From: "eddie wang" <qw1562435@gmail.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: devel@edk2.groups.io
Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly
Date: Sat, 17 Feb 2024 17:17:09 +0800 [thread overview]
Message-ID: <CAOwpOh+XOfJ1_HG1T2U8mRcevJbc8jdy3kVsM4rLo6NUmCWiOQ@mail.gmail.com> (raw)
In-Reply-To: <9db8ea7f-1d7d-3558-19e5-dbda730872ac@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 4233 bytes --]
Hi Laszlo,
After digging dipper, we found that the *EVP_RAND_fetch *in "rand_new_seed"
and "rand_new_drbg" both got NULL in our case. It's meant the DRBG
implementation could
not be fetched. We also compared it to the case on Linux, and they could
both fetched DRBG implementation correctly. Is it possible that the
opensslLib 3.0.9 caused any compatibility issues with edk2? Or has anyone
else encountered the same problem with these openssl services?
BR,
Eddie
Laszlo Ersek <lersek@redhat.com> 於 2024年2月15日 週四 下午7:48寫道:
> On 2/15/24 12:09, eddie wang wrote:
> > Hi Laszlo,
> > Thanks for your reply. How can I enable the DEBUGs at RandomSeed() ? Or
> > any suggesting information that I can provide?
>
> Sorry, upon a closer look, I see you had already narrowed it down to
> RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
> suggestion would amount to adding DEBUGs to OpenSSL, such as to
> RAND_seed() in
> "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
>
> But, I think you may be able to do just that.
> "CryptoPkg/Library/Include/CrtLibSupport.h" already includes
> <DebugLib.h>, and DebugLib is listed under [LibraryClasses] in each
> instance of OpensslLib. So if you modify your
> "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree locally,
> with the following patch:
>
> | diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
> | index 0fcf4fe3bc1e..e5f105268f52 100644
> | --- a/crypto/rand/rand_lib.c
> | +++ b/crypto/rand/rand_lib.c
> | @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
> | drbg = RAND_get0_primary(NULL);
> | if (drbg != NULL && num > 0)
> | EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
> | +
> | + DEBUG ((DEBUG_INFO, "%a: hello\n", __func__));
> | }
> |
> | void RAND_add(const void *buf, int num, double randomness)
>
> then you should get usable debug messages -- at least it builds for me.
>
> Inserting DEBUGs like this (over multiple rounds of testing / narrowing)
> should lead you to the exact location that is responsible for the
> initialization failure.
>
> You mention you have encountered the problem with a UEFI application.
> That is relevant for choosing your DebugLib instance. If you already
> have a function DebugLib instance for your platform (logging to the
> serial port, for example), then just use that.
>
> Otherwise, consider building your UEFI application with a module scope
> override in the DSC file, one that resolves DebugLib to
>
> MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
>
> or
>
> MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
>
> These will send DEBUG messages to the UEFI console or standard error
> devices, respectively.
>
> hth
> Laszlo
>
> > Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>> 於 2024年2月
> > 8日 週四 上午5:03寫道:
> >
> > On 2/6/24 08:00, eddie wang wrote:
> > > Hi all,
> > > We had an UEFI application that used the EDK2(2023/12/05), and we
> > would
> > > like to take advantage of the services in BaseCryptLib .However,
> > the API
> > > in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always
> returned
> > > false because of the pseudorandom number generator set up failed.
> > I am
> > > not sure this issue is from the *openssl configuration in
> > OpensslLib(we
> > > use the default configuration)* or is from the *openssl 3.0.9*.
> > >
> > > Is there any comments about this issue?
> >
> > Can you narrow it down by inserting DEBUGs starting at RandomSeed()
> > [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and then
> digging
> > down as necessary?
> >
> > Laszlo
> >
> >
> >
> >
> >
> >
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#115565): https://edk2.groups.io/g/devel/message/115565
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
[-- Attachment #2: Type: text/html, Size: 5666 bytes --]
next prev parent reply other threads:[~2024-02-17 9:17 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-06 7:00 [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly eddie wang
2024-02-07 21:03 ` Laszlo Ersek
2024-02-15 11:09 ` eddie wang
2024-02-15 11:48 ` Laszlo Ersek
2024-02-17 9:17 ` eddie wang [this message]
2024-02-19 20:18 ` Laszlo Ersek
2024-02-20 1:11 ` Yao, Jiewen
2024-02-20 1:49 ` Li, Yi
2024-02-29 9:48 ` eddie wang
2024-02-29 11:23 ` Li, Yi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAOwpOh+XOfJ1_HG1T2U8mRcevJbc8jdy3kVsM4rLo6NUmCWiOQ@mail.gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox