From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by mx.groups.io with SMTP id smtpd.web10.27694.1673453010648425628 for ; Wed, 11 Jan 2023 08:03:31 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=bO/k2S7c; spf=pass (domain: kernel.org, ip: 145.40.68.75, mailfrom: ardb@kernel.org) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 9C9C0B81C4D for ; Wed, 11 Jan 2023 16:03:28 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5B638C433F2 for ; Wed, 11 Jan 2023 16:03:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1673453007; bh=ebA5Cvql5xJLAPU4KZBhJmS9ijg4uUpwS0+UIWIDl2k=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=bO/k2S7cAVS5c+i1ooBr9rR73lHbxTdb6vPJGOiXnYI1QE3oY7MeImo1AyRkP7d2e 2TBPDc7or7b3xcWV+RnsrKeoSxxNdrsYX7nzVhHHluHNq8D+fOZhiBs4bMD5KJ1YcY 8MeGWS0oUEUJinC9Ngo1ncmg69zJ8ysorrFgpFz84TgF6GT4sqmj63y9yUvnQf19bl wfFCODWv09kDZ3u0ON6L8YxiW+s/RY/vhpmlVkV/KFDL8VytDnrdeGA26xa1YXsK/p E00hhoo1mrXrjUkbnA1g02fygaPx6jRI+JMxLy/pr6Ko+9nh7xtdj/flVQzyjifKUB bTsqO9xmEsFrg== Received: by mail-lj1-f178.google.com with SMTP id q2so16477368ljp.6 for ; Wed, 11 Jan 2023 08:03:27 -0800 (PST) X-Gm-Message-State: AFqh2kqK7dgQ2aah3RS820il2hJ4atLzb1D2WqLUDl0xxsaOZ3BTK8Zb wu0wdeumwwnqV4yImMKTKT0SE9YrL25qR/ej3Ew= X-Google-Smtp-Source: AMrXdXs50S221cSSuQqlw2uy4N9KRYjMFwN/ZVOLwXYJ4o/JAK+xY9fVAF49liA9eJar/z3ceQOeUu/+YNvIFswKsjo= X-Received: by 2002:a2e:a901:0:b0:27f:ef88:3ecb with SMTP id j1-20020a2ea901000000b0027fef883ecbmr1597599ljq.189.1673453005344; Wed, 11 Jan 2023 08:03:25 -0800 (PST) MIME-Version: 1.0 References: <20221110134738.3798618-1-ardb@kernel.org> In-Reply-To: From: "Ard Biesheuvel" Date: Wed, 11 Jan 2023 17:03:13 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [edk2-devel] [PATCH 0/3] OVMF: support EFI_RNG_PROTOCOL without virtio-rng To: Laszlo Ersek Cc: devel@edk2.groups.io, Jason@zx2c4.com, Liming Gao , Rebecca Cran , Pierre Gondois , Leif Lindholm , Sami Mujawar , Gerd Hoffmann , pedro.falcato@gmail.com Content-Type: text/plain; charset="UTF-8" On Wed, 11 Jan 2023 at 16:23, Laszlo Ersek wrote: > > On 1/10/23 19:19, Jason A. Donenfeld via groups.io wrote: > > Could we get this merged? > > Sorry to barge in -- I have *zero* complaints regarding this particular > series, so whatever I'm about to say regards *further* BDS > customizations. Please feel free to go ahead with merging this one, as > far as I'm concerned. > Thanks. > So, picking up the thread at > . > The argument in that thread was made that "RDRAND-based protocol is > better than nothing". However, the most recent idea, favoring the > RDRAND-based protocol implementation over the virtio-rng-based one, > seems to enable a degradation too, of EFI-time randomness. > > Most commonly, virtio-rng is fed on the host side from /dev/urandom, > which *I think* means that the EFI_RNG_PROTOCOL from VirtioRngDxe will > expose all the "good quality entropy", pre-boot, that the host-side > Linux kernel collects from *multiple* sources. If the consumer of > EFI_RNG_PROTOCOL in the guest doesn't do its own mixing, it sill gets > the good stuff. That could potentially be degraded by relying on RDRAND > only, in the guest. > Indeed. > I can't propose any particular priority ordering mechanism for the > platform firmware to produce exactly one EFI_RNG_PROTOCOL. > > Normally I'd suggest any viable mechanism for the platform to block or > to delay "SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf" -- > introducing a new dynamic PCD for early exit, adding a new protocol > dependency to its DEPEX, postponing its protocol installation to an > event group notification function or a protocol installation > notification. Note that RngDxe.inf is a DXE_DRIVER, so it produces its > protocol in its entry point function, so for blocking it or > short-circuiting it, one of these measures would be needed. It could > even be turned into a UEFI_DRIVER, one that would bind a synthetic VenHw > device path. > > But, I'm not proposing any of those right now, because I imagine there > are advantages to having EFI_RNG_PROTOCOL in the DXE phase, that is, > *before* the BDS phase. > > VirtioRngDxe is a UEFI_DRIVER module that follows the UEFI driver model; > in other words, it won't do anything beyond exposing the > EFI_DRIVER_BINDING_PROTOCOL until BDS connects it. I think that should > be sufficient for most cases, even (for example) possibly providing > randomness for TLS in UEFI HTTPS Boot. But I vaguely remember we had > wished for randomness being available earlier than BDS. > "SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf" can fill that > role, VirtioRngDxe can't. > > So best would be if both could coexist, and VirtioRngDxe took effect > *whenever* it were available. Of course the UEFI spec allows for a > client to collect all instances of EFI_RNG_PROTOCOL, and then to call > GetInfo() on each, but that's hardly enough for a client to pick the one > it thinks is "more secure". So one way or another we might want to > control this still at the platform level, where we can form ideas about > both protocol providers, *and* perhaps even determine if we *actually > need* pre-BDS randomness. > > BDS could try connecting the virtio-rng device. If that failed, it could > try "unblocking" RngDxe. If RngDxe were a UEFI driver following the UEFI > driver model (see the VenHw option above), this would not be hard to do, > with a "fallback" gBS->ConnectController() call. > > (Regarding VenHw vs. VenMedia vs. VenMsg -- RngDxe uses an RNG that's > built into the processor, wich is arguably "inside the resource domain" > of the system. So VenHw seems the right choice.) > > RngDxe could perhaps be restructured for the addition of a new entry > point (new INF file and new entry point C file), so that it remain > compatible with existent platforms that already consume it (and want it > to remain a DXE_DRIVER). > > BDS could also signal an event group or install a synthetic protocol, so > that the notification function in RngDxe expose EFI_RNG_PROTOCOL in > response. > > Unblocking a DXE_DRIVER's DEPEX from BDS seems more cumbersome, by > installing a dependend-upon synthetic protocol; I believe we might have > to call gDS->Dispatch() manually then. > > And if a dynamic PCD caused RngDxe to exit early, we couldn't undo that > from BDS at all. > One option that might be feasible would be to modify VIrtioRngDxe so it: - installs a RNG protocol implementation solely based on [Base]RngLib when it is dispatched - uninstalls it again when it binds to the first virtio-rng device - reinstalls it when it unbinds from the last virtio-rng device it was bound to - installs the virtio-rng backed flavor of the RNG protocol when binding to a device (- mixes the output of the latter with the RngLIb based implementation) I think this would address all of these concerns, assuming that the mixing is done correctly. *However*, I am not convinced that any of this is worth the hassle, tbh. If you don't trust your CPU, all bets are off anyway - the only thing we'd need to cater for is an explicit opt-out for known broken implementations of RdRand.