edk2/edk2-SecurityPkg-SecurityPkg.dec-Move-PcdCpuRngSupportedA.patch

From 1548ea758f7d9d58fd61110f5719cc12786380d3 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Thu, 20 Jun 2024 16:01:08 -0400
Subject: [PATCH 17/31] SecurityPkg/SecurityPkg.dec: Move
 PcdCpuRngSupportedAlgorithm to MdePkg

RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
RH-Acked-by: Gerd Hoffmann <None>
RH-Commit: [17/31] 01f31c97f800f3451072762c0e9a9eb59f1cc2ab

JIRA: https://issues.redhat.com/browse/RHEL-21856
Upstream: Merged
CVE: CVE-2023-45237

commit 65b5dd828ef2ea5056031b239a4e7a6642f771a3
Author: Pierre Gondois <pierre.gondois@arm.com>
Date:   Fri Aug 11 16:33:04 2023 +0200

    SecurityPkg/SecurityPkg.dec: Move PcdCpuRngSupportedAlgorithm to MdePkg

    In order to use PcdCpuRngSupportedAlgorithm in the MdePkg in a
    following patch and to avoid making the MdePkg dependent on another
    package, move PcdCpuRngSupportedAlgorithm to the MdePkg.

    As the Pcd is only used for AARCH64, place it in an AARCH64
    specific sections.

    Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
    Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
    Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
    Acked-by: Ard Biesheuvel <ardb@kernel.org>
    Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
    Tested-by: Kun Qin <kun.qin@microsoft.com>

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
 .../Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf        | 2 +-
 MdePkg/MdePkg.dec                                            | 5 +++++
 SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf          | 4 ++--
 SecurityPkg/SecurityPkg.dec                                  | 2 --
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf b/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
index f857290e82..f729001060 100644
--- a/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+++ b/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
@@ -19,7 +19,7 @@
   INF_VERSION                    = 1.27
   BASE_NAME                      = BaseRngLibTimerLib
   MODULE_UNI_FILE                = BaseRngLibTimerLib.uni
-  FILE_GUID                      = 74950C45-10FC-4AB5-B114-49C87C17409B
+  FILE_GUID                      = B3E66B05-D218-4B9A-AC33-EF0F83D6A513
   MODULE_TYPE                    = BASE
   VERSION_STRING                 = 1.0
   LIBRARY_CLASS                  = RngLib
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index 6389a48338..8f05e822ac 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -2306,6 +2306,11 @@
   # @Prompt Memory Address of GuidedExtractHandler Table.
   gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress|0x1000000|UINT64|0x30001015
 
+[PcdsFixedAtBuild.AARCH64, PcdsPatchableInModule.AARCH64]
+  ## GUID identifying the Rng algorithm implemented by CPU instruction.
+  # @Prompt CPU Rng algorithm's GUID.
+  gEfiMdePkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm|{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}|VOID*|0x00000037
+
 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
   ## This value is used to set the base address of PCI express hierarchy.
   # @Prompt PCI Express Base Address.
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
index c8e0ee4ae5..d6c2d30195 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
@@ -79,8 +79,8 @@
 [Protocols]
   gEfiRngProtocolGuid                ## PRODUCES
 
-[Pcd]
-  gEfiSecurityPkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm      ## CONSUMES
+[Pcd.AARCH64]
+  gEfiMdePkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm      ## CONSUMES
 
 [Depex]
   TRUE
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 9f7a032d60..8cf80b1e84 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -323,8 +323,6 @@
   gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeFvVerificationPass|0x0303100A|UINT32|0x00010030
   gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeFvVerificationFail|0x0303100B|UINT32|0x00010031
 
-  gEfiSecurityPkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm|{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}|VOID*|0x00010032
-
 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
   ## Image verification policy for OptionRom. Only following values are valid:<BR><BR>
   #  NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>
-- 
2.39.3
* Wed Jul 03 2024 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-13.el8_10.1 - edk2-MdeModulePkg-Change-use-of-EFI_D_-to-DEBUG_.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-Apply-uncrustify-changes.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-NetworkPkg-Apply-uncrustify-changes.p2.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Rename-RdRandGenerateEntropy-to-g.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Remove-ArchGetSupportedRngAlgorit.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Documentation-include-parameter-c.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Check-before-advertising-Cpu-Rng-.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Add-AArch64-RawAlgorithm-support-.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Add-debug-warning-for-NULL-PcdCpu.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Rename-AArch64-RngDxe.c.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Add-Arm-support-of-RngDxe.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Correctly-update-mAvailableAlgoAr.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Conditionally-install-EFI_RNG_PRO.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdeModulePkg-Duplicate-BaseRngLibTimerLib-to-MdeModu.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-Add-deprecated-warning-to-BaseRngLibTimer.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-SecurityPkg.dec-Move-PcdCpuRngSupportedA.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-DxeRngLib-Request-raw-algorithm-instead-of-de.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-Rng-Add-GUID-to-describe-Arm-Rndr-Rng-algorit.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdeModulePkg-Rng-Add-GUID-to-describe-unsafe-Rng-alg.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-Rng-Add-GetRngGuid-to-RngLib.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Use-GetRngGuid-when-probing-RngLi.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Simplify-Rng-algorithm-selection-.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-add-rng-test.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-OvmfPkg-wire-up-RngDxe.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch [RHEL-21854 RHEL-21856 RHEL-40099] - Resolves: RHEL-21854 (CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]) - Resolves: RHEL-21856 (CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]) - Resolves: RHEL-40099 (CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z]) 2024-07-03 12:35:29 +00:00			`From 1548ea758f7d9d58fd61110f5719cc12786380d3 Mon Sep 17 00:00:00 2001`
			`From: Jon Maloy <jmaloy@redhat.com>`
			`Date: Thu, 20 Jun 2024 16:01:08 -0400`
			`Subject: [PATCH 17/31] SecurityPkg/SecurityPkg.dec: Move`
			`PcdCpuRngSupportedAlgorithm to MdePkg`

