18 Mar 17:28

github-actions

4e014bd

patina-v20.1.2 Latest

Latest

What's Changed

[patina/sdk] clean up the usage of allocator @kuqin12 (#1401)
Change Details
## Description
This change guards the usage of allocators behind "alloc" to a few remaining instances in Patina SDK. So that the crate can provide more fundamental functionalities without dependencies on allocator.

In addition, it removes the extern crate alloc; within the crate and only declare it in the lib.rs, which serves as a central feature controller that governs the entirety of the crate.

Resolves #1403
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

This was tested by building a binary without global allocator and booted to UEFI shell on Q35.

Integration Instructions

Nothing in addition to building the binary with --features alloc if a binary needs allocator functionality.

[painta\_stacktrace] remove alloc usage @kuqin12 (#1411)
Change Details
## Description
Current patina_stacktrace is pulling in alloc from source code. However, as basic functionality as the crate provides, the dependency is improperly included.

This change removes the dependency.

Resolves #1410
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

The change is not a functional change and was tested with local build.

Integration Instructions

N/A
```
  </blockquote>
  <hr>
</details>
```

Check and test without default features [Rebase \& FF] @makubacki (#1404)
Change Details
## Description
Two changes. One to fix a pre-existing issue in patina_adv_logger tests. One to check and test without default features.

I'll take the Makefile.toml changes to patina-devops once they're accepted here.

patina_adv_logger: gate writer tests on the "reader" feature

writer.rs tests import crate::reader::AdvancedLogReader, but
the reader module is conditionally compiled behind
#[cfg(any(doc, feature = "reader"))].

This works when default features are enabled since the "component"
default feature transitively enables "reader".

This change gates tests on #[cfg(all(test, feature = "reader"))]
so it compiles cleanly when default features are disabled.

Makefile.toml: Check and test without default features

Without --no-default-features testing, feature-gate regressions go
undetected. Code that accidentally uses a gated module or dependency
outside its cfg fence compiles fine under default features but
breaks for consumers that disable defaults.

Since workspace crates like patina_ffs_extractors gate optional
compression backends (brotli, crc32, lzma) behind features, and
patina/patina_internal_collections gates alloc-dependent code
behind an "alloc" default, verifying the --no-default-features build
is useful to catch accidental dependencies on gated code.

Add a higher level check-no-default-features task with two parallel
subtasks:
- check-no-default-features-code:
  - cargo check --no-default-features
- check-no-default-features-tests:
  - cargo test --no-run --no-default-features
Run the task in cargo make all.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- cargo make all
- cargo make check
- cargo make check-no-default-features
Integration Instructions
- N/A

Ingest patina-paging 11.0.2 and use new open\_active interface @cfernald (#1408)
Change Details
## Description
Patina-paging 11.0.2 introduces support for reading/editing existing 5-level page tables on AArch64. This is required for EDK2 20511 based system that have FEAT_LPA2 support. To use this change, this commit switches to use the new open_active interface for both AArch64 and x64, which also simplifies the consumer by handling level detection in the paging library.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- Boot test w/ debugger on Q35
- Boot test w/ debugger on SBSA
Integration Instructions

N/A

patina\_internal\_cpu: Allow refining impl trait in Mtrr mock @makubacki (#1400)
Change Details
## Description
patina_mtrr 1.1.5 changed the Mtrr trait's get_memory_ranges() return type from Vec<MtrrMemoryRange> to
impl IntoIterator<Item = MtrrMemoryRange>.

The mockall mock! block still uses the concrete Vec type, triggering the refining_impl_trait_internal lint. This commit adds an allow attribute to the get_memory_ranges() method in the mock to suppress the lint.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- cargo make all
Integration Instructions
- N/A

📖 Documentation Updates

Readme Updates [Rebase \& FF] @makubacki (#1412)
Change Details
## Description
A series of commits for small changes to the readme to clarify some topics in recent discussions.

README.md: Update code readiness status

Update the status to indicate that the repository is no longer in a
"beta" stage, but also add a note about the expected stability of the
main branch and the need to verify the readiness of new components.

CONTRIBUTING.md: Add Patina AI Policy

Closes #1414

Clarifies the expectations for contributions that are AI-assisted
to Patina.

README.md: Elaborate on key points in the Background section

Add some more detail to clarify common misunderstandings about Patina.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- cargo make all
Integration Instructions
- N/A
Note: A corresponding CONTRIBUTING.md change that will be synced to all Patina repos is in OpenDevicePartnership/patina-devops#99. That change is directly included here for visibility prior to the sync.

Increase Patina GUID Usage [Rebase \& FF] @makubacki (#1391)
Change Details
## Description
A series of commits to increase adoption of Patina GUID types in the codebase.

sdk: Make BinaryGuid::from_bytes() const

This function wraps efi::Guid::from_bytes() which is const. It is
made const as well.

BinaryGuid: Derive Ord and PartialOrd

Add Ord and PartialOrd derives to BinaryGuid, enabling its use as a
BTreeMap key.

Adds a test to verify BinaryGuid's derived ordering matches Guid<'a>'s
byte-order comparison for a set of GUID pairs.

guid: Convert GUID types to BinaryGuid

Resolves #1105

Converts all GUID constants, trait associated types, struct fields,
and other uses to Patina GUID types across the codebase.

