Re: [edk2-devel] [Patch V2] pip-requirements.txt: Update basetools version to 0.1.24
Created a PR https://github.com/tianocore/edk2/pull/3033 -Original Message- From: devel@edk2.groups.io On Behalf Of Bob Feng Sent: Thursday, June 30, 2022 12:11 PM To: devel@edk2.groups.io Cc: Kinney, Michael D ; Kubacki, Michael Subject: [edk2-devel] [Patch V2] pip-requirements.txt: Update basetools version to 0.1.24 Upgrade the edk2-basetools version from 0.1.17 to 0.1.24 features and bug fixes: 1. Add FMMT Python Tool 2. Remove RVCT support 3. Fix dependency issue in PcdValueInit 4. Output the intermediate library instance when error occurs 5. Ecc: Fix grammar in Ecc error message 6. Fix the GenMake bug for .cpp source file Signed-off-by: Bob Feng Reviewed-by: Michael D Kinney Acked-by: Michael Kubacki ---update the commit message. pip-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pip-requirements.txt b/pip-requirements.txt index 6585df201d..29424b08bd 100644 --- a/pip-requirements.txt +++ b/pip-requirements.txt @@ -12,7 +12,7 @@ # https://www.python.org/dev/peps/pep-0440/#version-specifiers ## edk2-pytool-library==0.11.2 edk2-pytool-extensions~=0.16.0-edk2-basetools==0.1.17+edk2-basetools==0.1.24 antlr4-python3-runtime==4.7.1-- 2.29.1.windows.1 -=-=-=-=-=-= Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90926): https://edk2.groups.io/g/devel/message/90926 Mute This Topic: https://groups.io/mt/92080401/1768742 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [bob.c.f...@intel.com] -=-=-=-=-=-= -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90927): https://edk2.groups.io/g/devel/message/90927 Mute This Topic: https://groups.io/mt/92080401/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [Patch V2] pip-requirements.txt: Update basetools version to 0.1.24
Upgrade the edk2-basetools version from 0.1.17 to 0.1.24 features and bug fixes: 1. Add FMMT Python Tool 2. Remove RVCT support 3. Fix dependency issue in PcdValueInit 4. Output the intermediate library instance when error occurs 5. Ecc: Fix grammar in Ecc error message 6. Fix the GenMake bug for .cpp source file Signed-off-by: Bob Feng Reviewed-by: Michael D Kinney Acked-by: Michael Kubacki --- update the commit message. pip-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pip-requirements.txt b/pip-requirements.txt index 6585df201d..29424b08bd 100644 --- a/pip-requirements.txt +++ b/pip-requirements.txt @@ -12,7 +12,7 @@ # https://www.python.org/dev/peps/pep-0440/#version-specifiers ## edk2-pytool-library==0.11.2 edk2-pytool-extensions~=0.16.0 -edk2-basetools==0.1.17 +edk2-basetools==0.1.24 antlr4-python3-runtime==4.7.1 -- 2.29.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90926): https://edk2.groups.io/g/devel/message/90926 Mute This Topic: https://groups.io/mt/92080401/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH RESEND v1 0/9] Add DrbgLib
More question: Please educate me how you plan to include DrbgLib to openssl? Currently, it is using RngLib. https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/OpensslLib/OpensslLib.inf#L634? Thank you Yao Jiewen > -Original Message- > From: Kinney, Michael D > Sent: Thursday, June 30, 2022 8:16 AM > To: devel@edk2.groups.io; pierre.gond...@arm.com; Kinney, Michael D > > Cc: Sami Mujawar ; Leif Lindholm > ; Ard Biesheuvel ; > Rebecca Cran ; Gao, Liming > ; Yao, Jiewen ; Wang, > Jian J > Subject: RE: [edk2-devel] [PATCH RESEND v1 0/9] Add DrbgLib > > Hi Pierre, > > Can you add to the Patch #0 Summary and the BZ the difference > between the existing RngLib and this new DrbgLib? > > Would you recommend one be implement on top of the other? > > Really glad to see test vectors were used to verify correctness. > Can you consider adding formal unit tests using the UnitTestFrameworkPkg > with those test vectors so a unit test failure would be generated if > maintenance is performed in the future that changes the behavior? > > Thanks, > > Mike > > > -Original Message- > > From: devel@edk2.groups.io On Behalf Of > PierreGondois > > Sent: Wednesday, June 29, 2022 12:19 PM > > To: devel@edk2.groups.io > > Cc: Sami Mujawar ; Leif Lindholm > ; Ard Biesheuvel ; > > Rebecca Cran ; Kinney, Michael D > ; Gao, Liming ; Yao, > > Jiewen ; Wang, Jian J > > Subject: [edk2-devel] [PATCH RESEND v1 0/9] Add DrbgLib > > > > From: Pierre Gondois > > > > Bugzilla: Bug 3971 (https://bugzilla.tianocore.org/show_bug.cgi?id=3971) > > > > Add support for a Deterministic Random Bits Generator (Drbg). The > > specifications used are the following: > > > > - [1] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation > > for Random Number Generation Using Deterministic Random Bit > Generators. > > (https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final) > > - [2] NIST Special Publication 800-90B, Recommendation for the Entropy > > Sources Used for Random Bit Generation. > > (https://csrc.nist.gov/publications/detail/sp/800-90b/final) > > - [3] (Second Draft) NIST Special Publication 800-90C, Recommendation for > > Random Bit Generator (RBG) Constructions. > > (https://csrc.nist.gov/publications/detail/sp/800-90c/draft) > > - [4] NIST Special Publication 800-57 Part 1 Revision 5, May 2020, > > Recommendation for Key Management:Part 1 - General. > > > > The test vectors available in the CTR_DRBG_AES256 sections of > > https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and- > Guidelines/documents/examples/CTR_DRBG_noDF.pdf > > were used for validation. > > > > This patch-set can seen at: > > https://github.com/PierreARM/edk2/tree/Arm_Drbg_v1 > > > > This patch has the following dependency: > > - [PATCH v3 00/22] Add Raw algorithm support using Arm FW-TRNG interface > > https://edk2.groups.io/g/devel/message/90845 > > - [PATCH v1 0/7] Add AesLib and ArmAesLib > > https://edk2.groups.io/g/devel/message/90878 > > > > Pierre Gondois (9): > > MdePkg/DrbgLib: Drbg library interface definition > > MdePkg/DrbgLib: Add NULL instance of Drbg Library > > MdePkg/DrbgLib: Add BitStream implementation > > MdePkg/DrbgLib: Add Get_entropy_input() implementation > > MdePkg/DrbgLib: Add common wrappers > > MdePkg/DrbgLib: Add Ctr Drbg mechanism functions > > MdePkg/DrbgLib: Add Drbg mechanism functions and module > > ArmVirtPkg: Kvmtool: Add AesLib/DrbgLib for RngDxe > > SecurityPkg/RngDxe: Use DrbgLib in RngDxe for Arm > > > > ArmVirtPkg/ArmVirtKvmTool.dsc |2 + > > MdePkg/Include/Library/DrbgLib.h | 172 +++ > > MdePkg/Library/DrbgLib/BitStream.c| 1114 + > > MdePkg/Library/DrbgLib/BitStream.h| 366 ++ > > MdePkg/Library/DrbgLib/Common.c | 249 > > MdePkg/Library/DrbgLib/Common.h | 74 ++ > > MdePkg/Library/DrbgLib/CtrDrbg.c | 899 + > > MdePkg/Library/DrbgLib/CtrDrbg.h | 100 ++ > > MdePkg/Library/DrbgLib/DrbgLib.c | 628 ++ > > MdePkg/Library/DrbgLib/DrbgLib.inf| 39 + > > MdePkg/Library/DrbgLib/DrbgLibInternal.h | 310 + > > MdePkg/Library/DrbgLib/GetEntropyInput.c | 72 ++ > > MdePkg/Library/DrbgLib/GetEntropyInput.h | 48 + > > MdePkg/Library/DrbgLibNull/DrbgLib.c | 165 +++ > > MdePkg/Library/DrbgLibNull/DrbgLibNull.inf| 21 + > > MdePkg/MdePkg.dec |4 + > > MdePkg/MdePkg.dsc |2 + > > .../RandomNumberGenerator/RngDxe/ArmRngDxe.c | 75 +- > > .../RandomNumberGenerator/RngDxe/RngDxe.inf |1 + > > SecurityPkg/SecurityPkg.dsc |2 + > > 20 files changed, 4342 insertions(+), 1 deletion(-) > > create mode 100644 MdePkg/Include/Library/DrbgLib.h > > create mode 100644 MdePkg/Library/DrbgLib/BitS
Re: [edk2-devel] [PATCH] BaseTools/tools_def.txt: Add -march=x86-64 for X64 CLANG and GCC targets
GCC 5.4 documentation ( https://gcc.gnu.org/onlinedocs/gcc-5.4.0/gcc/x86-Options.html#x86-Options) doesn't include x86-64. I assume that specific option was added somewhere in the last 2-3 years when this x86-64-v* concept was added? I went looking around in linux and they don't seem to specify anything of sorts either. I can't speak for ARM but for IA32 it's pretty logic: the Pentium 1 (i586) was the first processor with CPUID, RDTSC, RD/WRMSR, etc. Essentials for firmware code that will never really even run on a processor that old. On Thu, Jun 30, 2022 at 12:25 AM dann frazier wrote: > On Wed, Jun 29, 2022 at 11:06:01PM +0100, Pedro Falcato wrote: > > This may be a strong opinion but I would consider toolchains that > > explicitly change the default -march from the well understood x86-64 > (which > > all 64-bit processors support) to be totally broken. If a distro wants to > > switch the -march for the packages, override CFLAGS :) > > Opinion noted. But is there a downside to edk2 being explicit about > its target CPU level on x86-64, given it already does so for IA32 and > ARM? > > -dann > > > On Wed, Jun 29, 2022 at 10:57 PM dann frazier < > dann.fraz...@canonical.com> > > wrote: > > > > > Ping on this. Would it be more palatable if I limited the change only > > > to tested toolchains (gcc/clang)? Alternatively, is there a way to > > > submit this code to CI to verify the !(gcc|clang) variants? > > > > > > -dann > > > > > > On Fri, Jun 10, 2022 at 12:09:18PM -0600, dann frazier wrote: > > > > From: dann frazier > > > > > > > > Some Linux distributions are experimenting with builds that target a > > > > higher x86-64 psABI, such as x86-64-v3. To avoid inheriting these > > > > compiler defaults in edk2 builds, and therefore breaking > compatibility > > > > with machines using older CPUs, explicitly target the generic x86-64 > > > > psABI. This is similar to how we explicitly specify the cpu type for > > > > some other architectures (-march=i586 for IA32, -march=armv7-a for > ARM). > > > > > > > > Spot tested with OVMF builds using GCC5 and CLANG38. > > > > > > > > Signed-off-by: dann frazier > > > > --- > > > > BaseTools/Conf/tools_def.template | 20 ++-- > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > diff --git a/BaseTools/Conf/tools_def.template > > > b/BaseTools/Conf/tools_def.template > > > > index adcd23f727..569d16fb3e 100755 > > > > --- a/BaseTools/Conf/tools_def.template > > > > +++ b/BaseTools/Conf/tools_def.template > > > > @@ -1885,7 +1885,7 @@ DEFINE GCC_DEPS_FLAGS = -MMD -MF > > > $@.deps > > > > DEFINE GCC48_ALL_CC_FLAGS= DEF(GCC_ALL_CC_FLAGS) > > > -ffunction-sections -fdata-sections > -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings > > > > DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib > > > -Wl,-n,-q,--gc-sections -z common-page-size=0x20 > > > > DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 > > > -march=i586 -malign-double -fno-stack-protector -D EFI32 > > > -fno-asynchronous-unwind-tables -Wno-address > > > > -DEFINE GCC48_X64_CC_FLAGS= DEF(GCC48_ALL_CC_FLAGS) -m64 > > > -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" > > > -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small > -fpie > > > -fno-asynchronous-unwind-tables -Wno-address > > > > +DEFINE GCC48_X64_CC_FLAGS= DEF(GCC48_ALL_CC_FLAGS) -m64 > > > -march=x86-64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" > > > -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small > -fpie > > > -fno-asynchronous-unwind-tables -Wno-address > > > > DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = > DEF(GCC48_IA32_X64_DLINK_COMMON) > > > -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable > > > > DEFINE GCC48_IA32_X64_DLINK_FLAGS= > DEF(GCC48_IA32_X64_DLINK_COMMON) > > > -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) > > > -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive > > > > DEFINE GCC48_IA32_DLINK2_FLAGS = > > > -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON) > > > > @@ -2613,15 +2613,15 @@ NOOPT_CLANG38_IA32_DLINK2_FLAGS = > > > DEF(GCC5_IA32_DLINK2_FLAGS) -O0 > > > > *_CLANG38_X64_ASLPP_FLAGS = DEF(GCC_ASLPP_FLAGS) > > > DEF(CLANG38_X64_TARGET) > > > > *_CLANG38_X64_VFRPP_FLAGS = DEF(GCC_VFRPP_FLAGS) > > > DEF(CLANG38_X64_TARGET) > > > > > > > > -DEBUG_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > > > "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small -fpie > -Oz > > > -flto DEF(CLANG38_X64_TARGET) -g > > > > +DEBUG_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > > > -march=x86-64 "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone > > > -mcmodel=small -fpie -Oz -flto DEF(CLANG38_X64_TARGET) -g > > > > DEBUG_CLANG38_X64_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) > > > -flto -Wl,-Oz -Wl,-melf_x86_64 -Wl,--oformat=elf64-x86-64 -Wl,-pie > > > -mcmodel=small
Re: [edk2-devel] [PATCH] BaseTools/tools_def.txt: Add -march=x86-64 for X64 CLANG and GCC targets
On Wed, Jun 29, 2022, 18:10 Kinney, Michael D wrote: > What is the default when -march is not specified? > Whatever your compiler was built to target by default. Today that's x86-64 pretty much everywhere. But it's possible some distros may change that, and I don't think we want edk2 builds changing if they happen to be built on one of them. -dann Mike > > > -Original Message- > > From: devel@edk2.groups.io On Behalf Of dann > frazier > > Sent: Wednesday, June 29, 2022 4:25 PM > > To: Pedro Falcato > > Cc: edk2-devel-groups-io ; Feng, Bob C < > bob.c.f...@intel.com>; Gao, Liming ; > > Chen, Christine > > Subject: Re: [edk2-devel] [PATCH] BaseTools/tools_def.txt: Add > -march=x86-64 for X64 CLANG and GCC targets > > > > On Wed, Jun 29, 2022 at 11:06:01PM +0100, Pedro Falcato wrote: > > > This may be a strong opinion but I would consider toolchains that > > > explicitly change the default -march from the well understood x86-64 > (which > > > all 64-bit processors support) to be totally broken. If a distro wants > to > > > switch the -march for the packages, override CFLAGS :) > > > > Opinion noted. But is there a downside to edk2 being explicit about > > its target CPU level on x86-64, given it already does so for IA32 and > > ARM? > > > > -dann > > > > > On Wed, Jun 29, 2022 at 10:57 PM dann frazier < > dann.fraz...@canonical.com> > > > wrote: > > > > > > > Ping on this. Would it be more palatable if I limited the change only > > > > to tested toolchains (gcc/clang)? Alternatively, is there a way to > > > > submit this code to CI to verify the !(gcc|clang) variants? > > > > > > > > -dann > > > > > > > > On Fri, Jun 10, 2022 at 12:09:18PM -0600, dann frazier wrote: > > > > > From: dann frazier > > > > > > > > > > Some Linux distributions are experimenting with builds that target > a > > > > > higher x86-64 psABI, such as x86-64-v3. To avoid inheriting these > > > > > compiler defaults in edk2 builds, and therefore breaking > compatibility > > > > > with machines using older CPUs, explicitly target the generic > x86-64 > > > > > psABI. This is similar to how we explicitly specify the cpu type > for > > > > > some other architectures (-march=i586 for IA32, -march=armv7-a for > ARM). > > > > > > > > > > Spot tested with OVMF builds using GCC5 and CLANG38. > > > > > > > > > > Signed-off-by: dann frazier > > > > > --- > > > > > BaseTools/Conf/tools_def.template | 20 ++-- > > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > > > diff --git a/BaseTools/Conf/tools_def.template > > > > b/BaseTools/Conf/tools_def.template > > > > > index adcd23f727..569d16fb3e 100755 > > > > > --- a/BaseTools/Conf/tools_def.template > > > > > +++ b/BaseTools/Conf/tools_def.template > > > > > @@ -1885,7 +1885,7 @@ DEFINE GCC_DEPS_FLAGS = -MMD -MF > > > > $@.deps > > > > > DEFINE GCC48_ALL_CC_FLAGS= DEF(GCC_ALL_CC_FLAGS) > > > > -ffunction-sections -fdata-sections > -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings > > > > > DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib > > > > -Wl,-n,-q,--gc-sections -z common-page-size=0x20 > > > > > DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) > -m32 > > > > -march=i586 -malign-double -fno-stack-protector -D EFI32 > > > > -fno-asynchronous-unwind-tables -Wno-address > > > > > -DEFINE GCC48_X64_CC_FLAGS= DEF(GCC48_ALL_CC_FLAGS) > -m64 > > > > -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" > > > > -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small > -fpie > > > > -fno-asynchronous-unwind-tables -Wno-address > > > > > +DEFINE GCC48_X64_CC_FLAGS= DEF(GCC48_ALL_CC_FLAGS) > -m64 > > > > -march=x86-64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" > > > > -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small > -fpie > > > > -fno-asynchronous-unwind-tables -Wno-address > > > > > DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = > DEF(GCC48_IA32_X64_DLINK_COMMON) > > > > -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable > > > > > DEFINE GCC48_IA32_X64_DLINK_FLAGS= > DEF(GCC48_IA32_X64_DLINK_COMMON) > > > > -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) > > > > -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive > > > > > DEFINE GCC48_IA32_DLINK2_FLAGS = > > > > -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON) > > > > > @@ -2613,15 +2613,15 @@ NOOPT_CLANG38_IA32_DLINK2_FLAGS = > > > > DEF(GCC5_IA32_DLINK2_FLAGS) -O0 > > > > > *_CLANG38_X64_ASLPP_FLAGS = DEF(GCC_ASLPP_FLAGS) > > > > DEF(CLANG38_X64_TARGET) > > > > > *_CLANG38_X64_VFRPP_FLAGS = DEF(GCC_VFRPP_FLAGS) > > > > DEF(CLANG38_X64_TARGET) > > > > > > > > > > -DEBUG_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) > -m64 > > > > "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small > -fpie -Oz > > > > -flto DEF(CLANG38_X64_TARGET) -g > > > > > +DEBUG_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC
Re: [edk2-devel] [PATCH RESEND v1 5/7] MdePkg/AesLib: Definition for AES library class interface
Hi
1) Would you please educate me, how this library be used in cryptolib? -
https://github.com/tianocore/edk2/blob/master/CryptoPkg/Include/Library/BaseCryptLib.h#L1091
Currently, we have AES_CBC. We are going to add AES_GCM in near future.
2) For Intel AES_NI, we added support in OpensslLib directly -
https://github.com/tianocore/edk2/tree/master/CryptoPkg/Library/OpensslLib/X64,
can ARM use the similar model?
3) Do you have chance to take a look if this interface is good enough to
implement Intel AES_NI instruction?
Thank you
Yao Jiewen
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of
> PierreGondois
> Sent: Thursday, June 30, 2022 3:14 AM
> To: devel@edk2.groups.io
> Cc: Sami Mujawar ; Leif Lindholm
> ; Ard Biesheuvel ;
> Rebecca Cran ; Kinney, Michael D
> ; Gao, Liming ;
> Edward Pickup
> Subject: [edk2-devel] [PATCH RESEND v1 5/7] MdePkg/AesLib: Definition for AES
> library class interface
>
> From: Pierre Gondois
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3970
>
> The FIPS PUB 197: "Advanced Encryption Standard (AES)"
> details the AES algorithm. Add a library to allow
> different architecture specific implementations.
>
> Signed-off-by: Pierre Gondois
> ---
> MdePkg/Include/Library/AesLib.h | 104
> MdePkg/MdePkg.dec | 4 ++
> 2 files changed, 108 insertions(+)
> create mode 100644 MdePkg/Include/Library/AesLib.h
>
> diff --git a/MdePkg/Include/Library/AesLib.h b/MdePkg/Include/Library/AesLib.h
> new file mode 100644
> index ..bc3408bb249b
> --- /dev/null
> +++ b/MdePkg/Include/Library/AesLib.h
> @@ -0,0 +1,104 @@
> +/** @file
> + AES library.
> +
> + Copyright (c) 2022, Arm Limited. All rights reserved.
> +
> + SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> + @par Reference(s):
> + - FIPS 197 November 26, 2001:
> + Specification for the ADVANCED ENCRYPTION STANDARD (AES)
> +**/
> +
> +#ifndef AES_LIB_H_
> +#define AES_LIB_H_
> +
> +/// Key size in bytes.
> +#define AES_KEY_SIZE_128 16
> +#define AES_KEY_SIZE_192 24
> +#define AES_KEY_SIZE_256 32
> +#define AES_BLOCK_SIZE16
> +
> +/*
> + The Key Expansion generates a total of Nb (Nr + 1) words with:
> +- Nb = 4:
> + Number of columns (32-bit words) comprising the State
> +- Nr = 10, 12, or 14:
> + Number of rounds.
> + */
> +#define AES_MAX_KEYLENGTH_U32 (4 * (14 + 1))
> +
> +/** A context holding information to for AES encryption/decryption.
> + */
> +typedef struct {
> + /// Expanded encryption key.
> + UINT32ExpEncKey[AES_MAX_KEYLENGTH_U32];
> + /// Expanded decryption key.
> + UINT32ExpDecKey[AES_MAX_KEYLENGTH_U32];
> + /// Key size, in bytes.
> + /// Must be one of 16|24|32.
> + UINT32KeySize;
> +} AES_CTX;
> +
> +/** Encrypt an AES block.
> +
> + Buffers are little-endian. Overlapping is not checked.
> +
> + @param [in] AesCtxAES context.
> + AesCtx is initialized with AesInitCtx ().
> + @param [in] InBlock Input Block. The block to cipher.
> + @param [out] OutBlock Output Block. The ciphered block.
> +
> + @retval RETURN_SUCCESSSuccess.
> + @retval RETURN_INVALID_PARAMETER Invalid parameter.
> + @retval RETURN_UNSUPPORTEDUnsupported.
> +**/
> +RETURN_STATUS
> +EFIAPI
> +AesEncrypt (
> + IN AES_CTX *AesCtx,
> + IN UINT8 CONST *InBlock,
> + OUT UINT8*OutBlock
> + );
> +
> +/** Decrypt an AES block.
> +
> + Buffers are little-endian. Overlapping is not checked.
> +
> + @param [in] AesCtxAES context.
> + AesCtx is initialized with AesInitCtx ().
> + @param [in] InBlock Input Block. The block to de-cipher.
> + @param [out] OutBlock Output Block. The de-ciphered block.
> +
> + @retval RETURN_SUCCESSSuccess.
> + @retval RETURN_INVALID_PARAMETER Invalid parameter.
> + @retval RETURN_UNSUPPORTEDUnsupported.
> +**/
> +RETURN_STATUS
> +EFIAPI
> +AesDecrypt (
> + IN AES_CTX *AesCtx,
> + IN UINT8 CONST *InBlock,
> + OUT UINT8*OutBlock
> + );
> +
> +/** Initialize an AES_CTX structure.
> +
> + @param [in] Key AES key. Buffer of KeySize bytes.
> + The buffer is little endian.
> + @param [in] KeySize Size of the key. Must be one of 128|192|256.
> + @param [in, out] AesCtxAES context to initialize.
> +
> + @retval RETURN_SUCCESSSuccess.
> + @retval RETURN_INVALID_PARAMETER Invalid parameter.
> + @retval RETURN_UNSUPPORTEDUnsupported.
> +**/
> +RETURN_STATUS
> +EFIAPI
> +AesInitCtx (
> + IN UINT8*Key,
> + IN UINT32 KeySize,
> + IN OUT AES_CTX *AesCtx
> + );
> +
> +#endif // AES_LIB_H_
> diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
> index 7ff26e22f915..078ae9323ba6 100644
> --- a/MdePkg/MdePkg.dec
> +++ b/MdePkg/MdePkg.dec
> @@ -280,6 +280,10 @@ [LibraryClasses]
>#
>TrngLib|Include/Library/TrngLib.h
>
> + ## @l
Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable Libraries
Thanks, Jiewen. I will incorporate the change you suggested below and
re-validate on the platforms we have, while I wait for the tags from MU
repo owners.
Regards,
Kun
On 6/29/2022 5:19 PM, Yao, Jiewen wrote:
Sounds great.
1) I assume that if it is accepted by project MU, then it must be
reviewed and tested. Please add required tag in next patch set.
2) I suggest just use one of: a) all zero, b) initial data Jan/1/1970,
c) current data.
With above change, reviewed-by: Jiewen Yao
Thank you
Yao, Jiewen
*From:* devel@edk2.groups.io *On Behalf Of *Kun Qin
*Sent:* Thursday, June 30, 2022 2:07 AM
*To:* devel@edk2.groups.io; Yao, Jiewen
*Cc:* Wang, Jian J ; Xu, Min M
; Sean Brogan ; Ard
Biesheuvel ; Justen, Jordan L
; Gerd Hoffmann ;
Rebecca Cran ; Peter Grehan ;
Boeuf, Sebastien ; Andrew Fish
; Ni, Ray
*Subject:* Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot
Variable Libraries
Hi Jiewen,
Thanks for reading through these patches.
For #1, yes, we implemented these changes in project MU and validated
them on both our virtual platform
(https://github.com/microsoft/mu_tiano_platforms) and other
proprietary hardware platforms. I will leave the acked-by or tested-by
to others on the MU teams.
For #2, this is just an arbitrary timestamp from a previous date so
that we can create time based payload without hard dependency on time
protocol (which could result in potential executing sequence issue). I
will update comment to avoid confusion in the next round of patch. But
should you have other suggestions to improve this, please let me know.
Regards,
Kun
On 6/29/2022 1:50 AM, Yao, Jiewen wrote:
Hi Kun
Thank you to make the redesign.
Overall the patch set looks good to me. Some questions:
1. Is that from project MU? If so, I would like to see acked-by
or tested-by from project MU owner. That can give me more
confidence to accept it. 😊
2. Is below data from some document? If so, would please add URL?
Also, why do we have to use this timestamp? What if a
different timestamp is used?
+// MS Default Time-Based Payload Creation Date
+// This is the date that is used when creating SecureBoot default
variables.
+// NOTE: This is a placeholder date that doesn't correspond to
anything else.
+//
+EFI_TIMEÂ mDefaultPayloadTimestamp = {
+ 15,  // Year (2015)
+ 8,   // Month (Aug)
+ 28,  // Day (28)
+ 0,   // Hour
+ 0,   // Minute
+ 0,   // Second
+ 0,   // Pad1
+ 0,   // Nanosecond
+ 0,   // Timezone (Dummy value)
+ 0,   // Daylight (Dummy value)
+Â 0 // Pad2
+};
*From:* Kun Qin
*Sent:* Wednesday, June 29, 2022 5:19 AM
*To:* edk2-devel-groups-io
; kuqi...@gmail.com
*Cc:* Yao, Jiewen
; Wang, Jian J
; Xu, Min M
; Sean Brogan
;
Ard Biesheuvel
; Justen, Jordan L
;
Gerd Hoffmann ;
Rebecca Cran ; Peter
Grehan ; Boeuf,
Sebastien
; Andrew Fish
; Ni, Ray
*Subject:* Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot
Variable Libraries
Hi SecurityPkg maintainers & reviewers,
I posted this patch series a while back intending to generalize
the usage of a few interfaces from secure boot libraries. Could
you please help reviewing them and provide feedback? Any input is
appreciated.
Regards,
Kun
On Mon, Jun 13, 2022 at 1:39 PM Kun Qin via groups.io
wrote:
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911
This is a revamp of a previously submitted patch series based
on top of
master branch: https://edk2.groups.io/g/devel/message/89507.
No changes
added.
Current SecureBootVariableLib provide great support for
deleting secure
boot related variables, creating time-based payloads.
However, for secure boot enrollment, the
SecureBootVariableProvisionLib
interfaces always assume the changes from variable storage,
limiting the
usage, requiring existing platforms to change key
initialization process
to adapt to the new methods, as well as bringing in extra
dependencies
such as FV protocol, time protocols.
This patch series proposes to update the implementation for
Secure Boot
Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable Libraries
Sounds great.
1) I assume that if it is accepted by project MU, then it must be reviewed and
tested. Please add required tag in next patch set.
2) I suggest just use one of: a) all zero, b) initial data Jan/1/1970, c)
current data.
With above change, reviewed-by: Jiewen Yao
Thank you
Yao, Jiewen
From: devel@edk2.groups.io On Behalf Of Kun Qin
Sent: Thursday, June 30, 2022 2:07 AM
To: devel@edk2.groups.io; Yao, Jiewen
Cc: Wang, Jian J ; Xu, Min M ; Sean
Brogan ; Ard Biesheuvel ;
Justen, Jordan L ; Gerd Hoffmann
; Rebecca Cran ; Peter Grehan
; Boeuf, Sebastien ; Andrew Fish
; Ni, Ray
Subject: Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable
Libraries
Hi Jiewen,
Thanks for reading through these patches.
For #1, yes, we implemented these changes in project MU and validated them on
both our virtual platform (https://github.com/microsoft/mu_tiano_platforms) and
other proprietary hardware platforms. I will leave the acked-by or tested-by to
others on the MU teams.
For #2, this is just an arbitrary timestamp from a previous date so that we can
create time based payload without hard dependency on time protocol (which could
result in potential executing sequence issue). I will update comment to avoid
confusion in the next round of patch. But should you have other suggestions to
improve this, please let me know.
Regards,
Kun
On 6/29/2022 1:50 AM, Yao, Jiewen wrote:
Hi Kun
Thank you to make the redesign.
Overall the patch set looks good to me. Some questions:
1. Is that from project MU? If so, I would like to see acked-by or tested-by
from project MU owner. That can give me more confidence to accept it. 😊
1. Is below data from some document? If so, would please add URL? Also, why
do we have to use this timestamp? What if a different timestamp is used?
+// MS Default Time-Based Payload Creation Date
+// This is the date that is used when creating SecureBoot default variables.
+// NOTE: This is a placeholder date that doesn't correspond to anything else.
+//
+EFI_TIME mDefaultPayloadTimestamp = {
+ 15, // Year (2015)
+ 8,// Month (Aug)
+ 28, // Day (28)
+ 0,// Hour
+ 0,// Minute
+ 0,// Second
+ 0,// Pad1
+ 0,// Nanosecond
+ 0,// Timezone (Dummy value)
+ 0,// Daylight (Dummy value)
+ 0 // Pad2
+};
From: Kun Qin
Sent: Wednesday, June 29, 2022 5:19 AM
To: edk2-devel-groups-io ;
kuqi...@gmail.com
Cc: Yao, Jiewen ; Wang, Jian
J ; Xu, Min M
; Sean Brogan
; Ard Biesheuvel
; Justen, Jordan L
; Gerd Hoffmann
; Rebecca Cran
; Peter Grehan
; Boeuf, Sebastien
; Andrew Fish
; Ni, Ray
Subject: Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable
Libraries
Hi SecurityPkg maintainers & reviewers,
I posted this patch series a while back intending to generalize the usage of a
few interfaces from secure boot libraries. Could you please help reviewing them
and provide feedback? Any input is appreciated.
Regards,
Kun
On Mon, Jun 13, 2022 at 1:39 PM Kun Qin via groups.io
mailto:gmail@groups.io>> wrote:
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911
This is a revamp of a previously submitted patch series based on top of
master branch: https://edk2.groups.io/g/devel/message/89507. No changes
added.
Current SecureBootVariableLib provide great support for deleting secure
boot related variables, creating time-based payloads.
However, for secure boot enrollment, the SecureBootVariableProvisionLib
interfaces always assume the changes from variable storage, limiting the
usage, requiring existing platforms to change key initialization process
to adapt to the new methods, as well as bringing in extra dependencies
such as FV protocol, time protocols.
This patch series proposes to update the implementation for Secure Boot
Variable libraries and their consumers to better support the related
variables operations.
Patch v2 branch: https://github.com/kuqin12/edk2/tree/secure_boot_enhance_v2
Cc: Jiewen Yao mailto:jiewen@intel.com>>
Cc: Jian J Wang mailto:jian.j.w...@intel.com>>
Cc: Min Xu mailto:min.m...@intel.com>>
Cc: Sean Brogan mailto:sean.bro...@microsoft.com>>
Cc: Ard Biesheuvel
mailto:ardb%2btianoc...@kernel.org>>
Cc: Jordan Justen mailto:jordan.l.jus...@intel.com>>
Cc: Gerd Hoffmann mailto:kra...@redhat.com>>
Cc: Rebecca Cran mailto:rebe...@bsdio.com>>
Cc: Peter Grehan mailto:gre...@freebsd.org>>
Cc: Sebastien Boeuf
mailto:sebasti
Re: [edk2-devel] [PATCH RESEND v1 0/9] Add DrbgLib
Hi Pierre, Can you add to the Patch #0 Summary and the BZ the difference between the existing RngLib and this new DrbgLib? Would you recommend one be implement on top of the other? Really glad to see test vectors were used to verify correctness. Can you consider adding formal unit tests using the UnitTestFrameworkPkg with those test vectors so a unit test failure would be generated if maintenance is performed in the future that changes the behavior? Thanks, Mike > -Original Message- > From: devel@edk2.groups.io On Behalf Of PierreGondois > Sent: Wednesday, June 29, 2022 12:19 PM > To: devel@edk2.groups.io > Cc: Sami Mujawar ; Leif Lindholm > ; Ard Biesheuvel ; > Rebecca Cran ; Kinney, Michael D > ; Gao, Liming ; Yao, > Jiewen ; Wang, Jian J > Subject: [edk2-devel] [PATCH RESEND v1 0/9] Add DrbgLib > > From: Pierre Gondois > > Bugzilla: Bug 3971 (https://bugzilla.tianocore.org/show_bug.cgi?id=3971) > > Add support for a Deterministic Random Bits Generator (Drbg). The > specifications used are the following: > > - [1] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation > for Random Number Generation Using Deterministic Random Bit > Generators. > (https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final) > - [2] NIST Special Publication 800-90B, Recommendation for the Entropy > Sources Used for Random Bit Generation. > (https://csrc.nist.gov/publications/detail/sp/800-90b/final) > - [3] (Second Draft) NIST Special Publication 800-90C, Recommendation for > Random Bit Generator (RBG) Constructions. > (https://csrc.nist.gov/publications/detail/sp/800-90c/draft) > - [4] NIST Special Publication 800-57 Part 1 Revision 5, May 2020, > Recommendation for Key Management:Part 1 - General. > > The test vectors available in the CTR_DRBG_AES256 sections of > https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/CTR_DRBG_noDF.pdf > were used for validation. > > This patch-set can seen at: > https://github.com/PierreARM/edk2/tree/Arm_Drbg_v1 > > This patch has the following dependency: > - [PATCH v3 00/22] Add Raw algorithm support using Arm FW-TRNG interface > https://edk2.groups.io/g/devel/message/90845 > - [PATCH v1 0/7] Add AesLib and ArmAesLib > https://edk2.groups.io/g/devel/message/90878 > > Pierre Gondois (9): > MdePkg/DrbgLib: Drbg library interface definition > MdePkg/DrbgLib: Add NULL instance of Drbg Library > MdePkg/DrbgLib: Add BitStream implementation > MdePkg/DrbgLib: Add Get_entropy_input() implementation > MdePkg/DrbgLib: Add common wrappers > MdePkg/DrbgLib: Add Ctr Drbg mechanism functions > MdePkg/DrbgLib: Add Drbg mechanism functions and module > ArmVirtPkg: Kvmtool: Add AesLib/DrbgLib for RngDxe > SecurityPkg/RngDxe: Use DrbgLib in RngDxe for Arm > > ArmVirtPkg/ArmVirtKvmTool.dsc |2 + > MdePkg/Include/Library/DrbgLib.h | 172 +++ > MdePkg/Library/DrbgLib/BitStream.c| 1114 + > MdePkg/Library/DrbgLib/BitStream.h| 366 ++ > MdePkg/Library/DrbgLib/Common.c | 249 > MdePkg/Library/DrbgLib/Common.h | 74 ++ > MdePkg/Library/DrbgLib/CtrDrbg.c | 899 + > MdePkg/Library/DrbgLib/CtrDrbg.h | 100 ++ > MdePkg/Library/DrbgLib/DrbgLib.c | 628 ++ > MdePkg/Library/DrbgLib/DrbgLib.inf| 39 + > MdePkg/Library/DrbgLib/DrbgLibInternal.h | 310 + > MdePkg/Library/DrbgLib/GetEntropyInput.c | 72 ++ > MdePkg/Library/DrbgLib/GetEntropyInput.h | 48 + > MdePkg/Library/DrbgLibNull/DrbgLib.c | 165 +++ > MdePkg/Library/DrbgLibNull/DrbgLibNull.inf| 21 + > MdePkg/MdePkg.dec |4 + > MdePkg/MdePkg.dsc |2 + > .../RandomNumberGenerator/RngDxe/ArmRngDxe.c | 75 +- > .../RandomNumberGenerator/RngDxe/RngDxe.inf |1 + > SecurityPkg/SecurityPkg.dsc |2 + > 20 files changed, 4342 insertions(+), 1 deletion(-) > create mode 100644 MdePkg/Include/Library/DrbgLib.h > create mode 100644 MdePkg/Library/DrbgLib/BitStream.c > create mode 100644 MdePkg/Library/DrbgLib/BitStream.h > create mode 100644 MdePkg/Library/DrbgLib/Common.c > create mode 100644 MdePkg/Library/DrbgLib/Common.h > create mode 100644 MdePkg/Library/DrbgLib/CtrDrbg.c > create mode 100644 MdePkg/Library/DrbgLib/CtrDrbg.h > create mode 100644 MdePkg/Library/DrbgLib/DrbgLib.c > create mode 100644 MdePkg/Library/DrbgLib/DrbgLib.inf > create mode 100644 MdePkg/Library/DrbgLib/DrbgLibInternal.h > create mode 100644 MdePkg/Library/DrbgLib/GetEntropyInput.c > create mode 100644 MdePkg/Library/DrbgLib/GetEntropyInput.h > create mode 100644 MdePkg/Library/DrbgLibNull/DrbgLib.c > create mode 100644 MdePkg/Library/DrbgLibNull/DrbgLibNull.inf > > -- > 2.25.1 > > > > -=-=-
Re: [edk2-devel] [PATCH] BaseTools/tools_def.txt: Add -march=x86-64 for X64 CLANG and GCC targets
What is the default when -march is not specified? Mike > -Original Message- > From: devel@edk2.groups.io On Behalf Of dann frazier > Sent: Wednesday, June 29, 2022 4:25 PM > To: Pedro Falcato > Cc: edk2-devel-groups-io ; Feng, Bob C > ; Gao, Liming ; > Chen, Christine > Subject: Re: [edk2-devel] [PATCH] BaseTools/tools_def.txt: Add -march=x86-64 > for X64 CLANG and GCC targets > > On Wed, Jun 29, 2022 at 11:06:01PM +0100, Pedro Falcato wrote: > > This may be a strong opinion but I would consider toolchains that > > explicitly change the default -march from the well understood x86-64 (which > > all 64-bit processors support) to be totally broken. If a distro wants to > > switch the -march for the packages, override CFLAGS :) > > Opinion noted. But is there a downside to edk2 being explicit about > its target CPU level on x86-64, given it already does so for IA32 and > ARM? > > -dann > > > On Wed, Jun 29, 2022 at 10:57 PM dann frazier > > wrote: > > > > > Ping on this. Would it be more palatable if I limited the change only > > > to tested toolchains (gcc/clang)? Alternatively, is there a way to > > > submit this code to CI to verify the !(gcc|clang) variants? > > > > > > -dann > > > > > > On Fri, Jun 10, 2022 at 12:09:18PM -0600, dann frazier wrote: > > > > From: dann frazier > > > > > > > > Some Linux distributions are experimenting with builds that target a > > > > higher x86-64 psABI, such as x86-64-v3. To avoid inheriting these > > > > compiler defaults in edk2 builds, and therefore breaking compatibility > > > > with machines using older CPUs, explicitly target the generic x86-64 > > > > psABI. This is similar to how we explicitly specify the cpu type for > > > > some other architectures (-march=i586 for IA32, -march=armv7-a for ARM). > > > > > > > > Spot tested with OVMF builds using GCC5 and CLANG38. > > > > > > > > Signed-off-by: dann frazier > > > > --- > > > > BaseTools/Conf/tools_def.template | 20 ++-- > > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > > > diff --git a/BaseTools/Conf/tools_def.template > > > b/BaseTools/Conf/tools_def.template > > > > index adcd23f727..569d16fb3e 100755 > > > > --- a/BaseTools/Conf/tools_def.template > > > > +++ b/BaseTools/Conf/tools_def.template > > > > @@ -1885,7 +1885,7 @@ DEFINE GCC_DEPS_FLAGS = -MMD -MF > > > $@.deps > > > > DEFINE GCC48_ALL_CC_FLAGS= DEF(GCC_ALL_CC_FLAGS) > > > -ffunction-sections -fdata-sections > > > -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings > > > > DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib > > > -Wl,-n,-q,--gc-sections -z common-page-size=0x20 > > > > DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 > > > -march=i586 -malign-double -fno-stack-protector -D EFI32 > > > -fno-asynchronous-unwind-tables -Wno-address > > > > -DEFINE GCC48_X64_CC_FLAGS= DEF(GCC48_ALL_CC_FLAGS) -m64 > > > -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" > > > -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie > > > -fno-asynchronous-unwind-tables -Wno-address > > > > +DEFINE GCC48_X64_CC_FLAGS= DEF(GCC48_ALL_CC_FLAGS) -m64 > > > -march=x86-64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" > > > -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie > > > -fno-asynchronous-unwind-tables -Wno-address > > > > DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) > > > -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable > > > > DEFINE GCC48_IA32_X64_DLINK_FLAGS= DEF(GCC48_IA32_X64_DLINK_COMMON) > > > -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) > > > -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive > > > > DEFINE GCC48_IA32_DLINK2_FLAGS = > > > -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON) > > > > @@ -2613,15 +2613,15 @@ NOOPT_CLANG38_IA32_DLINK2_FLAGS = > > > DEF(GCC5_IA32_DLINK2_FLAGS) -O0 > > > > *_CLANG38_X64_ASLPP_FLAGS = DEF(GCC_ASLPP_FLAGS) > > > DEF(CLANG38_X64_TARGET) > > > > *_CLANG38_X64_VFRPP_FLAGS = DEF(GCC_VFRPP_FLAGS) > > > DEF(CLANG38_X64_TARGET) > > > > > > > > -DEBUG_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > > > "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small -fpie -Oz > > > -flto DEF(CLANG38_X64_TARGET) -g > > > > +DEBUG_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > > > -march=x86-64 "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone > > > -mcmodel=small -fpie -Oz -flto DEF(CLANG38_X64_TARGET) -g > > > > DEBUG_CLANG38_X64_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) > > > -flto -Wl,-Oz -Wl,-melf_x86_64 -Wl,--oformat=elf64-x86-64 -Wl,-pie > > > -mcmodel=small > > > > DEBUG_CLANG38_X64_DLINK2_FLAGS = DEF(GCC5_X64_DLINK2_FLAGS) -O3 > > > > > > > > -RELEASE_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > > > "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small -fpie -
Re: [edk2-devel] [PATCH] BaseTools/tools_def.txt: Add -march=x86-64 for X64 CLANG and GCC targets
On Wed, Jun 29, 2022 at 11:06:01PM +0100, Pedro Falcato wrote: > This may be a strong opinion but I would consider toolchains that > explicitly change the default -march from the well understood x86-64 (which > all 64-bit processors support) to be totally broken. If a distro wants to > switch the -march for the packages, override CFLAGS :) Opinion noted. But is there a downside to edk2 being explicit about its target CPU level on x86-64, given it already does so for IA32 and ARM? -dann > On Wed, Jun 29, 2022 at 10:57 PM dann frazier > wrote: > > > Ping on this. Would it be more palatable if I limited the change only > > to tested toolchains (gcc/clang)? Alternatively, is there a way to > > submit this code to CI to verify the !(gcc|clang) variants? > > > > -dann > > > > On Fri, Jun 10, 2022 at 12:09:18PM -0600, dann frazier wrote: > > > From: dann frazier > > > > > > Some Linux distributions are experimenting with builds that target a > > > higher x86-64 psABI, such as x86-64-v3. To avoid inheriting these > > > compiler defaults in edk2 builds, and therefore breaking compatibility > > > with machines using older CPUs, explicitly target the generic x86-64 > > > psABI. This is similar to how we explicitly specify the cpu type for > > > some other architectures (-march=i586 for IA32, -march=armv7-a for ARM). > > > > > > Spot tested with OVMF builds using GCC5 and CLANG38. > > > > > > Signed-off-by: dann frazier > > > --- > > > BaseTools/Conf/tools_def.template | 20 ++-- > > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > > > diff --git a/BaseTools/Conf/tools_def.template > > b/BaseTools/Conf/tools_def.template > > > index adcd23f727..569d16fb3e 100755 > > > --- a/BaseTools/Conf/tools_def.template > > > +++ b/BaseTools/Conf/tools_def.template > > > @@ -1885,7 +1885,7 @@ DEFINE GCC_DEPS_FLAGS = -MMD -MF > > $@.deps > > > DEFINE GCC48_ALL_CC_FLAGS= DEF(GCC_ALL_CC_FLAGS) > > -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings > > > DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib > > -Wl,-n,-q,--gc-sections -z common-page-size=0x20 > > > DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 > > -march=i586 -malign-double -fno-stack-protector -D EFI32 > > -fno-asynchronous-unwind-tables -Wno-address > > > -DEFINE GCC48_X64_CC_FLAGS= DEF(GCC48_ALL_CC_FLAGS) -m64 > > -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" > > -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie > > -fno-asynchronous-unwind-tables -Wno-address > > > +DEFINE GCC48_X64_CC_FLAGS= DEF(GCC48_ALL_CC_FLAGS) -m64 > > -march=x86-64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" > > -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie > > -fno-asynchronous-unwind-tables -Wno-address > > > DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) > > -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable > > > DEFINE GCC48_IA32_X64_DLINK_FLAGS= DEF(GCC48_IA32_X64_DLINK_COMMON) > > -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) > > -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive > > > DEFINE GCC48_IA32_DLINK2_FLAGS = > > -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON) > > > @@ -2613,15 +2613,15 @@ NOOPT_CLANG38_IA32_DLINK2_FLAGS = > > DEF(GCC5_IA32_DLINK2_FLAGS) -O0 > > > *_CLANG38_X64_ASLPP_FLAGS = DEF(GCC_ASLPP_FLAGS) > > DEF(CLANG38_X64_TARGET) > > > *_CLANG38_X64_VFRPP_FLAGS = DEF(GCC_VFRPP_FLAGS) > > DEF(CLANG38_X64_TARGET) > > > > > > -DEBUG_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > > "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small -fpie -Oz > > -flto DEF(CLANG38_X64_TARGET) -g > > > +DEBUG_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > > -march=x86-64 "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone > > -mcmodel=small -fpie -Oz -flto DEF(CLANG38_X64_TARGET) -g > > > DEBUG_CLANG38_X64_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) > > -flto -Wl,-Oz -Wl,-melf_x86_64 -Wl,--oformat=elf64-x86-64 -Wl,-pie > > -mcmodel=small > > > DEBUG_CLANG38_X64_DLINK2_FLAGS = DEF(GCC5_X64_DLINK2_FLAGS) -O3 > > > > > > -RELEASE_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > > "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small -fpie -Oz > > -flto DEF(CLANG38_X64_TARGET) > > > +RELEASE_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > > -march=x86-64 "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone > > -mcmodel=small -fpie -Oz -flto DEF(CLANG38_X64_TARGET) > > > RELEASE_CLANG38_X64_DLINK_FLAGS= DEF(GCC5_IA32_X64_DLINK_FLAGS) > > -flto -Wl,-Oz -Wl,-melf_x86_64 -Wl,--oformat=elf64-x86-64 -Wl,-pie > > -mcmodel=small > > > RELEASE_CLANG38_X64_DLINK2_FLAGS = DEF(GCC5_X64_DLINK2_FLAGS) -O3 > > > > > > -NOOPT_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > > "-DEFIAPI=__att
[edk2-devel] [PATCH] MdePkg/Acpi62: Add bit definitions to NFIT Platform Capabilities Structure
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3915
This commit adds each capability bit definition
for NFIT Platform Capabilities Structure.
The type has been added since ACPI Specification Version 6.2A.
Signed-off-by: Miki Shindo
Cc: Michael D Kinney
Cc: Liming Gao
Cc: Zhiguang Liu
Cc: Ray Ni
Cc: Liming Gao
---
MdePkg/Include/IndustryStandard/Acpi62.h | 4
MdePkg/Include/IndustryStandard/Acpi63.h | 4
MdePkg/Include/IndustryStandard/Acpi64.h | 4
3 files changed, 12 insertions(+)
diff --git a/MdePkg/Include/IndustryStandard/Acpi62.h
b/MdePkg/Include/IndustryStandard/Acpi62.h
index 836e986ee5..e27775a85a 100644
--- a/MdePkg/Include/IndustryStandard/Acpi62.h
+++ b/MdePkg/Include/IndustryStandard/Acpi62.h
@@ -1651,6 +1651,10 @@ typedef struct {
UINT8 Reserved_12[4];
} EFI_ACPI_6_2_NFIT_PLATFORM_CAPABILITIES_STRUCTURE;
+#define
EFI_ACPI_6_2_NFIT_PLATFORM_CAPABILITY_CPU_CACHE_FLUSH_TO_NVDIMM_DURABILITY_ON_POWER_LOSS
BIT0
+#define
EFI_ACPI_6_2_NFIT_PLATFORM_CAPABILITY_MEMORY_CONTROLLER_FLUSH_TO_NVDIMM_DURABILITY_ON_POWER_LOSS
BIT1
+#define
EFI_ACPI_6_2_NFIT_PLATFORM_CAPABILITY_BYTE_ADDRESSABLE_PERSISTENT_MEMORY_HARDWARE_MIRRORING
BIT2
+
///
/// Secure DEVices Table (SDEV)
///
diff --git a/MdePkg/Include/IndustryStandard/Acpi63.h
b/MdePkg/Include/IndustryStandard/Acpi63.h
index 15a30d8808..10bdf5fe5a 100644
--- a/MdePkg/Include/IndustryStandard/Acpi63.h
+++ b/MdePkg/Include/IndustryStandard/Acpi63.h
@@ -1615,6 +1615,10 @@ typedef struct {
UINT8 Reserved_12[4];
} EFI_ACPI_6_3_NFIT_PLATFORM_CAPABILITIES_STRUCTURE;
+#define
EFI_ACPI_6_3_NFIT_PLATFORM_CAPABILITY_CPU_CACHE_FLUSH_TO_NVDIMM_DURABILITY_ON_POWER_LOSS
BIT0
+#define
EFI_ACPI_6_3_NFIT_PLATFORM_CAPABILITY_MEMORY_CONTROLLER_FLUSH_TO_NVDIMM_DURABILITY_ON_POWER_LOSS
BIT1
+#define
EFI_ACPI_6_3_NFIT_PLATFORM_CAPABILITY_BYTE_ADDRESSABLE_PERSISTENT_MEMORY_HARDWARE_MIRRORING
BIT2
+
///
/// Secure DEVices Table (SDEV)
///
diff --git a/MdePkg/Include/IndustryStandard/Acpi64.h
b/MdePkg/Include/IndustryStandard/Acpi64.h
index c1d8b14c44..fe5ebfac2b 100644
--- a/MdePkg/Include/IndustryStandard/Acpi64.h
+++ b/MdePkg/Include/IndustryStandard/Acpi64.h
@@ -1664,6 +1664,10 @@ typedef struct {
UINT8 Reserved_12[4];
} EFI_ACPI_6_4_NFIT_PLATFORM_CAPABILITIES_STRUCTURE;
+#define
EFI_ACPI_6_4_NFIT_PLATFORM_CAPABILITY_CPU_CACHE_FLUSH_TO_NVDIMM_DURABILITY_ON_POWER_LOSS
BIT0
+#define
EFI_ACPI_6_4_NFIT_PLATFORM_CAPABILITY_MEMORY_CONTROLLER_FLUSH_TO_NVDIMM_DURABILITY_ON_POWER_LOSS
BIT1
+#define
EFI_ACPI_6_4_NFIT_PLATFORM_CAPABILITY_BYTE_ADDRESSABLE_PERSISTENT_MEMORY_HARDWARE_MIRRORING
BIT2
+
///
/// Secure DEVices Table (SDEV)
///
--
2.27.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90916): https://edk2.groups.io/g/devel/message/90916
Mute This Topic: https://groups.io/mt/92075891/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel][edk2-platforms][PATCH V1 2/2] MinPlatformPkg/Build: Reduce duplication
Removed needless duplication between sections. Addes spaces after commas. Remove commented out code. Cc: Chasel Chiu Cc: Nate DeSimone Cc: Liming Gao Cc: Eric Dong Signed-off-by: Isaac Oram --- .../MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc | 55 +-- .../MinPlatformPkg/Include/Dsc/CorePeiLib.dsc | 29 +++--- 2 files changed, 20 insertions(+), 64 deletions(-) diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc index 9b3095d662..6a4d586ddf 100644 --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc @@ -8,14 +8,14 @@ ## - # - # Generic EDKII Lib - # +# +# Generic EDKII Lib +# - # - # DXE phase common - # -[LibraryClasses.common.DXE_CORE,LibraryClasses.common.DXE_SMM_DRIVER,LibraryClasses.common.SMM_CORE,LibraryClasses.common.DXE_DRIVER,LibraryClasses.common.DXE_RUNTIME_DRIVER,LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION] +# +# DXE phase common +# +[LibraryClasses.common.DXE_CORE, LibraryClasses.common.DXE_SMM_DRIVER, LibraryClasses.common.SMM_CORE, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf @@ -32,14 +32,8 @@ FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf TimerLib|PcAtChipsetPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf -!if gMinPlatformPkgTokenSpaceGuid.PcdPerformanceEnable == TRUE - PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf -!endif - TimerLib|PcAtChipsetPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf - BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf - Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf @@ -50,6 +44,9 @@ VariableReadLib|MinPlatformPkg/Library/DxeRuntimeVariableReadLib/DxeRuntimeVariableReadLib.inf VariableWriteLib|MinPlatformPkg/Library/DxeRuntimeVariableWriteLib/DxeRuntimeVariableWriteLib.inf +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] + PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf + [LibraryClasses.common.DXE_CORE, LibraryClasses.common.SMM_CORE] !if $(TARGET) != RELEASE DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf @@ -62,21 +59,15 @@ !if gMinPlatformPkgTokenSpaceGuid.PcdPerformanceEnable == TRUE PerformanceLib|MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf - TimerLib|PcAtChipsetPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf -!endif !endif +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER] + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf + [LibraryClasses.common.DXE_DRIVER] - Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf - PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf - -[LibraryClasses.common.UEFI_DRIVER] - PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf -# PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf [LibraryClasses.common.DXE_SMM_DRIVER] - PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableLib.inf MmServicesTableLib|MdePkg/Library/MmServicesTableLib/MmServicesTableLib.inf ReportStatusCodeLib|MdeModulePkg/Library/SmmReportStatusCodeLib/SmmReportStatusCodeLib.inf @@ -87,7 +78,6 @@ !if gMinPlatformPkgTokenSpaceGuid.PcdPerformanceEnable == TRUE PerformanceLib|MdeModulePkg/Library/SmmPerformanceLib/SmmPerformanceLib.inf - TimerLib|PcAtChipsetPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf !endif SmmCpuPlatformHookLib|UefiCpuPkg/Library/SmmCpuPlatformHookLibNull/SmmCpuPlatformHookLibNull.inf @@ -100,8 +90,6 @@ VariableWriteLib|MinPlatformPkg/Library/SmmVariableWriteLib/TraditionalMmVariableWriteLib.inf [LibraryClasses.common.SMM_CORE] - PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf - HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf MemoryAllocationLib|MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemoryAllocationLib.inf SmmServicesTableLib|MdeModulePkg/Library/PiSmmCoreSmmServicesTableLib/PiSmmCoreSmmServicesTableLib.inf ReportStatusCodeLib|MdeModule
[edk2-devel][edk2-platforms][PATCH V1 1/2] MinPlatformPkg/Build: Add NOOPT build
Add NOOPT build support to enable easy debugging of unoptimized code. Generally the same libraries are desired for DEBUG and NOOPT. Cc: Chasel Chiu Cc: Nate DeSimone Cc: Liming Gao Cc: Eric Dong Signed-off-by: Isaac Oram --- .../Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc | 11 +-- .../Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc | 4 ++-- Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc | 2 +- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc index 209ccdaf54..9b3095d662 100644 --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc @@ -50,6 +50,11 @@ VariableReadLib|MinPlatformPkg/Library/DxeRuntimeVariableReadLib/DxeRuntimeVariableReadLib.inf VariableWriteLib|MinPlatformPkg/Library/DxeRuntimeVariableWriteLib/DxeRuntimeVariableWriteLib.inf +[LibraryClasses.common.DXE_CORE, LibraryClasses.common.SMM_CORE] +!if $(TARGET) != RELEASE + DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf +!endif + [LibraryClasses.common.DXE_CORE] HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf MemoryAllocationLib|MdeModulePkg/Library/DxeCoreMemoryAllocationLib/DxeCoreMemoryAllocationLib.inf @@ -59,9 +64,6 @@ PerformanceLib|MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf TimerLib|PcAtChipsetPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf !endif - -!if $(TARGET) == DEBUG - DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf !endif [LibraryClasses.common.DXE_DRIVER] @@ -109,9 +111,6 @@ PerformanceLib|MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.inf TimerLib|PcAtChipsetPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf !endif - -!if $(TARGET) == DEBUG - DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf !endif [LibraryClasses.common.DXE_RUNTIME_DRIVER] diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc index c12189bd9a..1bf8338f95 100644 --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc @@ -37,7 +37,7 @@ [LibraryClasses.common.SEC] ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf -!if $(TARGET) == DEBUG +!if $(TARGET) != RELEASE DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf !endif PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf @@ -46,7 +46,7 @@ [LibraryClasses.common.PEI_CORE] TimerLib|PcAtChipsetPkg/Library/AcpiTimerLib/PeiAcpiTimerLib.inf CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SecPeiCpuExceptionHandlerLib.inf -!if $(TARGET) == DEBUG +!if $(TARGET) != RELEASE DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf !endif diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc index a8373a4ecb..09aa6fe4d5 100644 --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc @@ -20,7 +20,7 @@ DSC_SPECIFICATION = 0x00010005 OUTPUT_DIRECTORY= Build/MinPlatformPkg SUPPORTED_ARCHITECTURES = IA32|X64 - BUILD_TARGETS = DEBUG|RELEASE + BUILD_TARGETS = NOOPT|DEBUG|RELEASE SKUID_IDENTIFIER= DEFAULT -- 2.36.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90914): https://edk2.groups.io/g/devel/message/90914 Mute This Topic: https://groups.io/mt/92075456/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel][edk2-platforms][PATCH V1 0/2] Add MinPlatformPkg NOOPT build option
Add the NOOPT build option. Use the same libraries for DEBUG and NOOPT Clean up some duplication and coding style issues with the include files. Cc: Chasel Chiu Cc: Nate DeSimone Cc: Liming Gao Cc: Eric Dong Signed-off-by: Isaac Oram Isaac Oram (2): MinPlatformPkg/Build: Add NOOPT build MinPlatformPkg/Build: Reduce duplication .../MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc | 64 +-- .../MinPlatformPkg/Include/Dsc/CorePeiLib.dsc | 29 ++--- .../Intel/MinPlatformPkg/MinPlatformPkg.dsc | 2 +- 3 files changed, 25 insertions(+), 70 deletions(-) -- 2.36.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90913): https://edk2.groups.io/g/devel/message/90913 Mute This Topic: https://groups.io/mt/92075448/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH] BaseTools/tools_def.txt: Add -march=x86-64 for X64 CLANG and GCC targets
This may be a strong opinion but I would consider toolchains that explicitly change the default -march from the well understood x86-64 (which all 64-bit processors support) to be totally broken. If a distro wants to switch the -march for the packages, override CFLAGS :) On Wed, Jun 29, 2022 at 10:57 PM dann frazier wrote: > Ping on this. Would it be more palatable if I limited the change only > to tested toolchains (gcc/clang)? Alternatively, is there a way to > submit this code to CI to verify the !(gcc|clang) variants? > > -dann > > On Fri, Jun 10, 2022 at 12:09:18PM -0600, dann frazier wrote: > > From: dann frazier > > > > Some Linux distributions are experimenting with builds that target a > > higher x86-64 psABI, such as x86-64-v3. To avoid inheriting these > > compiler defaults in edk2 builds, and therefore breaking compatibility > > with machines using older CPUs, explicitly target the generic x86-64 > > psABI. This is similar to how we explicitly specify the cpu type for > > some other architectures (-march=i586 for IA32, -march=armv7-a for ARM). > > > > Spot tested with OVMF builds using GCC5 and CLANG38. > > > > Signed-off-by: dann frazier > > --- > > BaseTools/Conf/tools_def.template | 20 ++-- > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > diff --git a/BaseTools/Conf/tools_def.template > b/BaseTools/Conf/tools_def.template > > index adcd23f727..569d16fb3e 100755 > > --- a/BaseTools/Conf/tools_def.template > > +++ b/BaseTools/Conf/tools_def.template > > @@ -1885,7 +1885,7 @@ DEFINE GCC_DEPS_FLAGS = -MMD -MF > $@.deps > > DEFINE GCC48_ALL_CC_FLAGS= DEF(GCC_ALL_CC_FLAGS) > -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings > > DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib > -Wl,-n,-q,--gc-sections -z common-page-size=0x20 > > DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 > -march=i586 -malign-double -fno-stack-protector -D EFI32 > -fno-asynchronous-unwind-tables -Wno-address > > -DEFINE GCC48_X64_CC_FLAGS= DEF(GCC48_ALL_CC_FLAGS) -m64 > -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" > -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie > -fno-asynchronous-unwind-tables -Wno-address > > +DEFINE GCC48_X64_CC_FLAGS= DEF(GCC48_ALL_CC_FLAGS) -m64 > -march=x86-64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" > -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie > -fno-asynchronous-unwind-tables -Wno-address > > DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) > -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable > > DEFINE GCC48_IA32_X64_DLINK_FLAGS= DEF(GCC48_IA32_X64_DLINK_COMMON) > -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) > -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive > > DEFINE GCC48_IA32_DLINK2_FLAGS = > -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 DEF(GCC_DLINK2_FLAGS_COMMON) > > @@ -2613,15 +2613,15 @@ NOOPT_CLANG38_IA32_DLINK2_FLAGS = > DEF(GCC5_IA32_DLINK2_FLAGS) -O0 > > *_CLANG38_X64_ASLPP_FLAGS = DEF(GCC_ASLPP_FLAGS) > DEF(CLANG38_X64_TARGET) > > *_CLANG38_X64_VFRPP_FLAGS = DEF(GCC_VFRPP_FLAGS) > DEF(CLANG38_X64_TARGET) > > > > -DEBUG_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small -fpie -Oz > -flto DEF(CLANG38_X64_TARGET) -g > > +DEBUG_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > -march=x86-64 "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone > -mcmodel=small -fpie -Oz -flto DEF(CLANG38_X64_TARGET) -g > > DEBUG_CLANG38_X64_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) > -flto -Wl,-Oz -Wl,-melf_x86_64 -Wl,--oformat=elf64-x86-64 -Wl,-pie > -mcmodel=small > > DEBUG_CLANG38_X64_DLINK2_FLAGS = DEF(GCC5_X64_DLINK2_FLAGS) -O3 > > > > -RELEASE_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small -fpie -Oz > -flto DEF(CLANG38_X64_TARGET) > > +RELEASE_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > -march=x86-64 "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone > -mcmodel=small -fpie -Oz -flto DEF(CLANG38_X64_TARGET) > > RELEASE_CLANG38_X64_DLINK_FLAGS= DEF(GCC5_IA32_X64_DLINK_FLAGS) > -flto -Wl,-Oz -Wl,-melf_x86_64 -Wl,--oformat=elf64-x86-64 -Wl,-pie > -mcmodel=small > > RELEASE_CLANG38_X64_DLINK2_FLAGS = DEF(GCC5_X64_DLINK2_FLAGS) -O3 > > > > -NOOPT_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small -fpie -O0 > DEF(CLANG38_X64_TARGET) -g > > +NOOPT_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > -march=x86-64 "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone > -mcmodel=small -fpie -O0 DEF(CLANG38_X64_TARGET) -g > > NOOPT_CLANG38_X64_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) > -Wl,-O0 -Wl,-melf_x86_64 -Wl,--oformat=el
Re: [edk2-devel] [PATCH] BaseTools/tools_def.txt: Add -march=x86-64 for X64 CLANG and GCC targets
Ping on this. Would it be more palatable if I limited the change only to tested toolchains (gcc/clang)? Alternatively, is there a way to submit this code to CI to verify the !(gcc|clang) variants? -dann On Fri, Jun 10, 2022 at 12:09:18PM -0600, dann frazier wrote: > From: dann frazier > > Some Linux distributions are experimenting with builds that target a > higher x86-64 psABI, such as x86-64-v3. To avoid inheriting these > compiler defaults in edk2 builds, and therefore breaking compatibility > with machines using older CPUs, explicitly target the generic x86-64 > psABI. This is similar to how we explicitly specify the cpu type for > some other architectures (-march=i586 for IA32, -march=armv7-a for ARM). > > Spot tested with OVMF builds using GCC5 and CLANG38. > > Signed-off-by: dann frazier > --- > BaseTools/Conf/tools_def.template | 20 ++-- > 1 file changed, 10 insertions(+), 10 deletions(-) > > diff --git a/BaseTools/Conf/tools_def.template > b/BaseTools/Conf/tools_def.template > index adcd23f727..569d16fb3e 100755 > --- a/BaseTools/Conf/tools_def.template > +++ b/BaseTools/Conf/tools_def.template > @@ -1885,7 +1885,7 @@ DEFINE GCC_DEPS_FLAGS = -MMD -MF $@.deps > DEFINE GCC48_ALL_CC_FLAGS= DEF(GCC_ALL_CC_FLAGS) > -ffunction-sections -fdata-sections -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings > DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z > common-page-size=0x20 > DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 > -march=i586 -malign-double -fno-stack-protector -D EFI32 > -fno-asynchronous-unwind-tables -Wno-address > -DEFINE GCC48_X64_CC_FLAGS= DEF(GCC48_ALL_CC_FLAGS) -m64 > -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" > -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie > -fno-asynchronous-unwind-tables -Wno-address > +DEFINE GCC48_X64_CC_FLAGS= DEF(GCC48_ALL_CC_FLAGS) -m64 > -march=x86-64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" > -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie > -fno-asynchronous-unwind-tables -Wno-address > DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) > -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable > DEFINE GCC48_IA32_X64_DLINK_FLAGS= DEF(GCC48_IA32_X64_DLINK_COMMON) > -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) > -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive > DEFINE GCC48_IA32_DLINK2_FLAGS = -Wl,--defsym=PECOFF_HEADER_SIZE=0x220 > DEF(GCC_DLINK2_FLAGS_COMMON) > @@ -2613,15 +2613,15 @@ NOOPT_CLANG38_IA32_DLINK2_FLAGS = > DEF(GCC5_IA32_DLINK2_FLAGS) -O0 > *_CLANG38_X64_ASLPP_FLAGS = DEF(GCC_ASLPP_FLAGS) > DEF(CLANG38_X64_TARGET) > *_CLANG38_X64_VFRPP_FLAGS = DEF(GCC_VFRPP_FLAGS) > DEF(CLANG38_X64_TARGET) > > -DEBUG_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small -fpie -Oz > -flto DEF(CLANG38_X64_TARGET) -g > +DEBUG_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > -march=x86-64 "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small > -fpie -Oz -flto DEF(CLANG38_X64_TARGET) -g > DEBUG_CLANG38_X64_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto > -Wl,-Oz -Wl,-melf_x86_64 -Wl,--oformat=elf64-x86-64 -Wl,-pie -mcmodel=small > DEBUG_CLANG38_X64_DLINK2_FLAGS = DEF(GCC5_X64_DLINK2_FLAGS) -O3 > > -RELEASE_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small -fpie -Oz > -flto DEF(CLANG38_X64_TARGET) > +RELEASE_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > -march=x86-64 "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small > -fpie -Oz -flto DEF(CLANG38_X64_TARGET) > RELEASE_CLANG38_X64_DLINK_FLAGS= DEF(GCC5_IA32_X64_DLINK_FLAGS) -flto > -Wl,-Oz -Wl,-melf_x86_64 -Wl,--oformat=elf64-x86-64 -Wl,-pie -mcmodel=small > RELEASE_CLANG38_X64_DLINK2_FLAGS = DEF(GCC5_X64_DLINK2_FLAGS) -O3 > > -NOOPT_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small -fpie -O0 > DEF(CLANG38_X64_TARGET) -g > +NOOPT_CLANG38_X64_CC_FLAGS = DEF(CLANG38_ALL_CC_FLAGS) -m64 > -march=x86-64 "-DEFIAPI=__attribute__((ms_abi))" -mno-red-zone -mcmodel=small > -fpie -O0 DEF(CLANG38_X64_TARGET) -g > NOOPT_CLANG38_X64_DLINK_FLAGS = DEF(GCC5_IA32_X64_DLINK_FLAGS) -Wl,-O0 > -Wl,-melf_x86_64 -Wl,--oformat=elf64-x86-64 -Wl,-pie -mcmodel=small > NOOPT_CLANG38_X64_DLINK2_FLAGS = DEF(GCC5_X64_DLINK2_FLAGS) -O0 > > @@ -2798,17 +2798,17 @@ NOOPT_CLANGPDB_IA32_DLINK2_FLAGS = > *_CLANGPDB_X64_ASLPP_FLAGS = DEF(GCC_ASLPP_FLAGS) > DEF(CLANGPDB_X64_TARGET) > *_CLANGPDB_X64_VFRPP_FLAGS = DEF(GCC_VFRPP_FLAGS) > DEF(CLANGPDB_X64_TARGET) > > -DEBUG_CLANGPDB_X64_CC_FLAGS
[edk2-devel][edk2-platforms][PATCH V1 1/1] MinPlatformPkg: Add missing FV PCD
Add missing PCD for BSP FV Base/Size/Offsets. Cc: Eric Dong Cc: Liming Gao Signed-off-by: Isaac Oram --- Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec | 8 1 file changed, 8 insertions(+) diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec index 68ab1d702d..76da6f35ae 100644 --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec @@ -230,9 +230,17 @@ gMinPlatformPkgTokenSpaceGuid.PcdFlashFvPreMemoryBase|0x|UINT32|0x2004 gMinPlatformPkgTokenSpaceGuid.PcdFlashFvPreMemorySize|0x|UINT32|0x2005 gMinPlatformPkgTokenSpaceGuid.PcdFlashFvPreMemoryOffset|0x|UINT32|0x2006 + gMinPlatformPkgTokenSpaceGuid.PcdFlashFvBspPreMemorySize|0x|UINT32|0x2030 + gMinPlatformPkgTokenSpaceGuid.PcdFlashFvBspPreMemoryBase|0x|UINT32|0x2031 + gMinPlatformPkgTokenSpaceGuid.PcdFlashFvBspPreMemoryOffset|0x|UINT32|0x2032 + gMinPlatformPkgTokenSpaceGuid.PcdFlashFvPostMemoryBase|0x|UINT32|0x2007 gMinPlatformPkgTokenSpaceGuid.PcdFlashFvPostMemorySize|0x|UINT32|0x2008 gMinPlatformPkgTokenSpaceGuid.PcdFlashFvPostMemoryOffset|0x|UINT32|0x2009 + gMinPlatformPkgTokenSpaceGuid.PcdFlashFvBspSize|0x|UINT32|0x2033 + gMinPlatformPkgTokenSpaceGuid.PcdFlashFvBspBase|0x|UINT32|0x2034 + gMinPlatformPkgTokenSpaceGuid.PcdFlashFvBspOffset|0x|UINT32|0x2035 + gMinPlatformPkgTokenSpaceGuid.PcdFlashFvUefiBootBase|0x|UINT32|0x200A gMinPlatformPkgTokenSpaceGuid.PcdFlashFvUefiBootSize|0x|UINT32|0x200B gMinPlatformPkgTokenSpaceGuid.PcdFlashFvUefiBootOffset|0x|UINT32|0x200C -- 2.36.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90910): https://edk2.groups.io/g/devel/message/90910 Mute This Topic: https://groups.io/mt/92074372/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v1 10/10] SecurityPkg/RngDxe: Use DrbgLib in RngDxe for Arm
From: Pierre Gondois
Make use of the new DrbgLib and advertise support for the
SP800-90 Ctr 256 bits Drbg. The algorithm will be used for
Arm and AArch64 arch.
