8e51a8153a
- edk2-MdeModulePkg-Change-use-of-EFI_D_-to-DEBUG_.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-Apply-uncrustify-changes.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-NetworkPkg-Apply-uncrustify-changes.p2.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Rename-RdRandGenerateEntropy-to-g.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Remove-ArchGetSupportedRngAlgorit.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Documentation-include-parameter-c.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Check-before-advertising-Cpu-Rng-.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Add-AArch64-RawAlgorithm-support-.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Add-debug-warning-for-NULL-PcdCpu.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Rename-AArch64-RngDxe.c.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Add-Arm-support-of-RngDxe.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Correctly-update-mAvailableAlgoAr.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Conditionally-install-EFI_RNG_PRO.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdeModulePkg-Duplicate-BaseRngLibTimerLib-to-MdeModu.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-Add-deprecated-warning-to-BaseRngLibTimer.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-SecurityPkg.dec-Move-PcdCpuRngSupportedA.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-DxeRngLib-Request-raw-algorithm-instead-of-de.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-Rng-Add-GUID-to-describe-Arm-Rndr-Rng-algorit.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdeModulePkg-Rng-Add-GUID-to-describe-unsafe-Rng-alg.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-Rng-Add-GetRngGuid-to-RngLib.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Use-GetRngGuid-when-probing-RngLi.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-Simplify-Rng-algorithm-selection-.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-NetworkPkg-SECURITY-PATCH-CVE-2023-45237.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-BaseRngLib-Add-a-smoketest-for-RDRAND-and-che.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-SecurityPkg-RngDxe-add-rng-test.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-OvmfPkg-wire-up-RngDxe.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-CryptoPkg-Test-call-ProcessLibraryConstructorList.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-MdePkg-X86UnitTestHost-set-rdrand-cpuid-bit.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-NetworkPkg-TcpDxe-SECURITY-PATCH-CVE-2023-45236.patch [RHEL-21854 RHEL-21856 RHEL-40099] - edk2-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch [RHEL-21854 RHEL-21856 RHEL-40099] - Resolves: RHEL-21854 (CVE-2023-45236 edk2: Predictable TCP Initial Sequence Numbers [rhel-8]) - Resolves: RHEL-21856 (CVE-2023-45237 edk2: Use of a Weak PseudoRandom Number Generator [rhel-8]) - Resolves: RHEL-40099 (CVE-2024-1298 edk2: Temporary DoS vulnerability [rhel-8.10.z])
337 lines
10 KiB
Diff
337 lines
10 KiB
Diff
From 5bd27a5a923c8880a06d52fca48e304becbbb8f6 Mon Sep 17 00:00:00 2001
|
|
From: Jon Maloy <jmaloy@redhat.com>
|
|
Date: Tue, 25 Jun 2024 22:25:23 -0400
|
|
Subject: [PATCH 08/31] SecurityPkg/RngDxe: Check before advertising Cpu Rng
|
|
algo
|
|
|
|
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
|
RH-MergeRequest: 77: UINT32 overflow in S3 ResumeCount and Pixiefail fixes
|
|
RH-Jira: RHEL-21854 RHEL-21856 RHEL-40099
|
|
RH-Acked-by: Gerd Hoffmann <None>
|
|
RH-Commit: [8/31] 5417b276749a2d1b1afa9465b5b7a501def26a12
|
|
|
|
JIRA: https://issues.redhat.com/browse/RHEL-21856
|
|
CVE: CVE-2022-45237
|
|
Upstream: Merged
|
|
|
|
commit 4b3e9d80bedf5909a4ec901425ed9c0a738fc76f
|
|
Author: Pierre Gondois <pierre.gondois@arm.com>
|
|
Date: Fri Oct 28 17:32:54 2022 +0200
|
|
|
|
SecurityPkg/RngDxe: Check before advertising Cpu Rng algo
|
|
|
|
RngGetBytes() relies on the RngLib. The RngLib might use the RNDR
|
|
instruction if the FEAT_RNG feature is present. RngGetInfo and
|
|
RngGetRNG both must check that RngGetBytes() is working before
|
|
advertising/using it.
|
|
|
|
To do so, allocate an array storing the available algorithms.
|
|
The Rng algorithm at the lowest index will be the default Rng
|
|
algorithm. The array is shared between RngGetInfo and RngGetRNG.
|
|
|
|
This array is allocated when the driver is loaded, and freed
|
|
when unloaded.
|
|
|
|
This patch also prevents from having PcdCpuRngSupportedAlgorithm
|
|
let to a zero GUID, but let the possibility to have no valid Rng
|
|
algorithm in such case.
|
|
|
|
Signed-off-by: Pierre Gondois <Pierre.Gondois@arm.com>
|
|
Acked-by: Jiewen Yao <jiewen.yao@intel.com>
|
|
|
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
|
---
|
|
.../RngDxe/AArch64/RngDxe.c | 87 +++++++++++++++++--
|
|
.../RngDxe/Rand/RngDxe.c | 26 ++++++
|
|
.../RandomNumberGenerator/RngDxe/RngDxe.c | 40 ++++++++-
|
|
.../RandomNumberGenerator/RngDxe/RngDxe.inf | 1 +
|
|
.../RngDxe/RngDxeInternals.h | 27 ++++++
|
|
5 files changed, 172 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
|
|
index 8c6ad4ed43..c9d66d9777 100644
|
|
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
|
|
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
|
|
@@ -22,11 +22,63 @@
|
|
|
|
#include <Library/BaseLib.h>
|
|
#include <Library/BaseMemoryLib.h>
|
|
+#include <Library/DebugLib.h>
|
|
+#include <Library/MemoryAllocationLib.h>
|
|
#include <Library/UefiBootServicesTableLib.h>
|
|
+#include <Library/RngLib.h>
|
|
#include <Protocol/Rng.h>
|
|
|
|
#include "RngDxeInternals.h"
|
|
|
|
+// Maximum number of Rng algorithms.
|
|
+#define RNG_AVAILABLE_ALGO_MAX 1
|
|
+
|
|
+/** Allocate and initialize mAvailableAlgoArray with the available
|
|
+ Rng algorithms. Also update mAvailableAlgoArrayCount.
|
|
+
|
|
+ @retval EFI_SUCCESS The function completed successfully.
|
|
+ @retval EFI_OUT_OF_RESOURCES Could not allocate memory.
|
|
+**/
|
|
+EFI_STATUS
|
|
+EFIAPI
|
|
+GetAvailableAlgorithms (
|
|
+ VOID
|
|
+ )
|
|
+{
|
|
+ UINT64 DummyRand;
|
|
+
|
|
+ // Allocate RNG_AVAILABLE_ALGO_MAX entries to avoid evaluating
|
|
+ // Rng algorithms 2 times, one for the allocation, one to populate.
|
|
+ mAvailableAlgoArray = AllocateZeroPool (RNG_AVAILABLE_ALGO_MAX);
|
|
+ if (mAvailableAlgoArray == NULL) {
|
|
+ return EFI_OUT_OF_RESOURCES;
|
|
+ }
|
|
+
|
|
+ // Check RngGetBytes() before advertising PcdCpuRngSupportedAlgorithm.
|
|
+ if (!EFI_ERROR (RngGetBytes (sizeof (DummyRand), (UINT8 *)&DummyRand))) {
|
|
+ CopyMem (
|
|
+ &mAvailableAlgoArray[mAvailableAlgoArrayCount],
|
|
+ PcdGetPtr (PcdCpuRngSupportedAlgorithm),
|
|
+ sizeof (EFI_RNG_ALGORITHM)
|
|
+ );
|
|
+ mAvailableAlgoArrayCount++;
|
|
+ }
|
|
+
|
|
+ return EFI_SUCCESS;
|
|
+}
|
|
+
|
|
+/** Free mAvailableAlgoArray.
|
|
+**/
|
|
+VOID
|
|
+EFIAPI
|
|
+FreeAvailableAlgorithms (
|
|
+ VOID
|
|
+ )
|
|
+{
|
|
+ FreePool (mAvailableAlgoArray);
|
|
+ return;
|
|
+}
|
|
+
|
|
/**
|
|
Produces and returns an RNG value using either the default or specified RNG algorithm.
|
|
|
|
@@ -59,6 +111,7 @@ RngGetRNG (
|
|
)
|
|
{
|
|
EFI_STATUS Status;
|
|
+ UINTN Index;
|
|
|
|
if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
|
|
return EFI_INVALID_PARAMETER;
|
|
@@ -68,9 +121,21 @@ RngGetRNG (
|
|
//
|
|
// Use the default RNG algorithm if RNGAlgorithm is NULL.
|
|
//
|
|
- RNGAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
|
|
+ for (Index = 0; Index < mAvailableAlgoArrayCount; Index++) {
|
|
+ if (!IsZeroGuid (&mAvailableAlgoArray[Index])) {
|
|
+ RNGAlgorithm = &mAvailableAlgoArray[Index];
|
|
+ goto FoundAlgo;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (Index == mAvailableAlgoArrayCount) {
|
|
+ // No algorithm available.
|
|
+ ASSERT (Index != mAvailableAlgoArrayCount);
|
|
+ return EFI_DEVICE_ERROR;
|
|
+ }
|
|
}
|
|
|
|
+FoundAlgo:
|
|
if (CompareGuid (RNGAlgorithm, PcdGetPtr (PcdCpuRngSupportedAlgorithm))) {
|
|
Status = RngGetBytes (RNGValueLength, RNGValue);
|
|
return Status;
|
|
@@ -113,24 +178,30 @@ RngGetInfo (
|
|
OUT EFI_RNG_ALGORITHM *RNGAlgorithmList
|
|
)
|
|
{
|
|
- UINTN RequiredSize;
|
|
- EFI_RNG_ALGORITHM *CpuRngSupportedAlgorithm;
|
|
-
|
|
- RequiredSize = sizeof (EFI_RNG_ALGORITHM);
|
|
+ UINTN RequiredSize;
|
|
|
|
if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
|
|
return EFI_INVALID_PARAMETER;
|
|
}
|
|
|
|
+ RequiredSize = mAvailableAlgoArrayCount * sizeof (EFI_RNG_ALGORITHM);
|
|
+
|
|
+ if (RequiredSize == 0) {
|
|
+ // No supported algorithms found.
|
|
+ return EFI_UNSUPPORTED;
|
|
+ }
|
|
+
|
|
if (*RNGAlgorithmListSize < RequiredSize) {
|
|
*RNGAlgorithmListSize = RequiredSize;
|
|
return EFI_BUFFER_TOO_SMALL;
|
|
}
|
|
|
|
- CpuRngSupportedAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
|
|
-
|
|
- CopyMem(&RNGAlgorithmList[0], CpuRngSupportedAlgorithm, sizeof (EFI_RNG_ALGORITHM));
|
|
+ if (RNGAlgorithmList == NULL) {
|
|
+ return EFI_INVALID_PARAMETER;
|
|
+ }
|
|
|
|
+ // There is no gap in the array, so copy the block.
|
|
+ CopyMem (RNGAlgorithmList, mAvailableAlgoArray, RequiredSize);
|
|
*RNGAlgorithmListSize = RequiredSize;
|
|
return EFI_SUCCESS;
|
|
}
|
|
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
|
|
index 70b6ac20c9..7caa64a4ff 100644
|
|
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
|
|
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
|
|
@@ -26,6 +26,32 @@
|
|
|
|
#include "RngDxeInternals.h"
|
|
|
|
+/** Allocate and initialize mAvailableAlgoArray with the available
|
|
+ Rng algorithms. Also update mAvailableAlgoArrayCount.
|
|
+
|
|
+ @retval EFI_SUCCESS The function completed successfully.
|
|
+ @retval EFI_OUT_OF_RESOURCES Could not allocate memory.
|
|
+**/
|
|
+EFI_STATUS
|
|
+EFIAPI
|
|
+GetAvailableAlgorithms (
|
|
+ VOID
|
|
+ )
|
|
+{
|
|
+ return EFI_SUCCESS;
|
|
+}
|
|
+
|
|
+/** Free mAvailableAlgoArray.
|
|
+**/
|
|
+VOID
|
|
+EFIAPI
|
|
+FreeAvailableAlgorithms (
|
|
+ VOID
|
|
+ )
|
|
+{
|
|
+ return;
|
|
+}
|
|
+
|
|
/**
|
|
Produces and returns an RNG value using either the default or specified RNG algorithm.
|
|
|
|
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
|
|
index 4599728889..cc2ddfcc06 100644
|
|
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
|
|
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
|
|
@@ -27,6 +27,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
|
|
|
|
#include "RngDxeInternals.h"
|
|
|
|
+//
|
|
+// Array containing the validated Rng algorithm.
|
|
+// The entry with the lowest index will be the default algorithm.
|
|
+//
|
|
+UINTN mAvailableAlgoArrayCount;
|
|
+EFI_RNG_ALGORITHM *mAvailableAlgoArray;
|
|
+
|
|
//
|
|
// The Random Number Generator (RNG) protocol
|
|
//
|
|
@@ -66,8 +73,39 @@ RngDriverEntry (
|
|
&mRngRdRand,
|
|
NULL
|
|
);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ return Status;
|
|
+ }
|
|
+
|
|
+ //
|
|
+ // Get the list of available algorithm.
|
|
+ //
|
|
+ return GetAvailableAlgorithms ();
|
|
+}
|
|
+
|
|
+/**
|
|
+ This is the unload handle for RndgDxe module.
|
|
+
|
|
+ Disconnect the driver specified by ImageHandle from all the devices in the handle database.
|
|
+ Uninstall all the protocols installed in the driver entry point.
|
|
|
|
- return Status;
|
|
+ @param[in] ImageHandle The drivers' driver image.
|
|
+
|
|
+ @retval EFI_SUCCESS The image is unloaded.
|
|
+ @retval Others Failed to unload the image.
|
|
+
|
|
+**/
|
|
+EFI_STATUS
|
|
+EFIAPI
|
|
+RngDriverUnLoad (
|
|
+ IN EFI_HANDLE ImageHandle
|
|
+ )
|
|
+{
|
|
+ //
|
|
+ // Free the list of available algorithm.
|
|
+ //
|
|
+ FreeAvailableAlgorithms ();
|
|
+ return EFI_SUCCESS;
|
|
}
|
|
|
|
|
|
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
|
|
index 60efb5562e..1985dfbb46 100644
|
|
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
|
|
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
|
|
@@ -22,6 +22,7 @@
|
|
MODULE_TYPE = DXE_DRIVER
|
|
VERSION_STRING = 1.0
|
|
ENTRY_POINT = RngDriverEntry
|
|
+ UNLOAD_IMAGE = RngDriverUnLoad
|
|
MODULE_UNI_FILE = RngDxe.uni
|
|
|
|
#
|
|
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
|
|
index f17adb83fb..0ef5e6522f 100644
|
|
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
|
|
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxeInternals.h
|
|
@@ -12,6 +12,33 @@
|
|
|
|
#include <Protocol/Rng.h>
|
|
|
|
+//
|
|
+// Array containing the validated Rng algorithm.
|
|
+// The entry with the lowest index will be the default algorithm.
|
|
+//
|
|
+extern UINTN mAvailableAlgoArrayCount;
|
|
+extern EFI_RNG_ALGORITHM *mAvailableAlgoArray;
|
|
+
|
|
+/** Allocate and initialize mAvailableAlgoArray with the available
|
|
+ Rng algorithms. Also update mAvailableAlgoArrayCount.
|
|
+
|
|
+ @retval EFI_SUCCESS The function completed successfully.
|
|
+ @retval EFI_OUT_OF_RESOURCES Could not allocate memory.
|
|
+**/
|
|
+EFI_STATUS
|
|
+EFIAPI
|
|
+GetAvailableAlgorithms (
|
|
+ VOID
|
|
+ );
|
|
+
|
|
+/** Free mAvailableAlgoArray.
|
|
+**/
|
|
+VOID
|
|
+EFIAPI
|
|
+FreeAvailableAlgorithms (
|
|
+ VOID
|
|
+ );
|
|
+
|
|
/**
|
|
Returns information about the random number generation implementation.
|
|
|
|
--
|
|
2.39.3
|
|
|