public inbox for devel@edk2.groups.io
* [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237
@ 2024-05-24  5:44 Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 01/20] EmulatorPkg: : Add RngDxe to EmulatorPkg Doug Flick via groups.io
                   ` (19 more replies)
  0 siblings, 20 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Liming Gao


REF:https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html

This patch series patches the following CVEs:
- CVE-2023-45236: Predictable TCP Initial Sequence Numbers
- CVE-2023-45237: Use of a Weak PseudoRandom Number Generator

In order to patch these CVEs, the following changes were made:
- NetworkPkg no longer performs its own random number generation;
  instead it uses EFI_RNG_PROTOCOL provided by the platform to
  generate random numbers.
  - This change was made such that any future random number
    generation vulnerabilities will be a result of the platform's
    implementation of the EFI_RNG_PROTOCOL and not the NetworkPkg

- NetworkPkg uses the TCP initial sequence number algorithm as described
  in RFC 6528 to generate the initial sequence number for TCP connections.
  - This change was made to ensure that the initial sequence number
    is not predictable and therefore cannot be used in a TCP hijacking
    attack.

In addition to the above changes, the following changes were made:
- EmulatorPkg, OvmfPkg, and ArmVirtPkg were updated to include the
  Hash2DxeCrypto driver to support TCP ISN generation using
  EFI_HASH2_PROTOCOL

- EmulatorPkg was updated to include the
  RngDxe driver to support random number generation using the
  EFI_RNG_PROTOCOL

- OvmfPkg and ArmVirtPkg were updated to include the
  virtio-rng-pci device to support random number generation using the
  EFI_RNG_PROTOCOL via the existing VirtioRngDxe driver

- SecurityPkg was updated to fix an incorrect limitation on the
  GetRng function in the RngDxe driver where the minimum amount of
  random data that could be requested was 32 bytes (256 bits) instead
  of what the caller requested

- MdePkg was updated to include MockUefiBootServicesTableLib,
  MockRng, and MockHash2 protocols for testing

- NetworkPkg was updated to include a test for the PxeBcDhcp6 driver
  due to underlying changes

- ArmPkg was updated to allow the SMC/HVC monitor conduit to be
  specified at runtime

- MdePkg was updated to remove an overzealous ASSERT in BaseRngLib

- ArmVirtPkg was updated to permit the use of dynamic PCDs in PEI

- ArmVirtPkg was updated to use dynamic PCDs to set the SMCCC conduit

- ArmVirtPkg was updated to add the RngDxe driver

Cc: Liming Gao <gaoliming@byosoft.com.cn>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>

Ard Biesheuvel (6):
  ArmPkg: Allow SMC/HVC monitor conduit to be specified at runtime
  MdePkg/BaseRngLib AARCH64: Remove overzealous ASSERT()
  ArmVirtPkg/ArmVirtQemu: Permit the use of dynamic PCDs in PEI
  ArmVirtPkg: Use dynamic PCD to set the SMCCC conduit
  ArmVirtPkg: Reverse inclusion order of MdeLibs.inc and ArmVirt.dsc.inc
  ArmVirtPkg/ArmVirtQemu: Add RngDxe driver

Doug Flick (8):
  EmulatorPkg: : Add Hash2DxeCrypto to EmulatorPkg
  OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg
  NetworkPkg:: SECURITY PATCH CVE-2023-45237
  NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236
  MdePkg: : Add MockUefiBootServicesTableLib
  MdePkg: : Adds Protocol for MockRng
  MdePkg: Add MockHash2 Protocol for testing
  NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes

Flickdm (6):
  EmulatorPkg: : Add RngDxe to EmulatorPkg
  OvmfPkg:PlatformCI: Support virtio-rng-pci
  ArmVirtPkg:PlatformCI: Support virtio-rng-pci
  ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg
  SecurityPkg: RngDxe: Remove incorrect limitation on GetRng
  ArmVirtPkg: Move PcdMonitorConduitHvc

 ArmPkg/ArmPkg.dec                                                                                 |  10 +-
 NetworkPkg/NetworkPkg.dec                                                                         |   7 +
 ArmVirtPkg/ArmVirt.dsc.inc                                                                        |   5 +-
 ArmVirtPkg/ArmVirtCloudHv.dsc                                                                     |   3 +
 ArmVirtPkg/ArmVirtKvmTool.dsc                                                                     |   4 +-
 ArmVirtPkg/ArmVirtQemu.dsc                                                                        |  20 +-
 ArmVirtPkg/ArmVirtQemuKernel.dsc                                                                  |  12 +-
 ArmVirtPkg/ArmVirtXen.dsc                                                                         |   6 +-
 EmulatorPkg/EmulatorPkg.dsc                                                                       |  14 +-
 MdePkg/Test/MdePkgHostTest.dsc                                                                    |   1 +
 NetworkPkg/Test/NetworkPkgHostTest.dsc                                                            |   1 +
 OvmfPkg/OvmfPkgIa32.dsc                                                                           |   6 +-
 OvmfPkg/OvmfPkgIa32X64.dsc                                                                        |   6 +-
 OvmfPkg/OvmfPkgX64.dsc                                                                            |   6 +-
 OvmfPkg/OvmfXen.dsc                                                                               |   5 +
 ArmVirtPkg/ArmVirtQemu.fdf                                                                        |   2 +-
 EmulatorPkg/EmulatorPkg.fdf                                                                       |  11 +-
 OvmfPkg/OvmfPkgIa32.fdf                                                                           |   5 +
 OvmfPkg/OvmfPkgIa32X64.fdf                                                                        |   5 +
 OvmfPkg/OvmfPkgX64.fdf                                                                            |   5 +
 OvmfPkg/OvmfXen.fdf                                                                               |   5 +
 ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf                                              |   1 +
 MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf |  32 +++
 NetworkPkg/Library/DxeNetLib/DxeNetLib.inf                                                        |  14 +-
 NetworkPkg/TcpDxe/TcpDxe.inf                                                                      |  11 +-
 NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf                                     |   3 +-
 MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h                        |  78 +++++++
 MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h                                          |  67 ++++++
 MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h                                            |  48 ++++
 NetworkPkg/IScsiDxe/IScsiMisc.h                                                                   |   6 +-
 NetworkPkg/Include/Library/NetLib.h                                                               |  40 +++-
 NetworkPkg/Ip6Dxe/Ip6Nd.h                                                                         |   8 +-
 NetworkPkg/TcpDxe/TcpFunc.h                                                                       |  23 +-
 NetworkPkg/TcpDxe/TcpMain.h                                                                       |  59 ++++-
 ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c                                                      |   2 +-
 ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c                                                |  14 ++
 MdePkg/Library/BaseRngLib/AArch64/Rndr.c                                                          |   1 -
 NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c                                                                 |  10 +-
 NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c                                                                 |  11 +-
 NetworkPkg/DnsDxe/DnsDhcp.c                                                                       |  10 +-
 NetworkPkg/DnsDxe/DnsImpl.c                                                                       |  11 +-
 NetworkPkg/HttpBootDxe/HttpBootDhcp6.c                                                            |  10 +-
 NetworkPkg/IScsiDxe/IScsiCHAP.c                                                                   |  19 +-
 NetworkPkg/IScsiDxe/IScsiMisc.c                                                                   |  14 +-
 NetworkPkg/Ip4Dxe/Ip4Driver.c                                                                     |  10 +-
 NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c                                                                 |   9 +-
 NetworkPkg/Ip6Dxe/Ip6Driver.c                                                                     |  17 +-
 NetworkPkg/Ip6Dxe/Ip6If.c                                                                         |  12 +-
 NetworkPkg/Ip6Dxe/Ip6Mld.c                                                                        |  12 +-
 NetworkPkg/Ip6Dxe/Ip6Nd.c                                                                         |  33 ++-
 NetworkPkg/Library/DxeNetLib/DxeNetLib.c                                                          | 130 +++++++++--
 NetworkPkg/TcpDxe/TcpDriver.c                                                                     | 105 ++++++++-
 NetworkPkg/TcpDxe/TcpInput.c                                                                      |  13 +-
 NetworkPkg/TcpDxe/TcpMisc.c                                                                       | 244 ++++++++++++++++++--
 NetworkPkg/TcpDxe/TcpTimer.c                                                                      |   3 +-
 NetworkPkg/Udp4Dxe/Udp4Driver.c                                                                   |  10 +-
 NetworkPkg/Udp6Dxe/Udp6Driver.c                                                                   |  11 +-
 NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c                                                              |   9 +-
 NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c                                                              |  11 +-
 NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c                                                             |  12 +-
 SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c                                            |   8 -
 ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc                                                              |   6 +
 ArmVirtPkg/PlatformCI/PlatformBuildLib.py                                                         |   2 +
 MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.cpp |  69 ++++++
 MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockHash2.cpp                                        |  27 +++
 MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp                                          |  21 ++
 NetworkPkg/SecurityFixes.yaml                                                                     |  61 +++++
 NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp                                       | 102 +++++++-
 OvmfPkg/PlatformCI/PlatformBuildLib.py                                                            |   2 +
 69 files changed, 1397 insertions(+), 173 deletions(-)
 create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf
 create mode 100644 MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h
 create mode 100644 MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h
 create mode 100644 MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h
 create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.cpp
 create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockHash2.cpp
 create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp

-- 
2.34.1


* [edk2-devel] [PATCH v3 01/20] EmulatorPkg: : Add RngDxe to EmulatorPkg
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
@ 2024-05-24  5:44 ` Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 02/20] EmulatorPkg: : Add Hash2DxeCrypto " Doug Flick via groups.io
                   ` (18 subsequent siblings)
  19 siblings, 0 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Andrew Fish, Ray Ni

This patch adds RngDxe to EmulatorPkg. The RngDxe is used to provide
random number generation services to the UEFI firmware.

Cc: Andrew Fish <afish@apple.com>
Cc: Ray Ni <ray.ni@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
---
 EmulatorPkg/EmulatorPkg.dsc | 7 ++++++-
 EmulatorPkg/EmulatorPkg.fdf | 6 +++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 5fa1ed345a..0a66294cb7 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -127,9 +127,9 @@
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
   ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf
+  RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
-  RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
   PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
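Review bot: moving RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf out of the SECURE_BOOT_ENABLE block makes a timer-seeded RngLib the source behind the RngDxe added in the next hunk for every EmulatorPkg build, not only secure-boot builds. That is acceptable for host emulation, but since the cover letter makes the platform's EFI_RNG_PROTOCOL the sole source of randomness for NetworkPkg, add a comment next to this line (and a sentence in the commit message) stating that BaseRngLibTimerLib is a non-cryptographic stand-in for the emulator and must not be copied into a real platform's DSC.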
@@ -398,6 +398,11 @@
   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf
   EmulatorPkg/TimerDxe/Timer.inf
 
+  #
+  # Rng Protocol producer
+  #
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+
 !if $(SECURE_BOOT_ENABLE) == TRUE
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
 !endif
diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index 5420756eaa..d756c144d9 100644
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@@ -193,6 +193,11 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
 INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
 INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf
 
+#
+# Rng Protocol producer
+#
+INF  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+
 #
 # Secure Boot Key Enroll
 #
@@ -320,4 +325,3 @@ INF  ShellPkg/Application/Shell/Shell.inf
     UI        STRING="$(MODULE_NAME)" Optional
     VERSION   STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
   }
-
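Review bot: the deletion of the trailing blank line at the end of EmulatorPkg.fdf is unrelated whitespace churn in a security fix; either drop it from this patch or mention it in the commit message so it is not mistaken for a functional change when the series is backported.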
-- 
2.34.1



* [edk2-devel] [PATCH v3 02/20] EmulatorPkg: : Add Hash2DxeCrypto to EmulatorPkg
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 01/20] EmulatorPkg: : Add RngDxe to EmulatorPkg Doug Flick via groups.io
@ 2024-05-24  5:44 ` Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 03/20] OvmfPkg:PlatformCI: Support virtio-rng-pci Doug Flick via groups.io
                   ` (17 subsequent siblings)
  19 siblings, 0 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Andrew Fish, Ray Ni

From: Doug Flick <dougflick@microsoft.com>

This patch adds Hash2DxeCrypto to EmulatorPkg. The Hash2DxeCrypto is
used to provide the hashing protocol services.

Cc: Andrew Fish <afish@apple.com>
Cc: Ray Ni <ray.ni@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 EmulatorPkg/EmulatorPkg.dsc | 9 +++++++--
 EmulatorPkg/EmulatorPkg.fdf | 5 +++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 0a66294cb7..1c356bc8c7 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -128,10 +128,11 @@
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
   ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf
   RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
-
-!if $(SECURE_BOOT_ENABLE) == TRUE
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
   PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
   SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
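Review bot: this hunk makes IntrinsicLib, OpensslLib (OpensslLibCrypto) and the new BaseCryptLib mapping unconditional, whereas before OpenSSL was only linked into EmulatorPkg when SECURE_BOOT_ENABLE was TRUE. The commit message only says Hash2DxeCrypto is added; it should state that Hash2DxeCrypto depends on BaseCryptLib and that this is why the OpenSSL library classes move out of the conditional, with the resulting build-time and image-size cost, so anyone backporting the series understands why a crypto library appears in non-secure-boot builds.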
@@ -402,6 +403,10 @@
   # Rng Protocol producer
   #
   SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+  #
+  # Hash2 Protocol producer
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
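Review bot: the new "# Hash2 Protocol producer" comment block is appended directly under the RngDxe.inf line with no separating blank line, while the "# Rng Protocol producer" block above it is preceded by one; insert a blank line before the new comment so the two component blocks read consistently.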
diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index d756c144d9..73d5b0068d 100644
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@@ -198,6 +198,11 @@ INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf
 #
 INF  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
 
+#
+# Hash2 Protocol producer
+#
+INF  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
 #
 # Secure Boot Key Enroll
 #
-- 
2.34.1



* [edk2-devel] [PATCH v3 03/20] OvmfPkg:PlatformCI: Support virtio-rng-pci
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 01/20] EmulatorPkg: : Add RngDxe to EmulatorPkg Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 02/20] EmulatorPkg: : Add Hash2DxeCrypto " Doug Flick via groups.io
@ 2024-05-24  5:44 ` Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 04/20] OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg Doug Flick via groups.io
                   ` (16 subsequent siblings)
  19 siblings, 0 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Jiewen Yao, Gerd Hoffmann

This patch adds "virtio-rng-pci" to the PlatformBuildLib.py.
This adds Rng services to the guest VM.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 OvmfPkg/PlatformCI/PlatformBuildLib.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/OvmfPkg/PlatformCI/PlatformBuildLib.py b/OvmfPkg/PlatformCI/PlatformBuildLib.py
index 00d454954b..3fe80f5c1c 100644
--- a/OvmfPkg/PlatformCI/PlatformBuildLib.py
+++ b/OvmfPkg/PlatformCI/PlatformBuildLib.py
@@ -208,6 +208,8 @@ class PlatformBuilder( UefiBuilder, BuildSettingsManager):
         args += " -net none"                                                # turn off network
         args += " -smp 4"
         args += f" -drive file=fat:rw:{VirtualDrive},format=raw,media=disk" # Mount disk with startup.nsh
+        # Provides Rng services to the Guest VM
+        args += " -device virtio-rng-pci"
 
         if (self.env.GetValue("QEMU_HEADLESS").upper() == "TRUE"):
             args += " -display none"  # no graphics
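Review bot: adding "-device virtio-rng-pci" only to the CI launch line means the protocol the new NetworkPkg code depends on is present in CI but not for anyone who boots the same firmware under QEMU without that device; the cover letter states that OvmfPkg obtains EFI_RNG_PROTOCOL from VirtioRngDxe, so without the device the network stack has no RNG protocol to locate. Please document the requirement in the commit message or the OvmfPkg README, and consider having CI check the firmware log for the protocol being installed rather than relying on the argument alone.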
-- 
2.34.1



* [edk2-devel] [PATCH v3 04/20] OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
                   ` (2 preceding siblings ...)
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 03/20] OvmfPkg:PlatformCI: Support virtio-rng-pci Doug Flick via groups.io
@ 2024-05-24  5:44 ` Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 05/20] ArmVirtPkg:PlatformCI: Support virtio-rng-pci Doug Flick via groups.io
                   ` (15 subsequent siblings)
  19 siblings, 0 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Jiewen Yao, Gerd Hoffmann

From: Doug Flick <dougflick@microsoft.com>

This patch adds Hash2DxeCrypto to OvmfPkg. The Hash2DxeCrypto is
used to provide the hashing protocol services.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 OvmfPkg/OvmfPkgIa32.dsc    | 6 +++++-
 OvmfPkg/OvmfPkgIa32X64.dsc | 6 +++++-
 OvmfPkg/OvmfPkgX64.dsc     | 6 +++++-
 OvmfPkg/OvmfXen.dsc        | 5 +++++
 OvmfPkg/OvmfPkgIa32.fdf    | 5 +++++
 OvmfPkg/OvmfPkgIa32X64.fdf | 5 +++++
 OvmfPkg/OvmfPkgX64.fdf     | 5 +++++
 OvmfPkg/OvmfXen.fdf        | 5 +++++
 8 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 1be021be71..2ca005d768 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -229,7 +229,6 @@
   VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
   VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf
 
-
   #
   # Network libraries
   #
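Review bot: the only change in this hunk is the removal of a blank line before "# Network libraries", which is unrelated whitespace cleanup; the same deletion is repeated in OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc but not in OvmfXen.dsc. Either drop these from the security patch or mention them in the commit message.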
@@ -858,6 +857,11 @@
   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
   MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
 
+  #
+  # Hash2 Protocol producer
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
   #
   # Network Support
   #
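Review bot: Hash2DxeCrypto.inf is added as a component with no library class changes, so this relies on OvmfPkgIa32.dsc already resolving BaseCryptLib, unlike the EmulatorPkg patch in this series which had to make the OpenSSL classes unconditional; a sentence in the commit message saying the dependency is already satisfied here would save reviewers checking. Placement before "# Network Support" does not control dispatch order, so please confirm TcpDxe locates EFI_HASH2_PROTOCOL lazily (or via a protocol notify) rather than failing at entry if Hash2DxeCrypto has not yet started.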
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index d27a4c7278..a39070a626 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -234,7 +234,6 @@
   VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
   VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf
 
-
   #
   # Network libraries
   #
@@ -872,6 +871,11 @@
   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
   MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
 
+  #
+  # Hash2 Protocol producer
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
   #
   # Network Support
   #
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 8f5cd23b2e..1b90aa8f57 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -250,7 +250,6 @@
   VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
   VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf
 
-
   #
   # Network libraries
   #
@@ -940,6 +939,11 @@
   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
   MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
 
+  #
+  # Hash2 Protocol producer
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
   #
   # Network Support
   #
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index fa1a570e74..7fc340d1c1 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -667,6 +667,11 @@
   MdeModulePkg/Universal/Acpi/BootScriptExecutorDxe/BootScriptExecutorDxe.inf
   MdeModulePkg/Universal/Acpi/BootGraphicsResourceTableDxe/BootGraphicsResourceTableDxe.inf
 
+  #
+  # Hash2 Protocol producer
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
   #
   # Network Support
   #
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 6eb26f7d46..0d4abb50a8 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -295,6 +295,11 @@ INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
 
 INF MdeModulePkg/Logo/LogoDxe.inf
 
+#
+# Hash2 Protocol producer
+#
+INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
 #
 # Network modules
 #
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 080784f722..23a825a012 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -296,6 +296,11 @@ INF  OvmfPkg/VirtioFsDxe/VirtioFsDxe.inf
 
 INF MdeModulePkg/Logo/LogoDxe.inf
 
+#
+# Hash2 Protocol producer
+#
+INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
 #
 # Network modules
 #
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index b6e8f43566..4dcd6a033c 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -329,6 +329,11 @@ INF MdeModulePkg/Logo/LogoDxe.inf
 
 INF OvmfPkg/TdxDxe/TdxDxe.inf
 
+#
+# Hash2 Protocol producer
+#
+INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
 #
 # Network modules
 #
diff --git a/OvmfPkg/OvmfXen.fdf b/OvmfPkg/OvmfXen.fdf
index 5770b17316..41368f37e2 100644
--- a/OvmfPkg/OvmfXen.fdf
+++ b/OvmfPkg/OvmfXen.fdf
@@ -314,6 +314,11 @@ INF  ShellPkg/Application/Shell/Shell.inf
 
 INF MdeModulePkg/Logo/LogoDxe.inf
 
+#
+# Hash2 Protocol producer
+#
+INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
 #
 # Network modules
 #
-- 
2.34.1



* [edk2-devel] [PATCH v3 05/20] ArmVirtPkg:PlatformCI: Support virtio-rng-pci
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
                   ` (3 preceding siblings ...)
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 04/20] OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg Doug Flick via groups.io
@ 2024-05-24  5:44 ` Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 06/20] ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg Doug Flick via groups.io
                   ` (14 subsequent siblings)
  19 siblings, 0 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Leif Lindholm, Sami Mujawar, Gerd Hoffmann

This patch adds "virtio-rng-pci" to the PlatformBuildLib.py.
This adds Rng services to the guest VM.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 ArmVirtPkg/PlatformCI/PlatformBuildLib.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ArmVirtPkg/PlatformCI/PlatformBuildLib.py b/ArmVirtPkg/PlatformCI/PlatformBuildLib.py
index 0ddaccf9c2..3abab09141 100644
--- a/ArmVirtPkg/PlatformCI/PlatformBuildLib.py
+++ b/ArmVirtPkg/PlatformCI/PlatformBuildLib.py
@@ -240,6 +240,8 @@ class PlatformBuilder(UefiBuilder, BuildSettingsManager):
         args += " -serial stdio"
         # Mount disk with startup.nsh
         args += f" -drive file=fat:rw:{VirtualDrive},format=raw,media=disk"
+        # Provides Rng services to the Guest VM
+        args += " -device virtio-rng-pci"
 
         # Conditional Args
         if (self.env.GetValue("QEMU_HEADLESS").upper() == "TRUE"):
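Review bot: as with the OvmfPkg CI change, this makes the virtio RNG available only in the CI invocation; the series also adds RngDxe to ArmVirtQemu later ("ArmVirtPkg/ArmVirtQemu: Add RngDxe driver"), so the commit message should state which EFI_RNG_PROTOCOL instance the network stack is expected to pick up when both VirtioRngDxe and RngDxe are present, and what happens on a host launched without the virtio-rng device.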
-- 
2.34.1



* [edk2-devel] [PATCH v3 06/20] ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
                   ` (4 preceding siblings ...)
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 05/20] ArmVirtPkg:PlatformCI: Support virtio-rng-pci Doug Flick via groups.io
@ 2024-05-24  5:44 ` Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 07/20] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng Doug Flick via groups.io
                   ` (13 subsequent siblings)
  19 siblings, 0 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Leif Lindholm, Sami Mujawar, Gerd Hoffmann

This patch adds Hash2DxeCrypto to ArmVirtPkg. The Hash2DxeCrypto is
used to provide the hashing protocol services.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 ArmVirtPkg/ArmVirtQemu.dsc           | 5 +++++
 ArmVirtPkg/ArmVirtQemuKernel.dsc     | 5 +++++
 ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 5 +++++
 3 files changed, 15 insertions(+)

diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 7e2ff33ad1..1d3315ad3e 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -554,6 +554,11 @@
   MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
 
+  #
+  # Hash2 Protocol Support
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
   #
   # TPM2 support
   #
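Review bot: the comment reads "# Hash2 Protocol Support" here and in ArmVirtQemuKernel.dsc, while ArmVirtQemuFvMain.fdf.inc and the OvmfPkg and EmulatorPkg patches in this series use "# Hash2 Protocol producer"; use one wording across the series so a grep finds every instance.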
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index efe2df97bd..94f48593c2 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -461,6 +461,11 @@
   MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
   MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
 
+  #
+  # Hash2 Protocol Support
+  #
+  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
   #
   # ACPI Support
   #
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
index c5d097ffb9..80d420023e 100644
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
@@ -177,6 +177,11 @@ READ_LOCK_STATUS   = TRUE
   INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
   INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
 
+  #
+  # Hash2 Protocol producer
+  #
+  INF SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+
   #
   # TPM2 support
   #
-- 
2.34.1



* [edk2-devel] [PATCH v3 07/20] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
                   ` (5 preceding siblings ...)
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 06/20] ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg Doug Flick via groups.io
@ 2024-05-24  5:44 ` Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 08/20] NetworkPkg:: SECURITY PATCH CVE-2023-45237 Doug Flick via groups.io
                   ` (12 subsequent siblings)
  19 siblings, 0 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Jiewen Yao

Removed from gEfiRngAlgorithmRaw an incorrect assumption that
Raw cannot return less than 256 bits. The DRNG algorithms
should always use a 256-bit seed as per NIST standards;
however, a caller is free to request less than 256 bits.
>
>    //
>    // When a DRBG is used on the output of a entropy source,
>    // its security level must be at least 256 bits according to UEFI Spec.
>    //
>    if (RNGValueLength < 32) {
>      return EFI_INVALID_PARAMETER;
>    }
>

AARCH64 platforms do not have this limitation, and this brings both
implementations into alignment with each other and the spec.

Cc: Jiewen Yao <jiewen.yao@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
---
 SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
index 7e06e16e4b..5723ed6957 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
@@ -116,14 +116,6 @@ RngGetRNG (
   // The "raw" algorithm is intended to provide entropy directly
   //
   if (CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw)) {
-    //
-    // When a DRBG is used on the output of a entropy source,
-    // its security level must be at least 256 bits according to UEFI Spec.
-    //
-    if (RNGValueLength < 32) {
-      return EFI_INVALID_PARAMETER;
-    }
-
     Status = GenerateEntropy (RNGValueLength, RNGValue);
     return Status;
   }
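Review bot: with the 32-byte minimum deleted from the gEfiRngAlgorithmRaw branch, GenerateEntropy (RNGValueLength, RNGValue) now receives whatever length the caller passed, so the NULL-pointer and zero-length checks earlier in RngGetRNG (outside this hunk) are the only validation left on this path; please confirm they still run before this branch. The deletion itself matches the commit message: the 256-bit requirement is on the DRBG's seed, not on what a raw-entropy caller may request, and the "intended to provide entropy directly" comment kept at the top of the branch now describes the behaviour accurately.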
-- 
2.34.1



* [edk2-devel] [PATCH v3 08/20] NetworkPkg:: SECURITY PATCH CVE-2023-45237
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Saloni Kasbekar, Zachary Clark-williams

From: Doug Flick <dougflick@microsoft.com>

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542

Bug Overview:
PixieFail Bug #9
CVE-2023-45237
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Use of a Weak PseudoRandom Number Generator

Change Overview:

Updates all Instances of NET_RANDOM (NetRandomInitSeed ()) to either

>
> EFI_STATUS
> EFIAPI
> PseudoRandomU32 (
>  OUT UINT32  *Output
>  );
>

or (depending on the use case)

>
> EFI_STATUS
> EFIAPI
> PseudoRandom (
>  OUT  VOID   *Output,
>  IN   UINTN  OutputLength
>  );
>

This is because the use of

Example:

The following code snippet shows how the PseudoRandomU32 () function is used:

>
> UINT32         Random;
>
> Status = PseudoRandomU32 (&Random);
> if (EFI_ERROR (Status)) {
>   DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
>   return Status;
> }
>

This also introduces a new PCD to enable/disable the use of the
secure implementation of algorithms for PseudoRandom () and
instead depend on the default implementation. This may be required for
some platforms where the UEFI Spec defined algorithms are not available.

>
> PcdEnforceSecureRngAlgorithms
>

If the platform does not have any one of the UEFI defined
secure RNG algorithms then the driver will assert.

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 NetworkPkg/NetworkPkg.dec                  |   7 ++
 NetworkPkg/Library/DxeNetLib/DxeNetLib.inf |  14 ++-
 NetworkPkg/TcpDxe/TcpDxe.inf               |   3 +
 NetworkPkg/IScsiDxe/IScsiMisc.h            |   6 +-
 NetworkPkg/Include/Library/NetLib.h        |  40 ++++--
 NetworkPkg/Ip6Dxe/Ip6Nd.h                  |   8 +-
 NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c          |  10 +-
 NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c          |  11 +-
 NetworkPkg/DnsDxe/DnsDhcp.c                |  10 +-
 NetworkPkg/DnsDxe/DnsImpl.c                |  11 +-
 NetworkPkg/HttpBootDxe/HttpBootDhcp6.c     |  10 +-
 NetworkPkg/IScsiDxe/IScsiCHAP.c            |  19 ++-
 NetworkPkg/IScsiDxe/IScsiMisc.c            |  14 +--
 NetworkPkg/Ip4Dxe/Ip4Driver.c              |  10 +-
 NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c          |   9 +-
 NetworkPkg/Ip6Dxe/Ip6Driver.c              |  17 ++-
 NetworkPkg/Ip6Dxe/Ip6If.c                  |  12 +-
 NetworkPkg/Ip6Dxe/Ip6Mld.c                 |  12 +-
 NetworkPkg/Ip6Dxe/Ip6Nd.c                  |  33 ++++-
 NetworkPkg/Library/DxeNetLib/DxeNetLib.c   | 130 +++++++++++++++++---
 NetworkPkg/TcpDxe/TcpDriver.c              |  15 ++-
 NetworkPkg/Udp4Dxe/Udp4Driver.c            |  10 +-
 NetworkPkg/Udp6Dxe/Udp6Driver.c            |  11 +-
 NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c       |   9 +-
 NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c       |  11 +-
 NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c      |  12 +-
 NetworkPkg/SecurityFixes.yaml              |  39 ++++++
 27 files changed, 410 insertions(+), 83 deletions(-)

diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec
index e06f35e774..7c4289b77b 100644
--- a/NetworkPkg/NetworkPkg.dec
+++ b/NetworkPkg/NetworkPkg.dec
@@ -5,6 +5,7 @@
 #
 # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.<BR>
 # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP<BR>
+# Copyright (c) Microsoft Corporation
 #
 # SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -130,6 +131,12 @@
   # @Prompt Indicates whether SnpDxe creates event for ExitBootServices() call.
   gEfiNetworkPkgTokenSpaceGuid.PcdSnpCreateExitBootServicesEvent|TRUE|BOOLEAN|0x1000000C
 
+  ## Enforces the use of Secure UEFI spec defined RNG algorithms for all network connections.
+  # TRUE  - Enforce the use of Secure UEFI spec defined RNG algorithms.
+  # FALSE - Do not enforce and depend on the default implementation of RNG algorithm from the provider.
+  # @Prompt Enforce the use of Secure UEFI spec defined RNG algorithms.
+  gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|TRUE|BOOLEAN|0x1000000D
+
 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
   ## IPv6 DHCP Unique Identifier (DUID) Type configuration (From RFCs 3315 and 6355).
   # 01 = DUID Based on Link-layer Address Plus Time [DUID-LLT]
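Review bot: the help text for PcdEnforceSecureRngAlgorithms says what TRUE and FALSE select but not what happens under TRUE when the platform's EFI_RNG_PROTOCOL supports none of the listed algorithms; the commit message says the driver asserts, and in a release build PseudoRandom returns an error that propagates up to the DHCP, DNS and IP driver entry points. Add that to the `##` comment so a platform owner who keeps the TRUE default knows the network stack fails closed rather than falling back, and state that FALSE means the provider's default algorithm is used with no check of which one it is. The hunk header also does not show which section the new PCD lands in; DxeNetLib.inf consumes it under [FixedPcd], which requires a [PcdsFixedAtBuild] declaration.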
diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
index 8145d256ec..a8f534a293 100644
--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
+++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
@@ -3,6 +3,7 @@
 #
 #  Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
 #  (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
+#  Copyright (c) Microsoft Corporation
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -49,7 +50,11 @@
   gEfiSmbiosTableGuid                           ## SOMETIMES_CONSUMES  ## SystemTable
   gEfiSmbios3TableGuid                          ## SOMETIMES_CONSUMES  ## SystemTable
   gEfiAdapterInfoMediaStateGuid                 ## SOMETIMES_CONSUMES
-
+  gEfiRngAlgorithmRaw                           ## CONSUMES
+  gEfiRngAlgorithmSp80090Ctr256Guid             ## CONSUMES
+  gEfiRngAlgorithmSp80090Hmac256Guid            ## CONSUMES
+  gEfiRngAlgorithmSp80090Hash256Guid            ## CONSUMES
+  gEfiRngAlgorithmArmRndr                       ## CONSUMES
 
 [Protocols]
   gEfiSimpleNetworkProtocolGuid                 ## SOMETIMES_CONSUMES
@@ -59,3 +64,10 @@
   gEfiComponentNameProtocolGuid                 ## SOMETIMES_CONSUMES
   gEfiComponentName2ProtocolGuid                ## SOMETIMES_CONSUMES
   gEfiAdapterInformationProtocolGuid            ## SOMETIMES_CONSUMES
+  gEfiRngProtocolGuid                           ## CONSUMES
+
+[FixedPcd]
+  gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms ## CONSUMES
+
+[Depex]
+  gEfiRngProtocolGuid
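Review bot: a [Depex] in a library INF is AND-ed into the depex of every driver that links DxeNetLib, so with this hunk none of the NetworkPkg drivers will dispatch on a platform that has no EFI_RNG_PROTOCOL producer, and they will fail silently (the dispatcher simply never runs them). That is a reasonable fail-closed outcome for a CVE fix, but it should be spelled out in the commit message next to the PcdEnforceSecureRngAlgorithms description, and it makes the LocateProtocol failure path and the ASSERT_EFI_ERROR that follows it in PseudoRandom unreachable in practice.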
diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
index c0acbdca57..cf5423f4c5 100644
--- a/NetworkPkg/TcpDxe/TcpDxe.inf
+++ b/NetworkPkg/TcpDxe/TcpDxe.inf
@@ -82,5 +82,8 @@
   gEfiTcp6ProtocolGuid                          ## BY_START
   gEfiTcp6ServiceBindingProtocolGuid            ## BY_START
 
+[Depex]
+  gEfiHash2ServiceBindingProtocolGuid
+
 [UserExtensions.TianoCore."ExtraFiles"]
   TcpDxeExtra.uni
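Review bot: the gEfiHash2ServiceBindingProtocolGuid depex does not belong in the CVE-2023-45237 patch; nothing in this diff uses EFI_HASH2_PROTOCOL, and the TCP ISN change that needs it is 09/20 (CVE-2023-45236). Move the hunk there, and make sure the GUID is also listed under [Protocols] in TcpDxe.inf (not visible in this hunk) so the build can resolve it. With an explicit [Depex], TcpDxe is held back until a Hash2 service binding is installed and will not load at all on a platform that does not ship Hash2DxeCrypto, which is why the series adds that driver to EmulatorPkg, OvmfPkg and ArmVirtPkg.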
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h
index a951eee70e..91b2cd2261 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.h
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h
@@ -2,6 +2,7 @@
   Miscellaneous definitions for iSCSI driver.
 
 Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -202,8 +203,11 @@ IScsiNetNtoi (
   @param[in, out]  Rand       The buffer to contain random numbers.
   @param[in]       RandLength The length of the Rand buffer.
 
+  @retval EFI_SUCCESS on success
+  @retval others      on error
+
 **/
-VOID
+EFI_STATUS
 IScsiGenRandom (
   IN OUT UINT8  *Rand,
   IN     UINTN  RandLength
diff --git a/NetworkPkg/Include/Library/NetLib.h b/NetworkPkg/Include/Library/NetLib.h
index 8c0e62b388..e8108b79db 100644
--- a/NetworkPkg/Include/Library/NetLib.h
+++ b/NetworkPkg/Include/Library/NetLib.h
@@ -3,6 +3,7 @@
   It provides basic functions for the UEFI network stack.
 
 Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -539,8 +540,6 @@ extern EFI_IPv4_ADDRESS  mZeroIp4Addr;
 #define TICKS_PER_MS      10000U
 #define TICKS_PER_SECOND  10000000U
 
-#define NET_RANDOM(Seed)  ((UINT32) ((UINT32) (Seed) * 1103515245UL + 12345) % 4294967295UL)
-
 /**
   Extract a UINT32 from a byte stream.
 
@@ -580,19 +579,40 @@ NetPutUint32 (
   );
 
 /**
-  Initialize a random seed using current time and monotonic count.
+  Generate a Random output data given a length.
 
-  Get current time and monotonic count first. Then initialize a random seed
-  based on some basic mathematics operation on the hour, day, minute, second,
-  nanosecond and year of the current time and the monotonic count value.
+  @param[out] Output - The buffer to store the generated random data.
+  @param[in] OutputLength - The length of the output buffer.
 
-  @return The random seed initialized with current time.
+  @retval EFI_SUCCESS           On Success
+  @retval EFI_INVALID_PARAMETER Pointer is null or size is zero
+  @retval EFI_NOT_FOUND         RNG protocol not found
+  @retval Others                Error from RngProtocol->GetRNG()
 
+  @return Status code
 **/
-UINT32
+EFI_STATUS
 EFIAPI
-NetRandomInitSeed (
-  VOID
+PseudoRandom (
+  OUT  VOID   *Output,
+  IN   UINTN  OutputLength
+  );
+
+/**
+  Generate a 32-bit pseudo-random number.
+
+  @param[out] Output - The buffer to store the generated random number.
+
+  @retval EFI_SUCCESS           On Success
+  @retval EFI_NOT_FOUND         RNG protocol not found
+  @retval Others                Error from RngProtocol->GetRNG()
+
+  @return Status code
+**/
+EFI_STATUS
+EFIAPI
+PseudoRandomU32 (
+  OUT  UINT32  *Output
   );
 
 #define NET_LIST_USER_STRUCT(Entry, Type, Field)        \
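Review bot: the new doxygen blocks mix styles: `@param[out] Output - The buffer ...` uses a dash separator that the rest of NetLib.h does not (compare the IScsiGenRandom header above), and each block ends with both a full `@retval` list and a redundant `@return Status code`; drop the dashes and the trailing `@return`. The `@retval` list for PseudoRandomU32 also omits EFI_INVALID_PARAMETER, which it returns for a NULL Output if it is implemented on top of PseudoRandom (see the NULL check in the DxeNetLib.c hunk). Removing NET_RANDOM from this public header in the preceding hunk is the right call: any out-of-tree user of the old LCG now fails at compile time instead of silently keeping the weak generator, which deserves a line in the commit message.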
diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h
index bf64e9114e..5795e23c7d 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Nd.h
+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h
@@ -2,7 +2,7 @@
   Definition of Neighbor Discovery support routines.
 
   Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
-
+  Copyright (c) Microsoft Corporation
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -780,10 +780,10 @@ Ip6OnArpResolved (
 /**
   Update the ReachableTime in IP6 service binding instance data, in milliseconds.
 
-  @param[in, out] IpSb     Points to the IP6_SERVICE.
-
+  @retval EFI_SUCCESS           ReachableTime Updated
+  @retval others                Failed to update ReachableTime
 **/
-VOID
+EFI_STATUS
 Ip6UpdateReachableTime (
   IN OUT IP6_SERVICE  *IpSb
   );
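Review bot: this hunk deletes the `@param[in, out] IpSb     Points to the IP6_SERVICE.` line while the parameter itself stays, so the header now documents the return values but not the argument; keep the @param line above the new @retval lines, as the matching hunk in Ip6Nd.c does.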
diff --git a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
index 8c37e93be3..892caee368 100644
--- a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
+++ b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
@@ -1,6 +1,7 @@
 /** @file
 
 Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -189,6 +190,13 @@ Dhcp4CreateService (
 {
   DHCP_SERVICE  *DhcpSb;
   EFI_STATUS    Status;
+  UINT32        Random;
+
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
 
   *Service = NULL;
   DhcpSb   = AllocateZeroPool (sizeof (DHCP_SERVICE));
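Review bot: the PseudoRandomU32 call is placed before `*Service = NULL;`, so on an RNG failure Dhcp4CreateService returns an error with the out-parameter left untouched, unlike every other error path in the function. Move the draw after `*Service = NULL;` (or directly before the `DhcpSb->Xid = Random;` assignment) so callers that inspect *Service see a consistent value; the same ordering applies to Dhcp6CreateService further down.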
@@ -203,7 +211,7 @@ Dhcp4CreateService (
   DhcpSb->Image        = ImageHandle;
   InitializeListHead (&DhcpSb->Children);
   DhcpSb->DhcpState = Dhcp4Stopped;
-  DhcpSb->Xid       = NET_RANDOM (NetRandomInitSeed ());
+  DhcpSb->Xid       = Random;
   CopyMem (
     &DhcpSb->ServiceBinding,
     &mDhcp4ServiceBindingTemplate,
diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
index b591a4605b..e7f2787a98 100644
--- a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
@@ -3,7 +3,7 @@
   implementation for Dhcp6 Driver.
 
   Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
+  Copyright (c) Microsoft Corporation
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -123,6 +123,13 @@ Dhcp6CreateService (
 {
   DHCP6_SERVICE  *Dhcp6Srv;
   EFI_STATUS     Status;
+  UINT32         Random;
+
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
 
   *Service = NULL;
   Dhcp6Srv = AllocateZeroPool (sizeof (DHCP6_SERVICE));
@@ -147,7 +154,7 @@ Dhcp6CreateService (
   Dhcp6Srv->Signature  = DHCP6_SERVICE_SIGNATURE;
   Dhcp6Srv->Controller = Controller;
   Dhcp6Srv->Image      = ImageHandle;
-  Dhcp6Srv->Xid        = (0xffffff & NET_RANDOM (NetRandomInitSeed ()));
+  Dhcp6Srv->Xid        = (0xffffff & Random);
 
   CopyMem (
     &Dhcp6Srv->ServiceBinding,
diff --git a/NetworkPkg/DnsDxe/DnsDhcp.c b/NetworkPkg/DnsDxe/DnsDhcp.c
index 933565a32d..9eb3c1d2d8 100644
--- a/NetworkPkg/DnsDxe/DnsDhcp.c
+++ b/NetworkPkg/DnsDxe/DnsDhcp.c
@@ -2,6 +2,7 @@
 Functions implementation related with DHCPv4/v6 for DNS driver.
 
 Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -277,6 +278,7 @@ GetDns4ServerFromDhcp4 (
   EFI_DHCP4_TRANSMIT_RECEIVE_TOKEN  Token;
   BOOLEAN                           IsDone;
   UINTN                             Index;
+  UINT32                            Random;
 
   Image      = Instance->Service->ImageHandle;
   Controller = Instance->Service->ControllerHandle;
@@ -292,6 +294,12 @@ GetDns4ServerFromDhcp4 (
   Data          = NULL;
   InterfaceInfo = NULL;
 
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
+
   ZeroMem ((UINT8 *)ParaList, sizeof (ParaList));
 
   ZeroMem (&MnpConfigData, sizeof (EFI_MANAGED_NETWORK_CONFIG_DATA));
@@ -467,7 +475,7 @@ GetDns4ServerFromDhcp4 (
 
   Status = Dhcp4->Build (Dhcp4, &SeedPacket, 0, NULL, 2, ParaList, &Token.Packet);
 
-  Token.Packet->Dhcp4.Header.Xid = HTONL (NET_RANDOM (NetRandomInitSeed ()));
+  Token.Packet->Dhcp4.Header.Xid = Random;
 
   Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)0x8000);
 
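Review bot: the replacement drops the HTONL() that wrapped the old NET_RANDOM value, so the Xid is now stored in host order where it was previously stored in network order. For a uniformly random 32-bit value the byte order does not change the entropy, but it is a behavioural change unrelated to the CVE fix and not mentioned in the commit message; either keep `HTONL (Random)` so the hunk is a pure substitution, or say why the swap was dropped.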
diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c
index d311812800..c2629bb8df 100644
--- a/NetworkPkg/DnsDxe/DnsImpl.c
+++ b/NetworkPkg/DnsDxe/DnsImpl.c
@@ -2,6 +2,7 @@
 DnsDxe support functions implementation.
 
 Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -1963,6 +1964,14 @@ ConstructDNSQuery (
   NET_FRAGMENT       Frag;
   DNS_HEADER         *DnsHeader;
   DNS_QUERY_SECTION  *DnsQuery;
+  EFI_STATUS         Status;
+  UINT32             Random;
+
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
 
   //
   // Messages carried by UDP are restricted to 512 bytes (not counting the IP
@@ -1977,7 +1986,7 @@ ConstructDNSQuery (
   // Fill header
   //
   DnsHeader                    = (DNS_HEADER *)Frag.Bulk;
-  DnsHeader->Identification    = (UINT16)NET_RANDOM (NetRandomInitSeed ());
+  DnsHeader->Identification    = (UINT16)Random;
   DnsHeader->Flags.Uint16      = 0x0000;
   DnsHeader->Flags.Bits.RD     = 1;
   DnsHeader->Flags.Bits.OpCode = DNS_FLAGS_OPCODE_STANDARD;
diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
index b22cef4ff5..f964515b0f 100644
--- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
+++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
@@ -2,6 +2,7 @@
   Functions implementation related with DHCPv6 for HTTP boot driver.
 
 Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -951,6 +952,7 @@ HttpBootDhcp6Sarr (
   UINT32                    OptCount;
   UINT8                     Buffer[HTTP_BOOT_DHCP6_OPTION_MAX_SIZE];
   EFI_STATUS                Status;
+  UINT32                    Random;
 
   Dhcp6 = Private->Dhcp6;
   ASSERT (Dhcp6 != NULL);
@@ -961,6 +963,12 @@ HttpBootDhcp6Sarr (
   OptCount = HttpBootBuildDhcp6Options (Private, OptList, Buffer);
   ASSERT (OptCount > 0);
 
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
+
   Retransmit = AllocateZeroPool (sizeof (EFI_DHCP6_RETRANSMISSION));
   if (Retransmit == NULL) {
     return EFI_OUT_OF_RESOURCES;
@@ -976,7 +984,7 @@ HttpBootDhcp6Sarr (
   Config.IaInfoEvent           = NULL;
   Config.RapidCommit           = FALSE;
   Config.ReconfigureAccept     = FALSE;
-  Config.IaDescriptor.IaId     = NET_RANDOM (NetRandomInitSeed ());
+  Config.IaDescriptor.IaId     = Random;
   Config.IaDescriptor.Type     = EFI_DHCP6_IA_TYPE_NA;
   Config.SolicitRetransmission = Retransmit;
   Retransmit->Irt              = 4;
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index b507f11cd4..bebb1ac29b 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -3,6 +3,7 @@
   Configuration.
 
 Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -576,16 +577,24 @@ IScsiCHAPToSendReq (
         //
         // CHAP_I=<I>
         //
-        IScsiGenRandom ((UINT8 *)&AuthData->OutIdentifier, 1);
+        Status = IScsiGenRandom ((UINT8 *)&AuthData->OutIdentifier, 1);
+        if (EFI_ERROR (Status)) {
+          break;
+        }
+
         AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier);
         IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr);
         //
         // CHAP_C=<C>
         //
-        IScsiGenRandom (
-          (UINT8 *)AuthData->OutChallenge,
-          AuthData->Hash->DigestSize
-          );
+        Status = IScsiGenRandom (
+                   (UINT8 *)AuthData->OutChallenge,
+                   AuthData->Hash->DigestSize
+                   );
+        if (EFI_ERROR (Status)) {
+          break;
+        }
+
         BinToHexStatus = IScsiBinToHex (
                            (UINT8 *)AuthData->OutChallenge,
                            AuthData->Hash->DigestSize,
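Review bot: both new `if (EFI_ERROR (Status)) { break; }` checks exit the switch with Status set, but the hunk does not show what runs after the switch. Please confirm that IScsiCHAPToSendReq propagates Status there instead of continuing to build and send the PDU; if it does not, a failed IScsiGenRandom leaves OutIdentifier or OutChallenge unset and the CHAP_I/CHAP_C keys go out with an uninitialised challenge, which is exactly the weakness this series is closing. The hunk also relies on Status already being a local in this function, since it does not declare one.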
diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c
index 78dc5c73d3..2159b84949 100644
--- a/NetworkPkg/IScsiDxe/IScsiMisc.c
+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c
@@ -2,6 +2,7 @@
   Miscellaneous routines for iSCSI driver.
 
 Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -474,20 +475,17 @@ IScsiNetNtoi (
   @param[in, out]  Rand       The buffer to contain random numbers.
   @param[in]       RandLength The length of the Rand buffer.
 
+  @retval EFI_SUCCESS on success
+  @retval others      on error
+
 **/
-VOID
+EFI_STATUS
 IScsiGenRandom (
   IN OUT UINT8  *Rand,
   IN     UINTN  RandLength
   )
 {
-  UINT32  Random;
-
-  while (RandLength > 0) {
-    Random  = NET_RANDOM (NetRandomInitSeed ());
-    *Rand++ = (UINT8)(Random);
-    RandLength--;
-  }
+  return PseudoRandom (Rand, RandLength);
 }
 
 /**
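Review bot: the rewritten IScsiGenRandom changes the zero-length behaviour: the old loop was a no-op for RandLength == 0, whereas PseudoRandom returns EFI_INVALID_PARAMETER for OutputLength == 0 (see the DxeNetLib.c hunk). The two callers in IScsiCHAP.c pass 1 and Hash->DigestSize, so nothing breaks today, but the @retval list should say that a zero length is rejected rather than ignored.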
diff --git a/NetworkPkg/Ip4Dxe/Ip4Driver.c b/NetworkPkg/Ip4Dxe/Ip4Driver.c
index ec483ff01f..683423f38d 100644
--- a/NetworkPkg/Ip4Dxe/Ip4Driver.c
+++ b/NetworkPkg/Ip4Dxe/Ip4Driver.c
@@ -2,6 +2,7 @@
   The driver binding and service binding protocol for IP4 driver.
 
 Copyright (c) 2005 - 2019, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation
 (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
 
 SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -549,11 +550,18 @@ Ip4DriverBindingStart (
   EFI_IP4_CONFIG2_PROTOCOL  *Ip4Cfg2;
   UINTN                     Index;
   IP4_CONFIG2_DATA_ITEM     *DataItem;
+  UINT32                    Random;
 
   IpSb     = NULL;
   Ip4Cfg2  = NULL;
   DataItem = NULL;
 
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
+
   //
   // Test for the Ip4 service binding protocol
   //
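Review bot: the PseudoRandomU32 call now runs before the "Test for the Ip4 service binding protocol" check, i.e. before the function decides whether this controller is already started, so every repeated Start() on a started controller pays for an RNG request and, if the RNG fails, returns that error instead of the status the test would have produced. Move the draw down next to the `mIp4Id = (UINT16)Random;` assignment. The same early placement appears in Ip6DriverBindingStart, in Ip6SetAddress (before NET_CHECK_SIGNATURE) and in Ip6InitDADProcess (before the "already started DAD" check); in each case the draw should follow the early-out checks.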
@@ -653,7 +661,7 @@ Ip4DriverBindingStart (
   //
   // Initialize the IP4 ID
   //
-  mIp4Id = (UINT16)NET_RANDOM (NetRandomInitSeed ());
+  mIp4Id = (UINT16)Random;
 
   return Status;
 
diff --git a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
index 70e232ce6c..4c1354d26c 100644
--- a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
+++ b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
@@ -2276,6 +2276,13 @@ Ip6ConfigInitInstance (
   UINTN                 Index;
   UINT16                IfIndex;
   IP6_CONFIG_DATA_ITEM  *DataItem;
+  UINT32                Random;
+
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
 
   IpSb = IP6_SERVICE_FROM_IP6_CONFIG_INSTANCE (Instance);
 
@@ -2381,7 +2388,7 @@ Ip6ConfigInitInstance (
     // The NV variable is not set, so generate a random IAID, and write down the
     // fresh new configuration as the NV variable now.
     //
-    Instance->IaId = NET_RANDOM (NetRandomInitSeed ());
+    Instance->IaId = Random;
 
     for (Index = 0; Index < IpSb->SnpMode.HwAddressSize; Index++) {
       Instance->IaId |= (IpSb->SnpMode.CurrentAddress.Addr[Index] << ((Index << 3) & 31));
diff --git a/NetworkPkg/Ip6Dxe/Ip6Driver.c b/NetworkPkg/Ip6Dxe/Ip6Driver.c
index b483a7d136..cbe011dad4 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Driver.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Driver.c
@@ -3,7 +3,7 @@
 
   Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
   (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
-
+  Copyright (c) Microsoft Corporation
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -316,7 +316,11 @@ Ip6CreateService (
   IpSb->CurHopLimit       = IP6_HOP_LIMIT;
   IpSb->LinkMTU           = IP6_MIN_LINK_MTU;
   IpSb->BaseReachableTime = IP6_REACHABLE_TIME;
-  Ip6UpdateReachableTime (IpSb);
+  Status                  = Ip6UpdateReachableTime (IpSb);
+  if (EFI_ERROR (Status)) {
+    goto ON_ERROR;
+  }
+
   //
   // RFC4861 RETRANS_TIMER: 1,000 milliseconds
   //
@@ -516,11 +520,18 @@ Ip6DriverBindingStart (
   EFI_STATUS               Status;
   EFI_IP6_CONFIG_PROTOCOL  *Ip6Cfg;
   IP6_CONFIG_DATA_ITEM     *DataItem;
+  UINT32                   Random;
 
   IpSb     = NULL;
   Ip6Cfg   = NULL;
   DataItem = NULL;
 
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
+
   //
   // Test for the Ip6 service binding protocol
   //
@@ -656,7 +667,7 @@ Ip6DriverBindingStart (
   //
   // Initialize the IP6 ID
   //
-  mIp6Id = NET_RANDOM (NetRandomInitSeed ());
+  mIp6Id = Random;
 
   return EFI_SUCCESS;
 
diff --git a/NetworkPkg/Ip6Dxe/Ip6If.c b/NetworkPkg/Ip6Dxe/Ip6If.c
index 4629c05f25..f3d11c4d21 100644
--- a/NetworkPkg/Ip6Dxe/Ip6If.c
+++ b/NetworkPkg/Ip6Dxe/Ip6If.c
@@ -2,7 +2,7 @@
   Implement IP6 pseudo interface.
 
   Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
+  Copyright (c) Microsoft Corporation
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -89,6 +89,14 @@ Ip6SetAddress (
   IP6_PREFIX_LIST_ENTRY  *PrefixEntry;
   UINT64                 Delay;
   IP6_DELAY_JOIN_LIST    *DelayNode;
+  EFI_STATUS             Status;
+  UINT32                 Random;
+
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
 
   NET_CHECK_SIGNATURE (Interface, IP6_INTERFACE_SIGNATURE);
 
@@ -164,7 +172,7 @@ Ip6SetAddress (
   // Thus queue the address to be processed in Duplicate Address Detection module
   // after the delay time (in milliseconds).
   //
-  Delay = (UINT64)NET_RANDOM (NetRandomInitSeed ());
+  Delay = (UINT64)Random;
   Delay = MultU64x32 (Delay, IP6_ONE_SECOND_IN_MS);
   Delay = RShiftU64 (Delay, 32);
 
diff --git a/NetworkPkg/Ip6Dxe/Ip6Mld.c b/NetworkPkg/Ip6Dxe/Ip6Mld.c
index e6b2b653e2..498a118543 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Mld.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Mld.c
@@ -696,7 +696,15 @@ Ip6UpdateDelayTimer (
   IN OUT IP6_MLD_GROUP  *Group
   )
 {
-  UINT32  Delay;
+  UINT32      Delay;
+  EFI_STATUS  Status;
+  UINT32      Random;
+
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
 
   //
   // If the Query packet specifies a Maximum Response Delay of zero, perform timer
@@ -715,7 +723,7 @@ Ip6UpdateDelayTimer (
   // is less than the remaining value of the running timer.
   //
   if ((Group->DelayTimer == 0) || (Delay < Group->DelayTimer)) {
-    Group->DelayTimer = Delay / 4294967295UL * NET_RANDOM (NetRandomInitSeed ());
+    Group->DelayTimer = Delay / 4294967295UL * Random;
   }
 
   return EFI_SUCCESS;
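Review bot: `Delay / 4294967295UL * Random` evaluates left to right, and Delay is a UINT32, so `Delay / 4294967295UL` is 0 for every Delay below 0xFFFFFFFF and Group->DelayTimer is always set to 0. The defect predates this patch (the old NET_RANDOM expression had the same shape), but this hunk rewrites the line and should fix it: the intent is a random fraction of Delay, e.g. `Group->DelayTimer = (UINT32)RShiftU64 (MultU64x32 ((UINT64)Random, Delay), 32);`, the pattern Ip6SetAddress uses in the Ip6If.c hunk.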
diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.c b/NetworkPkg/Ip6Dxe/Ip6Nd.c
index c10c7017f8..72aa45c10f 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Nd.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.c
@@ -2,7 +2,7 @@
   Implementation of Neighbor Discovery support routines.
 
   Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
+  Copyright (c) Microsoft Corporation
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -16,17 +16,28 @@ EFI_MAC_ADDRESS  mZeroMacAddress;
 
   @param[in, out] IpSb     Points to the IP6_SERVICE.
 
+  @retval EFI_SUCCESS           ReachableTime Updated
+  @retval others                Failed to update ReachableTime
 **/
-VOID
+EFI_STATUS
 Ip6UpdateReachableTime (
   IN OUT IP6_SERVICE  *IpSb
   )
 {
-  UINT32  Random;
+  UINT32      Random;
+  EFI_STATUS  Status;
 
-  Random              = (NetRandomInitSeed () / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE;
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
+
+  Random              = (Random / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE;
   Random              = Random + IP6_MIN_RANDOM_FACTOR_SCALED;
   IpSb->ReachableTime = (IpSb->BaseReachableTime * Random) / IP6_RANDOM_FACTOR_SCALE;
+
+  return EFI_SUCCESS;
 }
 
 /**
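Review bot: `Random = (Random / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE;` has the same truncation problem: Random / 4294967295UL is 0 for every value except 0xFFFFFFFF, so Random collapses to IP6_MIN_RANDOM_FACTOR_SCALED and ReachableTime is always the minimum of the RFC 4861 [MIN_RANDOM_FACTOR, MAX_RANDOM_FACTOR] range, i.e. not randomised at all. Pre-existing, but since this hunk rewrites the line, compute the scaled fraction without the division, e.g. `Random = (UINT32)RShiftU64 (MultU64x32 ((UINT64)Random, IP6_RANDOM_FACTOR_SCALE), 32) + IP6_MIN_RANDOM_FACTOR_SCALED;`.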
@@ -972,10 +983,17 @@ Ip6InitDADProcess (
   IP6_SERVICE                               *IpSb;
   EFI_STATUS                                Status;
   UINT32                                    MaxDelayTick;
+  UINT32                                    Random;
 
   NET_CHECK_SIGNATURE (IpIf, IP6_INTERFACE_SIGNATURE);
   ASSERT (AddressInfo != NULL);
 
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
+
   //
   // Do nothing if we have already started DAD on the address.
   //
@@ -1014,7 +1032,7 @@ Ip6InitDADProcess (
   Entry->Transmit    = 0;
   Entry->Receive     = 0;
   MaxDelayTick       = IP6_MAX_RTR_SOLICITATION_DELAY / IP6_TIMER_INTERVAL_IN_MS;
-  Entry->RetransTick = (MaxDelayTick * ((NET_RANDOM (NetRandomInitSeed ()) % 5) + 1)) / 5;
+  Entry->RetransTick = (MaxDelayTick * ((Random % 5) + 1)) / 5;
   Entry->AddressInfo = AddressInfo;
   Entry->Callback    = Callback;
   Entry->Context     = Context;
@@ -2078,7 +2096,10 @@ Ip6ProcessRouterAdvertise (
     // in BaseReachableTime and recompute a ReachableTime.
     //
     IpSb->BaseReachableTime = ReachableTime;
-    Ip6UpdateReachableTime (IpSb);
+    Status                  = Ip6UpdateReachableTime (IpSb);
+    if (EFI_ERROR (Status)) {
+      goto Exit;
+    }
   }
 
   if (RetransTimer != 0) {
diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
index fd4a9e15a8..01c13c08d2 100644
--- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
+++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c
@@ -3,6 +3,7 @@
 
 Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) Microsoft Corporation
 SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
 
@@ -31,6 +32,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/DevicePathLib.h>
 #include <Library/PrintLib.h>
 #include <Library/UefiLib.h>
+#include <Protocol/Rng.h>
 
 #define NIC_ITEM_CONFIG_SIZE  (sizeof (NIC_IP4_CONFIG_INFO) + sizeof (EFI_IP4_ROUTE_TABLE) * MAX_IP4_CONFIG_IN_VARIABLE)
 #define DEFAULT_ZERO_START    ((UINTN) ~0)
@@ -127,6 +129,25 @@ GLOBAL_REMOVE_IF_UNREFERENCED VLAN_DEVICE_PATH  mNetVlanDevicePathTemplate = {
   0
 };
 
+//
+// These represent UEFI SPEC defined algorithms that should be supported by
+// the RNG protocol and are generally considered secure.
+//
+// The order of the algorithms in this array is important. This order is the order
+// in which the algorithms will be tried by the RNG protocol.
+// If your platform needs to use a specific algorithm for the random number generator,
+// then you should place that algorithm first in the array.
+//
+GLOBAL_REMOVE_IF_UNREFERENCED EFI_GUID  *mSecureHashAlgorithms[] = {
+  &gEfiRngAlgorithmSp80090Ctr256Guid,  // SP800-90A DRBG CTR using AES-256
+  &gEfiRngAlgorithmSp80090Hmac256Guid, // SP800-90A DRBG HMAC using SHA-256
+  &gEfiRngAlgorithmSp80090Hash256Guid, // SP800-90A DRBG Hash using SHA-256
+  &gEfiRngAlgorithmArmRndr,            // unspecified SP800-90A DRBG via ARM RNDR register
+  &gEfiRngAlgorithmRaw,                // Raw data from NRBG (or TRNG)
+};
+
+#define SECURE_HASH_ALGORITHMS_SIZE  (sizeof (mSecureHashAlgorithms) / sizeof (EFI_GUID *))
+
 /**
   Locate the handles that support SNP, then open one of them
   to send the syslog packets. The caller isn't required to close
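Review bot: the array holds EFI_RNG_PROTOCOL algorithm GUIDs, not hash algorithms, so mSecureHashAlgorithms and SECURE_HASH_ALGORITHMS_SIZE are misnamed; mSecureRngAlgorithms with ARRAY_SIZE (mSecureRngAlgorithms) from MdePkg Base.h would read correctly and drop the hand-rolled sizeof division. The comment also says the order is the order "the RNG protocol" will try, when it is PseudoRandom below that iterates; and placing gEfiRngAlgorithmRaw last deserves a sentence, since raw NRBG output is only as good as the platform's entropy source and 07/20 just relaxed the length check on it.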
@@ -884,34 +905,107 @@ Ip6Swap128 (
 }
 
 /**
-  Initialize a random seed using current time and monotonic count.
+  Generate a Random output data given a length.
 
-  Get current time and monotonic count first. Then initialize a random seed
-  based on some basic mathematics operation on the hour, day, minute, second,
-  nanosecond and year of the current time and the monotonic count value.
+  @param[out] Output - The buffer to store the generated random data.
+  @param[in] OutputLength - The length of the output buffer.
 
-  @return The random seed initialized with current time.
+  @retval EFI_SUCCESS           On Success
+  @retval EFI_INVALID_PARAMETER Pointer is null or size is zero
+  @retval EFI_NOT_FOUND         RNG protocol not found
+  @retval Others                Error from RngProtocol->GetRNG()
 
+  @return Status code
 **/
-UINT32
+EFI_STATUS
 EFIAPI
-NetRandomInitSeed (
-  VOID
+PseudoRandom (
+  OUT  VOID   *Output,
+  IN   UINTN  OutputLength
   )
 {
-  EFI_TIME  Time;
-  UINT32    Seed;
-  UINT64    MonotonicCount;
+  EFI_RNG_PROTOCOL  *RngProtocol;
+  EFI_STATUS        Status;
+  UINTN             AlgorithmIndex;
+
+  if ((Output == NULL) || (OutputLength == 0)) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  Status = gBS->LocateProtocol (&gEfiRngProtocolGuid, NULL, (VOID **)&RngProtocol);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Failed to locate EFI_RNG_PROTOCOL: %r\n", Status));
+    ASSERT_EFI_ERROR (Status);
+    return Status;
+  }
+
+  if (PcdGetBool (PcdEnforceSecureRngAlgorithms)) {
+    for (AlgorithmIndex = 0; AlgorithmIndex < SECURE_HASH_ALGORITHMS_SIZE; AlgorithmIndex++) {
+      Status = RngProtocol->GetRNG (RngProtocol, mSecureHashAlgorithms[AlgorithmIndex], OutputLength, (UINT8 *)Output);
+      if (!EFI_ERROR (Status)) {
+        //
+        // Secure Algorithm was supported on this platform
+        //
+        return EFI_SUCCESS;
+      } else if (Status == EFI_UNSUPPORTED) {
+        //
+        // Secure Algorithm was not supported on this platform
+        //
+        DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));
+
+        //
+        // Try the next secure algorithm
+        //
+        continue;
+      } else {
+        //
+        // Some other error occurred
+        //
+        DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status));
+        ASSERT_EFI_ERROR (Status);
+        return Status;
+      }
+    }
+
+    //
+    // If we get here, we failed to generate random data using any secure algorithm
+    // Platform owner should ensure that at least one secure algorithm is supported
+    //
+    ASSERT_EFI_ERROR (Status);
+    return Status;
+  }
+
+  //
+  // Lets try using the default algorithm (which may not be secure)
+  //
+  Status = RngProtocol->GetRNG (RngProtocol, NULL, OutputLength, (UINT8 *)Output);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random data: %r\n", __func__, Status));
+    ASSERT_EFI_ERROR (Status);
+    return Status;
+  }
 
-  gRT->GetTime (&Time, NULL);
-  Seed  = (Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second);
-  Seed ^= Time.Nanosecond;
-  Seed ^= Time.Year << 7;
+  return EFI_SUCCESS;
+}
+
+/**
+  Generate a 32-bit pseudo-random number.
 
-  gBS->GetNextMonotonicCount (&MonotonicCount);
-  Seed += (UINT32)MonotonicCount;
+  @param[out] Output - The buffer to store the generated random number.
 
-  return Seed;
+  @retval EFI_SUCCESS           On Success
+  @retval EFI_NOT_FOUND         RNG protocol not found
+  @retval Others                Error from RngProtocol->GetRNG()
+
+  @return Status code
+**/
+EFI_STATUS
+EFIAPI
+PseudoRandomU32 (
+  OUT UINT32  *Output
+  )
+{
+  return PseudoRandom (Output, sizeof (*Output));
 }
 
 /**
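Review bot: in the enforce-secure loop an `EFI_UNSUPPORTED` result is the expected outcome of probing an algorithm the platform does not implement, yet it is logged at `DEBUG_ERROR` with the same text as a genuine failure; log it at `DEBUG_VERBOSE` (or `DEBUG_WARN`) and print the GUID with `%g` instead of the array index so the message identifies the algorithm. Two smaller points: `ASSERT_EFI_ERROR (Status)` after the failed `LocateProtocol` fires on every call in DEBUG builds on a platform without EFI_RNG_PROTOCOL, turning a condition every caller already handles (they return the status) into a halt; and `PseudoRandomU32` can propagate `EFI_INVALID_PARAMETER` from `PseudoRandom` when `Output` is NULL, which its @retval list omits.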
diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
index 98a90e0210..8fe6badd68 100644
--- a/NetworkPkg/TcpDxe/TcpDriver.c
+++ b/NetworkPkg/TcpDxe/TcpDriver.c
@@ -2,7 +2,7 @@
   The driver binding and service binding protocol for the TCP driver.
 
   Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
+  Copyright (c) Microsoft Corporation
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -163,7 +163,13 @@ TcpDriverEntryPoint (
   )
 {
   EFI_STATUS  Status;
-  UINT32      Seed;
+  UINT32      Random;
+
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
 
   //
   // Install the TCP Driver Binding Protocol
@@ -203,9 +209,8 @@ TcpDriverEntryPoint (
   //
   // Initialize ISS and random port.
   //
-  Seed            = NetRandomInitSeed ();
-  mTcpGlobalIss   = NET_RANDOM (Seed) % mTcpGlobalIss;
-  mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (NET_RANDOM (Seed) % TCP_PORT_KNOWN));
+  mTcpGlobalIss   = Random % mTcpGlobalIss;
+  mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN));
   mTcp6RandomPort = mTcp4RandomPort;
 
   return EFI_SUCCESS;
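Review bot: the same 32-bit `Random` now seeds both `mTcpGlobalIss` and `mTcp4RandomPort`; the port is visible on the wire and equals `TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN)`, so it discloses the low bits of the value the ISS base is derived from. Draw two independent values (one `PseudoRandomU32` call each), which is what the TcpDxe patch later in this series does for the secret and the port. `Random % mTcpGlobalIss` also keeps the old `TCP_BASE_ISS` modulus, so the ISS range stays narrower than 32 bits until that patch removes the line.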
diff --git a/NetworkPkg/Udp4Dxe/Udp4Driver.c b/NetworkPkg/Udp4Dxe/Udp4Driver.c
index cb917fcfc9..c7ea16f4cd 100644
--- a/NetworkPkg/Udp4Dxe/Udp4Driver.c
+++ b/NetworkPkg/Udp4Dxe/Udp4Driver.c
@@ -1,6 +1,7 @@
 /** @file
 
 Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -555,6 +556,13 @@ Udp4DriverEntryPoint (
   )
 {
   EFI_STATUS  Status;
+  UINT32      Random;
+
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
 
   //
   // Install the Udp4DriverBinding and Udp4ComponentName protocols.
@@ -571,7 +579,7 @@ Udp4DriverEntryPoint (
     //
     // Initialize the UDP random port.
     //
-    mUdp4RandomPort = (UINT16)(((UINT16)NetRandomInitSeed ()) % UDP4_PORT_KNOWN + UDP4_PORT_KNOWN);
+    mUdp4RandomPort = (UINT16)(((UINT16)Random) % UDP4_PORT_KNOWN + UDP4_PORT_KNOWN);
   }
 
   return Status;
diff --git a/NetworkPkg/Udp6Dxe/Udp6Driver.c b/NetworkPkg/Udp6Dxe/Udp6Driver.c
index ae96fb9966..edb758d57c 100644
--- a/NetworkPkg/Udp6Dxe/Udp6Driver.c
+++ b/NetworkPkg/Udp6Dxe/Udp6Driver.c
@@ -2,7 +2,7 @@
   Driver Binding functions and Service Binding functions for the Network driver module.
 
   Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
+  Copyright (c) Microsoft Corporation
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -596,6 +596,13 @@ Udp6DriverEntryPoint (
   )
 {
   EFI_STATUS  Status;
+  UINT32      Random;
+
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
 
   //
   // Install the Udp6DriverBinding and Udp6ComponentName protocols.
@@ -614,7 +621,7 @@ Udp6DriverEntryPoint (
     // Initialize the UDP random port.
     //
     mUdp6RandomPort = (UINT16)(
-                               ((UINT16)NetRandomInitSeed ()) %
+                               ((UINT16)Random) %
                                UDP6_PORT_KNOWN +
                                UDP6_PORT_KNOWN
                                );
diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
index 91146b78cb..452038c219 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
@@ -2,7 +2,7 @@
   Functions implementation related with DHCPv4 for UefiPxeBc Driver.
 
   Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
+  Copyright (c) Microsoft Corporation
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -1381,6 +1381,12 @@ PxeBcDhcp4Discover (
   UINT8                             VendorOptLen;
   UINT32                            Xid;
 
+  Status = PseudoRandomU32 (&Xid);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
+
   Mode   = Private->PxeBc.Mode;
   Dhcp4  = Private->Dhcp4;
   Status = EFI_SUCCESS;
@@ -1471,7 +1477,6 @@ PxeBcDhcp4Discover (
   //
   // Set fields of the token for the request packet.
   //
-  Xid                                 = NET_RANDOM (NetRandomInitSeed ());
   Token.Packet->Dhcp4.Header.Xid      = HTONL (Xid);
   Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)((IsBCast) ? 0x8000 : 0x0));
   CopyMem (&Token.Packet->Dhcp4.Header.ClientAddr, &Private->StationIp, sizeof (EFI_IPv4_ADDRESS));
diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
index 7fd1281c11..bcabbd2219 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
@@ -2180,7 +2180,7 @@ PxeBcDhcp6Discover (
   UINTN                            ReadSize;
   UINT16                           OpCode;
   UINT16                           OpLen;
-  UINT32                           Xid;
+  UINT32                           Random;
   EFI_STATUS                       Status;
   UINTN                            DiscoverLenNeeded;
 
@@ -2198,6 +2198,12 @@ PxeBcDhcp6Discover (
     return EFI_DEVICE_ERROR;
   }
 
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
+
   DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET);
   Discover          = AllocateZeroPool (DiscoverLenNeeded);
   if (Discover == NULL) {
@@ -2207,8 +2213,7 @@ PxeBcDhcp6Discover (
   //
   // Build the discover packet by the cached request packet before.
   //
-  Xid                     = NET_RANDOM (NetRandomInitSeed ());
-  Discover->TransactionId = HTONL (Xid);
+  Discover->TransactionId = HTONL (Random);
   Discover->MessageType   = Request->Dhcp6.Header.MessageType;
   RequestOpt              = Request->Dhcp6.Option;
   DiscoverOpt             = Discover->DhcpOptions;
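Review bot: renaming the local from `Xid` to `Random` loses the meaning the variable carries into `HTONL (Random)`, and PxeBcDhcp4.c in the same patch keeps `Xid` for the identical purpose; keeping `Xid` here (assigned from `PseudoRandomU32 (&Xid)`) would read better and stay consistent between the two files.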
diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
index d84aca7e85..4cd915b411 100644
--- a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
@@ -3,6 +3,7 @@
 
   (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
   Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) Microsoft Corporation
 
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
@@ -892,6 +893,13 @@ PxeBcCreateIp6Children (
   PXEBC_PRIVATE_PROTOCOL       *Id;
   EFI_SIMPLE_NETWORK_PROTOCOL  *Snp;
   UINTN                        Index;
+  UINT32                       Random;
+
+  Status = PseudoRandomU32 (&Random);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Failed to generate random number using EFI_RNG_PROTOCOL: %r\n", Status));
+    return Status;
+  }
 
   if (Private->Ip6Nic != NULL) {
     //
@@ -935,9 +943,9 @@ PxeBcCreateIp6Children (
   }
 
   //
-  // Generate a random IAID for the Dhcp6 assigned address.
+  // Set a random IAID for the Dhcp6 assigned address.
   //
-  Private->IaId = NET_RANDOM (NetRandomInitSeed ());
+  Private->IaId = Random;
   if (Private->Snp != NULL) {
     for (Index = 0; Index < Private->Snp->Mode->HwAddressSize; Index++) {
       Private->IaId |= (Private->Snp->Mode->CurrentAddress.Addr[Index] << ((Index << 3) & 31));
diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
index fa42025e0d..20a4555019 100644
--- a/NetworkPkg/SecurityFixes.yaml
+++ b/NetworkPkg/SecurityFixes.yaml
@@ -122,3 +122,42 @@ CVE_2023_45235:
     - http://www.openwall.com/lists/oss-security/2024/01/16/2
     - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
     - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45237:
+  commit_titles:
+    - "NetworkPkg:: SECURITY PATCH CVE 2023-45237"
+  cve: CVE-2023-45237
+  date_reported: 2023-08-28 13:56 UTC
+  description: "Bug 09 - Use of a Weak PseudoRandom Number Generator"
+  note:
+  files_impacted:
+    - NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
+    - NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
+    - NetworkPkg/DnsDxe/DnsDhcp.c
+    - NetworkPkg/DnsDxe/DnsImpl.c
+    - NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
+    - NetworkPkg/IScsiDxe/IScsiCHAP.c
+    - NetworkPkg/IScsiDxe/IScsiMisc.c
+    - NetworkPkg/IScsiDxe/IScsiMisc.h
+    - NetworkPkg/Include/Library/NetLib.h
+    - NetworkPkg/Ip4Dxe/Ip4Driver.c
+    - NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
+    - NetworkPkg/Ip6Dxe/Ip6Driver.c
+    - NetworkPkg/Ip6Dxe/Ip6If.c
+    - NetworkPkg/Ip6Dxe/Ip6Mld.c
+    - NetworkPkg/Ip6Dxe/Ip6Nd.c
+    - NetworkPkg/Ip6Dxe/Ip6Nd.h
+    - NetworkPkg/Library/DxeNetLib/DxeNetLib.c
+    - NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
+    - NetworkPkg/NetworkPkg.dec
+    - NetworkPkg/TcpDxe/TcpDriver.c
+    - NetworkPkg/Udp4Dxe/Udp4Driver.c
+    - NetworkPkg/Udp6Dxe/Udp6Driver.c
+    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
+    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+    - NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
+  links:
+    - https://bugzilla.tianocore.org/show_bug.cgi?id=4542
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-45237
+    - http://www.openwall.com/lists/oss-security/2024/01/16/2
+    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
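Review bot: the `commit_titles` entry reads "NetworkPkg:: SECURITY PATCH CVE 2023-45237" while the patch subject is "NetworkPkg:: SECURITY PATCH CVE-2023-45237" (hyphenated); make them identical so the title can be matched against git history. The `note:` key is also left without a value; either fill it in or drop the key.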

* [edk2-devel] [PATCH v3 09/20] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Saloni Kasbekar, Zachary Clark-williams

From: Doug Flick <dougflick@microsoft.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541
REF: https://www.rfc-editor.org/rfc/rfc1948.txt
REF: https://www.rfc-editor.org/rfc/rfc6528.txt
REF: https://www.rfc-editor.org/rfc/rfc9293.txt

Bug Overview:
PixieFail Bug #8
CVE-2023-45236
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Updates TCP ISN generation to use a cryptographic hash of the
connection's identifying parameters and a secret key.
This prevents an attacker from guessing the ISN used for some other
connection.

This follows the guidance in RFC 1948, RFC 6528, and RFC 9293.

RFC: 9293 Section 3.4.1.  Initial Sequence Number Selection

   A TCP implementation MUST use the above type of "clock" for clock-
   driven selection of initial sequence numbers (MUST-8), and SHOULD
   generate its initial sequence numbers with the expression:

   ISN = M + F(localip, localport, remoteip, remoteport, secretkey)

   where M is the 4 microsecond timer, and F() is a pseudorandom
   function (PRF) of the connection's identifying parameters ("localip,
   localport, remoteip, remoteport") and a secret key ("secretkey")
   (SHLD-1).  F() MUST NOT be computable from the outside (MUST-9), or
   an attacker could still guess at sequence numbers from the ISN used
   for some other connection.  The PRF could be implemented as a
   cryptographic hash of the concatenation of the TCP connection
   parameters and some secret data.  For discussion of the selection of
   a specific hash algorithm and management of the secret key data,
   please see Section 3 of [42].

   For each connection there is a send sequence number and a receive
   sequence number.  The initial send sequence number (ISS) is chosen by
   the data sending TCP peer, and the initial receive sequence number
   (IRS) is learned during the connection-establishing procedure.

   For a connection to be established or initialized, the two TCP peers
   must synchronize on each other's initial sequence numbers.  This is
   done in an exchange of connection-establishing segments carrying a
   control bit called "SYN" (for synchronize) and the initial sequence
   numbers.  As a shorthand, segments carrying the SYN bit are also
   called "SYNs".  Hence, the solution requires a suitable mechanism for
   picking an initial sequence number and a slightly involved handshake
   to exchange the ISNs.

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 NetworkPkg/TcpDxe/TcpDxe.inf  |   8 +-
 NetworkPkg/TcpDxe/TcpFunc.h   |  23 +-
 NetworkPkg/TcpDxe/TcpMain.h   |  59 ++++-
 NetworkPkg/TcpDxe/TcpDriver.c |  92 +++++++-
 NetworkPkg/TcpDxe/TcpInput.c  |  13 +-
 NetworkPkg/TcpDxe/TcpMisc.c   | 244 ++++++++++++++++++--
 NetworkPkg/TcpDxe/TcpTimer.c  |   3 +-
 NetworkPkg/SecurityFixes.yaml |  22 ++
 8 files changed, 415 insertions(+), 49 deletions(-)

diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf
index cf5423f4c5..76de4cf9ec 100644
--- a/NetworkPkg/TcpDxe/TcpDxe.inf
+++ b/NetworkPkg/TcpDxe/TcpDxe.inf
@@ -6,6 +6,7 @@
 #  stack has been loaded in system. This driver supports both IPv4 and IPv6 network stack.
 #
 #  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) Microsoft Corporation
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -68,7 +69,6 @@
   NetLib
   IpIoLib
 
-
 [Protocols]
   ## SOMETIMES_CONSUMES
   ## SOMETIMES_PRODUCES
@@ -81,6 +81,12 @@
   gEfiIp6ServiceBindingProtocolGuid             ## TO_START
   gEfiTcp6ProtocolGuid                          ## BY_START
   gEfiTcp6ServiceBindingProtocolGuid            ## BY_START
+  gEfiHash2ProtocolGuid                         ## BY_START
+  gEfiHash2ServiceBindingProtocolGuid           ## BY_START
+
+[Guids]
+  gEfiHashAlgorithmMD5Guid                      ## CONSUMES
+  gEfiHashAlgorithmSha256Guid                   ## CONSUMES
 
 [Depex]
   gEfiHash2ServiceBindingProtocolGuid
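Review bot: the usage annotations on the two new [Protocols] entries look inverted: `## BY_START` marks a protocol the driver produces on its Start() path, but TcpDxe locates `gEfiHash2ServiceBindingProtocolGuid` and `gEfiHash2ProtocolGuid` and calls CreateChild on the former, so `## SOMETIMES_CONSUMES` describes the relationship. The [Guids] section lists both `gEfiHashAlgorithmMD5Guid` and `gEfiHashAlgorithmSha256Guid` while the `TcpGetIsn` documentation names only MD5; list only the algorithm actually requested. Note also that the new [Depex] makes the Hash2 service binding a hard load-time dependency, so on a platform that has not added Hash2DxeCrypto the TCP driver will not dispatch at all; the cover letter covers EmulatorPkg, OvmfPkg and ArmVirtPkg, and other platforms will need to do the same.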
diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h
index a7af01fff2..c707bee3e5 100644
--- a/NetworkPkg/TcpDxe/TcpFunc.h
+++ b/NetworkPkg/TcpDxe/TcpFunc.h
@@ -2,7 +2,7 @@
   Declaration of external functions shared in TCP driver.
 
   Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
-
+  Copyright (c) Microsoft Corporation
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -36,8 +36,11 @@ VOID
 
   @param[in, out]  Tcb               Pointer to the TCP_CB of this TCP instance.
 
+  @retval EFI_SUCCESS             The operation completed successfully
+  @retval others                  The underlying functions failed and could not complete the operation
+
 **/
-VOID
+EFI_STATUS
 TcpInitTcbLocal (
   IN OUT TCP_CB  *Tcb
   );
@@ -128,17 +131,6 @@ TcpCloneTcb (
   IN TCP_CB  *Tcb
   );
 
-/**
-  Compute an ISS to be used by a new connection.
-
-  @return The result ISS.
-
-**/
-TCP_SEQNO
-TcpGetIss (
-  VOID
-  );
-
 /**
   Get the local mss.
 
@@ -202,8 +194,11 @@ TcpFormatNetbuf (
   @param[in, out]  Tcb          Pointer to the TCP_CB that wants to initiate a
                                 connection.
 
+  @retval EFI_SUCCESS             The operation completed successfully
+  @retval others                  The underlying functions failed and could not complete the operation
+
 **/
-VOID
+EFI_STATUS
 TcpOnAppConnect (
   IN OUT TCP_CB  *Tcb
   );
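Review bot: `TcpOnAppConnect` now returns `EFI_STATUS`, like `TcpInitTcbLocal` above, but none of the hunks in this patch show its call sites; every caller must check the result and abort the active open when ISN generation fails, otherwise a TCB whose `Iss` was never set can be put on the wire. Please point to the hunk that updates the callers or add it.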
diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h
index c0c9b7f46e..4d5566ab93 100644
--- a/NetworkPkg/TcpDxe/TcpMain.h
+++ b/NetworkPkg/TcpDxe/TcpMain.h
@@ -3,7 +3,7 @@
   It is the common head file for all Tcp*.c in TCP driver.
 
   Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
-
+  Copyright (c) Microsoft Corporation
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -13,6 +13,7 @@
 
 #include <Protocol/ServiceBinding.h>
 #include <Protocol/DriverBinding.h>
+#include <Protocol/Hash2.h>
 #include <Library/IpIoLib.h>
 #include <Library/DevicePathLib.h>
 #include <Library/PrintLib.h>
@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE      *gTcpControllerNameTable;
 
 extern LIST_ENTRY  mTcpRunQue;
 extern LIST_ENTRY  mTcpListenQue;
-extern TCP_SEQNO   mTcpGlobalIss;
+extern TCP_SEQNO   mTcpGlobalSecret;
 extern UINT32      mTcpTick;
 
 ///
@@ -45,14 +46,6 @@ extern UINT32      mTcpTick;
 
 #define TCP_EXPIRE_TIME  65535
 
-///
-/// The implementation selects the initial send sequence number and the unit to
-/// be added when it is increased.
-///
-#define TCP_BASE_ISS         0x4d7e980b
-#define TCP_ISS_INCREMENT_1  2048
-#define TCP_ISS_INCREMENT_2  100
-
 typedef union {
   EFI_TCP4_CONFIG_DATA    Tcp4CfgData;
   EFI_TCP6_CONFIG_DATA    Tcp6CfgData;
@@ -774,4 +767,50 @@ Tcp6Poll (
   IN EFI_TCP6_PROTOCOL  *This
   );
 
+/**
+  Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
+  and remote IP addresses and ports.
+
+  This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
+  Where the ISN is computed as follows:
+    ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
+
+  Otherwise:
+    ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
+
+    "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
+    connection's identifying parameters ("localip, localport, remoteip, remoteport")
+    and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
+    outside (MUST-9), or an attacker could still guess at sequence numbers from the
+    ISN used for some other connection. The PRF could be implemented as a
+    cryptographic hash of the concatenation of the TCP connection parameters and some
+    secret data. For discussion of the selection of a specific hash algorithm and
+    management of the secret key data."
+
+  @param[in]       LocalIp        A pointer to the local IP address of the TCP connection.
+  @param[in]       LocalIpSize    The size, in bytes, of the LocalIp buffer.
+  @param[in]       LocalPort      The local port number of the TCP connection.
+  @param[in]       RemoteIp       A pointer to the remote IP address of the TCP connection.
+  @param[in]       RemoteIpSize   The size, in bytes, of the RemoteIp buffer.
+  @param[in]       RemotePort     The remote port number of the TCP connection.
+  @param[out]      Isn            A pointer to the variable that will receive the Initial
+                                  Sequence Number (ISN).
+
+  @retval EFI_SUCCESS             The operation completed successfully, and the ISN was
+                                  retrieved.
+  @retval EFI_INVALID_PARAMETER   One or more of the input parameters are invalid.
+  @retval EFI_UNSUPPORTED         The operation is not supported.
+
+**/
+EFI_STATUS
+TcpGetIsn (
+  IN UINT8       *LocalIp,
+  IN UINTN       LocalIpSize,
+  IN UINT16      LocalPort,
+  IN UINT8       *RemoteIp,
+  IN UINTN       RemoteIpSize,
+  IN UINT16      RemotePort,
+  OUT TCP_SEQNO  *Isn
+  );
+
 #endif
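Review bot: the doc comment for `TcpGetIsn` disagrees with the rest of the patch: it states `ISN = TimeStamp + MD5(...)` while TcpDxe.inf also consumes `gEfiHashAlgorithmSha256Guid`; say which algorithm is requested from EFI_HASH2_PROTOCOL and, if it is MD5, that it is used purely as a keyed PRF per RFC 6528 rather than for collision resistance. The quoted RFC 9293 passage is also cut off mid-sentence ("...management of the secret key data." continues in the RFC with "please see Section 3 of [42]"), "Otherwise:" reads oddly as the lead-in to the general formula, and the `EFI_UNSUPPORTED` @retval should state what is unsupported (no Hash2 protocol or hash algorithm available).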
diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c
index 8fe6badd68..40bba4080c 100644
--- a/NetworkPkg/TcpDxe/TcpDriver.c
+++ b/NetworkPkg/TcpDxe/TcpDriver.c
@@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL  gTcpServiceBinding = {
   TcpServiceBindingDestroyChild
 };
 
+//
+// This is the handle for the Hash2ServiceBinding Protocol instance this driver produces
+// if the platform does not provide one.
+//
+EFI_HANDLE  mHash2ServiceHandle = NULL;
+
 /**
   Create and start the heartbeat timer for the TCP driver.
 
@@ -165,6 +171,23 @@ TcpDriverEntryPoint (
   EFI_STATUS  Status;
   UINT32      Random;
 
+  //
+  // Initialize the Secret used for hashing TCP sequence numbers
+  //
+  // Normally this should be regenerated periodically, but since
+  // this is only used for UEFI networking and not a general purpose
+  // operating system, it is not necessary to regenerate it.
+  //
+  Status = PseudoRandomU32 (&mTcpGlobalSecret);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status));
+    return Status;
+  }
+
+  //
+  // Get a random number used to generate a random port number
+  // Intentionally not linking this to mTcpGlobalSecret to avoid leaking information about the secret
+  //
   Status = PseudoRandomU32 (&Random);
   if (EFI_ERROR (Status)) {
     DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status));
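Review bot: `mTcpGlobalSecret` is a `TCP_SEQNO` filled by `PseudoRandomU32`, i.e. 32 bits, so F() in `ISN = M + F(tuple, secret)` is keyed from a space of only 2^32 secrets. The other hashed inputs (local and remote address and port) are known to the peer and M is coarse, so a single observed ISN is enough for an offline search over the secret, after which the scheme offers little more than the counter it replaces. Widen the secret to at least 128 bits (for example a `UINT8 Secret[16]` filled by `PseudoRandom`) and hash it as part of `ISN_HASH_CTX`; RFC 6528 leaves the key length open, but the defence rests entirely on it. The comment about not regenerating the secret periodically is a defensible trade-off for firmware, but it deserves a line in SecurityFixes.yaml as a documented deviation from the RFC's advice.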
@@ -207,9 +230,8 @@ TcpDriverEntryPoint (
   }
 
   //
-  // Initialize ISS and random port.
+  // Initialize the random port.
   //
-  mTcpGlobalIss   = Random % mTcpGlobalIss;
   mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN));
   mTcp6RandomPort = mTcp4RandomPort;
 
@@ -224,6 +246,8 @@ TcpDriverEntryPoint (
   @param[in]  IpVersion          IP_VERSION_4 or IP_VERSION_6.
 
   @retval EFI_OUT_OF_RESOURCES   Failed to allocate some resources.
+  @retval EFI_UNSUPPORTED        Service Binding Protocols are unavailable.
+  @retval EFI_ALREADY_STARTED    The TCP driver is already started on the controller.
   @retval EFI_SUCCESS            A new IP6 service binding private was created.
 
 **/
@@ -234,11 +258,13 @@ TcpCreateService (
   IN UINT8       IpVersion
   )
 {
-  EFI_STATUS        Status;
-  EFI_GUID          *IpServiceBindingGuid;
-  EFI_GUID          *TcpServiceBindingGuid;
-  TCP_SERVICE_DATA  *TcpServiceData;
-  IP_IO_OPEN_DATA   OpenData;
+  EFI_STATUS                    Status;
+  EFI_GUID                      *IpServiceBindingGuid;
+  EFI_GUID                      *TcpServiceBindingGuid;
+  TCP_SERVICE_DATA              *TcpServiceData;
+  IP_IO_OPEN_DATA               OpenData;
+  EFI_SERVICE_BINDING_PROTOCOL  *Hash2ServiceBinding;
+  EFI_HASH2_PROTOCOL            *Hash2Protocol;
 
   if (IpVersion == IP_VERSION_4) {
     IpServiceBindingGuid  = &gEfiIp4ServiceBindingProtocolGuid;
@@ -272,6 +298,33 @@ TcpCreateService (
     return EFI_UNSUPPORTED;
   }
 
+  Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
+  if (EFI_ERROR (Status)) {
+    //
+    // If we can't find the Hashing protocol, then we need to create one.
+    //
+
+    //
+    // Platform is expected to publish the hash service binding protocol to support TCP.
+    //
+    Status = gBS->LocateProtocol (
+                    &gEfiHash2ServiceBindingProtocolGuid,
+                    NULL,
+                    (VOID **)&Hash2ServiceBinding
+                    );
+    if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->CreateChild == NULL)) {
+      return EFI_UNSUPPORTED;
+    }
+
+    //
+    // Create an instance of the hash protocol for this controller.
+    //
+    Status = Hash2ServiceBinding->CreateChild (Hash2ServiceBinding, &mHash2ServiceHandle);
+    if (EFI_ERROR (Status)) {
+      return EFI_UNSUPPORTED;
+    }
+  }
+
   //
   // Create the TCP service data.
   //
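Review bot: the fallback logic first locates any `gEfiHash2ProtocolGuid` instance in the handle database and only creates a child of its own when none exists. An EFI_HASH2_PROTOCOL instance is a service-binding child owned by whoever created it and carries per-instance state (HashInit/HashUpdate/HashFinal), so borrowing a foreign instance means it can be destroyed, or be mid-computation, while TCP uses it. Always create TcpDxe's own child via the CreateChild path below and drop the initial `LocateProtocol (&gEfiHash2ProtocolGuid, ...)` probe; `Hash2Protocol` then becomes unused and can be removed. The two stacked comments ("If we can't find the Hashing protocol..." and "Platform is expected to publish...") also say the same thing and could be merged into one.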
@@ -423,6 +476,7 @@ TcpDestroyService (
   EFI_STATUS                               Status;
   LIST_ENTRY                               *List;
   TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT  Context;
+  EFI_SERVICE_BINDING_PROTOCOL             *Hash2ServiceBinding;
 
   ASSERT ((IpVersion == IP_VERSION_4) || (IpVersion == IP_VERSION_6));
 
@@ -439,6 +493,30 @@ TcpDestroyService (
     return EFI_SUCCESS;
   }
 
+  //
+  // Destroy the Hash2ServiceBinding instance if it is created by Tcp driver.
+  //
+  if (mHash2ServiceHandle != NULL) {
+    Status = gBS->LocateProtocol (
+                    &gEfiHash2ServiceBindingProtocolGuid,
+                    NULL,
+                    (VOID **)&Hash2ServiceBinding
+                    );
+    if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->DestroyChild == NULL)) {
+      return EFI_UNSUPPORTED;
+    }
+
+    //
+    // Destroy the instance of the hashing protocol for this controller.
+    //
+    Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle);
+    if (EFI_ERROR (Status)) {
+      return EFI_UNSUPPORTED;
+    }
+
+    mHash2ServiceHandle = NULL;
+  }
+
   Status = gBS->OpenProtocol (
                   NicHandle,
                   ServiceBindingGuid,
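Review bot: `mHash2ServiceHandle` is a single module-wide handle, but `TcpDestroyService` runs once per controller and per IP version. The first service torn down destroys the Hash2 child while other TCP service instances (the other IP version, or another NIC) are still running and still depend on `TcpGetIsn`; if that function locates the Hash2 protocol at call time, it will start failing and `TcpInput` will discard incoming SYNs. Either reference-count the child and destroy it when the last TCP_SERVICE_DATA goes away, or create one child per TCP_SERVICE_DATA. Returning `EFI_UNSUPPORTED` when DestroyChild fails also aborts the remainder of the teardown before the TCP service binding itself is removed; logging the failure and continuing would be safer.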
diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c
index 97633a3908..a5d575ccaf 100644
--- a/NetworkPkg/TcpDxe/TcpInput.c
+++ b/NetworkPkg/TcpDxe/TcpInput.c
@@ -724,6 +724,7 @@ TcpInput (
   TCP_SEQNO   Urg;
   UINT16      Checksum;
   INT32       Usable;
+  EFI_STATUS  Status;
 
   ASSERT ((Version == IP_VERSION_4) || (Version == IP_VERSION_6));
 
@@ -872,7 +873,17 @@ TcpInput (
       Tcb->LocalEnd.Port  = Head->DstPort;
       Tcb->RemoteEnd.Port = Head->SrcPort;
 
-      TcpInitTcbLocal (Tcb);
+      Status = TcpInitTcbLocal (Tcb);
+      if (EFI_ERROR (Status)) {
+        DEBUG (
+          (DEBUG_ERROR,
+           "TcpInput: discard a segment because failed to init local end for TCB %p\n",
+           Tcb)
+          );
+
+        goto DISCARD;
+      }
+
       TcpInitTcbPeer (Tcb, Seg, &Option);
 
       TcpSetState (Tcb, TCP_SYN_RCVD);
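Review bot: this is the first point at which `TcpInitTcbLocal` can fail on the passive-open path, and the new `goto DISCARD` runs after the TCB for the pending connection (the `Tcb` whose ports are assigned just above) has already been set up. Please confirm that the DISCARD label releases that TCB and does not leave it queued; if DISCARD only drops the segment, the TCB leaks on every failed ISN computation, which an unavailable Hash2 protocol would trigger for each incoming SYN.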
diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c
index c93212d47d..3310306f63 100644
--- a/NetworkPkg/TcpDxe/TcpMisc.c
+++ b/NetworkPkg/TcpDxe/TcpMisc.c
@@ -3,7 +3,7 @@
 
   (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>
   Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
-
+  Copyright (c) Microsoft Corporation
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -20,7 +20,34 @@ LIST_ENTRY  mTcpListenQue = {
   &mTcpListenQue
 };
 
-TCP_SEQNO  mTcpGlobalIss = TCP_BASE_ISS;
+//
+// The Session secret
+// This must be initialized to a random value at boot time
+//
+TCP_SEQNO  mTcpGlobalSecret;
+
+//
+// Union to hold either an IPv4 or IPv6 address
+// This is used to simplify the ISN hash computation
+//
+typedef union {
+  UINT8    IPv4[4];
+  UINT8    IPv6[16];
+} NETWORK_ADDRESS;
+
+//
+// The ISN is computed by hashing this structure
+// It is initialized with the local and remote IP addresses and ports
+// and the secret
+//
+//
+typedef struct {
+  UINT16             LocalPort;
+  UINT16             RemotePort;
+  NETWORK_ADDRESS    LocalAddress;
+  NETWORK_ADDRESS    RemoteAddress;
+  TCP_SEQNO          Secret;
+} ISN_HASH_CTX;
 
 CHAR16  *mTcpStateName[] = {
   L"TCP_CLOSED",
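Review bot: `ISN_HASH_CTX` is hashed as a raw byte image and `NETWORK_ADDRESS` is 16 bytes whichever family is in use, so for IPv4 the 12 trailing bytes of each address slot must be explicitly zeroed before hashing; make sure `TcpGetIsn` does a `ZeroMem` on the context before copying the addresses in, otherwise stack garbage feeds the hash and F() stops being a deterministic function of the tuple and secret. With the current field order (UINT16, UINT16, 16 bytes, 16 bytes, UINT32, giving 40 bytes) there is no padding, but a `STATIC_ASSERT (sizeof (ISN_HASH_CTX) == 40, ...)` would stop a future field change from silently hashing padding bytes. The comment block above the struct also has a stray empty `//` line, and the comment on `mTcpGlobalSecret` should state how wide the secret is.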
@@ -41,12 +68,18 @@ CHAR16  *mTcpStateName[] = {
 
   @param[in, out]  Tcb               Pointer to the TCP_CB of this TCP instance.
 
+  @retval EFI_SUCCESS             The operation completed successfully
+  @retval others                  The underlying functions failed and could not complete the operation
+
 **/
-VOID
+EFI_STATUS
 TcpInitTcbLocal (
   IN OUT TCP_CB  *Tcb
   )
 {
+  TCP_SEQNO   Isn;
+  EFI_STATUS  Status;
+
   //
   // Compute the checksum of the fixed parts of pseudo header
   //
@@ -57,6 +90,16 @@ TcpInitTcbLocal (
                      0x06,
                      0
                      );
+
+    Status = TcpGetIsn (
+               Tcb->LocalEnd.Ip.v4.Addr,
+               sizeof (IPv4_ADDRESS),
+               Tcb->LocalEnd.Port,
+               Tcb->RemoteEnd.Ip.v4.Addr,
+               sizeof (IPv4_ADDRESS),
+               Tcb->RemoteEnd.Port,
+               &Isn
+               );
   } else {
     Tcb->HeadSum = NetIp6PseudoHeadChecksum (
                      &Tcb->LocalEnd.Ip.v6,
@@ -64,9 +107,25 @@ TcpInitTcbLocal (
                      0x06,
                      0
                      );
+
+    Status = TcpGetIsn (
+               Tcb->LocalEnd.Ip.v6.Addr,
+               sizeof (IPv6_ADDRESS),
+               Tcb->LocalEnd.Port,
+               Tcb->RemoteEnd.Ip.v6.Addr,
+               sizeof (IPv6_ADDRESS),
+               Tcb->RemoteEnd.Port,
+               &Isn
+               );
+  }
+
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: failed to get isn\n"));
+    ASSERT (FALSE);
+    return Status;
   }
 
-  Tcb->Iss    = TcpGetIss ();
+  Tcb->Iss    = Isn;
   Tcb->SndUna = Tcb->Iss;
   Tcb->SndNxt = Tcb->Iss;
 
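Review bot: the `ASSERT (FALSE)` in the error path turns a runtime failure that the new EFI_STATUS return already reports into a hard stop on DEBUG builds. TcpGetIsn can fail for reasons outside this driver's control (no EFI_HASH2_PROTOCOL on the platform, GetTime returning an error), so either drop the ASSERT or reserve it for programming errors. The message should also carry the status so the cause is visible in the log: `DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: failed to get isn: %r\n", Status));`.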
@@ -82,6 +141,8 @@ TcpInitTcbLocal (
   Tcb->RetxmitSeqMax = 0;
 
   Tcb->ProbeTimerOn = FALSE;
+
+  return EFI_SUCCESS;
 }
 
 /**
@@ -506,18 +567,162 @@ TcpCloneTcb (
 }
 
 /**
-  Compute an ISS to be used by a new connection.
-
-  @return The resulting ISS.
+  Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local
+  and remote IP addresses and ports.
+
+  This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1
+  Where the ISN is computed as follows:
+    ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret)
+
+  Otherwise:
+    ISN = M + F(localip, localport, remoteip, remoteport, secretkey)
+
+    "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the
+    connection's identifying parameters ("localip, localport, remoteip, remoteport")
+    and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the
+    outside (MUST-9), or an attacker could still guess at sequence numbers from the
+    ISN used for some other connection. The PRF could be implemented as a
+    cryptographic hash of the concatenation of the TCP connection parameters and some
+    secret data. For discussion of the selection of a specific hash algorithm and
+    management of the secret key data."
+
+  @param[in]       LocalIp        A pointer to the local IP address of the TCP connection.
+  @param[in]       LocalIpSize    The size, in bytes, of the LocalIp buffer.
+  @param[in]       LocalPort      The local port number of the TCP connection.
+  @param[in]       RemoteIp       A pointer to the remote IP address of the TCP connection.
+  @param[in]       RemoteIpSize   The size, in bytes, of the RemoteIp buffer.
+  @param[in]       RemotePort     The remote port number of the TCP connection.
+  @param[out]      Isn            A pointer to the variable that will receive the Initial
+                                  Sequence Number (ISN).
+
+  @retval EFI_SUCCESS             The operation completed successfully, and the ISN was
+                                  retrieved.
+  @retval EFI_INVALID_PARAMETER   One or more of the input parameters are invalid.
+  @retval EFI_UNSUPPORTED         The operation is not supported.
 
 **/
-TCP_SEQNO
-TcpGetIss (
-  VOID
+EFI_STATUS
+TcpGetIsn (
+  IN UINT8       *LocalIp,
+  IN UINTN       LocalIpSize,
+  IN UINT16      LocalPort,
+  IN UINT8       *RemoteIp,
+  IN UINTN       RemoteIpSize,
+  IN UINT16      RemotePort,
+  OUT TCP_SEQNO  *Isn
   )
 {
-  mTcpGlobalIss += TCP_ISS_INCREMENT_1;
-  return mTcpGlobalIss;
+  EFI_STATUS          Status;
+  EFI_HASH2_PROTOCOL  *Hash2Protocol;
+  EFI_HASH2_OUTPUT    HashResult;
+  ISN_HASH_CTX        IsnHashCtx;
+  EFI_TIME            TimeStamp;
+
+  //
+  // Check that the ISN pointer is valid
+  //
+  if (Isn == NULL) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  //
+  // The local ip may be a v4 or v6 address and may not be NULL
+  //
+  if ((LocalIp == NULL) || (LocalIpSize == 0) || (RemoteIp == NULL) || (RemoteIpSize == 0)) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  //
+  // the local ip may be a v4 or v6 address
+  //
+  if ((LocalIpSize != sizeof (EFI_IPv4_ADDRESS)) && (LocalIpSize != sizeof (EFI_IPv6_ADDRESS))) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  //
+  // Locate the Hash Protocol
+  //
+  Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_NET, "Failed to locate Hash Protocol: %r\n", Status));
+
+    //
+    // TcpCreateService(..) is expected to be called prior to this function
+    //
+    ASSERT_EFI_ERROR (Status);
+    return Status;
+  }
+
+  //
+  // Initialize the hash algorithm
+  //
+  Status = Hash2Protocol->HashInit (Hash2Protocol, &gEfiHashAlgorithmSha256Guid);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_NET, "Failed to initialize sha256 hash algorithm: %r\n", Status));
+    return Status;
+  }
+
+  IsnHashCtx.LocalPort  = LocalPort;
+  IsnHashCtx.RemotePort = RemotePort;
+  IsnHashCtx.Secret     = mTcpGlobalSecret;
+
+  //
+  // Check the IP address family and copy accordingly
+  //
+  if (LocalIpSize == sizeof (EFI_IPv4_ADDRESS)) {
+    CopyMem (&IsnHashCtx.LocalAddress.IPv4, LocalIp, LocalIpSize);
+  } else if (LocalIpSize == sizeof (EFI_IPv6_ADDRESS)) {
+    CopyMem (&IsnHashCtx.LocalAddress.IPv6, LocalIp, LocalIpSize);
+  } else {
+    return EFI_INVALID_PARAMETER; // Unsupported address size
+  }
+
+  //
+  // Repeat the process for the remote IP address
+  //
+  if (RemoteIpSize == sizeof (EFI_IPv4_ADDRESS)) {
+    CopyMem (&IsnHashCtx.RemoteAddress.IPv4, RemoteIp, RemoteIpSize);
+  } else if (RemoteIpSize == sizeof (EFI_IPv6_ADDRESS)) {
+    CopyMem (&IsnHashCtx.RemoteAddress.IPv6, RemoteIp, RemoteIpSize);
+  } else {
+    return EFI_INVALID_PARAMETER; // Unsupported address size
+  }
+
+  //
+  // Compute the hash
+  // Update the hash with the data
+  //
+  Status = Hash2Protocol->HashUpdate (Hash2Protocol, (UINT8 *)&IsnHashCtx, sizeof (IsnHashCtx));
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_NET, "Failed to update hash: %r\n", Status));
+    return Status;
+  }
+
+  //
+  // Finalize the hash and retrieve the result
+  //
+  Status = Hash2Protocol->HashFinal (Hash2Protocol, &HashResult);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_NET, "Failed to finalize hash: %r\n", Status));
+    return Status;
+  }
+
+  Status = gRT->GetTime (&TimeStamp, NULL);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  //
+  // copy the first 4 bytes of the hash result into the ISN
+  //
+  CopyMem (Isn, HashResult.Md5Hash, sizeof (*Isn));
+
+  //
+  // now add the timestamp to the ISN as 4 microseconds units (1000 / 4 = 250)
+  //
+  *Isn += (TCP_SEQNO)TimeStamp.Nanosecond * 250;
+
+  return Status;
 }
 
 /**
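Review bot: the timer term at the end of TcpGetIsn does not implement the 4-microsecond clock M that the doc comment describes. EFI_TIME.Nanosecond holds only the sub-second part (0 to 999,999,999), so the term repeats every second, and the comment's `1000 / 4 = 250` treats the field as milliseconds: in 4-microsecond units the sub-second part is `TimeStamp.Nanosecond / 4000`, and it needs a whole-seconds contribution (from the other EFI_TIME fields or a monotonic counter) so that M keeps increasing between calls as RFC 6528 intends. As written, `(TCP_SEQNO)TimeStamp.Nanosecond * 250` also wraps the 32-bit TCP_SEQNO for most Nanosecond values. Second point: IsnHashCtx is hashed with `sizeof (IsnHashCtx)`, but only LocalPort, RemotePort, Secret and the bytes of the selected address family are written, so structure padding and the unused tail of each NETWORK_ADDRESS are uninitialized stack bytes; add `ZeroMem (&IsnHashCtx, sizeof (IsnHashCtx));` before filling it so the hash input is deterministic and the uninitialized read does not trip static analysis. Finally, the doc comment says MD5 and cites RFC 9293 while the code selects gEfiHashAlgorithmSha256Guid and the cover letter cites RFC 6528; reading the digest through `HashResult.Md5Hash` works because EFI_HASH2_OUTPUT is a union, but `HashResult.Sha256Hash` matches the algorithm actually used and the comment should say SHA-256.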
@@ -721,17 +926,28 @@ TcpFormatNetbuf (
   @param[in, out]  Tcb          Pointer to the TCP_CB that wants to initiate a
                                 connection.
 
+  @retval EFI_SUCCESS             The operation completed successfully
+  @retval others                  The underlying functions failed and could not complete the operation
+
 **/
-VOID
+EFI_STATUS
 TcpOnAppConnect (
   IN OUT TCP_CB  *Tcb
   )
 {
-  TcpInitTcbLocal (Tcb);
+  EFI_STATUS  Status;
+
+  Status = TcpInitTcbLocal (Tcb);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
   TcpSetState (Tcb, TCP_SYN_SENT);
 
   TcpSetTimer (Tcb, TCP_TIMER_CONNECT, Tcb->ConnectTimeout);
   TcpToSendData (Tcb, 1);
+
+  return EFI_SUCCESS;
 }
 
 /**
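Review bot: now that TcpOnAppConnect returns early when TcpInitTcbLocal fails, the doc comment should state what the caller gets on error: the Tcb is left in its previous state with no transition to TCP_SYN_SENT, no connect timer armed and no SYN sent, so the caller must release the Tcb itself rather than wait for a connection timeout that will never fire.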
diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c
index 5d2e124977..065b1bdf5f 100644
--- a/NetworkPkg/TcpDxe/TcpTimer.c
+++ b/NetworkPkg/TcpDxe/TcpTimer.c
@@ -2,7 +2,7 @@
   TCP timer related functions.
 
   Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-
+  Copyright (c) Microsoft Corporation
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -483,7 +483,6 @@ TcpTickingDpc (
   INT16       Index;
 
   mTcpTick++;
-  mTcpGlobalIss += TCP_ISS_INCREMENT_2;
 
   //
   // Don't use LIST_FOR_EACH, which isn't delete safe.
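Review bot: with this increment gone, TcpTimer.c no longer touches mTcpGlobalIss, and TcpMisc.c no longer reads it after the TcpGetIss removal. Make sure the variable together with TCP_ISS_INCREMENT_1, TCP_ISS_INCREMENT_2 and the TcpGetIss prototype are dropped from TcpMain.h and TcpFunc.h (both are in the files_impacted list for this CVE) so the old predictable counter cannot be picked up again by a later change.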
diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
index 20a4555019..4305328425 100644
--- a/NetworkPkg/SecurityFixes.yaml
+++ b/NetworkPkg/SecurityFixes.yaml
@@ -122,6 +122,28 @@ CVE_2023_45235:
     - http://www.openwall.com/lists/oss-security/2024/01/16/2
     - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
     - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
+CVE_2023_45236:
+  commit_titles:
+    - "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch"
+  cve: CVE-2023-45236
+  date_reported: 2023-08-28 13:56 UTC
+  description: "Bug 08 - edk2/NetworkPkg: Predictable TCP Initial Sequence Numbers"
+  note:
+  files_impacted:
+    - NetworkPkg/Include/Library/NetLib.h
+    - NetworkPkg/TcpDxe/TcpDriver.c
+    - NetworkPkg/TcpDxe/TcpDxe.inf
+    - NetworkPkg/TcpDxe/TcpFunc.h
+    - NetworkPkg/TcpDxe/TcpInput.c
+    - NetworkPkg/TcpDxe/TcpMain.h
+    - NetworkPkg/TcpDxe/TcpMisc.c
+    - NetworkPkg/TcpDxe/TcpTimer.c
+  links:
+    - https://bugzilla.tianocore.org/show_bug.cgi?id=4541
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-45236
+    - http://www.openwall.com/lists/oss-security/2024/01/16/2
+    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
+    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
 CVE_2023_45237:
   commit_titles:
     - "NetworkPkg:: SECURITY PATCH CVE 2023-45237"
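Review bot: `note:` is left empty in the CVE_2023_45236 entry, which YAML reads as null; either fill it with the one-line summary of the fix (ISN derived from a SHA-256 of the connection 4-tuple plus a secret, per RFC 6528) or remove the key so the entry matches the others in this file.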
-- 
2.34.1




* [edk2-devel] [PATCH v3 10/20] MdePkg: : Add MockUefiBootServicesTableLib
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
                   ` (8 preceding siblings ...)
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 09/20] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Doug Flick via groups.io
@ 2024-05-24  5:44 ` Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 11/20] MdePkg: : Adds Protocol for MockRng Doug Flick via groups.io
                   ` (9 subsequent siblings)
  19 siblings, 0 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Michael D Kinney, Liming Gao, Zhiguang Liu

From: Doug Flick <dougflick@microsoft.com>

This commit adds a mock library for UefiBootServicesTableLib.

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 MdePkg/Test/MdePkgHostTest.dsc                                                                    |  1 +
 MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf | 32 ++++++++
 MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h                        | 78 ++++++++++++++++++++
 MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.cpp | 69 +++++++++++++++++
 4 files changed, 180 insertions(+)

diff --git a/MdePkg/Test/MdePkgHostTest.dsc b/MdePkg/Test/MdePkgHostTest.dsc
index e666636b7c..6a85d02236 100644
--- a/MdePkg/Test/MdePkgHostTest.dsc
+++ b/MdePkg/Test/MdePkgHostTest.dsc
@@ -43,6 +43,7 @@
   MdePkg/Library/BaseLib/UnitTestHostBaseLib.inf
   MdePkg/Test/Mock/Library/GoogleTest/MockUefiLib/MockUefiLib.inf
   MdePkg/Test/Mock/Library/GoogleTest/MockUefiRuntimeServicesTableLib/MockUefiRuntimeServicesTableLib.inf
+  MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf
   MdePkg/Test/Mock/Library/GoogleTest/MockPeiServicesLib/MockPeiServicesLib.inf
   MdePkg/Test/Mock/Library/GoogleTest/MockHobLib/MockHobLib.inf
   MdePkg/Test/Mock/Library/GoogleTest/MockFdtLib/MockFdtLib.inf
diff --git a/MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf b/MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf
new file mode 100644
index 0000000000..8b64fd195a
--- /dev/null
+++ b/MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf
@@ -0,0 +1,32 @@
+## @file
+#  Mock implementation of the UEFI Boot Services Table Library.
+#
+#  Copyright (c) Microsoft Corporation.
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = MockUefiBootServicesTableLib
+  FILE_GUID                      = 67EA4614-E276-49EC-9AE6-B97ACCEA676E
+  MODULE_TYPE                    = HOST_APPLICATION
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = UefiBootServicesTableLib|HOST_APPLICATION
+
+#
+#  VALID_ARCHITECTURES           = IA32 X64 EBC
+#
+
+[Sources]
+  MockUefiBootServicesTableLib.cpp
+
+[LibraryClasses]
+  GoogleTestLib
+
+[Packages]
+  MdePkg/MdePkg.dec
+  UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec
+
+[BuildOptions]
+  MSFT:*_*_*_CC_FLAGS = /EHsc
diff --git a/MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h b/MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h
new file mode 100644
index 0000000000..d72b941323
--- /dev/null
+++ b/MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h
@@ -0,0 +1,78 @@
+/** @file
+  Google Test mocks for UefiBootServicesTableLib
+
+  Copyright (c) Microsoft Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef MOCK_UEFI_BOOT_SERVICES_TABLE_LIB_H_
+#define MOCK_UEFI_BOOT_SERVICES_TABLE_LIB_H_
+
+#include <Library/GoogleTestLib.h>
+#include <Library/FunctionMockLib.h>
+extern "C" {
+  #include <Uefi.h>
+  #include <Library/UefiBootServicesTableLib.h>
+}
+
+//
+// Declarations to handle usage of the UefiBootServiceTableLib by creating mock
+//
+struct MockUefiBootServicesTableLib {
+  MOCK_INTERFACE_DECLARATION (MockUefiBootServicesTableLib);
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    gBS_GetMemoryMap,
+    (IN OUT UINTN                 *MemoryMapSize,
+     OUT    EFI_MEMORY_DESCRIPTOR *MemoryMap,
+     OUT    UINTN                 *MapKey,
+     OUT    UINTN                 *DescriptorSize,
+     OUT    UINT32                *DescriptorVersion)
+    );
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    gBS_CreateEvent,
+    (IN  UINT32           Type,
+     IN  EFI_TPL          NotifyTpl,
+     IN  EFI_EVENT_NOTIFY NotifyFunction,
+     IN  VOID             *NotifyContext,
+     OUT EFI_EVENT        *Event)
+    );
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    gBS_CloseEvent,
+    (IN EFI_EVENT Event)
+    );
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    gBS_HandleProtocol,
+    (IN  EFI_HANDLE Handle,
+     IN  EFI_GUID   *Protocol,
+     OUT VOID       **Interface)
+    );
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    gBS_LocateProtocol,
+    (IN  EFI_GUID *Protocol,
+     IN  VOID      *Registration  OPTIONAL,
+     OUT VOID      **Interface)
+    );
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    gBS_CreateEventEx,
+    (IN UINT32            Type,
+     IN EFI_TPL           NotifyTpl,
+     IN EFI_EVENT_NOTIFY  NotifyFunction OPTIONAL,
+     IN CONST VOID        *NotifyContext OPTIONAL,
+     IN CONST EFI_GUID    *EventGroup OPTIONAL,
+     OUT EFI_EVENT        *Event)
+    );
+};
+
+#endif // MOCK_UEFI_BOOT_SERVICES_TABLE_LIB_H_
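Review bot: the comment above the struct misspells the library as "UefiBootServiceTableLib" (missing the "s") and reads awkwardly ("by creating mock"); "Declarations for mocking UefiBootServicesTableLib" would do. The declarations themselves match the EFI_BOOT_SERVICES signatures for the six functions mocked.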
diff --git a/MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.cpp b/MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.cpp
new file mode 100644
index 0000000000..ced6255418
--- /dev/null
+++ b/MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.cpp
@@ -0,0 +1,69 @@
+/** @file
+  Google Test mocks for UefiBootServicesTableLib
+
+  Copyright (c) Microsoft Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+#include <GoogleTest/Library/MockUefiBootServicesTableLib.h>
+
+MOCK_INTERFACE_DEFINITION (MockUefiBootServicesTableLib);
+MOCK_FUNCTION_DEFINITION (MockUefiBootServicesTableLib, gBS_GetMemoryMap, 5, EFIAPI);
+MOCK_FUNCTION_DEFINITION (MockUefiBootServicesTableLib, gBS_CreateEvent, 5, EFIAPI);
+MOCK_FUNCTION_DEFINITION (MockUefiBootServicesTableLib, gBS_CloseEvent, 1, EFIAPI);
+MOCK_FUNCTION_DEFINITION (MockUefiBootServicesTableLib, gBS_HandleProtocol, 3, EFIAPI);
+MOCK_FUNCTION_DEFINITION (MockUefiBootServicesTableLib, gBS_LocateProtocol, 3, EFIAPI);
+MOCK_FUNCTION_DEFINITION (MockUefiBootServicesTableLib, gBS_CreateEventEx, 6, EFIAPI);
+
+static EFI_BOOT_SERVICES  LocalBs = {
+  { 0, 0, 0, 0, 0 },    // EFI_TABLE_HEADER
+  NULL,                 // EFI_RAISE_TPL
+  NULL,                 // EFI_RESTORE_TPL
+  NULL,                 // EFI_ALLOCATE_PAGES
+  NULL,                 // EFI_FREE_PAGES
+  gBS_GetMemoryMap,     // EFI_GET_MEMORY_MAP
+  NULL,                 // EFI_ALLOCATE_POOL
+  NULL,                 // EFI_FREE_POOL
+  gBS_CreateEvent,      // EFI_CREATE_EVENT
+  NULL,                 // EFI_SET_TIMER
+  NULL,                 // EFI_WAIT_FOR_EVENT
+  NULL,                 // EFI_SIGNAL_EVENT
+  gBS_CloseEvent,       // EFI_CLOSE_EVENT
+  NULL,                 // EFI_CHECK_EVENT
+  NULL,                 // EFI_INSTALL_PROTOCOL_INTERFACE
+  NULL,                 // EFI_REINSTALL_PROTOCOL_INTERFACE
+  NULL,                 // EFI_UNINSTALL_PROTOCOL_INTERFACE
+  gBS_HandleProtocol,   // EFI_HANDLE_PROTOCOL
+  NULL,                 // VOID
+  NULL,                 // EFI_REGISTER_PROTOCOL_NOTIFY
+  NULL,                 // EFI_LOCATE_HANDLE
+  NULL,                 // EFI_LOCATE_DEVICE_PATH
+  NULL,                 // EFI_INSTALL_CONFIGURATION_TABLE
+  NULL,                 // EFI_IMAGE_LOAD
+  NULL,                 // EFI_IMAGE_START
+  NULL,                 // EFI_EXIT
+  NULL,                 // EFI_IMAGE_UNLOAD
+  NULL,                 // EFI_EXIT_BOOT_SERVICES
+  NULL,                 // EFI_GET_NEXT_MONOTONIC_COUNT
+  NULL,                 // EFI_STALL
+  NULL,                 // EFI_SET_WATCHDOG_TIMER
+  NULL,                 // EFI_CONNECT_CONTROLLER
+  NULL,                 // EFI_DISCONNECT_CONTROLLER
+  NULL,                 // EFI_OPEN_PROTOCOL
+  NULL,                 // EFI_CLOSE_PROTOCOL
+  NULL,                 // EFI_OPEN_PROTOCOL_INFORMATION
+  NULL,                 // EFI_PROTOCOLS_PER_HANDLE
+  NULL,                 // EFI_LOCATE_HANDLE_BUFFER
+  gBS_LocateProtocol,   // EFI_LOCATE_PROTOCOL
+  NULL,                 // EFI_INSTALL_MULTIPLE_PROTOCOL_INTERFACES
+  NULL,                 // EFI_UNINSTALL_MULTIPLE_PROTOCOL_INTERFACES
+  NULL,                 // EFI_CALCULATE_CRC32
+  NULL,                 // EFI_COPY_MEM
+  NULL,                 // EFI_SET_MEM
+  gBS_CreateEventEx     // EFI_CREATE_EVENT_EX
+};
+
+extern "C" {
+  EFI_BOOT_SERVICES  *gBS         = &LocalBs;
+  EFI_HANDLE         gImageHandle = NULL;
+  EFI_SYSTEM_TABLE   *gST         = NULL;
+}
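Review bot: every unmocked slot in LocalBs is NULL, so code under test that reaches for any other boot service dereferences a null function pointer and the test dies with a crash instead of a readable failure. Pointing the unused slots at a small stub that records a gtest failure and returns EFI_UNSUPPORTED would make the gap obvious. Two smaller points: the EFI_TABLE_HEADER is all zeros, so code under test that checks `gBS->Hdr.Revision` sees 0, and the slot commented `// VOID` is the spec's `Reserved` member, which is the clearer comment.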
-- 
2.34.1



* [edk2-devel] [PATCH v3 11/20] MdePkg: : Adds Protocol for MockRng
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
                   ` (9 preceding siblings ...)
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 10/20] MdePkg: : Add MockUefiBootServicesTableLib Doug Flick via groups.io
@ 2024-05-24  5:44 ` Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 12/20] MdePkg: Add MockHash2 Protocol for testing Doug Flick via groups.io
                   ` (8 subsequent siblings)
  19 siblings, 0 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Michael D Kinney, Liming Gao, Zhiguang Liu

From: Doug Flick <dougflick@microsoft.com>

This patch adds a protocol for MockRng. This protocol is used to
mock the Rng protocol for testing purposes.

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h   | 48 ++++++++++++++++++++
 MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp | 21 +++++++++
 2 files changed, 69 insertions(+)

diff --git a/MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h b/MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h
new file mode 100644
index 0000000000..b54f8a234b
--- /dev/null
+++ b/MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h
@@ -0,0 +1,48 @@
+/** @file
+  This file declares a mock of Rng Protocol.
+
+  Copyright (c) Microsoft Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef MOCK_RNG_H_
+#define MOCK_RNG_H_
+
+#include <Library/GoogleTestLib.h>
+#include <Library/FunctionMockLib.h>
+
+extern "C" {
+  #include <Uefi.h>
+  #include <Protocol/Rng.h>
+}
+
+struct MockRng {
+  MOCK_INTERFACE_DECLARATION (MockRng);
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    GetInfo,
+    (
+     IN EFI_RNG_PROTOCOL             *This,
+     IN OUT UINTN                    *RNGAlgorithmListSize,
+     OUT EFI_RNG_ALGORITHM           *RNGAlgorithmList
+    )
+    );
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    GetRng,
+    (
+     IN EFI_RNG_PROTOCOL            *This,
+     IN EFI_RNG_ALGORITHM           *RNGAlgorithm,
+     IN UINTN                       RNGValueLength,
+     OUT UINT8                      *RNGValue
+    )
+    );
+};
+
+extern "C" {
+  extern EFI_RNG_PROTOCOL  *gRngProtocol;
+}
+
+#endif // MOCK_RNG_H_
diff --git a/MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp b/MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp
new file mode 100644
index 0000000000..7d8b69cc86
--- /dev/null
+++ b/MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp
@@ -0,0 +1,21 @@
+/** @file MockRng.cpp
+  Google Test mock for Rng Protocol
+
+  Copyright (c) Microsoft Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <GoogleTest/Protocol/MockRng.h>
+
+MOCK_INTERFACE_DEFINITION (MockRng);
+MOCK_FUNCTION_DEFINITION (MockRng, GetInfo, 3, EFIAPI);
+MOCK_FUNCTION_DEFINITION (MockRng, GetRng, 4, EFIAPI);
+
+EFI_RNG_PROTOCOL  RNG_PROTOCOL_INSTANCE = {
+  GetInfo, // EFI_RNG_GET_INFO
+  GetRng   // EFI_RNG_GET_RNG
+};
+
+extern "C" {
+  EFI_RNG_PROTOCOL  *gRngProtocol = &RNG_PROTOCOL_INSTANCE;
+}
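Review bot: RNG_PROTOCOL_INSTANCE has external linkage but is not declared in MockRng.h; mark it `static`, since only gRngProtocol needs to be visible, and the all-caps name reads as a macro in edk2 style (mRngProtocolInstance would fit). More importantly, MOCK_FUNCTION_DEFINITION creates C-linkage functions with the bare names GetInfo and GetRng; GetInfo in particular is a method name shared by other UEFI protocols, so two such mocks linked into one test binary would collide. A prefix as used for gBS_LocateProtocol in MockUefiBootServicesTableLib avoids that.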
-- 
2.34.1



* [edk2-devel] [PATCH v3 12/20] MdePkg: Add MockHash2 Protocol for testing
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
                   ` (10 preceding siblings ...)
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 11/20] MdePkg: : Adds Protocol for MockRng Doug Flick via groups.io
@ 2024-05-24  5:44 ` Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 13/20] NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes Doug Flick via groups.io
                   ` (7 subsequent siblings)
  19 siblings, 0 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Michael D Kinney, Liming Gao, Zhiguang Liu

From: Doug Flick <dougflick@microsoft.com>

This commit adds a new MockHash2 protocol to the MdePkg. This allows
the unit tests to pick up the new protocol and use it for testing.

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h   | 67 ++++++++++++++++++++
 MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockHash2.cpp | 27 ++++++++
 2 files changed, 94 insertions(+)

diff --git a/MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h b/MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h
new file mode 100644
index 0000000000..b44d341332
--- /dev/null
+++ b/MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h
@@ -0,0 +1,67 @@
+/** @file
+  This file declares a mock of Hash2 Protocol.
+
+  Copyright (c) Microsoft Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef MOCK_HASH2_H_
+#define MOCK_HASH2_H_
+
+#include <Library/GoogleTestLib.h>
+#include <Library/FunctionMockLib.h>
+
+extern "C" {
+  #include <Uefi.h>
+  #include <Protocol/Hash2.h>
+}
+
+struct MockHash2 {
+  MOCK_INTERFACE_DECLARATION (MockHash2);
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    GetHashSize,
+    (IN CONST EFI_HASH2_PROTOCOL  *This,
+     IN CONST EFI_GUID            *HashAlgorithm,
+     OUT UINTN                    *HashSize)
+    );
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    Hash,
+    (IN CONST EFI_HASH2_PROTOCOL  *This,
+     IN CONST EFI_GUID            *HashAlgorithm,
+     IN CONST UINT8               *Message,
+     IN UINTN                     MessageSize,
+     IN OUT EFI_HASH2_OUTPUT      *Hash)
+    );
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    HashInit,
+    (IN CONST EFI_HASH2_PROTOCOL  *This,
+     IN CONST EFI_GUID            *HashAlgorithm)
+    );
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    HashUpdate,
+    (IN CONST EFI_HASH2_PROTOCOL  *This,
+     IN CONST UINT8               *Message,
+     IN UINTN                     MessageSize)
+    );
+
+  MOCK_FUNCTION_DECLARATION (
+    EFI_STATUS,
+    HashFinal,
+    (IN CONST EFI_HASH2_PROTOCOL  *This,
+     IN OUT EFI_HASH2_OUTPUT      *Hash)
+    );
+};
+
+extern "C" {
+  extern EFI_HASH2_PROTOCOL  *gHash2Protocol;
+}
+
+#endif // MOCK_HASH2_H_
diff --git a/MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockHash2.cpp b/MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockHash2.cpp
new file mode 100644
index 0000000000..5cf94c43b4
--- /dev/null
+++ b/MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockHash2.cpp
@@ -0,0 +1,27 @@
+/** @file MockHash2.cpp
+  Google Test mock for Hash2 Protocol
+
+  Copyright (c) Microsoft Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <GoogleTest/Protocol/MockHash2.h>
+
+MOCK_INTERFACE_DEFINITION (MockHash2);
+MOCK_FUNCTION_DEFINITION (MockHash2, GetHashSize, 3, EFIAPI);
+MOCK_FUNCTION_DEFINITION (MockHash2, Hash, 5, EFIAPI);
+MOCK_FUNCTION_DEFINITION (MockHash2, HashInit, 2, EFIAPI);
+MOCK_FUNCTION_DEFINITION (MockHash2, HashUpdate, 3, EFIAPI);
+MOCK_FUNCTION_DEFINITION (MockHash2, HashFinal, 2, EFIAPI);
+
+EFI_HASH2_PROTOCOL  HASH2_PROTOCOL_INSTANCE = {
+  GetHashSize, // EFI_HASH2_GET_HASH_SIZE
+  Hash,        // EFI_HASH2_HASH
+  HashInit,    // EFI_HASH2_HASH_INIT
+  HashUpdate,  // EFI_HASH2_HASH_UPDATE
+  HashFinal    // EFI_HASH2_HASH_FINAL
+};
+
+extern "C" {
+  EFI_HASH2_PROTOCOL  *gHash2Protocol = &HASH2_PROTOCOL_INSTANCE;
+}
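Review bot: same linkage and naming points as MockRng.cpp: HASH2_PROTOCOL_INSTANCE should be `static` and lower-case in edk2 style, and the mock functions occupy the global C names Hash, HashInit, HashUpdate, HashFinal and GetHashSize. A Hash2_ prefix, mirroring the gBS_ prefix in MockUefiBootServicesTableLib, keeps them from colliding with any other mocked protocol that has a Hash or GetHashSize method in the same test binary.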
-- 
2.34.1



* [edk2-devel] [PATCH v3 13/20] NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
                   ` (11 preceding siblings ...)
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 12/20] MdePkg: Add MockHash2 Protocol for testing Doug Flick via groups.io
@ 2024-05-24  5:44 ` Doug Flick via groups.io
  2024-05-24  5:44 ` [edk2-devel] [PATCH v3 14/20] ArmPkg: Allow SMC/HVC monitor conduit to be specified at runtime Doug Flick via groups.io
                   ` (6 subsequent siblings)
  19 siblings, 0 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Saloni Kasbekar, Zachary Clark-williams

From: Doug Flick <dougflick@microsoft.com>

This patch updates the PxeBcDhcp6GoogleTest due to the changes in the
underlying code. The changes are as follows:
 - Random now comes from the RngLib Protocol
 - The TCP ISN is now generated by the hash function

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 NetworkPkg/Test/NetworkPkgHostTest.dsc                        |   1 +
 NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf |   3 +-
 NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp   | 102 +++++++++++++++++++-
 3 files changed, 100 insertions(+), 6 deletions(-)

diff --git a/NetworkPkg/Test/NetworkPkgHostTest.dsc b/NetworkPkg/Test/NetworkPkgHostTest.dsc
index fa301a7a52..1772afb058 100644
--- a/NetworkPkg/Test/NetworkPkgHostTest.dsc
+++ b/NetworkPkg/Test/NetworkPkgHostTest.dsc
@@ -30,6 +30,7 @@
   NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf {
     <LibraryClasses>
       UefiRuntimeServicesTableLib|MdePkg/Test/Mock/Library/GoogleTest/MockUefiRuntimeServicesTableLib/MockUefiRuntimeServicesTableLib.inf
+      UefiBootServicesTableLib|MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf
   }
 
 # Despite these library classes being listed in [LibraryClasses] below, they are not needed for the host-based unit tests.
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
index 301dcdf611..8b092d9291 100644
--- a/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
@@ -14,7 +14,7 @@ VERSION_STRING = 1.0
 #
 # The following information is for reference only and not required by the build tools.
 #
-#  VALID_ARCHITECTURES           = IA32 X64
+#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
 #
 
 [Sources]
@@ -23,6 +23,7 @@ VERSION_STRING = 1.0
   PxeBcDhcp6GoogleTest.h
   ../PxeBcDhcp6.c
   ../PxeBcSupport.c
+  ../../../MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp
 
 [Packages]
   MdePkg/MdePkg.dec
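Review bot: the `../../../MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp` source entry reaches outside NetworkPkg by relative path, which ties the test to one workspace layout and breaks as soon as MdePkg is resolved through a different PACKAGES_PATH entry. Give the mock protocol its own INF under MdePkg and pull it in through the DSC, as this series already does for MockUefiBootServicesTableLib.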
diff --git a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
index bd423ebadf..61736ff79e 100644
--- a/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
+++ b/NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp
@@ -7,6 +7,8 @@
 #include <Library/GoogleTestLib.h>
 #include <GoogleTest/Library/MockUefiLib.h>
 #include <GoogleTest/Library/MockUefiRuntimeServicesTableLib.h>
+#include <GoogleTest/Library/MockUefiBootServicesTableLib.h>
+#include <GoogleTest/Protocol/MockRng.h>
 
 extern "C" {
   #include <Uefi.h>
@@ -165,7 +167,7 @@ protected:
 // Note:
 // Testing PxeBcHandleDhcp6Offer() is difficult because it depends on a
 // properly setup Private structure. Attempting to properly test this function
-// without a signficant refactor is a fools errand. Instead, we will test
+// without a significant refactor is a fools errand. Instead, we will test
 // that we can prevent an overflow in the function.
 TEST_F (PxeBcHandleDhcp6OfferTest, BasicUsageTest) {
   PXEBC_DHCP6_PACKET_CACHE  *Cache6 = NULL;
@@ -238,6 +240,7 @@ TEST_F (PxeBcCacheDnsServerAddressesTest, BasicUsageTest) {
     FreePool (Option);
   }
 }
+
 // Test Description
 // Test that we can prevent an overflow in the function
 TEST_F (PxeBcCacheDnsServerAddressesTest, AttemptOverflowTest) {
@@ -470,10 +473,15 @@ TEST_F (PxeBcRequestBootServiceTest, AttemptRequestOverFlowExpectFailure) {
 class PxeBcDhcp6DiscoverTest : public ::testing::Test {
 public:
   PXEBC_PRIVATE_DATA Private = { 0 };
+  // create a mock md5 hash
+  UINT8 Md5Hash[16] = { 0 };
+
   EFI_UDP6_PROTOCOL Udp6Read;
 
 protected:
   MockUefiRuntimeServicesTableLib RtServicesMock;
+  MockUefiBootServicesTableLib BsMock;
+  MockRng RngMock;
 
   // Add any setup code if needed
   virtual void
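Review bot: Md5Hash is the buffer the GetRng mock hands back, not an MD5 digest, and the comment "create a mock md5 hash" repeats the confusion; name it for what it is (RngOutput or similar) and size it to the RNGValueLength the code under test requests, so a reader does not have to work out why a hash buffer feeds the random number generator mock.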
@@ -527,8 +535,21 @@ TEST_F (PxeBcDhcp6DiscoverTest, BasicOverflowTest) {
 
   Private.Dhcp6Request->Length = (UINT16)(Cursor - (UINT8 *)Private.Dhcp6Request);
 
-  EXPECT_CALL (RtServicesMock, gRT_GetTime)
-    .WillOnce (::testing::Return (0));
+  EXPECT_CALL (BsMock, gBS_LocateProtocol)
+    .WillOnce (
+       ::testing::DoAll (
+                    ::testing::SetArgPointee<2> (::testing::ByRef (gRngProtocol)),
+                    ::testing::Return (EFI_SUCCESS)
+                    )
+       );
+
+  EXPECT_CALL (RngMock, GetRng)
+    .WillOnce (
+       ::testing::DoAll (
+                    ::testing::SetArgPointee<3> (::testing::ByRef (Md5Hash[0])),
+                    ::testing::Return (EFI_SUCCESS)
+                    )
+       );
 
   ASSERT_EQ (
     PxeBcDhcp6Discover (
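Review bot: `SetArgPointee<3> (::testing::ByRef (Md5Hash[0]))` writes exactly one UINT8 through RNGValue, so only the first byte of the caller's buffer is set and the remaining RNGValueLength - 1 bytes stay whatever the caller had there. Use `::testing::SetArrayArgument<3> (Md5Hash, Md5Hash + sizeof (Md5Hash))` to fill the whole buffer, and assert that sizeof (Md5Hash) is at least the RNGValueLength the code under test passes (argument 2), otherwise the mock silently under-fills it.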
@@ -558,8 +579,21 @@ TEST_F (PxeBcDhcp6DiscoverTest, BasicUsageTest) {
 
   Private.Dhcp6Request->Length = (UINT16)(Cursor - (UINT8 *)Private.Dhcp6Request);
 
-  EXPECT_CALL (RtServicesMock, gRT_GetTime)
-    .WillOnce (::testing::Return (0));
+  EXPECT_CALL (BsMock, gBS_LocateProtocol)
+    .WillOnce (
+       ::testing::DoAll (
+                    ::testing::SetArgPointee<2> (::testing::ByRef (gRngProtocol)),
+                    ::testing::Return (EFI_SUCCESS)
+                    )
+       );
+
+  EXPECT_CALL (RngMock, GetRng)
+    .WillOnce (
+       ::testing::DoAll (
+                    ::testing::SetArgPointee<3> (::testing::ByRef (Md5Hash[0])),
+                    ::testing::Return (EFI_SUCCESS)
+                    )
+       );
 
   ASSERT_EQ (
     PxeBcDhcp6Discover (
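Review bot: this LocateProtocol/GetRng mock setup is now repeated verbatim in BasicOverflowTest, BasicUsageTest and the new MultipleRequestsAttemptOverflow test; hoist the two `EXPECT_CALL` blocks into the fixture's `SetUp()` (the fixture already has the "Add any setup code if needed" hook) so each test body only states what differs between them.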
@@ -572,3 +606,61 @@ TEST_F (PxeBcDhcp6DiscoverTest, BasicUsageTest) {
     EFI_SUCCESS
     );
 }
+
+TEST_F (PxeBcDhcp6DiscoverTest, MultipleRequestsAttemptOverflow) {
+  EFI_IPv6_ADDRESS         DestIp     = { 0 };
+  EFI_DHCP6_PACKET_OPTION  RequestOpt = { 0 }; // the data section doesn't really matter
+
+  RequestOpt.OpCode = HTONS (0x1337);
+  RequestOpt.OpLen  = HTONS (REQUEST_OPTION_LENGTH); // this length would overflow without a check
+  UINT8  RequestOptBuffer[REQUEST_OPTION_LENGTH] = { 0 };
+
+  // make sure we have enough space for 10 of these options
+  ASSERT_TRUE (REQUEST_OPTION_LENGTH * 10 <= PACKET_SIZE);
+
+  UINT8             Index   = 0;
+  EFI_DHCP6_PACKET  *Packet = (EFI_DHCP6_PACKET *)&Private.Dhcp6Request[Index];
+  UINT8             *Cursor = (UINT8 *)(Packet->Dhcp6.Option);
+
+  // let's add 10 of these options - this should overflow
+  for (UINT8 i = 0; i < 10; i++) {
+    CopyMem (Cursor, &RequestOpt, sizeof (RequestOpt));
+    Cursor += sizeof (RequestOpt) - 1;
+    CopyMem (Cursor, RequestOptBuffer, REQUEST_OPTION_LENGTH);
+    Cursor += REQUEST_OPTION_LENGTH;
+  }
+
+  // Update the packet length
+  Packet->Length = (UINT16)(Cursor - (UINT8 *)Packet);
+  Packet->Size   = PACKET_SIZE;
+
+  // Make sure we're larger than the buffer we're trying to write into
+  ASSERT_TRUE (Packet->Length > sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET));
+
+  EXPECT_CALL (BsMock, gBS_LocateProtocol)
+    .WillOnce (
+       ::testing::DoAll (
+                    ::testing::SetArgPointee<2> (::testing::ByRef (gRngProtocol)),
+                    ::testing::Return (EFI_SUCCESS)
+                    )
+       );
+
+  EXPECT_CALL (RngMock, GetRng)
+    .WillOnce (
+       ::testing::DoAll (
+                    ::testing::SetArgPointee<3> (::testing::ByRef (Md5Hash[0])),
+                    ::testing::Return (EFI_SUCCESS)
+                    )
+       );
+
+  ASSERT_EQ (
+    PxeBcDhcp6Discover (
+      &(PxeBcDhcp6DiscoverTest::Private),
+      0,
+      NULL,
+      FALSE,
+      (EFI_IP_ADDRESS *)&DestIp
+      ),
+    EFI_OUT_OF_RESOURCES
+    );
+}
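Review bot: the guard `ASSERT_TRUE (REQUEST_OPTION_LENGTH * 10 <= PACKET_SIZE)` undercounts what the loop actually writes: each iteration advances `Cursor` by `sizeof (RequestOpt) - 1 + REQUEST_OPTION_LENGTH`, and `Cursor` starts at `Packet->Dhcp6.Option`, i.e. after the DHCPv6 header, so the check should be `10 * (sizeof (RequestOpt) - 1 + REQUEST_OPTION_LENGTH)` plus the header bytes; otherwise the test's own setup can overrun the Dhcp6Request buffer before the code under test is ever reached. Minor: `Index` is always 0 and `&Private.Dhcp6Request[Index]` is just `Private.Dhcp6Request`, and the loop variable `i` breaks the CamelCase naming used elsewhere in the file.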
-- 
2.34.1


* [edk2-devel] [PATCH v3 14/20] ArmPkg: Allow SMC/HVC monitor conduit to be specified at runtime
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Leif Lindholm, Ard Biesheuvel, Sami Mujawar

From: Ard Biesheuvel <ardb@kernel.org>

ArmVirtQemu may execute at EL2, in which case monitor calls are
generally made using SMC instructions instead of HVC instructions.

Whether or not this is the case can only be decided at runtime, and so
the associated PCD needs to be settable at runtime, if the platform
definition chooses so. This implies a boolean PCD, given that a feature
PCD is build-time configurable only.

Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>

Committed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 ArmPkg/ArmPkg.dec                            | 10 +++++-----
 ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/ArmPkg/ArmPkg.dec b/ArmPkg/ArmPkg.dec
index 7fe2b9bca4..ac030e295b 100644
--- a/ArmPkg/ArmPkg.dec
+++ b/ArmPkg/ArmPkg.dec
@@ -139,11 +139,6 @@
   # Define if the GICv3 controller should use the GICv2 legacy
   gArmTokenSpaceGuid.PcdArmGicV3WithV2Legacy|FALSE|BOOLEAN|0x00000042
 
-  ## Define the conduit to use for monitor calls.
-  # Default PcdMonitorConduitHvc = FALSE, conduit = SMC
-  # If PcdMonitorConduitHvc = TRUE, conduit = HVC
-  gArmTokenSpaceGuid.PcdMonitorConduitHvc|FALSE|BOOLEAN|0x00000047
-
   # Whether to remap all unused memory NX before installing the CPU arch
   # protocol driver. This is needed on platforms that map all DRAM with RWX
   # attributes initially, and can be disabled otherwise.
@@ -317,6 +312,11 @@
   gArmTokenSpaceGuid.PcdSystemBiosRelease|0xFFFF|UINT16|0x30000058
   gArmTokenSpaceGuid.PcdEmbeddedControllerFirmwareRelease|0xFFFF|UINT16|0x30000059
 
+  ## Define the conduit to use for monitor calls.
+  # Default PcdMonitorConduitHvc = FALSE, conduit = SMC
+  # If PcdMonitorConduitHvc = TRUE, conduit = HVC
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|FALSE|BOOLEAN|0x00000047
+
 [PcdsFixedAtBuild.common, PcdsDynamic.common]
   #
   # ARM Architectural Timer
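Review bot: the hunk context does not show which section the PCD is moved into (only that it lands after PcdEmbeddedControllerFirmwareRelease and just before `[PcdsFixedAtBuild.common, PcdsDynamic.common]`), and the section is the whole point of the change because it decides whether the PCD can be dynamic; please name the target section in the commit message. It is also worth noting there that leaving PcdsFeatureFlag is a change for any out-of-tree platform .dsc that still lists PcdMonitorConduitHvc under the feature-flag section.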
diff --git a/ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c b/ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c
index 741f5c6157..ec5b0b6619 100644
--- a/ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c
+++ b/ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c
@@ -26,7 +26,7 @@ ArmMonitorCall (
   IN OUT ARM_MONITOR_ARGS  *Args
   )
 {
-  if (FeaturePcdGet (PcdMonitorConduitHvc)) {
+  if (PcdGetBool (PcdMonitorConduitHvc)) {
     ArmCallHvc ((ARM_HVC_ARGS *)Args);
   } else {
     ArmCallSmc ((ARM_SMC_ARGS *)Args);
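Review bot: switching `FeaturePcdGet` to `PcdGetBool` is the right call for a PCD that may now be dynamic, but the diffstat lists only ArmPkg.dec and ArmMonitorLib.c; if ArmMonitorLib.inf declares PcdMonitorConduitHvc under `[FeaturePcd]`, that entry must move to `[Pcd]` as well or the library will no longer build. Please confirm the .inf.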
-- 
2.34.1


* [edk2-devel] [PATCH v3 15/20] ArmVirtPkg: Move PcdMonitorConduitHvc
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Leif Lindholm, Ard Biesheuvel, Sami Mujawar

This moves the PcdMonitorConduitHvc from PcdsFeatureFlag.Common to
PcdsFixedAtBuild.Common.

This is a follow-on to the previous commit:
ArmPkg: Allow SMC/HVC monitor conduit to be specified at runtime

ArmVirtQemu may execute at EL2, in which case monitor calls are
generally made using SMC instructions instead of HVC instructions.

Whether or not this is the case can only be decided at runtime, and so
the associated PCD needs to be settable at runtime, if the platform
definition chooses so. This implies a boolean PCD, given that a feature
PCD is build-time configurable only.

Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 ArmVirtPkg/ArmVirtKvmTool.dsc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ArmVirtPkg/ArmVirtKvmTool.dsc b/ArmVirtPkg/ArmVirtKvmTool.dsc
index 20da331966..ae0dd1497f 100644
--- a/ArmVirtPkg/ArmVirtKvmTool.dsc
+++ b/ArmVirtPkg/ArmVirtKvmTool.dsc
@@ -126,8 +126,6 @@
   # Use MMIO for accessing RTC controller registers.
   gPcAtChipsetPkgTokenSpaceGuid.PcdRtcUseMmio|TRUE
 
-  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
-
 [PcdsFixedAtBuild.common]
   gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000000F
 
@@ -167,6 +165,8 @@
   #
   gEmbeddedTokenSpaceGuid.PcdPrePiCpuIoSize|16
 
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 [PcdsPatchableInModule.common]
   #
   # This will be overridden in the code
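Review bot: the PCD is inserted as a bare line; the description from ArmPkg.dec (FALSE = SMC, TRUE = HVC) does not travel with the .dsc entry, so a one-line comment stating why HVC is the right conduit for this platform would help the next reader, in the same way the other .dsc hunks in this series annotate the entry.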
-- 
2.34.1


* [edk2-devel] [PATCH v3 16/20] MdePkg/BaseRngLib AARCH64: Remove overzealous ASSERT()
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Michael D Kinney, Liming Gao, Zhiguang Liu

From: Ard Biesheuvel <ardb@kernel.org>

BaseRngLib on AARCH64 will discover whether or not RNDR instructions are
supported, by inspecting the ISAR0 identification register, and setting
a global boolean accordingly. This boolean is used in subsequent
execution to decide whether or not to issue the instruction.

The same discovery code also ASSERT()s that RNDR instructions are
implemented, which is unnecessary, and breaks execution on systems that
incorporate the library but don't implement the instruction (or fail to
expose it to the exception level that the firmware executes at).

So drop the ASSERT().

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>

Committed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 MdePkg/Library/BaseRngLib/AArch64/Rndr.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/MdePkg/Library/BaseRngLib/AArch64/Rndr.c b/MdePkg/Library/BaseRngLib/AArch64/Rndr.c
index d39db62153..3a556a2e3f 100644
--- a/MdePkg/Library/BaseRngLib/AArch64/Rndr.c
+++ b/MdePkg/Library/BaseRngLib/AArch64/Rndr.c
@@ -50,7 +50,6 @@ BaseRngLibConstructor (
   // MSR. A non-zero value indicates that the processor supports the RNDR instruction.
   //
   Isar0 = ArmReadIdIsar0 ();
-  ASSERT ((Isar0 & RNDR_MASK) != 0);
 
   mRndrSupported = ((Isar0 & RNDR_MASK) != 0);
 
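Review bot: with the ASSERT() gone the constructor succeeds on parts without RNDR, so correctness now rests entirely on callers honouring `mRndrSupported`; this hunk does not show the GetRandomNumber16/32/64/128 paths, so the commit message should state explicitly that they return FALSE when `mRndrSupported` is FALSE instead of issuing the instruction. The comment above the hunk ("A non-zero value indicates that the processor supports the RNDR instruction") remains accurate.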
-- 
2.34.1


* [edk2-devel] [PATCH v3 17/20] ArmVirtPkg/ArmVirtQemu: Permit the use of dynamic PCDs in PEI
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Leif Lindholm, Sami Mujawar, Gerd Hoffmann

From: Ard Biesheuvel <ardb@kernel.org>

Currently, only TPM2 builds enable the PCD PEIM, which is a prerequisite
for being able to use dynamic PCDs already at the PEI stage. This
facility will be used for other reasons too, so move those pieces out of
the code blocks that are conditional on TPM2_ENABLE.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>

Committed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 ArmVirtPkg/ArmVirtQemu.dsc | 6 +-----
 ArmVirtPkg/ArmVirtQemu.fdf | 2 +-
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 1d3315ad3e..4498ca58a8 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -318,11 +318,7 @@
   gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|L"Timeout"|gEfiGlobalVariableGuid|0x0|5
 
 [LibraryClasses.common.PEI_CORE, LibraryClasses.common.PEIM]
-!if $(TPM2_ENABLE) == TRUE
   PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf
-!else
-  PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
-!endif
 
 ################################################################################
 #
@@ -339,11 +335,11 @@
   ArmVirtPkg/MemoryInitPei/MemoryInitPeim.inf
   ArmPkg/Drivers/CpuPei/CpuPei.inf
 
-!if $(TPM2_ENABLE) == TRUE
   MdeModulePkg/Universal/PCD/Pei/Pcd.inf {
     <LibraryClasses>
       PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
   }
+!if $(TPM2_ENABLE) == TRUE
   MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf {
     <LibraryClasses>
       ResetSystemLib|ArmVirtPkg/Library/ArmVirtPsciResetSystemPeiLib/ArmVirtPsciResetSystemPeiLib.inf
diff --git a/ArmVirtPkg/ArmVirtQemu.fdf b/ArmVirtPkg/ArmVirtQemu.fdf
index 764f652afd..6073a31970 100644
--- a/ArmVirtPkg/ArmVirtQemu.fdf
+++ b/ArmVirtPkg/ArmVirtQemu.fdf
@@ -111,8 +111,8 @@ READ_LOCK_STATUS   = TRUE
   INF ArmPkg/Drivers/CpuPei/CpuPei.inf
   INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 
-!if $(TPM2_ENABLE) == TRUE
   INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf
+!if $(TPM2_ENABLE) == TRUE
   INF MdeModulePkg/Universal/ResetSystemPei/ResetSystemPei.inf
   INF OvmfPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
   INF SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
-- 
2.34.1


* [edk2-devel] [PATCH v3 18/20] ArmVirtPkg: Use dynamic PCD to set the SMCCC conduit
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Leif Lindholm, Sami Mujawar, Gerd Hoffmann

From: Ard Biesheuvel <ardb@kernel.org>

On ARM systems, whether SMC or HVC instructions need to be used to issue
monitor calls is typically dependent on the exception level, but there
are also cases where EL1 might use SMC instructions, so there is no hard
and fast rule.

For ArmVirtQemu, this does depend strictly on the exception level, so
set the default to HVC (for EL1 execution) and override it to SMC when
booted at EL2.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>

Committed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 ArmVirtPkg/ArmVirtCloudHv.dsc                        |  3 +++
 ArmVirtPkg/ArmVirtQemu.dsc                           |  4 ++++
 ArmVirtPkg/ArmVirtQemuKernel.dsc                     |  2 ++
 ArmVirtPkg/ArmVirtXen.dsc                            |  2 ++
 ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf |  1 +
 ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c   | 14 ++++++++++++++
 6 files changed, 26 insertions(+)

diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc
index 5cb2a609b1..d5055a0341 100644
--- a/ArmVirtPkg/ArmVirtCloudHv.dsc
+++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
@@ -201,6 +201,9 @@
 [PcdsDynamicHii]
   gUefiOvmfPkgTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gOvmfVariableGuid|0x0|FALSE|NV,BS
 
+[PcdsPatchableInModule.common]
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 ################################################################################
 #
 # Components Section - list of all EDK II Modules needed by this Platform
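Review bot: for ArmVirtCloudHv the PCD goes into a new `[PcdsPatchableInModule.common]` section, so a `PcdSetBoolS` from PlatformPeiLib would only patch that module's own copy and never reach ArmMonitorLib linked into other modules; that is only acceptable if this platform never runs at EL2, which the commit message should say outright.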
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 4498ca58a8..80dd4fbb14 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -293,6 +293,10 @@
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
 
+  # whether to use HVC or SMC to issue monitor calls - this typically depends
+  # on the exception level at which the UEFI system firmware executes
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
   #
   # TPM2 support
   #
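Review bot: the hunk header does not identify the section these three lines land in (the only context is the two PcdIPv*PXESupport entries); because PlatformPeiLib's EL2 override relies on `PcdSetBoolS` being visible to ArmMonitorLib in every module, this entry has to live in a PcdsDynamicDefault section, and the commit message should state that it does.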
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 94f48593c2..2700b97d09 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -203,6 +203,8 @@
   gArmTokenSpaceGuid.PcdFdBaseAddress|0x0
   gArmTokenSpaceGuid.PcdFvBaseAddress|0x0
 
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 [PcdsDynamicDefault.common]
   gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|3
 
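Review bot: here the PCD is inserted just before `[PcdsDynamicDefault.common]`, i.e. in the preceding section rather than the dynamic one; if ArmVirtQemuKernel can also be started at EL2 the PEI-time override will not reach other modules, so either move the entry under `[PcdsDynamicDefault.common]` or say in the commit message that EL1 is assumed for this platform.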
diff --git a/ArmVirtPkg/ArmVirtXen.dsc b/ArmVirtPkg/ArmVirtXen.dsc
index 5809832e66..ceb37f8a2d 100644
--- a/ArmVirtPkg/ArmVirtXen.dsc
+++ b/ArmVirtPkg/ArmVirtXen.dsc
@@ -120,6 +120,8 @@
   gArmTokenSpaceGuid.PcdFdBaseAddress|0x0
   gArmTokenSpaceGuid.PcdFvBaseAddress|0x0
 
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 [PcdsDynamicDefault.common]
 
   gArmTokenSpaceGuid.PcdArmArchTimerSecIntrNum|0x0
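Review bot: as with ArmVirtQemuKernel, the ArmVirtXen entry lands in the section that precedes `[PcdsDynamicDefault.common]`, so it is not dynamic; if that is intentional because Xen guests never run this firmware at EL2, please state it in the commit message so the difference from ArmVirtQemu.dsc is documented.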
diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
index e9a34b6e2e..a38b89c103 100644
--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
+++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
@@ -45,6 +45,7 @@
 
 [Pcd]
   gArmTokenSpaceGuid.PcdFvBaseAddress
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress             ## SOMETIMES_PRODUCES
   gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
 
diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
index 7ab4aa2d6b..b8e9208301 100644
--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
+++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
@@ -18,6 +18,8 @@
 #include <Library/FdtSerialPortAddressLib.h>
 #include <libfdt.h>
 
+#include <Chipset/AArch64.h>
+
 #include <Guid/EarlyPL011BaseAddress.h>
 #include <Guid/FdtHob.h>
 
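Review bot: `#include <Chipset/AArch64.h>` is added unconditionally while the code that needs it is wrapped in `#ifdef MDE_CPU_AARCH64`, and the ArmVirt platforms also have a 32-bit ARM configuration (ArmVirt.dsc.inc carries a `[LibraryClasses.ARM]` section); either guard the include the same way or confirm that the header is harmless in an ARM build.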
@@ -224,5 +226,17 @@ PlatformPeim (
 
   BuildFvHob (PcdGet64 (PcdFvBaseAddress), PcdGet32 (PcdFvSize));
 
+ #ifdef MDE_CPU_AARCH64
+  //
+  // Set the SMCCC conduit to SMC if executing at EL2, which is typically the
+  // exception level that services HVCs rather than the one that invokes them.
+  //
+  if (ArmReadCurrentEL () == AARCH64_EL2) {
+    Status = PcdSetBoolS (PcdMonitorConduitHvc, FALSE);
+    ASSERT_EFI_ERROR (Status);
+  }
+
+ #endif
+
   return EFI_SUCCESS;
 }
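Review bot: `ASSERT_EFI_ERROR (Status)` is compiled out in RELEASE builds, so a failing `PcdSetBoolS` on an EL2 boot would silently leave the conduit at HVC and every later monitor call would use the wrong instruction; consider propagating `Status` (or at least a DEBUG print on the error path) instead of relying on the assert alone. `Status` is also not declared within this hunk; confirm PlatformPeim already has it in scope. Minor: the blank line before `#endif` can go.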
-- 
2.34.1


* [edk2-devel] [PATCH v3 19/20] ArmVirtPkg: Reverse inclusion order of MdeLibs.inc and ArmVirt.dsc.inc
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Leif Lindholm, Sami Mujawar, Gerd Hoffmann

From: Ard Biesheuvel <ardb@kernel.org>

MdeLibs.inc sets default library class resolutions which are much more
general than the ones that might be specified in ArmVirt.dsc.inc. So the
latter should be included *after* MdeLibs.inc to ensure that its
definitions take precedence.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>

Committed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 ArmVirtPkg/ArmVirtQemu.dsc       | 4 ++--
 ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ++--
 ArmVirtPkg/ArmVirtXen.dsc        | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 80dd4fbb14..e40ade230c 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -49,10 +49,10 @@
 
 !include NetworkPkg/NetworkDefines.dsc.inc
 
-!include ArmVirtPkg/ArmVirt.dsc.inc
-
 !include MdePkg/MdeLibs.dsc.inc
 
+!include ArmVirtPkg/ArmVirt.dsc.inc
+
 [LibraryClasses.common]
   ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
   ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuBaseLib.inf
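Review bot: the diffstat touches only ArmVirtQemu, ArmVirtQemuKernel and ArmVirtXen, yet ArmVirtCloudHv.dsc and ArmVirtKvmTool.dsc are edited elsewhere in this series; check that those two include MdeLibs.dsc.inc before ArmVirt.dsc.inc as well, or explain in the commit message why they are exempt, so the precedence rule stated here holds across all ArmVirt platforms.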
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 2700b97d09..6f1b81427e 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -46,10 +46,10 @@
 
 !include NetworkPkg/NetworkDefines.dsc.inc
 
-!include ArmVirtPkg/ArmVirt.dsc.inc
-
 !include MdePkg/MdeLibs.dsc.inc
 
+!include ArmVirtPkg/ArmVirt.dsc.inc
+
 [LibraryClasses.common]
   ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
   ArmMmuLib|ArmPkg/Library/ArmMmuLib/ArmMmuBaseLib.inf
diff --git a/ArmVirtPkg/ArmVirtXen.dsc b/ArmVirtPkg/ArmVirtXen.dsc
index ceb37f8a2d..1505709a29 100644
--- a/ArmVirtPkg/ArmVirtXen.dsc
+++ b/ArmVirtPkg/ArmVirtXen.dsc
@@ -23,10 +23,10 @@
   SKUID_IDENTIFIER               = DEFAULT
   FLASH_DEFINITION               = ArmVirtPkg/ArmVirtXen.fdf
 
-!include ArmVirtPkg/ArmVirt.dsc.inc
-
 !include MdePkg/MdeLibs.dsc.inc
 
+!include ArmVirtPkg/ArmVirt.dsc.inc
+
 [LibraryClasses]
   SerialPortLib|OvmfPkg/Library/XenConsoleSerialPortLib/XenConsoleSerialPortLib.inf
 !if $(TARGET) != RELEASE
-- 
2.34.1


* [edk2-devel] [PATCH v3 20/20] ArmVirtPkg/ArmVirtQemu: Add RngDxe driver
From: Doug Flick via groups.io @ 2024-05-24  5:44 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Leif Lindholm, Sami Mujawar, Gerd Hoffmann

From: Ard Biesheuvel <ardb@kernel.org>

Add the RngDxe driver to the build, backed by either RNDR or TRNG, one
of which is expected to be available in most cases:
- RNDR is implemented by the 'max' CPU that QEMU implements in TCG mode
- TRNG is implemented by the KVM hypervisor, which backs QEMU's 'host'
  CPU

Other TCG modes (e.g., the 'cortex-a*' CPUs) implement neither, which
should prevent the RngDxe driver from dispatching entirely, resulting
in the same situation as before.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>

Committed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 ArmVirtPkg/ArmVirt.dsc.inc           | 5 ++++-
 ArmVirtPkg/ArmVirtQemu.dsc           | 1 +
 ArmVirtPkg/ArmVirtQemuKernel.dsc     | 1 +
 ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 +
 4 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 2bc6a29eb1..7044790a1e 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -156,7 +156,9 @@
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
 !endif
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-  RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+  RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+  ArmTrngLib|ArmPkg/Library/ArmTrngLib/ArmTrngLib.inf
+  ArmMonitorLib|ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf
 
   #
   # Secure Boot dependencies
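Review bot: replacing the timer-based BaseRngLibTimerLib with MdePkg BaseRngLib plus ArmTrngLib and ArmMonitorLib in `[LibraryClasses.common]` makes PcdMonitorConduitHvc a hard requirement of every platform that includes ArmVirt.dsc.inc; that is what the earlier ArmPkg/ArmVirtPkg patches in this series prepare for, and the commit message should say so explicitly so the ordering dependency between those patches and this one is recorded.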
@@ -266,6 +268,7 @@
 
 [LibraryClasses.ARM]
   ArmSoftFloatLib|ArmPkg/Library/ArmSoftFloatLib/ArmSoftFloatLib.inf
+  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
 
 [BuildOptions]
   GCC:RELEASE_*_*_CC_FLAGS  = -DMDEPKG_NDEBUG
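Review bot: the `[LibraryClasses.ARM]` override keeps BaseRngLibTimerLib, the timer-based generator the common section just dropped, for 32-bit ARM builds; since RngDxe is being added to the same platforms, confirm it does not end up publishing EFI_RNG_PROTOCOL backed by that timer source on ARM, or state in the commit message that 32-bit ARM keeps its previous behaviour and why that is acceptable.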
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index e40ade230c..64aa4e96e5 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -432,6 +432,7 @@
       BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
   }
   MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
 
   #
   # Status Code Routing
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 6f1b81427e..2cf96accbd 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -341,6 +341,7 @@
       BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
   }
   MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
 
   #
   # Status Code Routing
diff --git a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
index 80d420023e..38906004d7 100644
--- a/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
+++ b/ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc
@@ -75,6 +75,7 @@ READ_LOCK_STATUS   = TRUE
   INF ArmPkg/Drivers/TimerDxe/TimerDxe.inf
   INF OvmfPkg/VirtNorFlashDxe/VirtNorFlashDxe.inf
   INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
+  INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
 
   #
   # FAT filesystem + GPT/MBR partitioning + UDF filesystem + virtio-fs
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 22+ messages in thread

* [edk2-devel] [PATCH v3 18/20] ArmVirtPkg: Use dynamic PCD to set the SMCCC conduit
  2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
@ 2024-05-24  5:45 ` Doug Flick via groups.io
  0 siblings, 0 replies; 22+ messages in thread
From: Doug Flick via groups.io @ 2024-05-24  5:45 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, Leif Lindholm, Sami Mujawar, Gerd Hoffmann

From: Ard Biesheuvel <ardb@kernel.org>

On ARM systems, whether SMC or HVC instructions need to be used to issue
monitor calls is typically dependent on the exception level, but there
are also cases where EL1 might use SMC instructions, so there is no hard
and fast rule.

For ArmVirtQemu, this does depend strictly on the exception level, so
set the default to HVC (for EL1 execution) and override it to SMC when
booted at EL2.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>

Committed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 ArmVirtPkg/ArmVirtCloudHv.dsc                        |  3 +++
 ArmVirtPkg/ArmVirtQemu.dsc                           |  4 ++++
 ArmVirtPkg/ArmVirtQemuKernel.dsc                     |  2 ++
 ArmVirtPkg/ArmVirtXen.dsc                            |  2 ++
 ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf |  1 +
 ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c   | 14 ++++++++++++++
 6 files changed, 26 insertions(+)

diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc
index 5cb2a609b1..d5055a0341 100644
--- a/ArmVirtPkg/ArmVirtCloudHv.dsc
+++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
@@ -201,6 +201,9 @@
 [PcdsDynamicHii]
   gUefiOvmfPkgTokenSpaceGuid.PcdForceNoAcpi|L"ForceNoAcpi"|gOvmfVariableGuid|0x0|FALSE|NV,BS
 
+[PcdsPatchableInModule.common]
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 ################################################################################
 #
 # Components Section - list of all EDK II Modules needed by this Platform
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 4498ca58a8..80dd4fbb14 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -293,6 +293,10 @@
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv4PXESupport|0x01
   gEfiNetworkPkgTokenSpaceGuid.PcdIPv6PXESupport|0x01
 
+  # whether to use HVC or SMC to issue monitor calls - this typically depends
+  # on the exception level at which the UEFI system firmware executes
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
   #
   # TPM2 support
   #
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 94f48593c2..2700b97d09 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -203,6 +203,8 @@
   gArmTokenSpaceGuid.PcdFdBaseAddress|0x0
   gArmTokenSpaceGuid.PcdFvBaseAddress|0x0
 
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 [PcdsDynamicDefault.common]
   gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|3
 
diff --git a/ArmVirtPkg/ArmVirtXen.dsc b/ArmVirtPkg/ArmVirtXen.dsc
index 5809832e66..ceb37f8a2d 100644
--- a/ArmVirtPkg/ArmVirtXen.dsc
+++ b/ArmVirtPkg/ArmVirtXen.dsc
@@ -120,6 +120,8 @@
   gArmTokenSpaceGuid.PcdFdBaseAddress|0x0
   gArmTokenSpaceGuid.PcdFvBaseAddress|0x0
 
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE
+
 [PcdsDynamicDefault.common]
 
   gArmTokenSpaceGuid.PcdArmArchTimerSecIntrNum|0x0
diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
index e9a34b6e2e..a38b89c103 100644
--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
+++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf
@@ -45,6 +45,7 @@
 
 [Pcd]
   gArmTokenSpaceGuid.PcdFvBaseAddress
+  gArmTokenSpaceGuid.PcdMonitorConduitHvc
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress             ## SOMETIMES_PRODUCES
   gUefiOvmfPkgTokenSpaceGuid.PcdDeviceTreeInitialBaseAddress
 
diff --git a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
index 7ab4aa2d6b..b8e9208301 100644
--- a/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
+++ b/ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c
@@ -18,6 +18,8 @@
 #include <Library/FdtSerialPortAddressLib.h>
 #include <libfdt.h>
 
+#include <Chipset/AArch64.h>
+
 #include <Guid/EarlyPL011BaseAddress.h>
 #include <Guid/FdtHob.h>
 
@@ -224,5 +226,17 @@ PlatformPeim (
 
   BuildFvHob (PcdGet64 (PcdFvBaseAddress), PcdGet32 (PcdFvSize));
 
+ #ifdef MDE_CPU_AARCH64
+  //
+  // Set the SMCCC conduit to SMC if executing at EL2, which is typically the
+  // exception level that services HVCs rather than the one that invokes them.
+  //
+  if (ArmReadCurrentEL () == AARCH64_EL2) {
+    Status = PcdSetBoolS (PcdMonitorConduitHvc, FALSE);
+    ASSERT_EFI_ERROR (Status);
+  }
+
+ #endif
+
   return EFI_SUCCESS;
 }
-- 
2.34.1

Thread overview: 22+ messages
2024-05-24  5:44 [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237 Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 01/20] EmulatorPkg: : Add RngDxe to EmulatorPkg Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 02/20] EmulatorPkg: : Add Hash2DxeCrypto " Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 03/20] OvmfPkg:PlatformCI: Support virtio-rng-pci Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 04/20] OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 05/20] ArmVirtPkg:PlatformCI: Support virtio-rng-pci Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 06/20] ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 07/20] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 08/20] NetworkPkg:: SECURITY PATCH CVE-2023-45237 Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 09/20] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 10/20] MdePkg: : Add MockUefiBootServicesTableLib Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 11/20] MdePkg: : Adds Protocol for MockRng Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 12/20] MdePkg: Add MockHash2 Protocol for testing Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 13/20] NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 14/20] ArmPkg: Allow SMC/HVC monitor conduit to be specified at runtime Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 15/20] ArmVirtPkg: Move PcdMonitorConduitHvc Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 16/20] MdePkg/BaseRngLib AARCH64: Remove overzealous ASSERT() Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 17/20] ArmVirtPkg/ArmVirtQemu: Permit the use of dynamic PCDs in PEI Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 18/20] ArmVirtPkg: Use dynamic PCD to set the SMCCC conduit Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 19/20] ArmVirtPkg: Reverse inclusion order of MdeLibs.inc and ArmVirt.dsc.inc Doug Flick via groups.io
2024-05-24  5:44 ` [edk2-devel] [PATCH v3 20/20] ArmVirtPkg/ArmVirtQemu: Add RngDxe driver Doug Flick via groups.io
2024-05-24  5:45 ` [edk2-devel] [PATCH v3 18/20] ArmVirtPkg: Use dynamic PCD to set the SMCCC conduit Doug Flick via groups.io