public inbox for devel@edk2.groups.io
From: "levi.yun" <yeoreum.yun@arm.com>
To: devel@edk2.groups.io
Cc: yeoreum.yun@arm.com, sami.mujawar@arm.com,
	pierre.gondois@arm.com, thomas.abraham@arm.com, nd@arm.com
Subject: [edk2-devel] [PATCH edk2-platform v1 1/2] ARM/VExpressPkg: Use BaseRngLib for NetworkPkg as default
Date: Mon, 22 Jul 2024 16:10:24 +0100
Message-ID: <20240722151025.936649-2-yeoreum.yun@arm.com>
In-Reply-To: <20240722151025.936649-1-yeoreum.yun@arm.com>

From: "levi.yun" <yeoreum.yun@arm.com>

edk2 commit 4c4ceb2ceb80 ("NetworkPkg: SECURITY PATCH CVE-2023-45237")
solved CVE-2023-45237, about usage of a weak pseudo-random number generator,
and this modification adds a dependency of DxeNetLib on the RngDxe driver.

Because of this new dependency, Juno failed to load network-related packages
(i.e. VlanConfigDxe, MnpDxe, ArpDxe, Dhcp4Dxe, Ip4Dxe, etc.) like:

  ...
  Driver E4F61863-FE2C-4B56-A8F4-08519BC439DF was discovered but not loaded!!
  Driver 025BBFC7-E6A9-4B8B-82AD-6815A1AEAF4A was discovered but not loaded!!
  Driver 529D3F93-E8E9-4E73-B1E1-BDF6A9D50113 was discovered but not loaded!!
  ...

Unfortunately, for proper usage of RngDxe, the platform should support:
    - RngLib with Rndr.
    - Trng.

After Arm v8.5, FEAT_RNG is supported; therefore we change the default
RngLib from RngTimerLib to ArmRngLib.

A platform which doesn't support either of them should specify, when
building,

   -D ENABLE_UNSAFE_RNGLIB = TRUE

to use NetworkPkg with the unsafe RngLib.

In case of using NetworkPkg with the unsafe RngLib, this patch changes the
default RngTimerLib from the one in MdePkg to the one in MdeModulePkg.

Also, a platform which supports TRNG should specify
  gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms as TRUE
to use NetworkPkg with TRNG although it doesn't support a safe RngLib.

Signed-off-by: Levi Yun <yeoreum.yun@arm.com>
---
 Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc            | 35 ++++++++++++++++++--
 Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc |  7 +++-
 2 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc b/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
index f7f7b39bbf58f13279c597f38f7411843520f74d..ae109bd52deb7b1b35d95c3a30794ea6e01418cf 100644
--- a/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
+++ b/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
@@ -13,6 +13,21 @@ [Defines]
   INCLUDE_TFTP_COMMAND  = TRUE
 !endif
 
+  #
+  # FEAT_RNG provides architectural support for generating random numbers and
+  # is present from Arm v8.5 onwards.
+  # If FEAT_RNG is not supported, a platform may use a hardware TRNG source,
+  # in which case it may implement the ARM FW TRNG interface (e.g. Juno).
+  # The Arm FW TRNG interface may require to be enabled in the EL3 firmware
+  # e.g. in TF-A.
+  #
+  # If none of the above are present, then the option ENABLE_UNSAFE_RNGLIB
+  # can be set to TRUE for non production use.
+  #
+  # Note: FEAT_RNG can be enabled in the FVP by setting cluster{x}.has_rndr=1.
+  #
+  ENABLE_UNSAFE_RNGLIB                  = FALSE
+
   #
   # Network definition
   #
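Review bot: the new ENABLE_UNSAFE_RNGLIB define in this hunk is assigned unconditionally, unlike INCLUDE_TFTP_COMMAND just above it, which sits inside a conditional (the `!endif` at the top of the hunk closes it). Since ArmVExpress.dsc.inc is included by the platform .dsc files, a platform that sets ENABLE_UNSAFE_RNGLIB = TRUE before the !include would have it reset to FALSE here; consider wrapping it the same way: `!ifndef ENABLE_UNSAFE_RNGLIB` / `ENABLE_UNSAFE_RNGLIB = FALSE` / `!endif`. The comment text is otherwise clear that this is a non-production option.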
@@ -157,7 +172,11 @@ [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
-  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+!if $(ENABLE_UNSAFE_RNGLIB) == TRUE
+  RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+!else
+  RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+!endif
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
   VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf
   VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
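Review bot: the `!else` branch selects MdePkg/Library/BaseRngLib/BaseRngLib.inf, which matches the subject line, but the commit message says the default RngLib becomes ArmRngLib; please align the commit message with the library actually chosen. Also, the comment added in the [Defines] hunk says Juno lacks FEAT_RNG and relies on the FW TRNG interface, yet with ENABLE_UNSAFE_RNGLIB left at FALSE such a platform resolves RngLib to the FEAT_RNG/RNDR-based BaseRngLib; it would help to state in the commit message how the TRNG path is reached there (e.g. whether RngDxe uses the TRNG independently of RngLib).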
@@ -270,7 +289,6 @@ [LibraryClasses.AARCH64]
   # Add support for GCC stack protector
   NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf
 
-
 [BuildOptions]
   GCC:RELEASE_*_*_CC_FLAGS  = -DMDEPKG_NDEBUG
 
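Review bot: this hunk only removes an unrelated blank line before [BuildOptions]; harmless, but it is not mentioned in the commit message and belongs either in a separate whitespace-cleanup patch or in a sentence of the message.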
@@ -430,6 +448,14 @@ [PcdsFixedAtBuild.common]
   #
   gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE
 
+  #
+  # If platform supports FEAT_RND or Trng, please override it with TRUE
+  #
+
+!if $(ENABLE_UNSAFE_RNGLIB) == TRUE
+  gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|FALSE
+!endif
+
 [PcdsDynamicHii.common.DEFAULT]
   gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|L"Timeout"|gEfiGlobalVariableGuid|0x0|10
 
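Review bot: the comment in this hunk reads "FEAT_RND" where the rest of the patch says FEAT_RNG, and it says "please override it with TRUE" although the block below it only ever sets PcdEnforceSecureRngAlgorithms to FALSE (when ENABLE_UNSAFE_RNGLIB is TRUE) and otherwise leaves the PCD at the NetworkPkg default. Suggest rewording it to describe that behaviour, e.g. `# Allow unsafe RNG algorithms only when ENABLE_UNSAFE_RNGLIB is TRUE`, and dropping the stray blank line between the comment and the `!if`. Disabling this enforcement is what reopens the weak-PRNG issue from CVE-2023-45237 named in the commit message, so the non-production warning from the [Defines] comment is worth repeating here.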
@@ -451,6 +477,11 @@ [Components.common]
   Platform/ARM/VExpressPkg/Drivers/Lan91xDxe/Lan91xDxe.inf
 !endif
 
+  #
+  # NetLibDxe requires RngDxe driver.
+  #
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+
   #
   # Android Fastboot
   #
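Review bot: the comment says "NetLibDxe requires RngDxe driver" but the commit message calls the library DxeNetLib; use one name. RngDxe.inf is added to [Components.common] unconditionally, outside the Lan91xDxe `!if` block above it, so it is always built even for a platform that does not include networking; if that is intended, say so in the commit message.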
diff --git a/Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc b/Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc
index 1ee2eeab014581d4c94f5291cd275e3710324629..c7d6f45fe6d5ee4db3d29d184174cbd89240e647 100644
--- a/Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc
+++ b/Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc
@@ -1,6 +1,6 @@
 #
 #  Copyright (c) 2012-2014, ARM Limited. All rights reserved.
-#  
+#
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 
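Review bot: trailing-whitespace fix in the copyright header, unrelated to the RNG change and not mentioned in the commit message; fine to keep if the message notes it.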
@@ -9,6 +9,11 @@
   #
 !include NetworkPkg/Network.fdf.inc
 
+  #
+  # NetLibDxe requires RngDxe driver.
+  #
+  INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+
 !if $(INCLUDE_TFTP_COMMAND) == TRUE
   #
   # TFTP Shell command
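Review bot: same "NetLibDxe" vs DxeNetLib naming point as in the .dsc.inc Components hunk. Since this networking .fdf.inc is the only place RngDxe.inf is put into the flash image while the DSC adds it to [Components.common] unconditionally, a platform that omits ArmVExpress-networking.fdf.inc builds RngDxe but does not ship it; confirm that split is intended.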
--