diff --git a/pkgs/applications/virtualization/OVMF/default.nix b/pkgs/applications/virtualization/OVMF/default.nix index 60eaa6428d62..76d4db7d807c 100644 --- a/pkgs/applications/virtualization/OVMF/default.nix +++ b/pkgs/applications/virtualization/OVMF/default.nix @@ -1,5 +1,5 @@ { stdenv, nixosTests, lib, edk2, util-linux, nasm, acpica-tools, llvmPackages -, fetchurl, python3, pexpect, xorriso, qemu, dosfstools, mtools +, fetchFromGitLab, python3, pexpect, xorriso, qemu, dosfstools, mtools , fdSize2MB ? false , fdSize4MB ? secureBoot , secureBoot ? false @@ -12,7 +12,7 @@ # to use as the PK and first KEK for the keystore. # # By default, we use Debian's cert. This default -# should chnage to a NixOS cert once we have our +# should change to a NixOS cert once we have our # own secure boot signing infrastructure. # # Ignored if msVarsTemplate is false. @@ -66,9 +66,18 @@ let OvmfPkKek1AppPrefix = "4e32566d-8e9e-4f52-81d3-5bb9715f9727"; - debian-edk-src = fetchurl { - url = "http://deb.debian.org/debian/pool/main/e/edk2/edk2_2023.11-5.debian.tar.xz"; - sha256 = "1yxlab4md30pxvjadr6b4xn6cyfw0c292q63pyfv4vylvhsb24g4"; + debian-edk-src = fetchFromGitLab { + domain = "salsa.debian.org"; + owner = "qemu-team"; + repo = "edk2"; + nonConeMode = true; + sparseCheckout = [ + "debian/edk2-vars-generator.py" + "debian/python" + "debian/PkKek-1-*.pem" + ]; + rev = "refs/tags/debian/2024.05-1"; + hash = "sha256-uAjXJaHOVh944ZxcA2IgCsrsncxuhc0JKlsXs0E03s0="; }; buildPrefix = "Build/*/*"; @@ -111,7 +120,7 @@ edk2.mkDerivation projectDscPath (finalAttrs: { env.PYTHON_COMMAND = "python3"; postUnpack = lib.optionalDrvAttr msVarsTemplate '' - unpackFile ${debian-edk-src} + ln -s ${debian-edk-src}/debian ''; postConfigure = lib.optionalDrvAttr msVarsTemplate '' 
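Review bot: The new `debian-edk-src` fetch in the `let` block has no comment saying that it is where the default PK/KEK certificate (`debian/PkKek-1-*.pem`) and `edk2-vars-generator.py` come from. The only thing pinning those Secure Boot trust anchors is therefore the `hash` that sits next to a tag-style `rev`. I would add a comment above the attribute, e.g. `# Source of the default PK/KEK1 cert and the vars generator; bump rev and hash together and review the .pem diff on every update.` The tag is `debian/2024.05-1` while the same commit moves edk2 to 202408, so a second comment line saying whether that skew is intentional would help. The `let` block starts outside the hunk.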
@@ -138,7 +147,8 @@ edk2.mkDerivation projectDscPath (finalAttrs: { '' + lib.optionalString msVarsTemplate '' ( cd ${buildPrefix} - python3 $NIX_BUILD_TOP/debian/edk2-vars-generator.py \ + # locale must be set on Darwin for invocations of mtools to work correctly + LC_ALL=C python3 $NIX_BUILD_TOP/debian/edk2-vars-generator.py \ --flavor ${msVarsArgs.flavor} \ --enrolldefaultkeys ${msVarsArgs.archDir}/EnrollDefaultKeys.efi \ --shell ${msVarsArgs.archDir}/Shell.efi \ @@ -165,7 +175,7 @@ edk2.mkDerivation projectDscPath (finalAttrs: { ln -sv $fd/FV/${fwPrefix}_CODE{,.ms}.fd '' + lib.optionalString stdenv.hostPlatform.isAarch '' mv -v $out/FV/QEMU_{EFI,VARS}.fd $fd/FV - # Add symlinks for Fedora dir layout: https://src.fedoraproject.org/cgit/rpms/edk2.git/tree/edk2.spec + # Add symlinks for Fedora dir layout: https://src.fedoraproject.org/rpms/edk2/blob/main/f/edk2.spec mkdir -vp $fd/AAVMF ln -s $fd/FV/AAVMF_CODE.fd $fd/AAVMF/QEMU_EFI-pflash.raw ln -s $fd/FV/AAVMF_VARS.fd $fd/AAVMF/vars-template-pflash.raw @@ -179,6 +189,9 @@ edk2.mkDerivation projectDscPath (finalAttrs: { in { firmware = "${prefix}_CODE.fd"; variables = "${prefix}_VARS.fd"; + variablesMs = + assert msVarsTemplate; + "${prefix}_VARS.ms.fd"; # This will test the EFI firmware for the host platform as part of the NixOS Tests setup. tests.basic-systemd-boot = nixosTests.systemd-boot.basic; tests.secureBoot-systemd-boot = nixosTests.systemd-boot.secureBoot; @@ -190,7 +203,7 @@ edk2.mkDerivation projectDscPath (finalAttrs: { homepage = "https://github.com/tianocore/tianocore.github.io/wiki/OVMF"; license = lib.licenses.bsd2; platforms = metaPlatforms; - maintainers = with lib.maintainers; [ adamcstephens raitobezarius ]; - broken = stdenv.isDarwin; + maintainers = with lib.maintainers; [ adamcstephens raitobezarius mjoerg ]; + broken = stdenv.isDarwin && stdenv.isAarch64; }; }) diff --git a/pkgs/by-name/ed/edk2/package.nix b/pkgs/by-name/ed/edk2/package.nix index 56b6aac253f5..b6946ea11949 100644 
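Review bot: `variablesMs` guards itself with a bare `assert msVarsTemplate;`, so a consumer that asks for the `.ms` variable store on a build without it gets only a generic assertion failure pointing into this file. Giving the assertion a message makes the misconfiguration obvious at evaluation time: `assert lib.assertMsg msVarsTemplate "OVMF: variablesMs requires msVarsTemplate = true";`. A one-line comment saying that `${prefix}_VARS.ms.fd` is presumably the template with the default keys already enrolled would also help readers choose between `variables` and `variablesMs`. The attribute set this sits in opens outside the hunk.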
--- a/pkgs/by-name/ed/edk2/package.nix
+++ b/pkgs/by-name/ed/edk2/package.nix
@@ -1,12 +1,12 @@
 { stdenv
 , fetchFromGitHub
 , fetchpatch
+, applyPatches
 , libuuid
 , bc
 , lib
 , buildPackages
 , nixosTests
-, runCommand
 , writeScript
 }:
 
@@ -31,45 +31,68 @@ buildType = if stdenv.isDarwin then else "GCC5"; -edk2 = stdenv.mkDerivation rec { +edk2 = stdenv.mkDerivation { pname = "edk2"; - version = "202402"; - - patches = [ - # pass targetPrefix as an env var - (fetchpatch { - url = "https://src.fedoraproject.org/rpms/edk2/raw/08f2354cd280b4ce5a7888aa85cf520e042955c3/f/0021-Tweak-the-tools_def-to-support-cross-compiling.patch"; - hash = "sha256-E1/fiFNVx0aB1kOej2DJ2DlBIs9tAAcxoedym2Zhjxw="; - }) - # https://github.com/tianocore/edk2/pull/5658 - (fetchpatch { - url = "https://github.com/tianocore/edk2/commit/a34ff4a8f69a7b8a52b9b299153a8fac702c7df1.patch"; - hash = "sha256-u+niqwjuLV5tNPykW4xhb7PW2XvUmXhx5uvftG1UIbU="; - }) - ]; + version = "202408"; srcWithVendoring = fetchFromGitHub { owner = "tianocore"; repo = "edk2"; rev = "edk2-stable${edk2.version}"; fetchSubmodules = true; - hash = "sha256-Nurm6QNKCyV6wvbj0ELdYAL7mbZ0yg/tTwnEJ+N18ng="; + hash = "sha256-2odaTqiAZD5xduT0dwIYWj3gY/aFPVsTFbblIsEhBiA="; }; - # We don't want EDK2 to keep track of OpenSSL, - # they're frankly bad at it. - src = runCommand "edk2-unvendored-src" { } '' - cp --no-preserve=mode -r ${srcWithVendoring} $out - rm -rf $out/CryptoPkg/Library/OpensslLib/openssl - mkdir -p $out/CryptoPkg/Library/OpensslLib/openssl - tar --strip-components=1 -xf ${buildPackages.openssl.src} -C $out/CryptoPkg/Library/OpensslLib/openssl - chmod -R +w $out/ + src = applyPatches { + name = "edk2-${edk2.version}-unvendored-src"; + src = edk2.srcWithVendoring; - # Fix missing INT64_MAX include that edk2 explicitly does not provide - # via it's own . 
Let's pull in openssl's definition instead: - sed -i $out/CryptoPkg/Library/OpensslLib/openssl/crypto/property/property_parse.c \ - -e '1i #include "internal/numbers.h"' - ''; + patches = [ + # pass targetPrefix as an env var + (fetchpatch { + url = "https://src.fedoraproject.org/rpms/edk2/raw/08f2354cd280b4ce5a7888aa85cf520e042955c3/f/0021-Tweak-the-tools_def-to-support-cross-compiling.patch"; + hash = "sha256-E1/fiFNVx0aB1kOej2DJ2DlBIs9tAAcxoedym2Zhjxw="; + }) + # https://github.com/tianocore/edk2/pull/5658 + (fetchpatch { + name = "fix-cross-compilation-antlr-dlg.patch"; + url = "https://github.com/tianocore/edk2/commit/a34ff4a8f69a7b8a52b9b299153a8fac702c7df1.patch"; + hash = "sha256-u+niqwjuLV5tNPykW4xhb7PW2XvUmXhx5uvftG1UIbU="; + }) + ]; + + postPatch = '' + # We don't want EDK2 to keep track of OpenSSL, they're frankly bad at it. + rm -r CryptoPkg/Library/OpensslLib/openssl + mkdir -p CryptoPkg/Library/OpensslLib/openssl + ( + cd CryptoPkg/Library/OpensslLib/openssl + tar --strip-components=1 -xf ${buildPackages.openssl.src} + + # Apply OpenSSL patches. + ${lib.pipe buildPackages.openssl.patches [ + (builtins.filter ( + patch: + !builtins.elem (baseNameOf patch) [ + # Exclude patches not required in this context. + "nix-ssl-cert-file.patch" + "openssl-disable-kernel-detection.patch" + "use-etc-ssl-certs-darwin.patch" + "use-etc-ssl-certs.patch" + ] + )) + (map (patch: "patch -p1 < ${patch}\n")) + lib.concatStrings + ]} + ) + + # enable compilation using Clang + # https://bugzilla.tianocore.org/show_bug.cgi?id=4620 + substituteInPlace BaseTools/Conf/tools_def.template --replace-fail \ + 'DEFINE CLANGPDB_WARNING_OVERRIDES = ' \ + 'DEFINE CLANGPDB_WARNING_OVERRIDES = -Wno-unneeded-internal-declaration ' + ''; + }; nativeBuildInputs = [ pythonEnv ]; depsBuildBuild = [ buildPackages.stdenv.cc buildPackages.bash ]; 
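Review bot: The OpenSSL tree that ends up in the firmware is now defined implicitly in `postPatch`, and nothing there records that contract. It is `buildPackages.openssl.src` plus every entry of `buildPackages.openssl.patches` that is not named in the four-item exclusion list. Since this is presumably the library CryptoPkg builds against, a short comment above the `lib.pipe` would help whoever next edits the openssl package: `# Denylist on purpose: security fixes added to openssl.patches must reach the firmware; only the cert-path and kernel-detection patches are skipped.` The filter matches on `baseNameOf patch`, so a renamed patch, or one that arrives as a store path with a hash prefix, would probably stop being excluded and get applied here. That is worth stating in the same comment.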
@@ -100,12 +123,13 @@ edk2 = stdenv.mkDerivation rec { enableParallelBuilding = true; - meta = with lib; { + meta = { description = "Intel EFI development kit"; homepage = "https://github.com/tianocore/tianocore.github.io/wiki/EDK-II/"; changelog = "https://github.com/tianocore/edk2/releases/tag/edk2-stable${edk2.version}"; - license = licenses.bsd2; - platforms = with platforms; aarch64 ++ arm ++ i686 ++ x86_64 ++ riscv64; + license = lib.licenses.bsd2; + platforms = with lib.platforms; aarch64 ++ arm ++ i686 ++ x86_64 ++ riscv64; + maintainers = [ lib.maintainers.mjoerg ]; }; passthru = { diff --git a/pkgs/tools/misc/edk2-uefi-shell/default.nix b/pkgs/tools/misc/edk2-uefi-shell/default.nix index 7547f9b3e476..0ec010472645 100644 --- a/pkgs/tools/misc/edk2-uefi-shell/default.nix +++ b/pkgs/tools/misc/edk2-uefi-shell/default.nix @@ -37,6 +37,7 @@ edk2.mkDerivation "ShellPkg/ShellPkg.dsc" (finalAttrs: { inherit (edk2.meta) license platforms; description = "UEFI Shell from Tianocore EFI development kit"; homepage = "https://github.com/tianocore/tianocore.github.io/wiki/ShellPkg"; - maintainers = with lib.maintainers; [ LunNova ]; + maintainers = with lib.maintainers; [ LunNova mjoerg ]; + broken = stdenv.isDarwin && stdenv.isAarch64; }; })