Signed-off-by: Pierre Gondois
---
.../RandomNumberGenerator/RngDxe/ArmRngDxe.c | 75 ++-
.../RandomNumberGenerator/RngDxe/RngDxe.inf | 2 +
SecurityPkg/SecurityPkg.dsc | 5 ++
3 files changed, 81 insertions(+), 1 deletion(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
index 4775252d30b6..400b0a5e9a7c 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
@@ -25,6 +25,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -39,7 +40,7 @@
// populated only once.
// The valid entry with the lowest index will be the default algorithm.
//
-#define RNG_AVAILABLE_ALGO_MAX 2
+#define RNG_AVAILABLE_ALGO_MAX 3
STATIC BOOLEANmAvailableAlgoArrayInit = FALSE;
STATIC UINTN mAvailableAlgoArrayCount;
STATIC EFI_RNG_ALGORITHM mAvailableAlgoArray[RNG_AVAILABLE_ALGO_MAX];
@@ -87,11 +88,78 @@ RngInitAvailableAlgoArray (
sizeof (EFI_RNG_ALGORITHM)
);
mAvailableAlgoArrayCount++;
+
+// SP800-90 Ctr 256 bits Drbg.
+// Arm implementation is based on the Trng.
+CopyMem (
+ &mAvailableAlgoArray[mAvailableAlgoArrayCount],
+ &gEfiRngAlgorithmSp80090Ctr256Guid,
+ sizeof (EFI_RNG_ALGORITHM)
+ );
+mAvailableAlgoArrayCount++;
}
mAvailableAlgoArrayInit = TRUE;
}
+/** Produces and returns an RNG value using a specified Drbg algorithm.
+
+ @param[in] DrbgMechanism The Drbg mechanism to use.
+ @param[in] RNGValueLengthThe length in bytes of the memory buffer
pointed to by
+RNGValue. The driver shall return exactly this
numbers of bytes.
+ @param[out] RNGValue A caller-allocated memory buffer filled by the
driver with the
+resulting RNG value.
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+RngGetDrbgVal (
+ IN DRBG_MECHANISM DrbgMechanism,
+ IN UINTN RNGValueLength,
+ OUT UINT8 *RNGValue
+ )
+{
+ EFI_STATUS Status;
+ STATIC VOID *DrbgHandle = NULL;
+
+ // Only instantiate once.
+ if (DrbgHandle == NULL) {
+Status = DrbgInstantiateFn (
+ DrbgMechanism,
+ DrbgEntropyNoCondFn,
+ 256,
+ FALSE,
+ NULL,
+ 0,
+ &DrbgHandle
+ );
+if (EFI_ERROR (Status)) {
+ ASSERT_EFI_ERROR (Status);
+ return Status;
+}
+ }
+
+ // Check overflow.
+ if (RNGValueLength > (MAX_UINTN >> 3)) {
+return EFI_INVALID_PARAMETER;
+ }
+
+ Status = DrbgGenerateFn (
+ 256,
+ FALSE,
+ NULL,
+ 0,
+ RNGValueLength << 3,
+ RNGValue,
+ DrbgHandle
+ );
+ if (EFI_ERROR (Status)) {
+ASSERT_EFI_ERROR (Status);
+ }
+
+ return Status;
+}
+
/**
Produces and returns an RNG value using either the default or specified RNG
algorithm.
@@ -163,6 +231,11 @@ FoundAlgo:
return GenerateEntropy (RNGValueLength, RNGValue);
}
+ // SP800-90 Ctr 256 bits Drbg
+ if (CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmSp80090Ctr256Guid)) {
+return RngGetDrbgVal (DrbgMechansimCtr, RNGValueLength, RNGValue);
+ }
+
//
// Other algorithms are unsupported by this driver.
//
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
index 599a3085102d..c95e958e7f85 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
@@ -62,6 +62,8 @@ [LibraryClasses]
RngLib
[LibraryClasses.AARCH64, LibraryClasses.ARM]
+ ArmLib
+ DrbgLib
TrngLib
[Guids]
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 882d639489ea..cc6d6de72cea 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -94,6 +94,11 @@ [LibraryClasses.ARM, LibraryClasses.AARCH64]
ArmSmcLib|ArmPkg/Library/ArmSmcLib/ArmSmcLib.inf
ArmHvcLib|ArmPkg/Library/ArmHvcLib/ArmHvcLib.inf
+ # RngDxe dependencies
+ AesLib|MdePkg/Library/AesLibNull/AesLibNull.inf
+ ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
+ DrbgLib|MdePkg/Library/DrbgLibNull/DrbgLibNull.inf
+
[LibraryClasses.ARM]
RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90909): https://edk2.groups.io/g/devel/message/90909
Mute This Topic: https://groups.io/mt/92072298/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH RESEND v1 09/10] SecurityPkg: Update Securitypkg.ci.yaml
From: Pierre Gondois
Add ArmPkg.dec as a valid dependency for the SecurityPkg.
Signed-off-by: Pierre Gondois
---
SecurityPkg/SecurityPkg.ci.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.yaml
index 791214239899..08e98d713224 100644
--- a/SecurityPkg/SecurityPkg.ci.yaml
+++ b/SecurityPkg/SecurityPkg.ci.yaml
@@ -31,6 +31,7 @@
},
"DependencyCheck": {
"AcceptableDependencies": [
+"ArmPkg/ArmPkg.dec",
"MdePkg/MdePkg.dec",
"MdeModulePkg/MdeModulePkg.dec",
"SecurityPkg/SecurityPkg.dec",
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90908): https://edk2.groups.io/g/devel/message/90908
Mute This Topic: https://groups.io/mt/92072297/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH RESEND v1 9/9] SecurityPkg/RngDxe: Use DrbgLib in RngDxe for Arm
From: Pierre Gondois
Make use of the new DrbgLib and advertise support for the
SP800-90 Ctr 256 bits Drbg. The algorithm will be used for
Arm and AArch64 arch.
Signed-off-by: Pierre Gondois
---
.../RandomNumberGenerator/RngDxe/ArmRngDxe.c | 75 ++-
.../RandomNumberGenerator/RngDxe/RngDxe.inf | 1 +
SecurityPkg/SecurityPkg.dsc | 2 +
3 files changed, 77 insertions(+), 1 deletion(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
index 4775252d30b6..400b0a5e9a7c 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
@@ -25,6 +25,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -39,7 +40,7 @@
// populated only once.
// The valid entry with the lowest index will be the default algorithm.
//
-#define RNG_AVAILABLE_ALGO_MAX 2
+#define RNG_AVAILABLE_ALGO_MAX 3
STATIC BOOLEANmAvailableAlgoArrayInit = FALSE;
STATIC UINTN mAvailableAlgoArrayCount;
STATIC EFI_RNG_ALGORITHM mAvailableAlgoArray[RNG_AVAILABLE_ALGO_MAX];
@@ -87,11 +88,78 @@ RngInitAvailableAlgoArray (
sizeof (EFI_RNG_ALGORITHM)
);
mAvailableAlgoArrayCount++;
+
+// SP800-90 Ctr 256 bits Drbg.
+// Arm implementation is based on the Trng.
+CopyMem (
+ &mAvailableAlgoArray[mAvailableAlgoArrayCount],
+ &gEfiRngAlgorithmSp80090Ctr256Guid,
+ sizeof (EFI_RNG_ALGORITHM)
+ );
+mAvailableAlgoArrayCount++;
}
mAvailableAlgoArrayInit = TRUE;
}
+/** Produces and returns an RNG value using a specified Drbg algorithm.
+
+ @param[in] DrbgMechanism The Drbg mechanism to use.
+ @param[in] RNGValueLengthThe length in bytes of the memory buffer
pointed to by
+RNGValue. The driver shall return exactly this
numbers of bytes.
+ @param[out] RNGValue A caller-allocated memory buffer filled by the
driver with the
+resulting RNG value.
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+RngGetDrbgVal (
+ IN DRBG_MECHANISM DrbgMechanism,
+ IN UINTN RNGValueLength,
+ OUT UINT8 *RNGValue
+ )
+{
+ EFI_STATUS Status;
+ STATIC VOID *DrbgHandle = NULL;
+
+ // Only instantiate once.
+ if (DrbgHandle == NULL) {
+Status = DrbgInstantiateFn (
+ DrbgMechanism,
+ DrbgEntropyNoCondFn,
+ 256,
+ FALSE,
+ NULL,
+ 0,
+ &DrbgHandle
+ );
+if (EFI_ERROR (Status)) {
+ ASSERT_EFI_ERROR (Status);
+ return Status;
+}
+ }
+
+ // Check overflow.
+ if (RNGValueLength > (MAX_UINTN >> 3)) {
+return EFI_INVALID_PARAMETER;
+ }
+
+ Status = DrbgGenerateFn (
+ 256,
+ FALSE,
+ NULL,
+ 0,
+ RNGValueLength << 3,
+ RNGValue,
+ DrbgHandle
+ );
+ if (EFI_ERROR (Status)) {
+ASSERT_EFI_ERROR (Status);
+ }
+
+ return Status;
+}
+
/**
Produces and returns an RNG value using either the default or specified RNG
algorithm.
@@ -163,6 +231,11 @@ FoundAlgo:
return GenerateEntropy (RNGValueLength, RNGValue);
}
+ // SP800-90 Ctr 256 bits Drbg
+ if (CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmSp80090Ctr256Guid)) {
+return RngGetDrbgVal (DrbgMechansimCtr, RNGValueLength, RNGValue);
+ }
+
//
// Other algorithms are unsupported by this driver.
//
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
index 20752e71ac4e..c95e958e7f85 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
@@ -63,6 +63,7 @@ [LibraryClasses]
[LibraryClasses.AARCH64, LibraryClasses.ARM]
ArmLib
+ DrbgLib
TrngLib
[Guids]
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 779aa2a061a0..cc6d6de72cea 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -95,7 +95,9 @@ [LibraryClasses.ARM, LibraryClasses.AARCH64]
ArmHvcLib|ArmPkg/Library/ArmHvcLib/ArmHvcLib.inf
# RngDxe dependencies
+ AesLib|MdePkg/Library/AesLibNull/AesLibNull.inf
ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
+ DrbgLib|MdePkg/Library/DrbgLibNull/DrbgLibNull.inf
[LibraryClasses.ARM]
RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90907): https://edk2.groups.io/g/devel/message/90907
Mute This Topic: https://groups.io/mt/92072296/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH RESEND v1 8/9] ArmVirtPkg: Kvmtool: Add AesLib/DrbgLib for RngDxe
From: Pierre Gondois BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3971 The RngDxe will require both AesLib and DrbgLib for Arm. Thus add the libraries to ArmVirtKvmTool.dsc. Signed-off-by: Pierre Gondois --- ArmVirtPkg/ArmVirtKvmTool.dsc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ArmVirtPkg/ArmVirtKvmTool.dsc b/ArmVirtPkg/ArmVirtKvmTool.dsc index 847dbdd2af2b..f14ec7a72a42 100644 --- a/ArmVirtPkg/ArmVirtKvmTool.dsc +++ b/ArmVirtPkg/ArmVirtKvmTool.dsc @@ -81,7 +81,9 @@ [LibraryClasses.common] HwInfoParserLib|DynamicTablesPkg/Library/FdtHwInfoParserLib/FdtHwInfoParserLib.inf DynamicPlatRepoLib|DynamicTablesPkg/Library/Common/DynamicPlatRepoLib/DynamicPlatRepoLib.inf + AesLib|ArmPkg/Library/ArmAesLib/ArmAesLib.inf ArmMonitorLib|ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf + DrbgLib|MdePkg/Library/DrbgLib/DrbgLib.inf TrngLib|ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.inf [LibraryClasses.common.SEC, LibraryClasses.common.PEI_CORE, LibraryClasses.common.PEIM] -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90906): https://edk2.groups.io/g/devel/message/90906 Mute This Topic: https://groups.io/mt/92072295/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH RESEND v1 5/9] MdePkg/DrbgLib: Add common wrappers
From: Pierre Gondois
Add common wrappers around the TRNG and AES libraries:
- GetEntropy() relies an Arm Trng
- BlockEncrypt relies on Arm implementation of the AES library
Signed-off-by: Pierre Gondois
---
MdePkg/Library/DrbgLib/Common.c | 249
MdePkg/Library/DrbgLib/Common.h | 74 ++
2 files changed, 323 insertions(+)
create mode 100644 MdePkg/Library/DrbgLib/Common.c
create mode 100644 MdePkg/Library/DrbgLib/Common.h
diff --git a/MdePkg/Library/DrbgLib/Common.c b/MdePkg/Library/DrbgLib/Common.c
new file mode 100644
index ..0aa0459f0b0f
--- /dev/null
+++ b/MdePkg/Library/DrbgLib/Common.c
@@ -0,0 +1,249 @@
+/** @file
+ Implementation of arch specific functions for the Drbg library.
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - [1] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation
+for Random Number Generation Using Deterministic Random Bit Generators.
+(https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final)
+ - [2] NIST Special Publication 800-90B, Recommendation for the Entropy
+Sources Used for Random Bit Generation.
+(https://csrc.nist.gov/publications/detail/sp/800-90b/final)
+ - [3] (Second Draft) NIST Special Publication 800-90C, Recommendation for
+Random Bit Generator (RBG) Constructions.
+(https://csrc.nist.gov/publications/detail/sp/800-90c/draft)
+ - [4] NIST Special Publication 800-57 Part 1 Revision 5, May 2020,
+Recommendation for Key Management:Part 1 - General.
+
(https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final)
+
+ @par Glossary:
+- TRNG - True Random Number Generator
+- Sec - Security
+- DRBG - Deterministic Random Bits Generator
+- CTR - Counter
+**/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "Common.h"
+#include "CtrDrbg.h"
+
+/** GetEntropy implementation using Arm Trng.
+
+ Cf. [3] 10.3.1.2 Condensing After Entropy Collection
+
+ The min and max entropy length are in the DrbgHandle.
+
+ @param [in] DrbgHandleThe Drbg hanble.
+ @param [in] ReqEntropyRequested entropy.
+ @param [out] EntropyBitsStream Stream containing the generated entropy.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_ABORTED An error occured.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_OUT_OF_RESOURCESOut of resources.
+**/
+EFI_STATUS
+EFIAPI
+GetEntropy (
+ IN DRBG_HANDLE DrbgHandle,
+ IN UINTNReqEntropy,
+ OUT BIT_STREAM **EntropyBitsStream
+ )
+{
+ EFI_STATUS Status;
+ UINTN TrngCollectedEntropy;
+ UINTN TrngReqBits;
+ UINTN TrngMaxBits;
+ UINTN TrngMaxBytes;
+ UINTN MinLen;
+ UINT8 *QueriedBitsBuff;
+
+ if ((DrbgHandle == NULL)||
+ (EntropyBitsStream == NULL) ||
+ (*EntropyBitsStream != NULL))
+ {
+ASSERT (DrbgHandle != NULL);
+ASSERT (EntropyBitsStream != NULL);
+ASSERT (*EntropyBitsStream == NULL);
+return EFI_INVALID_PARAMETER;
+ }
+
+ MinLen = 0;
+ TrngMaxBits = GetTrngMaxSupportedEntropyBits ();
+ TrngMaxBytes= BitsToUpperBytes (TrngMaxBits);
+ QueriedBitsBuff = NULL;
+
+ // 1. If requested_entropy > max_length, return an error indication
+ // and a null value for the entropy_bitstring.
+ //
+ // Note: we also check for MinLen
+ if ((ReqEntropy > DrbgHandle->DrbgVal.MaxLen) ||
+ (ReqEntropy < DrbgHandle->DrbgVal.MinLen))
+ {
+ASSERT (0);
+return EFI_INVALID_PARAMETER;
+ }
+
+ // 2. collected_entropy = 0.
+ TrngCollectedEntropy = 0;
+
+ // 3. entropy_bitstring = the Null string.
+ Status = BitStreamAlloc (ReqEntropy, EntropyBitsStream);
+ if (EFI_ERROR (Status)) {
+ASSERT_EFI_ERROR (Status);
+return Status;
+ }
+
+ QueriedBitsBuff = (UINT8 *)AllocateZeroPool (TrngMaxBytes);
+ if (QueriedBitsBuff == NULL) {
+Status = EFI_OUT_OF_RESOURCES;
+ASSERT_EFI_ERROR (Status);
+goto ErrorHandler;
+ }
+
+ // 4. While collected_entropy < requested_entropy
+ while (TrngCollectedEntropy < ReqEntropy) {
+TrngReqBits = MIN ((MinLen - TrngCollectedEntropy), TrngMaxBits);
+
+// 4.1 Query one or more entropy sources to obtain queried_bits and the
+// assessed_entropy for those bits.
+//
+// Cf. Arm True Random Number Generator Firmware, Interface 1.0,
+// s2.4.2 Usage, the number of bits requested to the TRNG equals the
+// number of bits returned. So assessed_entropy == #queried_bits
+Status = GetTrngEntropy (TrngReqBits, TrngMaxBytes, QueriedBitsBuff);
+if (EFI_ERROR (Status)) {
+ ASSERT_EFI_ERROR (Status);
+ goto ErrorHandler;
+}
+
+// 4.2 entropy_bitstring = entropy_bitstring || queried_bits.
+//
+// We are concatenating the other way around. Since this is a TRNG and
+// the endianness
[edk2-devel] [PATCH RESEND v1 7/9] MdePkg/DrbgLib: Add Drbg mechanism functions and module
From: Pierre Gondois
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3971
>From the NIST Special Publication 800-90A, the implementation
of a Drbg can be split into:
1. DRBG Mechanism Functions (s9 of the spec), describing the
operations generic to all the mechanisms.
2. DRBG Algorithm Specifications (s10 of the spec), describing
the operations specific to each mechanisms (CTR, HMAC, ...)
This patch implements 1., i.e. the operations generic to
all the mechanisms. Functions implemented here are also the
DrbgLib interface.
The .inf file associated to the module is also added here.
Signed-off-by: Pierre Gondois
Signed-off-by: Sami Mujawar
---
MdePkg/Library/DrbgLib/DrbgLib.c | 628 +++
MdePkg/Library/DrbgLib/DrbgLib.inf | 39 ++
MdePkg/Library/DrbgLib/DrbgLibInternal.h | 310 +++
MdePkg/MdePkg.dsc| 1 +
4 files changed, 978 insertions(+)
create mode 100644 MdePkg/Library/DrbgLib/DrbgLib.c
create mode 100644 MdePkg/Library/DrbgLib/DrbgLib.inf
create mode 100644 MdePkg/Library/DrbgLib/DrbgLibInternal.h
diff --git a/MdePkg/Library/DrbgLib/DrbgLib.c b/MdePkg/Library/DrbgLib/DrbgLib.c
new file mode 100644
index ..bfad8fc670be
--- /dev/null
+++ b/MdePkg/Library/DrbgLib/DrbgLib.c
@@ -0,0 +1,628 @@
+/** @file
+ Drbg library.
+ Cf. [1] s9 DRBG Mechanism Functions
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - [1] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation
+for Random Number Generation Using Deterministic Random Bit Generators.
+(https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final)
+ - [2] NIST Special Publication 800-90B, Recommendation for the Entropy
+Sources Used for Random Bit Generation.
+(https://csrc.nist.gov/publications/detail/sp/800-90b/final)
+ - [3] (Second Draft) NIST Special Publication 800-90C, Recommendation for
+Random Bit Generator (RBG) Constructions.
+(https://csrc.nist.gov/publications/detail/sp/800-90c/draft)
+ - [4] NIST Special Publication 800-57 Part 1 Revision 5, May 2020,
+Recommendation for Key Management:Part 1 - General.
+
(https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final)
+ - [5] Unified Extensible Firmware Interface (UEFI) Specification,
+Version 2.8 Errata B, May 2020
+(https://www.uefi.org/specifications)
+
+ @par Glossary:
+- TRNG - True Random Number Generator
+- Sec - Security
+- DRBG - Deterministic Random Bits Generator
+- CTR - Counter
+**/
+
+#include
+#include
+#include
+#include
+
+#include "Common.h"
+#include "GetEntropyInput.h"
+
+/** Check the internal state of the Drbg handle.
+
+ @param [in] DrbgHandle The Drbg handle.
+
+ @retval TRUE The Drbg handle has a valid internal state.
+ @retval FALSE Otherwise.
+**/
+STATIC
+BOOLEAN
+CheckInternalState (
+ IN DRBG_HANDLE DrbgHandle
+ )
+{
+ if ((DrbgHandle == NULL) ||
+ EFI_ERROR (DrbgHandle->DrbgCheckInternalState (DrbgHandle)))
+ {
+ASSERT (DrbgHandle != NULL);
+ASSERT_EFI_ERROR (DrbgHandle->DrbgCheckInternalState (DrbgHandle));
+return FALSE;
+ }
+
+ return TRUE;
+}
+
+/** Reseed a DRBG instance.
+
+ Implementation of Reseed_function.
+ Cf. [1] s9.2 'Reseeding a DRBG Instantiation'
+
+ @param [in] PredResRequest Indicates whether prediction resistance
+is to be provided during the request.
+Might not be supported by all Drbgs.
+ @param [in] AddInput An optional additional input.
+Might not be supported by all Drbgs.
+ @param [in] AddInputLen Additional input length (in bits).
+Might not be supported by all Drbgs.
+ @param [in, out] DrbgHandle The Drbg handle.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_OUT_OF_RESOURCESOut of resources.
+**/
+EFI_STATUS
+EFIAPI
+DrbgReseedFn (
+ INBOOLEAN PredResRequest,
+ IN CONST CHAR8*AddInput,
+ INUINTNAddInputLen,
+ IN OUT VOID *Handle
+ )
+{
+ EFI_STATUS Status;
+ DRBG_HANDLE DrbgHandle;
+ BIT_STREAM *AddInputStream;
+ BIT_STREAM *EntropyBitsStream;
+
+ DrbgHandle = (DRBG_HANDLE)Handle;
+
+ // 1. Using state_handle, obtain the current internal state.
+ // If state_handle indicates an invalid or unused internal state,
+ // return (ERROR_FLAG).
+ if (((AddInput == NULL) ^ (AddInputLen == 0)) ||
+ !CheckInternalState (DrbgHandle))
+ {
+ASSERT (!((AddInput == NULL) ^ (AddInputLen == 0)));
+ASSERT (CheckInternalState (DrbgHandle));
+return EFI_INVALID_PARAMETER;
+ }
+
+ AddInputStream= NULL;
+ EntropyBitsStream = NULL;
+
+ // 2. If prediction_resistance_request is set, and prediction_resistan
[edk2-devel] [PATCH RESEND v1 6/9] MdePkg/DrbgLib: Add Ctr Drbg mechanism functions
From: Pierre Gondois
>From the NIST Special Publication 800-90A, the implementation
of a Drbg can be split into:
1. DRBG Mechanism Functions (s9 of the spec), describing the
operations generic to all the mechanisms.
2. DRBG Algorithm Specifications (s10 of the spec), describing
the operations specific to each mechanisms (CTR, HMAC, ...)
This patch implements the 2., i.e. the operations specific to
the Ctr Drbg mechanism.
Signed-off-by: Pierre Gondois
---
MdePkg/Library/DrbgLib/CtrDrbg.c | 899 +++
MdePkg/Library/DrbgLib/CtrDrbg.h | 100
2 files changed, 999 insertions(+)
create mode 100644 MdePkg/Library/DrbgLib/CtrDrbg.c
create mode 100644 MdePkg/Library/DrbgLib/CtrDrbg.h
diff --git a/MdePkg/Library/DrbgLib/CtrDrbg.c b/MdePkg/Library/DrbgLib/CtrDrbg.c
new file mode 100644
index ..7db4d724086a
--- /dev/null
+++ b/MdePkg/Library/DrbgLib/CtrDrbg.c
@@ -0,0 +1,899 @@
+/** @file
+ Ctr Drbg implementation.
+ (Counter Deterministic Random Bit Generator)
+ Cf. [1] s10.2.1 CTR_DRBG
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - [1] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation
+for Random Number Generation Using Deterministic Random Bit Generators.
+(https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final)
+ - [2] NIST Special Publication 800-90B, Recommendation for the Entropy
+Sources Used for Random Bit Generation.
+(https://csrc.nist.gov/publications/detail/sp/800-90b/final)
+ - [3] (Second Draft) NIST Special Publication 800-90C, Recommendation for
+Random Bit Generator (RBG) Constructions.
+(https://csrc.nist.gov/publications/detail/sp/800-90c/draft)
+ - [4] NIST Special Publication 800-57 Part 1 Revision 5, May 2020,
+Recommendation for Key Management:Part 1 - General.
+
(https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final)
+ - [5] Unified Extensible Firmware Interface (UEFI) Specification,
+Version 2.8 Errata B, May 2020
+(https://www.uefi.org/specifications)
+ - [6] FIPS 197 November 26, 2001:
+Specification for the ADVANCED ENCRYPTION STANDARD (AES)
+
+ @par Glossary:
+- TRNG - True Random Number Generator
+- Sec - Security
+- DRBG - Deterministic Random Bits Generator
+- CTR - Counter
+**/
+
+#include
+#include
+#include
+#include
+
+#include "Common.h"
+#include "CtrDrbg.h"
+
+/** Get a nonce.
+
+ [1] s10.2.1.3.1 Instantiation When a Derivation Function is Not Used
+
+ When instantiation is performed using this method, full-entropy input
+ is required, and a nonce is not used.
+
+ @param [in, out] DrbgHandleThe Drbg handle.
+ @param [out] NonceStream Stream containing the Nonce.
+
+ @retval EFI_SUCCESS Success.
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+CtrDrbgGetNonce (
+ IN OUT DRBG_HANDLE DrbgHandle,
+ OUT BIT_STREAM *NonceStream
+ )
+{
+ // Nothing to do.
+ return EFI_SUCCESS;
+}
+
+/** Check the internal state.
+
+ @param [in] DrbgHandleThe Drbg handle.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+CtrDrbgCheckInternalState (
+ IN DRBG_HANDLE DrbgHandle
+ )
+{
+ CTR_INTERNAL_STATE *CtrIntState;
+
+ CtrIntState = (CTR_INTERNAL_STATE *)DrbgHandle->IntState.DrbgAlgoIntState;
+
+ // Just check that key and value BitStreams are still ok.
+ if ((IsBitStreamEmpty (CtrIntState->Val) ||
+ (IsBitStreamEmpty (CtrIntState->Key
+ {
+ASSERT (!IsBitStreamEmpty (CtrIntState->Val));
+ASSERT (!IsBitStreamEmpty (CtrIntState->Key));
+return EFI_INVALID_PARAMETER;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/** Update algorithm.
+
+ CTR_DRBG_Update implementation.
+
+ Cf. [1] s10.2.1.2 The Update Function (CTR_DRBG_Update)
+
+ @param [in] ProvidedData The data to be used. This must be exactly
+ seedlen bits in length.
+ @param [in, out] DrbgHandleThe Drbg handle.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_OUT_OF_RESOURCESOut of resources.
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+CtrDrbgUpdate (
+ IN BIT_STREAM *ProvidedData,
+ IN OUT DRBG_HANDLE DrbgHandle
+ )
+{
+ EFI_STATUS Status;
+ BIT_STREAM *IncStream;
+ BIT_STREAM *OutBlkStream;
+ BIT_STREAM *TempStream;
+ CTR_INTERNAL_STATE *CtrIntState;
+ CTR_VALUE_DEFINITIONS *CtrVal;
+
+ if (IsBitStreamEmpty (ProvidedData) ||
+ (DrbgHandle == NULL)||
+ (DrbgHandle->IntState.DrbgAlgoIntState == NULL) ||
+ (DrbgHandle->DrbgVal.DrbgAlgoVal == NULL))
+ {
+ASSERT (!IsBitStreamEmpty (ProvidedData));
+ASSERT (DrbgHandle != NULL);
+ASSERT (DrbgHandle->IntState.DrbgAlgoIntState != NULL);
[edk2-devel] [PATCH RESEND v1 4/9] MdePkg/DrbgLib: Add Get_entropy_input() implementation
From: Pierre Gondois
NIST Special Publication 800-90C, s10.3.3 'Get_entropy_input
Constructions for Accessing Entropy Sources'
specifies multiple way to implement the Get_entropy_input()
function.
Implement s10.3.3.1 'Construction When a Conditioning Function
is not Used' in a separate file to let room for other potential
implementations.
Signed-off-by: Pierre Gondois
---
MdePkg/Library/DrbgLib/GetEntropyInput.c | 72
MdePkg/Library/DrbgLib/GetEntropyInput.h | 48
2 files changed, 120 insertions(+)
create mode 100644 MdePkg/Library/DrbgLib/GetEntropyInput.c
create mode 100644 MdePkg/Library/DrbgLib/GetEntropyInput.h
diff --git a/MdePkg/Library/DrbgLib/GetEntropyInput.c
b/MdePkg/Library/DrbgLib/GetEntropyInput.c
new file mode 100644
index ..6257bc9093dd
--- /dev/null
+++ b/MdePkg/Library/DrbgLib/GetEntropyInput.c
@@ -0,0 +1,72 @@
+/** @file
+ GetEntropyInput function implementation.
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - [1] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation
+for Random Number Generation Using Deterministic Random Bit Generators.
+(https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final)
+ - [2] NIST Special Publication 800-90B, Recommendation for the Entropy
+Sources Used for Random Bit Generation.
+(https://csrc.nist.gov/publications/detail/sp/800-90b/final)
+ - [3] (Second Draft) NIST Special Publication 800-90C, Recommendation for
+Random Bit Generator (RBG) Constructions.
+(https://csrc.nist.gov/publications/detail/sp/800-90c/draft)
+
+ @par Glossary:
+- TRNG - True Random Number Generator
+- Sec - Security
+- DRBG - Deterministic Random Bits Generator
+- CTR - Counter
+**/
+
+#include
+#include
+
+#include "Common.h"
+
+/** GetEntropyInput implementation (no conditionning function).
+
+ Cf. [3] 10.3.3.1 Construction When a Conditioning Function is not Used
+
+ @param [in] DrbgHandleThe Drbg hanble.
+ @param [in] MinEntropyMinimum entropy.
+ @param [out] EntropyBitsStream Stream containing the generated entropy.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_OUT_OF_RESOURCESOut of resources.
+**/
+EFI_STATUS
+EFIAPI
+GetEntropyInputNoCondFn (
+ IN DRBG_HANDLE DrbgHandle,
+ IN UINTNMinEntropy,
+ OUT BIT_STREAM **EntropyBitsStream
+ )
+{
+ EFI_STATUS Status;
+
+ if ((DrbgHandle == NULL) ||
+ (EntropyBitsStream == NULL) ||
+ (*EntropyBitsStream != NULL))
+ {
+ASSERT (DrbgHandle != NULL);
+ASSERT (EntropyBitsStream != NULL);
+ASSERT (*EntropyBitsStream == NULL);
+return EFI_INVALID_PARAMETER;
+ }
+
+ // 1. (status, entropy_bitstring) = Get_Entropy(min_entropy, max_length).
+ // 2. If (status != SUCCESS), then return (status, Null).
+ // 3. Return SUCCESS, entropy_bitstring.
+ Status = GetEntropy (DrbgHandle, MinEntropy, EntropyBitsStream);
+ if (EFI_ERROR (Status)) {
+ASSERT_EFI_ERROR (Status);
+// Fall through.
+ }
+
+ return Status;
+}
diff --git a/MdePkg/Library/DrbgLib/GetEntropyInput.h
b/MdePkg/Library/DrbgLib/GetEntropyInput.h
new file mode 100644
index ..336fbc3826c0
--- /dev/null
+++ b/MdePkg/Library/DrbgLib/GetEntropyInput.h
@@ -0,0 +1,48 @@
+/** @file
+ GetEntropyInput function implementation.
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - [1] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation
+for Random Number Generation Using Deterministic Random Bit Generators.
+(https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final)
+ - [2] NIST Special Publication 800-90B, Recommendation for the Entropy
+Sources Used for Random Bit Generation.
+(https://csrc.nist.gov/publications/detail/sp/800-90b/final)
+ - [3] (Second Draft) NIST Special Publication 800-90C, Recommendation for
+Random Bit Generator (RBG) Constructions.
+(https://csrc.nist.gov/publications/detail/sp/800-90c/draft)
+
+ @par Glossary:
+- TRNG - True Random Number Generator
+- Sec - Security
+- DRBG - Deterministic Random Bits Generator
+- CTR - Counter
+**/
+
+#ifndef GET_ENTROPY_INPUT_H_
+#define GET_ENTROPY_INPUT_H_
+
+/** GetEntropyInput implementation (no conditionning function).
+
+ Cf. [3] 10.3.3.1 Construction When a Conditioning Function is not Used
+
+ @param [in] DrbgHandleThe Drbg hanble.
+ @param [in] MinEntropyMinimum entropy.
+ @param [out] EntropyBitsStream Stream containing the generated entropy.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_OUT_OF_RESOURCESOut of resources.
+**/
+EFI_STAT
[edk2-devel] [PATCH RESEND v1 3/9] MdePkg/DrbgLib: Add BitStream implementation
From: Pierre Gondois
The Ctr Drbg does bitstream operations (additions, right/left
shifting, ...). To have a clearer implementation of the NIST
specifications, add a BitStream representation.
Signed-off-by: Pierre Gondois
Signed-off-by: Sami Mujawar
---
MdePkg/Library/DrbgLib/BitStream.c | 1114
MdePkg/Library/DrbgLib/BitStream.h | 366 +
2 files changed, 1480 insertions(+)
create mode 100644 MdePkg/Library/DrbgLib/BitStream.c
create mode 100644 MdePkg/Library/DrbgLib/BitStream.h
diff --git a/MdePkg/Library/DrbgLib/BitStream.c
b/MdePkg/Library/DrbgLib/BitStream.c
new file mode 100644
index ..1ae114fef803
--- /dev/null
+++ b/MdePkg/Library/DrbgLib/BitStream.c
@@ -0,0 +1,1114 @@
+/** @file
+ BitStream utility.
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "BitStream.h"
+
+/** Check whether a BitStream is NULL (null length).
+
+ @param [in] Stream The BitStream.
+
+ @retval TRUE if the BitStream is NULL (null length).
+ @retval FALSE otherwise.
+**/
+BOOLEAN
+EFIAPI
+IsBitStreamEmpty (
+ IN BIT_STREAM *Stream
+ )
+{
+ return ((Stream == NULL) ||
+ (Stream->BitLen == 0) ||
+ (Stream->Data == NULL));
+}
+
+/** Convert bits to bytes (rounds down).
+
+ @param [in] BitsBits.
+
+ @return Bytes.
+**/
+UINTN
+EFIAPI
+BitsToLowerBytes (
+ IN UINTN Bits
+ )
+{
+ return Bits >> 3;
+}
+
+/** Convert bits to bytes (rounds up).
+
+ @param [in] BitsBits.
+
+ @return Bytes.
+**/
+UINTN
+EFIAPI
+BitsToUpperBytes (
+ IN UINTN Bits
+ )
+{
+ return ((Bits + 0x7) >> 3);
+}
+
+/** Get the BitStream length (in bits).
+
+ @param [in] StreamThe BitStream.
+
+ @return Length of the BitStream (in bits).
+**/
+UINTN
+EFIAPI
+BitStreamBitLen (
+ IN BIT_STREAM *Stream
+ )
+{
+ if (Stream == NULL) {
+ASSERT (Stream != NULL);
+return 0;
+ }
+
+ return Stream->BitLen;
+}
+
+/** Get the BitStream length (in bytes).
+
+ @param [in] StreamThe BitStream.
+
+ @return Length of the BitStream (in bytes).
+**/
+UINTN
+EFIAPI
+BitStreamByteLen (
+ IN BIT_STREAM *Stream
+ )
+{
+ if (Stream == NULL) {
+ASSERT (Stream != NULL);
+return 0;
+ }
+
+ return Stream->ByteLen;
+}
+
+/** Get the BitStream data buffer.
+
+ @param [in] StreamThe BitStream.
+
+ @return Data buffer of the BitStream (can be NULL).
+**/
+UINT8 *
+EFIAPI
+BitStreamData (
+ IN BIT_STREAM *Stream
+ )
+{
+ if (Stream == NULL) {
+ASSERT (Stream != NULL);
+return 0;
+ }
+
+ return Stream->Data;
+}
+
+/** Clear the unsused bits of a Stream.
+
+ For instance, if a stream is 5 bits long, then:
+ - bits[7:5] must be cleared.
+ - bits[4:0] must be preserved.
+
+ @param [in, out] StreamThe BitStream.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+BitStreamClearUnusedBits (
+ IN OUT BIT_STREAM *Stream
+ )
+{
+ UINT8 UsedBits;
+
+ if (IsBitStreamEmpty (Stream)) {
+ASSERT (!IsBitStreamEmpty (Stream));
+return EFI_INVALID_PARAMETER;
+ }
+
+ // Clear the unsused bits of the Stream.
+ // BitStream are big-endian, so MSByte is at index 0.
+ UsedBits = Stream->BitLen & 0x7;
+ if (UsedBits != 0) {
+Stream->Data[0] &= (0XFF >> (8 - UsedBits));
+ }
+
+ return EFI_SUCCESS;
+}
+
+/** Allocate a buffer of BitLen (bits) for BitStream.
+
+ @param [in] BitLenLength of the buffer to allocate (in bits).
+ @param [out] StreamThe BitStream.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_OUT_OF_RESOURCESOut of resources.
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+BitStreamShallowAlloc (
+ IN UINTN BitLen,
+ OUT BIT_STREAM *Stream
+ )
+{
+ UINTN ByteLen;
+
+ if (Stream == NULL) {
+ASSERT (Stream != NULL);
+return EFI_INVALID_PARAMETER;
+ }
+
+ ZeroMem (Stream, sizeof (BIT_STREAM));
+
+ if (BitLen == 0) {
+return EFI_SUCCESS;
+ }
+
+ ByteLen = BitsToUpperBytes (BitLen);
+ Stream->Data = (UINT8 *)AllocateZeroPool (ByteLen);
+ if (Stream->Data == NULL) {
+ASSERT (Stream->Data != NULL);
+return EFI_OUT_OF_RESOURCES;
+ }
+
+ Stream->BitLen = BitLen;
+ Stream->ByteLen = ByteLen;
+
+ return EFI_SUCCESS;
+}
+
+/** Allocate a BitStream of BitLen (bits).
+
+ @param [in] BitLenLength of the BitStream (in bits).
+ @param [out] StreamThe BitStream to allocate.
+ Must be NULL initialized.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_OUT_OF_RESOURCESOut of resources.
+**/
+EFI_STATUS
+EFIAPI
+BitStreamAlloc (
+ IN UINTN BitLen,
+ OUT BIT_STREAM **Stream
+ )
+{
+ EFI_STATUS Status;
+ BIT_STREAM *LocStream;
+
+ // Non NULL initialized pointers are consider
[edk2-devel] [PATCH RESEND v1 2/9] MdePkg/DrbgLib: Add NULL instance of Drbg Library
From: Pierre Gondois
Add a Null instance of the DrbgLib satisfy potential
build dependencies issues.
Signed-off-by: Pierre Gondois
---
MdePkg/Library/DrbgLibNull/DrbgLib.c | 165 +
MdePkg/Library/DrbgLibNull/DrbgLibNull.inf | 21 +++
MdePkg/MdePkg.dsc | 1 +
3 files changed, 187 insertions(+)
create mode 100644 MdePkg/Library/DrbgLibNull/DrbgLib.c
create mode 100644 MdePkg/Library/DrbgLibNull/DrbgLibNull.inf
diff --git a/MdePkg/Library/DrbgLibNull/DrbgLib.c
b/MdePkg/Library/DrbgLibNull/DrbgLib.c
new file mode 100644
index ..e366843b03f0
--- /dev/null
+++ b/MdePkg/Library/DrbgLibNull/DrbgLib.c
@@ -0,0 +1,165 @@
+/** @file
+ Drbg library.
+ Cf. [1] s9 DRBG Mechanism Functions
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - [1] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation
+for Random Number Generation Using Deterministic Random Bit Generators.
+(https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final)
+ - [2] NIST Special Publication 800-90B, Recommendation for the Entropy
+Sources Used for Random Bit Generation.
+(https://csrc.nist.gov/publications/detail/sp/800-90b/final)
+ - [3] (Second Draft) NIST Special Publication 800-90C, Recommendation for
+Random Bit Generator (RBG) Constructions.
+(https://csrc.nist.gov/publications/detail/sp/800-90c/draft)
+ - [4] NIST Special Publication 800-57 Part 1 Revision 5, May 2020,
+Recommendation for Key Management:Part 1 - General.
