Fix X509ConstructCertificateStackV #255
Merged
Flickdm merged 4 commits on May 13, 2026
db9fbf9 to bd9d211
Enable AdvancedLogger-based debug output for the OneCryptoBinDxe module on AARCH64 by replacing BaseDebugLibNull with BaseDebugLibAdvancedLogger and configuring debug PCDs.
- Add PcdsPatchableInModule.AARCH64 for PcdDebugPropertyMask
- Add PcdsFixedAtBuild.AARCH64 for debug print error levels
- Add AARCH64-specific OneCryptoPkg debug property/level PCDs
- Switch OneCryptoBinDxe DebugLib to AdvancedLogger with required DebugPrintErrorLevelLib, AdvancedLoggerLib, and AssertLib library instances
Signed-off-by: Doug Flick <dougflick@microsoft.com>
DebugPrint was passing a VA_LIST directly to OneCryptoDebugPrint which expects variadic arguments, not a VA_LIST. Format the message into a local buffer with AsciiVSPrint first, then pass the resulting string via %a to avoid variadic forwarding issues.
Signed-off-by: Doug Flick <dougflick@microsoft.com>
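The VA_LIST fix in the commit above, reduced to hosted C as an added example (not code from this pull request). `vsnprintf` stands in for AsciiVSPrint and `%s` for `%a`; `sink_print` and `debug_print` are hypothetical names for the variadic sink and its wrapper.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 128

/* Hypothetical stand-in for the variadic sink (OneCryptoDebugPrint on the page).
   It records the last formatted line so the result can be inspected. */
static char g_last_line[MSG_MAX];

static void sink_print(unsigned level, const char *fmt, ...)
{
    va_list ap;
    (void)level;
    va_start(ap, fmt);
    vsnprintf(g_last_line, sizeof g_last_line, fmt, ap);
    va_end(ap);
}

/* Broken shape described in the commit message (shown only as a comment):
 *     va_start(ap, fmt);
 *     sink_print(level, fmt, ap);    <- a va_list is not the argument pack
 * The sink would run va_arg() over one va_list object: undefined behaviour.
 */

/* Fixed shape: expand the arguments locally, then forward a single string. */
static const char *debug_print(unsigned level, const char *fmt, ...)
{
    char buf[MSG_MAX];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);  /* NUL-terminates, truncates if too long */
    va_end(ap);

    /* Forward the text as data via "%s", never as the format string itself,
       so a literal '%' in the expanded message is not re-interpreted. */
    sink_print(level, "%s", buf);
    return g_last_line;
}

int main(void)
{
    puts(debug_print(0x80000000u, "certs processed: %u, status=%s", 3u, "ok"));
    puts(debug_print(0x80000000u, "progress 100%% of %d", 7));
    return 0;
}
```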
Only free the X509 certificate stack on failure when it was newly allocated by the function. Previously, a pre-existing stack passed by the caller would be incorrectly freed on error. Track allocation origin with a NewlyAllocated flag and add DEBUG logging for diagnostic visibility.
Signed-off-by: Doug Flick <dougflick@microsoft.com>
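The ownership rule from the commit above as an added, self-contained example (not the CryptX509.c code). `cert_stack` and `stack_append_all` are hypothetical stand-ins, and undoing partial pushes on a caller-owned stack is this example's own assumption, not something the page states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define STACK_CAP 8

/* Hypothetical stand-in for an X509 stack: fixed-capacity list of cert blobs. */
typedef struct { const char *items[STACK_CAP]; size_t count; } cert_stack;

/* Append certs to *pstack, allocating a stack only if the caller passed none.
   A NULL entry models a certificate that fails to parse (constructed failure). */
static bool stack_append_all(cert_stack **pstack, const char *const *certs, size_t n)
{
    bool newly_allocated = false;
    cert_stack *stack;
    size_t original_count, i;

    if (pstack == NULL) return false;
    stack = *pstack;
    if (stack == NULL) {
        stack = calloc(1, sizeof *stack);
        if (stack == NULL) return false;
        newly_allocated = true;
    }
    original_count = stack->count;
    for (i = 0; i < n; i++) {
        if (certs[i] == NULL || stack->count == STACK_CAP) goto fail;
        stack->items[stack->count++] = certs[i];
    }
    *pstack = stack;   /* publish only on success */
    return true;

fail:
    if (newly_allocated)
        free(stack);                     /* ours: *pstack is still NULL */
    else
        stack->count = original_count;   /* caller's: keep it, undo our pushes */
    return false;
}

int main(void)
{
    const char *bad[] = { "certA", NULL };
    cert_stack *fresh = NULL;
    bool ok = stack_append_all(&fresh, bad, 2);
    printf("append ok=%d, stack=%p\n", ok, (void *)fresh);
    return 0;
}
```

Freeing a caller-owned stack on the error path would leave the caller holding a dangling pointer, which is the defect the commit message describes.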
Move log_bundle_info() call outside the zipfile context manager so the SHA256 is computed on the finalized file. Remove the unused zipf parameter from log_bundle_info().
Signed-off-by: Doug Flick <dougflick@microsoft.com>
bd9d211 to 8971fb6
Javagedes approved these changes May 13, 2026
apop5 approved these changes May 13, 2026
Description
This actually has a collection of changes that, while not necessarily related to fixing X509ConstructCertificateStackV, appeared during review and should be merged in as commits during rebasing.
There are additional changes needed on the MU_BASECORE side after this goes in to work around the bug found with VA_LIST in X509ConstructCertificateStackV.
This pull request introduces several improvements to debugging and logging for the OneCrypto and CryptX509 codebases, as well as updates to the package configuration for AARCH64 builds. The most significant changes include enhanced debug output, improved error handling and diagnostics, and more robust logging during packaging. The changes are grouped below by theme.
Debugging and Logging Enhancements
- The DebugPrint function in DebugLibOnOneCrypto.c now formats the message into a buffer before printing, ensuring that all debug output is consistently formatted and easier to trace.
- In CryptX509.c, additional debug messages have been added to X509ConstructCertificateStackV to provide detailed error reporting, including when the X509 stack is null, allocation failures, and the number of processed certificates. The function also distinguishes between freeing a newly allocated stack and preserving an existing one on failure.
Packaging and Logging Improvements
- OneCryptoBundler.py now logs bundle information only after the zip file is finalized, ensuring the SHA256 hash covers the complete file. The code also removes the unnecessary zipf parameter from log_bundle_info.
AARCH64 Debug Configuration
- The OneCryptoPkg.dsc configuration has been updated to set appropriate debug property masks and error levels for AARCH64 builds, with clear separation between DEBUG and RELEASE targets. This ensures debug prints and code are enabled or disabled as intended for each build type.
Library and Dependency Updates
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
How This Was Tested
<Describe the test(s) that were run to verify the changes.>
Integration Instructions
<Describe how these changes should be integrated. Use N/A if nothing is required.>