Hi Ard, Given this patch plus the corresponding linux-efi patches wrt RNG, I'm mildly concerned about buggy RDRAND implementations compromising the kernel's RNG. Is this not a concern? It's also worth noting that MdePkg/Library/BaseRngLib skips the CPUID bit check in ArchIsRngSupported for $REASON, which I assume will crash pre-RDRAND VMs. We should probably also test for stupidly broken rdrand implementations like the notorious Zen 3 which always return 0xFFFFFFFF (per xkcd 221 ;)). Thanks, Pedro On Thu, Nov 10, 2022 at 1:48 PM Ard Biesheuvel wrote: > Expose the EFI_RNG_PROTOCOL based on RdRand, so that we don't have to > rely on QEMU providing a virtio-rng device in order to implement this > protocol. > > Signed-off-by: Ard Biesheuvel > --- > OvmfPkg/OvmfPkgIa32.dsc | 1 + > OvmfPkg/OvmfPkgIa32.fdf | 1 + > OvmfPkg/OvmfPkgIa32X64.dsc | 1 + > OvmfPkg/OvmfPkgIa32X64.fdf | 1 + > OvmfPkg/OvmfPkgX64.dsc | 1 + > OvmfPkg/OvmfPkgX64.fdf | 1 + > 6 files changed, 6 insertions(+) > > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > index e9ba491237ae..18c1e7255812 100644 > --- a/OvmfPkg/OvmfPkgIa32.dsc > +++ b/OvmfPkg/OvmfPkgIa32.dsc > @@ -941,6 +941,7 @@ [Components] > } > !endif > > + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf > !if $(SECURE_BOOT_ENABLE) == TRUE > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf > diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf > index 7023ade8cebe..34f27ca832bc 100644 > --- a/OvmfPkg/OvmfPkgIa32.fdf > +++ b/OvmfPkg/OvmfPkgIa32.fdf > @@ -248,6 +248,7 @@ [FV.DXEFV] > INF OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf > !endif > > + INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf > !if $(SECURE_BOOT_ENABLE) == TRUE > INF > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > !endif > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > index af566b953f36..e9a199c9f490 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > @@ -955,6 +955,7 @@ [Components.X64] > } > !endif > > + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf > !if $(SECURE_BOOT_ENABLE) == TRUE > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf > diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf > index 80de4fa2c0df..33cc163e596e 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.fdf > +++ b/OvmfPkg/OvmfPkgIa32X64.fdf > @@ -249,6 +249,7 @@ [FV.DXEFV] > INF OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf > !endif > > + INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf > !if $(SECURE_BOOT_ENABLE) == TRUE > INF > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > !endif > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index f39d9cd117e6..5572cb82998f 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc > @@ -1023,6 +1023,7 @@ [Components] > } > !endif > > + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf > !if $(SECURE_BOOT_ENABLE) == TRUE > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf > diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf > index c0f5a1ef3c30..d42deebe3f8f 100644 > --- a/OvmfPkg/OvmfPkgX64.fdf > +++ b/OvmfPkg/OvmfPkgX64.fdf > @@ -274,6 +274,7 @@ [FV.DXEFV] > INF OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf > !endif > > +INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf > !if $(SECURE_BOOT_ENABLE) == TRUE > INF > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > !endif > -- > 2.35.1 > > > > ------------ > Groups.io Links: You receive all messages sent to this group. > View/Reply Online (#96191): https://edk2.groups.io/g/devel/message/96191 > Mute This Topic: https://groups.io/mt/94935843/5946980 > Group Owner: devel+owner@edk2.groups.io > Unsubscribe: https://edk2.groups.io/g/devel/unsub [pedro.falcato@gmail.com > ] > ------------ > > > -- Pedro Falcato