On 2/17/24 10:17, eddie wang wrote:
> Hi Laszlo,
> After digging deeper, we found that the *EVP_RAND_fetch* in
> "rand_new_seed" and "rand_new_drbg" both got NULL in our case. It
> meant the DRBG implementation could not be fetched. We also compared
> it to the case on Linux, and they could both fetch the DRBG
> implementation correctly. Is it possible that the
> opensslLib 3.0.9 caused any compatibility issues with edk2? Or has
> anyone else encountered the same problem with these openssl services?

Sorry, I can't say.

If you have a small reproducer UEFI application that works fine when
built with edk2-stable202305, but does not work when built against
either edk2-stable202308 or current master, then filing a TianoCore BZ
(regression) seems justified. (AFAICT it was edk2-stable202308 that
incorporated the OpenSSL 3.0.9 upgrade, from 1.1.1u.) Attaching the
source code of the small repro application to the ticket would likely be
helpful.

Laszlo

> Laszlo Ersek <ler...@redhat.com> wrote on Thu, Feb 15, 2024 at 7:48 PM:
> 
>     On 2/15/24 12:09, eddie wang wrote:
>     > Hi Laszlo,
>     > Thanks for your reply. How can I enable the DEBUGs at RandomSeed()?
>     > Or any suggested information that I can provide?
> 
>     Sorry, upon a closer look, I see you had already narrowed it down to
>     RAND_seed() and RAND_status(), which are direct OpenSSL APIs. So my
>     suggestion would amount to adding DEBUGs to OpenSSL, such as to
>     RAND_seed() in
>     "CryptoPkg/Library/OpensslLib/openssl/crypto/rand/rand_lib.c".
> 
>     But, I think you may be able to do just that.
>     "CryptoPkg/Library/Include/CrtLibSupport.h" already includes
>     <DebugLib.h>, and DebugLib is listed under [LibraryClasses] in each
>     instance of OpensslLib. So if you modify your
>     "CryptoPkg/Library/OpensslLib/openssl" submodule directory tree locally,
>     with the following patch:
> 
>     | diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
>     | index 0fcf4fe3bc1e..e5f105268f52 100644
>     | --- a/crypto/rand/rand_lib.c
>     | +++ b/crypto/rand/rand_lib.c
>     | @@ -257,6 +257,8 @@ void RAND_seed(const void *buf, int num)
>     |      drbg = RAND_get0_primary(NULL);
>     |      if (drbg != NULL && num > 0)
>     |          EVP_RAND_reseed(drbg, 0, NULL, 0, buf, num);
>     | +
>     | +    DEBUG ((DEBUG_INFO, "%a: hello\n", __func__));
>     |  }
>     |
>     |  void RAND_add(const void *buf, int num, double randomness)
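
Review bot: The DEBUG added at the end of RAND_seed() prints only the function name, so it fires whether or not the `if (drbg != NULL && num > 0)` branch ran and cannot show that RAND_get0_primary(NULL) returned NULL. Consider printing `drbg` with %p and `num` with %d, and capturing the return value of EVP_RAND_reseed(), which the existing call discards, so that a single run shows which step failed.
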
> 
>     then you should get usable debug messages -- at least it builds for me.
> 
>     Inserting DEBUGs like this (over multiple rounds of testing / narrowing)
>     should lead you to the exact location that is responsible for the
>     initialization failure.
> 
>     You mention you have encountered the problem with a UEFI application.
>     That is relevant for choosing your DebugLib instance. If you already
>     have a functional DebugLib instance for your platform (logging to the
>     serial port, for example), then just use that.
> 
>     Otherwise, consider building your UEFI application with a module scope
>     override in the DSC file, one that resolves DebugLib to
> 
>       MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
> 
>     or
> 
>       MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf
> 
>     These will send DEBUG messages to the UEFI console or standard error
>     devices, respectively.
> 
>     hth
>     Laszlo
> 
>     > Laszlo Ersek <ler...@redhat.com> wrote on Thu, Feb 8, 2024 at 5:03 AM:
>     >
>     >     On 2/6/24 08:00, eddie wang wrote:
>     >     > Hi all,
>     >     > We had a UEFI application that used the EDK2 (2023/12/05), and
>     >     > we would like to take advantage of the services in BaseCryptLib.
>     >     > However, the API in CryptoPkg "*RandomSeed()*" (X64, in
>     >     > CryptRandTsc.c) always returned false because the pseudorandom
>     >     > number generator setup failed. I am not sure whether this issue
>     >     > is from the *openssl configuration in OpensslLib (we use the
>     >     > default configuration)* or is from the *openssl 3.0.9*.
>     >     >
>     >     > Are there any comments about this issue?
>     >
>     >     Can you narrow it down by inserting DEBUGs starting at
>     >     RandomSeed() [CryptoPkg/Library/BaseCryptLib/Rand/CryptRandTsc.c],
>     >     and then digging down as necessary?
>     >
>     >     Laszlo
>     >
> 
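
The module-scope DebugLib override described in the quoted reply above, written out as a DSC fragment. This is an added example, not taken from the thread or from edk2 itself; the application path is a placeholder, and the PCD values are assumptions chosen so that DEBUG_INFO messages such as the one in the patch are actually printed.

```dsc
# Constructed example. MyAppPkg/MyApp/MyApp.inf is a placeholder for the
# UEFI application's own INF file.
[Components]
  MyAppPkg/MyApp/MyApp.inf {
    <LibraryClasses>
      # Applies to the application and every library linked into it,
      # including OpensslLib: DEBUG() output goes to the UEFI console.
      DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf
      # Alternative: send DEBUG() output to the standard error device.
      # DebugLib|MdePkg/Library/UefiDebugLibStdErr/UefiDebugLibStdErr.inf

    <PcdsFixedAtBuild>
      # Bit 0x02 of the property mask enables DEBUG() printing.
      gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2F
      # DEBUG_ERROR (0x80000000) | DEBUG_INFO (0x00000040); without the
      # DEBUG_INFO bit a DEBUG ((DEBUG_INFO, ...)) call prints nothing.
      gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x80000040
  }
```

DEBUG() expands to nothing when MDEPKG_NDEBUG is defined, so build with a target that does not define it.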



View/Reply Online (#115599): https://edk2.groups.io/g/devel/message/115599