[edk2-devel] [PATCH edk2-platform v1 0/2] Fix NetworkPkg load failure on ArmJuno

[edk2-devel] [PATCH edk2-platform v1 0/2] Fix NetworkPkg load failure on ArmJuno

[levi.yun]

edk2's commit:4c4ceb2ceb80 ("NetworkPkg: SECURITY PATCH CVE-2023-45237")
solved CVE-2023-45237 about usage of a weak pseudoRandom number generator
and this modification add dependency for DxeNetLib with RngDxe driver.

Because of new dependency, Juno failed to load Newtork related packages
(i.e VlanConfigDxe, MnpDxe, ArpDxe, Dhcp4Dxe, Ip4Dxe and etc) like

  ...
  Driver E4F61863-FE2C-4B56-A8F4-08519BC439DF was discovered but not loaded!!
  Driver 025BBFC7-E6A9-4B8B-82AD-6815A1AEAF4A was discovered but not loaded!!
  Driver 529D3F93-E8E9-4E73-B1E1-BDF6A9D50113 was discovered but not loaded!!
  ...

This patch fixes NetworkPkg load failure on ArmJuno platform.


levi.yun (2):
  ARM/VExpressPkg: Use BaseRngLib for NetworkPkg as default
  ARM/JunoPkg: Use ArmTrngLib in NetworkPkg

 Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc            | 35 ++++++++++++++++++--
 Platform/ARM/JunoPkg/ArmJuno.dsc                        | 10 ++++++
 Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc |  7 +++-
 3 files changed, 49 insertions(+), 3 deletions(-)

--
Guid("CE165669-3EF3-493F-B85D-6190EE5B9759")



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#120004): https://edk2.groups.io/g/devel/message/120004
Mute This Topic: https://groups.io/mt/107486795/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH edk2-platform v1 1/2] ARM/VExpressPkg: Use BaseRngLib for NetworkPkg as default

[levi.yun]

From: "levi.yun" <yeoreum.yun@arm.com>

edk2's commit:4c4ceb2ceb80 ("NetworkPkg: SECURITY PATCH CVE-2023-45237")
solved CVE-2023-45237 about usage of a weak pseudoRandom number generator
and this modification add dependency for DxeNetLib with RngDxe driver.

Because of new dependency, Juno failed to load Newtork related packages
(i.e VlanConfigDxe, MnpDxe, ArpDxe, Dhcp4Dxe, Ip4Dxe and etc) like

  ...
  Driver E4F61863-FE2C-4B56-A8F4-08519BC439DF was discovered but not loaded!!
  Driver 025BBFC7-E6A9-4B8B-82AD-6815A1AEAF4A was discovered but not loaded!!
  Driver 529D3F93-E8E9-4E73-B1E1-BDF6A9D50113 was discovered but not loaded!!
  ...

Unfortunately for proper usage of RngDxe, Platform should support
    - RngLib with Rndr.
    - Trng.

After Arm v8.5, FEAT_RNG is supported, Therefore we change default
RngLib as ArmRngLib from RngTimerLib.

Some platform which doesn't support both of them, should specify when
build with

   -D ENABLE_UNSAFE_RNGLIB = TRUE
to use NetowrkPkg with unsafe RngLib.

In case of using NetworkPkg with unsafe RngLib,.this patch
changes default RngTimerLib in the MdePkg to the one in the MdeModulePkg.

Also, platform which supports TRNG, should specify
  gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms as TRUE.

To use NetworkPkg with TRNG although it doesn't support safe RngLib.

Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
---
 Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc            | 35 ++++++++++++++++++--
 Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc |  7 +++-
 2 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc b/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
index f7f7b39bbf58f13279c597f38f7411843520f74d..ae109bd52deb7b1b35d95c3a30794ea6e01418cf 100644
--- a/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
+++ b/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
@@ -13,6 +13,21 @@ [Defines]
   INCLUDE_TFTP_COMMAND  = TRUE
 !endif
 
+  #
+  # FEAT_RNG provides architectural support for generating random numbers and
+  # is present from Arm v8.5 onwards.
+  # If FEAT_RNG is not supported, a platform may use a hardware TRNG source,
+  # in which case it may implement the ARM FW TRNG interface (e.g. Juno).
+  # The Arm FW TRNG interface may require to be enabled in the EL3 firmware
+  # e.g. in TF-A.
+  #
+  # If none of the above are present, then the option ENABLE_UNSAFE_RNGLIB
+  # can be set to TRUE for non production use.
+  #
+  # Note: FEAT_RNG can be enabled in the FVP by setting cluster{x}.has_rndr=1.
+  #
+  ENABLE_UNSAFE_RNGLIB                  = FALSE
+
   #
   # Network definition
   #
@@ -157,7 +172,11 @@ [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
-  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+!if $(ENABLE_UNSAFE_RNGLIB) == TRUE
+  RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+!else
+  RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+!endif
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
   VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf
   VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
@@ -270,7 +289,6 @@ [LibraryClasses.AARCH64]
   # Add support for GCC stack protector
   NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf
 
-
 [BuildOptions]
   GCC:RELEASE_*_*_CC_FLAGS  = -DMDEPKG_NDEBUG
 
@@ -430,6 +448,14 @@ [PcdsFixedAtBuild.common]
   #
   gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
 
+  #
+  # If platform supports FEAT_RND or Trng, please override it with TRUE
+  #
+
+!if $(ENABLE_UNSAFE_RNGLIB) == TRUE
+  gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|FALSE
+!endif
+
 [PcdsDynamicHii.common.DEFAULT]
   gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|L"Timeout"|gEfiGlobalVariableGuid|0x0|10
 
@@ -451,6 +477,11 @@ [Components.common]
   Platform/ARM/VExpressPkg/Drivers/Lan91xDxe/Lan91xDxe.inf
 !endif
 
+  #
+  # NetLibDxe requires RngDxe driver.
+  #
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+
   #
   # Android Fastboot
   #
diff --git a/Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc b/Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc
index 1ee2eeab014581d4c94f5291cd275e3710324629..c7d6f45fe6d5ee4db3d29d184174cbd89240e647 100644
--- a/Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc
+++ b/Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc
@@ -1,6 +1,6 @@
 #
 #  Copyright (c) 2012-2014, ARM Limited. All rights reserved.
-#  
+#
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 
@@ -9,6 +9,11 @@
   #
 !include NetworkPkg/Network.fdf.inc
 
+  #
+  # NetLibDxe requires RngDxe driver.
+  #
+  INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+
 !if $(INCLUDE_TFTP_COMMAND) == TRUE
   #
   # TFTP Shell command
--
Guid("CE165669-3EF3-493F-B85D-6190EE5B9759")



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#120005): https://edk2.groups.io/g/devel/message/120005
Mute This Topic: https://groups.io/mt/107486797/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH edk2-platform v1 1/2] ARM/VExpressPkg: Use BaseRngLib for NetworkPkg as default

[Sami Mujawar]

[-- Attachment #1: Type: text/plain, Size: 774 bytes --]

Hi Levi,

Thank you for this patch.

It looks like your git settings may not be right. I was not able to apply your patch cleanly and the updated files had mixed line endings.
You may want to try running edk2\BaseTools\Scripts\SetupGit.py script in edk2 & edk2-platforms folder.

I will fix this locally before merging.

Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>

Regards,

Sami Mujawar


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#120215): https://edk2.groups.io/g/devel/message/120215
Mute This Topic: https://groups.io/mt/107486797/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



[-- Attachment #2: Type: text/html, Size: 1416 bytes --]