From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail05.groups.io (mail05.groups.io [45.79.224.7]) by spool.mail.gandi.net (Postfix) with ESMTPS id C9B40D80CAA for ; Fri, 10 May 2024 10:23:43 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=O10BUP5vpuDfWbgXeOSOLbRLtlhyQuZYfeGgzYGNTow=; c=relaxed/simple; d=groups.io; h=From:To:Subject:Thread-Topic:Thread-Index:Date:Message-ID:References:In-Reply-To:Accept-Language:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type:Content-Transfer-Encoding; s=20240206; t=1715336622; v=1; b=3mzqaabbFBizg8Bxce1rnSQAUEWM5oqQHlGhIWXOFPXFGCPObiWImLxDAzaCT3jxlMU4MChX jxtjpynLEAWroof3y/NQyF6f6c96twn8xflwT5lb9BaXq7VyPL2aPDk2rvb/DvLBlkCv7MvwXL7 n9yv5sl3rgeaiZXv55nmePYL+iYzkRRianngK2wR1yCN7/faxKYGwwFMF5xDgY/gVN4lgc7GkpK nIwa84fYQWjYR6SkNsENZwuHAC5SHjrneERR53kM1C/pbOz0NtuVT6zrg/l22jQDJveDghjB/GU 0ua4t3n5r3G8ZJ+HKUC+j+/Zy04M8nRpGpt3bgtdbljFQ== X-Received: by 127.0.0.2 with SMTP id 1efjYY7687511xU43D8TnarT; Fri, 10 May 2024 03:23:42 -0700 X-Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.14]) by mx.groups.io with SMTP id smtpd.web10.9665.1715336621494107718 for ; Fri, 10 May 2024 03:23:41 -0700 X-CSE-ConnectionGUID: 5BF6CyukQnK95fp/sEe7Cg== X-CSE-MsgGUID: E9AnqKrJR2SGb1T0KzA/jg== X-IronPort-AV: E=McAfee;i="6600,9927,11068"; a="11522219" X-IronPort-AV: E=Sophos;i="6.08,150,1712646000"; d="scan'208";a="11522219" X-Received: from fmviesa006.fm.intel.com ([10.60.135.146]) by fmvoesa108.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 May 2024 03:23:41 -0700 X-CSE-ConnectionGUID: 5bTnzA7oQjiWHIOpPccbvA== X-CSE-MsgGUID: 682CDp7IQG2cPGad3szjog== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.08,150,1712646000"; d="scan'208";a="29592126" X-Received: from fmsmsx601.amr.corp.intel.com ([10.18.126.81]) by fmviesa006.fm.intel.com with ESMTP/TLS/AES256-GCM-SHA384; 10 May 2024 03:23:41 -0700 X-Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx601.amr.corp.intel.com (10.18.126.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Fri, 10 May 2024 03:23:40 -0700 X-Received: from fmsmsx610.amr.corp.intel.com (10.18.126.90) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Fri, 10 May 2024 03:23:40 -0700 X-Received: from fmsedg601.ED.cps.intel.com (10.1.192.135) by fmsmsx610.amr.corp.intel.com (10.18.126.90) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35 via Frontend Transport; Fri, 10 May 2024 03:23:40 -0700 X-Received: from NAM10-BN7-obe.outbound.protection.outlook.com (104.47.70.100) by edgegateway.intel.com (192.55.55.70) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Fri, 10 May 2024 03:23:40 -0700 X-Received: from MW4PR11MB5872.namprd11.prod.outlook.com (2603:10b6:303:169::14) by SA3PR11MB7655.namprd11.prod.outlook.com (2603:10b6:806:307::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7544.46; Fri, 10 May 2024 10:23:37 +0000 X-Received: from MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::6444:ca4c:aa3e:f8d2]) by MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::6444:ca4c:aa3e:f8d2%4]) with mapi id 15.20.7544.048; Fri, 10 May 2024 10:23:37 +0000 From: "Yao, Jiewen" To: Doug Flick , "devel@edk2.groups.io" Subject: Re: [edk2-devel] [PATCH v2 07/13] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng Thread-Topic: [PATCH v2 07/13] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng Thread-Index: AQHaodWy8++ksZGQUU6r61Zd6rNeobGQQqKA Date: Fri, 10 May 2024 10:23:37 +0000 Message-ID: References: <20240509055633.828642-1-doug.edk2@gmail.com> <20240509055633.828642-8-doug.edk2@gmail.com> In-Reply-To: <20240509055633.828642-8-doug.edk2@gmail.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-publictraffictype: Email x-ms-traffictypediagnostic: MW4PR11MB5872:EE_|SA3PR11MB7655:EE_ x-ms-office365-filtering-correlation-id: 9db41323-7173-48ed-3241-08dc70db4131 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam-message-info: =?us-ascii?Q?llXJM6WBKaeg7aRczElNur2ACwdw31OuH7heegWWV1tD28l/ooDg/dmE4rIq?= =?us-ascii?Q?enMAnZdDJS3OxrTVT1gGciGCLB60Pn/WcX8bHifUoThU7IaARLU9NXO/CJUC?= =?us-ascii?Q?Zah+EQMCwfJwCwkzNfPGOMI/JLC5PrAzQc5ieUZ4utMUukZA5fHd0Ex6idKX?= =?us-ascii?Q?fdhuDcIdg9ylP+U11d1SymHLFEMhcubIdz3ntrT8pQNU/iNOiFvM1WFHzABG?= =?us-ascii?Q?U/OrRwZSW1dMsq+hYINxYlLncmdkRJmYLo63GHBXFCwTRxEsK7iS3VE4X6US?= =?us-ascii?Q?WUeda0KXAtTRK+Bwq9ZVqo3QrzKUQ8js6OWjvQPRLqPsKAJiQA+euRYsPATB?= =?us-ascii?Q?lxjsmYiUOPFv95kGhnaUyAQI1QIqx+9Q6FbueawZztQvajnc5IfmKyia7KtT?= =?us-ascii?Q?HkJ7Hq5Ch5Sk7VSeA1RTHdgFy4RD7tibTFL+FwXVZC1haaON45fk3O8oFNBw?= =?us-ascii?Q?DzCZ3/joUG8/RkH5QM4xdcJ8/eZAQU6cXco0rVJYcSF9gZKOXu1RivBNqyc7?= =?us-ascii?Q?4ZhfcMHaIz9leDOzMbcgYgBq+Luw19sgpF/P/8w1dJ6n+9AmNRr66r8t5qJq?= =?us-ascii?Q?P9X7dfLKjGIMHXpp/hA0l/cUrfaASoB8AW8FXWMRcPZIaLR0uMeqi53TIvXH?= =?us-ascii?Q?G6uBW6AcoygS1XFHD1GaYZgFilXEF1JnpBMEd2f8vR6SPU/j4nJ3fkhqx4VV?= =?us-ascii?Q?DUBnzpHhYOCA4CYx9/VpsZ0WTX8rWdIKXaNeoBWnK2uqoZ7Hm1wOIKWrXrpy?= =?us-ascii?Q?hFTZEsVnyWVVaganS9HwOHKH4+6SvgtTcoiwl5ZTK2v5jbkWOArcDXLBbCNR?= =?us-ascii?Q?D09Fq60OW7889XhNuyoswfVoiGyFJgUZYZqA+E8GInyd0/mc1Urq1XVKgSb3?= =?us-ascii?Q?+U1RRPeoMkDp4gl7klup0WPFBi55lyONnddtzJQeOxJDBrw/U5/Zqn+TlVem?= =?us-ascii?Q?4Af5lxAePWlodh5RsuY8jJLnUeV6my63C+ocLNqzSIaDb6Gi8nJMn7B4aCBg?= =?us-ascii?Q?SAtyc6PUCAdBHSbN9Z5sOhpB73fDxqxHHEsD3eHL1moobKZvDtn7luuku7Gs?= =?us-ascii?Q?wH+XHnMYFlakVGqUysw8+LT+e+dhus3fziskcpnT0qlIxMPpTctmq4PiJXoW?= =?us-ascii?Q?o8UbcpBzydVblwXxFRDABem2u9En1CxUvaQFATdbgRzLIQai8zDdZZ3bEyhT?= =?us-ascii?Q?kLxh/jr2vsipsKzGhbpDbnsoDH8/3MIIGdX2hr2WtjCyeX0LrJtXsRBeeZ3i?= =?us-ascii?Q?ORyf6lU0zdcSDD4eu+VV8A8E8FTZbCjZxSoH/bzKzg=3D=3D?= x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?uL6jqWH1aOmxNvwIJA9E/vm09jZHaqCpVOmK3v6PQeeIUq5wy7dgt5tbY9j9?= =?us-ascii?Q?Dw9lOTWzEKJwjJzRGo8DWASWVFE7o+cJNbcGKz/CqGMcELVwTSbC13wLixfF?= =?us-ascii?Q?AqV6AHDibcf0d0BuKpiMc0HWwudxSYu4t449c4w0KEskUC4LwIKPplW66BPs?= =?us-ascii?Q?5YOFVuGxyocZyjkADADSPoYtvDsnj/feGcmk2s/R6nnWucTnThyswW7oyvYZ?= =?us-ascii?Q?sFTs1ljIUe4+H0kq6qM/pAtUDaGeJWnuwE4yUqGMcR9NngEJDmgbuUiidyYS?= =?us-ascii?Q?0DP2aGtZRo+nDMQgjR8KOQupTbrX3jt2fpqom7ji3QDthAWv87o7ghTJJwof?= =?us-ascii?Q?UTjfpqp5JG3OrkXHVlEnHYErHAIKe04BlcLwZnbcyLFtWNv5Hxy2dIp88JH4?= =?us-ascii?Q?n2GzDZ9goGCLSJFXzWSJsRQTGrGp+pjCGJyhX8IIE7wzqQcS1HWahfiABktL?= =?us-ascii?Q?HPUWGhAZkhAwPDpWFe3GdhQTdu9us4P/jd1e/oeGVCPGad4fjBBXGLa5BQX8?= =?us-ascii?Q?BshZ97GE1s3GDOuqQ3Y4vUIPULLfhY555MzZr2Jp72Yyqg7ppDWPy4Nz/C9h?= =?us-ascii?Q?/GQ0BV5yQDryfmUZdK39i0Fa36zn7KYPPfG1XsgtEFS9wg1KtqmkQ1hfyUqT?= =?us-ascii?Q?LZetcdgnn7jzUarzPkcKQmAZJLowbwiBn3ABljaTEbEYk+b4VJSyZNEe08vn?= =?us-ascii?Q?kWVXWQnTUUatNo/nmAUxBjjKaHH9u36RrvuaP4VE9R1WUqe82Id6Pni4GHrU?= =?us-ascii?Q?ue/el4ktM6Vohf2ESg9gml2mp9JZjzfgtUZiihcUY6dsI3XhzVhqyc7qXm4i?= =?us-ascii?Q?VSnLssN4kCu/xjcHcke1ankzhaeJm7Te7eQ1+/OQb7f7GFNMwm5E/pPtZ+pk?= =?us-ascii?Q?enUsldR3G1FFJYGQ6+JqI/FmT8iyeygzeTyMNmq98AqEVJ7P/nYMcW+vpJR5?= =?us-ascii?Q?uEv0MLRPFTZGS0FjPYnEWTddvKiKz/aMDxVVP1IbzlPkBHDyU9BB+ckX5VsM?= =?us-ascii?Q?2NHODjZe9KG0fgQ2aauIG504grdMyj20n1yP8cLDFaxrOz9jWUyUbQwFyarB?= =?us-ascii?Q?5U4HkcgIxXfw57D5vuKQ5nKOjGfGwNo8tvSaBMvc+Dl7fibZsUdus0lVaOyR?= =?us-ascii?Q?qEMD2IyXgCA88qp4WSontQwJPZNKP8bgIv9+8q8bP1TjwMoNy+c9dzpI3+Vt?= =?us-ascii?Q?HBfg2REXXWd8gfiJmyIzXnjOSsWH/ZdznXMUfoez6F2+C3y6fG+1+VNR6ZXk?= =?us-ascii?Q?7wlk3XjqeYLlvCT8yYJMgAs1CIDjcA7odgjBkhTjK8e3eFOKGq23F7GGe3tF?= =?us-ascii?Q?GnVtoU/SunJ5weu2xjmpmRgd9Fl3MC0w8WZrS0oc9wuEHccfGrPg8CJW2at/?= =?us-ascii?Q?KKCR3AQ8q/CPuYR+gW+WHIth1ck/hVXSLhJWVs2EgD9zA6yLEHzzzIvyftBN?= =?us-ascii?Q?AB0siE/mX4vq3EBdD/q6dP25uLj2hyWjQiqeb/bn+ZoEul0swZeV8BAaqZE8?= =?us-ascii?Q?oWCDUIiHHmR3rkbqZu6d0o06+TbHrdXDXec1VHAQ6Wep2/HasEFebcCC2qbh?= =?us-ascii?Q?q0/ZsABuma0g2x4owucsPsWbhOBoGXkpPFeVkYGp?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: MW4PR11MB5872.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 9db41323-7173-48ed-3241-08dc70db4131 X-MS-Exchange-CrossTenant-originalarrivaltime: 10 May 2024 10:23:37.3026 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: 8nP/+2G1Ecf0tutQ/M1o6Y0r0di4dJXTic+nGN4FySEkzk0+8x3qBf0TTykaa2SKIqbDSUy8hgSkLBJf8UKl2A== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA3PR11MB7655 X-OriginatorOrg: intel.com Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Resent-Date: Fri, 10 May 2024 03:23:41 -0700 Resent-From: jiewen.yao@intel.com Reply-To: devel@edk2.groups.io,jiewen.yao@intel.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: 0MI74UqZr8FF6ro6NOrdosOJx7686176AA= Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20240206 header.b=3mzqaabb; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 45.79.224.7 as permitted sender) smtp.mailfrom=bounce@groups.io; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none) Hi Doug First, I agree with you that "A caller is free to request less than 256 bit= ". Second, I think we still need to meet 256 bit entropy requirement in UEFI s= pec, right? With above assumption, I checked how the callee is implemented when input l= ength is small. https://github.com/tianocore/edk2/blob/master/SecurityPkg/RandomNumberGener= ator/RngDxe/ArmTrng.c#L54-L59 EntropyBits =3D MIN ((RequiredEntropyBits - CollectedEntropyBits), MaxB= its); Status =3D GetArmTrngEntropy ( EntropyBits, (Length - Index), &Entropy[Index] ); It seems to me that the EntropyBits is also less than 256, when the input r= equirement is less than 256 bit. Would you please double check that, to see if the requirement is still sati= sfied? Please correct me if my understanding is wrong. Thank you Yao, Jiewen > -----Original Message----- > From: Doug Flick > Sent: Thursday, May 9, 2024 1:56 PM > To: devel@edk2.groups.io > Cc: Yao, Jiewen > Subject: [PATCH v2 07/13] SecurityPkg: RngDxe: Remove incorrect limitatio= n on > GetRng >=20 > Removed from gEfiRngAlgorithmRaw an incorrect assumption that > Raw cannot return less than 256 bits. The DRNG Algorithms > should always use a 256 bit seed as per nist standards > however a caller is free to request less than 256 bits. > > > > // > > // When a DRBG is used on the output of a entropy source, > > // its security level must be at least 256 bits according to UEFI Sp= ec. > > // > > if (RNGValueLength < 32) { > > return EFI_INVALID_PARAMETER; > > } > > >=20 > AARCH64 platforms do not have this limitation and this brings both > implementations into alignment with each other and the spec. >=20 > Cc: Jiewen Yao >=20 > Signed-off-by: Doug Flick [MSFT] > --- > SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 8 -------- > 1 file changed, 8 deletions(-) >=20 > diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c > b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c > index 7e06e16e4be5..5723ed695747 100644 > --- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c > +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c > @@ -116,14 +116,6 @@ RngGetRNG ( > // The "raw" algorithm is intended to provide entropy directly >=20 > // >=20 > if (CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw)) { >=20 > - // >=20 > - // When a DRBG is used on the output of a entropy source, >=20 > - // its security level must be at least 256 bits according to UEFI Sp= ec. >=20 > - // >=20 > - if (RNGValueLength < 32) { >=20 > - return EFI_INVALID_PARAMETER; >=20 > - } >=20 > - >=20 > Status =3D GenerateEntropy (RNGValueLength, RNGValue); >=20 > return Status; >=20 > } >=20 > -- > 2.34.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#118811): https://edk2.groups.io/g/devel/message/118811 Mute This Topic: https://groups.io/mt/105996584/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-