<div dir="ltr"><div>Hi Ard,</div><div><br></div><div>Given this patch plus the corresponding linux-efi patches wrt RNG, I'm mildly concerned about buggy RDRAND implementations compromising the kernel's RNG. Is this not a concern?</div><div><br></div><div>It's also worth noting that MdePkg/Library/BaseRngLib skips the CPUID bit check in ArchIsRngSupported for $REASON, which I assume will crash pre-RDRAND VMs.</div><div>We should probably also test for stupidly broken rdrand implementations like the notorious Zen 3 which always return 0xFFFFFFFF (per xkcd 221 ;)).</div><div><br></div><div>Thanks,</div><div>Pedro<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Nov 10, 2022 at 1:48 PM Ard Biesheuvel <<a href="mailto:ardb@kernel.org">ardb@kernel.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Expose the EFI_RNG_PROTOCOL based on RdRand, so that we don't have to<br>
rely on QEMU providing a virtio-rng device in order to implement this<br>
protocol.<br>
<br>
Signed-off-by: Ard Biesheuvel <<a href="mailto:ardb@kernel.org" target="_blank">ardb@kernel.org</a>><br>
---<br>
 OvmfPkg/OvmfPkgIa32.dsc    | 1 +<br>
 OvmfPkg/OvmfPkgIa32.fdf    | 1 +<br>
 OvmfPkg/OvmfPkgIa32X64.dsc | 1 +<br>
 OvmfPkg/OvmfPkgIa32X64.fdf | 1 +<br>
 OvmfPkg/OvmfPkgX64.dsc     | 1 +<br>
 OvmfPkg/OvmfPkgX64.fdf     | 1 +<br>
 6 files changed, 6 insertions(+)<br>
<br>
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc<br>
index e9ba491237ae..18c1e7255812 100644<br>
--- a/OvmfPkg/OvmfPkgIa32.dsc<br>
+++ b/OvmfPkg/OvmfPkgIa32.dsc<br>
@@ -941,6 +941,7 @@ [Components]<br>
   }<br>
 !endif<br>
<br>
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf<br>
 !if $(SECURE_BOOT_ENABLE) == TRUE<br>
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf<br>
   OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf<br>
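Review bot: RngDxe.inf is added unconditionally here, outside the !if $(SECURE_BOOT_ENABLE) guard, while the diff (six files, one insertion each) contains no [LibraryClasses] change, so which RngLib instance the driver links against, and hence that the protocol really is RdRand-backed as the commit message says, is not visible from the patch; please state in the commit message which RngLib instance OVMF resolves for this driver and how the driver behaves in a guest whose CPUID does not advertise RDRAND. The same applies to the OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc hunks.<br>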
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf<br>
index 7023ade8cebe..34f27ca832bc 100644<br>
--- a/OvmfPkg/OvmfPkgIa32.fdf<br>
+++ b/OvmfPkg/OvmfPkgIa32.fdf<br>
@@ -248,6 +248,7 @@ [FV.DXEFV]<br>
 INF  OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf<br>
 !endif<br>
<br>
+  INF  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf<br>
 !if $(SECURE_BOOT_ENABLE) == TRUE<br>
   INF  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf<br>
 !endif<br>
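Review bot: Indentation is inconsistent with the surrounding lines: the added "INF  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf" is indented two spaces although it sits outside the !if block, where the neighbouring "INF  OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf" is flush left; the OvmfPkgX64.fdf hunk of this same patch adds the line flush left, so this hunk and the OvmfPkgIa32X64.fdf one should match it.<br>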
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc<br>
index af566b953f36..e9a199c9f490 100644<br>
--- a/OvmfPkg/OvmfPkgIa32X64.dsc<br>
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc<br>
@@ -955,6 +955,7 @@ [Components.X64]<br>
   }<br>
 !endif<br>
<br>
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf<br>
 !if $(SECURE_BOOT_ENABLE) == TRUE<br>
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf<br>
   OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf<br>
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf<br>
index 80de4fa2c0df..33cc163e596e 100644<br>
--- a/OvmfPkg/OvmfPkgIa32X64.fdf<br>
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf<br>
@@ -249,6 +249,7 @@ [FV.DXEFV]<br>
 INF  OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf<br>
 !endif<br>
<br>
+  INF  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf<br>
 !if $(SECURE_BOOT_ENABLE) == TRUE<br>
   INF  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf<br>
 !endif<br>
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc<br>
index f39d9cd117e6..5572cb82998f 100644<br>
--- a/OvmfPkg/OvmfPkgX64.dsc<br>
+++ b/OvmfPkg/OvmfPkgX64.dsc<br>
@@ -1023,6 +1023,7 @@ [Components]<br>
   }<br>
 !endif<br>
<br>
+  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf<br>
 !if $(SECURE_BOOT_ENABLE) == TRUE<br>
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf<br>
   OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf<br>
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf<br>
index c0f5a1ef3c30..d42deebe3f8f 100644<br>
--- a/OvmfPkg/OvmfPkgX64.fdf<br>
+++ b/OvmfPkg/OvmfPkgX64.fdf<br>
@@ -274,6 +274,7 @@ [FV.DXEFV]<br>
 INF  OvmfPkg/LsiScsiDxe/LsiScsiDxe.inf<br>
 !endif<br>
<br>
+INF  SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf<br>
 !if $(SECURE_BOOT_ENABLE) == TRUE<br>
   INF  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf<br>
 !endif<br>
-- <br>
2.35.1<br>
------------<br>
Groups.io Links: You receive all messages sent to this group.<br>
View/Reply Online (#96191): <a href="https://edk2.groups.io/g/devel/message/96191" rel="noreferrer" target="_blank">https://edk2.groups.io/g/devel/message/96191</a><br>
Mute This Topic: <a href="https://groups.io/mt/94935843/5946980" rel="noreferrer" target="_blank">https://groups.io/mt/94935843/5946980</a><br>
Group Owner: <a href="mailto:devel%2Bowner@edk2.groups.io" target="_blank">devel+owner@edk2.groups.io</a><br>
Unsubscribe: <a href="https://edk2.groups.io/g/devel/unsub" rel="noreferrer" target="_blank">https://edk2.groups.io/g/devel/unsub</a> [<a href="mailto:pedro.falcato@gmail.com" target="_blank">pedro.falcato@gmail.com</a>]<br>
------------<br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Pedro Falcato</div></div>


 <hr>   Groups.io Links: You receive all messages sent to this group. <a target="_blank" href="https://edk2.groups.io/g/devel/message/96546">View/Reply Online (#96546)</a>