rpms/edk2
5
0
Fork 0
Code Issues Pull Requests Releases Activity

* Thu Nov 14 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-13.el8.5

Browse Source 
- edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-66236]
- edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-66236]
- Resolves: RHEL-66236
  ([Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-8.10])
This commit is contained in:
Jon Maloy 2024-11-14 08:40:11 -05:00
parent f97b5169d8
commit d69d9c3c54
3 changed files with 451 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

348
edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch Normal file
View File

@ -0,0 +1,348 @@
From 8d1a7ee22fc04d2106f08461415ee8bc9c68eee6 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Mon, 4 Nov 2024 12:40:12 +0100
Subject: [PATCH 1/2] OvmfPkg: Add a Fallback RNG (RH only)
RH-Author: Oliver Steffen <osteffen@redhat.com>
RH-MergeRequest: 104: OvmfPkg: Add a Fallback RNG (RH only)
RH-Jira: RHEL-66236
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Commit: [1/2] b222642bafac64922f5fc30abf56347fe4a849ed
Since the pixiefail CVE fix, the network stack requires a random number
generator.
In case there is no hardware random number generator available,
have the Platform Boot Manager install a pseudo RNG to ensure
the network can be used.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
.../PlatformBootManagerLib/BdsPlatform.c | 6 +
.../PlatformBootManagerLib/FallbackRng.c | 222 ++++++++++++++++++
.../PlatformBootManagerLib/FallbackRng.h | 20 ++
.../PlatformBootManagerLib.inf | 5 +
4 files changed, 253 insertions(+)
create mode 100644 OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c
create mode 100644 OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index 186401296a..70d648c7e3 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -14,6 +14,7 @@
#include <Library/Tcg2PhysicalPresenceLib.h>
#include <Library/XenPlatformLib.h>
+#include "FallbackRng.h"
//
// Global data
@@ -446,6 +447,9 @@ PlatformBootManagerBeforeConsole (
//
VisitAllInstancesOfProtocol (&gEfiPciIoProtocolGuid, ConnectVirtioPciRng,
NULL);
+
+ FallbackRngCheckAndInstall ();
+
}
@@ -1528,6 +1532,8 @@ PlatformBootManagerAfterConsole (
DEBUG ((DEBUG_INFO, "PlatformBootManagerAfterConsole\n"));
+ FallbackRngPrintWarning ();
+
if (PcdGetBool (PcdOvmfFlashVariablesEnable)) {
DEBUG ((DEBUG_INFO, "PlatformBdsPolicyBehavior: not restoring NvVars "
"from disk since flash variables appear to be supported.\n"));
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c
new file mode 100644
index 0000000000..bba60e29d5
--- /dev/null
+++ b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c
@@ -0,0 +1,222 @@
+/** @file
+ Copyright (C) 2024, Red Hat, Inc.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Uefi/UefiBaseType.h>
+#include <Uefi/UefiSpec.h>
+#include <Protocol/Rng.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+#include <Library/RngLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiLib.h>
+#include <Library/PrintLib.h>
+#include <Library/DxeServicesTableLib.h>
+
+#include "FallbackRng.h"
+
+typedef struct {
+ EFI_RNG_PROTOCOL Rng;
+ EFI_HANDLE Handle;
+} FALLBACK_RNG_DEV;
+
+/**
+ Returns information about the random number generation implementation.
+
+ @param[in] This A pointer to the EFI_RNG_PROTOCOL
+ instance.
+ @param[in,out] RNGAlgorithmListSize On input, the size in bytes of
+ RNGAlgorithmList.
+ On output with a return code of
+ EFI_SUCCESS, the size in bytes of the
+ data returned in RNGAlgorithmList. On
+ output with a return code of
+ EFI_BUFFER_TOO_SMALL, the size of
+ RNGAlgorithmList required to obtain the
+ list.
+ @param[out] RNGAlgorithmList A caller-allocated memory buffer filled
+ by the driver with one EFI_RNG_ALGORITHM
+ element for each supported RNG algorithm.
+ The list must not change across multiple
+ calls to the same driver. The first
+ algorithm in the list is the default
+ algorithm for the driver.
+
+ @retval EFI_SUCCESS The RNG algorithm list was returned
+ successfully.
+ @retval EFI_UNSUPPORTED The services is not supported by this
+ driver.
+ @retval EFI_DEVICE_ERROR The list of algorithms could not be
+ retrieved due to a hardware or firmware
+ error.
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are
+ incorrect.
+ @retval EFI_BUFFER_TOO_SMALL The buffer RNGAlgorithmList is too small
+ to hold the result.
+
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+FallbackRngGetInfo (
+ IN EFI_RNG_PROTOCOL *This,
+ IN OUT UINTN *RNGAlgorithmListSize,
+ OUT EFI_RNG_ALGORITHM *RNGAlgorithmList
+ )
+{
+ if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (*RNGAlgorithmListSize < sizeof (EFI_RNG_ALGORITHM)) {
+ *RNGAlgorithmListSize = sizeof (EFI_RNG_ALGORITHM);
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ if (RNGAlgorithmList == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ *RNGAlgorithmListSize = sizeof (EFI_RNG_ALGORITHM);
+ CopyGuid (RNGAlgorithmList, &gEfiRngAlgorithmRaw);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Produces and returns an RNG value using either the default or specified RNG
+ algorithm.
+
+ @param[in] This A pointer to the EFI_RNG_PROTOCOL
+ instance.
+ @param[in] RNGAlgorithm A pointer to the EFI_RNG_ALGORITHM that
+ identifies the RNG algorithm to use. May
+ be NULL in which case the function will
+ use its default RNG algorithm.
+ @param[in] RNGValueLength The length in bytes of the memory buffer
+ pointed to by RNGValue. The driver shall
+ return exactly this numbers of bytes.
+ @param[out] RNGValue A caller-allocated memory buffer filled
+ by the driver with the resulting RNG
+ value.
+
+ @retval EFI_SUCCESS The RNG value was returned successfully.
+ @retval EFI_UNSUPPORTED The algorithm specified by RNGAlgorithm
+ is not supported by this driver.
+ @retval EFI_DEVICE_ERROR An RNG value could not be retrieved due
+ to a hardware or firmware error.
+ @retval EFI_NOT_READY There is not enough random data available
+ to satisfy the length requested by
+ RNGValueLength.
+ @retval EFI_INVALID_PARAMETER RNGValue is NULL or RNGValueLength is
+ zero.
+
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+FallbackRngGetRNG (
+ IN EFI_RNG_PROTOCOL *This,
+ IN EFI_RNG_ALGORITHM *RNGAlgorithm OPTIONAL,
+ IN UINTN RNGValueLength,
+ OUT UINT8 *RNGValue
+ )
+{
+ UINT64 RandomData;
+ EFI_STATUS Status;
+ UINTN i;
+
