REF:https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
This patch series patches the following CVEs:
- CVE-2023-45236: Predictable TCP Initial Sequence Numbers
- CVE-2023-45237: Use of a Weak PseudoRandom Number Generator
In order to patch these CVEs, the following changes were made:
- NetworkPkg no longer performs its own random number generation;
instead it uses the EFI_RNG_PROTOCOL provided by the platform to
generate random numbers.
- This change was made such that any future random number
generation vulnerabilities will be a result of the platform's
implementation of the EFI_RNG_PROTOCOL and not the NetworkPkg.
- NetworkPkg uses the TCP initial sequence number algorithm as described
in RFC 6528 to generate the initial sequence number for TCP connections.
- This change was made to ensure that the initial sequence number
is not predictable and therefore cannot be used in a TCP hijacking
attack.
In addition to the above changes, the following changes were made:
- EmulatorPkg, OvmfPkg, and ArmVirtPkg were updated to include the
Hash2DxeCrypto driver to support TCP ISN generation using
EFI_HASH2_PROTOCOL
- EmulatorPkg was updated to include the
RngDxe driver to support random number generation using the
EFI_RNG_PROTOCOL
- OvmfPkg, and ArmVirtPkg were updated to include the
virtio-rng-pci device to support random number generation using the
EFI_RNG_PROTOCOL using the existing VirtioRngDxe driver
- SecurityPkg was updated to fix an incorrect limitation on the
GetRng function in the RngDxe driver where the minimum amount of
random data that could be requested was 32 bytes (256 bits) instead
of what the caller requested
- MdePkg was updated to include MockUefiBootServicesTableLib,
MockRng, and MockHash2 protocols for testing
- NetworkPkg was updated to include a test for the PxeBcDhcp6 driver
due to underlying changes
- ArmPkg was updated to allow the SMC/HVC monitor conduit to be
specified at runtime
- MdePkg was updated to remove an overzealous ASSERT in BaseRngLib
- ArmVirtPkg was updated to permit the use of dynamic PCDs in PEI
- ArmVirtPkg was updated to use dynamic PCDs to set the SMCCC conduit
- ArmVirtPkg was updated to add the RngDxe driver
Cc: Liming Gao <[email protected]>
Signed-off-by: Doug Flick [MSFT] <[email protected]>
Ard Biesheuvel (6):
ArmPkg: Allow SMC/HVC monitor conduit to be specified at runtime
MdePkg/BaseRngLib AARCH64: Remove overzealous ASSERT()
ArmVirtPkg/ArmVirtQemu: Permit the use of dynamic PCDs in PEI
ArmVirtPkg: Use dynamic PCD to set the SMCCC conduit
ArmVirtPkg: Reverse inclusion order of MdeLibs.inc and ArmVirt.dsc.inc
ArmVirtPkg/ArmVirtQemu: Add RngDxe driver
Doug Flick (8):
EmulatorPkg: : Add Hash2DxeCrypto to EmulatorPkg
OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg
NetworkPkg:: SECURITY PATCH CVE-2023-45237
NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236
MdePkg: : Add MockUefiBootServicesTableLib
MdePkg: : Adds Protocol for MockRng
MdePkg: Add MockHash2 Protocol for testing
NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes
Flickdm (6):
EmulatorPkg: : Add RngDxe to EmulatorPkg
OvmfPkg:PlatformCI: Support virtio-rng-pci
ArmVirtPkg:PlatformCI: Support virtio-rng-pci
ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg
SecurityPkg: RngDxe: Remove incorrect limitation on GetRng
ArmVirtPkg: Move PcdMonitorConduitHvc
ArmPkg/ArmPkg.dec | 10 +-
NetworkPkg/NetworkPkg.dec | 7 +
ArmVirtPkg/ArmVirt.dsc.inc | 5 +-
ArmVirtPkg/ArmVirtCloudHv.dsc | 3 +
ArmVirtPkg/ArmVirtKvmTool.dsc | 4 +-
ArmVirtPkg/ArmVirtQemu.dsc | 20 +-
ArmVirtPkg/ArmVirtQemuKernel.dsc | 12 +-
ArmVirtPkg/ArmVirtXen.dsc | 6 +-
EmulatorPkg/EmulatorPkg.dsc | 14 +-
MdePkg/Test/MdePkgHostTest.dsc | 1 +
NetworkPkg/Test/NetworkPkgHostTest.dsc | 1 +
OvmfPkg/OvmfPkgIa32.dsc | 6 +-
OvmfPkg/OvmfPkgIa32X64.dsc | 6 +-
OvmfPkg/OvmfPkgX64.dsc | 6 +-
OvmfPkg/OvmfXen.dsc | 5 +
ArmVirtPkg/ArmVirtQemu.fdf | 2 +-
EmulatorPkg/EmulatorPkg.fdf | 11 +-
OvmfPkg/OvmfPkgIa32.fdf | 5 +
OvmfPkg/OvmfPkgIa32X64.fdf | 5 +
OvmfPkg/OvmfPkgX64.fdf | 5 +
OvmfPkg/OvmfXen.fdf | 5 +
ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.inf | 1 +
MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf | 32 +++
NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 14 +-
NetworkPkg/TcpDxe/TcpDxe.inf | 11 +-
NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf | 3 +-
MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h | 78 +++++++
MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h | 67 ++++++
MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h | 48 ++++
NetworkPkg/IScsiDxe/IScsiMisc.h | 6 +-
NetworkPkg/Include/Library/NetLib.h | 40 +++-
NetworkPkg/Ip6Dxe/Ip6Nd.h | 8 +-
NetworkPkg/TcpDxe/TcpFunc.h | 23 +-
NetworkPkg/TcpDxe/TcpMain.h | 59 ++++-
ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c | 2 +-
ArmVirtPkg/Library/PlatformPeiLib/PlatformPeiLib.c | 14 ++
MdePkg/Library/BaseRngLib/AArch64/Rndr.c | 1 -
NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 10 +-
NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 11 +-
NetworkPkg/DnsDxe/DnsDhcp.c | 10 +-
NetworkPkg/DnsDxe/DnsImpl.c | 11 +-
NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 10 +-
NetworkPkg/IScsiDxe/IScsiCHAP.c | 19 +-
NetworkPkg/IScsiDxe/IScsiMisc.c | 14 +-
NetworkPkg/Ip4Dxe/Ip4Driver.c | 10 +-
NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 9 +-
NetworkPkg/Ip6Dxe/Ip6Driver.c | 17 +-
NetworkPkg/Ip6Dxe/Ip6If.c | 12 +-
NetworkPkg/Ip6Dxe/Ip6Mld.c | 12 +-
NetworkPkg/Ip6Dxe/Ip6Nd.c | 33 ++-
NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 130 +++++++++--
NetworkPkg/TcpDxe/TcpDriver.c | 105 ++++++++-
NetworkPkg/TcpDxe/TcpInput.c | 13 +-
NetworkPkg/TcpDxe/TcpMisc.c | 244 ++++++++++++++++++--
NetworkPkg/TcpDxe/TcpTimer.c | 3 +-
NetworkPkg/Udp4Dxe/Udp4Driver.c | 10 +-
NetworkPkg/Udp6Dxe/Udp6Driver.c | 11 +-
NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 9 +-
NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 11 +-
NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 12 +-
SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 8 -
ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 6 +
ArmVirtPkg/PlatformCI/PlatformBuildLib.py | 2 +
MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.cpp | 69 ++++++
MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockHash2.cpp | 27 +++
MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp | 21 ++
NetworkPkg/SecurityFixes.yaml | 61 +++++
NetworkPkg/UefiPxeBcDxe/GoogleTest/PxeBcDhcp6GoogleTest.cpp | 102 +++++++-
OvmfPkg/PlatformCI/PlatformBuildLib.py | 2 +
69 files changed, 1397 insertions(+), 173 deletions(-)
create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.inf
create mode 100644 MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.h
create mode 100644 MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h
create mode 100644 MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h
create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUefiBootServicesTableLib.cpp
create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockHash2.cpp
create mode 100644 MdePkg/Test/Mock/Library/GoogleTest/Protocol/MockRng.cpp
--
2.34.1