Key changes:
- GUID constants mostly use BinaryGuid::from_string() since strings
  are more readable than fields. In some cases, a field may have been
  a simple numbering sequence like "123456...", in which case it may
  have been left as from_fields.
- Changed ProtocolInterface::PROTOCOL_GUID changed to use
  BinaryGuid, eliminating duplicated GUID values in implementations.
- Updated FromHob::HOB_GUID and HobParsers BTreeMap key to
  BinaryGuid.
- Updated #[repr(C)] struct fields (GuidHob, FV/FFS headers,
  MM communicate header) to use BinaryGuid since it provides
  binary-compatible GUID storage.
- Updated the FromHob proc macro to use BinaryGuid::from_string().
- Updated a lot of code to use Patina GUID types instead of the r-efi
  GUID type.
There were a few places, particularly in UEFI Spec FFI interfaces,
where the efi::Guid type is still used. This is intentional to
potentially simplify the r-efi 6.0.0 integration. In code that
interacts with those interfaces, From and Into functions are used
to simply convert between BinaryGuid and efi::Guid. Some code
that exclusively interacts with those interfaces, might also use
efi::Guid for local GUID definitions instead of Patina GUID types.
- Impacts functionality?
- Imp...

Contributors

cfernald, makubacki, and kuqin12

Assets 2

13 Mar 19:46

github-actions

patina-v20.1.1

234c321

patina-v20.1.1

What's Changed

Extended x64 exception handler to parse supervisor bit @kuqin12 (#1398)
Change Details
## Description
In the programmers' manual the exception data of page fault also defined the level of access that tripped the exception. This change adds the print message when page fault is hit based on the bit status.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

This was tested in a kernel-user mode isolated environment and printed the exception as expected.

Integration Instructions

N/A
```
  </blockquote>
  <hr>
</details>
```

Use Xorshift64starHasher for SMBIOS table modification detection @kat-perez (#1388)
Change Details
## Description
Move Xorshift64starHasher from patina_dxe_core to a shared patina::hash module and replace the simple wrapping-add checksum in SmbiosManager with the hasher. This avoids false negatives when multiple byte changes cancel each other out.

Closes #1161
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Existing tests in patina_smbios (134 passed) and patina_dxe_core (541 passed) continue to pass. New unit tests added in patina::hash covering seed behavior, determinism, and byte-swap detection.

Integration Instructions

N/A

Add From\ for efi::Status conversion @kat-perez (#1387)
Change Details
## Description
Adds impl From<SmbiosError> for efi::Status to streamline error conversion in FFI protocol functions, simplifying add_ext, update_string_ext, and remove_ext from patina::error::EfiError::from(e).into() to e.into().

Implements feedback from @Javagedes on #1384 (which auto-merged before this could be addressed).
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

cargo make all passes — all tests, clippy, fmt, deny, and doc checks clean.

Integration Instructions

N/A

Patina: Fix RAW FFS file handling and harden section parsing @vineelko (#1369)
Change Details
## Description
1. Handle RAW File types:
  - The current implementation tries to produce sections irrespective of the file
    type. This do not hold true for RAW file types. As per PI spec below,
    
    The file type EFI_FV_FILETYPE_RAW denotes a file that does not contain
    sections and is treated as a raw data file. The consumer of this type of
    file must have a priori knowledge of its format and content. Because there
    are no sections, there are no construction rules.
  - Trying to decode the body of these files as Section header can result in
    incorrect parsing.
  Fixes the following bug:
  [ INFO]: \patina\sdk\patina\src\pi\serializable\serializable_fv.rs@078: Parsing FV: d2c29ba7-3809-480f-9c3d-de389c61425a [ INFO]: \patina\sdk\patina\src\pi\serializable\serializable_fv.rs@089: Parsing file: 197db236-f856-4924-90f8-cdf12fb875f3 [ INFO]: \patina\sdk\patina\src\pi\fw_fs.rs@801: Section type 0x0 unrecognized 4 1, treating as opaque with no metadata [ERROR]: dxe_readiness_capture\src\lib.rs@031: panicked at \patina\sdk\patina\src\pi\fw_fs.rs:805:56: [ERROR]: dxe_readiness_capture\src\lib.rs@031: slice index starts at 4 but ends at 1
2. Improve safety in FFS section parsing by replacing direct slice indexing with
  bounds checked get() calls and proper error propagation when buffers are
  malformed. General code cleanup.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Booted to UEFI Shell on Q35

Integration Instructions

NA

Centralize SmbiosError to EFI Status conversion using From impl @kat-perez (#1384)
Change Details
## Description
Centralize the SmbiosError to efi::Status conversion in protocol.rs by using the existing From<SmbiosError> for EfiError impl and the EfiError → efi::Status conversion chain, instead of manual match arms in each FFI function (add_ext, update_string_ext, remove_ext).

Additionally, RecordTooSmall and StringPoolTooSmall are remapped from EfiError::InvalidParameter to EfiError::BufferTooSmall for more accurate error semantics.

Closes #1163
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Ran cargo test -p patina_smbios — all 134 tests pass, including updated assertions for the new BufferTooSmall mappings in test_smbios_error_to_efi_error_conversion.

Integration Instructions

N/A

patina\_acpi: do not specify resolver @Javagedes (#1379)
Change Details
## Description
Updates patina_acpi toml configuration to not specify the resolver version as the resolver version is specified by the workspace configuration toml and any specified resolver version in individual crates are ignored.

