diff -Nru edk2-2020.05/debian/changelog edk2-2020.05/debian/changelog
--- edk2-2020.05/debian/changelog 2020-06-25 16:17:15.000000000 -0600
+++ edk2-2020.05/debian/changelog 2020-08-03 14:47:47.000000000 -0600
@@ -1,3 +1,9 @@
+edk2 (2020.05-2ubuntu1+4M.2) groovy; urgency=medium
+
+ * Provide 4MB firmware builds. LP: #1885662.
+
+ -- dann frazier Mon, 03 Aug 2020 14:47:47 -0600
+
 edk2 (2020.05-2ubuntu1) groovy; urgency=medium

 * Increase autopkgtest timeout from 30s to 60s. LP: #1885186.
diff -Nru edk2-2020.05/debian/descriptors/40-edk2-x86_64-secure-enrolled.json edk2-2020.05/debian/descriptors/40-edk2-x86_64-secure-enrolled.json
--- edk2-2020.05/debian/descriptors/40-edk2-x86_64-secure-enrolled.json 2020-06-11 08:40:31.000000000 -0600
+++ edk2-2020.05/debian/descriptors/40-edk2-x86_64-secure-enrolled.json 2020-08-03 14:47:36.000000000 -0600
@@ -6,11 +6,11 @@
 "mapping": {
 "device": "flash",
 "executable": {
- "filename": "/usr/share/OVMF/OVMF_CODE.ms.fd",
+ "filename": "/usr/share/OVMF/OVMF_CODE_4M.ms.fd",
 "format": "raw"
 },
 "nvram-template": {
- "filename": "/usr/share/OVMF/OVMF_VARS.ms.fd",
+ "filename": "/usr/share/OVMF/OVMF_VARS_4M.ms.fd",
 "format": "raw"
 }
 },
diff -Nru edk2-2020.05/debian/descriptors/50-edk2-x86_64-secure.json edk2-2020.05/debian/descriptors/50-edk2-x86_64-secure.json
--- edk2-2020.05/debian/descriptors/50-edk2-x86_64-secure.json 2020-06-11 08:40:31.000000000 -0600
+++ edk2-2020.05/debian/descriptors/50-edk2-x86_64-secure.json 2020-08-03 14:47:36.000000000 -0600
@@ -6,11 +6,11 @@
 "mapping": {
 "device": "flash",
 "executable": {
- "filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd",
+ "filename": "/usr/share/OVMF/OVMF_CODE_4M.secboot.fd",
 "format": "raw"
 },
 "nvram-template": {
- "filename": "/usr/share/OVMF/OVMF_VARS.fd",
+ "filename": "/usr/share/OVMF/OVMF_VARS_4M.fd",
 "format": "raw"
 }
 },
diff -Nru edk2-2020.05/debian/descriptors/60-edk2-x86_64.json edk2-2020.05/debian/descriptors/60-edk2-x86_64.json
--- edk2-2020.05/debian/descriptors/60-edk2-x86_64.json 2020-06-11 08:40:31.000000000 -0600
+++ edk2-2020.05/debian/descriptors/60-edk2-x86_64.json 2020-08-03 14:47:36.000000000 -0600
@@ -6,11 +6,11 @@
 "mapping": {
 "device": "flash",
 "executable": {
- "filename": "/usr/share/OVMF/OVMF_CODE.fd",
+ "filename": "/usr/share/OVMF/OVMF_CODE_4M.fd",
 "format": "raw"
 },
 "nvram-template": {
- "filename": "/usr/share/OVMF/OVMF_VARS.fd",
+ "filename": "/usr/share/OVMF/OVMF_VARS_4M.fd",
 "format": "raw"
 }
 },
diff -Nru edk2-2020.05/debian/ovmf.links edk2-2020.05/debian/ovmf.links
--- edk2-2020.05/debian/ovmf.links 2020-06-11 08:40:31.000000000 -0600
+++ edk2-2020.05/debian/ovmf.links 2020-08-03 14:37:51.000000000 -0600
@@ -1,2 +1,3 @@
 usr/share/ovmf/OVMF.fd usr/share/qemu/OVMF.fd
 usr/share/OVMF/OVMF_CODE.secboot.fd usr/share/OVMF/OVMF_CODE.ms.fd
+usr/share/OVMF/OVMF_CODE_4M.secboot.fd usr/share/OVMF/OVMF_CODE_4M.ms.fd
diff -Nru edk2-2020.05/debian/README.Debian edk2-2020.05/debian/README.Debian
--- edk2-2020.05/debian/README.Debian 2020-06-11 08:40:31.000000000 -0600
+++ edk2-2020.05/debian/README.Debian 2020-08-03 14:37:51.000000000 -0600
@@ -3,39 +3,48 @@ template images which are intended to be read-write, and therefore each guest should be given its own copy. Here's an overview of each of them: -OVMF_CODE.fd +OVMF_CODE_4M.fd Use this for booting guests in non-Secure Boot mode. While this image technically supports Secure Boot, it does so without requiring SMM support from QEMU, so it is less secure. Use the OVMF_VARS.fd template with this. -OVMF_CODE.ms.fd - This is a symlink to OVMF_CODE.secboot.fd. It is useful in the context +OVMF_CODE_4M.ms.fd + This is a symlink to OVMF_CODE_4M.secboot.fd. It is useful in the context of libvirt because the included JSON firmware descriptors will tell libvirt to pair OVMF_VARS.ms.fd with it, which has Secure Boot pre-enabled. -OVMF_CODE.secboot.fd - Like OVMF_CODE.fd, but will abort if QEMU does not support SMM. +OVMF_CODE_4M.secboot.fd + Like OVMF_CODE_4M.fd, but will abort if QEMU does not support SMM. Use this for guests for which you may enable Secure Boot. Be aware that the included JSON firmware descriptors associate this with - OVMF_CODE.fd. Which means, if you specify this image in libvirt, you'll + OVMF_CODE_4M.fd. Which means, if you specify this image in libvirt, you'll get a guest that is Secure Boot-*capable*, but has Secure Boot disabled. To enable it, you'll need to manually import PK/KEK/DB keys and activate Secure Boot from the UEFI setup menu. If you want Secure Boot active from the start, consider using OVMF_CODE.ms.fd instead. -OVMF_VARS.fd +OVMF_VARS_4M.fd This is an empty variable store template, which means it has no built-in Secure Boot keys and Secure Boot is disabled. You can use it with any OVMF_CODE image, but keep in mind that if you want to boot in Secure Boot mode, you will have to enable it manually. -OVMF_VARS.ms.fd +OVMF_VARS_4M.ms.fd This template has distribution-specific PK and KEK1 keys, and the default Microsoft keys in KEK/DB. It also has Secure Boot already activated. 
Using this with OVMF_CODE.ms.fd will boot a guest directly in Secure Boot mode. +OVMF_CODE.fd +OVMF_CODE.ms.fd +OVMF_CODE.secboot.fd +OVMF_VARS.fd +OVMF_VARS.ms.fd + These images are the same as their "4M" variants, but for use with guests + using a 2MB flash device. 2MB flash is no longer considered sufficient for + use with Secure Boot. This is provided only for backwards compatibility. + OVMF_VARS.snakeoil.fd This image is **for testing purposes only**. It includes an insecure "snakeoil" key in PK, KEK & DB. The private key and cert are also @@ -49,4 +58,4 @@ OVMF_VARS.snakeoil.fd template. The password for the key is 'snakeoil'. - -- dann frazier , Tue, 31 Mar 2020 16:23:13 -0600 + -- dann frazier , Mon, 03 Aug 2020 10:58:31 -0600 diff -Nru edk2-2020.05/debian/rules edk2-2020.05/debian/rules --- edk2-2020.05/debian/rules 2020-06-11 08:40:31.000000000 -0600 +++ edk2-2020.05/debian/rules 2020-08-03 14:37:51.000000000 -0600 @@ -30,8 +30,11 @@ endif COMMON_FLAGS = -DNETWORK_HTTP_BOOT_ENABLE=TRUE -DNETWORK_TLS_ENABLE -DSECURE_BOOT_ENABLE=TRUE -OVMF_FLAGS = $(COMMON_FLAGS) -DFD_SIZE_2MB -DTPM2_ENABLE=TRUE -OVMF_SB_FLAGS = $(OVMF_FLAGS) -DSMM_REQUIRE=TRUE +OVMF_COMMON_FLAGS = $(COMMON_FLAGS) -DTPM2_ENABLE=TRUE +OVMF_2M_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_2MB +OVMF_4M_FLAGS = $(OVMF_COMMON_FLAGS) -DFD_SIZE_4MB +OVMF_2M_SMM_FLAGS = $(OVMF_2M_FLAGS) -DSMM_REQUIRE=TRUE +OVMF_4M_SMM_FLAGS = $(OVMF_4M_FLAGS) -DSMM_REQUIRE=TRUE AAVMF_FLAGS = $(COMMON_FLAGS) OVMF_VARS_GENERATOR = ./qemu-ovmf-secureboot-1-1-3/ovmf-vars-generator 
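Review bot: The new `OVMF_2M_FLAGS` and `OVMF_2M_SMM_FLAGS` definitions in debian/rules carry no comment saying that the 2MB layout is kept for existing guests only, although README.Debian in this same change states that 2MB flash is no longer considered sufficient for use with Secure Boot. A one-line comment above them, such as `# 2MB flash builds: backwards compatibility only; new guests should use the 4M images`, would keep a later packager from treating the two sizes as interchangeable when wiring up descriptors or defaults.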
@@ -59,11 +62,11 @@ OVMF_BUILD_DIR = Build/OvmfX64/RELEASE_$(EDK2_TOOLCHAIN) OVMF_ENROLL = $(OVMF_BUILD_DIR)/X64/EnrollDefaultKeys.efi OVMF_SHELL = $(OVMF_BUILD_DIR)/X64/Shell.efi -OVMF_IMAGES := OVMF_CODE.fd OVMF_CODE.secboot.fd OVMF_VARS.fd +OVMF_IMAGES := OVMF_CODE.fd OVMF_CODE_4M.fd OVMF_CODE.secboot.fd OVMF_CODE_4M.secboot.fd OVMF_VARS.fd OVMF_VARS_4M.fd OVMF_BINARIES = $(OVMF_ENROLL) $(OVMF_SHELL) OVMF_BINARIES += $(prefix debian/ovmf-install/,$(OVMF_IMAGES)) -build-ovmf: $(OVMF_BINARIES) debian/ovmf-install/OVMF_VARS.ms.fd debian/ovmf-install/OVMF_VARS.snakeoil.fd +build-ovmf: $(OVMF_BINARIES) debian/ovmf-install/OVMF_VARS.ms.fd debian/ovmf-install/OVMF_VARS_4M.ms.fd debian/ovmf-install/OVMF_VARS.snakeoil.fd $(OVMF_BINARIES): EDK2_ARCH_DIR=X64 $(OVMF_BINARIES): EDK2_HOST_ARCH=X64 
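Review bot: The images added to `OVMF_IMAGES` feed the context line `OVMF_BINARIES += $(prefix debian/ovmf-install/,$(OVMF_IMAGES))`, and `prefix` is not a GNU make function (the function is `addprefix`), so that reference most likely expands to nothing and none of the `.fd` images, old or new, become targets of the `$(OVMF_BINARIES)` rule. If so, `debian/ovmf-install/OVMF_VARS_4M.ms.fd` in the `build-ovmf` prerequisites relies on `OVMF_VARS_4M.fd` appearing as a side effect of another recipe, which holds for a serial build but is not guaranteed under `make -j`. This is worth confirming with `make -p`; switching to `$(addprefix debian/ovmf-install/,$(OVMF_IMAGES))` changes which targets share the build recipe (defined outside this hunk), so it needs a check that the recipe is not then run once per image.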
@@ -75,16 +78,35 @@
 build -a $(EDK2_HOST_ARCH) \
 -t $(EDK2_TOOLCHAIN) \
 -p OvmfPkg/OvmfPkgX64.dsc \
- $(OVMF_FLAGS) -b RELEASE; \
- cp $(OVMF_BUILD_DIR)/FV/OVMF*.fd \
+ $(OVMF_2M_FLAGS) -b RELEASE; \
+ cp $(OVMF_BUILD_DIR)/FV/OVMF_CODE.fd \
+ $(OVMF_BUILD_DIR)/FV/OVMF.fd \
+ debian/ovmf-install/; \
+ cp $(OVMF_BUILD_DIR)/FV/OVMF_VARS.fd \
 debian/ovmf-install/; \
 rm -rf Build/Ovmf$(EDK2_HOST_ARCH); \
 build -a $(EDK2_HOST_ARCH) \
 -t $(EDK2_TOOLCHAIN) \
 -p OvmfPkg/OvmfPkgX64.dsc \
- $(OVMF_SB_FLAGS) -b RELEASE; \
+ $(OVMF_4M_FLAGS) -b RELEASE; \
+ cp $(OVMF_BUILD_DIR)/FV/OVMF_CODE.fd \
+ debian/ovmf-install/OVMF_CODE_4M.fd; \
+ cp $(OVMF_BUILD_DIR)/FV/OVMF_VARS.fd \
+ debian/ovmf-install/OVMF_VARS_4M.fd; \
+ rm -rf Build/Ovmf$(EDK2_HOST_ARCH); \
+ build -a $(EDK2_HOST_ARCH) \
+ -t $(EDK2_TOOLCHAIN) \
+ -p OvmfPkg/OvmfPkgX64.dsc \
+ $(OVMF_2M_SMM_FLAGS) -b RELEASE; \
+ cp $(OVMF_BUILD_DIR)/FV/OVMF_CODE.fd \
+ debian/ovmf-install/OVMF_CODE.secboot.fd; \
+ rm -rf Build/Ovmf$(EDK2_HOST_ARCH); \
+ build -a $(EDK2_HOST_ARCH) \
+ -t $(EDK2_TOOLCHAIN) \
+ -p OvmfPkg/OvmfPkgX64.dsc \
+ $(OVMF_4M_SMM_FLAGS) -b RELEASE; \
 cp $(OVMF_BUILD_DIR)/FV/OVMF_CODE.fd \
- debian/ovmf-install/OVMF_CODE.secboot.fd
+ debian/ovmf-install/OVMF_CODE_4M.secboot.fd; \

 dpkg_vendor = $(shell dpkg-vendor --query vendor)
 debian/oem-string-vendor: debian/PkKek-1-$(dpkg_vendor).pem
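Review bot: The last added line, `debian/ovmf-install/OVMF_CODE_4M.secboot.fd; \`, ends the recipe on a dangling continuation, so anything later placed on the following line is folded into this shell command; it should close the command as `debian/ovmf-install/OVMF_CODE_4M.secboot.fd`. The four build-and-copy steps are chained with `;`, so unless the recipe opens with `set -e` (its first lines are outside this hunk) a failed `build` or `cp` for one of the earlier variants is masked by the success of the last one, and the recipe can succeed with a firmware image missing from `debian/ovmf-install/`. Chaining the steps with `&&` would make every step's failure fatal regardless of how the recipe starts.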
@@ -110,14 +132,14 @@
 xorriso --as mkisofs -input-charset ASCII -J -rational-rock \
 -e `basename $<` -no-emul-boot -o $@ `dirname $<`

-debian/ovmf-install/OVMF_VARS.ms.fd: debian/UefiShell.iso debian/oem-string-vendor
+%.ms.fd: %.fd debian/UefiShell.iso debian/oem-string-vendor
 python3 $(OVMF_VARS_GENERATOR) --qemu-binary /usr/bin/qemu-system-x86_64 \
 --print-output \
 --disable-smm \
 --skip-testing \
 --oem-string `< debian/oem-string-vendor` \
- --ovmf-binary debian/ovmf-install/OVMF_CODE.fd \
- --ovmf-template-vars debian/ovmf-install/OVMF_VARS.fd \
+ --ovmf-binary $(subst VARS,CODE,$<) \
+ --ovmf-template-vars $< \
 --uefi-shell-iso debian/UefiShell.iso $@

 debian/ovmf-install/OVMF_VARS.snakeoil.fd: debian/UefiShell.iso debian/oem-string-snakeoil
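Review bot: The new `%.ms.fd: %.fd` rule matches any `.ms.fd` target anywhere in the tree, and `$(subst VARS,CODE,$<)` rewrites every occurrence of `VARS` in the whole prerequisite path rather than only in the file name. Anchoring the pattern as `debian/ovmf-install/%.ms.fd: debian/ovmf-install/%.fd debian/UefiShell.iso debian/oem-string-vendor` and limiting the substitution to the file part, `--ovmf-binary $(@D)/$(subst VARS,CODE,$(<F)) \`, keeps the rule to the two enrolled variable stores it is meant to produce. The matching CODE image is also not listed as a prerequisite, so the store holding the pre-enrolled Secure Boot keys is neither ordered after nor regenerated with the firmware it is generated against.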