On Wed, 8 May 2024 at 17:29, Doug Flick via groups.io <dougflick=microsoft....@groups.io> wrote: > > From: Doug Flick <dougfl...@microsoft.com> > > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542 > > Bug Overview: > PixieFail Bug #9 > CVE-2023-45237 > CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N > CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) > > Use of a Weak PseudoRandom Number Generator > > Change Overview: > > Updates all Instances of NET_RANDOM (NetRandomInitSeed ()) to either > > > > > EFI_STATUS > > EFIAPI > > PseudoRandomU32 ( > > OUT UINT32 *Output > > ); > > > > or (depending on the use case) > > > > > EFI_STATUS > > EFIAPI > > PseudoRandom ( > > OUT VOID *Output, > > IN UINTN OutputLength > > ); > > > > This is because the use of > > Example: > > The following code snippet PseudoRandomU32 () function is used: > > > > > UINT32 Random; > > > > Status = PseudoRandomU32 (&Random); > > if (EFI_ERROR (Status)) { > > DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", > __func__, Status)); > > return Status; > > } > > > > This also introduces a new PCD to enable/disable the use of the > NIST SP-800-90 approved algorithms for PseudoRandom () and > instead depend on the default implementation. This may be required for > some platforms where the UEFI Spec defined algorithms are not available. > > > > > PcdEnforceSecureRngAlgorithms > > > > If the platform does not have the NIST SP-800-90 approved algorithms > then the driver will assert. > > Cc: Saloni Kasbekar <saloni.kasbe...@intel.com> > Cc: Zachary Clark-williams <zachary.clark-willi...@intel.com> > > Signed-off-by: Doug Flick [MSFT] <doug.e...@gmail.com> > --- > NetworkPkg/NetworkPkg.dec | 7 ++ > NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 12 +- > NetworkPkg/TcpDxe/TcpDxe.inf | 3 + > NetworkPkg/IScsiDxe/IScsiMisc.h | 6 +- > NetworkPkg/Include/Library/NetLib.h | 40 ++++-- > NetworkPkg/Ip6Dxe/Ip6Nd.h | 8 +- > NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 10 +- > NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 11 +- > NetworkPkg/DnsDxe/DnsDhcp.c | 10 +- > NetworkPkg/DnsDxe/DnsImpl.c | 11 +- > NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 10 +- > NetworkPkg/IScsiDxe/IScsiCHAP.c | 19 ++- > NetworkPkg/IScsiDxe/IScsiMisc.c | 14 +-- > NetworkPkg/Ip4Dxe/Ip4Driver.c | 10 +- > NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 9 +- > NetworkPkg/Ip6Dxe/Ip6Driver.c | 17 ++- > NetworkPkg/Ip6Dxe/Ip6If.c | 12 +- > NetworkPkg/Ip6Dxe/Ip6Mld.c | 12 +- > NetworkPkg/Ip6Dxe/Ip6Nd.c | 33 ++++- > NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 129 +++++++++++++++++--- > NetworkPkg/TcpDxe/TcpDriver.c | 15 ++- > NetworkPkg/Udp4Dxe/Udp4Driver.c | 10 +- > NetworkPkg/Udp6Dxe/Udp6Driver.c | 11 +- > NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 9 +- > NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 11 +- > NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 12 +- > NetworkPkg/SecurityFixes.yaml | 39 ++++++ > 27 files changed, 407 insertions(+), 83 deletions(-) > > diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec > index e06f35e7747c..7c4289b77b21 100644 > --- a/NetworkPkg/NetworkPkg.dec > +++ b/NetworkPkg/NetworkPkg.dec > @@ -5,6 +5,7 @@ > # > # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.<BR> > # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP<BR> > +# Copyright (c) Microsoft Corporation > # > # SPDX-License-Identifier: BSD-2-Clause-Patent > # > @@ -130,6 +131,12 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] > # @Prompt Indicates whether SnpDxe creates event for ExitBootServices() > call. > > gEfiNetworkPkgTokenSpaceGuid.PcdSnpCreateExitBootServicesEvent|TRUE|BOOLEAN|0x1000000C > > + ## Enforces the use of Secure UEFI spec defined RNG algorithms for all > network connections. > + # TRUE - Enforce the use of Secure UEFI spec defined RNG algorithms. > + # FALSE - Do not enforce and depend on the default implementation of RNG > algorithm from the provider. > + # @Prompt Enforce the use of Secure UEFI spec defined RNG algorithms. > + > gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|TRUE|BOOLEAN|0x1000000D > +
This conflates 'secure' with 'specified by NIST', which I don't think is entirely accurate. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#118691): https://edk2.groups.io/g/devel/message/118691 Mute This Topic: https://groups.io/mt/105983246/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-