* [edk2-devel][PATCH v1 1/2] UefiPayloadPkg: Define RngLibTimerLib for systems without RDRAND @ 2023-04-25 17:09 Benjamin Doron 2023-04-25 17:09 ` [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support Benjamin Doron 2023-04-26 12:33 ` [edk2-devel][PATCH v1 1/2] UefiPayloadPkg: Define RngLibTimerLib for systems without RDRAND Sean Rhodes 0 siblings, 2 replies; 10+ messages in thread From: Benjamin Doron @ 2023-04-25 17:09 UTC (permalink / raw) To: devel; +Cc: Guo Dong, Ray Ni, Sean Rhodes, James Lu, Gua Guo From: Benjamin Doron <benjamin.doron@9elements.com> Presently, `ArchIsRngSupported()` always returns TRUE, per https://github.com/tianocore/edk2/blob/1eeca0750af5af2f0e78437bf791ac2de74bde74/MdePkg/Library/BaseRngLib/Rand/RdRand.c#L124-L125. Therefore, `BaseRngLibConstructor()` should continue to assert RDRAND support. However, older platforms do not support RDRAND, such as QEMU in some configurations. Therefore, define an RngLib library class for such systems, using a new flag. Maintain current behaviour by default. Note that this is less secure behaviour, and should be avoided in production. Cc: Guo Dong <guo.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Sean Rhodes <sean@starlabs.systems> Cc: James Lu <james.lu@intel.com> Cc: Gua Guo <gua.guo@intel.com> Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com> --- UefiPayloadPkg/UefiPayloadPkg.dsc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc index 9847f189fff5..1e803ba01567 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -130,6 +130,7 @@ # This is how BaseCpuTimerLib works, and a recommended way to get Frequence, so set the default value as TRUE. # Note: for emulation platform such as QEMU, this may not work and should set it as FALSE DEFINE CPU_TIMER_LIB_ENABLE = TRUE + DEFINE CPU_RNG_ENABLE = TRUE DEFINE MULTIPLE_DEBUG_PORT_SUPPORT = FALSE 
@@ -204,7 +205,11 @@ !endif IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf +!if $(CPU_RNG_ENABLE) == TRUE RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf +!else + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf +!endif HobLib|UefiPayloadPkg/Library/DxeHobLib/DxeHobLib.inf # -- 2.39.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
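Review bot: In the first hunk, `DEFINE CPU_RNG_ENABLE = TRUE` is added with no comment, while the adjacent `CPU_TIMER_LIB_ENABLE` define documents what it selects and that emulation platforms such as QEMU need it set to FALSE; the commit message says the same applies to this flag, so that guidance belongs in the .dsc where the person flipping the switch will see it. Suggest a comment above the define such as `# Set to FALSE on CPUs without RDRAND (e.g. some QEMU configurations). This selects the timer-based RngLib, which is less secure and should be avoided in production.`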
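Review bot: The `!if $(CPU_RNG_ENABLE) == TRUE` / `!else` block in the second hunk resolves `RngLib` to `BaseRngLibTimerLib` only when the flag is explicitly set to FALSE; because the default stays TRUE and, per the commit message, `BaseRngLibConstructor()` asserts RDRAND support, a default build run on a CPU without RDRAND still fails in the constructor. That is the intended behaviour, but a one-line note next to the `!else` would make clear that this is a build-time choice, not an automatic runtime fallback.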
* [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support 2023-04-25 17:09 [edk2-devel][PATCH v1 1/2] UefiPayloadPkg: Define RngLibTimerLib for systems without RDRAND Benjamin Doron @ 2023-04-25 17:09 ` Benjamin Doron 2023-04-26 12:33 ` Sean Rhodes 2023-04-26 18:07 ` [edk2-devel][PATCH " Pedro Falcato 2023-04-26 12:33 ` [edk2-devel][PATCH v1 1/2] UefiPayloadPkg: Define RngLibTimerLib for systems without RDRAND Sean Rhodes 1 sibling, 2 replies; 10+ messages in thread From: Benjamin Doron @ 2023-04-25 17:09 UTC (permalink / raw) To: devel; +Cc: Guo Dong, Ray Ni, Sean Rhodes, James Lu, Gua Guo From: Benjamin Doron <benjamin.doron@9elements.com> Uses CPU RDRAND support and installs the EfiRngProtocol. The protocol may be used by iPXE or the Linux kernel to gather entropy. Cc: Guo Dong <guo.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Sean Rhodes <sean@starlabs.systems> Cc: James Lu <james.lu@intel.com> Cc: Gua Guo <gua.guo@intel.com> Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com> --- UefiPayloadPkg/UefiPayloadPkg.dsc | 3 +++ UefiPayloadPkg/UefiPayloadPkg.fdf | 3 +++ 2 files changed, 6 insertions(+) diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc index 1e803ba01567..486af2396731 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -634,6 +634,9 @@ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf !endif UefiCpuPkg/CpuDxe/CpuDxe.inf +!if $(CPU_RNG_ENABLE) == TRUE + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +!endif MdeModulePkg/Universal/BdsDxe/BdsDxe.inf !if $(BOOTSPLASH_IMAGE) MdeModulePkg/Logo/LogoDxe.inf diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf index f8c2aa8c4a02..53add65a6a40 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf 
@@ -157,6 +157,9 @@ INF CryptoPkg/Driver/CryptoDxe.inf INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf !endif INF UefiCpuPkg/CpuDxe/CpuDxe.inf +!if $(CPU_RNG_ENABLE) == TRUE +INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +!endif INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf -- 2.39.2 ^ permalink raw reply related [flat|nested] 10+ messages in thread
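Review bot: Wrapping `SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf` in `!if $(CPU_RNG_ENABLE) == TRUE` in the .dsc hunk means a FALSE build (timer-based RngLib from patch 1/2) never installs EfiRngProtocol, which is the right call since the timer source is not worth advertising to iPXE or the kernel; the commit message, which says only that the change "Uses CPU RDRAND support", should state the dependency on the define introduced in 1/2 and why the driver is left out otherwise.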
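Review bot: The .fdf hunk adds `INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf` next to CpuDxe in the main FV; UefiPayloadPkg already keeps optional drivers in their own volumes (network_fv and bds_fv are the examples given later in the thread), and a dedicated FV for this driver would let it be added or removed without touching the core volume. The `!if $(CPU_RNG_ENABLE) == TRUE` guard here also has to stay in lock-step with the one in the .dsc, since an INF listed in the .fdf but compiled out of the .dsc breaks the build; a comment pointing at the matching .dsc condition would help future edits.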
* Re: [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support 2023-04-25 17:09 ` [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support Benjamin Doron @ 2023-04-26 12:33 ` Sean Rhodes 2023-04-26 12:55 ` Guo, Gua 2023-04-26 13:09 ` [edk2-devel] [PATCH " Sheng Lean Tan 2023-04-26 18:07 ` [edk2-devel][PATCH " Pedro Falcato 1 sibling, 2 replies; 10+ messages in thread From: Sean Rhodes @ 2023-04-26 12:33 UTC (permalink / raw) To: Benjamin Doron; +Cc: devel, Guo Dong, Ray Ni, James Lu, Gua Guo [-- Attachment #1: Type: text/plain, Size: 1895 bytes --] Reviewed-by: Sean Rhodes <sean@starlabs.systems> On Tue, 25 Apr 2023 at 18:09, Benjamin Doron <benjamin.doron00@gmail.com> wrote: > From: Benjamin Doron <benjamin.doron@9elements.com> > > Uses CPU RDRAND support and installs the EfiRngProtocol. > The protocol may be used by iPXE or the Linux kernel to gather entropy. > > Cc: Guo Dong <guo.dong@intel.com> > Cc: Ray Ni <ray.ni@intel.com> > Cc: Sean Rhodes <sean@starlabs.systems> > Cc: James Lu <james.lu@intel.com> > Cc: Gua Guo <gua.guo@intel.com> > Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com> > --- > UefiPayloadPkg/UefiPayloadPkg.dsc | 3 +++ > UefiPayloadPkg/UefiPayloadPkg.fdf | 3 +++ > 2 files changed, 6 insertions(+) > > diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc > b/UefiPayloadPkg/UefiPayloadPkg.dsc > index 1e803ba01567..486af2396731 100644 > --- a/UefiPayloadPkg/UefiPayloadPkg.dsc > +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc > @@ -634,6 +634,9 @@ > MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > !endif > UefiCpuPkg/CpuDxe/CpuDxe.inf > +!if $(CPU_RNG_ENABLE) == TRUE > + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf > +!endif > MdeModulePkg/Universal/BdsDxe/BdsDxe.inf > !if $(BOOTSPLASH_IMAGE) > MdeModulePkg/Logo/LogoDxe.inf > diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf > b/UefiPayloadPkg/UefiPayloadPkg.fdf > index f8c2aa8c4a02..53add65a6a40 100644 > --- a/UefiPayloadPkg/UefiPayloadPkg.fdf 
> +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf > @@ -157,6 +157,9 @@ INF CryptoPkg/Driver/CryptoDxe.inf > INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > !endif > INF UefiCpuPkg/CpuDxe/CpuDxe.inf > +!if $(CPU_RNG_ENABLE) == TRUE > +INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf > +!endif > > INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf > INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf > -- > 2.39.2 > > [-- Attachment #2: Type: text/html, Size: 2823 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support
From: Guo, Gua @ 2023-04-26 12:55 UTC (permalink / raw)
To: devel@edk2.groups.io, Rhodes, Sean, Benjamin Doron
Cc: Dong, Guo, Ni, Ray, Lu, James

Do we separate these Security Drivers into a separate FV?

I really don't want to see everything gathered into uefi_fv. If we separate it into many FVs, we can easily plug them in and out.

Thanks,
Gua

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sean Rhodes
Sent: Wednesday, April 26, 2023 8:33 PM
To: Benjamin Doron <benjamin.doron00@gmail.com>
Cc: devel@edk2.groups.io; Dong, Guo <guo.dong@intel.com>; Ni, Ray <ray.ni@intel.com>; Lu, James <james.lu@intel.com>; Guo, Gua <gua.guo@intel.com>
Subject: Re: [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support

Reviewed-by: Sean Rhodes <sean@starlabs.systems>

On Tue, 25 Apr 2023 at 18:09, Benjamin Doron <benjamin.doron00@gmail.com> wrote:
From: Benjamin Doron <benjamin.doron@9elements.com>

Uses CPU RDRAND support and installs the EfiRngProtocol.
The protocol may be used by iPXE or the Linux kernel to gather entropy.

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com>
---
 UefiPayloadPkg/UefiPayloadPkg.dsc | 3 +++
 UefiPayloadPkg/UefiPayloadPkg.fdf | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc index 1e803ba01567..486af2396731 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -634,6 +634,9 @@ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf !endif UefiCpuPkg/CpuDxe/CpuDxe.inf +!if $(CPU_RNG_ENABLE) == TRUE + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +!endif MdeModulePkg/Universal/BdsDxe/BdsDxe.inf !if $(BOOTSPLASH_IMAGE) MdeModulePkg/Logo/LogoDxe.inf diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf index f8c2aa8c4a02..53add65a6a40 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -157,6 +157,9 @@ INF CryptoPkg/Driver/CryptoDxe.inf INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf !endif INF UefiCpuPkg/CpuDxe/CpuDxe.inf +!if $(CPU_RNG_ENABLE) == TRUE +INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +!endif INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf -- 2.39.2 [-- Attachment #2: Type: text/html, Size: 6657 bytes --] ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support
From: Sheng Lean Tan @ 2023-04-26 13:10 UTC (permalink / raw)
To: devel, gua.guo
Cc: Rhodes, Sean, Benjamin Doron, Dong, Guo, Ni, Ray, Lu, James

Hi Gua,
Thanks for the review. Do you have a proposal or small example of how you want to separate it into another FV?

Thanks,
Sheng

On Wed, 26 Apr 2023 at 14:55, Guo, Gua <gua.guo@intel.com> wrote:
> Do we separate these Security Drivers into a separate FV?
>
> I really don't want to see everything gathered into uefi_fv.
> If we separate it into many FVs, we can easily plug them in and out.
>
> Thanks,
> Gua
>
> *From:* devel@edk2.groups.io <devel@edk2.groups.io> *On Behalf Of* Sean Rhodes
> *Sent:* Wednesday, April 26, 2023 8:33 PM
> *To:* Benjamin Doron <benjamin.doron00@gmail.com>
> *Cc:* devel@edk2.groups.io; Dong, Guo <guo.dong@intel.com>; Ni, Ray <ray.ni@intel.com>; Lu, James <james.lu@intel.com>; Guo, Gua <gua.guo@intel.com>
> *Subject:* Re: [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support
>
> Reviewed-by: Sean Rhodes <sean@starlabs.systems>
>
> On Tue, 25 Apr 2023 at 18:09, Benjamin Doron <benjamin.doron00@gmail.com> wrote:
>
> From: Benjamin Doron <benjamin.doron@9elements.com>
>
> Uses CPU RDRAND support and installs the EfiRngProtocol.
> The protocol may be used by iPXE or the Linux kernel to gather entropy.
>
> Cc: Guo Dong <guo.dong@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Sean Rhodes <sean@starlabs.systems>
> Cc: James Lu <james.lu@intel.com>
> Cc: Gua Guo <gua.guo@intel.com>
> Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com>
> ---
>  UefiPayloadPkg/UefiPayloadPkg.dsc | 3 +++
>  UefiPayloadPkg/UefiPayloadPkg.fdf | 3 +++
>  2 files changed, 6 insertions(+)
> > diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc > b/UefiPayloadPkg/UefiPayloadPkg.dsc > index 1e803ba01567..486af2396731 100644 > --- a/UefiPayloadPkg/UefiPayloadPkg.dsc > +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc > @@ -634,6 +634,9 @@ > MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > !endif > UefiCpuPkg/CpuDxe/CpuDxe.inf > +!if $(CPU_RNG_ENABLE) == TRUE > + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf > +!endif > MdeModulePkg/Universal/BdsDxe/BdsDxe.inf > !if $(BOOTSPLASH_IMAGE) > MdeModulePkg/Logo/LogoDxe.inf > diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf > b/UefiPayloadPkg/UefiPayloadPkg.fdf > index f8c2aa8c4a02..53add65a6a40 100644 > --- a/UefiPayloadPkg/UefiPayloadPkg.fdf > +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf > @@ -157,6 +157,9 @@ INF CryptoPkg/Driver/CryptoDxe.inf > INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > !endif > INF UefiCpuPkg/CpuDxe/CpuDxe.inf > +!if $(CPU_RNG_ENABLE) == TRUE > +INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf > +!endif > > INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf > INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf > -- > 2.39.2 > > > > [-- Attachment #2: Type: text/html, Size: 5824 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support
From: Guo, Gua @ 2023-04-26 22:43 UTC (permalink / raw)
To: devel@edk2.groups.io, Tan, Lean Sheng
Cc: Rhodes, Sean, Benjamin Doron, Dong, Guo, Ni, Ray, Lu, James

You can check with network_fv or bds_fv.

[attached screenshot: image001.png]

Thanks,
Gua

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sheng Lean Tan
Sent: Wednesday, April 26, 2023 9:11 PM
To: devel@edk2.groups.io; Guo, Gua <gua.guo@intel.com>
Cc: Rhodes, Sean <sean@starlabs.systems>; Benjamin Doron <benjamin.doron00@gmail.com>; Dong, Guo <guo.dong@intel.com>; Ni, Ray <ray.ni@intel.com>; Lu, James <james.lu@intel.com>
Subject: Re: [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support

Hi Gua,
Thanks for the review. Do you have a proposal or small example of how you want to separate it into another FV?

Thanks,
Sheng

On Wed, 26 Apr 2023 at 14:55, Guo, Gua <gua.guo@intel.com> wrote:
Do we separate these Security Drivers into a separate FV?

I really don't want to see everything gathered into uefi_fv.
If we separate it into many FVs, we can easily plug them in and out.

Thanks,
Gua
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sean Rhodes
Sent: Wednesday, April 26, 2023 8:33 PM
To: Benjamin Doron <benjamin.doron00@gmail.com>
Cc: devel@edk2.groups.io; Dong, Guo <guo.dong@intel.com>; Ni, Ray <ray.ni@intel.com>; Lu, James <james.lu@intel.com>; Guo, Gua <gua.guo@intel.com>
Subject: Re: [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support

Reviewed-by: Sean Rhodes <sean@starlabs.systems>

On Tue, 25 Apr 2023 at 18:09, Benjamin Doron <benjamin.doron00@gmail.com> wrote:
From: Benjamin Doron <benjamin.doron@9elements.com>

Uses CPU RDRAND support and installs the EfiRngProtocol.
The protocol may be used by iPXE or the Linux kernel to gather entropy.

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Sean Rhodes <sean@starlabs.systems>
Cc: James Lu <james.lu@intel.com>
Cc: Gua Guo <gua.guo@intel.com>
Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com>
---
 UefiPayloadPkg/UefiPayloadPkg.dsc | 3 +++
 UefiPayloadPkg/UefiPayloadPkg.fdf | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
index 1e803ba01567..486af2396731 100644
--- a/UefiPayloadPkg/UefiPayloadPkg.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
@@ -634,6 +634,9 @@ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf !endif UefiCpuPkg/CpuDxe/CpuDxe.inf +!if $(CPU_RNG_ENABLE) == TRUE + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +!endif MdeModulePkg/Universal/BdsDxe/BdsDxe.inf !if $(BOOTSPLASH_IMAGE) MdeModulePkg/Logo/LogoDxe.inf diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf index f8c2aa8c4a02..53add65a6a40 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.fdf +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf @@ -157,6 +157,9 @@ INF CryptoPkg/Driver/CryptoDxe.inf INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf !endif INF UefiCpuPkg/CpuDxe/CpuDxe.inf +!if $(CPU_RNG_ENABLE) == TRUE +INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +!endif INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf -- 2.39.2 [-- Attachment #1.2: Type: text/html, Size: 9972 bytes --] [-- Attachment #2: image001.png --] [-- Type: image/png, Size: 77716 bytes --] ^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [edk2-devel] [PATCH v1 2/2] UefiPayloadPkg: Enable RNG support
From: Sheng Lean Tan @ 2023-04-26 13:09 UTC (permalink / raw)
To: Sean Rhodes, devel

Hi Gua,
Thanks for the review. Do you have a proposal or small example of how you would like to see it separated into another FV?

Thanks,
Sheng
* Re: [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support 2023-04-25 17:09 ` [edk2-devel][PATCH v1 2/2] UefiPayloadPkg: Enable RNG support Benjamin Doron 2023-04-26 12:33 ` Sean Rhodes @ 2023-04-26 18:07 ` Pedro Falcato 2023-04-26 21:24 ` [edk2-devel] [PATCH " Benjamin Doron 1 sibling, 1 reply; 10+ messages in thread From: Pedro Falcato @ 2023-04-26 18:07 UTC (permalink / raw) To: devel, benjamin.doron00; +Cc: Guo Dong, Ray Ni, Sean Rhodes, James Lu, Gua Guo On Tue, Apr 25, 2023 at 6:09 PM Benjamin Doron <benjamin.doron00@gmail.com> wrote: > > From: Benjamin Doron <benjamin.doron@9elements.com> > > Uses CPU RDRAND support and installs the EfiRngProtocol. > The protocol may be used by iPXE or the Linux kernel to gather entropy. > > Cc: Guo Dong <guo.dong@intel.com> > Cc: Ray Ni <ray.ni@intel.com> > Cc: Sean Rhodes <sean@starlabs.systems> > Cc: James Lu <james.lu@intel.com> > Cc: Gua Guo <gua.guo@intel.com> > Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com> > --- > UefiPayloadPkg/UefiPayloadPkg.dsc | 3 +++ > UefiPayloadPkg/UefiPayloadPkg.fdf | 3 +++ > 2 files changed, 6 insertions(+) > > diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc > index 1e803ba01567..486af2396731 100644 > --- a/UefiPayloadPkg/UefiPayloadPkg.dsc > +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc > @@ -634,6 +634,9 @@ > MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > !endif > UefiCpuPkg/CpuDxe/CpuDxe.inf > +!if $(CPU_RNG_ENABLE) == TRUE > + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf > +!endif > MdeModulePkg/Universal/BdsDxe/BdsDxe.inf > !if $(BOOTSPLASH_IMAGE) > MdeModulePkg/Logo/LogoDxe.inf > diff --git a/UefiPayloadPkg/UefiPayloadPkg.fdf b/UefiPayloadPkg/UefiPayloadPkg.fdf > index f8c2aa8c4a02..53add65a6a40 100644 > --- a/UefiPayloadPkg/UefiPayloadPkg.fdf > +++ b/UefiPayloadPkg/UefiPayloadPkg.fdf 
> @@ -157,6 +157,9 @@ INF CryptoPkg/Driver/CryptoDxe.inf > INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > !endif > INF UefiCpuPkg/CpuDxe/CpuDxe.inf > +!if $(CPU_RNG_ENABLE) == TRUE > +INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf

Friendly reminder: https://bugzilla.tianocore.org/show_bug.cgi?id=4163
Which ended up never getting merged. Do check if this affects you (particularly as coreboot is used by a lot of older devices).

--
Pedro
* Re: [edk2-devel] [PATCH v1 2/2] UefiPayloadPkg: Enable RNG support
From: Benjamin Doron @ 2023-04-26 21:24 UTC (permalink / raw)
To: Pedro Falcato, devel

I hadn't seen the bugzilla yet, though I know the issue. See patch 1/2: the current approach is to use RngLibTimerLib if the build-time configuration indicates it. This isn't recommended, but it is sufficient for building for platforms which require the library class - I think OpensslLib has a dependency.

For the same reason, the RngDxe driver is only compiled with the same build definition, because there's no point in advertising RNG support through the protocol when it's low quality.

Regards,
Benjamin
* Re: [edk2-devel][PATCH v1 1/2] UefiPayloadPkg: Define RngLibTimerLib for systems without RDRAND
From: Sean Rhodes @ 2023-04-26 12:33 UTC (permalink / raw)
To: Benjamin Doron; +Cc: devel, Guo Dong, Ray Ni, James Lu, Gua Guo

Reviewed-by: Sean Rhodes <sean@starlabs.systems>

On Tue, 25 Apr 2023 at 18:09, Benjamin Doron <benjamin.doron00@gmail.com> wrote:
> From: Benjamin Doron <benjamin.doron@9elements.com>
>
> Presently, `ArchIsRngSupported()` always returns TRUE, per
> https://github.com/tianocore/edk2/blob/1eeca0750af5af2f0e78437bf791ac2de74bde74/MdePkg/Library/BaseRngLib/Rand/RdRand.c#L124-L125.
> Therefore, `BaseRngLibConstructor()` should continue to assert RDRAND support.
>
> However, older platforms do not support RDRAND, such as QEMU in some configurations. Therefore, define an RngLib library class for such systems, using a new flag. Maintain current behaviour by default.
>
> Note that this is less secure behaviour, and should be avoided in production.
>
> Cc: Guo Dong <guo.dong@intel.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Sean Rhodes <sean@starlabs.systems>
> Cc: James Lu <james.lu@intel.com>
> Cc: Gua Guo <gua.guo@intel.com>
> Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com>
> ---
>  UefiPayloadPkg/UefiPayloadPkg.dsc | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc
> index 9847f189fff5..1e803ba01567 100644
> --- a/UefiPayloadPkg/UefiPayloadPkg.dsc
> +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc
> @@ -130,6 +130,7 @@ > # This is how BaseCpuTimerLib works, and a recommended way to get > Frequence, so set the default value as TRUE. > # Note: for emulation platform such as QEMU, this may not work and > should set it as FALSE > DEFINE CPU_TIMER_LIB_ENABLE = TRUE > + DEFINE CPU_RNG_ENABLE = TRUE > > DEFINE MULTIPLE_DEBUG_PORT_SUPPORT = FALSE > > @@ -204,7 +205,11 @@ > !endif > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > +!if $(CPU_RNG_ENABLE) == TRUE > RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf > +!else > + RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf > +!endif > HobLib|UefiPayloadPkg/Library/DxeHobLib/DxeHobLib.inf > > # > -- > 2.39.2 > > [-- Attachment #2: Type: text/html, Size: 3221 bytes --] ^ permalink raw reply [flat|nested] 10+ messages in thread