From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail05.groups.io (mail05.groups.io [45.79.224.7]) by spool.mail.gandi.net (Postfix) with ESMTPS id C0459D80D75 for ; Tue, 7 May 2024 15:17:55 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=CDcFPDRBqM0k23OyfmedUxfqCE4u2TGteBOnbUeaeEU=; c=relaxed/simple; d=groups.io; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:To:Cc:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type:Content-Transfer-Encoding; s=20240206; t=1715095074; v=1; b=rwkzuvc8QtEvstaOGCUaaYiWy89HVdWUmTpWHX+/Oyn8E7duUkY5r4lSwGmhvod2R6BSEBcs gK8a1/x0OjXuSnfjCU2G6itq0MIXR83w3dWvlRfI781lBlOebm1vcd9ReTYI3b5jkcC4GXEEHpt /xt8Jj90IiOZ/xNGuCsN+eqI5IAAwf2d7z/rceHOI48FWOhCZfnqU1BVxIvdHtj8O7BikD94uJu IsdQ3Crh6QOwARSJ2cgrmRPdeI46fmKyxT3ZGwg+RXPSFzy+wwgDhuAVV/gBNOfe86onAjl+vdA cE8z9+cWpgxGr2xcluMpeM3X0hfaWjBAN/WzfHTBLyzCw== X-Received: by 127.0.0.2 with SMTP id ui49YY7687511xkhKk9fBnLQ; Tue, 07 May 2024 08:17:54 -0700 X-Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by mx.groups.io with SMTP id smtpd.web10.14459.1715095073496669521 for ; Tue, 07 May 2024 08:17:53 -0700 X-Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id DCE61617E1 for ; Tue, 7 May 2024 15:17:52 +0000 (UTC) X-Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9310BC4AF66 for ; Tue, 7 May 2024 15:17:52 +0000 (UTC) X-Received: by mail-lf1-f45.google.com with SMTP id 2adb3069b0e04-51f72a29f13so3995596e87.3 for ; Tue, 07 May 2024 08:17:52 -0700 (PDT) X-Gm-Message-State: gUfDhOGSYdlt1C0DVGh1OWxtx7686176AA= X-Google-Smtp-Source: AGHT+IFu6IxPXVrdjRzrlwfKQUi7CtJEDBfx2H1FP+c0RGXL7jY6DZkzmSwgURlXuYRvtCcgc2nu+GZLunRpZJLobco= X-Received: by 2002:a05:6512:68a:b0:520:76d0:b054 with SMTP id t10-20020a056512068a00b0052076d0b054mr6737510lfe.57.1715095070975; Tue, 07 May 2024 08:17:50 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: "Ard Biesheuvel" Date: Tue, 7 May 2024 17:17:39 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [edk2-devel] Assistance Needed: ArmVirtPkg To: Doug Flick Cc: "devel@edk2.groups.io" , "ardb+tianocore@kernel.org" , "quic_llindhol@quicinc.com" , "sami.mujawar@arm.com" , "kraxel@redhat.com" Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Resent-Date: Tue, 07 May 2024 08:17:53 -0700 Resent-From: ardb@kernel.org Reply-To: devel@edk2.groups.io,ardb@kernel.org List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20240206 header.b=rwkzuvc8; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 45.79.224.7 as permitted sender) smtp.mailfrom=bounce@groups.io; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=kernel.org (policy=none) On Tue, 7 May 2024 at 00:22, Doug Flick wrote: > > All, > > In order to patch Tianocore Bugzilla issues and CVEs: > 4541 =E2=80=93 Bug 08 - edk2/NetworkPkg: Predictable TCP ISNs (tianocore= .org) > and > 4542 =E2=80=93 Bug 09 - edk2/NetworkPkg: Use of a Weak PseudoRandom Numbe= r Generator (tianocore.org) > > I've added as a dependency Hash2CryptoDxe and RngDxe lib to NetworkPkg. I= 've been able to add the relevant libraries to the DSCs of OvmfPkg and Emul= atorPkg however I'm seeing odd behavior with ArmVirtPkg. > > Would someone more knowledgeable with ArmVirtPkg take a look this PR. > > PixieFail #8 and #9 TCBZ4541 and TCBZ4542 by Flickdm =C2=B7 Pull Request = #5582 =C2=B7 tianocore/edk2 (github.com) > > The issue was introduced in the commit "ArmVirtPkg: : Add RngDxe to ArmVi= rtPkg" > > Right now PlatformCI_ArmVirtPkg_Ubuntu_GCC5_PR is crashing You need to configure the TrngLib to use either secure monitor calls or hypervisor calls, and this might be different depending on the context: - ordinary VMs running under proper virtualization will execute at EL1 under a hypervisor that implements the TRNG service, so it can only use HVC (and SMC will trap, as you've experienced) - QEMU itself does not implement the TRNG service (to my knowledge) so running a VM under TCG emulation of EL1 will not have access to the TRNG - other emulation modes of QEMU may run the firmware in a different way, where SMC is actually appropriate, and this could be either EL1 or EL2. This makes it slightly awkward to decide whether or not to dispatch RngDxe, and this is why nobody has gotten around to it (and I forgot about this tbh) TL;DR building with --pcd PcdMonitorConduitHvc=3DTRUE will avoid the crash but may not result in a usable RngDxe It also seems to me that those network drivers will now need to DEPEX on the RNG protocol, as they may get dispatched too early otherwise: Failed to generate random data using secure algorithm 0: Unsupported Failed to generate random data using secure algorithm 1: Unsupported Failed to generate random data using secure algorithm 2: Unsupported ASSERT_EFI_ERROR (Status =3D Unsupported) ASSERT [Udp4Dxe] DxeNetLib.c(973): !(((INTN)(RETURN_STATUS)(Status)) < 0) QEMU: Terminated This is with -device virtio-rng-pci and the VirtioRngDxe driver (which is already included in OVMF and ArmVirtQemu) but the driver dispatches before the driver model can instantiate the protocol. -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#118646): https://edk2.groups.io/g/devel/message/118646 Mute This Topic: https://groups.io/mt/105949609/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-