public inbox for devel@edk2.groups.io
* [edk2-devel] Assistance Needed: ArmVirtPkg
@ 2024-05-06 22:22 Doug Flick via groups.io
  2024-05-07 10:48 ` Gerd Hoffmann
  2024-05-07 15:17 ` Ard Biesheuvel
  0 siblings, 2 replies; 6+ messages in thread
From: Doug Flick via groups.io @ 2024-05-06 22:22 UTC (permalink / raw)
  To: devel@edk2.groups.io, ardb+tianocore@kernel.org,
	quic_llindhol@quicinc.com, sami.mujawar@arm.com,
	kraxel@redhat.com


All,

In order to patch Tianocore Bugzilla issues and CVEs:
 4541 – Bug 08 - edk2/NetworkPkg: Predictable TCP ISNs (tianocore.org)<https://bugzilla.tianocore.org/show_bug.cgi?id=4541>
and
4542 – Bug 09 - edk2/NetworkPkg: Use of a Weak PseudoRandom Number Generator (tianocore.org)<https://bugzilla.tianocore.org/show_bug.cgi?id=4542>

I've added as a dependency Hash2CryptoDxe and RngDxe lib to NetworkPkg. I've been able to add the relevant libraries to the DSCs of OvmfPkg and EmulatorPkg; however, I'm seeing odd behavior with ArmVirtPkg.

Would someone more knowledgeable with ArmVirtPkg take a look at this PR?

PixieFail #8 and #9 TCBZ4541 and TCBZ4542 by Flickdm · Pull Request #5582 · tianocore/edk2 (github.com)<https://github.com/tianocore/edk2/pull/5582>

The issue was introduced in the commit "ArmVirtPkg: : Add RngDxe to ArmVirtPkg<https://github.com/tianocore/edk2/pull/5582/commits/03148ed3fe87ceb1c5ce9f53e08d5d0c93c169cf>"

Right now PlatformCI_ArmVirtPkg_Ubuntu_GCC5_PR is crashing with

INFO - Synchronous Exception at 0x000000007FBE35BC
INFO - PC 0x00007FBE35BC (0x00007FBE0000+0x000035BC) [ 0] RngDxe.dll
INFO - PC 0x00007FBE2430 (0x00007FBE0000+0x00002430) [ 0] RngDxe.dll
INFO - PC 0x00007FBE2E14 (0x00007FBE0000+0x00002E14) [ 0] RngDxe.dll
INFO - PC 0x00004748CCFC (0x000047485000+0x00007CFC) [ 1] DxeCore.dll
INFO - PC 0x00004749A6C4 (0x000047485000+0x000156C4) [ 1] DxeCore.dll
INFO - PC 0x0000474904F0 (0x000047485000+0x0000B4F0) [ 1] DxeCore.dll
INFO -
INFO - [ 0] /__w/1/s/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/AARCH64/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe/DEBUG/RngDxe.dll
INFO - [ 1] /__w/1/s/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/AARCH64/MdeModulePkg/Core/Dxe/DxeMain/DEBUG/DxeCore.dll
INFO -
INFO -   X0 0x0000000080000000   X1 0x0000000000000000   X2 0x0000000000000000   X3 0x0000000000000000
INFO -   X4 0x0000000000000000   X5 0x0000000000000000   X6 0x0000000000000000   X7 0x0000000000000000
INFO -   X8 0x000000007FFFF008   X9 0x0000000700000000  X10 0x000000007EA47000  X11 0x000000007EA54FFF
INFO -  X12 0x0000000000000000  X13 0x0000000000000008  X14 0x0000000000000000  X15 0x0000000000000000
INFO -  X16 0x0000000047484D70  X17 0x00000000474CC000  X18 0x0000000000000000  X19 0x000000007FFD0018
INFO -  X20 0x0000000000000001  X21 0x000000007EA55D98  X22 0x000000007FBE5000  X23 0x0000000000000030
INFO -  X24 0x0000000000000000  X25 0x000000007FBE5000  X26 0x0000000000000000  X27 0x00000000474B0000
INFO -  X28 0x0000000000000001   FP 0x0000000047484C50   LR 0x000000007FBE2430


Thanks!


Doug



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118615): https://edk2.groups.io/g/devel/message/118615
Mute This Topic: https://groups.io/mt/105949609/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-




* Re: [edk2-devel] Assistance Needed: ArmVirtPkg
  2024-05-06 22:22 [edk2-devel] Assistance Needed: ArmVirtPkg Doug Flick via groups.io
@ 2024-05-07 10:48 ` Gerd Hoffmann
  2024-05-07 15:17 ` Ard Biesheuvel
  1 sibling, 0 replies; 6+ messages in thread
From: Gerd Hoffmann @ 2024-05-07 10:48 UTC (permalink / raw)
  To: Doug Flick
  Cc: devel@edk2.groups.io, ardb+tianocore@kernel.org,
	quic_llindhol@quicinc.com, sami.mujawar@arm.com

On Mon, May 06, 2024 at 10:22:07PM GMT, Doug Flick wrote:
> All,
> 
> In order to patch Tianocore Bugzilla issues and CVEs:
>  4541 – Bug 08 - edk2/NetworkPkg: Predictable TCP ISNs (tianocore.org)<https://bugzilla.tianocore.org/show_bug.cgi?id=4541>
> and
> 4542 – Bug 09 - edk2/NetworkPkg: Use of a Weak PseudoRandom Number Generator (tianocore.org)<https://bugzilla.tianocore.org/show_bug.cgi?id=4542>
> 
> I've added as a dependency Hash2CryptoDxe and RngDxe lib to NetworkPkg. I've been able to add the relevant libraries to the DSCs of OvmfPkg and EmulatorPkg; however, I'm seeing odd behavior with ArmVirtPkg.
> 
> Would someone more knowledgeable with ArmVirtPkg take a look at this PR?

Both OVMF and ArmVirt use the virtio random number device as
source for random numbers.

Driver: OvmfPkg/VirtioRngDxe
Some Background: https://wiki.qemu.org/Features/VirtIORNG

Typically the virtio rng device is present in virtual machine
configurations.  It might be missing though.

I'd recommend:
  (1) Do *not* add RngDxe to OvmfPkg and ArmVirtPkg dsc files, instead
      continue to depend on VirtioRngDxe.
  (2) Keep the time-based not-really-random RNG generator as fallback in
      case EFI_RNG_PROTOCOL is not present (possibly requiring a PCD
      being set so the fallback option can be disabled at build time).

HTH & take care,
  Gerd




* Re: [edk2-devel] Assistance Needed: ArmVirtPkg
  2024-05-06 22:22 [edk2-devel] Assistance Needed: ArmVirtPkg Doug Flick via groups.io
  2024-05-07 10:48 ` Gerd Hoffmann
@ 2024-05-07 15:17 ` Ard Biesheuvel
  2024-05-07 22:28   ` Doug Flick via groups.io
  1 sibling, 1 reply; 6+ messages in thread
From: Ard Biesheuvel @ 2024-05-07 15:17 UTC (permalink / raw)
  To: Doug Flick
  Cc: devel@edk2.groups.io, ardb+tianocore@kernel.org,
	quic_llindhol@quicinc.com, sami.mujawar@arm.com,
	kraxel@redhat.com

On Tue, 7 May 2024 at 00:22, Doug Flick <dougflick@microsoft.com> wrote:
>
> All,
>
> In order to patch Tianocore Bugzilla issues and CVEs:
>  4541 – Bug 08 - edk2/NetworkPkg: Predictable TCP ISNs (tianocore.org)
> and
> 4542 – Bug 09 - edk2/NetworkPkg: Use of a Weak PseudoRandom Number Generator (tianocore.org)
>
> I've added as a dependency Hash2CryptoDxe and RngDxe lib to NetworkPkg. I've been able to add the relevant libraries to the DSCs of OvmfPkg and EmulatorPkg; however, I'm seeing odd behavior with ArmVirtPkg.
>
> Would someone more knowledgeable with ArmVirtPkg take a look at this PR?
>
> PixieFail #8 and #9 TCBZ4541 and TCBZ4542 by Flickdm · Pull Request #5582 · tianocore/edk2 (github.com)
>
> The issue was introduced in the commit "ArmVirtPkg: : Add RngDxe to ArmVirtPkg"
>
> Right now PlatformCI_ArmVirtPkg_Ubuntu_GCC5_PR is crashing

You need to configure the TrngLib to use either secure monitor calls
or hypervisor calls, and this might be different depending on the
context:

- ordinary VMs running under proper virtualization will execute at EL1
under a hypervisor that implements the TRNG service, so it can only
use HVC (and SMC will trap, as you've experienced)

- QEMU itself does not implement the TRNG service (to my knowledge) so
running a VM under TCG emulation of EL1 will not have access to the
TRNG

- other emulation modes of QEMU may run the firmware in a different
way, where SMC is actually appropriate, and this could be either EL1
or EL2.

This makes it slightly awkward to decide whether or not to dispatch
RngDxe, and this is why nobody has gotten around to it (and I forgot
about this tbh)


TL;DR

building with --pcd PcdMonitorConduitHvc=TRUE will avoid the crash but
may not result in a usable RngDxe


It also seems to me that those network drivers will now need to DEPEX
on the RNG protocol, as they may get dispatched too early otherwise:

Failed to generate random data using secure algorithm 0: Unsupported
Failed to generate random data using secure algorithm 1: Unsupported
Failed to generate random data using secure algorithm 2: Unsupported

ASSERT_EFI_ERROR (Status = Unsupported)
ASSERT [Udp4Dxe] DxeNetLib.c(973): !(((INTN)(RETURN_STATUS)(Status)) < 0)
QEMU: Terminated

This is with -device virtio-rng-pci and the VirtioRngDxe driver (which
is already included in OVMF and ArmVirtQemu) but the driver dispatches
before the driver model can instantiate the protocol.



* Re: [edk2-devel] Assistance Needed: ArmVirtPkg
  2024-05-07 15:17 ` Ard Biesheuvel
@ 2024-05-07 22:28   ` Doug Flick via groups.io
  2024-05-07 23:19     ` Ard Biesheuvel
  0 siblings, 1 reply; 6+ messages in thread
From: Doug Flick via groups.io @ 2024-05-07 22:28 UTC (permalink / raw)
  To: Ard Biesheuvel, devel


Thanks Ard for the explanation!
Would you be able to tell me the exact changes you made to get to this point and if that would be an acceptable change to make to get these CVE patches on the mailing list? I'm happy adding the depex but fundamentally I think the goal is to get these patches into this release. My attempts to roll back some of my changes and use VirtioRngDxe have been unsuccessful so far.



* Re: [edk2-devel] Assistance Needed: ArmVirtPkg
  2024-05-07 22:28   ` Doug Flick via groups.io
@ 2024-05-07 23:19     ` Ard Biesheuvel
  2024-05-07 23:40       ` Doug Flick via groups.io
  0 siblings, 1 reply; 6+ messages in thread
From: Ard Biesheuvel @ 2024-05-07 23:19 UTC (permalink / raw)
  To: Doug Flick; +Cc: devel

There are no code changes, the only difference is adding the --pcd
PcdMonitorConduitHvc=TRUE option to the build.sh command line, and
running QEMU with -device virtio-rng-pci (which we should be doing in
any case, IMO)

The DEPEX might fix this, and this is actually the appropriate thing
to do if the driver cannot even be dispatched without the RNG protocol
available. However, I'm not convinced this is the right approach - I
think dispatching the driver but failing in the Supported() call on a
missing RNG protocol would be less disruptive, and give more
opportunity for a meaningful warning/error message to the actual user.

But I must admit I have only taken a very cursory look at the
underlying CVE and your proposed mitigation.



On Wed, 8 May 2024 at 00:28, Doug Flick via groups.io
<dougflick=microsoft.com@groups.io> wrote:
>
> Thanks Ard for the explanation! Would you be able to tell me the exact changes you made to get to this point and if that would be an acceptable change to make to get these CVE patches on the mailing list? I'm happy adding the depex but fundamentally I think the goal is to get these patches into this release. My attempts to roll back some of my changes and use VirtioRngDxe have been unsuccessful so far.



* Re: [edk2-devel] Assistance Needed: ArmVirtPkg
  2024-05-07 23:19     ` Ard Biesheuvel
@ 2024-05-07 23:40       ` Doug Flick via groups.io
  0 siblings, 0 replies; 6+ messages in thread
From: Doug Flick via groups.io @ 2024-05-07 23:40 UTC (permalink / raw)
  To: Ard Biesheuvel, devel


Thanks!

I figured out what I was missing (a mistake on my end) and I now have it booting to shell! I'll make the required changes to OvmfPkg and ArmVirtPkg based on your suggestions and put the Patch Series on the mailing list.

The assert you were seeing was the patch attempting to use the EDK2 NIST algorithms where VirtioRngDxe doesn't supply them. In that case, I created a PCD to disable the attempt to use the NIST algorithms and just take whichever algorithm the Rng Producer provides. This allows a platform to implement however they deem fit and puts the responsibility of secure algorithms on the platform.


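
Added example, not part of the thread or of the EDK2 patch series: a plain-C model of the behaviour discussed in the last three messages, where a consumer either insists on the NIST algorithms or, with the enforcement switch off, takes whatever the RNG producer provides, and reports failure to its caller instead of asserting. All type and function names are hypothetical stand-ins rather than EDK2 identifiers, and the filler bytes and sample producer are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in types for this model; none of these names come from EDK2. */
typedef enum { RNG_OK, RNG_UNSUPPORTED, RNG_NOT_FOUND } rng_status;
typedef enum { ALG_DEFAULT, ALG_RAW, ALG_NIST_0, ALG_NIST_1, ALG_NIST_2 } rng_alg;

/* An RNG producer advertises the algorithms it implements as a bitmask. */
typedef struct { unsigned supported; } rng_producer;

static rng_status producer_get_rng(const rng_producer *p, rng_alg alg,
                                   uint8_t *out, size_t len) {
  /* ALG_DEFAULT means "whatever the producer provides". */
  if (alg != ALG_DEFAULT && !(p->supported & (1u << alg)))
    return RNG_UNSUPPORTED;
  for (size_t i = 0; i < len; i++)
    out[i] = (uint8_t)(0xA5u ^ i);   /* constructed filler, not entropy */
  return RNG_OK;
}

/* Consumer side: p == NULL models "RNG protocol not installed yet". */
rng_status net_get_random(const rng_producer *p, int enforce_nist,
                          uint8_t *out, size_t len, rng_alg *used) {
  static const rng_alg nist[] = { ALG_NIST_0, ALG_NIST_1, ALG_NIST_2 };
  if (p == NULL)
    return RNG_NOT_FOUND;
  if (!enforce_nist) {               /* build-time switch, like the PCD */
    *used = ALG_DEFAULT;
    return producer_get_rng(p, ALG_DEFAULT, out, len);
  }
  for (size_t i = 0; i < sizeof nist / sizeof nist[0]; i++) {
    if (producer_get_rng(p, nist[i], out, len) == RNG_OK) {
      *used = nist[i];
      return RNG_OK;
    }
  }
  return RNG_UNSUPPORTED;            /* report it; do not assert */
}

/* Bind-time check: decline the device instead of halting the boot. */
int driver_supported(const rng_producer *p, int enforce_nist) {
  uint8_t probe[4];
  rng_alg used;
  return net_get_random(p, enforce_nist, probe, sizeof probe, &used) == RNG_OK;
}

int main(void) {
  rng_producer raw_only = { 1u << ALG_RAW };   /* constructed sample */
  return driver_supported(&raw_only, 0) ? 0 : 1;
}
```

With a raw-only producer and enforcement on, every NIST attempt returns unsupported, which is the sequence the three "Unsupported" log lines show before the assert.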


