Subject: Re: [edk2-devel] [PATCH v2 07/13] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng
From: "Doug Flick via groups.io"
To: "Yao, Jiewen", devel@edk2.groups.io
Date: Fri, 10 May 2024 14:12:28 -0700
Message-ID: <28887.1715375548214810238@groups.io>
List-Id: devel@edk2.groups.io

So, I'm trying to consult with some RNG experts because I'm by no means an expert and anything I say should be taken with a huge grain of salt. When I get the experts' take, I'll share it.

Basically, the way I read this code is that it by no means tries to enforce any entropy requirement outside of what you ask for.

My understanding is the 256-bit entropy requirement comes from when you are using a DRNG algorithm such as:

```
#define EFI_RNG_ALGORITHM_SP800_90_HASH_256_GUID \
  {0xa7af67cb, 0x603b, 0x4d42, \
  {0xba, 0x21, 0x70, 0xbf, 0xb6, 0x29, 0x3f, 0x96}}

#define EFI_RNG_ALGORITHM_SP800_90_HMAC_256_GUID \
  {0xc5149b43, 0xae85, 0x4f53, \
  {0x99, 0x82, 0xb9, 0x43, 0x35, 0xd3, 0xa9, 0xe7}}

#define EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID \
  {0x44f0de6e, 0x4d8c, 0x4045, \
  {0xa8, 0xc7, 0x4d, 0xd1, 0x68, 0x85, 0x6b, 0x9e}}
```

> "When a Deterministic Random Bit Generator (DRBG) is used on the output of a (raw) entropy source, its security level must be at least 256 bits."

https://uefi.org/specs/UEFI/2.10/37_Secure_Technologies.html#random-number-generator-protocol

That is, the seed of these algorithms must be at a minimum 256 bits from your entropy source.

Now when you call, for instance, EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID on an Intel CPU, it uses the Intel RDRAND instruction:

https://github.com/tianocore/edk2/blob/4b6ee06a090d956f80b4a92fb9bf03098a372f39/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c#L108C45-L108C51

From what I can tell, the generator takes pairs of 256-bit raw entropy samples generated by the hardware entropy source and applies them to an Advanced Encryption Standard (AES) (in CBC-MAC mode) conditioner, which reduces them to a single 256-bit conditioned entropy sample.

https://en.wikipedia.org/wiki/RDRAND

https://www.intel.com/content/www/us/en/developer/articles/guide/intel-digital-random-number-generator-drng-software-implementation-guide.html

Which means, if you are implementing these algorithms in software, you must comply with the 256-bit entropy requirement for your source. However, in our case the CPU is performing that requirement for us.

Again, I'm no expert, so if an expert is reading this and I'm completely wrong, please let me know :)

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118827): https://edk2.groups.io/g/devel/message/118827
Mute This Topic: https://groups.io/mt/105996584/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
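As an added illustration, not code from this thread or from edk2, here is how a consumer of the UEFI RNG protocol would negotiate one of the three 256-bit SP800-90 DRBGs whose GUIDs the message quotes: try them in preference order through a GetRNG-style call and accept the first the driver supports. The EFI types and status values are re-declared in simplified form so the file builds stand-alone, and the driver side is a constructed mock that offers only the Hash and HMAC DRBGs and returns a fixed placeholder pattern instead of real random bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Re-declared locally so this builds outside edk2; GUID layout matches UEFI, status simplified. */
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;
typedef EFI_GUID EFI_RNG_ALGORITHM;
typedef size_t UINTN; typedef uint8_t UINT8; typedef int EFI_STATUS;
enum { EFI_SUCCESS = 0, EFI_INVALID_PARAMETER = 2, EFI_UNSUPPORTED = 3 };

/* The three SP800-90 256-bit DRBG algorithm GUIDs quoted in the message above. */
static const EFI_RNG_ALGORITHM gHash256 = {0xa7af67cb,0x603b,0x4d42,{0xba,0x21,0x70,0xbf,0xb6,0x29,0x3f,0x96}};
static const EFI_RNG_ALGORITHM gHmac256 = {0xc5149b43,0xae85,0x4f53,{0x99,0x82,0xb9,0x43,0x35,0xd3,0xa9,0xe7}};
static const EFI_RNG_ALGORITHM gCtr256  = {0x44f0de6e,0x4d8c,0x4045,{0xa8,0xc7,0x4d,0xd1,0x68,0x85,0x6b,0x9e}};

static int GuidEqual(const EFI_GUID *a, const EFI_GUID *b) { return memcmp(a, b, sizeof *a) == 0; }

/* Constructed mock driver offering only Hash and HMAC (no CTR). Like the RngDxe GetRng
 * described above, it checks the requested GUID but never measures entropy; the output
 * is a fixed placeholder pattern, NOT randomness from RDRAND or a DRBG. */
static const EFI_RNG_ALGORITHM *const gOffered[] = { &gHash256, &gHmac256 };
#define NUM_OFFERED (sizeof gOffered / sizeof gOffered[0])

EFI_STATUS MockGetRng(const EFI_RNG_ALGORITHM *Alg, UINTN Len, UINT8 *Out) {
  UINTN i;
  if (Out == NULL || Len == 0) return EFI_INVALID_PARAMETER;
  if (Alg == NULL) Alg = gOffered[0];              /* NULL selects the driver's default */
  for (i = 0; i < NUM_OFFERED && !GuidEqual(Alg, gOffered[i]); i++) {}
  if (i == NUM_OFFERED) return EFI_UNSUPPORTED;
  for (i = 0; i < Len; i++) Out[i] = (UINT8)(0xA5 ^ i);
  return EFI_SUCCESS;
}

/* Consumer: walk a preference order of 256-bit DRBGs and take the first one the driver
 * accepts; fail with EFI_UNSUPPORTED rather than silently using some other algorithm. */
EFI_STATUS GetRandom256(UINT8 Out[32], const EFI_RNG_ALGORITHM **Used) {
  const EFI_RNG_ALGORITHM *const Pref[] = { &gCtr256, &gHmac256, &gHash256 };
  for (UINTN i = 0; i < 3; i++) {
    EFI_STATUS St = MockGetRng(Pref[i], 32, Out);
    if (St == EFI_UNSUPPORTED) continue;           /* not offered: try the next one */
    if (St == EFI_SUCCESS) *Used = Pref[i];
    return St;
  }
  return EFI_UNSUPPORTED;
}

/* Self-check: with CTR not offered, negotiation must land on HMAC_DRBG. */
int DemoSelectsHmac(void) {
  UINT8 Buf[32]; const EFI_RNG_ALGORITHM *Used = NULL;
  return GetRandom256(Buf, &Used) == EFI_SUCCESS && Used == &gHmac256 && Buf[0] == 0xA5;
}
```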