Thanks to confirm that.

I am OK on what you have said.

 

Since the ARM part is added by Pierre Gondois pierre.gondois@arm.com, I will let him comment if there is any concern on the change for ARM.

 

Thank you

Yao, Jiewen

 

 

From: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
Sent: Saturday, May 11, 2024 5:12 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
Subject: Re: [edk2-devel] [PATCH v2 07/13] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng

 

So, I'm trying to consult with some RNG experts because I'm by no means an expert and anything I say should be taken with huge grain of salt. When I get the experts take, I'll share it.

Basically, the way I read this code is that it by no means tries to enforce any entropy requirement outside of what you ask for.

My understanding is the 256 Bit Entropy requirements comes from when you are using a DRNG algorithm such as:

#define EFI_RNG_ALGORITHM_SP800_90_HASH_256_GUID \
 {0xa7af67cb, 0x603b, 0x4d42,\
 {0xba, 0x21, 0x70, 0xbf, 0xb6, 0x29, 0x3f, 0x96}}
 
#define EFI_RNG_ALGORITHM_SP800_90_HMAC_256_GUID \
 {0xc5149b43, 0xae85, 0x4f53,\
 {0x99, 0x82, 0xb9, 0x43, 0x35, 0xd3, 0xa9, 0xe7}}
 
#define EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID \
 {0x44f0de6e, 0x4d8c, 0x4045, \
 {0xa8, 0xc7, 0x4d, 0xd1, 0x68, 0x85, 0x6b, 0x9e}}

"When a Deterministic Random Bit Generator (DRBG) is used on the output of a (raw) entropy source, its security level must be at least 256 bits."

https://uefi.org/specs/UEFI/2.10/37_Secure_Technologies.html#random-number-generator-protocol

That is, the seed of these algorithms must be at a minimum 256 bits from your entropy source.

Now when you call for instance EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID

On an INTEL CPU it uses the Intel RDRAND Instruction

https://github.com/tianocore/edk2/blob/4b6ee06a090d956f80b4a92fb9bf03098a372f39/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c#L108C45-L108C51

Which from what I can tell the generator takes pairs of 256-bit raw entropy samples generated by the hardware entropy source and applies them to an Advanced Encryption Standard (AES) (in CBC-MAC mode) conditioner which reduces them to a single 256-bit conditioned entropy sample.

https://en.wikipedia.org/wiki/RDRAND

https://www.intel.com/content/www/us/en/developer/articles/guide/intel-digital-random-number-generator-drng-software-implementation-guide.html

Which means, if you are implementing these algorithms in software, you must comply with the 256 bit entropy requirement for your source. However in our case the CPU is performing that requirement for us.

Again I'm no expert. So if an expert is reading this and I'm completely wrong please let me know :)

_._,_._,_
Groups.io Links:

You receive all messages sent to this group.

View/Reply Online (#118828) | | Mute This Topic | New Topic
Your Subscription | Contact Group Owner | Unsubscribe [rebecca@openfw.io]

_._,_._,_