Clears this warning:
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

N/A

Integration Instructions

N/A
```
  </blockquote>
  <hr>
</details>
```

patina\_dxe\_core/pecoff: Add parse\_mapped() @makubacki (#1378)
Change Details
## Description
Resolves OpenDevicePartnership/patina-dxe-core-qemu#134

Right now, we have resolve_rva set to true when parsing the DXE Core using UefiPeInfo::parse().

https://github.com/OpenDevicePartnership/patina/blob/dc285f1dffa57087a72f6bfd956d36db93e8b31f/patina_dxe_core/src/gcd/spin_locked_gcd.rs#L2317-L2323

Which calls with goblin::pe::PE::parse(bytes) to parse the image.

By default, goblin will attempt to resolve RVAs to file offsets when parsing a PE file. However, since the DXE Core is already loaded into memory, we want to parse it, in this case, without resolving RVAs using PointerToRawData offsets.

Depending on the content at the resolved address, this can lead to parsing errors like:
```
Failed to parse PE info for DXE Core:
Goblin(Malformed("ImageDebugDirectory size of data seems wrong: 0"))
```
It appears that this has been present for a long time, likely since the decision (around c821bf9) to start parsing the DXE Core's own loaded PE image and a recent shift in linked contents has exposed the problem.

It is possible to disable RVA resolution by using ParseOptions with resolve_rva set to false.

A new method parse_mapped() is added to UefiPeInfo that allows sets this option and is used when parsing the DXE Core in spin_locked_gcd.rs.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- Q35 and SBSA boot to EFI shell
Before the change, SBSA failed with the goblin parsing error shown in the description.

Integration Instructions
- N/A

Patina QEMU PR Workflow: Add unique comment for merged/closed PRs @makubacki (#1376)
Change Details
## Description
Updates the patina-qemu-pr-validation.yml workflow to post a comment when a PR is either merged or the PR is closed when the workflow starts.

This provides an obvious final state for the comment in those cases.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- Tested the closed and merged cases in PR on fork (with a PR from another GitHub org)
- Tested the successful case (PR remains open) continues to work
Integration Instructions
- N/A
Examples of New Messages

PR Closed (Branch Deleted)

PR Merged

<img width="876" height="309" alt="image" src="https://github.com/user-attachments/assets/4d20...

Contributors

makubacki, Javagedes, and 4 other contributors

Assets 2

06 Mar 15:00

github-actions

patina-v20.1.0

b41d806

patina-v20.1.0

What's Changed

patina\_debugger: Cleanup features and feature usage @cfernald (#1372)
Change Details
## Description
This commit addresses two issues with the patina_debugger features:
1. Removes the windbg_workarounds feature. Windbg is the primary supported scenario for patina_debugger, and these workaround do not inhibit other debuggers from working. Removing the feature reduces complexity and removes the ability for users to accidentally break windbg support.
2. Removes the default features from patina_debugger for the workspace crate. This allows the features to be enabled for the appropriate core and by end platforms if applicable.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Regression tested with windbg on Q35

Integration Instructions

N/A

sdk/patina: Fix stack access violation in GuidHob test helpers @makubacki (#1363)
Change Details
## Description
gen_guid_hob() returned a (GuidHob, Box<[u8]>) tuple where the struct lived on the stack and the data lived on the heap (not contiguous in memory).

Then, HobTrait::size() for GuidHob returns header.length (struct size + data size) while as_ptr() returns the struct's start address. Any code calling from_raw_parts(as_ptr(), size()) would read past the end of the stack-allocated struct into adjacent stack memory.

This change fixes this by modifying gen_guid_hob() to return a Vec<u8> containing the GuidHob struct bytes followed by the data bytes in a single contiguous heap allocation. This matches normal firmware memory layout where GUID HOB data immediately follows the header. A new guid_hob_refs() helper extracts typed (&GuidHob, &[u8]) references from the contiguous buffer.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- cargo make all
Integration Instructions
- N/A - Only impacts module's unit tests

debug\_image\_info\_table: Use global test lock in tests @makubacki (#1361)
Change Details
## Description
Wraps unit tests in with_locked_state() to follow the same pattern used by other patina_dxe_core test modules.

This is done to ensure consistent test isolation under the global test lock and prevent potential non-deterministic failures if these tests or parallel tests are later extended to interact with global state.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- cargo make all
Integration Instructions
- N/A - Only impacts module unit tests

StackTrace: AArch64: Add Frame pointer based stack trace support for GCC compiled PE binaries @vineelko (#1317)
Change Details
## Description
Dumps the stack trace by walking the FP/LR registers, without relying on unwind information. This is an AArch64-only fallback mechanism.

For GCC built PE images, .pdata/.xdata sections are not generated, causing stack trace dumping to fail. In this case, we attempt to dump the stack trace using an FP/LR register walk with the following limitations:
1. Patina binaries produced with LLVM almost always do not save FP/LR register pairs as part of the function prologue for non-leaf functions, even though the ABI mandates it. https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst#646the-frame-pointer
2. Forcing this with the -C force-frame-pointers=yes compiler flag can produce strange results. In some cases, instead of saving fp/lr using stp x29, x30, [sp, #16]!, it saves lr/fp using stp x30, x29, [sp, #16]!, completely breaking the stack walk. https://godbolt.org/z/7s9fG9vWe
3. Due to the above reasons, the stack walk cannot be reliably terminated.
The only reason this is being introduced is to identify the driver/app causing the exception. For example, a Shell app built with GCC that triggers an assertion can still produce a reasonable stack trace.
```
Dumping stack trace with PC: 000001007AB72ED0, SP: 0000010078885D50, FP: 0000010078885D50
    # Child-SP              Return Address         Call Site
    0 0000010078885D50      000001007AB12770       Shell+66ED0
    1 0000010078885E90      0000010007B98DCC       Shell+6770
    2 0000010078885FF0      0000010007B98E54       qemu_sbsa_dxe_core+18DCC
    3 0000010007FFF4C0      0000010007B98F48       qemu_sbsa_dxe_core+18E54
    4 0000010007FFF800      000001007AF54D08       qemu_sbsa_dxe_core+18F48
    5 0000010007FFFA90      0000010007BAC388       BdsDxe+8D08
    6 0000010007FFFF80      0000000010008878       qemu_sbsa_dxe_core+2C388 --.
                                                                              |
    0:000> u qemu_sbsa_dxe_core!patina_dxe_core::call_bds                     |
    00000000`1002c1b0 f81f0ff3 str x19,[sp,#-0x10]!                           |
    00000000`1002c1b4 f90007fe str lr,[sp,#8]     <---------------------------'
    00000000`1002c1b8 d10183ff sub sp,sp,#0x60

    The FP is not saved, so the return address in frame #6 is garbage.
```
Symbol to source file resolution(Resolving frame 2): Since some modules in the stack trace are built with GCC and do not generate PDB files, their symbols must be resolved manually as shown below.
```
$ addr2line -e Shell.debug -f -C 0x6770
UefiMain
~/repos/patina-qemu/MU_BASECORE/ShellPkg/Application/Shell/Shell.c:372

   371:  ASSERT (FALSE);
 > 372:  Status = gST->ConOut->ClearScreen (gST->ConOut);
   373:  if (EFI_ERROR (Status)) {
   374:     return (Status);
   375:  }
```
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Validated on SBSA Q35.

Integration Instructions

The change is already hooked into the exception handler for AArch64.

Add call to set\_handle to add the DXE core image handle to component storage. @joschock (#1359)
Change Details
## Description
Add call to set_handle to add the DXE core image handle to component storage.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Observed that a test component with a params::Handle argument on the entry point now dispatches as expected (without this change, it did not).

Integration Instructions

N/A

Add QEMU validation pending notification workflow @makubacki (#1357)
Change Details
## Description
Add a workflow that posts a "pending" comment on PRs immediately when pushed, indicating QEMU validation is waiting for CI to complete.

This prevents prior stale results from sitting around while CI runs and lets users know QEMU validation will happen soon if the workflow has not previously been run on the PR.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- Verify comment is posted/updated as expected on fork (with a PR from another fork)
Integration Instructions
- N/A

debug\_image\_info\_table: Only update capacity after successful allocation @makubacki (#1356)
Change Details
## Description
grow() updated self.capacity before verifying allocation success. If alloc_zeroed() or realloc() returned null, the struct invariants were violated since capacity indicated space that was never allocated.

If that happened, impl Drop for DebugImageInfoData would then call alloc::alloc::dealloc() with an incorrect layout against a null or stale pointer, resulting in undefined behavior.

This change:
- Defers the capacity update until after the allocation result is confirmed to be non-null.
- Adds an explicit null pointer check on the allocation results.
- Introduces a new GrowError enum type to distinguish LayoutError from allocation failures.
- Makes DEFAULT_CAPACITY less brittle in unit tests
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- cargo make all
Integration Instructio...

Contributors

cfernald, makubacki, and 5 other contributors

Assets 2

20 Feb 20:33

github-actions

patina-v20.0.2

2080728

patina-v20.0.2

What's Changed

patina: Only include the `alloc` crate when the `alloc` feature is en… @cfernald (#1328)
Change Details
## Description
There already exists an alloc feature, but it is not currently used for anything. This commit uses the alloc feature to gate the inclusion of the alloc crate and the modules that use it.

The current approach here is to just remove all modules that cannot compile as-is without the alloc crate and making 'alloc' a dependency for top-level features that require this functionality. In the future better top-level classification of categories of support could be created that may require the alloc feature (e.g. DXE), but this is currently pre-mature so the alloc feature alone will be used for now.

Issue #1318
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Local build and tests

Integration Instructions

N/A
```
  </blockquote>
  <hr>
</details>
```

patina\_adv\_logger: Refactor core logic from component logic @cfernald (#1323)
Change Details
## Description
Currently the adv logger crate exposes all of the component and integration test, etc. by default. However, for consumers wanting to log to the advanced from more minimal environments, this is not ideal. This commit refactors this base support to be the minimal core logic, and then a component feature on top used by DXE.

Base: Exposes the core logger logic, and nothing else. Does no use alloc.

Component: Exposes the component, protocol, and integrations test logic.

To achieve this, this refactors the write and reader into separate modules and simplifies to use a read-only and write-only paradigm to simplify the wrapper logic.

With this change, consumers can use patina_adv_logger without default features to get a minimal advanced logger implementation.

