From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (EUR05-VI1-obe.outbound.protection.outlook.com [40.107.21.62])
 by mx.groups.io with SMTP id smtpd.web09.14434.1633016474017549043
 for <devel@edk2.groups.io>;
 Thu, 30 Sep 2021 08:41:14 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@armh.onmicrosoft.com header.s=selector2-armh-onmicrosoft-com header.b=CdbR1LcK;
 spf=pass (domain: arm.com, ip: 40.107.21.62, mailfrom: sami.mujawar@arm.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com;
 s=selector2-armh-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=p6JhvCjo59bf93LTkD8I71T4gGXx2QudePiVa7FiZYk=;
 b=CdbR1LcKzS5/32j7V+EAYPd6Q4a1eyqCg2s5YjTWg3JFHBETH/TvFEv4mXRs35xAuz538Dv87VC5LgqPUK9VFMmn4n24FMYJjbGLFOQhtXRQVWh+mEJWImk8GR1VVAMislPwYFtyyuzxNYniAaZ3xDxOhV9P/83IdBKnRiMsv6g=
Received: from DB8PR06CA0014.eurprd06.prod.outlook.com (2603:10a6:10:100::27)
 by AM0PR08MB5345.eurprd08.prod.outlook.com (2603:10a6:208:18c::21) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4544.14; Thu, 30 Sep
 2021 15:41:10 +0000
Received: from DB5EUR03FT032.eop-EUR03.prod.protection.outlook.com
 (2603:10a6:10:100:cafe::eb) by DB8PR06CA0014.outlook.office365.com
 (2603:10a6:10:100::27) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4566.14 via Frontend
 Transport; Thu, 30 Sep 2021 15:41:10 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123)
 smtp.mailfrom=arm.com; edk2.groups.io; dkim=pass (signature was verified)
 header.d=armh.onmicrosoft.com;edk2.groups.io; dmarc=pass action=none
 header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates
 63.35.35.123 as permitted sender) receiver=protection.outlook.com;
 client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by
 DB5EUR03FT032.mail.protection.outlook.com (10.152.20.162) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.4566.14 via Frontend Transport; Thu, 30 Sep 2021 15:41:10 +0000
Received: ("Tessian outbound a77cafe56b47:v103"); Thu, 30 Sep 2021 15:41:10 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 6dcd7b79597f4bab
X-CR-MTA-TID: 64aa7808
Received: from 95dc3a3cb880.1
	by 64aa7808-outbound-1.mta.getcheckrecipient.com id 00B01390-6698-46CA-87FC-E673E296383D.1;
	Thu, 30 Sep 2021 15:40:55 +0000
Received: from EUR04-HE1-obe.outbound.protection.outlook.com
    by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 95dc3a3cb880.1
    (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
    Thu, 30 Sep 2021 15:40:55 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=aiXb3zNsP8jX7scIgWgG/ar7AYXXQuMuJg8mvftb1XDm6ni+VHS5ur3fCGFzyMm2O1QMQQ48PZGG++gN6AxqpPNBPfD0hKyWSW2u8fbcNuaX+WU1P9uzTRWpDcf3rAPLmH4t6Jq9yULCgQjQPbPbgxzIYeMjzEIKed2zXG+uLoznEB+ysw8+rqS9EVI61+jc+nROA8bdGG5BFGgFSPgC0KNlbmQ/RiheAnzIopHi0ZWkn3/c6lMB2l52OgbAWvTCLTpHzoPO+ZIX10r/gHpZk+msGOPiFzL004/5EuvVBOQyZxqtFH+PDPo3FxH0yI18ZNz+pOyg8I4ckagyT5TFJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=p6JhvCjo59bf93LTkD8I71T4gGXx2QudePiVa7FiZYk=;
 b=hrF0nf+/0hzLdi5L1mRLUn8kEvI0uXYEu3KCzaTfXeRqfFXoaoMz0K5mQL9NUGygCRBQQWJ7BvywoG67WpljoYp66hOOxfU+jtUAO/7YZugFKjA40RuGdUN/YJ51Ul3sgiZ2bmGF5XeG6G6NUznigg0mOmi8Niw2/GqVg46tBTKgIpcqKt1Ut+lWiPd6v+sRsgwxlpP/5OWcHT1zt4J+rv37tXIQuq2tR/D2C2UtyjvDkICse6qSAo7h8+WK9kCigBLGa4/ds2ki70EYvr2k0vGULC3rSlXtwmjjqUPmlJestFLbyphlIquM9DgcCY1v+FlFs1RAXucPaoP5b78t8g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 40.67.248.234) smtp.rcpttodomain=edk2.groups.io smtp.mailfrom=arm.com;
 dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com;
 dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com;
 s=selector2-armh-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=p6JhvCjo59bf93LTkD8I71T4gGXx2QudePiVa7FiZYk=;
 b=CdbR1LcKzS5/32j7V+EAYPd6Q4a1eyqCg2s5YjTWg3JFHBETH/TvFEv4mXRs35xAuz538Dv87VC5LgqPUK9VFMmn4n24FMYJjbGLFOQhtXRQVWh+mEJWImk8GR1VVAMislPwYFtyyuzxNYniAaZ3xDxOhV9P/83IdBKnRiMsv6g=
Received: from DB6PR07CA0078.eurprd07.prod.outlook.com (2603:10a6:6:2b::16) by
 DB8PR08MB5068.eurprd08.prod.outlook.com (2603:10a6:10:e9::12) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.4544.21; Thu, 30 Sep 2021 15:40:51 +0000
Received: from DB5EUR03FT050.eop-EUR03.prod.protection.outlook.com
 (2603:10a6:6:2b:cafe::10) by DB6PR07CA0078.outlook.office365.com
 (2603:10a6:6:2b::16) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4587.7 via Frontend
 Transport; Thu, 30 Sep 2021 15:40:51 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 40.67.248.234)
 smtp.mailfrom=arm.com; edk2.groups.io; dkim=none (message not signed)
 header.d=none;edk2.groups.io; dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates
 40.67.248.234 as permitted sender) receiver=protection.outlook.com;
 client-ip=40.67.248.234; helo=nebula.arm.com;
Received: from nebula.arm.com (40.67.248.234) by
 DB5EUR03FT050.mail.protection.outlook.com (10.152.21.128) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.20.4566.14 via Frontend Transport; Thu, 30 Sep 2021 15:40:51 +0000
Received: from AZ-NEU-EX03.Arm.com (10.251.24.31) by AZ-NEU-EX04.Arm.com
 (10.251.24.32) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.14; Thu, 30 Sep
 2021 15:40:51 +0000
Received: from E114225.Arm.com (10.1.196.43) by mail.arm.com (10.251.24.31)
 with Microsoft SMTP Server id 15.1.2308.14 via Frontend Transport; Thu, 30
 Sep 2021 15:40:51 +0000
From: "Sami Mujawar" <sami.mujawar@arm.com>
To: <devel@edk2.groups.io>
CC: Sami Mujawar <sami.mujawar@arm.com>, <ardb+tianocore@kernel.org>,
	<leif@nuviainc.com>, <rebecca@bsdio.com>, <kraxel@redhat.com>,
	<michael.d.kinney@intel.com>, <gaoliming@byosoft.com.cn>,
	<zhiguang.liu@intel.com>, <jiewen.yao@intel.com>, <jian.j.wang@intel.com>,
	<Matteo.Carlini@arm.com>, <Akanksha.Jain2@arm.com>, <Ben.Adderson@arm.com>,
	<nd@arm.com>
Subject: [PATCH v1 8/9] SecurityPkg: Add RawAlgorithm support using TRNG library
Date: Thu, 30 Sep 2021 16:40:43 +0100
Message-ID: <20210930154044.37336-9-sami.mujawar@arm.com>
X-Mailer: git-send-email 2.16.2.windows.1
In-Reply-To: <20210930154044.37336-1-sami.mujawar@arm.com>
References: <20210930154044.37336-1-sami.mujawar@arm.com>
MIME-Version: 1.0
X-EOPAttributedMessage: 1
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: ed14579b-2354-46cc-e050-08d98428b9d8
X-MS-TrafficTypeDiagnostic: DB8PR08MB5068:|AM0PR08MB5345:
X-Microsoft-Antispam-PRVS: 
	<AM0PR08MB534552566254E32DA55B3FF084AA9@AM0PR08MB5345.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
NoDisclaimer: true
X-MS-Oob-TLC-OOBClassifiers: OLM:8273;OLM:8273;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: 
