From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Pedro Falcato <pedro.falcato@gmail.com>
Cc: devel@edk2.groups.io, ardb@kernel.org,
Liming Gao <gaoliming@byosoft.com.cn>,
Rebecca Cran <rebecca@bsdio.com>,
Pierre Gondois <pierre.gondois@arm.com>,
Leif Lindholm <quic_llindhol@quicinc.com>,
Sami Mujawar <sami.mujawar@arm.com>,
Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: [edk2-devel] [PATCH 3/3] OvmfPkg/OvmfX86: Enable RDRAND based EFI_RNG_PROTOCOL implementation
Date: Tue, 22 Nov 2022 14:10:19 +0100 [thread overview]
Message-ID: <CAHmME9o5TU9GKi8Afz9TdWcnt-thSfpnTheuBHkMGCAHQtugww@mail.gmail.com> (raw)
In-Reply-To: <CAKbZUD1hWdUVfoeqYFGxvDDgpHS6Q142ho-8w6EL+=RWR6_PQg@mail.gmail.com>
Hi Pedro,
On 11/22/22, Pedro Falcato <pedro.falcato@gmail.com> wrote:
> I am aware, but I'm more scared when it comes to very early boot (think
> linux's EFI stub or some other bootloader) I can see how
> an ill-advised RNG_PROTOCOL user can try to exclusively rely on it (if it's
> available, which I don't believe it is atm on non-virtio-rng OVMF) vs
> mixing in the few sources you can get at that point, making important
> things like KASLR addresses or possibly even a stack canary 100% guessable.
The thing is, in low-entropy early boot scenarios, the alternative
would be just having nothing. The kernel doesn't pause boot to wait
for a good source....it just uses a bad one. So adding RDRAND in EFI
helps. Really, more entropy from more sources as early as possible and
as fast as possible only ever helps here.
> also does proper sanity checking on it.
No, there's nothing "proper" about it. It's a dumb basic thing.
>
> - EFI on actual baremetal firmware, as opposed to OVMF, already provides
>> EFI, so this is par for the course.
>>
>
> Hm? What do you mean?
I meant already provides RDRAND, sorry. All x86 hardware with EFI has
this enabled.
> I know, I'm not yelling at Ard for the (questionable?) choices done in the
> BaseRngLib code, but I'm concerned this patch may negatively influence any
> sort of early boot RNG,
> particularly for the more naive users of RNG_PROTOCOL, by providing the
> possibly flawed RDRAND code. If the efi subsystem/EFISTUB code handles this
> case well by still mixing
> in whatever sources it can get before using this entropy, then that's
> great, but providing things like a non-random RNG_PROTOCOL sounds very
> broken and very unsafe to me (again invoking
> that possible KASLR at very early boot example).
Except as related several times now, it will only help and won't hurt.
If you want to improve the RDRAND DXE, do it, but aside from the CPUID
issue you raised, I don't think your "concerns" warrant holding up
this patch.
>
> Also the CPUID check seems like an important step towards
> not-breaking-old-CPUs.
Yes. If what you say is true, this should be fixed asap. Do you intend
to send a patch?
> All I'm saying is that we shouldn't just hook up the RNG DXE driver without
> carefully considering what the code is doing.
To point out again, this is already hooked up to baremetal firmware.
So if you see issues that are worth fixing, fix them, but it shouldn't
hold up Ard's patchset.
Jason
next prev parent reply other threads:[~2022-11-22 13:10 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-10 13:47 [PATCH 0/3] OVMF: support EFI_RNG_PROTOCOL without virtio-rng Ard Biesheuvel
2022-11-10 13:47 ` [PATCH 1/3] ArmPkg/ArmTrngLib: Fix incorrect GUID reference in DEBUG() output Ard Biesheuvel
2022-11-10 14:39 ` Sami Mujawar
2022-11-10 13:47 ` [PATCH 2/3] ArmVirtPkg/ArmVirtQemu: Expose TRNG hypercall via RngDxe if implemented Ard Biesheuvel
2022-11-18 16:48 ` PierreGondois
2023-01-11 16:49 ` [edk2-devel] " Ard Biesheuvel
2023-01-11 17:38 ` PierreGondois
2023-01-11 17:45 ` Ard Biesheuvel
2022-11-10 13:47 ` [PATCH 3/3] OvmfPkg/OvmfX86: Enable RDRAND based EFI_RNG_PROTOCOL implementation Ard Biesheuvel
2022-11-22 11:35 ` [edk2-devel] " Pedro Falcato
2022-11-22 12:20 ` Jason A. Donenfeld
2022-11-22 12:45 ` Pedro Falcato
2022-11-22 13:10 ` Jason A. Donenfeld [this message]
2022-11-22 14:17 ` Pedro Falcato
2022-11-22 14:21 ` Jason A. Donenfeld
2022-11-22 12:29 ` Jason A. Donenfeld
2022-11-11 0:41 ` 回复: [PATCH 0/3] OVMF: support EFI_RNG_PROTOCOL without virtio-rng gaoliming
2022-11-11 2:41 ` Jason A. Donenfeld
2022-11-11 7:47 ` Ard Biesheuvel
2022-11-11 17:03 ` Jason A. Donenfeld
[not found] ` <172660F4A69E435E.25609@groups.io>
2022-11-11 3:53 ` 回复: [edk2-devel] 回复: " gaoliming
2022-11-11 7:34 ` Ard Biesheuvel
2022-11-11 8:14 ` [edk2-devel] " Gerd Hoffmann
2023-01-10 18:19 ` Jason A. Donenfeld
2023-01-11 11:41 ` Ard Biesheuvel
2023-01-11 15:23 ` [edk2-devel] " Laszlo Ersek
2023-01-11 16:03 ` Ard Biesheuvel
2023-01-11 16:05 ` Ard Biesheuvel
2023-01-12 9:27 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHmME9o5TU9GKi8Afz9TdWcnt-thSfpnTheuBHkMGCAHQtugww@mail.gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox