From: "eddie wang" <qw1562435@gmail.com>
To: devel@edk2.groups.io, yi1.li@intel.com
Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly
Date: Thu, 29 Feb 2024 17:48:39 +0800 [thread overview]
Message-ID: <CAOwpOhLzf6EgBVr51HkMDe8mSjazwFkb8Dai+YrFnEuSezFXPA@mail.gmail.com> (raw)
In-Reply-To: <SJ1PR11MB6227929CC62815AD35BA5CF2C5502@SJ1PR11MB6227.namprd11.prod.outlook.com>
[-- Attachment #1.1: Type: text/plain, Size: 7661 bytes --]
Hi and many thanks to all of you,
I'm not entirely sure if it's running in a XIP environment, but I think
not. Our application executed on UEFI interactive shell and it was put in
an USB device(as the FS0 showed in the screenshot). And here's another
question as well, because I found that the drbg implementation counld not
be fetched in our case, and I discovered that our package did not include
"OpensslLibCrypto.inf." Could it be connected to our problem?
[image: 430.png]
BR,
Eddie Wang
Li, Yi <yi1.li@intel.com> 於 2024年2月20日 週二 上午9:49寫道:
> Hi Eddie,
>
> > the API in CryptPkg "RandomSeed()"(X64, in CryptRandTsc.c) always
> returned false
>
> Does your code run in a XIP environment? Such like PreMemory stage or
> other cases.
> The setup of Randlib in OpenSsl 3.0 relies on global variables, so there
> may be an error if the global variables are read-only.
>
> Regards,
> Yi
>
>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
> Sent: Tuesday, February 20, 2024 9:11 AM
> To: devel@edk2.groups.io; lersek@redhat.com; eddie wang <
> qw1562435@gmail.com>
> Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the
> pseudorandom number generator properly
>
> Thanks Laslo and Eddie.
>
> I am just back from Chinese New Year vocation, still checking email.
>
> If you can file a Bugzilla (https://bugzilla.tianocore.org/) with source
> code of your app, that would be very helpful for us to investigate this
> issue.
>
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo
> > Ersek
> > Sent: Tuesday, February 20, 2024 4:18 AM
> > To: eddie wang <qw1562435@gmail.com>
> > Cc: devel@edk2.groups.io
> > Subject: Re: [edk2-devel] The API in BaseCryptLib can't seed the
> > pseudorandom number generator properly
> >
> > On 2/17/24 10:17, eddie wang wrote:
> > > Hi Laszlo,
> > > After digging dipper, we found that the *EVP_RAND_fetch *in
> > > "rand_new_seed" and "rand_new_drbg" both got NULL in our case. It's
> > > meant the DRBG implementation could not be fetched. We also compared
> > > it to the case on Linux, and they could both fetched DRBG
> > > implementation correctly. Is it possible that the opensslLib 3.0.9
> > > caused any compatibility issues with edk2? Or has anyone else
> > > encountered the same problem with these openssl services?
> >
> > Sorry, I can't say.
> >
> > If you have a small reproducer UEFI application that works fine when
> > built with edk2-stable202305, but does not work when built against
> > either edk2-stable202308 or current master, then filing a TianoCore BZ
> > (regression) seems justified. (AFAICT it was edk2-stable202308 that
> > incorporated the OpenSSL 3.0.9 upgrade, from 1.1.1u.) Attaching the
> > source code of the small repro application to the ticket would likely
> > be helpful.
> >
> > Laszlo
> >
> > > Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>> 於
> > > 2024年2月
> > > 15日 週四 下午7:48寫道:
> > >
> > > On 2/15/24 12:09, eddie wang wrote:
> > > > Hi Laszlo,
> > > > Thanks for your reply. How can I enable the DEBUGs at
> RandomSeed()
> > > ? Or
> > > > any suggesting information that I can provide?
> > >
> > > Sorry, upon a closer look, I see you had already narrowed it down
> to
> > > RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
> > > suggestion would amount to adding DEBUGs to OpenSSL, such as to
> > > RAND_seed() in
> > > "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
> > >
> > > But, I think you may be able to do just that.
