From: "gaoliming via groups.io" <gaoliming@byosoft.com.cn>
Cc: 'Michael D Kinney', 'Andrew Fish'
References: <20240524054512.523329-1-douglas.flick@microsoft.com>
In-Reply-To: <20240524054512.523329-1-douglas.flick@microsoft.com>
Subject: Re: [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237
Date: Fri, 24 May 2024 15:01:31 +0800
Message-ID: <001001daada8$358301a0$a08904e0$@byosoft.com.cn>

Ard and Gerd:
  Doug updated this patch set based on your suggestion. Could you give Reviewed-by or Acked-by for the changes in OvmfPkg and ArmVirtPkg if you have no other comments?
Thanks
Liming

> -----Original Message-----
> From: devel@edk2.groups.io on behalf of Doug Flick via groups.io
> Sent: 24 May 2024 13:45
> To: devel@edk2.groups.io
> Cc: Liming Gao
> Subject: [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237
>
>
> REF:https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
>
> This patch series patches the following CVEs:
> - CVE-2023-45236: Predictable TCP Initial Sequence Numbers
> - CVE-2023-45237: Use of a Weak PseudoRandom Number Generator
>
> In order to patch these CVEs, the following changes were made:
> - NetworkPkg no longer performs its own random number generation,
>   instead it uses EFI_RNG_PROTOCOL provided by the platform to
>   generate random numbers.
>   - This change was made such that any future random number
>     generation vulnerabilities will be a result of the platform's
>     implementation of the EFI_RNG_PROTOCOL and not the NetworkPkg
>
> - NetworkPkg uses the TCP initial sequence number algorithm as described
>   in RFC 6528 to generate the initial sequence number for TCP connections.
>   - This change was made to ensure that the initial sequence number
>     is not predictable and therefore cannot be used in a TCP hijacking
>     attack.
>
> In addition to the above changes, the following changes were made:
> - EmulatorPkg, OvmfPkg, and ArmVirtPkg were updated to include the
>   Hash2DxeCrypto driver to support TCP ISN generation using
>   EFI_HASH2_PROTOCOL
>
> - EmulatorPkg was updated to include the
>   RngDxe driver to support random number generation using the
>   EFI_RNG_PROTOCOL
>
> - OvmfPkg and ArmVirtPkg were updated to include the
>   virtio-rng-pci device to support random number generation using the
>   EFI_RNG_PROTOCOL using the existing VirtioRngDxe driver
>
> - SecurityPkg was updated to fix an incorrect limitation on the
>   GetRng function in the RngDxe driver where the minimum amount of
>   random data that could be requested was 32 bytes (256 bits) instead
>   of what the caller requested
>
> - MdePkg was updated to include MockUefiBootServicesTableLib,
>   MockRng, and MockHash2 protocols for testing
>
> - NetworkPkg was updated to include a test for the PxeBcDhcp6 driver
>   due to underlying changes
>
> - ArmPkg was updated to allow the SMC/HVC monitor conduit to be
>   specified at runtime
>
> - MdePkg was updated to remove an overzealous ASSERT in BaseRngLib
>
> - ArmVirtPkg was updated to permit the use of dynamic PCDs in PEI
>
> - ArmVirtPkg was updated to use dynamic PCDs to set the SMCCC conduit
>
> - ArmVirtPkg was updated to add the RngDxe driver
>
> Cc: Liming Gao
>
> Signed-off-by: Doug Flick [MSFT]
>
> Ard Biesheuvel (6):
>   ArmPkg: Allow SMC/HVC monitor conduit to be specified at runtime
>   MdePkg/BaseRngLib AARCH64: Remove overzealous ASSERT()
>   ArmVirtPkg/ArmVirtQemu: Permit the use of dynamic PCDs in PEI
>   ArmVirtPkg: Use dynamic PCD to set the SMCCC conduit
>   ArmVirtPkg: Reverse inclusion order of MdeLibs.inc and ArmVirt.dsc.inc
>   ArmVirtPkg/ArmVirtQemu: Add RngDxe driver
>
> Doug Flick (8):
>   EmulatorPkg: : Add Hash2DxeCrypto to EmulatorPkg
>   OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg
>   NetworkPkg:: SECURITY PATCH CVE-2023-45237
>   NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236
>   MdePkg: : Add MockUefiBootServicesTableLib
>   MdePkg: : Adds Protocol for MockRng
>   MdePkg: Add MockHash2 Protocol for testing
>   NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes
>
> Flickdm (6):
>   EmulatorPkg: : Add RngDxe to EmulatorPkg
>   OvmfPkg:PlatformCI: Support virtio-rng-pci
>   ArmVirtPkg:PlatformCI: Support virtio-rng-pci
>   ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg
>   SecurityPkg: RngDxe: Remove incorrect limitation on GetRng
>   ArmVirtPkg: Move PcdMonitorConduitHvc
>
>  ArmPkg/ArmPkg.dec                                                                                 |  10 +-
>  NetworkPkg/NetworkPkg.dec                                                                         |   7 +
>  ArmVirtPkg/ArmVirt.dsc.inc                                                                        |   5 +-
>  ArmVirtPkg/ArmVirtCloudHv.dsc                                                                     |   3 +
>  ArmVirtPkg/ArmVirtKvmTool.dsc                                                                     |   4 +-
>  ArmVirtPkg/ArmVirtQemu.dsc                                                                        |  20 +-
>  ArmVirtPkg/ArmVirtQemuKernel.dsc                                                                  |  12 +-
>  ArmVirtPkg/ArmVirtXen.dsc                                                                         |   6 +-
>  EmulatorPkg/EmulatorPkg.dsc                                                                       |  14 +-
>  MdePkg/Test/MdePkgHostTest.dsc                                                                    |   1 +
>  NetworkPkg/Test/NetworkPkgHostTest.dsc                                                            |   1 +
>  OvmfPkg/OvmfPkgIa32.dsc                                                                           |   6 +-
>  OvmfPkg/OvmfPkgIa32X64.dsc                                                                        |   6 +-
>  OvmfPkg/OvmfPkgX64.dsc                                                                            |   6 +-
>  OvmfPkg/OvmfXen.dsc                                                                               |   5 +
>  ArmVirtPkg/ArmVirtQemu.fdf                                                                        |   2 +-
>  EmulatorPkg/EmulatorPkg.fdf                                                                       |  11 +-
>  OvmfPkg/OvmfPkgIa32.fdf                                                                           |   5 +
>  OvmfPkg/OvmfPkgIa32X64.fdf                                                                        |   5 +
>  OvmfPkg/OvmfPkgX64.fdf                                                                            |   5 +
>  OvmfPkg/OvmfXen.fdf                                                                               |   5 +
>  ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf                                              |   1 +
>  MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf |  32 +++
>  NetworkPkg/Library/DxeNetLib/DxeNetLib.inf                                                        |  14 +-
>  NetworkPkg/TcpDxe/TcpDxe.inf                                                                      |  11 +-
>  NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf                                     |   3 +-
>  MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h                        |  78 +++++++
>  MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h                                          |  67 ++++++
>  MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h                                            |  48 ++++
>  NetworkPkg/IScsiDxe/IScsiMisc.h                                                                   |   6 +-
>  NetworkPkg/Include/Library/NetLib.h                                                               |  40 +++-
>  NetworkPkg/Ip6Dxe/Ip6Nd.h                                                                         |   8 +-
>  NetworkPkg/TcpDxe/TcpFunc.h                                                                       |  23 +-
>  NetworkPkg/TcpDxe/TcpMain.h                                                                       |  59 ++++-
>  ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c                                                      |   2 +-
>  ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c                                                |  14 ++
>  MdePkg/Library/BaseRngLib/AArch64/Rndr.c                                                          |   1 -
>  NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c                                                                 |  10 +-
>  NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c                                                                 |  11 +-
>  NetworkPkg/DnsDxe/DnsDhcp.c                                                                       |  10 +-
>  NetworkPkg/DnsDxe/DnsImpl.c                                                                       |  11 +-
>  NetworkPkg/HttpBootDxe/HttpBootDhcp6.c                                                            |  10 +-
>  NetworkPkg/IScsiDxe/IScsiCHAP.c                                                                   |  19 +-
>  NetworkPkg/IScsiDxe/IScsiMisc.c                                                                   |  14 +-
>  NetworkPkg/Ip4Dxe/Ip4Driver.c                                                                     |  10 +-
>  NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c                                                                 |   9 +-
>  NetworkPkg/Ip6Dxe/Ip6Driver.c                                                                     |  17 +-
>  NetworkPkg/Ip6Dxe/Ip6If.c                                                                         |  12 +-
>  NetworkPkg/Ip6Dxe/Ip6Mld.c                                                                        |  12 +-
>  NetworkPkg/Ip6Dxe/Ip6Nd.c                                                                         |  33 ++-
>  NetworkPkg/Library/DxeNetLib/DxeNetLib.c                                                          | 130 +++++++++--
>  NetworkPkg/TcpDxe/TcpDriver.c                                                                     | 105 ++++++++-
>  NetworkPkg/TcpDxe/TcpInput.c                                                                      |  13 +-
>  NetworkPkg/TcpDxe/TcpMisc.c                                                                       | 244 ++++++++++++++++++--
>  NetworkPkg/TcpDxe/TcpTimer.c                                                                      |   3 +-
>  NetworkPkg/Udp4Dxe/Udp4Driver.c                                                                   |  10 +-
>  NetworkPkg/Udp6Dxe/Udp6Driver.c                                                                   |  11 +-
>  NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c                                                              |   9 +-
>  NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c                                                              |  11 +-
>  NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c                                                             |  12 +-
>  SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c                                            |   8 -
>  ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc                                                              |   6 +
>  ArmVirtPkg/PlatformCI/PlatformBuildLib.py                                                         |   2 +
>  MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.cpp |  69 ++++++
>  MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockHash2.cpp                                        |  27 +++
>  MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp                                          |  21 ++
>  NetworkPkg/SecurityFixes.yaml                                                                     |  61 +++++
>  NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp                                       | 102 +++++++-
>  OvmfPkg/PlatformCI/PlatformBuildLib.py                                                            |   2 +
>  69 files changed, 1397 insertions(+), 173 deletions(-)
>  create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf
>  create mode 100644 MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h
>  create mode 100644 MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h
>  create mode 100644 MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h
>  create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.cpp
>  create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockHash2.cpp
>  create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp
>
> --
> 2.34.1

View/Reply Online (#119248): https://edk2.groups.io/g/devel/message/119248
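The cover letter above says the TcpDxe fix for CVE-2023-45236 generates initial sequence numbers with the RFC 6528 algorithm, ISN = M + F(localip, localport, remoteip, remoteport, secretkey), with F computed through EFI_HASH2_PROTOCOL and the secret drawn from EFI_RNG_PROTOCOL. The following is an added worked example of that algorithm and is not code from this thread or from the edk2 patches. It assumes SHA-256 as the hash F (RFC 6528 names MD5 only as an illustration; the protocol's actual hash selection is not stated in the cover letter), a 4-microsecond tick for the counter M, os.urandom standing in for the platform RNG, and a constructed fixed key CONSTRUCTED_KEY so the demonstration is reproducible.

```python
"""RFC 6528 TCP Initial Sequence Number generation (added example).

    ISN = M + F(localip, localport, remoteip, remoteport, secretkey)

M is a 32-bit counter advancing every 4 microseconds, F is a keyed
hash of the connection 4-tuple truncated to 32 bits.  The per-connection
offset F cannot be derived by an observer who lacks the secret, so an
ISN seen on one connection tells nothing about another connection's ISN,
while M keeps ISNs for the same 4-tuple advancing like the classic clock.
"""
import hashlib
import ipaddress
import os
import struct

TIMER_TICK_US = 4              # RFC 6528: M increments roughly every 4 us
MASK32 = 0xFFFFFFFF

# Constructed key for a reproducible demonstration only; a real stack draws
# the secret once per boot from a strong RNG (EFI_RNG_PROTOCOL in edk2).
CONSTRUCTED_KEY = bytes(range(32))


def derive_secret_key() -> bytes:
    """Assumption: 32 random bytes; os.urandom stands in for the platform RNG."""
    return os.urandom(32)


def pack_four_tuple(local_ip, local_port, remote_ip, remote_port) -> bytes:
    """Serialize the connection 4-tuple; works for IPv4 and IPv6 addresses."""
    return (
        ipaddress.ip_address(local_ip).packed
        + struct.pack(">H", local_port)
        + ipaddress.ip_address(remote_ip).packed
        + struct.pack(">H", remote_port)
    )


def isn_offset(local_ip, local_port, remote_ip, remote_port, secret) -> int:
    """F(): SHA-256 over (4-tuple || secret), truncated to 32 bits.

    Assumption: SHA-256 as the hash function.  The secret is appended so an
    observer cannot recompute F from the public 4-tuple alone.
    """
    data = pack_four_tuple(local_ip, local_port, remote_ip, remote_port) + secret
    digest = hashlib.sha256(data).digest()
    return struct.unpack(">I", digest[:4])[0]


def timer_value(now_us: int) -> int:
    """M(): the 4-microsecond counter, wrapped to 32 bits."""
    return (now_us // TIMER_TICK_US) & MASK32


def generate_isn(local_ip, local_port, remote_ip, remote_port, secret, now_us) -> int:
    """ISN = (M + F) mod 2^32, per RFC 6528."""
    offset = isn_offset(local_ip, local_port, remote_ip, remote_port, secret)
    return (timer_value(now_us) + offset) & MASK32


def isn_delta(earlier: int, later: int) -> int:
    """Distance between two ISNs in 32-bit sequence space."""
    return (later - earlier) & MASK32


def demo():
    """Two connections from the same host, 4 ms apart, plus a repeat of the first."""
    a1 = generate_isn("10.0.0.2", 40000, "10.0.0.1", 80, CONSTRUCTED_KEY, 1_000_000)
    a2 = generate_isn("10.0.0.2", 40000, "10.0.0.1", 80, CONSTRUCTED_KEY, 1_004_000)
    b1 = generate_isn("10.0.0.2", 40001, "10.0.0.1", 80, CONSTRUCTED_KEY, 1_000_000)
    return {
        "same_tuple_delta_4ms": isn_delta(a1, a2),   # exactly 1000 ticks
        "sibling_port_delta": isn_delta(a1, b1),     # unrelated to time alone
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same 4-tuple still advances by exactly 1000 over 4 ms, which is what keeps stale segments from an earlier incarnation of a connection out of the new one's window; a neighbouring source port lands at an offset that cannot be computed without the key, which is the property the CVE fix restores. The fix in RngDxe mentioned in the cover letter matters here too: the secret is only as good as the platform RNG that produced it.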