public inbox for devel@edk2.groups.io
* [edk2-devel] Non-obvious network boot stack issues in OVMF after 4c4ceb2 (NetworkPkg: SECURITY PATCH CVE-2023-45237)
@ 2024-08-10  9:08 Mike Beaton
  2024-08-21 10:38 ` Gerd Hoffmann
  0 siblings, 1 reply; 3+ messages in thread
From: Mike Beaton @ 2024-08-10  9:08 UTC (permalink / raw)
  To: devel; +Cc: Ard Biesheuvel, dougflick, Gerd Hoffmann

The network boot stack fails to load in OVMF after
4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345 (NetworkPkg: SECURITY PATCH
CVE-2023-45237): https://bugzilla.tianocore.org/show_bug.cgi?id=4827

I have now understood that this is because the network stack drivers
have been updated to require an instance of gEfiRngProtocolGuid, so
OVMF now requires the `-device virtio-rng-pci` qemu option in order
for the network stack to load (this flag is required in order for
VirtioRngDxe to be able to provide the required protocol).

Two issues:

1. This is rather non-obvious - previously, the user set the
compilation options for the network stack, and the network stack
started. Ideally, perhaps, this would be fixed by adding some
documentation somewhere easily found, but I am not sure where. (By the
way, we don't get any helpful asserts which would lead us in the right
direction; the depex is never satisfied, so the network stack drivers
just never load.)

2. I also spotted that OvmfXen has neither RngDxe nor VirtioRngDxe - I
have never used OvmfXen, so I am not sure about this but (since these
seem to be the only two drivers which produce gEfiRngProtocolGuid) at
least at first glance it looks as if OvmfXen won't have any RNG for
the network stack now, so that its network stack would not start?


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#120312): https://edk2.groups.io/g/devel/message/120312
Mute This Topic: https://groups.io/mt/107822587/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-


* Re: [edk2-devel] Non-obvious network boot stack issues in OVMF after 4c4ceb2 (NetworkPkg: SECURITY PATCH CVE-2023-45237)
  2024-08-10  9:08 [edk2-devel] Non-obvious network boot stack issues in OVMF after 4c4ceb2 (NetworkPkg: SECURITY PATCH CVE-2023-45237) Mike Beaton
@ 2024-08-21 10:38 ` Gerd Hoffmann
  2024-08-21 11:36   ` Mike Beaton
  0 siblings, 1 reply; 3+ messages in thread
From: Gerd Hoffmann @ 2024-08-21 10:38 UTC (permalink / raw)
  To: Mike Beaton; +Cc: devel, Ard Biesheuvel, dougflick

On Sat, Aug 10, 2024 at 10:08:20AM GMT, Mike Beaton wrote:
> The network boot stack fails to load in OVMF after
> 4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345 (NetworkPkg: SECURITY PATCH
> CVE-2023-45237): https://bugzilla.tianocore.org/show_bug.cgi?id=4827
> 
> I have now understood that this is because the network stack drivers
> have been updated to require an instance of gEfiRngProtocolGuid, so
> OVMF now requires the `-device virtio-rng-pci` qemu option in order
> for the network stack to load (this flag is required in order for
> VirtioRngDxe to be able to provide the required protocol).

FYI: With the upcoming 2024-08 stable tag this will be relaxed,
a CPU with rdrand instruction support will work too as a source
for random numbers.

See https://github.com/tianocore/edk2/pull/5714 for details.

> 1. This is rather non-obvious - previously, the user set the
> compilation options for the network stack, and the network stack
> started. Ideally, perhaps, this would be fixed by adding some
> documentation somewhere easily found, but I am not sure where. (By the
> way, we don't get any helpful asserts which would lead us in the right
> direction; the depex is never satisfied, so the network stack drivers
> just never load.)

Yep.  When it comes to diagnostics there is clearly room for
improvement.

> 2. I also spotted that OvmfXen has neither RngDxe nor VirtioRngDxe - I
> have never used OvmfXen, so I am not sure about this but (since these
> seem to be the only two drivers which produce gEfiRngProtocolGuid) at
> least at first glance it looks as if OvmfXen won't have any RNG for
> the network stack now, so that its network stack would not start?

There is a patch for that too in master branch, so upcoming 2024-08
should be fine here.

It has been a somewhat bumpy road due to the last minute merge of the
fixes, so some fallout has been fixed only after the 2024-05 stable tag.

HTH & take care,
  Gerd

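As an added example (mine, not code from the thread, from edk2 or from OVMF): a POSIX sh pre-flight check that combines the two conditions the exchange above describes, namely a virtio-rng device on the QEMU command line (which lets VirtioRngDxe provide gEfiRngProtocolGuid), or, from the 2024-08 stable tag on, host rdrand support. It assumes stable tags are named edk2-stableYYYYMM and that the CPU flags are passed as a cpuinfo-style space-separated string; both are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: predict whether an OVMF guest will have
# an EFI_RNG_PROTOCOL provider, so that the NetworkPkg drivers' depex can be
# satisfied (otherwise they silently never load, as the thread notes).
#
# Assumptions (mine): a virtio-rng device is detected by "-device virtio-rng"
# on the QEMU command line (covers virtio-rng-pci and virtio-rng-device);
# rdrand counts only for edk2-stable202408 or later, per the reply above.

# ovmf_rng_source QEMU_ARGS CPU_FLAGS EDK2_TAG
# Prints "virtio-rng", "rdrand" or "none"; returns 1 when no source exists.
ovmf_rng_source() {
    qemu_args=$1
    cpu_flags=$2
    edk2_tag=$3

    # A virtio-rng device works on every release that has the depex.
    case " $qemu_args " in
        *" -device virtio-rng"*) echo "virtio-rng"; return 0 ;;
    esac

    # Strip "edk2-stable" to get YYYYMM; compare numerically.
    tag_num=${edk2_tag##*stable}
    if [ "$tag_num" -ge 202408 ] 2>/dev/null; then
        case " $cpu_flags " in
            *" rdrand "*) echo "rdrand"; return 0 ;;
        esac
    fi

    echo "none"
    return 1
}

# Demo on constructed inputs (not a real guest). On a real host the flags
# could come from: grep -m1 '^flags' /proc/cpuinfo
for args in "-machine q35 -m 2G" "-machine q35 -m 2G -device virtio-rng-pci"; do
    src=$(ovmf_rng_source "$args" "fpu sse2 rdrand" edk2-stable202405) || true
    if [ "$src" = none ]; then
        echo "[$args]: no RNG provider; network stack will not load." \
             "Add -device virtio-rng-pci or move to edk2-stable202408+."
    else
        echo "[$args]: RNG provided by $src"
    fi
done
```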

* Re: [edk2-devel] Non-obvious network boot stack issues in OVMF after 4c4ceb2 (NetworkPkg: SECURITY PATCH CVE-2023-45237)
  2024-08-21 10:38 ` Gerd Hoffmann
@ 2024-08-21 11:36   ` Mike Beaton
  0 siblings, 0 replies; 3+ messages in thread
From: Mike Beaton @ 2024-08-21 11:36 UTC (permalink / raw)
  To: Gerd Hoffmann; +Cc: devel, Ard Biesheuvel, dougflick

On Wed, 21 Aug 2024 at 11:38, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> On Sat, Aug 10, 2024 at 10:08:20AM GMT, Mike Beaton wrote:
> > The network boot stack fails to load in OVMF after
> > 4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345 (NetworkPkg: SECURITY PATCH
> > CVE-2023-45237): https://bugzilla.tianocore.org/show_bug.cgi?id=4827
> >
> > I have now understood that this is because the network stack drivers
> > have been updated to require an instance of gEfiRngProtocolGuid, so
> > OVMF now requires the `-device virtio-rng-pci` qemu option in order
> > for the network stack to load (this flag is required in order for
> > VirtioRngDxe to be able to provide the required protocol).
>
> FYI: With the upcoming 2024-08 stable tag this will be relaxed,
> a CPU with rdrand instruction support will work too as source
> for random numbers.
>
> See https://github.com/tianocore/edk2/pull/5714 for details.
>
> > 1. This is rather non-obvious - previously, the user set the
> > compilation options for the network stack, and the network stack
> > started. Ideally, perhaps, this would be fixed by adding some
> > documentation somewhere easily found, but I am not sure where. (By the
> > way, we don't get any helpful asserts which would lead us in the right
> > direction; the depex is never satisfied, so the network stack drivers
> > just never load.)
>
> Yep.  When it comes to diagnostics there is clearly room for
> improvement.
>
> > 2. I also spotted that OvmfXen has neither RngDxe nor VirtioRngDxe - I
> > have never used OvmfXen, so I am not sure about this but (since these
> > seem to be the only two drivers which produce gEfiRngProtocolGuid) at
> > least at first glance it looks as if OvmfXen won't have any RNG for
> > the network stack now, so that its network stack would not start?
>
> There is a patch for that too in master branch, so upcoming 2024-08
> should be fine here.
>
> It has been a somewhat bumpy road due to the last minute merge of the
> fixes, so some fallout has been fixed only after the 2024-05 stable tag.
>
> HTH & take care,
>   Gerd

Thank you for these clarifications, that is helpful. Appreciated!

Mike
