回复: [edk2-devel] 回复: [edk2-devel][edk2-stable202405] [PATCH v2 00/13] NetworkPkg: CVE-2023-45236 and CVE-2023-45237

2024-05-14 Thread gaoliming via groups.io 
Doug:

  Thanks for your clarification. For the changes in MdePkg and EmulatorPkg, I 
have no comments. Reviewed-by: Liming Gao 

 

Thanks

Liming

发件人: Doug Flick via groups.io  
发送时间: 2024年5月10日 2:26
收件人: gaoliming ; devel@edk2.groups.io
主题: Re: [edk2-devel] 回复: [edk2-devel][edk2-stable202405] [PATCH v2 00/13] 
NetworkPkg: CVE-2023-45236 and CVE-2023-45237

 

>From the two CVE patches there should be no functional differences to a 
>platform assuming the platform provides them with a RNG implementation and 
>HASH2 implementation.

The "NetworkPkg:: SECURITY PATCH CVE-2023-45237" change simply get's it's 
random numbers from outside of the NetworkPkg and makes it a platform decision. 
The "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236" changes how the TCP Isn 
number is generated and puts the platform in compliance with the relevant 
specification.

There is a functional change with "SecurityPkg: RngDxe: Remove incorrect 
limitation on GetRng" as this will now allow a caller to call less than 32 
bytes.

The other changes are unit tests and platform integration changes.



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118897): https://edk2.groups.io/g/devel/message/118897
Mute This Topic: https://groups.io/mt/106106240/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] 回复: [edk2-devel][edk2-stable202405] [PATCH v2 00/13] NetworkPkg: CVE-2023-45236 and CVE-2023-45237

2024-05-09 Thread Doug Flick via groups.io 
>From the two CVE patches there should be no functional differences to a 
>platform assuming the platform provides them with a RNG implementation and 
>HASH2 implementation. 

The "NetworkPkg:: SECURITY PATCH CVE-2023-45237" change simply get's it's 
random numbers from outside of the NetworkPkg and makes it a platform decision.
The "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236" changes how the TCP Isn 
number is generated and puts the platform in compliance with the relevant 
specification. 

There is a functional change with  "SecurityPkg: RngDxe: Remove incorrect 
limitation on GetRng" as this will now allow a caller to call less than 32 
bytes. 

The other changes are unit tests and platform integration changes.


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#118768): https://edk2.groups.io/g/devel/message/118768
Mute This Topic: https://groups.io/mt/105998004/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

回复: [edk2-devel][edk2-stable202405] [PATCH v2 00/13] NetworkPkg: CVE-2023-45236 and CVE-2023-45237

2024-05-09 Thread gaoliming via groups.io 
Doug:
  Is there any functionality impact by these two CVE fixes?

Thanks
Liming
> -邮件原件-
> 发件人: devel@edk2.groups.io  代表 Doug Flick via
> groups.io
> 发送时间: 2024年5月9日 13:56
> 收件人: devel@edk2.groups.io
> 抄送: Liming Gao 
> 主题: [edk2-devel] [PATCH v2 00/13] NetworkPkg: CVE-2023-45236 and
> CVE-2023-45237
> 
>
REF:https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-
edk-ii-
> ipv6-network-stack.html
> 
> This patch series patches the following CVEs:
> - CVE-2023-45236: Predictable TCP Initial Sequence Numbers
> - CVE-2023-45237: Use of a Weak PseudoRandom Number Generator
> 
> In order to patch these CVEs, the following changes were made:
> - NetworkPkg no longer performs it's own random number generation,
>   instead it uses EFI_RNG_PROTOCOL provided by the plaform to
>   generate random numbers.
>   - This change was made such that any future random number
> generation vulnerabilities will be a result of the platforms
> implementation of the EFI_RNG_PROTOCOL and not the NetworkPkg
> 
> - NetworkPkg uses the TCP initial sequence number algorithm as described
>   in RFC 6528 to generate the initial sequence number for TCP connections.
>   - This change was made to ensure that the initial sequence number
> is not predictable and therefore cannot be used in a TCP hijacking
> attack.
> 
> In addition to the above changes, the following changes were made:
> - EmulatorPkg OvmfPkg, and ArmVirtPkg were updated to include the
>   Hash2DxeCrypto driver to support TCP ISN generation using
>   EFI_HASH2_PROTOCOL
> 
> - EmulatorPkg was updated to include the
>   RngDxe driver to support random number generation using the
>   EFI_RNG_PROTOCOL
> 
> - OvmfPkg, and ArmVirtPkg were updated to include the
>   virtio-rng-pci device to support random number generation using the
>   EFI_RNG_PROTOCOL using the existing VirtioRngDxe driver
> 
> - SecurityPkg was updated to fix an incorrect limitation on the
>   GetRng function in the RngDxe driver where the minimum amount of
>   random data that could be requested was 32 bytes (256 bits) instead
>   of what the caller requested
> 
> - MdePkg was updated to include MockUefiBootServicesTableLib,
>   MockRng, and MockHash2 protocols for testing
> 
> - NetworkPkg was updated to include a test for the PxeBcDhcp6 driver
>   due to underlying changes
> 
> Cc: Liming Gao 
> 
> Signed-off-by: Doug Flick [MSFT] 
> 
> Doug Flick (13):
>   EmulatorPkg: : Add RngDxe to EmulatorPkg
>   EmulatorPkg: : Add Hash2DxeCrypto to EmulatorPkg
>   OvmfPkg:PlatformCI: Support virtio-rng-pci
>   OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg
>   ArmVirtPkg:PlatformCI: Support virtio-rng-pci
>   ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg
>   SecurityPkg: RngDxe: Remove incorrect limitation on GetRng
>   NetworkPkg:: SECURITY PATCH CVE-2023-45237
>   NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236
>   MdePkg: : Add MockUefiBootServicesTableLib
>   MdePkg: : Adds Protocol for MockRng
>   MdePkg: Add MockHash2 Protocol for testing
>   NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes
> 
>  NetworkPkg/NetworkPkg.dec
> |   7 +
>  ArmVirtPkg/ArmVirtQemu.dsc
> |   5 +
>  ArmVirtPkg/ArmVirtQemuKernel.dsc
> |   5 +
>  EmulatorPkg/EmulatorPkg.dsc
> |  14 +-
>  MdePkg/Test/MdePkgHostTest.dsc
> |   1 +
>  NetworkPkg/Test/NetworkPkgHostTest.dsc
> |   1 +
>  OvmfPkg/OvmfPkgIa32.dsc
> |   6 +-
>  OvmfPkg/OvmfPkgIa32X64.dsc
> |   6 +-
>  OvmfPkg/OvmfPkgX64.dsc
> |   6 +-
>  OvmfPkg/OvmfXen.dsc
> |   5 +
>  EmulatorPkg/EmulatorPkg.fdf
> |  11 +-
>  OvmfPkg/OvmfPkgIa32.fdf
> |   5 +
>  OvmfPkg/OvmfPkgIa32X64.fdf
> |   5 +
>  OvmfPkg/OvmfPkgX64.fdf
> |   5 +
>  OvmfPkg/OvmfXen.fdf
> |   5 +
> 
> MdePkg/Test/Mock/Library/GoogleTest/MockUefiBootServicesTableLib/MockUe
> fiBootServicesTableLib.inf |  32 +++
>  NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
> |  13 +-
>  NetworkPkg/TcpDxe/TcpDxe.inf
> |  11 +-
>  NetworkPkg/UefiPxeBcDxe/GoogleTest/UefiPxeBcDxeGoogleTest.inf
> |   3 +-
> 
> MdePkg/Test/Mock/Include/GoogleTest/Library/MockUefiBootServicesTableLib.
> h|  78 +++
>  MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h
> |  67 ++
>  MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h
> |  48 
>  NetworkPkg/IScsiDxe/IScsiMisc.h
> |   6 +-
>  NetworkPkg/Include/Library/NetLib.h
> |  40 +++-
>  NetworkPkg/Ip6Dxe/Ip6Nd.h
> |   8 +-
>  NetworkPkg/TcpDxe/TcpFunc.h
> |  23 +-
>  NetworkPkg/TcpDxe/TcpMain.h
> |  59 -
>  NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
> |  10 +-
>  NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
> |  11 +-
>  NetworkPkg/DnsDxe/DnsDhcp.c
> |  10 +-
>  NetworkPkg/DnsDxe/DnsImpl.c
> |  11 +-
>  NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
> |  10 +-
>  NetworkPkg/IScsiDxe/IScsiCHAP.c
> |  19 +-
>  NetworkPkg/IScsiDxe/IScsiMisc.c
> |  14 +-
>  NetworkPkg/Ip4Dxe/Ip4Driver.c
> |  10 +-
>  NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
> |   9 +-
>  NetworkPkg/Ip6Dxe/Ip6Driver.c
> |  17 +-
>  NetworkPkg/Ip6Dxe/Ip6If.c
> |  12 +-
>