 1GpRqM3YNNvi1WvtpqOnODv+maSpTMwiCZEzChRrKabJRk1dr6vgva6tiQmBwUShf10FSimbW3eVgHYZ5hEcbRhPVVEjY+Xm5bcnF58wqM6mNmHhyMUmNXfFbUJRWTY0sF+IpSrUNXiHyaDc6KSCoBRa4+YP7EdJlctyAf2/rq66VUY9C9Z/HSEB9xpQEW7ysZ+WUYIVa5wrUxhe2m6kZwUw9LOahp2DPiAhCreuNxedWZFNRBBe9ao1CuLSzYp43oc1sgJ9mhs1SqGYsTio/MPOhDxfN2FAGcvMPXAYSPeZ+p06o63RAdl/MDPlVtQXXbgHIonRn3z7VIQgpkg+KwH0CdKiRlVgEh5AxFde5JEWZ4GlCUxtNHRfYBsR3vEGKSi9lexv5EY4X76JJLOCYVJGFGSzdWbF8MZxqOBSIiF2IlUM9uW08NPtchaw/MAHOUEdnzRuWIM2ilYQ274+IyliPDR8U8jvJ/aqc9FY5/Dg7aNOx2GnRINW9mMfmaR1CPqEbwnlkJ/UtY3o7vTzI2+C0V4Nq5FWaai4L2J5KwXh0wbDfHcpIW8vOLxO/CkVeWcBIYl6MmNtqxB9E5oxkG2JbcIZRJY9EaLo/F63+Vcfma43e0OI3oazoY3/UyWJ1Qq6d/Xt0H/ttTrhvHnnakFruKg30TcMYUYgQMLJneBgabS/KQVZHMpej56GqVrGVgzszSxrd/9Xd+8Nbs70urKgh6lqvJ8Khb7gfuESFohQShhIZyVqRi2iqo+NstlvwDxNopFaFLB0//eY3LjP3IXRk0P1GTyviYS2JTrbs7Ahpk7W5z+y23fZ4Zq+6Uub
X-Forefront-Antispam-Report-Untrusted: 
 CIP:40.67.248.234;CTRY:IE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:nebula.arm.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(4636009)(46966006)(36840700001)(47076005)(186003)(5660300002)(54906003)(356005)(19627235002)(70206006)(86362001)(30864003)(26005)(70586007)(8936002)(7696005)(36860700001)(81166007)(36756003)(83380400001)(44832011)(316002)(8676002)(4326008)(7416002)(6666004)(2906002)(2616005)(82310400003)(6916009)(426003)(336012)(1076003)(15650500001)(508600001)(36900700001);DIR:OUT;SFP:1101;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR08MB5068
Return-Path: Sami.Mujawar@arm.com
X-MS-Exchange-Transport-CrossTenantHeadersStripped: 
 DB5EUR03FT032.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 
	5b7a8bd0-1b02-4a32-a3e5-08d98428aefd
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
	FpZEpiqCuaKWLH+EFyo3TJeUeAA2aKemlpQOgDp07rJZiwKg+XiNWAg1CfE8GAmUsvekuRG2f6N18RYE2FwM9/Clrcyl4kXjPZVYDbZy0IckY+Ga6r7JU6QK2H6t2IbAE4vI/bzC8e82Xvbd4qH/kjEVxgwIx+Z1T3mAnD8/OHBTVVlJUqnNOLmzW3vbEUJC+D9I7DOA5141pF+1Ez3aZj1ADQ4+MA0j5F1gp/IHp8e+b5f/SGPNfiMg2Kxbb8DNT3+jbg2vkriwFzr2dFohVkCrnbx4NpfEfz3dGx+lHPk0mHhx6MsnGgE/+OEPgrLj/CNCJxWNasyCq/p3qhLsO+8cxHf/lbLVf7W1oy8zt35PmhGQ2KtdBDWEpSpd2NoSTzH+MLKxhfQ7QQ+oiwnAwd/01d1oNhxxDa6ZCamNDyXLVDQI61COWfLRZ2sM+GUB8xBQJEQ33uyPzzCVo0DbLfM8wjl6fvtaPHs+YgfXJfJJjK7JXeelBKWHt5IIDhPCHjhXiSqoKVcYprBNXKvpSe9h3NdmtiHn7dg0c7EjdC7Tj6nJpJe7Aq03aW7D8DHuaNhyBRvo/yWqLJ5bTL8bCIvk5Ah/7sV2ULXPjN4QDasDQZXBIWiLIrA1MObwzF8awl4oPpIxjhtgTcIvYGH5jpnk1u8gcM3zqglG3EXMGu6sSPdx7daXZyC30CFHlBSOIdmoD1RcKr+cYkgYBPlABhreoi2t45O1HSur2OLLBnrTZhvMaWQHnseebHctpI0xN9fDyAjlg5c5sFHlzeCRbCoJmTk2QDyyG+m/Jx5ZvKM=
X-Forefront-Antispam-Report: 
	CIP:63.35.35.123;CTRY:IE;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:64aa7808-outbound-1.mta.getcheckrecipient.com;PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com;CAT:NONE;SFS:(4636009)(46966006)(36840700001)(81166007)(47076005)(83380400001)(2906002)(36860700001)(15650500001)(8936002)(316002)(54906003)(70206006)(70586007)(7696005)(44832011)(8676002)(19627235002)(26005)(186003)(4326008)(86362001)(508600001)(2616005)(6916009)(30864003)(336012)(6666004)(426003)(5660300002)(1076003)(36756003)(82310400003);DIR:OUT;SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Sep 2021 15:41:10.1112
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: ed14579b-2354-46cc-e050-08d98428b9d8
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d;Ip=[63.35.35.123];Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	DB5EUR03FT032.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB5345
Content-Type: text/plain

Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668)

RawAlgorithm is used to provide access to entropy that is suitable
for cryptographic applications. Therefore, add RawAlgorithm support
that provides access to entropy using the TRNG library interface.

Signed-off-by: Sami Mujawar <sami.mujawar@arm.com>
---
 SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c  |  79 ++++++++--
 SecurityPkg/RandomNumberGenerator/RngDxe/Arm/RngDxe.c      | 164 ++++++++++++++++++++
 SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c         |  61 ++++++++
 SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c          |   2 +-
 SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf        |  12 +-
 SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h |   1 +
 SecurityPkg/SecurityPkg.dsc                                |  12 +-
 7 files changed, 318 insertions(+), 13 deletions(-)

diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
index 282fdca9d334b77e02ca47734df08729e0f4fd31..bae15adf3435897cdb7e781bfb27e2932b5a7dd7 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
@@ -1,11 +1,12 @@
 /** @file
   RNG Driver to produce the UEFI Random Number Generator protocol.
 
-  The driver will use the RNDR instruction to produce random numbers.
+  The driver will use the RNDR instruction to produce random numbers. It also
+  uses the Arm FW-TRNG interface to implement EFI_RNG_ALGORITHM_RAW.
 
   RNG Algorithms defined in UEFI 2.4:
    - EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID
-   - EFI_RNG_ALGORITHM_RAW                    - Unsupported
+   - EFI_RNG_ALGORITHM_RAW
    - EFI_RNG_ALGORITHM_SP800_90_HMAC_256_GUID
    - EFI_RNG_ALGORITHM_SP800_90_HASH_256_GUID
    - EFI_RNG_ALGORITHM_X9_31_3DES_GUID        - Unsupported
@@ -14,15 +15,17 @@
   Copyright (c) 2021, NUVIA Inc. All rights reserved.<BR>
   Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
   (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
+  Copyright (c) 2021, Arm Limited. All rights reserved.<BR>
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
 
+#include <Guid/NullGuid.h>
 #include <Library/BaseLib.h>
 #include <Library/BaseMemoryLib.h>
-#include <Library/UefiBootServicesTableLib.h>
-#include <Library/TimerLib.h>
+#include <Library/DebugLib.h>
+#include <Library/TrngLib.h>
 #include <Protocol/Rng.h>
 
 #include "RngDxeInternals.h"
@@ -58,7 +61,9 @@ RngGetRNG (
   OUT UINT8                      *RNGValue
   )
 {
-  EFI_STATUS    Status;
+  EFI_STATUS  Status;
+  UINT16      MajorRevision;
+  UINT16      MinorRevision;
 
   if ((RNGValueLength == 0) || (RNGValue == NULL)) {
     return EFI_INVALID_PARAMETER;
@@ -76,6 +81,17 @@ RngGetRNG (
     return Status;
   }
 
+  //
+  // The "raw" algorithm is intended to provide entropy directly
+  //
+  if (CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw)) {
+    Status = GetTrngVersion (&MajorRevision, &MinorRevision);
+    if (EFI_ERROR (Status)) {
+      return EFI_UNSUPPORTED;
+    }
+    return GenerateEntropy (RNGValueLength, RNGValue);
+  }
+
   //
   // Other algorithms are unsupported by this driver.
   //
@@ -97,8 +113,9 @@ RngGetRNG (
                                       is the default algorithm for the driver.
 
   @retval EFI_SUCCESS                 The RNG algorithm list was returned successfully.
+  @retval EFI_UNSUPPORTED             No supported algorithms found.
   @retval EFI_BUFFER_TOO_SMALL        The buffer RNGAlgorithmList is too small to hold the result.
-
+  @retval EFI_INVALID_PARAMETER       The pointer to the buffer RNGAlgorithmList is invalid.
 **/
 UINTN
 EFIAPI
@@ -107,19 +124,61 @@ ArchGetSupportedRngAlgorithms (
   OUT    EFI_RNG_ALGORITHM         *RNGAlgorithmList
   )
 {
-  UINTN RequiredSize;
+  EFI_STATUS  Status;
+  UINT16      MajorRevision;
+  UINT16      MinorRevision;
+  UINTN       RequiredSize;
+  BOOLEAN     CpuRngAlgorithmSupported;
+  BOOLEAN     RawAlgorithmSupported;
+  UINTN       Index;
   EFI_RNG_ALGORITHM *CpuRngSupportedAlgorithm;
 
-  RequiredSize = sizeof (EFI_RNG_ALGORITHM);
+  RequiredSize = 0;
+  CpuRngAlgorithmSupported = FALSE;
+  RawAlgorithmSupported = FALSE;
+
+  CpuRngSupportedAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
+  if (!CompareGuid (CpuRngSupportedAlgorithm, &gNullGuid)) {
+    CpuRngAlgorithmSupported = TRUE;
+    RequiredSize += sizeof (EFI_RNG_ALGORITHM);
+  }
+
+  Status = GetTrngVersion (&MajorRevision, &MinorRevision);
+  if (!EFI_ERROR (Status)) {
+    RawAlgorithmSupported = TRUE;
+    RequiredSize += sizeof (EFI_RNG_ALGORITHM);
+  }
 
   if (*RNGAlgorithmListSize < RequiredSize) {
     *RNGAlgorithmListSize = RequiredSize;
     return EFI_BUFFER_TOO_SMALL;
   }
 
-  CpuRngSupportedAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
+  if (RequiredSize == 0) {
+    // No supported algorithms found.
+    return EFI_UNSUPPORTED;
+  }
 
-  CopyMem(&RNGAlgorithmList[0], CpuRngSupportedAlgorithm, sizeof (EFI_RNG_ALGORITHM));
+  if (RNGAlgorithmList == NULL) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  Index = 0;
+  if (CpuRngAlgorithmSupported) {
+    CopyMem (
+      &RNGAlgorithmList[Index++],
+      CpuRngSupportedAlgorithm,
+      sizeof (EFI_RNG_ALGORITHM)
+      );
+  }
+
+  if (RawAlgorithmSupported) {
+    CopyMem (
+      &RNGAlgorithmList[Index++],
+      &gEfiRngAlgorithmRaw,
+      sizeof (EFI_RNG_ALGORITHM)
+      );
+  }
 
   *RNGAlgorithmListSize = RequiredSize;
   return EFI_SUCCESS;
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Arm/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Arm/RngDxe.c
new file mode 100644
index 0000000000000000000000000000000000000000..1f03beec5e5766bb9ca749ad15106928b092c1c3
--- /dev/null
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Arm/RngDxe.c
@@ -0,0 +1,164 @@
+/** @file
+  RNG Driver to produce the UEFI Random Number Generator protocol.
+
+  The driver implements the EFI_RNG_ALGORITHM_RAW using the FW-TRNG
+  interface to provide entropy.
+
+  RNG Algorithms defined in UEFI 2.4:
+   - EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID
+   - EFI_RNG_ALGORITHM_RAW
+   - EFI_RNG_ALGORITHM_SP800_90_HMAC_256_GUID
+   - EFI_RNG_ALGORITHM_SP800_90_HASH_256_GUID
+   - EFI_RNG_ALGORITHM_X9_31_3DES_GUID        - Unsupported
+   - EFI_RNG_ALGORITHM_X9_31_AES_GUID         - Unsupported
+
+  Copyright (c) 2021, Arm Limited. All rights reserved.<BR>
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Guid/NullGuid.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/TrngLib.h>
+#include <Protocol/Rng.h>
+
+#include "RngDxeInternals.h"
+
+/**
+  Produces and returns an RNG value using either the default or specified
+  RNG algorithm.
+
+  @param[in]  This                  A pointer to the EFI_RNG_PROTOCOL instance.
+  @param[in]  RNGAlgorithm          A pointer to the EFI_RNG_ALGORITHM that
+                                    identifies the RNG algorithm to use. May be
+                                    NULL in which case the function will use its
+                                    default RNG algorithm.
+  @param[in]  RNGValueLength        The length in bytes of the memory buffer
+                                    pointed to by RNGValue. The driver shall
+                                    return exactly this numbers of bytes.
+  @param[out] RNGValue              A caller-allocated memory buffer filled by
+                                    the driver with the resulting RNG value.
+
+  @retval EFI_SUCCESS               The RNG value was returned successfully.
+  @retval EFI_UNSUPPORTED           The algorithm specified by RNGAlgorithm is
+                                    not supported by this driver.
+  @retval EFI_DEVICE_ERROR          An RNG value could not be retrieved due to
+                                    a hardware or firmware error.
+  @retval EFI_NOT_READY             There is not enough random data available
+                                    to satisfy the length requested by
+                                    RNGValueLength.
+  @retval EFI_INVALID_PARAMETER     RNGValue is NULL or RNGValueLength is zero.
+
+**/
+EFI_STATUS
+EFIAPI
+RngGetRNG (
+  IN EFI_RNG_PROTOCOL            *This,
+  IN EFI_RNG_ALGORITHM           *RNGAlgorithm, OPTIONAL
+  IN UINTN                       RNGValueLength,
+  OUT UINT8                      *RNGValue
+  )
+{
+  EFI_STATUS  Status;
+  UINT16      MajorRevision;
+  UINT16      MinorRevision;
+
+  if ((RNGValueLength == 0) || (RNGValue == NULL)) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  if (RNGAlgorithm == NULL) {
+    //
+    // Use the default RNG algorithm if RNGAlgorithm is NULL.
+    //
+    RNGAlgorithm = &gEfiRngAlgorithmRaw;
+  }
+
+  //
+  // The "raw" algorithm is intended to provide entropy directly
+  //
+  if (CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw)) {
+    Status = GetTrngVersion (&MajorRevision, &MinorRevision);
+    if (EFI_ERROR (Status)) {
+      return EFI_UNSUPPORTED;
+    }
+    return GenerateEntropy (RNGValueLength, RNGValue);
+  }
+
+  //
+  // Other algorithms are unsupported by this driver.
+  //
+  return EFI_UNSUPPORTED;
+}
+
+/**
+  Returns information about the random number generation implementation.
+
+  @param[in,out] RNGAlgorithmListSize On input, the size in bytes of
+                                      RNGAlgorithmList.
+                                      On output with a return code of
+                                      EFI_SUCCESS, the size in bytes of the
+                                      data returned in RNGAlgorithmList.
+                                      On output with a return code of
+                                      EFI_BUFFER_TOO_SMALL, the size of
+                                      RNGAlgorithmList required to obtain the
+                                      list.
+  @param[out] RNGAlgorithmList        A caller-allocated memory buffer filled
+                                      by the driver with one EFI_RNG_ALGORITHM
+                                      element for each supported RNG algorithm.
+                                      The list must not change across multiple
+                                      calls to the same driver. The first
+                                      algorithm in the list is the default
+                                      algorithm for the driver.
+
+  @retval EFI_SUCCESS                 The RNG algorithm list was returned
+                                      successfully.
+  @retval EFI_UNSUPPORTED             No supported algorithms found.
+  @retval EFI_BUFFER_TOO_SMALL        The buffer RNGAlgorithmList is too small
+                                      to hold the result.
+  @retval EFI_INVALID_PARAMETER       The pointer to the buffer RNGAlgorithmList
+                                      is invalid.
+**/
+UINTN
+EFIAPI
+ArchGetSupportedRngAlgorithms (
+  IN OUT UINTN                     *RNGAlgorithmListSize,
+  OUT    EFI_RNG_ALGORITHM         *RNGAlgorithmList
+  )
+{
+  EFI_STATUS  Status;
+  UINTN       RequiredSize;
+  UINT16      MajorRevision;
+  UINT16      MinorRevision;
+
+  RequiredSize = 0;
+
+  Status = GetTrngVersion (&MajorRevision, &MinorRevision);
+  if (EFI_ERROR (Status)) {
+    // No supported algorithms found.
+    return EFI_UNSUPPORTED;
+  }
+
+  RequiredSize += sizeof (EFI_RNG_ALGORITHM);
+
+  if (*RNGAlgorithmListSize < RequiredSize) {
+    *RNGAlgorithmListSize = RequiredSize;
+    return EFI_BUFFER_TOO_SMALL;
+  }
+
+  if (RNGAlgorithmList == NULL) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  CopyMem (
+    &RNGAlgorithmList[0],
+    &gEfiRngAlgorithmRaw,
+    sizeof (EFI_RNG_ALGORITHM)
+    );
+
+  *RNGAlgorithmListSize = RequiredSize;
+  return EFI_SUCCESS;
+}
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
new file mode 100644
index 0000000000000000000000000000000000000000..8df37d82e2051854f74816711a14ee23472f6b41
--- /dev/null
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
@@ -0,0 +1,61 @@
+/** @file
+  Arm FW-TRNG interface helper common for AArch32 and AArch64.
+
+  Copyright (c) 2021, Arm Limited. All rights reserved.<BR>
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/TrngLib.h>
+
+/**
+  Generate high-quality entropy source using a TRNG.
+
+  @param[in]   Length        Size of the buffer, in bytes, to fill with.
+  @param[out]  Entropy       Pointer to the buffer to store the entropy data.
+
+  @retval EFI_SUCCESS        Entropy generation succeeded.
+  @retval EFI_NOT_READY      Failed to request random data.
+
+**/
+EFI_STATUS
+EFIAPI
+GenerateEntropy (
+  IN  UINTN        Length,
+  OUT UINT8        *Entropy
+  )
+{
+  EFI_STATUS  Status;
+  UINTN       CollectedEntropyBits;
+  UINTN       RequiredEntropyBits;
+  UINTN       EntropyBits;
+  UINTN       Index;
+  UINTN       MaxBits;
+
+  ZeroMem (Entropy, Length);
+
+  RequiredEntropyBits = (Length << 3);
+  Index = 0;
+  CollectedEntropyBits = 0;
+  MaxBits = GetTrngMaxSupportedEntropyBits ();
+  while (CollectedEntropyBits < RequiredEntropyBits) {
+    EntropyBits = MIN ((RequiredEntropyBits - CollectedEntropyBits), MaxBits);
+    Status = GetEntropy (
+               EntropyBits,
+               &Entropy[Index],
+               (Length - Index)
+               );
+    if (EFI_ERROR (Status)) {
+      // Discard the collected bits.
+      ZeroMem (Entropy, Length);
+      return Status;
+    }
+    CollectedEntropyBits += EntropyBits;
+    Index += (EntropyBits >> 3);
+  } // while
+
+  return Status;
+}
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
index 2e3b714bc691e4e517866369c034b721fbccfa24..b7ac0baf3f8216c9a86029b3037bfe4fd59269f6 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
@@ -45,7 +45,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
                                       is the default algorithm for the driver.
 
   @retval EFI_SUCCESS                 The RNG algorithm list was returned successfully.
-  @retval EFI_UNSUPPORTED             The services is not supported by this driver.
+  @retval EFI_UNSUPPORTED             No supported algorithms found.
   @retval EFI_DEVICE_ERROR            The list of algorithms could not be retrieved due to a
                                       hardware or firmware error.
   @retval EFI_INVALID_PARAMETER       One or more of the parameters are incorrect.
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
index ef5cd73273e68c67bec7411279bb8433c45ab2d4..6c78948f4659f93203abde1de8bfbd280ea47e29 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
@@ -10,6 +10,7 @@
 #
 #  Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
 #  (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
+#  Copyright (c) 2021, Arm Limited. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -26,7 +27,7 @@ [Defines]
 #
 # The following information is for reference only and not required by the build tools.
 #
-#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
+#  VALID_ARCHITECTURES           = IA32 X64 AARCH64 ARM
 #
 
 [Sources.common]
@@ -41,6 +42,11 @@ [Sources.IA32, Sources.X64]
 
 [Sources.AARCH64]
   AArch64/RngDxe.c
+  ArmTrng.c
+
+[Sources.ARM]
+  Arm/RngDxe.c
+  ArmTrng.c
 
 [Packages]
   MdePkg/MdePkg.dec
@@ -55,6 +61,9 @@ [LibraryClasses]
   TimerLib
   RngLib
 
+[LibraryClasses.AARCH64, LibraryClasses.ARM]
+  TrngLib
+
 [Guids]
   gEfiRngAlgorithmSp80090Hash256Guid  ## SOMETIMES_PRODUCES    ## GUID        # Unique ID of the algorithm for RNG
   gEfiRngAlgorithmSp80090Hmac256Guid  ## SOMETIMES_PRODUCES    ## GUID        # Unique ID of the algorithm for RNG
@@ -62,6 +71,7 @@ [Guids]
   gEfiRngAlgorithmX9313DesGuid        ## SOMETIMES_PRODUCES    ## GUID        # Unique ID of the algorithm for RNG
   gEfiRngAlgorithmX931AesGuid         ## SOMETIMES_PRODUCES    ## GUID        # Unique ID of the algorithm for RNG
   gEfiRngAlgorithmRaw                 ## SOMETIMES_PRODUCES    ## GUID        # Unique ID of the algorithm for RNG
+  gNullGuid                           ## CONSUMES
 
 [Protocols]
   gEfiRngProtocolGuid                ## PRODUCES
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
index 37c27c4094e5302dfe2e7d9bbeef33a24b0c73ea..8978d54f51d4e72ad881ee584e16dcdda72a66ae 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
@@ -89,6 +89,7 @@ RngGetRNG (
                                       is the default algorithm for the driver.
 
   @retval EFI_SUCCESS                 The RNG algorithm list was returned successfully.
+  @retval EFI_UNSUPPORTED             No supported algorithms found.
   @retval EFI_BUFFER_TOO_SMALL        The buffer RNGAlgorithmList is too small to hold the result.
   @retval EFI_INVALID_PARAMETER       The pointer to the buffer RNGAlgorithmList is invalid.
 **/
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index f1f678c492b343651c63c075a1d601385d1c2b06..28c9d4328069a8457e5591a05e5dab8d3a8262d8 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -3,6 +3,7 @@
 #
 # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.<BR>
 # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP<BR>
+# Copyright (c) 2021, Arm Limited. All rights reserved.<BR>
 # SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -84,6 +85,15 @@ [LibraryClasses.ARM, LibraryClasses.AARCH64]
   # Add support for GCC stack protector
   NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf
 
+  # Arm FW-TRNG interface library.
+  TrngLib|ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.inf
+  ArmSmcLib|ArmPkg/Library/ArmSmcLib/ArmSmcLib.inf
+  ArmHvcLib|ArmPkg/Library/ArmHvcLib/ArmHvcLib.inf
+
+[LibraryClasses.ARM]
+  ArmSoftFloatLib|ArmPkg/Library/ArmSoftFloatLib/ArmSoftFloatLib.inf
+  RngLib|MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf
+
 [LibraryClasses.common.PEIM]
   PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf
   PeiServicesLib|MdePkg/Library/PeiServicesLib/PeiServicesLib.inf
@@ -268,7 +278,7 @@ [Components.IA32, Components.X64, Components.ARM, Components.AARCH64]
   SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
   SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 
-[Components.IA32, Components.X64, Components.AARCH64]
+[Components.IA32, Components.X64, Components.AARCH64, Components.ARM]
   #
   # Random Number Generator
   #
-- 
'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'