Issue #1318
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- Q35 w/ integration tests
- Unit tests
Integration Instructions

N/A
```
  </blockquote>
  <hr>
</details>
```

Update bitfield-struct dep and bump supply-chain audits and exemptions [Rebase \& FF] @makubacki (#1326)
Change Details
## Description
Cargo.toml: Update bitfield-struct from 0.10 to 0.12

Many other Patina repos are already using v0.12. This updates patina
to use 0.12 as well to prevent duplicate crate entries as noted by
cargo deny:
```
warning[duplicate]: found 2 duplicate entries for crate 'bitfield-struct'
  ┌─ C:\src\patina-dxe-core-qemu/Cargo.lock:6:1
  │
6 │ ╭ bitfield-struct 0.10.1 registry+https://github.com/rust-lang/crates.io-index
7 │ │ bitfield-struct 0.12.1 registry+https://github.com/rust-lang/crates.io-index
  │ ╰────────────────────────────────────────────────────────────────────────────┘ lock entries
```
supply-chain: Update cargo vet audits and exemptions

Run cargo vet regenerate exemptions to update audits and exemptions
for current dependencies in supply-chain.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- cargo make all
- cargo make vet
Integration Instructions
- N/A

patina\_dxe\_core: Serialize tests in spin\_locked\_gcd @makubacki (#1320)
Change Details
## Description
Some tests in the module are not acquiring the global test by running the test within test_support::with_global_lock().

This change wraps the test body in with_global_lock() to ensure that the global lock is held during the test preventing potential issues with global state being modified by other tests running in parallel.

While all tests use a local GCD instance right now, the static GCD instance is reset between tests as a precaution for future tests.

The diff looks like more code changed than actually did because of cargo fmt. The changes include:
- Wrap tests in spin_locked_gcd with with_locked_state()
- Call GCD.reset() (per pre-existing documentation) as a precaution for global GCD modification in tests
- Fix a typo: gdc to gcd
- cargo make fmt
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- cargo make all locally
- Testing in server CI runs while PR is in draft
Integration Instructions
- N/A

[REBASE \& FF] Add an Unmerged Free Memory GCD patina\_test @os-d (#1316)
Change Details
## Description
Makefile.toml: Add --all-targets --all-features to check_test

Currently, the check_code task runs with --all-targets --all-features but the check_test task does not. This can cause errors/warnings to show up in the check_test task that should not be there.

dxe_core: Combine get_descs functions

There are currently several get_memory_descriptors() functions, one that gets all descs, one for allocated, one for mmio and reserved and a new one is needed that gets all free descs.

This commit combines all of these into one function with a filter parameter to specify which descs are needed.

dxe_core: Tests: Add Unmerged Memory Map Patina Test

This adds a new patina_test to verify the GCD has all free memory descs correctly merged.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Physical ARM64 platform, Q35.

Integration Instructions

Same as all patina_tests. Enable the feature and apply the filter.
```
  </blockquote>
  <hr>
</details>
```

Device path module reorganization [non-functional] @berlin-with0ut-return (#1293)
Change Details
## Description Move device path modules into a single unified location (in sdk). Add constructors to manage custom Device Path node types. This PR does not include any functional changes.
This is based on design described in #1269.
Resolves #1148.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Passes all existing tests.

Integration Instructions

N/A.

Integrate ACPI Rust implementation @berlin-with0ut-return (#1218)
Change Details
## Description This PR provides an integrated Rust implementation of ACPI table functionality.
- Impacts functionality? - component is not active until instantiated.
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Unit tests, SCT's, integration tests.
Boot to Windows on Q35 and SBSA..
Boots to Windows on Intel physical platform.
Boots to Windows on ARM physical platform.

Integration Instructions

The Rust ACPI implementation includes table functionality while AML functionality is preserved in C. The layout is as follows:
AcpiTableProtocol (Uninstall, Install, Publish) -> Rust
AcpiGetProtocol (custom) (Get, RegisterNotify) -> Rust
AcpiSdtProtocol (AML functionality) -> C

To fully integrate this Rust implementation, the following changes are required:
- patina: add Rust ACPI implementation (this PR and custom Get protocol (this PR)
- patina-dxe-core-qemu (or platform equivalent): turn on ACPI component (OpenDevicePartnership/patina-dxe-core-qemu#93)
- patina-edk2: integrate custom AcpiSdtDxe driver (uses Rust Get implementation, preserves C AML implementation) (OpenDevicePartnership/patina-edk2#15)
- patina-qemu (or platform equivalent): replace AcpiTableDxe with new AcpiSdtDxe driver (OpenDevicePartnership/patina-qemu#109)

patina\_dxe\_core: Add debug assert when merge free memory in memory map. @cfernald (#1315)

Change Details

## Description
This commit adds an assert when merging memory descriptors in the memory map for free memory. Conventional memory should already be coalesced and consistent, and if this is not the case then contiguous free memory cannot be allocate...

Contributors

cfernald, makubacki, and 4 other contributors

Assets 2

10 Feb 05:16

github-actions

patina-v20.0.1

4e9cc1d

patina-v20.0.1

What's Changed

patina\_adv\_logger: Add logger info v6 support @makubacki (#1296)
Change Details
## Description
Support using the v6 logger info structure for the advanced logger.

