From: "Laszlo Ersek" <lersek@redhat.com>
To: eddie wang <qw1562435@gmail.com>
Cc: devel@edk2.groups.io
Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly
Date: Mon, 19 Feb 2024 21:18:00 +0100 [thread overview]
Message-ID: <0d8b566a-ff75-16c2-ddf3-3ce754a66cff@redhat.com> (raw)
In-Reply-To: <CAOwpOh+XOfJ1_HG1T2U8mRcevJbc8jdy3kVsM4rLo6NUmCWiOQ@mail.gmail.com>
On 2/17/24 10:17, eddie wang wrote:
> Hi Laszlo,
> After digging dipper, we found that the *EVP_RAND_fetch *in
> "rand_new_seed" and "rand_new_drbg" both got NULL in our case. It's
> meant the DRBG implementation could
> not be fetched. We also compared it to the case on Linux, and they could
> both fetched DRBG implementation correctly. Is it possible that the
> opensslLib 3.0.9 caused any compatibility issues with edk2? Or has
> anyone else encountered the same problem with these openssl services?
Sorry, I can't say.
If you have a small reproducer UEFI application that works fine when
built with edk2-stable202305, but does not work when built against
either edk2-stable202308 or current master, then filing a TianoCore BZ
(regression) seems justified. (AFAICT it was edk2-stable202308 that
incorporated the OpenSSL 3.0.9 upgrade, from 1.1.1u.) Attaching the
source code of the small repro application to the ticket would likely be
helpful.
Laszlo
> Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>> 於 2024年2月
> 15日 週四 下午7:48寫道:
>
> On 2/15/24 12:09, eddie wang wrote:
> > Hi Laszlo,
> > Thanks for your reply. How can I enable the DEBUGs at RandomSeed()
> ? Or
> > any suggesting information that I can provide?
>
> Sorry, upon a closer look, I see you had already narrowed it down to
> RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
> suggestion would amount to adding DEBUGs to OpenSSL, such as to
> RAND_seed() in
> "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
>
> But, I think you may be able to do just that.
> "CryptoPkg/Library/Include/CrtLibSupport.h" already includes
> <DebugLib.h>, and DebugLib is listed under [LibraryClasses] in each
> instance of OpensslLib. So if you modify your
> "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree locally,
> with the following patch:
>
> | diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
> | index 0fcf4fe3bc1e..e5f105268f52 100644
> | --- a/crypto/rand/rand_lib.c
> | +++ b/crypto/rand/rand_lib.c
> | @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
> | drbg = RAND_get0_primary(NULL);
> | if (drbg != NULL && num > 0)
> | EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
> | +
> | + DEBUG ((DEBUG_INFO, "%a: hello\n", __func__));
> | }
> |
> | void RAND_add(const void *buf, int num, double randomness)
>
> then you should get usable debug messages -- at least it builds for me.
>
> Inserting DEBUGs like this (over multiple rounds of testing / narrowing)
> should lead you to the exact location that is responsible for the
> initialization failure.
>
> You mention you have encountered the problem with a UEFI application.
> That is relevant for choosing your DebugLib instance. If you already
> have a function DebugLib instance for your platform (logging to the
> serial port, for example), then just use that.
>
> Otherwise, consider building your UEFI application with a module scope
> override in the DSC file, one that resolves DebugLib to
>
> MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
>
> or
>
> MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
>
> These will send DEBUG messages to the UEFI console or standard error
> devices, respectively.
>
> hth
> Laszlo
>
> > Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>
> <mailto:lersek@redhat.com <mailto:lersek@redhat.com>>> 於 2024年2月
> > 8日 週四 上午5:03寫道:
> >
> > On 2/6/24 08:00, eddie wang wrote:
> > > Hi all,
> > > We had an UEFI application that used the EDK2(2023/12/05),
> and we
> > would
> > > like to take advantage of the services in BaseCryptLib .However,
> > the API
> > > in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always
> returned
> > > false because of the pseudorandom number generator set up
> failed.
> > I am
> > > not sure this issue is from the *openssl configuration in
> > OpensslLib(we
> > > use the default configuration)* or is from the *openssl 3.0.9*.
> > >
> > > Is there any comments about this issue?
> >
> > Can you narrow it down by inserting DEBUGs starting at
> RandomSeed()
> > [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and then
> digging
> > down as necessary?
> >
> > Laszlo
> >
> >
> >
> >
> >
> >
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#115599): https://edk2.groups.io/g/devel/message/115599
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
next prev parent reply other threads:[~2024-02-19 20:18 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-06 7:00 [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly eddie wang
2024-02-07 21:03 ` Laszlo Ersek
2024-02-15 11:09 ` eddie wang
2024-02-15 11:48 ` Laszlo Ersek
2024-02-17 9:17 ` eddie wang
2024-02-19 20:18 ` Laszlo Ersek [this message]
2024-02-20 1:11 ` Yao, Jiewen
2024-02-20 1:49 ` Li, Yi
2024-02-29 9:48 ` eddie wang
2024-02-29 11:23 ` Li, Yi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0d8b566a-ff75-16c2-ddf3-3ce754a66cff@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox