From: "Sami Mujawar"
CC: Sami Mujawar
Subject: [PATCH v2 7/8] SecurityPkg: Add RawAlgorithm support using TRNG library
Date: Tue, 16 Nov 2021 11:32:59 +0000
Message-ID: <20211116113301.31088-8-sami.mujawar@arm.com>
X-Mailer: git-send-email 2.16.2.windows.1
In-Reply-To: <20211116113301.31088-1-sami.mujawar@arm.com>
References: <20211116113301.31088-1-sami.mujawar@arm.com>

Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668)

RawAlgorithm is used to provide access to entropy that is suitable
for cryptographic applications. Therefore, add RawAlgorithm support
that provides access to entropy using the TRNG library interface.

Signed-off-by: Sami Mujawar --- Notes: v2: - MdeModulePkg\Include\Guid\ZeroGuid.h has defined [LIMING] gZeroGuid. You don't define it again. - Replaced use of gNullGuid with gZeroGuid. [SAMI] SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c | 79 ++++++++-- SecurityPkg/RandomNumberGenerator/RngDxe/Arm/RngDxe.c | 163 ++++++++++++++++++++ SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c | 61 ++++++++ SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c | 2 +- SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf | 13 +- SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h | 1 + SecurityPkg/SecurityPkg.dsc | 8 +- 7 files changed, 314 insertions(+), 13 deletions(-) diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c index 282fdca9d334b77e02ca47734df08729e0f4fd31..d1c8f4c69b4d65c10141da320d44cd8f01bb0c74 100644 --- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c @@ -1,11 +1,12 @@ /** @file RNG Driver to produce the UEFI Random Number Generator protocol. - The driver will use the RNDR instruction to produce random numbers. + The driver will use the RNDR instruction to produce random numbers. It also + uses the Arm FW-TRNG interface to implement EFI_RNG_ALGORITHM_RAW. RNG Algorithms defined in UEFI 2.4: - EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID - - EFI_RNG_ALGORITHM_RAW - Unsupported + - EFI_RNG_ALGORITHM_RAW - EFI_RNG_ALGORITHM_SP800_90_HMAC_256_GUID - EFI_RNG_ALGORITHM_SP800_90_HASH_256_GUID - EFI_RNG_ALGORITHM_X9_31_3DES_GUID - Unsupported @@ -14,15 +15,17 @@ Copyright (c) 2021, NUVIA Inc. All rights reserved.
Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
(C) Copyright 2015 Hewlett Packard Enterprise Development LP
+ Copyright (c) 2021, Arm Limited. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include #include #include -#include -#include +#include +#include #include #include "RngDxeInternals.h" @@ -58,7 +61,9 @@ RngGetRNG ( OUT UINT8 *RNGValue ) { - EFI_STATUS Status; + EFI_STATUS Status; + UINT16 MajorRevision; + UINT16 MinorRevision; if ((RNGValueLength == 0) || (RNGValue == NULL)) { return EFI_INVALID_PARAMETER; @@ -76,6 +81,17 @@ RngGetRNG ( return Status; } + // + // The "raw" algorithm is intended to provide entropy directly + // + if (CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw)) { + Status = GetTrngVersion (&MajorRevision, &MinorRevision); + if (EFI_ERROR (Status)) { + return EFI_UNSUPPORTED; + } + return GenerateEntropy (RNGValueLength, RNGValue); + } + // // Other algorithms are unsupported by this driver. // @@ -97,8 +113,9 @@ RngGetRNG ( is the default algorithm for the driver. @retval EFI_SUCCESS The RNG algorithm list was returned successfully. + @retval EFI_UNSUPPORTED No supported algorithms found. @retval EFI_BUFFER_TOO_SMALL The buffer RNGAlgorithmList is too small to hold the result. - + @retval EFI_INVALID_PARAMETER The pointer to the buffer RNGAlgorithmList is invalid. **/ UINTN EFIAPI 
@@ -107,19 +124,61 @@ ArchGetSupportedRngAlgorithms ( OUT EFI_RNG_ALGORITHM *RNGAlgorithmList ) { - UINTN RequiredSize; + EFI_STATUS Status; + UINT16 MajorRevision; + UINT16 MinorRevision; + UINTN RequiredSize; + BOOLEAN CpuRngAlgorithmSupported; + BOOLEAN RawAlgorithmSupported; + UINTN Index; EFI_RNG_ALGORITHM *CpuRngSupportedAlgorithm; - RequiredSize = sizeof (EFI_RNG_ALGORITHM); + RequiredSize = 0; + CpuRngAlgorithmSupported = FALSE; + RawAlgorithmSupported = FALSE; + + CpuRngSupportedAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm); + if (!CompareGuid (CpuRngSupportedAlgorithm, &gZeroGuid)) { + CpuRngAlgorithmSupported = TRUE; + RequiredSize += sizeof (EFI_RNG_ALGORITHM); + } + + Status = GetTrngVersion (&MajorRevision, &MinorRevision); + if (!EFI_ERROR (Status)) { + RawAlgorithmSupported = TRUE; + RequiredSize += sizeof (EFI_RNG_ALGORITHM); + } if (*RNGAlgorithmListSize < RequiredSize) { *RNGAlgorithmListSize = RequiredSize; return EFI_BUFFER_TOO_SMALL; } - CpuRngSupportedAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm); + if (RequiredSize == 0) { + // No supported algorithms found. + return EFI_UNSUPPORTED; + } - CopyMem(&RNGAlgorithmList[0], CpuRngSupportedAlgorithm, sizeof (EFI_RNG_ALGORITHM)); + if (RNGAlgorithmList == NULL) { + return EFI_INVALID_PARAMETER; + } + + Index = 0; + if (CpuRngAlgorithmSupported) { + CopyMem ( + &RNGAlgorithmList[Index++], + CpuRngSupportedAlgorithm, + sizeof (EFI_RNG_ALGORITHM) + ); + } + + if (RawAlgorithmSupported) { + CopyMem ( + &RNGAlgorithmList[Index++], + &gEfiRngAlgorithmRaw, + sizeof (EFI_RNG_ALGORITHM) + ); + } *RNGAlgorithmListSize = RequiredSize; return EFI_SUCCESS; diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Arm/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Arm/RngDxe.c new file mode 100644 index 0000000000000000000000000000000000000000..cba9883e50cefbb22495190d17de99bfeab33cf3 --- /dev/null +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Arm/RngDxe.c 
@@ -0,0 +1,163 @@ +/** @file + RNG Driver to produce the UEFI Random Number Generator protocol. + + The driver implements the EFI_RNG_ALGORITHM_RAW using the FW-TRNG + interface to provide entropy. + + RNG Algorithms defined in UEFI 2.4: + - EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID + - EFI_RNG_ALGORITHM_RAW + - EFI_RNG_ALGORITHM_SP800_90_HMAC_256_GUID + - EFI_RNG_ALGORITHM_SP800_90_HASH_256_GUID + - EFI_RNG_ALGORITHM_X9_31_3DES_GUID - Unsupported + - EFI_RNG_ALGORITHM_X9_31_AES_GUID - Unsupported + + Copyright (c) 2021, Arm Limited. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include + +#include "RngDxeInternals.h" + +/** + Produces and returns an RNG value using either the default or specified + RNG algorithm. + + @param[in] This A pointer to the EFI_RNG_PROTOCOL instance. + @param[in] RNGAlgorithm A pointer to the EFI_RNG_ALGORITHM that + identifies the RNG algorithm to use. May be + NULL in which case the function will use its + default RNG algorithm. + @param[in] RNGValueLength The length in bytes of the memory buffer + pointed to by RNGValue. The driver shall + return exactly this numbers of bytes. + @param[out] RNGValue A caller-allocated memory buffer filled by + the driver with the resulting RNG value. + + @retval EFI_SUCCESS The RNG value was returned successfully. + @retval EFI_UNSUPPORTED The algorithm specified by RNGAlgorithm is + not supported by this driver. + @retval EFI_DEVICE_ERROR An RNG value could not be retrieved due to + a hardware or firmware error. + @retval EFI_NOT_READY There is not enough random data available + to satisfy the length requested by + RNGValueLength. + @retval EFI_INVALID_PARAMETER RNGValue is NULL or RNGValueLength is zero. + +**/ +EFI_STATUS +EFIAPI +RngGetRNG ( + IN EFI_RNG_PROTOCOL *This, + IN EFI_RNG_ALGORITHM *RNGAlgorithm, OPTIONAL + IN UINTN RNGValueLength, + OUT UINT8 *RNGValue + ) +{ + EFI_STATUS Status; + UINT16 MajorRevision; + UINT16 MinorRevision; + + if ((RNGValueLength == 0) || (RNGValue == NULL)) { + return EFI_INVALID_PARAMETER; + } + + if (RNGAlgorithm == NULL) { + // + // Use the default RNG algorithm if RNGAlgorithm is NULL. 
+ // + RNGAlgorithm = &gEfiRngAlgorithmRaw; + } + + // + // The "raw" algorithm is intended to provide entropy directly + // + if (CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw)) { + Status = GetTrngVersion (&MajorRevision, &MinorRevision); + if (EFI_ERROR (Status)) { + return EFI_UNSUPPORTED; + } + return GenerateEntropy (RNGValueLength, RNGValue); + } + + // + // Other algorithms are unsupported by this driver. + // + return EFI_UNSUPPORTED; +} + +/** + Returns information about the random number generation implementation. + + @param[in,out] RNGAlgorithmListSize On input, the size in bytes of + RNGAlgorithmList. + On output with a return code of + EFI_SUCCESS, the size in bytes of the + data returned in RNGAlgorithmList. + On output with a return code of + EFI_BUFFER_TOO_SMALL, the size of + RNGAlgorithmList required to obtain the + list. + @param[out] RNGAlgorithmList A caller-allocated memory buffer filled + by the driver with one EFI_RNG_ALGORITHM + element for each supported RNG algorithm. + The list must not change across multiple + calls to the same driver. The first + algorithm in the list is the default + algorithm for the driver. + + @retval EFI_SUCCESS The RNG algorithm list was returned + successfully. + @retval EFI_UNSUPPORTED No supported algorithms found. + @retval EFI_BUFFER_TOO_SMALL The buffer RNGAlgorithmList is too small + to hold the result. + @retval EFI_INVALID_PARAMETER The pointer to the buffer RNGAlgorithmList + is invalid. +**/ +UINTN +EFIAPI +ArchGetSupportedRngAlgorithms ( + IN OUT UINTN *RNGAlgorithmListSize, + OUT EFI_RNG_ALGORITHM *RNGAlgorithmList + ) +{ + EFI_STATUS Status; + UINTN RequiredSize; + UINT16 MajorRevision; + UINT16 MinorRevision; + + RequiredSize = 0; + + Status = GetTrngVersion (&MajorRevision, &MinorRevision); + if (EFI_ERROR (Status)) { + // No supported algorithms found. 
+ return EFI_UNSUPPORTED; + } + + RequiredSize += sizeof (EFI_RNG_ALGORITHM); + + if (*RNGAlgorithmListSize < RequiredSize) { + *RNGAlgorithmListSize = RequiredSize; + return EFI_BUFFER_TOO_SMALL; + } + + if (RNGAlgorithmList == NULL) { + return EFI_INVALID_PARAMETER; + } + + CopyMem ( + &RNGAlgorithmList[0], + &gEfiRngAlgorithmRaw, + sizeof (EFI_RNG_ALGORITHM) + ); + + *RNGAlgorithmListSize = RequiredSize; + return EFI_SUCCESS; +} diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c new file mode 100644 index 0000000000000000000000000000000000000000..8df37d82e2051854f74816711a14ee23472f6b41 --- /dev/null +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c @@ -0,0 +1,61 @@ +/** @file + Arm FW-TRNG interface helper common for AArch32 and AArch64. + + Copyright (c) 2021, Arm Limited. All rights reserved.
+ + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include + +/** + Generate high-quality entropy source using a TRNG. + + @param[in] Length Size of the buffer, in bytes, to fill with. + @param[out] Entropy Pointer to the buffer to store the entropy data. + + @retval EFI_SUCCESS Entropy generation succeeded. + @retval EFI_NOT_READY Failed to request random data. + +**/ +EFI_STATUS +EFIAPI +GenerateEntropy ( + IN UINTN Length, + OUT UINT8 *Entropy + ) +{ + EFI_STATUS Status; + UINTN CollectedEntropyBits; + UINTN RequiredEntropyBits; + UINTN EntropyBits; + UINTN Index; + UINTN MaxBits; + + ZeroMem (Entropy, Length); + + RequiredEntropyBits = (Length << 3); + Index = 0; + CollectedEntropyBits = 0; + MaxBits = GetTrngMaxSupportedEntropyBits (); + while (CollectedEntropyBits < RequiredEntropyBits) { + EntropyBits = MIN ((RequiredEntropyBits - CollectedEntropyBits), MaxBits); + Status = GetEntropy ( + EntropyBits, + &Entropy[Index], + (Length - Index) + ); + if (EFI_ERROR (Status)) { + // Discard the collected bits. + ZeroMem (Entropy, Length); + return Status; + } + CollectedEntropyBits += EntropyBits; + Index += (EntropyBits >> 3); + } // while + + return Status; +} diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c index 2e3b714bc691e4e517866369c034b721fbccfa24..b7ac0baf3f8216c9a86029b3037bfe4fd59269f6 100644 --- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c 
@@ -45,7 +45,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent is the default algorithm for the driver. @retval EFI_SUCCESS The RNG algorithm list was returned successfully. - @retval EFI_UNSUPPORTED The services is not supported by this driver. + @retval EFI_UNSUPPORTED No supported algorithms found. @retval EFI_DEVICE_ERROR The list of algorithms could not be retrieved due to a hardware or firmware error. @retval EFI_INVALID_PARAMETER One or more of the parameters are incorrect. diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf index ef5cd73273e68c67bec7411279bb8433c45ab2d4..9f2e92512bfa48bd772c7f887a23453756421b80 100644 --- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf @@ -10,6 +10,7 @@ # # Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
# (C) Copyright 2015 Hewlett Packard Enterprise Development LP
+# Copyright (c) 2021, Arm Limited. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -26,7 +27,7 @@ [Defines] # # The following information is for reference only and not required by the build tools. # -# VALID_ARCHITECTURES = IA32 X64 AARCH64 +# VALID_ARCHITECTURES = IA32 X64 AARCH64 ARM # [Sources.common] @@ -41,8 +42,14 @@ [Sources.IA32, Sources.X64] [Sources.AARCH64] AArch64/RngDxe.c + ArmTrng.c + +[Sources.ARM] + Arm/RngDxe.c + ArmTrng.c [Packages] + MdeModulePkg/MdeModulePkg.dec MdePkg/MdePkg.dec SecurityPkg/SecurityPkg.dec @@ -55,6 +62,9 @@ [LibraryClasses] TimerLib RngLib +[LibraryClasses.AARCH64, LibraryClasses.ARM] + TrngLib + [Guids] gEfiRngAlgorithmSp80090Hash256Guid ## SOMETIMES_PRODUCES ## GUID # Unique ID of the algorithm for RNG gEfiRngAlgorithmSp80090Hmac256Guid ## SOMETIMES_PRODUCES ## GUID # Unique ID of the algorithm for RNG @@ -62,6 +72,7 @@ [Guids] gEfiRngAlgorithmX9313DesGuid ## SOMETIMES_PRODUCES ## GUID # Unique ID of the algorithm for RNG gEfiRngAlgorithmX931AesGuid ## SOMETIMES_PRODUCES ## GUID # Unique ID of the algorithm for RNG gEfiRngAlgorithmRaw ## SOMETIMES_PRODUCES ## GUID # Unique ID of the algorithm for RNG + gZeroGuid ## CONSUMES [Protocols] gEfiRngProtocolGuid ## PRODUCES diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h index 37c27c4094e5302dfe2e7d9bbeef33a24b0c73ea..8978d54f51d4e72ad881ee584e16dcdda72a66ae 100644 --- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h @@ -89,6 +89,7 @@ RngGetRNG ( is the default algorithm for the driver. @retval EFI_SUCCESS The RNG algorithm list was returned successfully. + @retval EFI_UNSUPPORTED No supported algorithms found. @retval EFI_BUFFER_TOO_SMALL The buffer RNGAlgorithmList is too small to hold the result. @retval EFI_INVALID_PARAMETER The pointer to the buffer RNGAlgorithmList is invalid. **/ 
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 73a93c2285b13a2e0ce45b08a1230a766e0d759a..63da3d8c92e5a2c559b7731dd6dc0654caab30b8 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -3,6 +3,7 @@ # # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.
# (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP
+# Copyright (c) 2021, Arm Limited. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -86,6 +87,11 @@ [LibraryClasses.ARM, LibraryClasses.AARCH64] ArmSoftFloatLib|ArmPkg/Library/ArmSoftFloatLib/ArmSoftFloatLib.inf + # Arm FW-TRNG interface library. + TrngLib|ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.inf + ArmSmcLib|ArmPkg/Library/ArmSmcLib/ArmSmcLib.inf + ArmHvcLib|ArmPkg/Library/ArmHvcLib/ArmHvcLib.inf + [LibraryClasses.ARM] RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf @@ -277,7 +283,7 @@ [Components.IA32, Components.X64, Components.ARM, Components.AARCH64] SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf -[Components.IA32, Components.X64, Components.AARCH64] +[Components.IA32, Components.X64, Components.AARCH64, Components.ARM] # # Random Number Generator # -- 'Guid(CE165669-3EF3-493F-B85D-6190EE5B9759)'
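
Review bot: In AArch64/RngDxe.c, ArchGetSupportedRngAlgorithms can now place gEfiRngAlgorithmRaw at RNGAlgorithmList[0] (when PcdCpuRngSupportedAlgorithm equals gZeroGuid and GetTrngVersion succeeds), and the function comment defines the first entry as the driver's default, but the RngGetRNG hunk only adds a Raw branch and does not show the NULL-RNGAlgorithm path being updated to match. Please confirm that a NULL RNGAlgorithm resolves to the same algorithm that GetInfo reports first, or make the default selection depend on the same two conditions. Separately, MajorRevision and MinorRevision are fetched in both functions but never examined; if the call is only a presence probe, say so in a comment, or check the revision against the minimum the driver relies on.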
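
Review bot: The file header of the new Arm/RngDxe.c lists EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID, EFI_RNG_ALGORITHM_SP800_90_HMAC_256_GUID and EFI_RNG_ALGORITHM_SP800_90_HASH_256_GUID without an "Unsupported" marker, although RngGetRNG in this file returns EFI_UNSUPPORTED for every algorithm other than gEfiRngAlgorithmRaw. Mark them as unsupported so the header matches the code. The new ArchGetSupportedRngAlgorithms is also declared with a UINTN return type while every return statement yields an EFI_STATUS code; EFI_STATUS would state the contract directly. Finally, the comment requires that the list "must not change across multiple calls", yet GetTrngVersion is re-probed on each call, so caching the probe result once at driver entry would make that guarantee explicit.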
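
Review bot: GenerateEntropy in ArmTrng.c uses the value of GetTrngMaxSupportedEntropyBits () unchecked. If MaxBits is 0, EntropyBits is 0 on every iteration and the loop makes no progress unless GetEntropy rejects a zero-bit request; if MaxBits is not a multiple of 8, "Index += (EntropyBits >> 3)" rounds down while CollectedEntropyBits counts the full request, so chunks overlap and the tail of the buffer can stay at the zeros written by the initial ZeroMem while the function still returns success. Reject MaxBits == 0 up front and either assert or round MaxBits down to a byte multiple. Two smaller points: "return Status;" after the loop reads an uninitialised Status when Length is 0 (the callers in this patch filter that case, but the helper itself does not), and the @retval list names only EFI_SUCCESS and EFI_NOT_READY although any error from GetEntropy is passed through.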
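
Review bot: RngDxe.inf now requires TrngLib under [LibraryClasses.AARCH64, LibraryClasses.ARM], but the only DSC updated in this patch is SecurityPkg.dsc. Any platform that already builds RngDxe for AARCH64 will need a TrngLib mapping (plus whatever ArmFwTrngLib depends on, as the ArmSmcLib and ArmHvcLib lines added to SecurityPkg.dsc suggest) before it builds again. Please call this out in the commit message, or point to the patch in the series that updates the affected platform DSCs.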