Re: [edk2-devel] 回复: [edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237

To be clear, it requires EFI_RNG_PROTOCOL and EFI_HASH2_PROTOCOL. Both should be mentioned in the release notes -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#119260): https://edk2.groups.io/g/devel/message/119260 Mute This Topic:

[edk2-devel] [PATCH v3 17/20] ArmVirtPkg/ArmVirtQemu: Permit the use of dynamic PCDs in PEI

From: Ard Biesheuvel Currently, only TPM2 builds enable the PCD PEIM, which is a prerequisite for being able to use dynamic PCDs already at the PEI stage. This facility will be used for other reasons too so move those pieces out of code block that are conditional on TPM2_ENABLE Cc: Ard

[edk2-devel] [PATCH v3 18/20] ArmVirtPkg: Use dynamic PCD to set the SMCCC conduit

From: Ard Biesheuvel On ARM systems, whether SMC or HVC instructions need to be used to issue monitor calls is typically dependent on the exception level, but there are also cases where EL1 might use SMC instructions, so there is no hard and fast rule. For ArmVirtQemu, this does depend strictly

[edk2-devel] [PATCH v3 16/20] MdePkg/BaseRngLib AARCH64: Remove overzealous ASSERT()

From: Ard Biesheuvel BaseRngLib on AARCH64 will discover whether or not RNDR instructions are supported, by inspecting the ISAR0 identification register, and setting a global boolean accordingly. This boolean is used in subsequent execution to decide whether or not to issue the instruction. The

[edk2-devel] [PATCH v3 15/20] ArmVirtPkg: Move PcdMonitorConduitHvc

This moves the PcdMonitorConduitHvc from PcdsFeatureFlag.Common to PcdsFixedAtBuild.Common This is a follow on to the previous commit: ArmPkg: Allow SMC/HVC monitor conduit to be specified at runtime ArmVirtQemu may execute at EL2, in which case monitor calls are generally made using SMC

[edk2-devel] [PATCH v3 12/20] MdePkg: Add MockHash2 Protocol for testing

From: Doug Flick This commit adds a new MockHash2 protocol to the MdePkg. This allows the unit tests to pick up the new protocol and use it for testing. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] ---

[edk2-devel] [PATCH v3 14/20] ArmPkg: Allow SMC/HVC monitor conduit to be specified at runtime

From: Ard Biesheuvel ArmVirtQemu may execute at EL2, in which case monitor calls are generally made using SMC instructions instead of HVC instructions. Whether or not this is the case can only be decided at runtime, and so the associated PCD needs to be settable at runtime, if the platform

[edk2-devel] [PATCH v3 13/20] NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes

From: Doug Flick This patch updates the PxeBcDhcp6GoogleTest due to the changes in the underlying code. The changes are as follows: - Random now comes from the RngLib Protocol - The TCP ISN is now generated by the hash function Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by:

[edk2-devel] [PATCH v3 10/20] MdePkg: : Add MockUefiBootServicesTableLib

From: Doug Flick This commit adds a mock library for UefiBootServicesTableLib. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] --- MdePkg/Test/MdePkgHostTest.dsc | 1 +

[edk2-devel] [PATCH v3 09/20] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236

From: Doug Flick REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541 REF: https://www.rfc-editor.org/rfc/rfc1948.txt REF: https://www.rfc-editor.org/rfc/rfc6528.txt REF: https://www.rfc-editor.org/rfc/rfc9293.txt Bug Overview: PixieFail Bug #8 CVE-2023-45236

[edk2-devel] [PATCH v3 11/20] MdePkg: : Adds Protocol for MockRng

From: Doug Flick This patch adds a protocol for MockRng. This protocol is used to mock the Rng protocol for testing purposes. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] --- MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h | 48

[edk2-devel] [PATCH v3 08/20] NetworkPkg:: SECURITY PATCH CVE-2023-45237

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542 Bug Overview: PixieFail Bug #9 CVE-2023-45237 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Use of a Weak PseudoRandom Number Generator Change

[edk2-devel] [PATCH v3 03/20] OvmfPkg:PlatformCI: Support virtio-rng-pci

This patch adds "virtio-rng-pci" to the PlatformBuildLib.py This adds Rng services to the guest VM Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- OvmfPkg/PlatformCI/PlatformBuildLib.py | 2 ++ 1 file changed, 2 insertions(+) diff --git

[edk2-devel] [PATCH v3 07/20] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng

Removed from gEfiRngAlgorithmRaw an incorrect assumption that Raw cannot return less than 256 bits. The DRNG Algorithms should always use a 256 bit seed as per nist standards however a caller is free to request less than 256 bits. > > // >// When a DRBG is used on the output of a entropy

[edk2-devel] [PATCH v3 05/20] ArmVirtPkg:PlatformCI: Support virtio-rng-pci

This patch adds "virtio-rng-pci" to the PlatformBuildLib.py This adds Rng services to the guest VM Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Sami Mujawar Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- ArmVirtPkg/PlatformCI/PlatformBuildLib.py | 2 ++ 1 file changed, 2 insertions(+)

[edk2-devel] [PATCH v3 06/20] ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg

This patch adds Hash2DxeCrypto to ArmVirtPkg. The Hash2DxeCrypto is used to provide the hashing protocol services. Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Sami Mujawar Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- ArmVirtPkg/ArmVirtQemu.dsc | 5 +

[edk2-devel] [PATCH v3 04/20] OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg

From: Doug Flick This patch adds Hash2DxeCrypto to OvmfPkg. The Hash2DxeCrypto is used to provide the hashing protocol services. Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- OvmfPkg/OvmfPkgIa32.dsc| 6 +- OvmfPkg/OvmfPkgIa32X64.dsc | 6

[edk2-devel] [PATCH v3 01/20] EmulatorPkg: : Add RngDxe to EmulatorPkg

This patch adds RngDxe to EmulatorPkg. The RngDxe is used to provide random number generation services to the UEFI firmware. Cc: Andrew Fish Cc: Ray Ni Signed-off-by: Doug Flick [MSFT] Reviewed-by: Ray Ni --- EmulatorPkg/EmulatorPkg.dsc | 7 ++- EmulatorPkg/EmulatorPkg.fdf | 6 +- 2

[edk2-devel] [PATCH v3 02/20] EmulatorPkg: : Add Hash2DxeCrypto to EmulatorPkg

From: Doug Flick This patch adds Hash2DxeCrypto to EmulatorPkg. The Hash2DxeCrypto is used to provide the hashing protocol services. Cc: Andrew Fish Cc: Ray Ni Signed-off-by: Doug Flick [MSFT] --- EmulatorPkg/EmulatorPkg.dsc | 9 +++-- EmulatorPkg/EmulatorPkg.fdf | 5 + 2 files

[edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237

REF:https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html This patch series patches the following CVEs: - CVE-2023-45236: Predictable TCP Initial Sequence Numbers - CVE-2023-45237: Use of a Weak PseudoRandom Number Generator In order to patch

[edk2-devel] [PATCH v3 18/20] ArmVirtPkg: Use dynamic PCD to set the SMCCC conduit

From: Ard Biesheuvel On ARM systems, whether SMC or HVC instructions need to be used to issue monitor calls is typically dependent on the exception level, but there are also cases where EL1 might use SMC instructions, so there is no hard and fast rule. For ArmVirtQemu, this does depend strictly

[edk2-devel] [PATCH v3 20/20] ArmVirtPkg/ArmVirtQemu: Add RngDxe driver

From: Ard Biesheuvel Add the RngDxe driver to the build, backed by either RNDR or TRNG, one of which is expected to be available in most cases: - RNDR is implemented by the 'max' CPU that QEMU implements in TCG mode - TRNG is implemented by the KVM hypervisor, which backs QEMU's 'host' CPU

[edk2-devel] [PATCH v3 19/20] ArmVirtPkg: Reverse inclusion order of MdeLibs.inc and ArmVirt.dsc.inc

From: Ard Biesheuvel MdeLibs.inc sets default library class resolutions which are much more general than the ones that might be specified in ArmVirt.dsc.inc. So the latter should be included *after* MdeLibs.inc to ensure that its definitions take precedence. Cc: Ard Biesheuvel Cc: Leif

[edk2-devel] [PATCH v3 08/20] NetworkPkg:: SECURITY PATCH CVE-2023-45237

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542 Bug Overview: PixieFail Bug #9 CVE-2023-45237 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Use of a Weak PseudoRandom Number Generator Change

[edk2-devel] [PATCH v3 17/20] ArmVirtPkg/ArmVirtQemu: Permit the use of dynamic PCDs in PEI

From: Ard Biesheuvel Currently, only TPM2 builds enable the PCD PEIM, which is a prerequisite for being able to use dynamic PCDs already at the PEI stage. This facility will be used for other reasons too so move those pieces out of code block that are conditional on TPM2_ENABLE Cc: Ard

[edk2-devel] [PATCH v3 16/20] MdePkg/BaseRngLib AARCH64: Remove overzealous ASSERT()

From: Ard Biesheuvel BaseRngLib on AARCH64 will discover whether or not RNDR instructions are supported, by inspecting the ISAR0 identification register, and setting a global boolean accordingly. This boolean is used in subsequent execution to decide whether or not to issue the instruction. The

[edk2-devel] [PATCH v3 15/20] ArmVirtPkg: Move PcdMonitorConduitHvc

This moves the PcdMonitorConduitHvc from PcdsFeatureFlag.Common to PcdsFixedAtBuild.Common This is a follow on to the previous commit: ArmPkg: Allow SMC/HVC monitor conduit to be specified at runtime ArmVirtQemu may execute at EL2, in which case monitor calls are generally made using SMC

[edk2-devel] [PATCH v3 12/20] MdePkg: Add MockHash2 Protocol for testing

From: Doug Flick This commit adds a new MockHash2 protocol to the MdePkg. This allows the unit tests to pick up the new protocol and use it for testing. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] ---

[edk2-devel] [PATCH v3 13/20] NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes

From: Doug Flick This patch updates the PxeBcDhcp6GoogleTest due to the changes in the underlying code. The changes are as follows: - Random now comes from the RngLib Protocol - The TCP ISN is now generated by the hash function Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by:

[edk2-devel] [PATCH v3 14/20] ArmPkg: Allow SMC/HVC monitor conduit to be specified at runtime

From: Ard Biesheuvel ArmVirtQemu may execute at EL2, in which case monitor calls are generally made using SMC instructions instead of HVC instructions. Whether or not this is the case can only be decided at runtime, and so the associated PCD needs to be settable at runtime, if the platform

[edk2-devel] [PATCH v3 09/20] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236

From: Doug Flick REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541 REF: https://www.rfc-editor.org/rfc/rfc1948.txt REF: https://www.rfc-editor.org/rfc/rfc6528.txt REF: https://www.rfc-editor.org/rfc/rfc9293.txt Bug Overview: PixieFail Bug #8 CVE-2023-45236

[edk2-devel] [PATCH v3 11/20] MdePkg: : Adds Protocol for MockRng

From: Doug Flick This patch adds a protocol for MockRng. This protocol is used to mock the Rng protocol for testing purposes. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] --- MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h | 48

[edk2-devel] [PATCH v3 10/20] MdePkg: : Add MockUefiBootServicesTableLib

From: Doug Flick This commit adds a mock library for UefiBootServicesTableLib. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] --- MdePkg/Test/MdePkgHostTest.dsc | 1 +

[edk2-devel] [PATCH v3 06/20] ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg

This patch adds Hash2DxeCrypto to ArmVirtPkg. The Hash2DxeCrypto is used to provide the hashing protocol services. Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Sami Mujawar Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- ArmVirtPkg/ArmVirtQemu.dsc | 5 +

[edk2-devel] [PATCH v3 07/20] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng

Removed from gEfiRngAlgorithmRaw an incorrect assumption that Raw cannot return less than 256 bits. The DRNG Algorithms should always use a 256 bit seed as per nist standards however a caller is free to request less than 256 bits. > > // >// When a DRBG is used on the output of a entropy

[edk2-devel] [PATCH v3 05/20] ArmVirtPkg:PlatformCI: Support virtio-rng-pci

This patch adds "virtio-rng-pci" to the PlatformBuildLib.py This adds Rng services to the guest VM Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Sami Mujawar Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- ArmVirtPkg/PlatformCI/PlatformBuildLib.py | 2 ++ 1 file changed, 2 insertions(+)

[edk2-devel] [PATCH v3 04/20] OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg

From: Doug Flick This patch adds Hash2DxeCrypto to OvmfPkg. The Hash2DxeCrypto is used to provide the hashing protocol services. Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- OvmfPkg/OvmfPkgIa32.dsc| 6 +- OvmfPkg/OvmfPkgIa32X64.dsc | 6

[edk2-devel] [PATCH v3 03/20] OvmfPkg:PlatformCI: Support virtio-rng-pci

This patch adds "virtio-rng-pci" to the PlatformBuildLib.py This adds Rng services to the guest VM Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- OvmfPkg/PlatformCI/PlatformBuildLib.py | 2 ++ 1 file changed, 2 insertions(+) diff --git

[edk2-devel] [PATCH v3 01/20] EmulatorPkg: : Add RngDxe to EmulatorPkg

This patch adds RngDxe to EmulatorPkg. The RngDxe is used to provide random number generation services to the UEFI firmware. Cc: Andrew Fish Cc: Ray Ni Signed-off-by: Doug Flick [MSFT] Reviewed-by: Ray Ni --- EmulatorPkg/EmulatorPkg.dsc | 7 ++- EmulatorPkg/EmulatorPkg.fdf | 6 +- 2

[edk2-devel] [PATCH v3 00/20] NetworkPkg: CVE-2023-45236 and CVE-2023-45237

REF:https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html This patch series patches the following CVEs: - CVE-2023-45236: Predictable TCP Initial Sequence Numbers - CVE-2023-45237: Use of a Weak PseudoRandom Number Generator In order to patch

[edk2-devel] [PATCH v3 02/20] EmulatorPkg: : Add Hash2DxeCrypto to EmulatorPkg

From: Doug Flick This patch adds Hash2DxeCrypto to EmulatorPkg. The Hash2DxeCrypto is used to provide the hashing protocol services. Cc: Andrew Fish Cc: Ray Ni Signed-off-by: Doug Flick [MSFT] --- EmulatorPkg/EmulatorPkg.dsc | 9 +++-- EmulatorPkg/EmulatorPkg.fdf | 5 + 2 files

Re: [edk2-devel] [PATCH v2 09/13] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236

This was more of a design decision. Both Hash2Protocol and HashLib serve similar purposes. The goal was to use Hash2Protocol to decouple and provide greater modularity and flexibility over HashLib. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group.

Re: [edk2-devel] 回复: [edk2-devel] [PATCH v2 03/13] OvmfPkg:PlatformCI: Support virtio-rng-pci

> > On ARM, we can actually do better than this: I have taken Doug's v2 > and applied some changes on top to make it work with ArmVirtQemu. > > https://github.com/ardbiesheuvel/edk2/tree/doug-v2 > Ard, would you be comfortable with this patch series if I take the commits you're suggesting? I'm

Re: [edk2-devel] [PATCH v2 07/13] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng

So, I'm trying to consult with some RNG experts because I'm by no means an expert and anything I say should be taken with huge grain of salt. When I get the experts take, I'll share it. Basically, the way I read this code is that it by no means tries to enforce any entropy requirement outside

Re: [edk2-devel] 回复: [edk2-devel] [PATCH v2 03/13] OvmfPkg:PlatformCI: Support virtio-rng-pci

At a high level, this isn't my project and I would look towards the maintainers to provide guidance about the direction they want to go. However, In my opinion, this is a debate on Security vs Compatibility. I'm biased more towards security, and I've tried to make it easy for a platform to

Re: [edk2-devel] 回复: [edk2-devel][edk2-stable202405] [PATCH v2 00/13] NetworkPkg: CVE-2023-45236 and CVE-2023-45237

>From the two CVE patches there should be no functional differences to a >platform assuming the platform provides them with a RNG implementation and >HASH2 implementation. The "NetworkPkg:: SECURITY PATCH CVE-2023-45237" change simply get's it's random numbers from outside of the NetworkPkg

Re: [edk2-devel] [PATCH v2 03/13] OvmfPkg:PlatformCI: Support virtio-rng-pci

> > So this patch is necessary as otherwise, QEMU fails to boot due to a > missing source of randomness in the network drivers, right? > So I added this based on your initial suggestion to get the ArmVirtPkg working - running it locally (and against the pipelines) shows this isn't necessary. So

[edk2-devel] [PATCH v2 02/13] EmulatorPkg: : Add Hash2DxeCrypto to EmulatorPkg

From: Doug Flick This patch adds Hash2DxeCrypto to EmulatorPkg. The Hash2DxeCrypto is used to provide the hashing protocol services. Cc: Andrew Fish Cc: Ray Ni Signed-off-by: Doug Flick [MSFT] --- EmulatorPkg/EmulatorPkg.dsc | 9 +++-- EmulatorPkg/EmulatorPkg.fdf | 5 + 2 files

[edk2-devel] [PATCH v2 13/13] NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes

From: Doug Flick This patch updates the PxeBcDhcp6GoogleTest due to the changes in the underlying code. The changes are as follows: - Random now comes from the RngLib Protocol - The TCP ISN is now generated by the hash function Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by:

[edk2-devel] [PATCH v2 12/13] MdePkg: Add MockHash2 Protocol for testing

From: Doug Flick This commit adds a new MockHash2 protocol to the MdePkg. This protocol is used to test Hash2 protocol consumers. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] --- MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h | 67

[edk2-devel] [PATCH v2 11/13] MdePkg: : Adds Protocol for MockRng

From: Doug Flick This patch adds a protocol for MockRng. This protocol is used to mock the Rng protocol for testing purposes. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] --- MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h | 48

[edk2-devel] [PATCH v2 10/13] MdePkg: : Add MockUefiBootServicesTableLib

From: Doug Flick This commit adds a mock library for UefiBootServicesTableLib. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] --- MdePkg/Test/MdePkgHostTest.dsc | 1 +

[edk2-devel] [PATCH v2 08/13] NetworkPkg:: SECURITY PATCH CVE-2023-45237

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542 Bug Overview: PixieFail Bug #9 CVE-2023-45237 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Use of a Weak PseudoRandom Number Generator Change

[edk2-devel] [PATCH v2 01/13] EmulatorPkg: : Add RngDxe to EmulatorPkg

From: Doug Flick This patch adds RngDxe to EmulatorPkg. The RngDxe is used to provide random number generation services to the UEFI firmware. Cc: Andrew Fish Cc: Ray Ni Signed-off-by: Doug Flick [MSFT] --- EmulatorPkg/EmulatorPkg.dsc | 9 +++-- EmulatorPkg/EmulatorPkg.fdf | 6 +- 2

[edk2-devel] [PATCH v2 09/13] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236

From: Doug Flick REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541 REF: https://www.rfc-editor.org/rfc/rfc1948.txt REF: https://www.rfc-editor.org/rfc/rfc6528.txt REF: https://www.rfc-editor.org/rfc/rfc9293.txt Bug Overview: PixieFail Bug #8 CVE-2023-45236

[edk2-devel] [PATCH v2 00/13] NetworkPkg: CVE-2023-45236 and CVE-2023-45237

REF:https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html This patch series patches the following CVEs: - CVE-2023-45236: Predictable TCP Initial Sequence Numbers - CVE-2023-45237: Use of a Weak PseudoRandom Number Generator In order to patch

[edk2-devel] [PATCH v2 07/13] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng

Removed from gEfiRngAlgorithmRaw an incorrect assumption that Raw cannot return less than 256 bits. The DRNG Algorithms should always use a 256 bit seed as per nist standards however a caller is free to request less than 256 bits. > > // >// When a DRBG is used on the output of a entropy

[edk2-devel] [PATCH v2 06/13] ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg

This patch adds Hash2DxeCrypto to ArmVirtPkg. The Hash2DxeCrypto is used to provide the hashing protocol services. Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Sami Mujawar Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- ArmVirtPkg/ArmVirtQemu.dsc | 5 +

[edk2-devel] [PATCH v2 05/13] ArmVirtPkg:PlatformCI: Support virtio-rng-pci

This patch adds "virtio-rng-pci" to the PlatformBuildLib.py This adds Rng services to the guest VM Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Sami Mujawar Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- ArmVirtPkg/PlatformCI/PlatformBuildLib.py | 2 ++ 1 file changed, 2 insertions(+)

[edk2-devel] [PATCH v2 04/13] OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg

From: Doug Flick This patch adds Hash2DxeCrypto to OvmfPkg. The Hash2DxeCrypto is used to provide the hashing protocol services. Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- OvmfPkg/OvmfPkgIa32.dsc| 6 +- OvmfPkg/OvmfPkgIa32X64.dsc | 6

[edk2-devel] [PATCH v2 03/13] OvmfPkg:PlatformCI: Support virtio-rng-pci

This patch adds "virtio-rng-pci" to the PlatformBuildLib.py This adds Rng services to the guest VM Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- OvmfPkg/PlatformCI/PlatformBuildLib.py | 2 ++ 1 file changed, 2 insertions(+) diff --git

Re: [edk2-devel] [PATCH v1 07/14] NetworkPkg:: SECURITY PATCH CVE-2023-45237

Ard, I went ahead an added your suggestion to use gEfiRngAlgorithmRaw. This however led me to discover a difference in behavior in x86 based platforms and Arm based platforms and I'm usure which is the correct behavior. On x86 based platforms, if the RngValueLength being requested is less than

Re: [edk2-devel] [PATCH v1 07/14] NetworkPkg:: SECURITY PATCH CVE-2023-45237

In that case, I think that's a fair argument and a simple enough request with limited impact to make. I'll go ahead and add RAW and drop the commits disabling "Secure Algorithms" from VirtioRngDxe based implementations -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent

Re: [edk2-devel] [PATCH v1 07/14] NetworkPkg:: SECURITY PATCH CVE-2023-45237

I don't disagree. The intent is not to be limited by NIST specified standards but rather the only UEFI Spec defined algorithms are NIST Standards. https://uefi.org/specs/UEFI/2.10/37_Secure_Technologies.html#efi-rng-algorithm-definitions I'm not sure what's the best way to clarify this

[edk2-devel] [PATCH v1 11/14] MdePkg: : Add MockUefiBootServicesTableLib

From: Doug Flick This commit adds a mock library for UefiBootServicesTableLib. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] --- MdePkg/Test/MdePkgHostTest.dsc | 1 +

[edk2-devel] [PATCH v1 06/14] ArmVirtPkg: : Add Hash2DxeCrypto to ArmVirtPkg

This patch adds Hash2DxeCrypto to ArmVirtPkg. The Hash2DxeCrypto is used to provide the hashing protocol services. Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Sami Mujawar Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- ArmVirtPkg/ArmVirtQemu.dsc | 5 +

[edk2-devel] [PATCH v1 14/14] NetworkPkg: Update the PxeBcDhcp6GoogleTest due to underlying changes

From: Doug Flick This patch updates the PxeBcDhcp6GoogleTest due to the changes in the underlying code. The changes are as follows: - Random now comes from the RngLib Protocol - The TCP ISN is now generated by the hash function Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by:

[edk2-devel] [PATCH v1 13/14] MdePkg: Add MockHash2 Protocol for testing

From: Doug Flick This commit adds a new MockHash2 protocol to the MdePkg. This protocol is used to test Hash2 protocol consumers. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] --- MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockHash2.h | 67

[edk2-devel] [PATCH v1 07/14] NetworkPkg:: SECURITY PATCH CVE-2023-45237

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542 Bug Overview: PixieFail Bug #9 CVE-2023-45237 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Use of a Weak PseudoRandom Number Generator Change

[edk2-devel] [PATCH v1 12/14] MdePkg: : Adds Protocol for MockRng

From: Doug Flick This patch adds a protocol for MockRng. This protocol is used to mock the Rng protocol for testing purposes. Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] --- MdePkg/Test/Mock/Include/GoogleTest/Protocol/MockRng.h | 48

[edk2-devel] [PATCH v1 09/14] OvmfPkg: Disable NIST Algorithms NetworkPkg

This commit disables enforcement of NIST defined RNG algorithms. Such that NetworkPkg will accept "Default" and depend on the platform. Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- OvmfPkg/OvmfPkgIa32.dsc| 7 +++ OvmfPkg/OvmfPkgIa32X64.dsc

[edk2-devel] [PATCH v1 08/14] NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236

From: Doug Flick REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541 REF: https://www.rfc-editor.org/rfc/rfc1948.txt REF: https://www.rfc-editor.org/rfc/rfc6528.txt REF: https://www.rfc-editor.org/rfc/rfc9293.txt Bug Overview: PixieFail Bug #8 CVE-2023-45236

[edk2-devel] [PATCH v1 10/14] ArmVirtPkg: : Disables NIST algorithms NetworkPkg

The NetworkPkg attempts to use the NIST Algorithms as defined in the EDK2 specification. If not available (or if so desired) the platform may choose to use "Default" and use what is provided by the platform. Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Sami Mujawar Cc: Gerd Hoffmann

[edk2-devel] [PATCH v1 04/14] OvmfPkg: : Add Hash2DxeCrypto to OvmfPkg

From: Doug Flick This patch adds Hash2DxeCrypto to OvmfPkg. The Hash2DxeCrypto is used to provide the hashing protocol services. Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- OvmfPkg/OvmfPkgIa32.dsc| 6 +- OvmfPkg/OvmfPkgIa32X64.dsc | 6

[edk2-devel] [PATCH v1 05/14] ArmVirtPkg:PlatformCI: Support virtio-rng-pci

This patch adds "virtio-rng-pci" to the PlatformBuildLib.py This adds Rng services to the guest VM Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Sami Mujawar Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- ArmVirtPkg/PlatformCI/PlatformBuildLib.py | 2 ++ 1 file changed, 2 insertions(+)

[edk2-devel] [PATCH v1 02/14] EmulatorPkg: : Add Hash2DxeCrypto to EmulatorPkg

From: Doug Flick This patch adds Hash2DxeCrypto to EmulatorPkg. The Hash2DxeCrypto is used to provide the hashing protocol services. Cc: Andrew Fish Cc: Ray Ni Signed-off-by: Doug Flick [MSFT] --- EmulatorPkg/EmulatorPkg.dsc | 9 +++-- EmulatorPkg/EmulatorPkg.fdf | 5 + 2 files

[edk2-devel] [PATCH v1 03/14] OvmfPkg:PlatformCI: Support virtio-rng-pci

This patch adds "virtio-rng-pci" to the PlatformBuildLib.py This adds Rng services to the guest VM Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Gerd Hoffmann Signed-off-by: Doug Flick [MSFT] --- OvmfPkg/PlatformCI/PlatformBuildLib.py | 2 ++ 1 file changed, 2 insertions(+) diff --git

[edk2-devel] [PATCH v1 00/14] NetworkPkg: CVE-2023-45236 and CVE-2023-45237

REF:https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html This patch series patches the following CVEs: - CVE-2023-45236: Predictable TCP Initial Sequence Numbers - CVE-2023-45237: Use of a Weak PseudoRandom Number Generator In order to patch

[edk2-devel] [PATCH v1 01/14] EmulatorPkg: : Add RngDxe to EmulatorPkg

From: Doug Flick This patch adds RngDxe to EmulatorPkg. The RngDxe is used to provide random number generation services to the UEFI firmware. Cc: Andrew Fish Cc: Ray Ni Signed-off-by: Doug Flick [MSFT] --- EmulatorPkg/EmulatorPkg.dsc | 9 +++-- EmulatorPkg/EmulatorPkg.fdf | 6 +- 2

Re: [edk2-devel] Assistance Needed: ArmVirtPkg

Thanks! I figured out out what I was missing (a mistake on my end) and I now have it booting to shell! I'll make the required changes to OvmfPkg and ArmVirtPkg based on your suggestions and put the Patch Series on the mailing list. The assert you were seeing was the patch attempting to use the

Re: [edk2-devel] Assistance Needed: ArmVirtPkg

Thanks Ard for the explanation! Would you be able to tell me the exact changes you made to get to this point and if that would be an acceptable change to make to get these CVE patches on the mailing list? I'm happy adding the depex but fundamentally I think the goal is get these patches into

[edk2-devel] Assistance Needed: ArmVirtPkg

All, In order to patch Tianocore Bugzilla issues and CVEs: 4541 – Bug 08 - edk2/NetworkPkg: Predictable TCP ISNs (tianocore.org) and 4542 – Bug 09 - edk2/NetworkPkg: Use of a Weak PseudoRandom Number Generator

Re: [edk2-devel] [PATCH v2 4/4] NetworkPkg: : Updating SecurityFixes.yaml

At this point - yes - but I don't have the ability to edit it. The advisory should reflect the current status. SecurtiyFixes.yaml is a way to express which commits are needed to be cherrypicked by a downstream consumer and what the current release is protected against.

[edk2-devel] [PATCH v2 15/15] NetworkPkg: : Adds a SecurityFix.yaml file

This creates / adds a security file that tracks the security fixes found in this package and can be used to find the fixes that were applied. Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/SecurityFixes.yaml | 123

[edk2-devel] [PATCH v2 14/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Unit Tests

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540 Unit tests to confirm that the bug.. Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message ..has been patched. This patch contains unit tests for the following functions:

[edk2-devel] [PATCH v2 11/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Unit Tests

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539 Unit tests to that the bug.. Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message ..has been patched This contains tests for the following functions: PxeBcHandleDhcp6Offer

[edk2-devel] [PATCH v2 13/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540 Bug Details: PixieFail Bug #7 CVE-2023-45235 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Buffer overflow when handling Server ID

[edk2-devel] [PATCH v2 12/15] MdePkg: Test: Add gRT_GetTime Google Test Mock

This adds support for GetTime Google Test Mock Cc: Michael D Kinney Cc: Liming Gao Cc: Zhiguang Liu Signed-off-by: Doug Flick [MSFT] --- .../GoogleTest/Library/MockUefiRuntimeServicesTableLib.h | 7 +++ .../MockUefiRuntimeServicesTableLib.cpp| 5 +++-- 2 files

[edk2-devel] [PATCH v2 10/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4539 Bug Details: PixieFail Bug #6 CVE-2023-45234 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Buffer overflow when processing DNS

[edk2-devel] [PATCH v2 08/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537 REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538 Bug Details: PixieFail Bug #4 CVE-2023-45232 CVSS 7.5 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

[edk2-devel] [PATCH v2 09/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4537 REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4538 Unit tests to confirm that.. Infinite loop when parsing unknown options in the Destination Options header and Infinite loop when parsing a PadN option in the

[edk2-devel] [PATCH v2 07/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536 Validates that the patch for... Out-of-bounds read when handling a ND Redirect message with truncated options .. has been fixed Tests the following function to ensure that an out of bounds read does not occur

[edk2-devel] [PATCH v2 06/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4536 Bug Overview: PixieFail Bug #3 CVE-2023-45231 CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-125 Out-of-bounds Read Out-of-bounds read when handling a ND Redirect message with truncated options Change

[edk2-devel] [PATCH v2 05/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534 These tests confirm that the report bug... "Out-of-bounds read when processing IA_NA/IA_TA options in a DHCPv6 Advertise message" ..has been patched. The following functions are tested to confirm an out of bounds read is patched and that

[edk2-devel] [PATCH v2 04/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4534 Bug Details: PixieFail Bug #1 CVE-2023-45229 CVSS 6.5 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-125 Out-of-bounds Read Change Overview: Introduce Dhcp6SeekInnerOptionSafe which performs checks before seeking the Inner Option from

[edk2-devel] [PATCH v2 03/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4535 Confirms that reported issue... "Buffer overflow in the DHCPv6 client via a long Server ID option" ..has been corrected by the provided patch. Tests the following functions to ensure they appropriately handle untrusted data (either too

[edk2-devel] [PATCH v2 02/15] NetworkPkg: : Add Unit tests to CI and create Host Test DSC

Adds Host Based testing to the NetworkPkg Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/Test/NetworkPkgHostTest.dsc | 98 ++ NetworkPkg/NetworkPkg.ci.yaml | 7 +- 2 files changed, 104 insertions(+), 1

[edk2-devel] [PATCH v2 01/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4535 Bug Details: PixieFail Bug #2 CVE-2023-45230 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Changes Overview: > -UINT8 * > +EFI_STATUS >

[edk2-devel] [PATCH v2 00/15] Security Patches for EDK II Network Stack

The security patches contained in this series with the exception of "MdePkg/Test: Add gRT_GetTime Google Test Mock" and "NetworkPkg: : Adds a SecurityFix.yaml file" have been reviewed during GHSA-hc6x-cw6p-gj7h infosec review. This patch series contains the following security patches for the

[edk2-devel] [PATCH 13/14] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Unit Tests

From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4540 SECURITY PATCH - Unit Tests TCBZ4540 CVE-2023-45235 CVSS 8.3 : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Cc: Saloni Kasbekar Cc:

  1   2   >