+
(https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final)
+ - [5] Unified Extensible Firmware Interface (UEFI) Specification,
+Version 2.8 Errata B, May 2020
+(https://www.uefi.org/specifications)
+
+ @par Glossary:
+- TRNG - True Random Number Generator
+- Sec - Security
+- DRBG - Deterministic Random Bits Generator
+- CTR - Counter
+**/
+
+#include
+#include
+#include
+
+/** Reseed a DRBG instance.
+
+ Implementation of Reseed_function.
+ Cf. [1] s9.2 'Reseeding a DRBG Instantiation'
+
+ @param [in] PredResRequest Indicates whether prediction resistance
+is to be provided during the request.
+Might not be supported by all Drbgs.
+ @param [in] AddInput An optional additional input.
+Might not be supported by all Drbgs.
+ @param [in] AddInputLen Additional input length (in bits).
+Might not be supported by all Drbgs.
+ @param [in, out] Handle The Drbg handle.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_OUT_OF_RESOURCESOut of resources.
+**/
+EFI_STATUS
+EFIAPI
+DrbgReseedFn (
+ INBOOLEAN PredResRequest,
+ IN CONST CHAR8*AddInput,
+ INUINTNAddInputLen,
+ IN OUT VOID *Handle
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
+/** Create a Drbg instance.
+
+ Implementation of Instantiate_function.
+ Cf. [1] s9.1 Instantiating a DRBG
+
+ @param [in] DrbgMechanismDRBG mechanism chosen.
+ @param [in] DrbgEntropySrc Entropy source chosen.
+ @param [in] ReqSecStrength Requested security strength (in bits).
+The security strenght granted can be different.
+ @param [in] PredRes Prediction resistance flag.
+If relevant, instantiate a DRBG that supports
+prediction resistance.
+Might not be supported by all Drbgs.
+ @param [in] PersStr Personnalization string.
+Might not be supported by all Drbgs.
+ @param [in] PersStrLen Personnalization string length (in bits).
+Might not be supported by all Drbgs.
+ @param [out] HandlePtr Pointer containting the created Drbg handle.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_OUT_OF_RESOURCESOut of resources.
+**/
+EFI_STATUS
+EFIAPI
+DrbgInstantiateFn (
+ INDRBG_MECHANISMDrbgMechanism,
+ INDRBG_ENTROPY_SRC DrbgEntropySrc,
+ INUINTN ReqSecStrength,
+ INBOOLEAN PredRes,
+ IN CONST CHAR8 *PersStr,
+ INUINTN PersStrLen,
+ OUT VOID **HandlePtr
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
+/** Generate a random number.
+
+ Implementation of Generate_function.
+ Cf. [1] s9.3.1 The Generate Function
+
+ @param [in] ReqSecStrength Requested security strength (in bits).
+If the DrbgHandle cannot satisfy the request,
+an error is ret
[edk2-devel] [PATCH RESEND v1 1/9] MdePkg/DrbgLib: Drbg library interface definition
From: Pierre Gondois
The NIST Special Publication 800-90A, 800-90B and 800-90C
details how to implement a Deterministic Random Bits Generator (DRBG).
Add a library interface definition for interacting with a Drbg.
Signed-off-by: Pierre Gondois
Signed-off-by: Sami Mujawar
---
MdePkg/Include/Library/DrbgLib.h | 172 +++
MdePkg/MdePkg.dec| 4 +
2 files changed, 176 insertions(+)
create mode 100644 MdePkg/Include/Library/DrbgLib.h
diff --git a/MdePkg/Include/Library/DrbgLib.h b/MdePkg/Include/Library/DrbgLib.h
new file mode 100644
index ..aad46dbec228
--- /dev/null
+++ b/MdePkg/Include/Library/DrbgLib.h
@@ -0,0 +1,172 @@
+/** @file
+ DRBG library.
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - [1] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation
+for Random Number Generation Using Deterministic Random Bit Generators.
+(https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final)
+ - [2] NIST Special Publication 800-90B, Recommendation for the Entropy
+Sources Used for Random Bit Generation.
+(https://csrc.nist.gov/publications/detail/sp/800-90b/final)
+ - [3] (Second Draft) NIST Special Publication 800-90C, Recommendation for
+Random Bit Generator (RBG) Constructions.
+(https://csrc.nist.gov/publications/detail/sp/800-90c/draft)
+ - [4] NIST Special Publication 800-57 Part 1 Revision 5, May 2020,
+Recommendation for Key Management:Part 1 - General.
+
+ @par Glossary:
+- TRNG - True Random Number Generator
+- Sec - Security
+- DRBG - Deterministic Random Bits Generator
+- CTR - Counter
+**/
+
+#ifndef DRBG_LIB_H_
+#define DRBG_LIB_H_
+
+/** Drbg Mechanisms.
+*/
+typedef enum {
+ DrbgMechansimHash = 0,///< Hash (not supported yet)
+ DrbgMechansimHmac,///< HMAC (not supported yet)
+ DrbgMechansimCtr, ///< CTR
+ DrbgMechansimMax ///< Maximum value.
+} DRBG_MECHANISM;
+
+/** Drbg Entropy sources.
+*/
+typedef enum {
+ /// Cf. [3] s10.3.3.1
+ /// Construction When a Conditioning Function is not Used
+ DrbgEntropyNoCondFn = 0,
+ /// Cf. [3] s10.3.3.2 (no supported yet)
+ /// Construction When a Vetted Conditioning Function is Used
+ /// and Full Entropy is Not Required)
+ DrbgEntropyNoFullEntropy,
+ /// Cf. [3] s10.3.3.3 (no supported yet)
+ /// Construction When a Vetted Conditioning Function is Used
+ /// to Obtain Full Entropy Bitstrings
+ DrbgEntropyFullEntropy,
+ /// Maximum value.
+ DrbgEntropyMax
+} DRBG_ENTROPY_SRC;
+
+/** Reseed a DRBG instance.
+
+ Implementation of Reseed_function.
+ Cf. [1] s9.2 'Reseeding a DRBG Instantiation'
+
+ @param [in] PredResRequest Indicates whether prediction resistance
+is to be provided during the request.
+Might not be supported by all Drbgs.
+ @param [in] AddInput An optional additional input.
+Might not be supported by all Drbgs.
+ @param [in] AddInputLen Additional input length (in bits).
+Might not be supported by all Drbgs.
+ @param [in, out] Handle The Drbg handle.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_OUT_OF_RESOURCESOut of resources.
+**/
+EFI_STATUS
+EFIAPI
+DrbgReseedFn (
+ INBOOLEAN PredResRequest,
+ IN CONST CHAR8*AddInput,
+ INUINTNAddInputLen,
+ IN OUT VOID *Handle
+ );
+
+/** Create a Drbg instance.
+
+ Implementation of Instantiate_function.
+ Cf. [1] s9.1 Instantiating a DRBG
+
+ @param [in] DrbgMechanismDRBG mechanism chosen.
+ @param [in] DrbgEntropySrc Entropy source chosen.
+ @param [in] ReqSecStrength Requested security strength (in bits).
+The security strenght granted can be different.
+ @param [in] PredRes Prediction resistance flag.
+If relevant, instantiate a DRBG that supports
+prediction resistance.
+Might not be supported by all Drbgs.
+ @param [in] PersStr Personnalization string.
+Might not be supported by all Drbgs.
+ @param [in] PersStrLen Personnalization string length (in bits).
+Might not be supported by all Drbgs.
+ @param [out] HandlePtr Pointer containting the created Drbg handle.
+
+ @retval EFI_SUCCESS Success.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_OUT_OF_RESOURCESOut of resources.
+**/
+EFI_STATUS
+EFIAPI
+DrbgInstantiateFn (
+ INDRBG_MECHANISMDrbgMechanism,
+ INDRBG_ENTROPY_SRC DrbgEntropySrc,
+ INUINTN ReqSecStrength,
[edk2-devel] [PATCH RESEND v1 0/9] Add DrbgLib
From: Pierre Gondois Bugzilla: Bug 3971 (https://bugzilla.tianocore.org/show_bug.cgi?id=3971) Add support for a Deterministic Random Bits Generator (Drbg). The specifications used are the following: - [1] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation for Random Number Generation Using Deterministic Random Bit Generators. (https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final) - [2] NIST Special Publication 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation. (https://csrc.nist.gov/publications/detail/sp/800-90b/final) - [3] (Second Draft) NIST Special Publication 800-90C, Recommendation for Random Bit Generator (RBG) Constructions. (https://csrc.nist.gov/publications/detail/sp/800-90c/draft) - [4] NIST Special Publication 800-57 Part 1 Revision 5, May 2020, Recommendation for Key Management:Part 1 - General. The test vectors available in the CTR_DRBG_AES256 sections of https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/CTR_DRBG_noDF.pdf were used for validation. This patch-set can seen at: https://github.com/PierreARM/edk2/tree/Arm_Drbg_v1 This patch has the following dependency: - [PATCH v3 00/22] Add Raw algorithm support using Arm FW-TRNG interface https://edk2.groups.io/g/devel/message/90845 - [PATCH v1 0/7] Add AesLib and ArmAesLib https://edk2.groups.io/g/devel/message/90878 Pierre Gondois (9): MdePkg/DrbgLib: Drbg library interface definition MdePkg/DrbgLib: Add NULL instance of Drbg Library MdePkg/DrbgLib: Add BitStream implementation MdePkg/DrbgLib: Add Get_entropy_input() implementation MdePkg/DrbgLib: Add common wrappers MdePkg/DrbgLib: Add Ctr Drbg mechanism functions MdePkg/DrbgLib: Add Drbg mechanism functions and module ArmVirtPkg: Kvmtool: Add AesLib/DrbgLib for RngDxe SecurityPkg/RngDxe: Use DrbgLib in RngDxe for Arm ArmVirtPkg/ArmVirtKvmTool.dsc |2 + MdePkg/Include/Library/DrbgLib.h | 172 +++ MdePkg/Library/DrbgLib/BitStream.c| 1114 + MdePkg/Library/DrbgLib/BitStream.h| 366 ++ MdePkg/Library/DrbgLib/Common.c | 249 MdePkg/Library/DrbgLib/Common.h | 74 ++ MdePkg/Library/DrbgLib/CtrDrbg.c | 899 + MdePkg/Library/DrbgLib/CtrDrbg.h | 100 ++ MdePkg/Library/DrbgLib/DrbgLib.c | 628 ++ MdePkg/Library/DrbgLib/DrbgLib.inf| 39 + MdePkg/Library/DrbgLib/DrbgLibInternal.h | 310 + MdePkg/Library/DrbgLib/GetEntropyInput.c | 72 ++ MdePkg/Library/DrbgLib/GetEntropyInput.h | 48 + MdePkg/Library/DrbgLibNull/DrbgLib.c | 165 +++ MdePkg/Library/DrbgLibNull/DrbgLibNull.inf| 21 + MdePkg/MdePkg.dec |4 + MdePkg/MdePkg.dsc |2 + .../RandomNumberGenerator/RngDxe/ArmRngDxe.c | 75 +- .../RandomNumberGenerator/RngDxe/RngDxe.inf |1 + SecurityPkg/SecurityPkg.dsc |2 + 20 files changed, 4342 insertions(+), 1 deletion(-) create mode 100644 MdePkg/Include/Library/DrbgLib.h create mode 100644 MdePkg/Library/DrbgLib/BitStream.c create mode 100644 MdePkg/Library/DrbgLib/BitStream.h create mode 100644 MdePkg/Library/DrbgLib/Common.c create mode 100644 MdePkg/Library/DrbgLib/Common.h create mode 100644 MdePkg/Library/DrbgLib/CtrDrbg.c create mode 100644 MdePkg/Library/DrbgLib/CtrDrbg.h create mode 100644 MdePkg/Library/DrbgLib/DrbgLib.c create mode 100644 MdePkg/Library/DrbgLib/DrbgLib.inf create mode 100644 MdePkg/Library/DrbgLib/DrbgLibInternal.h create mode 100644 MdePkg/Library/DrbgLib/GetEntropyInput.c create mode 100644 MdePkg/Library/DrbgLib/GetEntropyInput.h create mode 100644 MdePkg/Library/DrbgLibNull/DrbgLib.c create mode 100644 MdePkg/Library/DrbgLibNull/DrbgLibNull.inf -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90898): https://edk2.groups.io/g/devel/message/90898 Mute This Topic: https://groups.io/mt/92072283/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH RESEND v1 7/7] ArmPkg/ArmAesLib: Add ArmAesLib
From: Pierre Gondois
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3970
The Armv8.0 Cryptographic Extension 'FEAT_AES' provides
instructions for the acceleration of encryption and decryption.
Add an ArmAesLib relying on this feature to implement the
AES algorithm.
Signed-off-by: Pierre Gondois
---
ArmPkg/ArmPkg.dsc | 3 +-
.../Library/ArmAesLib/AArch64/AArch64AesLib.S | 183
ArmPkg/Library/ArmAesLib/Arm/ArmAesLib.S | 183
ArmPkg/Library/ArmAesLib/ArmAesLib.c | 261 ++
ArmPkg/Library/ArmAesLib/ArmAesLib.h | 96 +++
ArmPkg/Library/ArmAesLib/ArmAesLib.inf| 34 +++
6 files changed, 759 insertions(+), 1 deletion(-)
create mode 100644 ArmPkg/Library/ArmAesLib/AArch64/AArch64AesLib.S
create mode 100644 ArmPkg/Library/ArmAesLib/Arm/ArmAesLib.S
create mode 100644 ArmPkg/Library/ArmAesLib/ArmAesLib.c
create mode 100644 ArmPkg/Library/ArmAesLib/ArmAesLib.h
create mode 100644 ArmPkg/Library/ArmAesLib/ArmAesLib.inf
diff --git a/ArmPkg/ArmPkg.dsc b/ArmPkg/ArmPkg.dsc
index 02d1caa3ab40..72efeb77012e 100644
--- a/ArmPkg/ArmPkg.dsc
+++ b/ArmPkg/ArmPkg.dsc
@@ -2,7 +2,7 @@
# ARM processor package.
#
# Copyright (c) 2009 - 2010, Apple Inc. All rights reserved.
-# Copyright (c) 2011 - 2021, Arm Limited. All rights reserved.
+# Copyright (c) 2011 - 2022, Arm Limited. All rights reserved.
# Copyright (c) 2016, Linaro Ltd. All rights reserved.
# Copyright (c) Microsoft Corporation.
# Copyright (c) 2021, Ampere Computing LLC. All rights reserved.
@@ -139,6 +139,7 @@ [Components.common]
ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf
ArmPkg/Library/OpteeLib/OpteeLib.inf
ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.inf
+ ArmPkg/Library/ArmAesLib/ArmAesLib.inf
ArmPkg/Filesystem/SemihostFs/SemihostFs.inf
diff --git a/ArmPkg/Library/ArmAesLib/AArch64/AArch64AesLib.S
b/ArmPkg/Library/ArmAesLib/AArch64/AArch64AesLib.S
new file mode 100644
index ..07d1d30e6e91
--- /dev/null
+++ b/ArmPkg/Library/ArmAesLib/AArch64/AArch64AesLib.S
@@ -0,0 +1,183 @@
+/** @file
+ AArch64 AES implementation.
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include
+
+.arch_extension crypto
+
+// Generic notes:
+// - In AArch64, the AESE/AESD/AESMC/AESIMC instructions are using registers
+// as .16B
+// - For some CPUs, the latency of LD1 is 6, thus the unfolding.
+// - The latency of the AESE/AESMC pair is 2.
+// Cf.
+// Arm Cortex-X1 Core Revision: r1p2 Software Optimization Guide
+// Arm Cortex-X2 Core Revision: r2p0 Software Optimization Guide
+
+// /** Encrypt an AES block.
+//
+// @param [in] ExpEncKey Expanded encryption key. An array of 32-bits words
+// with the number of elements depending on the key
+// size:
+//* 128-bits: 44 words
+//* 192-bits: 52 words
+//* 256-bits: 60 words
+// @param [in] Rounds Number of rounds (depending on the key size).
+// @param [in] InBlockInput Block. The block to cipher.
+// @param [out] OutBlock Output Block. The ciphered block.
+// **/
+// VOID
+// ArmAesEncrypt (
+// IN UINT32 CONST *ExpEncKey,
+// IN UINT32Rounds,
+// IN UINT8 CONST *InBlock,
+// OUT UINT8 *OutBlock
+// );
+ASM_FUNC(ArmAesEncrypt)
+ld1 {v0.16b}, [x2]
+cmp w1, #12
+beq 0f
+
+// Rounds = 10 or 14. Start loading the expanded key.
+ld1 {v4.4s}, [x0], #16
+ld1 {v1.4s}, [x0], #16
+ld1 {v2.4s}, [x0], #16
+adds w1, w1, #1
+b2f
+
+// Rounds = 12. Start loading the expanded key.
+0: ld1 {v2.4s}, [x0], #16
+ld1 {v3.4s}, [x0], #16
+ld1 {v4.4s}, [x0], #16
+subs w1, w1, #1
+b3f
+
+// Start of the loop (unfolded for 4 rounds).
+1: ld1 {v4.4s}, [x0], #16
+aese v0.16b, v1.16b
+aesmcv0.16b, v0.16b
+3: ld1 {v1.4s}, [x0], #16
+aese v0.16b, v2.16b
+aesmcv0.16b, v0.16b
+ld1 {v2.4s}, [x0], #16
+aese v0.16b, v3.16b
+aesmcv0.16b, v0.16b
+2: subs w1, w1, #4
+ld1 {v3.4s}, [x0], #16
+aese v0.16b, v4.16b
+aesmcv0.16b, v0.16b
+bpl 1b
+
+// Final round.
+aese v0.16b, v1.16b
+eor v0.16b, v0.16b, v2.16b
+st1 {v0.16b}, [x3]
+ret
+
+// /** Decrypt an AES 128-bits block.
+//
+// @param [in] ExpDecKey Expanded decryption key. An array of 32-bits words
+// with the number of elements depending on the key
+// size:
+//* 128-bits: 44 words
+//* 192-bits: 52 words
+//* 256-bits: 60 words
+// @param [in] Rounds Number of rounds (depending on the key size).
+// @para
[edk2-devel] [PATCH RESEND v1 6/7] MdePkg/AesLib: Add NULL instance of AesLib
From: Pierre Gondois
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3970
The FIPS PUB 197: "Advanced Encryption Standard (AES)"
details the AES algorithm.
Add an AesLibNull implementation.
Signed-off-by: Pierre Gondois
---
MdePkg/Library/AesLibNull/AesLibNull.c | 87
MdePkg/Library/AesLibNull/AesLibNull.inf | 24 +++
MdePkg/MdePkg.dsc| 1 +
3 files changed, 112 insertions(+)
create mode 100644 MdePkg/Library/AesLibNull/AesLibNull.c
create mode 100644 MdePkg/Library/AesLibNull/AesLibNull.inf
diff --git a/MdePkg/Library/AesLibNull/AesLibNull.c
b/MdePkg/Library/AesLibNull/AesLibNull.c
new file mode 100644
index ..3dd680fe37e4
--- /dev/null
+++ b/MdePkg/Library/AesLibNull/AesLibNull.c
@@ -0,0 +1,87 @@
+/** @file
+ Null AES Library
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - FIPS 197 November 26, 2001:
+ Specification for the ADVANCED ENCRYPTION STANDARD (AES)
+**/
+
+#include
+#include
+
+/** Encrypt an AES block.
+
+ Buffers are little-endian. Overlapping is not checked.
+
+ @param [in] AesCtxAES context.
+ AesCtx is initialized with AesInitCtx ().
+ @param [in] InBlock Input Block. The block to cipher.
+ @param [out] OutBlock Output Block. The ciphered block.
+
+ @retval EFI_SUCCESSSuccess.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_UNSUPPORTEDUnsupported.
+**/
+EFI_STATUS
+EFIAPI
+AesEncrypt (
+ IN AES_CTX *AesCtx,
+ IN UINT8 CONST *InBlock,
+ OUT UINT8*OutBlock
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
+/** Decrypt an AES block.
+
+ Buffers are little-endian. Overlapping is not checked.
+
+ @param [in] AesCtxAES context.
+ AesCtx is initialized with AesInitCtx ().
+ @param [in] InBlock Input Block. The block to de-cipher.
+ @param [out] OutBlock Output Block. The de-ciphered block.
+
+ @retval EFI_SUCCESSSuccess.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_UNSUPPORTEDUnsupported.
+**/
+EFI_STATUS
+EFIAPI
+AesDecrypt (
+ IN AES_CTX *AesCtx,
+ IN UINT8 CONST *InBlock,
+ OUT UINT8*OutBlock
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
+/** Initialize an AES_CTX structure.
+
+ @param [in] Key AES key. Buffer of KeySize bytes.
+ The buffer is little endian.
+ @param [in] KeySize Size of the key. Must be one of 128|192|256.
+ @param [in, out] AesCtxAES context to initialize.
+
+ @retval EFI_SUCCESSSuccess.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_UNSUPPORTEDUnsupported.
+**/
+EFI_STATUS
+EFIAPI
+AesInitCtx (
+ IN UINT8*Key,
+ IN UINT32 KeySize,
+ IN OUT AES_CTX *AesCtx
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
diff --git a/MdePkg/Library/AesLibNull/AesLibNull.inf
b/MdePkg/Library/AesLibNull/AesLibNull.inf
new file mode 100644
index ..3020e7b68571
--- /dev/null
+++ b/MdePkg/Library/AesLibNull/AesLibNull.inf
@@ -0,0 +1,24 @@
+## @file
+# Null AES Library
+#
+# Copyright (c) 2022, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION= 0x0001001B
+ BASE_NAME = AesLibNull
+ FILE_GUID = F6DED279-FC26-40F6-88B2-05FF5E6E538F
+ VERSION_STRING = 1.0
+ MODULE_TYPE= DXE_DRIVER
+ LIBRARY_CLASS = AesLib
+
+[Sources]
+ AesLibNull.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+
+[LibraryClasses]
+ DebugLib
diff --git a/MdePkg/MdePkg.dsc b/MdePkg/MdePkg.dsc
index 80e7233363d3..726350c215e5 100644
--- a/MdePkg/MdePkg.dsc
+++ b/MdePkg/MdePkg.dsc
@@ -68,6 +68,7 @@ [Components]
MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf
MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
MdePkg/Library/BaseTrngLibNull/BaseTrngLibNull.inf
+ MdePkg/Library/AesLibNull/AesLibNull.inf
MdePkg/Library/BaseSerialPortLibNull/BaseSerialPortLibNull.inf
MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90896): https://edk2.groups.io/g/devel/message/90896
Mute This Topic: https://groups.io/mt/92072169/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH RESEND v1 5/7] MdePkg/AesLib: Definition for AES library class interface
From: Pierre Gondois
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3970
The FIPS PUB 197: "Advanced Encryption Standard (AES)"
details the AES algorithm. Add a library to allow
different architecture specific implementations.
Signed-off-by: Pierre Gondois
---
MdePkg/Include/Library/AesLib.h | 104
MdePkg/MdePkg.dec | 4 ++
2 files changed, 108 insertions(+)
create mode 100644 MdePkg/Include/Library/AesLib.h
diff --git a/MdePkg/Include/Library/AesLib.h b/MdePkg/Include/Library/AesLib.h
new file mode 100644
index ..bc3408bb249b
--- /dev/null
+++ b/MdePkg/Include/Library/AesLib.h
@@ -0,0 +1,104 @@
+/** @file
+ AES library.
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - FIPS 197 November 26, 2001:
+ Specification for the ADVANCED ENCRYPTION STANDARD (AES)
+**/
+
+#ifndef AES_LIB_H_
+#define AES_LIB_H_
+
+/// Key size in bytes.
+#define AES_KEY_SIZE_128 16
+#define AES_KEY_SIZE_192 24
+#define AES_KEY_SIZE_256 32
+#define AES_BLOCK_SIZE16
+
+/*
+ The Key Expansion generates a total of Nb (Nr + 1) words with:
+- Nb = 4:
+ Number of columns (32-bit words) comprising the State
+- Nr = 10, 12, or 14:
+ Number of rounds.
+ */
+#define AES_MAX_KEYLENGTH_U32 (4 * (14 + 1))
+
+/** A context holding information to for AES encryption/decryption.
+ */
+typedef struct {
+ /// Expanded encryption key.
+ UINT32ExpEncKey[AES_MAX_KEYLENGTH_U32];
+ /// Expanded decryption key.
+ UINT32ExpDecKey[AES_MAX_KEYLENGTH_U32];
+ /// Key size, in bytes.
+ /// Must be one of 16|24|32.
+ UINT32KeySize;
+} AES_CTX;
+
+/** Encrypt an AES block.
+
+ Buffers are little-endian. Overlapping is not checked.
+
+ @param [in] AesCtxAES context.
+ AesCtx is initialized with AesInitCtx ().
+ @param [in] InBlock Input Block. The block to cipher.
+ @param [out] OutBlock Output Block. The ciphered block.
+
+ @retval RETURN_SUCCESSSuccess.
+ @retval RETURN_INVALID_PARAMETER Invalid parameter.
+ @retval RETURN_UNSUPPORTEDUnsupported.
+**/
+RETURN_STATUS
+EFIAPI
+AesEncrypt (
+ IN AES_CTX *AesCtx,
+ IN UINT8 CONST *InBlock,
+ OUT UINT8*OutBlock
+ );
+
+/** Decrypt an AES block.
+
+ Buffers are little-endian. Overlapping is not checked.
+
+ @param [in] AesCtxAES context.
+ AesCtx is initialized with AesInitCtx ().
+ @param [in] InBlock Input Block. The block to de-cipher.
+ @param [out] OutBlock Output Block. The de-ciphered block.
+
+ @retval RETURN_SUCCESSSuccess.
+ @retval RETURN_INVALID_PARAMETER Invalid parameter.
+ @retval RETURN_UNSUPPORTEDUnsupported.
+**/
+RETURN_STATUS
+EFIAPI
+AesDecrypt (
+ IN AES_CTX *AesCtx,
+ IN UINT8 CONST *InBlock,
+ OUT UINT8*OutBlock
+ );
+
+/** Initialize an AES_CTX structure.
+
+ @param [in] Key AES key. Buffer of KeySize bytes.
+ The buffer is little endian.
+ @param [in] KeySize Size of the key. Must be one of 128|192|256.
+ @param [in, out] AesCtxAES context to initialize.
+
+ @retval RETURN_SUCCESSSuccess.
+ @retval RETURN_INVALID_PARAMETER Invalid parameter.
+ @retval RETURN_UNSUPPORTEDUnsupported.
+**/
+RETURN_STATUS
+EFIAPI
+AesInitCtx (
+ IN UINT8*Key,
+ IN UINT32 KeySize,
+ IN OUT AES_CTX *AesCtx
+ );
+
+#endif // AES_LIB_H_
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index 7ff26e22f915..078ae9323ba6 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -280,6 +280,10 @@ [LibraryClasses]
#
TrngLib|Include/Library/TrngLib.h
+ ## @libraryclass Provides AES encryption/decryption services.
+ #
+ AesLib|Include/Library/AesLib.h
+
[LibraryClasses.IA32, LibraryClasses.X64, LibraryClasses.AARCH64]
## @libraryclass Provides services to generate random number.
#
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90895): https://edk2.groups.io/g/devel/message/90895
Mute This Topic: https://groups.io/mt/92072168/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH RESEND v1 4/7] ArmPkg/ArmLib: Add ArmHasAesExt()
From: Pierre Gondois
Add a ArmHasAesExt() to check for the FEAT_AES extension.
Signed-off-by: Pierre Gondois
---
ArmPkg/Include/Library/ArmLib.h| 12 +++-
ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c | 13 +
ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h | 1 +
ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c | 13 +
ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h | 2 ++
5 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/ArmPkg/Include/Library/ArmLib.h b/ArmPkg/Include/Library/ArmLib.h
index 8058634dbc53..5cd2bc1a26e5 100644
--- a/ArmPkg/Include/Library/ArmLib.h
+++ b/ArmPkg/Include/Library/ArmLib.h
@@ -1,7 +1,7 @@
/** @file
Copyright (c) 2008 - 2009, Apple Inc. All rights reserved.
- Copyright (c) 2011 - 2022, Arm Limited. All rights reserved.
+ Copyright (c) 2011 - 2022, Arm Ltd. All rights reserved.
Copyright (c) 2020 - 2021, NUVIA Inc. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -779,6 +779,16 @@ ArmHasRngExt (
VOID
);
+/** Check if FEAT_AES extension is available.
+
+ @retval TRUE if FEAT_AES extension is available.
+ @retval FALSE otherwise.
+**/
+BOOLEAN
+ArmHasAesExt (
+ VOID
+ );
+
#ifdef MDE_CPU_ARM
///
/// AArch32-only ID Register Helper functions
diff --git a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c
b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c
index 124b28e16874..dac406362114 100644
--- a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c
+++ b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c
@@ -117,3 +117,16 @@ ArmHasRngExt (
{
return ArmReadIdIsar0 () & ID_AA64ISAR0_EL1_RNDR_MASK;
}
+
+/** Check if FEAT_AES extension is available.
+
+ @retval TRUE if FEAT_AES extension is available.
+ @retval FALSE otherwise.
+**/
+BOOLEAN
+ArmHasAesExt (
+ VOID
+ )
+{
+ return ArmReadIdIsar0 () & ID_AA64ISAR0_EL1_AES_MASK;
+}
diff --git a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h
b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h
index 61a775ea27e8..9f5ad3e0214f 100644
--- a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h
+++ b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h
@@ -11,6 +11,7 @@
#ifndef AARCH64_LIB_H_
#define AARCH64_LIB_H_
+#define ID_AA64ISAR0_EL1_AES_MASK ((UINT64)0xF << 4U)
#define ID_AA64ISAR0_EL1_RNDR_MASK ((UINT64)0xF << 60U)
typedef VOID (*AARCH64_CACHE_OPERATION)(
diff --git a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c
b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c
index a4ec23c8f8d8..ee3a847c1b50 100644
--- a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c
+++ b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c
@@ -133,3 +133,16 @@ ArmHasRngExt (
// Not supported.
return FALSE;
}
+
+/** Check if FEAT_AES extension is available.
+
+ @retval TRUE if FEAT_AES extension is available.
+ @retval FALSE otherwise.
+**/
+BOOLEAN
+ArmHasAesExt (
+ VOID
+ )
+{
+ return ArmReadIdIsaR5 () & ID_ISAR5_AES_MASK;
+}
diff --git a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h
b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h
index 1cfd6e5f65ac..1b91db66fb43 100644
--- a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h
+++ b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h
@@ -10,6 +10,8 @@
#ifndef ARM_V7_LIB_H_
#define ARM_V7_LIB_H_
+#define ID_ISAR5_AES_MASK (0xF << 4U)
+
#define ID_MMFR0_SHARELVL_SHIFT 12
#define ID_MMFR0_SHARELVL_MASK 0xf
#define ID_MMFR0_SHARELVL_ONE0
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90894): https://edk2.groups.io/g/devel/message/90894
Mute This Topic: https://groups.io/mt/92072167/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH RESEND v1 3/7] ArmPkg/ArmLib: Add ArmReadIdIsaR5() helper
From: Pierre Gondois Add a ArmReadIdIsaR5() helper function to access the AArch32 ID_ISAR5 register. Signed-off-by: Pierre Gondois --- ArmPkg/Library/ArmLib/Arm/ArmLibSupport.S | 7 ++- ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h | 11 +++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/ArmPkg/Library/ArmLib/Arm/ArmLibSupport.S b/ArmPkg/Library/ArmLib/Arm/ArmLibSupport.S index 0856740e3290..bc2be5331c7d 100644 --- a/ArmPkg/Library/ArmLib/Arm/ArmLibSupport.S +++ b/ArmPkg/Library/ArmLib/Arm/ArmLibSupport.S @@ -1,7 +1,7 @@ #-- # # Copyright (c) 2008 - 2009, Apple Inc. All rights reserved. -# Copyright (c) 2011 - 2016, ARM Limited. All rights reserved. +# Copyright (c) 2011 - 2022, Arm Limited. All rights reserved. # Copyright (c) 2016, Linaro Limited. All rights reserved. # # SPDX-License-Identifier: BSD-2-Clause-Patent @@ -167,4 +167,9 @@ ASM_FUNC (ArmGetPhysicalAddressBits) movge r0, #40 // 40 bits if LPAE bx lr +// UINTN ArmReadIdIsaR5(VOID) +ASM_FUNC(ArmReadIdIsaR5) + mrc p15, 0, r0, c0, c2, 5 + bx lr + ASM_FUNCTION_REMOVE_IF_UNREFERENCED diff --git a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h index 404ff92c4e06..1cfd6e5f65ac 100644 --- a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h +++ b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h @@ -1,6 +1,7 @@ /** @file Copyright (c) 2008 - 2009, Apple Inc. All rights reserved. + Copyright (c) 2022, Arm Ltd. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent @@ -66,4 +67,14 @@ ArmReadIdPfr1 ( VOID ); +/** Reads the ID_ISAR5 register. + + @return The contents of the ID_ISAR5 register. +**/ +UINTN +EFIAPI +ArmReadIdIsaR5 ( + VOID + ); + #endif // ARM_V7_LIB_H_ -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90893): https://edk2.groups.io/g/devel/message/90893 Mute This Topic: https://groups.io/mt/92072166/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH RESEND v1 2/7] ArmPkg/ArmDisassemblerLib: Replace RotateRight()
From: Pierre Gondois
A local RotateRight() function is defined. The RRotU32() function
available in the MdePkg/BaseLib does the same.
Prefer the generic function and remove the local RotateRight().
Signed-off-by: Pierre Gondois
---
ArmPkg/Library/ArmDisassemblerLib/ArmDisassembler.c | 11 +--
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/ArmPkg/Library/ArmDisassemblerLib/ArmDisassembler.c
b/ArmPkg/Library/ArmDisassemblerLib/ArmDisassembler.c
index 0e09062957b4..24a317a9c9f4 100644
--- a/ArmPkg/Library/ArmDisassemblerLib/ArmDisassembler.c
+++ b/ArmPkg/Library/ArmDisassemblerLib/ArmDisassembler.c
@@ -128,15 +128,6 @@ FieldMask (
return "";
}
-UINT32
-RotateRight (
- IN UINT32 Op,
- IN UINT32 Shift
- )
-{
- return (Op >> Shift) | (Op << (32 - Shift));
-}
-
/**
Place a disassembly of **OpCodePtr into buffer, and update OpCodePtr to
point to next instruction.
@@ -409,7 +400,7 @@ DisassembleArmInstruction (
// A4.1.38 MSR{} CPSR_, # MSR{}
CPSR_,
if (Imm) {
// MSR{} CPSR_, #
- AsciiSPrint (Buf, Size, "MRS%a %a_%a, #0x%x", COND (OpCode), WriteBack ?
"SPSR" : "CPSR", FieldMask ((OpCode >> 16) & 0xf), RotateRight (OpCode & 0xf,
((OpCode >> 8) & 0xf) *2));
+ AsciiSPrint (Buf, Size, "MRS%a %a_%a, #0x%x", COND (OpCode), WriteBack ?
"SPSR" : "CPSR", FieldMask ((OpCode >> 16) & 0xf), RRotU32 (OpCode & 0xf,
((OpCode >> 8) & 0xf) *2));
} else {
// MSR{} CPSR_,
AsciiSPrint (Buf, Size, "MRS%a %a_%a, %a", COND (OpCode), WriteBack ?
"SPSR" : "CPSR", gReg[Rd]);
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90892): https://edk2.groups.io/g/devel/message/90892
Mute This Topic: https://groups.io/mt/92072164/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH RESEND v1 0/7] Add AesLib and ArmAesLib
From: Pierre Gondois Bugzilla: Bug 3970 (https://bugzilla.tianocore.org/show_bug.cgi?id=3970) To fasten AES encryption/decryption process or create a Deterministic Random Bits Generator (Drbg), add a library using Arm's AES instructions (AESE AESD, AESMC, AESIMC). The test vectors available in the CTR_DRBG_AES256 sections of https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/CTR_DRBG_noDF.pdf were used for validation. Indeed, the Drbg implementation in a following patch-set relies on the AES encryption. This patch-set can seen at: https://github.com/PierreARM/edk2/tree/Arm_Aes_v1 This patch has the following dependency: - [PATCH v3 00/22] Add Raw algorithm support using Arm FW-TRNG interface https://edk2.groups.io/g/devel/message/90845 Pierre Gondois (7): ArmPkg: Update Armpkg.ci.yaml ArmPkg/ArmDisassemblerLib: Replace RotateRight() ArmPkg/ArmLib: Add ArmReadIdIsaR5() helper ArmPkg/ArmLib: Add ArmHasAesExt() MdePkg/AesLib: Definition for AES library class interface MdePkg/AesLib: Add NULL instance of AesLib ArmPkg/ArmAesLib: Add ArmAesLib ArmPkg/ArmPkg.ci.yaml | 1 + ArmPkg/ArmPkg.dsc | 3 +- ArmPkg/Include/Library/ArmLib.h | 12 +- .../Library/ArmAesLib/AArch64/AArch64AesLib.S | 183 ArmPkg/Library/ArmAesLib/Arm/ArmAesLib.S | 183 ArmPkg/Library/ArmAesLib/ArmAesLib.c | 261 ++ ArmPkg/Library/ArmAesLib/ArmAesLib.h | 96 +++ ArmPkg/Library/ArmAesLib/ArmAesLib.inf| 34 +++ .../ArmDisassemblerLib/ArmDisassembler.c | 11 +- ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c| 13 + ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h| 1 + ArmPkg/Library/ArmLib/Arm/ArmLibSupport.S | 7 +- ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c | 13 + ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h | 13 + MdePkg/Include/Library/AesLib.h | 104 +++ MdePkg/Library/AesLibNull/AesLibNull.c| 87 ++ MdePkg/Library/AesLibNull/AesLibNull.inf | 24 ++ MdePkg/MdePkg.dec | 4 + MdePkg/MdePkg.dsc | 1 + 19 files changed, 1038 insertions(+), 13 deletions(-) create mode 100644 ArmPkg/Library/ArmAesLib/AArch64/AArch64AesLib.S create mode 100644 ArmPkg/Library/ArmAesLib/Arm/ArmAesLib.S create mode 100644 ArmPkg/Library/ArmAesLib/ArmAesLib.c create mode 100644 ArmPkg/Library/ArmAesLib/ArmAesLib.h create mode 100644 ArmPkg/Library/ArmAesLib/ArmAesLib.inf create mode 100644 MdePkg/Include/Library/AesLib.h create mode 100644 MdePkg/Library/AesLibNull/AesLibNull.c create mode 100644 MdePkg/Library/AesLibNull/AesLibNull.inf -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90890): https://edk2.groups.io/g/devel/message/90890 Mute This Topic: https://groups.io/mt/92072155/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH RESEND v1 1/7] ArmPkg: Update Armpkg.ci.yaml
From: Pierre Gondois Add word to the exception list for the spell check tool. Signed-off-by: Pierre Gondois --- ArmPkg/ArmPkg.ci.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/ArmPkg/ArmPkg.ci.yaml b/ArmPkg/ArmPkg.ci.yaml index b7e07aaef675..ac50c30519f9 100644 --- a/ArmPkg/ArmPkg.ci.yaml +++ b/ArmPkg/ArmPkg.ci.yaml @@ -97,6 +97,7 @@ "ackintid", "actlr", "aeabi", + "aesimc", "asedis", "ashldi", "ashrdi", -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90891): https://edk2.groups.io/g/devel/message/90891 Mute This Topic: https://groups.io/mt/92072161/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable Libraries
Hi Jiewen,
Thanks for reading through these patches.
For #1, yes, we implemented these changes in project MU and validated
them on both our virtual platform
(https://github.com/microsoft/mu_tiano_platforms) and other proprietary
hardware platforms. I will leave the acked-by or tested-by to others on
the MU teams.
For #2, this is just an arbitrary timestamp from a previous date so that
we can create time based payload without hard dependency on time
protocol (which could result in potential executing sequence issue). I
will update comment to avoid confusion in the next round of patch. But
should you have other suggestions to improve this, please let me know.
Regards,
Kun
On 6/29/2022 1:50 AM, Yao, Jiewen wrote:
Hi Kun
Thank you to make the redesign.
Overall the patch set looks good to me. Some questions:
1. Is that from project MU? If so, I would like to see acked-by or
tested-by from project MU owner. That can give me more confidence
to accept it. 😊
2. Is below data from some document? If so, would please add URL?
Also, why do we have to use this timestamp? What if a different
timestamp is used?
+// MS Default Time-Based Payload Creation Date
+// This is the date that is used when creating SecureBoot default
variables.
+// NOTE: This is a placeholder date that doesn't correspond to
anything else.
+//
+EFI_TIMEÂ mDefaultPayloadTimestamp = {
+ 15,  // Year (2015)
+ 8,   // Month (Aug)
+ 28,  // Day (28)
+ 0,   // Hour
+ 0,   // Minute
+ 0,   // Second
+ 0,   // Pad1
+ 0,   // Nanosecond
+ 0,   // Timezone (Dummy value)
+ 0,   // Daylight (Dummy value)
+Â 0 // Pad2
+};
*From:* Kun Qin
*Sent:* Wednesday, June 29, 2022 5:19 AM
*To:* edk2-devel-groups-io ; kuqi...@gmail.com
*Cc:* Yao, Jiewen ; Wang, Jian J
; Xu, Min M ; Sean Brogan
; Ard Biesheuvel
; Justen, Jordan L
; Gerd Hoffmann ;
Rebecca Cran ; Peter Grehan ;
Boeuf, Sebastien ; Andrew Fish
; Ni, Ray
*Subject:* Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot
Variable Libraries
Hi SecurityPkg maintainers & reviewers,
I posted this patch series a while back intending to generalize the
usage of a few interfaces from secure boot libraries. Could you please
help reviewing them and provide feedback? Any input is appreciated.
Regards,
Kun
On Mon, Jun 13, 2022 at 1:39 PM Kun Qin via groups.io
wrote:
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911
This is a revamp of a previously submitted patch series based on
top of
master branch: https://edk2.groups.io/g/devel/message/89507. No
changes
added.
Current SecureBootVariableLib provide great support for deleting
secure
boot related variables, creating time-based payloads.
However, for secure boot enrollment, the
SecureBootVariableProvisionLib
interfaces always assume the changes from variable storage,
limiting the
usage, requiring existing platforms to change key initialization
process
to adapt to the new methods, as well as bringing in extra dependencies
such as FV protocol, time protocols.
This patch series proposes to update the implementation for Secure
Boot
Variable libraries and their consumers to better support the related
variables operations.
Patch v2 branch:
https://github.com/kuqin12/edk2/tree/secure_boot_enhance_v2
Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Cc: Sean Brogan
Cc: Ard Biesheuvel mailto:ardb%2btianoc...@kernel.org>>
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc: Rebecca Cran
Cc: Peter Grehan
Cc: Sebastien Boeuf
Cc: Andrew Fish
Cc: Ray Ni
Kun Qin (8):
 SecurityPkg: UefiSecureBoot: Definitions of cert and payload
  structures
 SecurityPkg: PlatformPKProtectionLib: Added PK protection interface
 SecurityPkg: SecureBootVariableLib: Updated time based payload
creator
 SecurityPkg: SecureBootVariableProvisionLib: Updated implementation
 SecurityPkg: Secure Boot Drivers: Added common header files
 SecurityPkg: SecureBootConfigDxe: Updated invocation pattern
 OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency
 EmulatorPkg: Pipeline: Resolve SecureBootVariableLib dependency
kuqin (3):
 SecurityPkg: SecureBootVariableLib: Updated signature list creator
 SecurityPkg: SecureBootVariableLib: Added newly supported interfaces
 SecurityPkg: SecureBootVariableLib: Added unit tests
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c Â
         |  1 +
Â
SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
 |  51 +
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
          | 486 -
Â
SecurityPkg/Library/SecureB
[edk2-devel] [edk2-test][PATCH v1 1/1] uefi-sct/SctPkg: Don't always check PixelInformation
According to UEFI 2.9 Section 12.9, the PixelInformation field of the
EFI_GRAPHICS_OUTPUT_MODE_INFORMATION structure is valid only if
PixelFormat is PixelBitMask. The current implementation always checks
the contents of PixelInformation field of the
EFI_GRAPHICS_OUTPUT_MODE_INFORMATION structure returned by QueryMode,
regardless of PixelFormat. Check PixelInformation only if
PixelFormat is PixelBitMask.