			`RH-Author: Jon Maloy <jmaloy@redhat.com>`
			`RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes`
			`RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099`
			`RH-Acked-by: Gerd Hoffmann <None>`
			`RH-Commit: [17/31] 01f31c97f800f3451072762c0e9a9eb59f1cc2ab`

			`JIRA: https://issues.redhat.com/browse/RHEL-21856`
			`Upstream: Merged`
			`CVE: CVE-2023-45237`

			`commit 65b5dd828ef2ea5056031b239a4e7a6642f771a3`
			`Author: Pierre Gondois <pierre.gondois@arm.com>`
			`Date: Fri Aug 11 16:33:04 2023 +0200`

			`SecurityPkg/SecurityPkg.dec: Move PcdCpuRngSupportedAlgorithm to MdePkg`

			`In order to use PcdCpuRngSupportedAlgorithm in the MdePkg in a`
			`following patch and to avoid making the MdePkg dependent on another`
			`package, move PcdCpuRngSupportedAlgorithm to the MdePkg.`

			`As the Pcd is only used for AARCH64, place it in an AARCH64`
			`specific sections.`

			`Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>`
			`Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>`
			`Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>`
			`Acked-by: Ard Biesheuvel <ardb@kernel.org>`
			`Acked-by: Jiewen Yao <Jiewen.yao@intel.com>`
			`Tested-by: Kun Qin <kun.qin@microsoft.com>`

			`Signed-off-by: Jon Maloy <jmaloy@redhat.com>`
			`---`
			`.../Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf \| 2 +-`
			`MdePkg/MdePkg.dec \| 5 +++++`
			`SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf \| 4 ++--`
			`SecurityPkg/SecurityPkg.dec \| 2 --`
			`4 files changed, 8 insertions(+), 5 deletions(-)`

			`diff --git a/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf b/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf`
			`index f857290e82..f729001060 100644`
			`--- a/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf`
			`+++ b/MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf`
			`@@ -19,7 +19,7 @@`
			`INF_VERSION = 1.27`
			`BASE_NAME = BaseRngLibTimerLib`
			`MODULE_UNI_FILE = BaseRngLibTimerLib.uni`
			`- FILE_GUID = 74950C45-10FC-4AB5-B114-49C87C17409B`
			`+ FILE_GUID = B3E66B05-D218-4B9A-AC33-EF0F83D6A513`
			`MODULE_TYPE = BASE`
			`VERSION_STRING = 1.0`
			`LIBRARY_CLASS = RngLib`
			`diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec`
			`index 6389a48338..8f05e822ac 100644`
			`--- a/MdePkg/MdePkg.dec`
			`+++ b/MdePkg/MdePkg.dec`
			`@@ -2306,6 +2306,11 @@`
			`# @Prompt Memory Address of GuidedExtractHandler Table.`
			`gEfiMdePkgTokenSpaceGuid.PcdGuidedExtractHandlerTableAddress\|0x1000000\|UINT64\|0x30001015`

			`+[PcdsFixedAtBuild.AARCH64, PcdsPatchableInModule.AARCH64]`
			`+ ## GUID identifying the Rng algorithm implemented by CPU instruction.`
			`+ # @Prompt CPU Rng algorithm's GUID.`
			`+ gEfiMdePkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm\|{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}\|VOID*\|0x00000037`
			`+`
			`[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]`
			`## This value is used to set the base address of PCI express hierarchy.`
			`# @Prompt PCI Express Base Address.`
			`diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf`
			`index c8e0ee4ae5..d6c2d30195 100644`
			`--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf`
			`+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf`
			`@@ -79,8 +79,8 @@`
			`[Protocols]`
			`gEfiRngProtocolGuid ## PRODUCES`

			`-[Pcd]`
			`- gEfiSecurityPkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm ## CONSUMES`
			`+[Pcd.AARCH64]`
			`+ gEfiMdePkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm ## CONSUMES`

			`[Depex]`
			`TRUE`
			`diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec`
			`index 9f7a032d60..8cf80b1e84 100644`
			`--- a/SecurityPkg/SecurityPkg.dec`
			`+++ b/SecurityPkg/SecurityPkg.dec`
			`@@ -323,8 +323,6 @@`
			`gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeFvVerificationPass\|0x0303100A\|UINT32\|0x00010030`
			`gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeFvVerificationFail\|0x0303100B\|UINT32\|0x00010031`

			`- gEfiSecurityPkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm\|{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}\|VOID*\|0x00010032`
			`-`
			`[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]`
			`## Image verification policy for OptionRom. Only following values are valid:<BR><BR>`
			`# NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>`
			`--`
			`2.39.3`