From: "levi.yun"
To: devel@edk2.groups.io
Cc: yeoreum.yun@arm.com, sami.mujawar@arm.com, pierre.gondois@arm.com, thomas.abraham@arm.com, nd@arm.com
Subject: [edk2-devel] [PATCH edk2-platform v1 1/2] ARM/VExpressPkg: Use BaseRngLib for NetworkPkg as default
Date: Mon, 22 Jul 2024 16:10:24 +0100
Message-Id: <20240722151025.936649-2-yeoreum.yun@arm.com>
In-Reply-To: <20240722151025.936649-1-yeoreum.yun@arm.com>
References: <20240722151025.936649-1-yeoreum.yun@arm.com>
edk2's commit 4c4ceb2ceb80 ("NetworkPkg: SECURITY PATCH CVE-2023-45237") solved CVE-2023-45237 about usage of a weak pseudo-random number generator, and this modification adds a dependency for DxeNetLib on the RngDxe driver.

Because of the new dependency, Juno failed to load network-related packages (i.e. VlanConfigDxe, MnpDxe, ArpDxe, Dhcp4Dxe, Ip4Dxe, etc.) like:

...
Driver E4F61863-FE2C-4B56-A8F4-08519BC439DF was discovered but not loaded !!
Driver 025BBFC7-E6A9-4B8B-82AD-6815A1AEAF4A was discovered but not loaded !!
Driver 529D3F93-E8E9-4E73-B1E1-BDF6A9D50113 was discovered but not loaded !!
...

Unfortunately, for proper usage of RngDxe, the platform should support:
- RngLib with Rndr.
- Trng.

After Arm v8.5, FEAT_RNG is supported; therefore we change the default RngLib from RngTimerLib to ArmRngLib.

Platforms which don't support either of them should specify -D ENABLE_UNSAFE_RNGLIB=TRUE when building, to use NetworkPkg with the unsafe RngLib. In case of using NetworkPkg with the unsafe RngLib, this patch changes the default RngTimerLib in the MdePkg to the one in the MdeModulePkg.

Also, a platform which supports TRNG should specify gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms as TRUE, to use NetworkPkg with TRNG although it doesn't support the safe RngLib.

Signed-off-by: Levi Yun
---
 Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc            | 35 ++++++++++++++++++--
 Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc |  7 +++-
 2 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc b/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
index f7f7b39bbf58f13279c597f38f7411843520f74d..ae109bd52deb7b1b35d95c3a30794ea6e01418cf 100644
--- a/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
+++ b/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
@@ -13,6 +13,21 @@ [Defines] INCLUDE_TFTP_COMMAND =3D TRUE=0D !endif=0D =0D + #=0D + # FEAT_RNG provides architectural support for generating random numbers = and=0D + # is present from Arm v8.5 onwards.=0D + # If FEAT_RNG is not supported, a platform may use a hardware TRNG sourc= e,=0D + # in which case it may implement the ARM FW TRNG interface (e.g. Juno).= =0D + # The Arm FW TRNG interface may require to be enabled in the EL3 firmwar= e=0D + # e.g. in TF-A.=0D + #=0D + # If none of the above are present, then the option ENABLE_UNSAFE_RNGLIB= =0D + # can be set to TRUE for non production use.=0D + #=0D + # Note: FEAT_RNG can be enabled in the FVP by setting cluster{x}.has_rnd= r=3D1.=0D + #=0D + ENABLE_UNSAFE_RNGLIB =3D FALSE=0D +=0D #=0D # Network definition=0D #=0D @@ -157,7 +172,11 @@ [LibraryClasses.common] BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf=0D IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf=0D OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf=0D - RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf=0D +!if $(ENABLE_UNSAFE_RNGLIB) =3D=3D TRUE=0D + RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf=0D +!else=0D + RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf=0D +!endif=0D VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseV= ariableFlashInfoLib.inf=0D VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ib.inf=0D @@ -270,7 +289,6 @@ [LibraryClasses.AARCH64] # Add support for GCC stack protector=0D NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf=0D =0D -=0D [BuildOptions]=0D GCC:RELEASE_*_*_CC_FLAGS =3D -DMDEPKG_NDEBUG=0D =0D 
@@ -430,6 +448,14 @@ [PcdsFixedAtBuild.common] #=0D gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack|TRUE=0D =0D + #=0D + # If platform supports FEAT_RND or Trng, please override it with TRUE=0D + #=0D +=0D +!if $(ENABLE_UNSAFE_RNGLIB) =3D=3D TRUE=0D + gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|FALSE=0D +!endif=0D +=0D [PcdsDynamicHii.common.DEFAULT]=0D gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|L"Timeout"|gEfiGlobalVar= iableGuid|0x0|10=0D =0D @@ -451,6 +477,11 @@ [Components.common] Platform/ARM/VExpressPkg/Drivers/Lan91xDxe/Lan91xDxe.inf=0D !endif=0D =0D + #=0D + # NetLibDxe requires RngDxe driver.=0D + #=0D + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf=0D +=0D #=0D # Android Fastboot=0D #=0D diff --git a/Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc b/Plat= form/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc index 1ee2eeab014581d4c94f5291cd275e3710324629..c7d6f45fe6d5ee4db3d29d18417= 4cbd89240e647 100644 --- a/Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc +++ b/Platform/ARM/VExpressPkg/ArmVExpress-networking.fdf.inc @@ -1,6 +1,6 @@ #=0D # Copyright (c) 2012-2014, ARM Limited. All rights reserved.=0D -# =0D +#=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D =0D @@ -9,6 +9,11 @@ #=0D !include NetworkPkg/Network.fdf.inc=0D =0D + #=0D + # NetLibDxe requires RngDxe driver.=0D + #=0D + INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf=0D +=0D !if $(INCLUDE_TFTP_COMMAND) =3D=3D TRUE=0D #=0D # TFTP Shell command=0D --
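Review bot: in the `@@ -157,7 +172,11 @@ [LibraryClasses.common]` hunk of ArmVExpress.dsc.inc, the `!else` branch maps `RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf`, but the commit message says the default RngLib is changed "from RngTimerLib to ArmRngLib"; the subject line already says BaseRngLib, so the description should name the library this hunk actually selects, otherwise anyone checking the mapping against the message sees a mismatch.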
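Review bot: in the `@@ -430,6 +448,14 @@ [PcdsFixedAtBuild.common]` hunk the comment says "If platform supports FEAT_RND or Trng, please override it with TRUE" (the feature is spelled FEAT_RNG everywhere else in the patch), yet the block it introduces only ever sets `gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|FALSE`, and only when `$(ENABLE_UNSAFE_RNGLIB) == TRUE`; when the flag is FALSE this file sets nothing. The commit message says TRNG platforms should set the PCD to TRUE, so either add an `!else` branch that sets it to `TRUE`, or reword the comment to say the PCD is left untouched here and must be overridden by the platform. The empty `+` line between the comment block and the `!if` also separates the comment from the block it describes; drop it so they read as one unit.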
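Review bot: in the `@@ -451,6 +477,11 @@ [Components.common]` hunk the new comment says "NetLibDxe requires RngDxe driver", while the commit message names the dependent library DxeNetLib; the same wording is repeated in the `@@ -9,6 +9,11 @@` hunk of ArmVExpress-networking.fdf.inc. Use the library's real name in both comments so a later reader grepping for DxeNetLib finds why RngDxe is listed.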
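Review bot: the `@@ -1,6 +1,6 @@` hunk of ArmVExpress-networking.fdf.inc (`-# ` / `+#`) and the `@@ -270,7 +289,6 @@ [LibraryClasses.AARCH64]` hunk of ArmVExpress.dsc.inc (a removed blank line) are whitespace-only changes unrelated to the RngLib/RngDxe change; moving them to a separate cleanup patch keeps this one reviewable as a single security fix.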