From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx.groups.io with SMTP id smtpd.web11.6004.1669156267934916637 for ; Tue, 22 Nov 2022 14:31:08 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=EIRfJnHB; spf=pass (domain: gmail.com, ip: 209.85.128.52, mailfrom: pedro.falcato@gmail.com) Received: by mail-wm1-f52.google.com with SMTP id h126-20020a1c2184000000b003d03017c6efso133732wmh.4 for ; Tue, 22 Nov 2022 14:31:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=GkzzhdPKC1NdigtZ5Dw5Y1WloxCe1v+XQfzvYqDtitk=; b=EIRfJnHBJMCpxIVjvSDT1qxLcArmra99jWTAWLdIKPa5xwVqaf5BUufbC7bPfZWVof cqHPPFxYbOiQBdgT7hI7ugYP4wTFhBTZd97uJJShMLXgulGGuMFBGMoNA72xP63UH5/8 0Zyd85zVe+Kzd4EKdZMy6RGFAArkwWd790D4Uux7mEtkGljUtHt++5lrij2KB9yAepNU +sGddQvldFFA4VbWqb5l6iH4rdJ80YrebLrnKcp9Qet1CucaP79ZBd1emJin/qoBCuK4 9803chhL6I3S05R6ow2nNTUB9jMK2bmJYhxbc8h3BAZwlV1bDaJGg1prqMi4xzatdkaM LI+w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GkzzhdPKC1NdigtZ5Dw5Y1WloxCe1v+XQfzvYqDtitk=; b=sl5h3NvUyDAFNMBUnOlqGFAPRqsPT3RSbtqHYuw2Bg+eNd+kA93/5zmgCry9rckUsN FB0b6XEyoz3EjlCBfk1JmCJcwIPJi+UB3+FNrKBmuHWK6TOg3LBO6MSIl4kquVQ5TfMi R/zSwKlO67p7w37pzzXRjE39fX786TCqBSpPgzxip4a+QrjX08cbfds6vUzk6odVl9ug bcB52KKGuHzx3zic7BiYINfnL5q6FS6NVlmdkzsqMHiKgMUrzLp/q4x2DFGxP9jLv9c4 IAoA3oDTYBZcGB06S+6KikrD6ojnNTfsf3NBAZ3ehAveHj5NUrxmP7CMe01vbQyt2v9F KfVA== X-Gm-Message-State: ANoB5pk4Lkg5QKqb4pKJaAYWbFhtZCjGkJinL6he0MVmiMAEOl0bodZv v2o+eOoVZERkQJkxtoi2nbqyaH8CRK+5tYgc X-Google-Smtp-Source: AA0mqf4MO2mwV00B3bET1c+6yktz/YG2ErQ8VQsnPiJoNOw8g997sDqK3eBAoOBv6OB2nIGvxQumUA== X-Received: by 2002:a05:600c:1ca4:b0:3cf:7125:fc1d with SMTP id k36-20020a05600c1ca400b003cf7125fc1dmr4396550wms.70.1669156266004; Tue, 22 Nov 2022 14:31:06 -0800 (PST) Return-Path: Received: from PC-PEDRO-ARCH.lan ([2001:8a0:7280:5801:9441:3dce:686c:bfc7]) by smtp.gmail.com with ESMTPSA id m1-20020a05600c4f4100b003b4fe03c881sm64863wmq.48.2022.11.22.14.31.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 22 Nov 2022 14:31:05 -0800 (PST) From: "Pedro Falcato" To: devel@edk2.groups.io Cc: Pedro Falcato , Michael D Kinney , Liming Gao , Zhiguang Liu , "Jason A . Donenfeld" Subject: [PATCH v4 1/1] MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID Date: Tue, 22 Nov 2022 22:31:03 +0000 Message-Id: <20221122223103.597984-1-pedro.falcato@gmail.com> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit RDRAND has notoriously been broken many times over its lifespan. Add a smoketest to RDRAND, in order to better sniff out potential security concerns. Also add a proper CPUID test in order to support older CPUs which may not have it; it was previously being tested but then promptly ignored. Testing algorithm inspired by linux's arch/x86/kernel/cpu/rdrand.c :x86_init_rdrand() per commit 049f9ae9.. Many thanks to Jason Donenfeld for relicensing his linux RDRAND detection code to MIT and the public domain. >On Tue, Nov 22, 2022 at 2:21 PM Jason A. Donenfeld wrote: <..> > I (re)wrote that function in Linux. I hereby relicense it as MIT, and > also place it into public domain. Do with it what you will now. > > Jason BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4163 Signed-off-by: Pedro Falcato Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Cc: Jason A. Donenfeld --- v4: Added a doxygen comment to the TestRdRand() function v3: Addressed mailing list comments v2: Replaced the original v1 naive detection with a better, although still not great, detection. MdePkg/Library/BaseRngLib/Rand/RdRand.c | 99 +++++++++++++++++++++++-- 1 file changed, 91 insertions(+), 8 deletions(-) diff --git a/MdePkg/Library/BaseRngLib/Rand/RdRand.c b/MdePkg/Library/BaseRngLib/Rand/RdRand.c index 070d41e2555f..ff99436dbbbd 100644 --- a/MdePkg/Library/BaseRngLib/Rand/RdRand.c +++ b/MdePkg/Library/BaseRngLib/Rand/RdRand.c @@ -2,6 +2,7 @@ Random number generator services that uses RdRand instruction access to provide high-quality random numbers. +Copyright (c) 2022, Pedro Falcato. All rights reserved.
Copyright (c) 2021, NUVIA Inc. All rights reserved.
Copyright (c) 2015, Intel Corporation. All rights reserved.
@@ -22,6 +23,88 @@ SPDX-License-Identifier: BSD-2-Clause-Patent STATIC BOOLEAN mRdRandSupported; +// +// Intel SDM says 10 tries is good enough for reliable RDRAND usage. +// +#define RDRAND_RETRIES 10 + +#define RDRAND_TEST_SAMPLES 8 + +#define RDRAND_MIN_CHANGE 5 + +// +// Add a define for native-word RDRAND, just for the test. +// +#ifdef MDE_CPU_X64 +#define AsmRdRand AsmRdRand64 +#else +#define AsmRdRand AsmRdRand32 +#endif + +/** + Tests RDRAND for broken implementations. + + @retval TRUE RDRAND is reliable (and hopefully safe). + @retval FALSE RDRAND is unreliable and should be disabled, despite CPUID. + +**/ +STATIC +BOOLEAN +TestRdRand ( + VOID + ) +{ + // + // Test for notoriously broken rdrand implementations that always return the same + // value, like the Zen 3 uarch (all-1s) or other several AMD families on suspend/resume (also all-1s). + // Note that this should be expanded to extensively test for other sorts of possible errata. + // + + // + // Our algorithm samples rdrand $RDRAND_TEST_SAMPLES times and expects + // a different result $RDRAND_MIN_CHANGE times for reliable RDRAND usage. + // + UINTN Prev; + UINT8 Idx; + UINT8 TestIteration; + UINT32 Changed; + + Changed = 0; + + for (TestIteration = 0; TestIteration < RDRAND_TEST_SAMPLES; TestIteration++) { + UINTN Sample; + // + // Note: We use a retry loop for rdrand. Normal users get this in BaseRng.c + // Any failure to get a random number will assume RDRAND does not work. + // + for (Idx = 0; Idx < RDRAND_RETRIES; Idx++) { + if (AsmRdRand (&Sample)) { + break; + } + } + + if (Idx == RDRAND_RETRIES) { + DEBUG ((DEBUG_ERROR, "BaseRngLib/x86: CPU BUG: Failed to get an RDRAND random number - disabling\n")); + return FALSE; + } + + if (TestIteration != 0) { + Changed += Sample != Prev; + } + + Prev = Sample; + } + + if (Changed < RDRAND_MIN_CHANGE) { + DEBUG ((DEBUG_ERROR, "BaseRngLib/x86: CPU BUG: RDRAND not reliable - disabling\n")); + return FALSE; + } + + return TRUE; +} + +#undef AsmRdRand + /** The constructor function checks whether or not RDRAND instruction is supported by the host hardware. @@ -46,10 +129,13 @@ BaseRngLibConstructor ( // CPUID. A value of 1 indicates that processor support RDRAND instruction. // AsmCpuid (1, 0, 0, &RegEcx, 0); - ASSERT ((RegEcx & RDRAND_MASK) == RDRAND_MASK); mRdRandSupported = ((RegEcx & RDRAND_MASK) == RDRAND_MASK); + if (mRdRandSupported) { + mRdRandSupported = TestRdRand (); + } + return EFI_SUCCESS; } @@ -68,6 +154,7 @@ ArchGetRandomNumber16 ( OUT UINT16 *Rand ) { + ASSERT (mRdRandSupported); return AsmRdRand16 (Rand); } @@ -86,6 +173,7 @@ ArchGetRandomNumber32 ( OUT UINT32 *Rand ) { + ASSERT (mRdRandSupported); return AsmRdRand32 (Rand); } @@ -104,6 +192,7 @@ ArchGetRandomNumber64 ( OUT UINT64 *Rand ) { + ASSERT (mRdRandSupported); return AsmRdRand64 (Rand); } @@ -120,11 +209,5 @@ ArchIsRngSupported ( VOID ) { - /* - Existing software depends on this always returning TRUE, so for - now hard-code it. - - return mRdRandSupported; - */ - return TRUE; + return mRdRandSupported; } -- 2.38.1