From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id B96DED8100D for ; Sat, 17 Feb 2024 09:17:23 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=cB/0rFB1ST4xbiLbrSgGI4TXSIdEw/AkjocrKWBwskM=; c=relaxed/simple; d=groups.io; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject:To:Cc:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type; s=20140610; t=1708161442; v=1; b=MADRFTKCfWrWqYLMvHNz+VyKfeKHQU6O9eFX5jSRN/zn7LZVQbc42DyCO0QZaU23TAjtlosC sdQS2FV+hHV0/rkvBinyVabtWG6fS3EWcjiAbqK4b4uGL8Z0sByWXTa3L3//CtEv4DEg90lc5qP DDNzmFSypYcI9QTRWIN/2c+4= X-Received: by 127.0.0.2 with SMTP id h99lYY7687511xeHFLMa36dp; Sat, 17 Feb 2024 01:17:22 -0800 X-Received: from mail-yb1-f172.google.com (mail-yb1-f172.google.com [209.85.219.172]) by mx.groups.io with SMTP id smtpd.web11.6907.1708161441711459049 for ; Sat, 17 Feb 2024 01:17:21 -0800 X-Received: by mail-yb1-f172.google.com with SMTP id 3f1490d57ef6-dcc6fc978ddso2260574276.0 for ; Sat, 17 Feb 2024 01:17:21 -0800 (PST) X-Gm-Message-State: bx63RZr77s74E0JPUDzqBjhax7686176AA= X-Google-Smtp-Source: AGHT+IE2x3dBwU6L3K6W11ZvnYeAcib3ZbG3y4jznN9avI9UQ07K+TZkm9MrNOeDsHTE7deAGjCkLHJ56PZToDOaYK0= X-Received: by 2002:a05:6902:250b:b0:dc6:9d15:be3f with SMTP id dt11-20020a056902250b00b00dc69d15be3fmr5871881ybb.2.1708161440738; Sat, 17 Feb 2024 01:17:20 -0800 (PST) MIME-Version: 1.0 References: <08efe7f7-b7d2-a806-39da-b3ebadd45ec4@redhat.com> <9db8ea7f-1d7d-3558-19e5-dbda730872ac@redhat.com> In-Reply-To: <9db8ea7f-1d7d-3558-19e5-dbda730872ac@redhat.com> From: "eddie wang" Date: Sat, 17 Feb 2024 17:17:09 +0800 Message-ID: Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly To: Laszlo Ersek Cc: devel@edk2.groups.io Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,qw1562435@gmail.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: Content-Type: multipart/alternative; boundary="000000000000e4f1810611905306" X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=MADRFTKC; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=gmail.com (policy=none) --000000000000e4f1810611905306 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Laszlo, After digging dipper, we found that the *EVP_RAND_fetch *in "rand_new_seed= " and "rand_new_drbg" both got NULL in our case. It's meant the DRBG implementation could not be fetched. We also compared it to the case on Linux, and they could both fetched DRBG implementation correctly. Is it possible that the opensslLib 3.0.9 caused any compatibility issues with edk2? Or has anyone else encountered the same problem with these openssl services? BR, Eddie Laszlo Ersek =E6=96=BC 2024=E5=B9=B42=E6=9C=8815=E6=97= =A5 =E9=80=B1=E5=9B=9B =E4=B8=8B=E5=8D=887:48=E5=AF=AB=E9=81=93=EF=BC=9A > On 2/15/24 12:09, eddie wang wrote: > > Hi Laszlo, > > Thanks for your reply. How can I enable the DEBUGs at RandomSeed() ? Or > > any suggesting information that I can provide? > > Sorry, upon a closer look, I see you had already narrowed it down to > RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my > suggestion would amount to adding DEBUGs to OpenSSL, such as to > RAND_seed() in > "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c". > > But, I think you may be able to do just that. > "CryptoPkg/Library/Include/CrtLibSupport.h" already includes > , and DebugLib is listed under [LibraryClasses] in each > instance of OpensslLib. So if you modify your > "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree locally, > with the following patch: > > | diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c > | index 0fcf4fe3bc1e..e5f105268f52 100644 > | --- a/crypto/rand/rand_lib.c > | +++ b/crypto/rand/rand_lib.c > | @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num) > | drbg =3D RAND_get0_primary(NULL); > | if (drbg !=3D NULL && num > 0) > | EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num); > | + > | + DEBUG ((DEBUG_INFO, "%a: hello\n", __func__)); > | } > | > | void RAND_add(const void *buf, int num, double randomness) > > then you should get usable debug messages -- at least it builds for me. > > Inserting DEBUGs like this (over multiple rounds of testing / narrowing) > should lead you to the exact location that is responsible for the > initialization failure. > > You mention you have encountered the problem with a UEFI application. > That is relevant for choosing your DebugLib instance. If you already > have a function DebugLib instance for your platform (logging to the > serial port, for example), then just use that. > > Otherwise, consider building your UEFI application with a module scope > override in the DSC file, one that resolves DebugLib to > > MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf > > or > > MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf > > These will send DEBUG messages to the UEFI console or standard error > devices, respectively. > > hth > Laszlo > > > Laszlo Ersek > =E6=96=BC 2= 024=E5=B9=B42=E6=9C=88 > > 8=E6=97=A5 =E9=80=B1=E5=9B=9B =E4=B8=8A=E5=8D=885:03=E5=AF=AB=E9=81=93= =EF=BC=9A > > > > On 2/6/24 08:00, eddie wang wrote: > > > Hi all, > > > We had an UEFI application that used the EDK2(2023/12/05), and w= e > > would > > > like to take advantage of the services in BaseCryptLib .However, > > the API > > > in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always > returned > > > false because of the pseudorandom number generator set up failed= . > > I am > > > not sure this issue is from the *openssl configuration in > > OpensslLib(we > > > use the default configuration)* or is from the *openssl 3.0.9*. > > > > > > Is there any comments about this issue? > > > > Can you narrow it down by inserting DEBUGs starting at RandomSeed() > > [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and then > digging > > down as necessary? > > > > Laszlo > > > > > > > > =20 > > > > > > -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#115565): https://edk2.groups.io/g/devel/message/115565 Mute This Topic: https://groups.io/mt/104198931/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- --000000000000e4f1810611905306 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Laszlo,
After digging dipper,=C2=A0 we found that t= he=C2=A0EVP_RAND_fetch in "rand_new_see= d" and "rand_new_drbg"= both got NULL in our case. It's meant t= he DRBG implementation could=C2=A0
not be fetched. We also compar= ed it to the case on Linux, and they could both fetched DRBG implementation= =C2=A0correctly.=20 Is it possible that the opensslLib 3.0.9 caused any compatibility issues wi= th edk2?=C2=A0 Or has anyone else encountered the same problem with these openssl services= ?

BR,
Eddie=C2=A0

Laszlo Ersek <<= a href=3D"mailto:lersek@redhat.com">lersek@redhat.com> =E6=96=BC 202= 4=E5=B9=B42=E6=9C=8815=E6=97=A5 =E9=80=B1=E5=9B=9B =E4=B8=8B=E5=8D=887:48= =E5=AF=AB=E9=81=93=EF=BC=9A
On 2/15/24 12:09, eddie wang wrote:
> Hi Laszlo,
> Thanks for your reply. How can I enable the DEBUGs at RandomSeed() ? O= r
> any suggesting information that I can provide?

Sorry, upon a closer look, I see you had already narrowed it down to
RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
suggestion would amount to adding DEBUGs to OpenSSL, such as to
RAND_seed() in
"CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
But, I think you may be able to do just that.
"CryptoPkg/Library/Include/CrtLibSupport.h" already includes
<DebugLib.h>, and DebugLib is listed under [LibraryClasses] in each instance of OpensslLib. So if you modify your
"CryptoPkg/Library/OpensslLib/openssl" submodule directory tree l= ocally,
with the following patch:

| diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
| index 0fcf4fe3bc1e..e5f105268f52 100644
| --- a/crypto/rand/rand_lib.c
| +++ b/crypto/rand/rand_lib.c
| @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
|=C2=A0 =C2=A0 =C2=A0 drbg =3D RAND_get0_primary(NULL);
|=C2=A0 =C2=A0 =C2=A0 if (drbg !=3D NULL && num > 0)
|=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 EVP_RAND_reseed(drbg, 0, NULL, 0, buf, = num);
| +
| +=C2=A0 =C2=A0 DEBUG ((DEBUG_INFO, "%a: hello\n", __func__)); |=C2=A0 }
|
|=C2=A0 void RAND_add(const void *buf, int num, double randomness)

then you should get usable debug messages -- at least it builds for me.

Inserting DEBUGs like this (over multiple rounds of testing / narrowing) should lead you to the exact location that is responsible for the
initialization failure.

You mention you have encountered the problem with a UEFI application.
That is relevant for choosing your DebugLib instance. If you already
have a function DebugLib instance for your platform (logging to the
serial port, for example), then just use that.

Otherwise, consider building your UEFI application with a module scope
override in the DSC file, one that resolves DebugLib to

=C2=A0 MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf

or

=C2=A0 MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf

These will send DEBUG messages to the UEFI console or standard error
devices, respectively.

hth
Laszlo

> Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>> =E6=96=BC 2024=E5=B9=B42=E6=9C= =88
> 8=E6=97=A5 =E9=80=B1=E5=9B=9B =E4=B8=8A=E5=8D=885:03=E5=AF=AB=E9=81=93= =EF=BC=9A
>
>=C2=A0 =C2=A0 =C2=A0On 2/6/24 08:00, eddie wang wrote:
>=C2=A0 =C2=A0 =C2=A0> Hi all,
>=C2=A0 =C2=A0 =C2=A0> We had an UEFI application that used the EDK2(= 2023/12/05), and=C2=A0 we
>=C2=A0 =C2=A0 =C2=A0would
>=C2=A0 =C2=A0 =C2=A0> like to take advantage of the services in Base= CryptLib .However,
>=C2=A0 =C2=A0 =C2=A0the API
>=C2=A0 =C2=A0 =C2=A0> in CryptPkg "*RandomSeed()*"(X64, in= CryptRandTsc.c) always returned
>=C2=A0 =C2=A0 =C2=A0> false because of=C2=A0 the pseudorandom number= generator set up failed.
>=C2=A0 =C2=A0 =C2=A0I am
>=C2=A0 =C2=A0 =C2=A0> not sure this issue is from the *openssl confi= guration in
>=C2=A0 =C2=A0 =C2=A0OpensslLib(we
>=C2=A0 =C2=A0 =C2=A0> use the default configuration)* or is from the= *openssl 3.0.9*.
>=C2=A0 =C2=A0 =C2=A0>
>=C2=A0 =C2=A0 =C2=A0> Is there any comments about this issue?
>
>=C2=A0 =C2=A0 =C2=A0Can you narrow it down by inserting DEBUGs starting= at RandomSeed()
>=C2=A0 =C2=A0 =C2=A0[CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c= ], and then digging
>=C2=A0 =C2=A0 =C2=A0down as necessary?
>
>=C2=A0 =C2=A0 =C2=A0Laszlo
>
>
>
>=C2=A0 =C2=A0 =C2=A0
>
>

_._,_._,_
Groups.io Links:

=20 You receive all messages sent to this group. =20 =20

View/Reply Online (#115565) | =20 | Mute= This Topic | New Topic
Your Subscriptio= n | Contact Group Owner | Unsubscribe [rebecca@openfw.io]

_._,_._,_
--000000000000e4f1810611905306--