in progress
Integration Instructions
- gEfiRngAlgorithmArmRndr will be used if present in the RNG algorithm.

Full Changelog: v4.0.9...v4.0.10

Contributors

makubacki, apop5, and abhinav-karthik

Assets 2

30 Apr 23:17

github-actions

v4.0.9

006fdf6

v4.0.9

What's Changed

CI: Change to using 202502 Branches. @apop5 (#279)
Change Details
## Description
Change to using 202502 Branches.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Ran CI build.

Integration Instructions

No integration necessary.

CI: Limit CI runs to AARCH64, IA32, X64. @apop5 (#271)
Change Details
## Description Remove ARM as a target for CI runs.
Only target AARCH64, IA32, X64 for GCC CI.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
- Backport to release branch?
How This Was Tested

Local CI builds.

Integration Instructions

Not Applicable since it is a CI change.

update CI branches to release/202405 @apop5 (#245)
Change Details
## Description
Update the CI branches to release/202405
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

CI

Integration Instructions

N/A

🐛 Bug Fixes

Fix for Unsigned setting packets flow @liqiqiii (#278)
Change Details
## Description
Fix for Unsigned setting packets flow
Unsigned setting packet feature is added a while ago but no one ever used it.
In implementation of this feature I found bugs that will block it from working.
The Genusb.bat that used for creating bins and dfis were updated and the ValidateSettingsPacket
needs to be updated to proper handle unsigned packets which doesn't have a signature and do
need the enddata.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Tested by setting the DfciSettingRequest variable using bin data created from Genusb.bat, settings are configured successfully
and the toggling in frontpage changed as expected.
```
  </blockquote>
  <hr>
</details>
```

Full Changelog: v4.0.8...v4.0.9

Contributors

apop5 and liqiqiii

Assets 2

06 Aug 14:16

github-actions

v4.0.7

2dd22c3

v4.0.7

What's Changed

DfciPkg/DfciSettings.h: Add new DFCI settings @damonhunka (#240)
Change Details
## Description
Adding DFCI settings for two more power policies: After Power Loss, and Always on.
- After Power Loss will boot the device back to the previous state before power loss.
- Always on will always boot the device up to S0.
The difference between the behaviors of the two modes is Always On will boot it up even if power was yanked in the shutdown state.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?

Full Changelog: v4.0.6...v4.0.7

Contributors

damonhunka

Assets 2

17 May 22:45

github-actions

v4.0.6

ba354bc

v4.0.6

What's Changed

Update DfciUpdate.c to avoid unsigned comparison checking greater than zero @spbrogan (#215)
Change Details
# Description
Resolve a CodeQL identified issue where an unsigned type was being checked against greater than or equal to zero. This will always be true and thus provides no value
- Impacts functionality?
  - Functionality - Does the change ultimately impact how firmware functions?
  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
  - Security - Does the change have a direct security impact on an application,
    flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter
    validation improvement, ...
- Breaking change?
  - Breaking change - Will anyone consuming this change experience a break
    in build or boot behavior?
  - Examples: Add a new library class, move a module to a different repo, call
    a function in a new library class in a pre-existing module, ...
- Includes tests?
  - Tests - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
  - Documentation - Does the change contain explicit documentation additions
    outside direct code modifications (and comments)?
  - Examples: Update readme file, add feature readme file, link to documentation
    on an a separate Web page, ...
How This Was Tested

Was not tested other than basic CI

Integration Instructions

NA

Fixes the Deprecation Warning for return in Robot Framework @Flickdm (#205)
Change Details
Description

Corrects deprecation warning in Robot Framework

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
  - All tests were updated
- Includes documentation?
How This Was Tested

Ran before change - warnings
Ran after change - no warnins

Integration Instructions

N / A

🔐 Security Impacting

Update/tls ciphers @Flickdm (#206)
Change Details
# Preface
Description

This change limits the TLS Ciphers provided by the Docker Container to strictly the four TLSv1.2 Ciphers that Intune currently uses.

This will force firmware to OpenSSL TLSv1.2 and strictly the four algorithms currently supported

namely
```
    cipher_list = [b'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
                 b'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
                 b'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 
                 b'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256']
```
For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)
- [ ] Impacts functionality?
- Impacts security?
  - Yes this will force the firmware to use the above mentioned ciphers
    validation improvement, ...
- Breaking change?
- [] Includes tests?
- [] Includes documentation?
How This Was Tested

This nmap script can confirm the ssl siphers are what are expected
```
nmap --script ssl-enum-ciphers -p 443 127.0.0.1
```
Integration Instructions

N/A

📖 Documentation Updates

Update/tls ciphers @Flickdm (#206)
Change Details
# Preface
Description

This change limits the TLS Ciphers provided by the Docker Container to strictly the four TLSv1.2 Ciphers that Intune currently uses.

This will force firmware to OpenSSL TLSv1.2 and strictly the four algorithms currently supported

namely
```
    cipher_list = [b'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
                 b'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
                 b'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 
                 b'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256']
```
For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)
- [ ] Impacts functionality?
- Impacts security?
  - Yes this will force the firmware to use the above mentioned ciphers
    validation improvement, ...
- Breaking change?
- [] Includes tests?
- [] Includes documentation?
How This Was Tested

This nmap script can confirm the ssl siphers are what are expected
```
nmap --script ssl-enum-ciphers -p 443 127.0.0.1
```
Integration Instructions

N/A

Full Changelog: v4.0.5...v4.0.6

Contributors

spbrogan and Flickdm

Assets 2

06 Feb 02:39

github-actions

v4.0.4

ae7a47f

v4.0.4

What's Changed

Update pip-requirements.txt @Javagedes (#190)
Change Details
## Description
Updates edk2-pytool-extensions and edk2-pytool-library to work with the latest commit of MU_BASECORE

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)
- Impacts functionality?
  - Functionality - Does the change ultimately impact how firmware functions?
  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
  - Security - Does the change have a direct security impact on an application,
    flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter
    validation improvement, ...
- Breaking change?
  - Breaking change - Will anyone consuming this change experience a break
    in build or boot behavior?
  - Examples: Add a new library class, move a module to a different repo, call
    a function in a new library class in a pre-existing module, ...
- Includes tests?
  - Tests - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
  - Documentation - Does the change contain explicit documentation additions
    outside direct code modifications (and comments)?
  - Examples: Update readme file, add feature readme file, link to documentation
    on an a separate Web page, ...
How This Was Tested

N/A

Integration Instructions

N/A
```
  </blockquote>
  <hr>
</details>
```

DfciPkg: Drop IntrinsicLib @makubacki (#185)
Change Details
## Description
Drop the library instance in the DSC due to recent refactor in
CryptoPkg in Mu Basecore.
- Impacts functionality?
  - Functionality - Does the change ultimately impact how firmware functions?
  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
  - Security - Does the change have a direct security impact on an application,
    flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter
    validation improvement, ...
- Breaking change?
  - Breaking change - Will anyone consuming this change experience a break
    in build or boot behavior?
  - Examples: Add a new library class, move a module to a different repo, call
    a function in a new library class in a pre-existing module, ...
- Includes tests?
  - Tests - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
  - Documentation - Does the change contain explicit documentation additions
    outside direct code modifications (and comments)?
  - Examples: Update readme file, add feature readme file, link to documentation
    on an a separate Web page, ...
How This Was Tested
- DfciPkg build.
Integration Instructions

N/A - Only local package build is affected.

.git-blame-ignore-revs: Ignore Line Ending and Uncrustify only commits @makubacki (#182)
Change Details
## Description
Adds commits that only applied Uncrustify formatting or converted
line endings to a .git-blame-ignore-revs file so they are ignored
by git blame. This is supported by GitHub:
https://github.blog/changelog/2022-03-24-ignore-commits-in-the-blame-view-beta/

This helps clean up git blame by filtering out these changes.

Note: This file needs to be updated on rebase branches. Processes
like filter-branch can automatically update relevant SHAs.
- Impacts functionality?
  - Functionality - Does the change ultimately impact how firmware functions?
  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
  - Security - Does the change have a direct security impact on an application,
    flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter
    validation improvement, ...
- Breaking change?
  - Breaking change - Will anyone consuming this change experience a break
    in build or boot behavior?
  - Examples: Add a new library class, move a module to a different repo, call
    a function in a new library class in a pre-existing module, ...
- Includes tests?
  - Tests - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
  - Documentation - Does the change contain explicit documentation additions
    outside direct code modifications (and comments)?
  - Examples: Update readme file, add feature readme file, link to documentation
    on an a separate Web page, ...
How This Was Tested
- git blame
Integration Instructions

N/A

Add missing library header guards @makubacki (#181)
Change Details
## Description
All header files should include header guards.

Some header files, such as those which define structures,
cannot be included more than once within a translation unit, as doing
so would cause a redefinition error. Such headers must be guarded to
prevent ill-effects from multiple inclusion. Similarly, if header
files include other header files, and this inclusion graph contains
a cycle, then at least one file within the cycle must contain header
guards in order to break the cycle. Because of cases like these, all
headers should be guarded as a matter of good practice, even if they
do not strictly need to be.

Furthermore, most modern compilers contain optimizations which are
triggered by header guards. If the header guard strictly conforms
to the pattern that compilers expect, then inclusions of that
header other than the first have absolutely no effect: the file
isn't re-read from disk, nor is it re-tokenised or re-preprocessed.
This can result in a noticeable, albeit minor, improvement to
compilation time.
- Impacts functionality?
  - Functionality - Does the change ultimately impact how firmware functions?
  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
  - Security - Does the change have a direct security impact on an application,
    flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter
    validation improvement, ...
- Breaking change?
  - Breaking change - Will anyone consuming this change experience a break
    in build or boot behavior?
  - Examples: Add a new library class, move a module to a different repo, call
    a function in a new library class in a pre-existing module, ...
- Includes tests?
  - Tests - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
  - Documentation - Does the change contain explicit documentation additions
    outside direct code modifications (and comments)?
  - Examples: Update readme file, add feature readme file, link to documentation
    on an a separate Web page, ...
How This Was Tested
- Compilation
- CodeQL
Integration Instructions

N/A

Full Changelog: v4.0.3...v4.0.4

Contributors

makubacki and Javagedes

Assets 2

06 Dec 23:14

github-actions

v4.0.3

8978086

v4.0.3

What's Changed

🐛 Bug Fixes

Fix invalid access of NewRecoveryChallenge when memory allocation fails @Nishanth1311 (#168)
Change Details
## Description If memory allocation for the NewChallenge variable should not be used. It will result in Invalid access at the following line. NewChallenge->SerialNumber = 0;
With this change if memory allocation for the NewChallenge variable fails, EFI_OUT_OF_RESOURCES is returned
- Impacts functionality? No
- Impacts security? No
- Breaking change? No
- Includes tests? No
- Includes documentation? No
How This Was Tested

Build passes with this change

Integration Instructions

N/A

Full Changelog: v4.0.2...v4.0.3

Contributors

Nishanth1311

Assets 2

05 Dec 22:08

github-actions

v4.0.2

b1ffd4d

v4.0.2

What's Changed

🔐 Security Impacting

Use New Stack Cookie Library @TaylorBeebe (#162)
Change Details
## Description
Update DFCI DSC file to use the new stack cookie library.
- Impacts functionality?
  - Functionality - Does the change ultimately impact how firmware functions?
  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
- Impacts security?
  - Security - Does the change have a direct security impact on an application,
    flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter
    validation improvement, ...
- Breaking change?
  - Breaking change - Will anyone consuming this change experience a break
    in build or boot behavior?
  - Examples: Add a new library class, move a module to a different repo, call
    a function in a new library class in a pre-existing module, ...
- Includes tests?
  - Tests - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- Includes documentation?
  - Documentation - Does the change contain explicit documentation additions
    outside direct code modifications (and comments)?
  - Examples: Update readme file, add feature readme file, link to documentation
    on an a separate Web page, ...
How This Was Tested

Tested on Q35 GCC and MSVC builds

Integration Instructions

N/A

Full Changelog: v4.0.1...v4.0.2

Contributors

TaylorBeebe

Assets 2

Releases: microsoft/mu_feature_dfci

v4.0.11

What's Changed

Description

How This Was Tested

Integration Instructions

Contributors

Uh oh!

v4.0.10

What's Changed

Changes Made

Technical Details

Benefits

I tried to connect to the following addresses, but was blocked by firewall rules:

How This Was Tested

Integration Instructions

Description

How This Was Tested

Integration Instructions

🐛 Bug Fixes

How This Was Tested

Integration Instructions

🔐 Security Impacting

How This Was Tested

Integration Instructions

Contributors

Uh oh!

v4.0.9

What's Changed

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

🐛 Bug Fixes

How This Was Tested

Contributors

Uh oh!

v4.0.8

What's Changed

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

Contributors

Uh oh!

v4.0.7

What's Changed

Contributors

Uh oh!

v4.0.6

What's Changed

How This Was Tested

Integration Instructions

Description

How This Was Tested

Integration Instructions

🔐 Security Impacting

Description

[ ] Impacts functionality?

How This Was Tested

Integration Instructions

📖 Documentation Updates

Description

[ ] Impacts functionality?

How This Was Tested

Integration Instructions

Contributors

Uh oh!

v4.0.5

What's Changed

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

Contributors

Uh oh!

v4.0.4

What's Changed