On Tue, 7 May 2024 at 00:22, Doug Flick <dougfl...@microsoft.com> wrote:
>
> All,
>
> In order to patch Tianocore Bugzilla issues and CVEs:
> 4541 – Bug 08 - edk2/NetworkPkg: Predictable TCP ISNs (tianocore.org)
> and
> 4542 – Bug 09 - edk2/NetworkPkg: Use of a Weak PseudoRandom Number Generator (tianocore.org)
>
> I've added as a dependency Hash2CryptoDxe and RngDxe lib to NetworkPkg. I've
> been able to add the relevant libraries to the DSCs of OvmfPkg and
> EmulatorPkg, however I'm seeing odd behavior with ArmVirtPkg.
>
> Would someone more knowledgeable with ArmVirtPkg take a look at this PR?
>
> PixieFail #8 and #9 TCBZ4541 and TCBZ4542 by Flickdm · Pull Request #5582 ·
> tianocore/edk2 (github.com)
>
> The issue was introduced in the commit "ArmVirtPkg: : Add RngDxe to
> ArmVirtPkg"
>
> Right now PlatformCI_ArmVirtPkg_Ubuntu_GCC5_PR is crashing
You need to configure the TrngLib to use either secure monitor calls or hypervisor calls, and this might be different depending on the context:

- ordinary VMs running under proper virtualization will execute at EL1 under a hypervisor that implements the TRNG service, so it can only use HVC (and SMC will trap, as you've experienced)
- QEMU itself does not implement the TRNG service (to my knowledge), so running a VM under TCG emulation of EL1 will not have access to the TRNG
- other emulation modes of QEMU may run the firmware in a different way, where SMC is actually appropriate, and this could be either EL1 or EL2.

This makes it slightly awkward to decide whether or not to dispatch RngDxe, and this is why nobody has gotten around to it (and I forgot about this tbh)

TL;DR building with --pcd PcdMonitorConduitHvc=TRUE will avoid the crash but may not result in a usable RngDxe

It also seems to me that those network drivers will now need to DEPEX on the RNG protocol, as they may get dispatched too early otherwise:

  Failed to generate random data using secure algorithm 0: Unsupported
  Failed to generate random data using secure algorithm 1: Unsupported
  Failed to generate random data using secure algorithm 2: Unsupported
  ASSERT_EFI_ERROR (Status = Unsupported)
  ASSERT [Udp4Dxe] DxeNetLib.c(973): !(((INTN)(RETURN_STATUS)(Status)) < 0)
  QEMU: Terminated

This is with -device virtio-rng-pci and the VirtioRngDxe driver (which is already included in OVMF and ArmVirtQemu), but the driver dispatches before the driver model can instantiate the protocol.

View/Reply Online (#118646): https://edk2.groups.io/g/devel/message/118646
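The failure mode in the reply above (every "secure algorithm" attempt comes back Unsupported because the RNG protocol is not usable yet, and the caller asserts) can be illustrated outside the firmware. The following is an added example, not edk2 NetworkPkg code: it models a consumer that walks a list of secure algorithm ids (0, 1, 2, as in the log), returns a status when none is available or when the protocol has not been installed, and derives a TCP initial sequence number from the RNG output instead of from a predictable counter. The status values, the `rng_get_fn` interface and the two mock providers are constructed for the example; the real EFI RNG protocol and Hash2 protocol are not used here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed status codes standing in for the EFI_STATUS values named in the thread. */
typedef enum {
    STATUS_SUCCESS     = 0,
    STATUS_UNSUPPORTED = 1,   /* the provider is present but has no such algorithm */
    STATUS_NOT_READY   = 2    /* the RNG protocol has not been installed yet (dispatched too early) */
} status_t;

/* Stand-in for an RNG protocol's "get random bytes for algorithm id" call (assumed interface). */
typedef status_t (*rng_get_fn)(unsigned algorithm, size_t len, uint8_t *out);

/* Algorithm ids 0, 1, 2 mirror the three "secure algorithm" attempts shown in the log. */
static const unsigned SECURE_ALGORITHMS[] = { 0, 1, 2 };

/* Try each secure algorithm in turn. The point of this function is that it reports a
 * status rather than asserting, so a driver that runs before the protocol exists can
 * defer (or be given a DEPEX) instead of terminating the boot. */
status_t net_get_random(rng_get_fn rng, size_t len, uint8_t *out, unsigned *used_alg)
{
    if (rng == NULL) {
        return STATUS_NOT_READY;
    }
    for (size_t i = 0; i < sizeof SECURE_ALGORITHMS / sizeof SECURE_ALGORITHMS[0]; i++) {
        unsigned alg = SECURE_ALGORITHMS[i];
        if (rng(alg, len, out) == STATUS_SUCCESS) {
            if (used_alg != NULL) {
                *used_alg = alg;
            }
            return STATUS_SUCCESS;
        }
        printf("Failed to generate random data using secure algorithm %u: Unsupported\n", alg);
    }
    return STATUS_UNSUPPORTED;
}

/* Derive a TCP ISN from 32 bits of secure RNG output. A counter-based ISN is the
 * predictability problem behind the first bug in the thread; failure is propagated,
 * not asserted, so the caller decides whether to retry later or refuse the connection. */
status_t tcp_pick_isn(rng_get_fn rng, uint32_t *isn)
{
    uint8_t buf[4];
    status_t st = net_get_random(rng, sizeof buf, buf, NULL);
    if (st != STATUS_SUCCESS) {
        return st;
    }
    memcpy(isn, buf, sizeof buf);
    return STATUS_SUCCESS;
}

/* Constructed mock provider: a platform whose conduit offers no usable algorithm at all. */
status_t mock_rng_none(unsigned algorithm, size_t len, uint8_t *out)
{
    (void)algorithm; (void)len; (void)out;
    return STATUS_UNSUPPORTED;
}

/* Constructed mock provider: only algorithm id 2 is supported. The fixed 0xA5 fill
 * exists so the result is checkable; it is deliberately not random. */
status_t mock_rng_alg2_only(unsigned algorithm, size_t len, uint8_t *out)
{
    if (algorithm != 2) {
        return STATUS_UNSUPPORTED;
    }
    memset(out, 0xA5, len);
    return STATUS_SUCCESS;
}

int main(void)
{
    uint32_t isn = 0;
    status_t st = tcp_pick_isn(mock_rng_alg2_only, &isn);
    printf("alg2-only provider: status=%d isn=0x%08x\n", (int)st, isn);
    st = tcp_pick_isn(mock_rng_none, &isn);
    printf("no-algorithm provider: status=%d\n", (int)st);
    st = tcp_pick_isn(NULL, &isn);
    printf("protocol not installed: status=%d\n", (int)st);
    return 0;
}
```

Run against the `mock_rng_none` provider the output reproduces the three "Unsupported" lines from the log, but execution continues with a status the caller can act on; with `NULL` (no protocol installed) the consumer gets `STATUS_NOT_READY` without touching any provider, which is the condition a DEPEX on the RNG protocol would prevent from arising in the first place.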