On Wed, 8 May 2024 at 18:47, Doug Flick via groups.io <dougflick=microsoft....@groups.io> wrote: > > I don't disagree. > > The intent is not to be limited by NIST specified standards but rather the > only UEFI Spec defined algorithms are NIST Standards. > > https://uefi.org/specs/UEFI/2.10/37_Secure_Technologies.html#efi-rng-algorithm-definitions > > I'm not sure what's the best way to clarify this distinction >
The issue here is that virtio-rng only exposes the 'raw' RNG protocol, which is what the underlying hardware claims to implement. This has a special status in the spec, as it can be used as an entropy source for the NIST algorithms, the security strength of which is cannot exceed the security strength represented by the size of the seed consumed from the raw input. So in that sense, it might be appropriate to treat the raw protocol in the same way as the NIST ones, and permit them, call them 'secure' etc. Only when taking the default (ergo unspecified) algorithm should we conclude that the algorithm may be less strong than what the spec requires. What would help is if RngDxe could wrap an implementation of the raw RNG protocol produced by another driver, and produce the NIST DRBGs based on that - perhaps I should look into that. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#118699): https://edk2.groups.io/g/devel/message/118699 Mute This Topic: https://groups.io/mt/105983246/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-