Re: [edk2-devel] [PATCH v1 07/14] NetworkPkg:: SECURITY PATCH CVE-2023-45237

["Michael Brown" <mcb30@ipxe.org>]

On 08/05/2024 22:19, Ard Biesheuvel wrote:
> I've always found that logic rather bizarre - there is no way the
> implementation of the raw protocol can ensure that the caller uses it
> correctly, and so enforcing a minimum read size is pointless and
> arbitrary. And as you note, it has no basis in the UEFI spec either.
> 
> So this should just be removed imo.

For what it's worth, I agree that it should be removed.

iPXE has the following comment:

/** Minimum number of bytes to request from RNG
  *
  * The UEFI spec states (for no apparently good reason) that "When a
  * Deterministic Random Bit Generator (DRBG) is used on the output of
  * a (raw) entropy source, its security level must be at least 256
  * bits."  The EDK2 codebase (mis)interprets this to mean that the
  * call to GetRNG() should fail if given a buffer less than 32 bytes.
  *
  * Incidentally, nothing in the EFI RNG protocol provides any way to
  * report the actual amount of entropy returned by GetRNG().
  */
#define EFIRNG_LEN 32

Michael



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118705): https://edk2.groups.io/g/devel/message/118705
Mute This Topic: https://groups.io/mt/105983246/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-