Previously, only v5 was supported, in this change only v6 is supported. A future change may add support for both.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- Verify advanced logger HOB is loaded during initialization
- Dump memory log at EFI shell to verify log contents
Integration Instructions
- This must be paired with the V6 logger changes in microsoft/mu_plus#826

Update gic\_manager to only initialize the current CPU's redistributor. @joschock (#1300)
Change Details
## Description
This change updates the GIC setup to only configure the GIC Redistrubtor associated with the boot core. Previously, the implementation called gic_v3.setup(), which attempted to initialize all GIC Redistributor instances. Initializing the Redistributor instances associated with unused cores resulted in instability and is unnecessary for the Patina interrupt model; this also aligns with existing EDK2 ArmGicDxe behavior.

Also opportunistically updates arm-gic crate to 0.7.2.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Boot testing on an arm hardware platform; confirmed GIC initialization and interrupts work as expected.

Integration Instructions

N/A

Cargo.toml: Require time crate version 0.3.47 or higher @makubacki (#1297)

Change Details

## Description

The following security vulnerability exists in versions 0.3.45 or lower:

├ ID: RUSTSEC-2026-0009
├ Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0009
├ ## Impact

  When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of
  service attack via stack exhaustion is possible. The attack relies on formally deprecated and
  rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary,
  non-malicious input will never encounter this scenario.

  ## Patches

  A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned
  rather than exhausting the stack.

  ## Workarounds

  Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of
  the stack consumed would be at most a factor of the length of the input.
├ Announcement: https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05

Comes in through:

    ├ time v0.3.45
      └── compile-time v0.2.0
          └── patina_dxe_core v20.0.0
              ├── (dev) patina_adv_logger v20.0.0
              └── (dev) patina_mm v20.0.0
                  └── patina_performance v20.0.0
                      └── patina_dxe_core v20.0.0 (*)

Since 0.3.47 is available, this requires that patch version or higher.

How This Was Tested

cargo update
cargo make deny

Integration Instructions

N/A
```
</blockquote>
<hr>
```

dxe\_core: Add get\_existent\_memory\_descriptor\_for\_address() Helper Function @os-d (#1294)
Change Details
## Description
Currently, get_memory_descriptor_for_address() returns any descriptor found, including NonExistent descriptors. Because this function is used by the PI spec GetMemorySpaceDescriptor(), it needs to do that.

However, for the majority of Patina usage, we only want existent descriptors. Most of the cases using it is to apply attributes and we cannot do that on non-existent memory. We also would miss cases where we'd search for something, e.g. the stack region, and just move on if we found any descriptor, not specifically an existent one.

This commit adds a new helper function to return NotFound if get_memory_descriptor_for_address() returns a NonExistent descriptor. Usage across the tree is updated.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Booting Q35 and SBSA to Windows. Observed a unit test not failing when it should have because the stack memory region was not present in the GCD. After this fix the test fails as expected.

Integration Instructions

N/A.
```
  </blockquote>
  <hr>
</details>
```

patina\_debugger: Issue Breakpoint Only When Debugger Initialized @os-d (#1287)
Change Details
## Description
Currently, patina_debugger has two breakpoint fns: breakpoint() and breakpoint_unchecked(). breakpoint() only issues a breakpoint if the debugger is enabled and breakpoint_unchecked() always issues a breakpoint.

However, there is a time window where the debugger is enabled but not yet initialized where calling breakpoint() will cause an unhandled exception.

This commit adds a new check to breakpoint() to ensure that the debugger is also initialized when that function is called before issuing the breakpoint. If the debugger is not initialized, but is enabled, an error log will be printed to alert the developer in case they want to cause an unhandled exception; they should use breakpoint_unchecked() if so.

It was considered to not check for enabled() and only check for initialized(), as the former depends upon the latter, but the debugger is obviously not a hot path and the extra layer of safety was kept.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Using patina_debugger::breakpoint() before and after the debugger is initialized and seeing that it just logged the first time and broke in the second time.

Integration Instructions

Use patina_debugger::breakpoint() when wanting to break into the debugger with a breakpoint and patina_debugger::breakpoint_unchecked() when wanting to cause an exception no matter what.
```
  </blockquote>
  <hr>
</details>
```

patina\_dxe\_core: Prevent loading images for wrong machine type @makubacki (#1289)
Change Details
## Description
Fixes #1288

Check the machine type in the PE/COFF header against the architecture of the firmware. If they don't match, skip loading the image.

The same check is performed in the EDK II C DXE Core.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- cargo make all (unit tests)
- Attempt to load a AARCH64 EFI application in Q35 (X64)
- Image rejected:
```
ERROR - core_load_pe_image failed: AdvancedLogDumper.efi unsupported machine type 0xaa64 (expected 0x8664)
```
Integration Instructions
- N/A

🐛 Bug Fixes

dxe\_core: Ensure Stack Guard Is Enabled When Init'ing Paging @os-d (#1277)
Change Details
## Description
Currently, the init_paging routine doesn't know about the stack guard, which is set up earlier. It ends up wiping this.

This commit moves the stack guard setup to init_paging to take it into account.

It was considered to make this more generic, to take already set attributes, but the number of cases where we expect access attributes to be set should just be the null page and stack guard page, so handle them explicitly.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Tested on Q35 and SBSA with the memory protections test failing and then succeeding.

Integration Instructions

N/A.
```
  </blockquote>
  <hr>
</details>
```

[REBASE \& FF] patina\_dxe\_core: Fix inconsistent attributes and capabilities on initial memory @cfernald (#1292)

Change Details

## Description
This commit modified the memory block init code to use the memory policy attributes for the initial free memory block rather than explicitly only RP. This ensur...

