Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MdePkg/DxeRngLib: Refactoring and improvements #6158

Merged
merged 5 commits into from
Sep 13, 2024
Merged

MdePkg/DxeRngLib: Refactoring and improvements #6158

merged 5 commits into from
Sep 13, 2024

Conversation

pierregondois
Copy link
Contributor

Description

Improve the DxeRngLib so that:

  • the RNG prototocol is located only once instead of at each
    random number generation

  • algorithms that are not available on a platform are not called
    when trying to generate a random number

  • gEfiRngAlgorithmArmRndr support is added

  • PcdEnforceSecureRngAlgorithms can be set to allow/avoid non-secure
    algorithms

  • Breaking change?

    • Breaking change - Does this PR cause a break in build or boot behavior?
    • Examples: Does it add a new library class or move a module to a different repo.

  • Impacts security?

    • Security - Does this PR have a direct security impact?
    • Examples: Crypto algorithm change or buffer overflow fix.

  • Includes tests?

    • Tests - Does this PR include any explicit test code?
    • Examples: Unit tests or integration tests.

How This Was Tested

Tested on a Juno. Associated patches to be provided.

@pierregondois
Copy link
Contributor Author

Associated edk2-platforms PR: tianocore/edk2-platforms#185

mdkinney
mdkinney reviewed Sep 3, 2024
View reviewed changes
MdePkg/MdePkg.dsc Outdated Show resolved Hide resolved
samimujawar
samimujawar reviewed Sep 4, 2024
View reviewed changes
MdePkg/Library/DxeRngLib/DxeRngLib.c Outdated Show resolved Hide resolved
MdePkg/Library/DxeRngLib/DxeRngLib.inf Outdated Show resolved Hide resolved
MdePkg/Library/DxeRngLib/DxeRngLib.c Outdated Show resolved Hide resolved
@lgao4 lgao4 added the push Auto push patch series in PR if all checks pass label Sep 13, 2024
@mergify Mergify
Copy link

mergify bot commented Sep 13, 2024

PR can not be merged due to conflict. Please rebase and resubmit

@pierregondois
MdePkg: Move PcdEnforceSecureRngAlgorithms from NetworkPkg
58931d7 
The PcdEnforceSecureRngAlgorithms Pcd enforces the use of RNG
algorithms defined by the UEFI spec. To re-use the Pcd in other
packages and have a generic mean to control the usage of unsecure
algorithms, move the Pcd to the MdePkg.

Continuous-integration-options: PatchCheck.ignore-multi-package
Signed-off-by: Pierre Gondois <[email protected]>
@pierregondois
MdePkg/DxeRngLib: Refactor Rng algorithm selection
4162980 
Add a library constructor which:
- locate the RNG prototocol and keep a reference to it in order to avoid
  locating it multiple times (for each random number generation)
- check which secure algorithm is available on the platform.
  This avoids to try each secure algorithm until finding one
  available for each random number generation call.

Signed-off-by: Pierre Gondois <[email protected]>
@pierregondois
MdePkg/DxeRngLib: Use PcdEnforceSecureRngAlgorithms for default algor…
9ee1e9a 
…ithm

Use PcdEnforceSecureRngAlgorithms to allow using the Rng protocol
with the default algorithm. All previous call to the Rng protocol
are requesting a secure Rng algorithm.
Not specifying the Rng algorithm GUID to use is considered unsecure.

Signed-off-by: Pierre Gondois <[email protected]>
@pierregondois
MdePkg/DxeRngLib: Add gEfiRngAlgorithmArmRndr to the secure algorithms
066da6b 
DxeRngLib iterates over a list of secure algorithms before trying
to use the default algorithm provided by the Rng protocol. Add
gEfiRngAlgorithmArmRndr to this list. The algorithm represented by
this GUID is a secure DRBG of an unknown type, implemented by the
aarch64 RNDR instruction.
On AARCH64 platform, use the RNDR instruction as the first option
if it is available.

Signed-off-by: Pierre Gondois <[email protected]>
@mergify mergify bot merged commit 273f43c into tianocore:master Sep 13, 2024
126 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mdkinney mdkinney mdkinney left review comments

@samimujawar samimujawar samimujawar left review comments

@lgao4 lgao4 lgao4 approved these changes

@kraxel kraxel kraxel approved these changes

@ardbiesheuvel ardbiesheuvel Awaiting requested review from ardbiesheuvel

@ajfish ajfish Awaiting requested review from ajfish

@leiflindholm leiflindholm Awaiting requested review from leiflindholm

@LiuZhiguang001 LiuZhiguang001 Awaiting requested review from LiuZhiguang001

@SaloniKasbekar SaloniKasbekar Awaiting requested review from SaloniKasbekar

@Zclarkwilliams Zclarkwilliams Awaiting requested review from Zclarkwilliams

@jyao1 jyao1 Awaiting requested review from jyao1

Assignees
No one assigned
Labels
push Auto push patch series in PR if all checks pass
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@pierregondois @kraxel @lgao4 @samimujawar @mdkinney