+ if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // We only support the raw algorithm, so reject requests for anything else
+ //
+ if ((RNGAlgorithm != NULL) &&
+ !CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw))
+ {
+ return EFI_UNSUPPORTED;
+ }
+
+ for (i = 0; i < RNGValueLength; ++i) {
+ if (i % 4 == 0) {
+ Status = GetRandomNumber64 (&RandomData);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+ }
+
+ return EFI_SUCCESS;
+}
+
+static FALLBACK_RNG_DEV Dev = {
+ .Rng.GetInfo = FallbackRngGetInfo,
+ .Rng.GetRNG = FallbackRngGetRNG,
+ .Handle = NULL,
+};
+
+EFI_STATUS
+FallbackRngCheckAndInstall (
+ )
+{
+ EFI_STATUS Status;
+ EFI_HANDLE *HandleBuffer = NULL;
+ UINTN HandleCount = 0;
+
+ if (Dev.Handle != NULL) {
+ DEBUG ((DEBUG_INFO, "Fallback RNG already installed.\n"));
+ return EFI_ALREADY_STARTED;
+ }
+
+ Status = gBS->LocateHandleBuffer (
+ ByProtocol,
+ &gEfiRngProtocolGuid,
+ NULL,
+ &HandleCount,
+ &HandleBuffer
+ );
+
+ gBS->FreePool (HandleBuffer);
+
+ if (Status == EFI_NOT_FOUND) {
+ HandleCount = 0;
+ } else if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Error locating RNG protocol instances: %r\n", Status));
+ return Status;
+ }
+
+ DEBUG ((DEBUG_INFO, "Found %u RNGs\n", HandleCount));
+
+ if (HandleCount == 0) {
+ // Install RNG
+ Status = gBS->InstallProtocolInterface (
+ &Dev.Handle,
+ &gEfiRngProtocolGuid,
+ EFI_NATIVE_INTERFACE,
+ &Dev.Rng
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Failed to install fallback RNG: %r\n", Status));
+ return Status;
+ }
+
+ gDS->Dispatch ();
+ }
+
+ return EFI_SUCCESS;
+}
+
+VOID
+FallbackRngPrintWarning (
+ )
+{
+ if (Dev.Handle != NULL) {
+ Print (L"WARNING: Pseudo Random Number Generator in use - Pixiefail CVE not mitigated!\n");
+ DEBUG ((DEBUG_WARN, "WARNING: Pseudo Random Number Generator in use - Pixiefail CVE not mitigated!\n"));
+ gBS->Stall (2000000);
+ }
+}
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
new file mode 100644
index 0000000000..77332bc51c
--- /dev/null
+++ b/OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
@@ -0,0 +1,20 @@
+/** @file
+ Copyright (C) 2024, Red Hat, Inc.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef _FALLBACK_RNG_H_
+#define _FALLBACK_RNG_H_
+
+#include <Uefi/UefiBaseType.h>
+#include <Uefi/UefiSpec.h>
+
+EFI_STATUS
+FallbackRngCheckAndInstall (
+ );
+
+VOID
+FallbackRngPrintWarning (
+ );
+
+#endif
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index c249a3cf1e..154b0b6c88 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -25,6 +25,8 @@
PlatformData.c
QemuKernel.c
BdsPlatform.h
+ FallbackRng.c
+ FallbackRng.h
[Packages]
MdePkg/MdePkg.dec
@@ -56,6 +58,7 @@
PlatformBmPrintScLib
Tcg2PhysicalPresenceLib
XenPlatformLib
+ RngLib
[Pcd]
gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent
@@ -78,9 +81,11 @@
gEfiDxeSmmReadyToLockProtocolGuid # PROTOCOL SOMETIMES_PRODUCED
gEfiLoadedImageProtocolGuid # PROTOCOL SOMETIMES_PRODUCED
gEfiFirmwareVolume2ProtocolGuid # PROTOCOL SOMETIMES_CONSUMED
+ gEfiRngProtocolGuid # PROTOCOL SOMETIMES_PRODUCED
[Guids]
gEfiEndOfDxeEventGroupGuid
gEfiGlobalVariableGuid
gRootBridgesConnectedEventGroupGuid
gUefiShellFileGuid
+ gEfiRngAlgorithmRaw
--
2.45.2

92
edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch Normal file
View File

@ -0,0 +1,92 @@
From c465cf5cf3fbd09caf82d2c34fc6f127f5648b48 Mon Sep 17 00:00:00 2001
From: Oliver Steffen <osteffen@redhat.com>
Date: Thu, 7 Nov 2024 11:36:22 +0100
Subject: [PATCH 2/2] OvmfPkg/ArmVirtPkg: Add a Fallback RNG (RH only)
RH-Author: Oliver Steffen <osteffen@redhat.com>
RH-MergeRequest: 104: OvmfPkg: Add a Fallback RNG (RH only)
RH-Jira: RHEL-66236
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Commit: [2/2] d7748d697e522ab5ef70702da53241db71e602fe
Since the pixiefail CVE fix, the network stack requires a random number
generator.
In case there is no hardware random number generator available,
have the Platform Boot Manager install a pseudo RNG to ensure
the network can be used.
This patch adds the fallback rng which was introduced in a
previous commit also to the ArmVirtPkg PlatformBootManagerLib.
Signed-off-by: Oliver Steffen <osteffen@redhat.com>
---
ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c | 5 +++++
.../PlatformBootManagerLib/PlatformBootManagerLib.inf | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
index 1848042f86..c4cfbfc7f6 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
@@ -29,6 +29,7 @@
#include <Guid/GlobalVariable.h>
#include <Guid/RootBridgesConnectedEventGroup.h>
#include <Guid/SerialPortLibVendor.h>
+#include "FallbackRng.h"
#include "PlatformBm.h"
@@ -793,6 +794,8 @@ PlatformBootManagerBeforeConsole (
// instances on Virtio PCI RNG devices.
//
FilterAndProcess (&gEfiPciIoProtocolGuid, IsVirtioPciRng, Connect);
+
+ FallbackRngCheckAndInstall ();
}
/**
@@ -814,6 +817,8 @@ PlatformBootManagerAfterConsole (
{
RETURN_STATUS Status;
+ FallbackRngPrintWarning ();
+
//
// Show the splash screen.
//
diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index 997eb1a442..d4ea9bef60 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -27,6 +27,8 @@
PlatformBm.c
PlatformBm.h
QemuKernel.c
+ ../../../OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.h
+ ../../../OvmfPkg/Library/PlatformBootManagerLib/FallbackRng.c
[Packages]
ArmVirtPkg/ArmVirtPkg.dec
@@ -53,6 +55,7 @@
UefiBootServicesTableLib
UefiLib
UefiRuntimeServicesTableLib
+ RngLib
[FixedPcd]
gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate
@@ -69,9 +72,11 @@
gEfiGlobalVariableGuid
gRootBridgesConnectedEventGroupGuid
gUefiShellFileGuid
+ gEfiRngAlgorithmRaw
[Protocols]
gEfiFirmwareVolume2ProtocolGuid
gEfiGraphicsOutputProtocolGuid
gEfiPciRootBridgeIoProtocolGuid
gVirtioDeviceProtocolGuid
+ gEfiRngProtocolGuid
--
2.45.2

12
edk2.spec
View File

@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
Name: edk2 Name: edk2
Version: %{GITDATE}git%{GITCOMMIT} Version: %{GITDATE}git%{GITCOMMIT}
Release: 13%{?dist}.4 Release: 13%{?dist}.5
Summary: UEFI firmware for 64-bit virtual machines Summary: UEFI firmware for 64-bit virtual machines
Group: Applications/Emulators Group: Applications/Emulators
License: BSD-2-Clause-Patent and OpenSSL and MIT License: BSD-2-Clause-Patent and OpenSSL and MIT
@ -388,6 +388,10 @@ Patch115: edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch
Patch116: edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch Patch116: edk2-OvmfPkg-Add-Hash2DxeCrypto-to-OvmfPkg.patch
# For RHEL-60830 - CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-8.10.z] # For RHEL-60830 - CVE-2024-38796 edk2: Integer overflows in PeCoffLoaderRelocateImage [rhel-8.10.z]
Patch117: edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch Patch117: edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch
# For RHEL-66236 - [Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-8.10]
Patch118: edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch
# For RHEL-66236 - [Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-8.10]
Patch119: edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch
# python3-devel and libuuid-devel are required for building tools. # python3-devel and libuuid-devel are required for building tools.
@ -834,6 +838,12 @@ true
%endif %endif
%changelog %changelog
* Thu Nov 14 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-13.el8.5
- edk2-OvmfPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-66236]
- edk2-OvmfPkg-ArmVirtPkg-Add-a-Fallback-RNG-RH-only.patch [RHEL-66236]
- Resolves: RHEL-66236
([Regression] HTTP Boot not working on old vCPU without virtio-rng device present [rhel-8.10])
* Tue Oct 29 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-13.el8.4 * Tue Oct 29 2024 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-13.el8.4
- edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch [RHEL-60830] - edk2-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch [RHEL-60830]
- Resolves: RHEL-60830 - Resolves: RHEL-60830