Contributors

cfernald, makubacki, and 2 other contributors

Assets 2

03 Feb 17:20

github-actions

patina-v20.0.0

a62f178

patina-v20.0.0

What's Changed

Cargo.toml: Update ruint to 1.17.1 @makubacki (#1265)

Change Details

## Description

Ensure a version is used that patches a Rust security vulnerability.

│ ruint 1.16.0 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2025-0137
    ├ Advisory: https://rustsec.org/advisories/RUSTSEC-2025-0137
    ├ The function `reciprocal_mg10` is marked as safe but can trigger
      undefined behavior (out-of-bounds access) because it relies on
      `debug_assert!` for safety checks instead of `assert!`.

      When compiled in release mode, the `debug_assert!` is optimized
      out, potentially allowing invalid inputs to cause memory
      corruption.
    ├ Announcement: https://github.com/recmo/uint/issues/550
    ├ Solution: Upgrade to >=1.17.1 (try `cargo update -p ruint`)
    ├ ruint v1.16.0
      └── (dev) patina_internal_collections v19.0.5
          └── patina_dxe_core v19.0.5
              ├── (dev) patina_adv_logger v19.0.5
              └── (dev) patina_mm v19.0.5
                  └── patina_performance v19.0.5
                      └── patina_dxe_core v19.0.5 (*)

This will use ruint version 1.17.1 or later (up to 2.0.0), so the fix is included in future compatible updates.

How This Was Tested

cargo make all

Integration Instructions

Add Guards for Test Cleanup [Rebase \& FF] @makubacki (#1266)
Change Details
## Description
Run test cleanup logic on panics

Many tests in patina_dxe_core have standardized on wrapping unit tests
with with_global_lock() to execute the test within a global lock.

Modules have often added their own test support functions that wrap
with_global_lock() to provide additional setup/teardown logic for
tests such as with_locked_state() in allocator.rs.

Teardown logic is less consistent. When tests manipulate global state,
they are often relying on reset functionality in the "prelude" of
their with_global_lock() closure to reset state. This works in most
cases, but it still leaves state polluted across test execution.
This can be become more of an issue depending on test order and what
tests may execute later that rely on global state and if they cleanup
state properly before they execute.

In tpl_mutex specifially, the with_global_lock() implementation
intends to ensure tests are run at TPL_APPLICATION and restore back
to TPL_APPLICATION after the test executes.

However, if a test panics (which many intentionally do), the TPL
state is not restored. This can leave the TPL in an unexpected
state depending on order that tests are run.

The Drop trait is implemented for a simple guard struct that
restores TPL to APPLICATION level when it goes out of scope. This
executes and runs the TPL restoration code even if the test panics.

patina_dxe_core/allocator: Standardize test init and cleanup

The GCD is currently initialized in two different ways in the tests
for the allocator module.
1. When a HOB list is needed: gcd::init_gcd(physical_hob_list)
2. When a HOB list is not needed: test_support::init_test_gcd(Some(gcd_size))
This has led to tests for (1) not using with_locked_state and
reimplementing test init and cleanup logic and tests for (2) using it.

This adds unnecessary boilerplate to (1) and leads to inconsistencies
for initializing and cleaning up the GCD between tests.

This change allows with_locked_state() to be called in either case
and simply returns a HOB list pointer for case (1).
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- cargo make all
- Please debug breakpoint on code that restores TPL in previous code in with_reset_state() in tpl_mutex.rs:
  raise_tpl(efi::TPL_HIGH_LEVEL); restore_tpl(efi::TPL_APPLICATION); f(); raise_tpl(efi::TPL_HIGH_LEVEL); // -> Breakpoint here restore_tpl(efi::TPL_APPLICATIO);
  Confirm that breakpoint does not hit on test panic. Breakpoint in TPL guard runs on panic and restores TPL.
Integration Instructions
- N/A

.git-blame-ignore-revs: Add recent Safety -> SAFETY commit @makubacki (#1263)

Change Details

## Description
Prevent the word replacement from showing up in git blame instead of the original change that modified/added the safety comment.

Impacts functionality?

Impacts security?

Breaking change?

Includes tests?

Includes documentation?

How This Was Tested

Run git blame on a modified line:

Before
git blame -L 108,108 core\patina_internal_cpu\src\interrupts\aarch64\gic_manager.rs
db4636d3b3 (sherry fan 2026-01-22 09:51:17 -0800 108)         // SAFETY: function safety requirements guarantee exclusive access to the GICR registers.
After
git blame -L 108,108 core\patina_internal_cpu\src\interrupts\aarch64\gic_manager.rs
163e0a56de (John Schock 2025-11-17 16:43:49 -0800 108)         // SAFETY: function safety requirements guarantee exclusive access to the GICR registers.
Integration Instructions