> > > "CryptoPkg/Library/Include/CrtLibSupport.h" already includes
> > > <DebugLib.h>, and DebugLib is listed under [LibraryClasses] in each
> > > instance of OpensslLib. So if you modify your
> > > "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree
> locally,
> > > with the following patch:
> > >
> > > | diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
> > > | index 0fcf4fe3bc1e..e5f105268f52 100644
> > > | --- a/crypto/rand/rand_lib.c
> > > | +++ b/crypto/rand/rand_lib.c
> > > | @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
> > > | drbg = RAND_get0_primary(NULL);
> > > | if (drbg != NULL && num > 0)
> > > | EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
> > > | +
> > > | + DEBUG ((DEBUG_INFO, "%a: hello\n", __func__));
> > > | }
> > > |
> > > | void RAND_add(const void *buf, int num, double randomness)
> > >
> > > then you should get usable debug messages -- at least it builds
> for me.
> > >
> > > Inserting DEBUGs like this (over multiple rounds of testing /
> narrowing)
> > > should lead you to the exact location that is responsible for the
> > > initialization failure.
> > >
> > > You mention you have encountered the problem with a UEFI
> application.
> > > That is relevant for choosing your DebugLib instance. If you
> already
> > > have a function DebugLib instance for your platform (logging to the
> > > serial port, for example), then just use that.
> > >
> > > Otherwise, consider building your UEFI application with a module
> scope
> > > override in the DSC file, one that resolves DebugLib to
> > >
> > > MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
> > >
> > > or
> > >
> > > MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
> > >
> > > These will send DEBUG messages to the UEFI console or standard
> error
> > > devices, respectively.
> > >
> > > hth
> > > Laszlo
> > >
> > > > Laszlo Ersek <lersek@redhat.com <mailto:lersek@redhat.com>
> > > <mailto:lersek@redhat.com <mailto:lersek@redhat.com>>> 於 2024年2月
> > > > 8日 週四 上午5:03寫道:
> > > >
> > > > On 2/6/24 08:00, eddie wang wrote:
> > > > > Hi all,
> > > > > We had an UEFI application that used the EDK2(2023/12/05),
> > > and we
> > > > would
> > > > > like to take advantage of the services in BaseCryptLib
> .However,
> > > > the API
> > > > > in CryptPkg "*RandomSeed()*"(X64, in CryptRandTsc.c) always
> > > returned
> > > > > false because of the pseudorandom number generator set up
> > > failed.
> > > > I am
> > > > > not sure this issue is from the *openssl configuration in
> > > > OpensslLib(we
> > > > > use the default configuration)* or is from the *openssl
> 3.0.9*.
> > > > >
> > > > > Is there any comments about this issue?
> > > >
> > > > Can you narrow it down by inserting DEBUGs starting at
> > > RandomSeed()
> > > > [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c], and
> then
> > > digging
> > > > down as necessary?
> > > >
> > > > Laszlo
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> >
> >
> >
> >
> >
>
>
>
>
>
>
>
>
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116156): https://edk2.groups.io/g/devel/message/116156
Mute This Topic: https://groups.io/mt/104198931/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
[-- Attachment #1.2: Type: text/html, Size: 11080 bytes --]
[-- Attachment #2: 430.png --]
[-- Type: image/png, Size: 49151 bytes --]
next prev parent reply other threads:[~2024-02-29 9:48 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-06 7:00 [edk2-devel] The API in BaseCryptLib can't seed the pseudorandom number generator properly eddie wang
2024-02-07 21:03 ` Laszlo Ersek
2024-02-15 11:09 ` eddie wang
2024-02-15 11:48 ` Laszlo Ersek
2024-02-17 9:17 ` eddie wang
2024-02-19 20:18 ` Laszlo Ersek
2024-02-20 1:11 ` Yao, Jiewen
2024-02-20 1:49 ` Li, Yi
2024-02-29 9:48 ` eddie wang [this message]
2024-02-29 11:23 ` Li, Yi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAOwpOhLzf6EgBVr51HkMDe8mSjazwFkb8Dai+YrFnEuSezFXPA@mail.gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox