So this patch is necessary as otherwise, QEMU fails to boot due to a missing source of randomness in the network drivers, right?
Does this imply that all QEMU deployments that rely on the bundled firmware images (e.g., for micro-VMs and container use cases) will now fail to boot if the pre-existing QEMU launch script happens to omit the virtio-rng device? If so, we absolutely need a fallback here - RngDxe based on TRNG (for KVM use cases) as well as RNDR (for TCG with CPU max). This may still break some deployments, but the vast majority should be covered.

RNDR raises another interesting problem, by the way - the ARM arch spec requires RNDR to be backed by an appropriate DRBG that complies with the NIST spec but it does not specify which one. IOW, it is backed by a DRBG not by a raw entropy source, but specifying which DRBG (by GUID) is not generally feasible, as the guest VM firmware cannot interrogate the host about which DRBG is behind RNDR.

TL;DR there are a couple of loose ends here, and so rushing it through doesn't seem wise imho. I'd rather leave ARM behind with these CVE fixes than break many different use cases in different ways.

On Thu, 9 May 2024 at 07:56, Doug Flick <doug.e...@gmail.com> wrote: > > This patch adds "virtio-rng-pci" to the PlatformBuildLib.py > This adds Rng services to the guest VM > > Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org> > Cc: Jiewen Yao <jiewen....@intel.com> > Cc: Gerd Hoffmann <kra...@redhat.com> > > Signed-off-by: Doug Flick [MSFT] <doug.e...@gmail.com> > --- > OvmfPkg/PlatformCI/PlatformBuildLib.py | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/OvmfPkg/PlatformCI/PlatformBuildLib.py > b/OvmfPkg/PlatformCI/PlatformBuildLib.py > index 00d454954bff..3fe80f5c1caa 100644 > --- a/OvmfPkg/PlatformCI/PlatformBuildLib.py > +++ b/OvmfPkg/PlatformCI/PlatformBuildLib.py
> @@ -208,6 +208,8 @@ class PlatformBuilder( UefiBuilder, BuildSettingsManager): > args += " -net none" > # turn off network > args += " -smp 4" > args += f" -drive file=fat:rw:{VirtualDrive},format=raw,media=disk" > # Mount disk with startup.nsh > + # Provides Rng services to the Guest VM > + args += " -device virtio-rng-pci" > > if (self.env.GetValue("QEMU_HEADLESS").upper() == "TRUE"): > args += " -display none" # no graphics > -- > 2.34.1 >

View/Reply Online (#118753): https://edk2.groups.io/g/devel/message/118753
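Review bot: the added comment `# Provides Rng services to the Guest VM` overstates what the line does; `-device virtio-rng-pci` only exposes a virtio RNG device to the guest, and the firmware gets RNG services from it only if the platform build includes a driver that consumes that device, which this patch (touching only `OvmfPkg/PlatformCI/PlatformBuildLib.py`, per the diffstat) does not show or document. Since the discussion above says the firmware may fail to boot when a launch script omits this device, consider making the addition conditional on an env value, in the same style as the `QEMU_HEADLESS` check directly below it, so CI keeps one configuration that boots without virtio-rng and would catch exactly that regression; and have the commit message state which driver consumes the device and what the boot behaviour is when it is absent.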