From 7f56c29653edcf5a36631480534c6b8905f1992a Mon Sep 17 00:00:00 2001 From: Doug Flick Date: Fri, 8 May 2026 16:06:17 -0700 Subject: [PATCH 1/4] OneCryptoPkg: Enable debug logging for AARCH64 OneCryptoBin Enable AdvancedLogger-based debug output for the OneCryptoBinDxe module on AARCH64 by replacing BaseDebugLibNull with BaseDebugLibAdvancedLogger and configuring debug PCDs. - Add PcdsPatchableInModule.AARCH64 for PcdDebugPropertyMask - Add PcdsFixedAtBuild.AARCH64 for debug print error levels - Add AARCH64-specific OneCryptoPkg debug property/level PCDs - Switch OneCryptoBinDxe DebugLib to AdvancedLogger with required DebugPrintErrorLevelLib, AdvancedLoggerLib, and AssertLib library instances Signed-off-by: Doug Flick --- OneCryptoPkg/OneCryptoPkg.dsc | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/OneCryptoPkg/OneCryptoPkg.dsc b/OneCryptoPkg/OneCryptoPkg.dsc index 917a0af9..c17d3c20 100644 --- a/OneCryptoPkg/OneCryptoPkg.dsc +++ b/OneCryptoPkg/OneCryptoPkg.dsc @@ -27,6 +27,9 @@ # Enable NASM assembly source style for accelerated OpenSSL crypto gEfiCryptoPkgTokenSpaceGuid.PcdOpensslLibAssemblySourceStyleNasm|TRUE +[PcdsPatchableInModule.AARCH64] + gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 + [PcdsFeatureFlag.AARCH64] # # Use the PE target assembly source files when building with the CLANGPDB 
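Review bot: `[PcdsPatchableInModule.AARCH64]` sets `gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17` outside any `!if $(TARGET) == DEBUG` guard, so RELEASE AARCH64 builds of the crypto binary would also get ASSERT, DEBUG print, DEBUG code and ASSERT-breakpoint behaviour. The same applies to the two unguarded `gEfiMdePkgTokenSpaceGuid` error-level PCDs in the `@@ -54,6 +57,23 @@` hunk and to the `DebugLib` switch away from `BaseDebugLibNull` in the `@@ -345,7 +365,10 @@` hunk, while the OneCryptoPkg PCDs beside them are already split by target. If release output is not intended, wrap the line as `!if $(TARGET) == DEBUG` / `gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17` / `!endif`. A comment naming the bits that 0x17 selects (BIT0, BIT1, BIT2, BIT4) would match the way the OneCryptoPkg mask is documented.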
@@ -54,6 +57,23 @@ gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x80000000 !endif +[PcdsFixedAtBuild.AARCH64] + # Ensure DEBUG prints are enabled (excluding VERBOSE: 0x8040004F & ~0x00400000 = 0x8000004F) + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + gEfiMdePkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x8000004F + + # OneCryptoPkg Debug Configuration + # DEBUG builds: Enable Debug Print (BIT1) and Debug Code (BIT2) = 0x06 + # RELEASE builds: Disable all debug features = 0x00 + # Note: Debug Clear Memory (BIT3) is intentionally disabled for all builds +!if $(TARGET) == DEBUG + gOneCryptoPkgTokenSpaceGuid.PcdDebugPropertyMask|0x06 + gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0xFFFFFFFF +!else + gOneCryptoPkgTokenSpaceGuid.PcdDebugPropertyMask|0x00 + gOneCryptoPkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x80000000 +!endif + [LibraryClasses.AARCH64] CompilerIntrinsicsLib|MdePkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf @@ -345,7 +365,10 @@ UefiDriverEntryPoint | MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntryPoint.inf UefiBootServicesTableLib | MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf MemoryAllocationLib | MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf - DebugLib | MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf + DebugLib | AdvLoggerPkg/Library/BaseDebugLibAdvancedLogger/BaseDebugLibAdvancedLogger.inf + DebugPrintErrorLevelLib | MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf + AdvancedLoggerLib | AdvLoggerPkg/Library/AdvancedLoggerLib/Dxe/AdvancedLoggerLib.inf + AssertLib | AdvLoggerPkg/Library/AssertLib/AssertLib.inf } ############################################################################# From 62a22034c4a4271f802bbeb26fa3b8be8f82fd37 Mon Sep 17 00:00:00 2001 
From: Doug Flick Date: Fri, 8 May 2026 17:49:43 -0700 Subject: [PATCH 2/4] OneCryptoPkg: Fix variadic argument forwarding in DebugPrint DebugPrint was passing a VA_LIST directly to OneCryptoDebugPrint which expects variadic arguments, not a VA_LIST. Format the message into a local buffer with AsciiVSPrint first, then pass the resulting string via %a to avoid variadic forwarding issues. Signed-off-by: Doug Flick --- .../Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.c b/OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.c index c34a39dc..183c5e1e 100644 --- a/OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.c +++ b/OneCryptoPkg/Library/DebugLibOnOneCrypto/DebugLibOnOneCrypto.c @@ -42,10 +42,13 @@ DebugPrint ( ) { VA_LIST Marker; + CHAR8 Buffer[256]; VA_START (Marker, Format); - OneCryptoDebugPrint (ErrorLevel, Format, Marker); + AsciiVSPrint (Buffer, sizeof (Buffer), Format, Marker); VA_END (Marker); + + OneCryptoDebugPrint (ErrorLevel, "%a", Buffer); } /** From a4ea64d80fae0247317b8074999fb376f386bf8d Mon Sep 17 00:00:00 2001 From: Doug Flick Date: Fri, 8 May 2026 17:54:06 -0700 Subject: [PATCH 3/4] OpensslPkg: Fix X509ConstructCertificateStackV stack ownership Only free the X509 certificate stack on failure when it was newly allocated by the function. Previously, a pre-existing stack passed by the caller would be incorrectly freed on error. Track allocation origin with a NewlyAllocated flag and add DEBUG logging for diagnostic visibility. Signed-off-by: Doug Flick --- .../Library/BaseCryptLib/Pk/CryptX509.c | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/OpensslPkg/Library/BaseCryptLib/Pk/CryptX509.c b/OpensslPkg/Library/BaseCryptLib/Pk/CryptX509.c index 315bb95e..c10d6ef6 100644 --- a/OpensslPkg/Library/BaseCryptLib/Pk/CryptX509.c 
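Review bot: The new `CHAR8 Buffer[256]` silently truncates any message longer than 255 characters, because the return value of `AsciiVSPrint` is discarded and nothing marks the cut; a truncated line also loses its trailing newline. Name the limit and document it, for example `#define DEBUG_PRINT_BUFFER_SIZE  256` with the comment `// Messages longer than DEBUG_PRINT_BUFFER_SIZE - 1 characters are truncated.` Formatting now also runs before `OneCryptoDebugPrint` sees `ErrorLevel`, so messages that are filtered out still pay for the format pass; whether an early level check is available here is not visible in the hunk. Passing the result through `"%a"` is the right choice, since it keeps message content from being read again as a format string. DebugPrint's signature starts above the hunk.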
+++ b/OpensslPkg/Library/BaseCryptLib/Pk/CryptX509.c @@ -105,18 +105,25 @@ X509ConstructCertificateStackV ( UINT8 *Cert; UINTN CertSize; X509 *X509Cert; + UINTN CertIndex; // MU_CHANGE STACK_OF (X509) *CertStack; BOOLEAN Status; + BOOLEAN NewlyAllocated; // MU_CHANGE // // Check input parameters. // if (X509Stack == NULL) { + DEBUG ((DEBUG_ERROR, "[%a] X509ConstructCertificateStackV X509Stack is NULL\n", gEfiCallerBaseName)); // MU_CHANGE return FALSE; } Status = FALSE; + // MU_CHANGE [BEGIN] + CertIndex = 0; + NewlyAllocated = FALSE; + // MU_CHANGE [END] // // Initialize X509 stack object. @@ -125,8 +132,11 @@ X509ConstructCertificateStackV ( if (CertStack == NULL) { CertStack = sk_X509_new_null (); if (CertStack == NULL) { + DEBUG ((DEBUG_ERROR, "[%a] X509ConstructCertificateStackV failed to allocate X509 stack\n", gEfiCallerBaseName)); // MU_CHANGE return Status; } + + NewlyAllocated = TRUE; // MU_CHANGE } while (TRUE) { @@ -135,6 +145,7 @@ X509ConstructCertificateStackV ( // Cert = VA_ARG (Args, UINT8 *); if (Cert == NULL) { + DEBUG ((DEBUG_ERROR, "[%a] X509ConstructCertificateStackV reached end of list after %Lu certs\n", gEfiCallerBaseName, (UINT64)CertIndex)); // MU_CHANGE break; } @@ -164,10 +175,19 @@ X509ConstructCertificateStackV ( // Insert the new X509 object into X509 stack object. // sk_X509_push (CertStack, X509Cert); + CertIndex++; // MU_CHANGE } if (!Status) { - sk_X509_pop_free (CertStack, X509_free); + // MU_CHANGE [BEGIN] + if (NewlyAllocated) { + DEBUG ((DEBUG_ERROR, "[%a] X509ConstructCertificateStackV failed, freeing newly allocated stack\n", gEfiCallerBaseName)); + sk_X509_pop_free (CertStack, X509_free); + } else { + DEBUG ((DEBUG_ERROR, "[%a] X509ConstructCertificateStackV failed, preserving pre-existing stack\n", gEfiCallerBaseName)); + } + + // MU_CHANGE [END] } else { *X509Stack = (UINT8 *)CertStack; } From 8971fb665bb462a4a9da25a3925528291c7b1727 Mon Sep 17 00:00:00 2001 
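Review bot: The end-of-list message in the `Cert == NULL` branch is logged at `DEBUG_ERROR`, although reaching the NULL terminator is the normal way out of the loop. Every successful call would then write an error-level line, which makes real certificate failures harder to spot in the log. Use an informational level instead: `DEBUG ((DEBUG_INFO, "[%a] X509ConstructCertificateStackV reached end of list after %Lu certs\n", gEfiCallerBaseName, (UINT64)CertIndex));`. The rest of the loop body is outside the hunk.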
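Review bot: On failure with a caller-supplied stack, the new `else` branch only logs, so the certificates this call already pushed (counted in `CertIndex`) appear to stay on the caller's stack. A caller that keeps using that stack after a FALSE return would then work with a chain that contains entries from a failed construction. Popping and freeing exactly `CertIndex` entries restores the stack to its state on entry. This relies on `sk_X509_push` having succeeded each time, and its return value is not checked on the context line above. The function header and the certificate-parsing part of the loop are outside the hunk.

```c
    if (NewlyAllocated) {
      // … unchanged: log and sk_X509_pop_free of the newly allocated stack …
    } else {
      //
      // Remove only the entries added by this call so the caller's stack
      // is left exactly as it was passed in.
      //
      while (CertIndex > 0) {
        X509_free (sk_X509_pop (CertStack));
        CertIndex--;
      }

      DEBUG ((DEBUG_ERROR, "[%a] X509ConstructCertificateStackV failed, restored pre-existing stack\n", gEfiCallerBaseName));
    }
```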
From: Doug Flick Date: Wed, 13 May 2026 10:35:25 -0700 Subject: [PATCH 4/4] OneCryptoPkg: Compute bundle SHA256 after closing zip file Move log_bundle_info() call outside the zipfile context manager so the SHA256 is computed on the finalized file. Remove the unused zipf parameter from log_bundle_info(). Signed-off-by: Doug Flick --- OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py b/OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py index 8001764a..c306c14c 100644 --- a/OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py +++ b/OneCryptoPkg/Plugin/OneCryptoBundler/OneCryptoBundler.py @@ -50,7 +50,9 @@ def create_package( for arch in architectures: zip_bundle(workspace, target, arch, toolchain, zipf) add_log_files(workspace, zipf) - log_bundle_info(workspace, output_zip, targets, architectures, toolchain, zipf) + + # Log after the zip is closed so the SHA256 covers the finalized file + log_bundle_info(workspace, output_zip, targets, architectures, toolchain) def zip_bundle(workspace, target, arch, toolchain, output_zip): @@ -99,7 +101,7 @@ def add_log_files(workspace, zipf): -def log_bundle_info(workspace, output_zip, targets, architectures, toolchain, zipf): +def log_bundle_info(workspace, output_zip, targets, architectures, toolchain): """ Log a packaging summary including EFI sizes, compression ratios, and SHA256. @@ -109,7 +111,6 @@ def log_bundle_info(workspace, output_zip, targets, architectures, toolchain, zi targets: List of build targets (DEBUG, RELEASE) architectures: List of architectures (X64, AARCH64) toolchain: Toolchain used (e.g., VS2022, GCC5) - zipf: Open ZipFile object to read entry metadata from """ logging.critical("=" * 80) logging.critical("OneCrypto Packaging Summary:")
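Review bot: The docstring line removed in the `@@ -109,7 +111,6 @@` hunk described `zipf` as the object that entry metadata was read from, and the summary line still promises compression ratios, so the body of `log_bundle_info` should be checked for any remaining use of `zipf`. The body is outside the hunks; a leftover reference would raise `NameError` only when packaging runs, after the archive has already been written. It would also help to say in the docstring where the digest comes from, e.g. `The SHA256 is computed over the closed file at output_zip.`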