N/A

Remove expected error messages for performance logging @liqiqiii (#1261)
Change Details
## Description
Remove expected error messages for performance logging
We are seeing ERROR - Failed to log performance measurement: Efi(NotReady) on all platforms.
The NotReady errors observed during early boot are expected behavior. These errors occur because perf_function_begin() and perf_function_end() are called at function entry/exit points (such as core_dispatcher() and pi_dispatcher()) that execute before the Performance component has been dispatched and initialized. The Performance component's entry_point() calls set_static_state() to initialize the performance measurement subsystem and installs the EDKII_PERFORMANCE_MEASUREMENT_PROTOCOL, but this only happens inside the component_dispatcher.dispatch() loop after the Timer architectural protocol dependency is satisfied. Boot logs show 6 NotReady errors in non-perf-enabled builds and 3 errors in perf-enabled builds, with no further errors appearing after the Performance component loads. The Performance component is either not loaded at all in non-perf builds or loaded very late in the dispatch sequence due to its Timer dependency, which is the root cause of these initial measurement failures.
Remove these perf entries as they will never work and provide error noise for platforms.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Tested on patina enabled platforms, no more errors seen.
```
  </blockquote>
  <hr>
</details>
```

Clean up component params tests @kat-perez (#1259)

Change Details

## Summary - Rename `test_config_can_be_accessed_while_unlocked` to `test_config_can_be_accessed_when_locked` (configs are locked by default when using `Config::init_state()`) - Simplify `test_boot_services_can_be_retrieved` and `test_runtime_services_can_be_retrieved` to use `MaybeUninit::zeroed().as_mut_ptr()` for consistency with the rest of the codebase

Standardize SAFETY formatting @berlin-with0ut-return (#1257)
Change Details
## Description `// Safety` -> `// SAFETY`
Fix markdown formatting.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Passes formatting checks.

Integration Instructions

N/A.

Allow consumer to pass in Smbios handle (not FFFEh) as stated in PI spec EFI\_SMBIOS\_PROTOCOL.Add() @AnhDLuong (#1221)
Change Details
## Description
Allow consumer to pass in Smbios handle instead of always assigning a unique Smbios handle.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Boot to shell.

Integration Instructions

N/A
```
  </blockquote>
  <hr>
</details>
```

[patina\_dxe\_core...

Contributors

makubacki, joschock, and 8 other contributors

Assets 2

21 Jan 17:49

github-actions

patina-v19.0.5

cccab68

patina-v19.0.5

What's Changed

patina\_test: Disable Timer Tests at Ready To Boot @os-d (#1254)
Change Details
## Description
The bootloader takes over after ready to boot, so we should disable our timer based tests then. Some bootloaders (e.g. grub) don't disable interrupts when executing, so our tests can continue to execute and have spurious results.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Booting Q35 to Linux.

Integration Instructions

N/A.

Full Changelog: patina-v19.0.4...v19.0.5

Contributors

os-d

Assets 2

18 Jan 22:03

github-actions

patina-v19.0.4

1045104

patina-v19.0.4

What's Changed

Fix safety comment and other clippy issues @cfernald (#1248)
Change Details
## Description
With the recent change to include clippy in the architecture aware runs, clippy issues with aarch64 were exposed. This commit resolves various clippy issues
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Local clippy run

Integration Instructions

N/A
```
  </blockquote>
  <hr>
</details>
```

patina\_dxe\_core: Fix memory allocation tests for aarch64 runtime types @cfernald (#1241)
Change Details
## Description
Current implementations of several tests and hob construction logic use a single page for runtime memory types. On aarch64, the runtime page allocation granularity is 64kb, so all of these memory regions are dropped causing the tests to fail.

Contributes to #1071
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Unit tests

Integration Instructions

N/A
```
  </blockquote>
  <hr>
</details>
```

patina\_internal\_cpu: remove page table creation test @cfernald (#1242)
Change Details
## Description
This removes a test that causes exception on aarch64 targets. This test attempts to create an offline page table from user-mode which is not currently supported by the patina-paging crate as it will access system registers during table initialization. No equivalent test exists for x64.

Contributes to #1071
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

Unit tests

Integration Instructions

N/A
```
  </blockquote>
  <hr>
</details>
```

🐛 Bug Fixes

bugfix: Enable compat mode for EFI\_APPLICATION @Javagedes (#1249)
Change Details
## Description
In bde612d (written by me), I updated the logic around when to apply compatibility mode from being for a EFI_APPLICATION to a EFI_RUNTIME_DRIVER. Not sure how or why, but it was completely my fault. This fixes that.

This was caught during my work to created nightly "boot to os" github workflow.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested

N/A

Integration Instructions

N/A
```
  </blockquote>
  <hr>
</details>
```

patina\_internal\_collections: Prevent out-of-bounds access in resize() @makubacki (#1243)
Change Details
## Description
Add bounds checking before accessing buffer[idx] in Storage::resize().

When resizing to a buffer with no free space (idx >= buffer.len()), set available to null instead of attempting to access out-of-bounds memory.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
- Unit tests (cargo make all)
- patina-qemu boot to EFI shell
Integration Instructions
- N/A

Full Changelog: patina-v19.0.3...v19.0.4

Contributors

cfernald, makubacki, and Javagedes

Assets 2

Releases: OpenDevicePartnership/patina

patina-v20.1.2

What's Changed

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

📖 Documentation Updates

How This Was Tested

Integration Instructions

Contributors

Uh oh!

patina-v20.1.1

What's Changed

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

Examples of New Messages

Contributors

Uh oh!

patina-v20.1.0

What's Changed

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructio...

Contributors

Uh oh!

patina-v20.0.3

What's Changed

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions

📖 Documentation Updates

How This Was Tested

Integration Instructions

Contributors

Uh oh!

patina-v20.0.2

What's Changed

How This Was Tested

Integration Instructions

How This Was Tested

Integration Instructions