Cc: G Edhaya Chandran
Cc: Jeff Booher-Kaeding
Cc: Samer El-Haj-Mahmoud
Cc: Sunny Wang
Cc: Jeremy Linton
Signed-off-by: Dimitrije Pavlov
---
uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/GraphicsOutput/BlackBoxTest/GraphicsOutputBBTestConformance.c
| 30 ++--
uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/GraphicsOutput/BlackBoxTest/GraphicsOutputBBTestFunction.c
| 19 +
2 files changed, 35 insertions(+), 14 deletions(-)
diff --git
a/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/GraphicsOutput/BlackBoxTest/GraphicsOutputBBTestConformance.c
b/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/GraphicsOutput/BlackBoxTest/GraphicsOutputBBTestConformance.c
index 13e7227f5845..b2bff9d756b1 100644
---
a/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/GraphicsOutput/BlackBoxTest/GraphicsOutputBBTestConformance.c
+++
b/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/GraphicsOutput/BlackBoxTest/GraphicsOutputBBTestConformance.c
@@ -493,16 +493,28 @@ Returns:
);
if (Status != EFI_SUCCESS) {
AssertionType = EFI_TEST_ASSERTION_FAILED;
- } else {
+ } else {
AssertionType = EFI_TEST_ASSERTION_PASSED;
- }
-
- if (SctCompareMem (
- (void *) info,
- (void *) GraphicsOutput->Mode->Info,
- sizeof (EFI_GRAPHICS_OUTPUT_MODE_INFORMATION)
- ) != 0) {
-AssertionType = EFI_TEST_ASSERTION_FAILED;
+if (info != NULL) {
+ //
+ // PixelInformation is checked only if PixelFormat is PixelBitMask
+ //
+ if ( info->Version !=
GraphicsOutput->Mode->Info->Version
+|| info->HorizontalResolution !=
GraphicsOutput->Mode->Info->HorizontalResolution
+|| info->VerticalResolution !=
GraphicsOutput->Mode->Info->VerticalResolution
+|| info->PixelFormat !=
GraphicsOutput->Mode->Info->PixelFormat
+|| info->PixelsPerScanLine!=
GraphicsOutput->Mode->Info->PixelsPerScanLine
+|| ( info->PixelFormat == PixelBitMask
+ && ( info->PixelInformation.RedMask !=
GraphicsOutput->Mode->Info->PixelInformation.RedMask
+|| info->PixelInformation.GreenMask!=
GraphicsOutput->Mode->Info->PixelInformation.GreenMask
+|| info->PixelInformation.BlueMask !=
GraphicsOutput->Mode->Info->PixelInformation.BlueMask
+|| info->PixelInformation.ReservedMask !=
GraphicsOutput->Mode->Info->PixelInformation.ReservedMask)))
+ {
+AssertionType = EFI_TEST_ASSERTION_FAILED;
+ }
+} else {
+ AssertionType = EFI_TEST_ASSERTION_FAILED;
+}
}
if (info != NULL) {
diff --git
a/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/GraphicsOutput/BlackBoxTest/GraphicsOutputBBTestFunction.c
b/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/GraphicsOutput/BlackBoxTest/GraphicsOutputBBTestFunction.c
index da51fbc44596..f31ea8175af8 100644
---
a/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/GraphicsOutput/BlackBoxTest/GraphicsOutputBBTestFunction.c
+++
b/uefi-sct/SctPkg/TestCase/UEFI/EFI/Protocol/GraphicsOutput/BlackBoxTest/GraphicsOutputBBTestFunction.c
@@ -125,11 +125,20 @@ Returns:
} else {
AssertionType = EFI_TEST_ASSERTION_PASSED;
if (Info != NULL) {
-if (SctCompareMem (
-(void *) Info,
-(void *) GraphicsOutput->Mode->Info,
-sizeof (EFI_GRAPHICS_OUTPUT_MODE_INFORMATION)
-) != 0) {
+//
+// PixelInformation is checked only if PixelFormat is PixelBitMask
+//
+if ( Info->Version != GraphicsOutput->Mode->Info->Version
+ || Info->HorizontalResolution !=
GraphicsOutput->Mode->Info->HorizontalResolution
+ || Info->VerticalResolution !=
GraphicsOutput->Mode->Info->VerticalResolution
+ || Info->PixelFormat !=
GraphicsOutput->Mode->Info->PixelFormat
+ || Info->PixelsPerScanLine!=
GraphicsOutput->Mode->Info->PixelsPerScanLine
+ || ( Info->PixelFormat == PixelBitMask
+&& ( Info->PixelInformation.RedMask !=
GraphicsOutput->Mode->Info->PixelInformation.RedMask
+ || Info->PixelInformation.GreenMask!=
GraphicsOutput->Mode->Info->PixelInformation.GreenMask
+ || Info->PixelInformation.BlueMask !=
GraphicsOutput->Mode->Info->PixelInformation.BlueMask
+ || Info->PixelInformation.ReservedMask !=
GraphicsOutput->Mode->Info->PixelInformation.ReservedMask)))
+{
Re: [edk2-devel] [Patch] pip-requirements.txt: Update basetools version to 0.1.24
Hi Bob, Can you please add a summary of the BaseTools bugs/features addressed in the upgrade from 0.1.17 to 0.1.24 to the commit message. With that update: Reviewed-by: Michael D Kinney Thanks, Mike > -Original Message- > From: devel@edk2.groups.io On Behalf Of Michael Kubacki > Sent: Wednesday, June 29, 2022 8:23 AM > To: devel@edk2.groups.io; Feng, Bob C > Subject: Re: [edk2-devel] [Patch] pip-requirements.txt: Update basetools > version to 0.1.24 > > Acked-by: Michael Kubacki > > On 6/29/2022 3:55 AM, Bob Feng wrote: > > Synced the basetools patch from edk2 repo to > > edk2-basetools repo. > > > > edk2 sha-1: 59141288716f8917968d4bb96367b7d08fe5ab8a > > > > Update the basetools pip module version > > to the latest 0.1.24. > > > > Signed-off-by: Bob Feng > > --- > > pip-requirements.txt | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/pip-requirements.txt b/pip-requirements.txt > > index 6585df201d..29424b08bd 100644 > > --- a/pip-requirements.txt > > +++ b/pip-requirements.txt > > @@ -12,7 +12,7 @@ > > # https://www.python.org/dev/peps/pep-0440/#version-specifiers > > > > ## > > > > > > > > edk2-pytool-library==0.11.2 > > > > edk2-pytool-extensions~=0.16.0 > > > > -edk2-basetools==0.1.17 > > > > +edk2-basetools==0.1.24 > > > > antlr4-python3-runtime==4.7.1 > > > > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90887): https://edk2.groups.io/g/devel/message/90887 Mute This Topic: https://groups.io/mt/92060732/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [Patch] pip-requirements.txt: Update basetools version to 0.1.24
Acked-by: Michael Kubacki On 6/29/2022 3:55 AM, Bob Feng wrote: Synced the basetools patch from edk2 repo to edk2-basetools repo. edk2 sha-1: 59141288716f8917968d4bb96367b7d08fe5ab8a Update the basetools pip module version to the latest 0.1.24. Signed-off-by: Bob Feng --- pip-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pip-requirements.txt b/pip-requirements.txt index 6585df201d..29424b08bd 100644 --- a/pip-requirements.txt +++ b/pip-requirements.txt @@ -12,7 +12,7 @@ # https://www.python.org/dev/peps/pep-0440/#version-specifiers ## edk2-pytool-library==0.11.2 edk2-pytool-extensions~=0.16.0 -edk2-basetools==0.1.17 +edk2-basetools==0.1.24 antlr4-python3-runtime==4.7.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90886): https://edk2.groups.io/g/devel/message/90886 Mute This Topic: https://groups.io/mt/92060732/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 0/7] Add AesLib and ArmAesLib
This patch-set is incomplete. I will (re-)send the remaining patches later today as there is a limit in the number of messages that can be sent to ( devel@edk2.groups.io ) : host lb01.groups.io[45.79.81.153] said: 500 We have received more than 40 messages in 30 minutes from you. To guard against autoresponder mail loops, we must reject additional messages from you temporarily. Please try again later. (in reply to RCPT TO command) Regards, Pierre -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90885): https://edk2.groups.io/g/devel/message/90885 Mute This Topic: https://groups.io/mt/92066823/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v1 6/7] MdePkg/AesLib: Add NULL instance of AesLib
From: Pierre Gondois
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3970
The FIPS PUB 197: "Advanced Encryption Standard (AES)"
details the AES algorithm.
Add an AesLibNull implementation.
Signed-off-by: Pierre Gondois
---
MdePkg/Library/AesLibNull/AesLibNull.c | 87
MdePkg/Library/AesLibNull/AesLibNull.inf | 24 +++
MdePkg/MdePkg.dsc| 1 +
3 files changed, 112 insertions(+)
create mode 100644 MdePkg/Library/AesLibNull/AesLibNull.c
create mode 100644 MdePkg/Library/AesLibNull/AesLibNull.inf
diff --git a/MdePkg/Library/AesLibNull/AesLibNull.c
b/MdePkg/Library/AesLibNull/AesLibNull.c
new file mode 100644
index ..3dd680fe37e4
--- /dev/null
+++ b/MdePkg/Library/AesLibNull/AesLibNull.c
@@ -0,0 +1,87 @@
+/** @file
+ Null AES Library
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - FIPS 197 November 26, 2001:
+ Specification for the ADVANCED ENCRYPTION STANDARD (AES)
+**/
+
+#include
+#include
+
+/** Encrypt an AES block.
+
+ Buffers are little-endian. Overlapping is not checked.
+
+ @param [in] AesCtxAES context.
+ AesCtx is initialized with AesInitCtx ().
+ @param [in] InBlock Input Block. The block to cipher.
+ @param [out] OutBlock Output Block. The ciphered block.
+
+ @retval EFI_SUCCESSSuccess.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_UNSUPPORTEDUnsupported.
+**/
+EFI_STATUS
+EFIAPI
+AesEncrypt (
+ IN AES_CTX *AesCtx,
+ IN UINT8 CONST *InBlock,
+ OUT UINT8*OutBlock
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
+/** Decrypt an AES block.
+
+ Buffers are little-endian. Overlapping is not checked.
+
+ @param [in] AesCtxAES context.
+ AesCtx is initialized with AesInitCtx ().
+ @param [in] InBlock Input Block. The block to de-cipher.
+ @param [out] OutBlock Output Block. The de-ciphered block.
+
+ @retval EFI_SUCCESSSuccess.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_UNSUPPORTEDUnsupported.
+**/
+EFI_STATUS
+EFIAPI
+AesDecrypt (
+ IN AES_CTX *AesCtx,
+ IN UINT8 CONST *InBlock,
+ OUT UINT8*OutBlock
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
+/** Initialize an AES_CTX structure.
+
+ @param [in] Key AES key. Buffer of KeySize bytes.
+ The buffer is little endian.
+ @param [in] KeySize Size of the key. Must be one of 128|192|256.
+ @param [in, out] AesCtxAES context to initialize.
+
+ @retval EFI_SUCCESSSuccess.
+ @retval EFI_INVALID_PARAMETER Invalid parameter.
+ @retval EFI_UNSUPPORTEDUnsupported.
+**/
+EFI_STATUS
+EFIAPI
+AesInitCtx (
+ IN UINT8*Key,
+ IN UINT32 KeySize,
+ IN OUT AES_CTX *AesCtx
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
diff --git a/MdePkg/Library/AesLibNull/AesLibNull.inf
b/MdePkg/Library/AesLibNull/AesLibNull.inf
new file mode 100644
index ..3020e7b68571
--- /dev/null
+++ b/MdePkg/Library/AesLibNull/AesLibNull.inf
@@ -0,0 +1,24 @@
+## @file
+# Null AES Library
+#
+# Copyright (c) 2022, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION= 0x0001001B
+ BASE_NAME = AesLibNull
+ FILE_GUID = F6DED279-FC26-40F6-88B2-05FF5E6E538F
+ VERSION_STRING = 1.0
+ MODULE_TYPE= DXE_DRIVER
+ LIBRARY_CLASS = AesLib
+
+[Sources]
+ AesLibNull.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+
+[LibraryClasses]
+ DebugLib
diff --git a/MdePkg/MdePkg.dsc b/MdePkg/MdePkg.dsc
index 80e7233363d3..726350c215e5 100644
--- a/MdePkg/MdePkg.dsc
+++ b/MdePkg/MdePkg.dsc
@@ -68,6 +68,7 @@ [Components]
MdePkg/Library/BaseRngLibNull/BaseRngLibNull.inf
MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
MdePkg/Library/BaseTrngLibNull/BaseTrngLibNull.inf
+ MdePkg/Library/AesLibNull/AesLibNull.inf
MdePkg/Library/BaseSerialPortLibNull/BaseSerialPortLibNull.inf
MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90884): https://edk2.groups.io/g/devel/message/90884
Mute This Topic: https://groups.io/mt/92066834/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v1 5/7] MdePkg/AesLib: Definition for AES library class interface
From: Pierre Gondois
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3970
The FIPS PUB 197: "Advanced Encryption Standard (AES)"
details the AES algorithm. Add a library to allow
different architecture specific implementations.
Signed-off-by: Pierre Gondois
---
MdePkg/Include/Library/AesLib.h | 104
MdePkg/MdePkg.dec | 4 ++
2 files changed, 108 insertions(+)
create mode 100644 MdePkg/Include/Library/AesLib.h
diff --git a/MdePkg/Include/Library/AesLib.h b/MdePkg/Include/Library/AesLib.h
new file mode 100644
index ..bc3408bb249b
--- /dev/null
+++ b/MdePkg/Include/Library/AesLib.h
@@ -0,0 +1,104 @@
+/** @file
+ AES library.
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - FIPS 197 November 26, 2001:
+ Specification for the ADVANCED ENCRYPTION STANDARD (AES)
+**/
+
+#ifndef AES_LIB_H_
+#define AES_LIB_H_
+
+/// Key size in bytes.
+#define AES_KEY_SIZE_128 16
+#define AES_KEY_SIZE_192 24
+#define AES_KEY_SIZE_256 32
+#define AES_BLOCK_SIZE16
+
+/*
+ The Key Expansion generates a total of Nb (Nr + 1) words with:
+- Nb = 4:
+ Number of columns (32-bit words) comprising the State
+- Nr = 10, 12, or 14:
+ Number of rounds.
+ */
+#define AES_MAX_KEYLENGTH_U32 (4 * (14 + 1))
+
+/** A context holding information to for AES encryption/decryption.
+ */
+typedef struct {
+ /// Expanded encryption key.
+ UINT32ExpEncKey[AES_MAX_KEYLENGTH_U32];
+ /// Expanded decryption key.
+ UINT32ExpDecKey[AES_MAX_KEYLENGTH_U32];
+ /// Key size, in bytes.
+ /// Must be one of 16|24|32.
+ UINT32KeySize;
+} AES_CTX;
+
+/** Encrypt an AES block.
+
+ Buffers are little-endian. Overlapping is not checked.
+
+ @param [in] AesCtxAES context.
+ AesCtx is initialized with AesInitCtx ().
+ @param [in] InBlock Input Block. The block to cipher.
+ @param [out] OutBlock Output Block. The ciphered block.
+
+ @retval RETURN_SUCCESSSuccess.
+ @retval RETURN_INVALID_PARAMETER Invalid parameter.
+ @retval RETURN_UNSUPPORTEDUnsupported.
+**/
+RETURN_STATUS
+EFIAPI
+AesEncrypt (
+ IN AES_CTX *AesCtx,
+ IN UINT8 CONST *InBlock,
+ OUT UINT8*OutBlock
+ );
+
+/** Decrypt an AES block.
+
+ Buffers are little-endian. Overlapping is not checked.
+
+ @param [in] AesCtxAES context.
+ AesCtx is initialized with AesInitCtx ().
+ @param [in] InBlock Input Block. The block to de-cipher.
+ @param [out] OutBlock Output Block. The de-ciphered block.
+
+ @retval RETURN_SUCCESSSuccess.
+ @retval RETURN_INVALID_PARAMETER Invalid parameter.
+ @retval RETURN_UNSUPPORTEDUnsupported.
+**/
+RETURN_STATUS
+EFIAPI
+AesDecrypt (
+ IN AES_CTX *AesCtx,
+ IN UINT8 CONST *InBlock,
+ OUT UINT8*OutBlock
+ );
+
+/** Initialize an AES_CTX structure.
+
+ @param [in] Key AES key. Buffer of KeySize bytes.
+ The buffer is little endian.
+ @param [in] KeySize Size of the key. Must be one of 128|192|256.
+ @param [in, out] AesCtxAES context to initialize.
+
+ @retval RETURN_SUCCESSSuccess.
+ @retval RETURN_INVALID_PARAMETER Invalid parameter.
+ @retval RETURN_UNSUPPORTEDUnsupported.
+**/
+RETURN_STATUS
+EFIAPI
+AesInitCtx (
+ IN UINT8*Key,
+ IN UINT32 KeySize,
+ IN OUT AES_CTX *AesCtx
+ );
+
+#endif // AES_LIB_H_
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index 7ff26e22f915..078ae9323ba6 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -280,6 +280,10 @@ [LibraryClasses]
#
TrngLib|Include/Library/TrngLib.h
+ ## @libraryclass Provides AES encryption/decryption services.
+ #
+ AesLib|Include/Library/AesLib.h
+
[LibraryClasses.IA32, LibraryClasses.X64, LibraryClasses.AARCH64]
## @libraryclass Provides services to generate random number.
#
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90883): https://edk2.groups.io/g/devel/message/90883
Mute This Topic: https://groups.io/mt/92066833/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v1 4/7] ArmPkg/ArmLib: Add ArmHasAesExt()
From: Pierre Gondois
Add a ArmHasAesExt() to check for the FEAT_AES extension.
Signed-off-by: Pierre Gondois
---
ArmPkg/Include/Library/ArmLib.h| 12 +++-
ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c | 13 +
ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h | 1 +
ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c | 13 +
ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h | 2 ++
5 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/ArmPkg/Include/Library/ArmLib.h b/ArmPkg/Include/Library/ArmLib.h
index 8058634dbc53..5cd2bc1a26e5 100644
--- a/ArmPkg/Include/Library/ArmLib.h
+++ b/ArmPkg/Include/Library/ArmLib.h
@@ -1,7 +1,7 @@
/** @file
Copyright (c) 2008 - 2009, Apple Inc. All rights reserved.
- Copyright (c) 2011 - 2022, Arm Limited. All rights reserved.
+ Copyright (c) 2011 - 2022, Arm Ltd. All rights reserved.
Copyright (c) 2020 - 2021, NUVIA Inc. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -779,6 +779,16 @@ ArmHasRngExt (
VOID
);
+/** Check if FEAT_AES extension is available.
+
+ @retval TRUE if FEAT_AES extension is available.
+ @retval FALSE otherwise.
+**/
+BOOLEAN
+ArmHasAesExt (
+ VOID
+ );
+
#ifdef MDE_CPU_ARM
///
/// AArch32-only ID Register Helper functions
diff --git a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c
b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c
index 124b28e16874..dac406362114 100644
--- a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c
+++ b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c
@@ -117,3 +117,16 @@ ArmHasRngExt (
{
return ArmReadIdIsar0 () & ID_AA64ISAR0_EL1_RNDR_MASK;
}
+
+/** Check if FEAT_AES extension is available.
+
+ @retval TRUE if FEAT_AES extension is available.
+ @retval FALSE otherwise.
+**/
+BOOLEAN
+ArmHasAesExt (
+ VOID
+ )
+{
+ return ArmReadIdIsar0 () & ID_AA64ISAR0_EL1_AES_MASK;
+}
diff --git a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h
b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h
index 61a775ea27e8..9f5ad3e0214f 100644
--- a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h
+++ b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h
@@ -11,6 +11,7 @@
#ifndef AARCH64_LIB_H_
#define AARCH64_LIB_H_
+#define ID_AA64ISAR0_EL1_AES_MASK ((UINT64)0xF << 4U)
#define ID_AA64ISAR0_EL1_RNDR_MASK ((UINT64)0xF << 60U)
typedef VOID (*AARCH64_CACHE_OPERATION)(
diff --git a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c
b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c
index a4ec23c8f8d8..ee3a847c1b50 100644
--- a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c
+++ b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c
@@ -133,3 +133,16 @@ ArmHasRngExt (
// Not supported.
return FALSE;
}
+
+/** Check if FEAT_AES extension is available.
+
+ @retval TRUE if FEAT_AES extension is available.
+ @retval FALSE otherwise.
+**/
+BOOLEAN
+ArmHasAesExt (
+ VOID
+ )
+{
+ return ArmReadIdIsaR5 () & ID_ISAR5_AES_MASK;
+}
diff --git a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h
b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h
index 1cfd6e5f65ac..1b91db66fb43 100644
--- a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h
+++ b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h
@@ -10,6 +10,8 @@
#ifndef ARM_V7_LIB_H_
#define ARM_V7_LIB_H_
+#define ID_ISAR5_AES_MASK (0xF << 4U)
+
#define ID_MMFR0_SHARELVL_SHIFT 12
#define ID_MMFR0_SHARELVL_MASK 0xf
#define ID_MMFR0_SHARELVL_ONE0
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90882): https://edk2.groups.io/g/devel/message/90882
Mute This Topic: https://groups.io/mt/92066831/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v1 3/7] ArmPkg/ArmLib: Add ArmReadIdIsaR5() helper
From: Pierre Gondois Add a ArmReadIdIsaR5() helper function to access the AArch32 ID_ISAR5 register. Signed-off-by: Pierre Gondois --- ArmPkg/Library/ArmLib/Arm/ArmLibSupport.S | 7 ++- ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h | 11 +++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/ArmPkg/Library/ArmLib/Arm/ArmLibSupport.S b/ArmPkg/Library/ArmLib/Arm/ArmLibSupport.S index 0856740e3290..bc2be5331c7d 100644 --- a/ArmPkg/Library/ArmLib/Arm/ArmLibSupport.S +++ b/ArmPkg/Library/ArmLib/Arm/ArmLibSupport.S @@ -1,7 +1,7 @@ #-- # # Copyright (c) 2008 - 2009, Apple Inc. All rights reserved. -# Copyright (c) 2011 - 2016, ARM Limited. All rights reserved. +# Copyright (c) 2011 - 2022, Arm Limited. All rights reserved. # Copyright (c) 2016, Linaro Limited. All rights reserved. # # SPDX-License-Identifier: BSD-2-Clause-Patent @@ -167,4 +167,9 @@ ASM_FUNC (ArmGetPhysicalAddressBits) movge r0, #40 // 40 bits if LPAE bx lr +// UINTN ArmReadIdIsaR5(VOID) +ASM_FUNC(ArmReadIdIsaR5) + mrc p15, 0, r0, c0, c2, 5 + bx lr + ASM_FUNCTION_REMOVE_IF_UNREFERENCED diff --git a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h index 404ff92c4e06..1cfd6e5f65ac 100644 --- a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h +++ b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h @@ -1,6 +1,7 @@ /** @file Copyright (c) 2008 - 2009, Apple Inc. All rights reserved. + Copyright (c) 2022, Arm Ltd. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent @@ -66,4 +67,14 @@ ArmReadIdPfr1 ( VOID ); +/** Reads the ID_ISAR5 register. + + @return The contents of the ID_ISAR5 register. +**/ +UINTN +EFIAPI +ArmReadIdIsaR5 ( + VOID + ); + #endif // ARM_V7_LIB_H_ -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90881): https://edk2.groups.io/g/devel/message/90881 Mute This Topic: https://groups.io/mt/92066829/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v1 2/7] ArmPkg/ArmDisassemblerLib: Replace RotateRight()
From: Pierre Gondois
A local RotateRight() function is defined. The RRotU32() function
available in the MdePkg/BaseLib does the same.
Prefer the generic function and remove the local RotateRight().
Signed-off-by: Pierre Gondois
---
ArmPkg/Library/ArmDisassemblerLib/ArmDisassembler.c | 11 +--
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/ArmPkg/Library/ArmDisassemblerLib/ArmDisassembler.c
b/ArmPkg/Library/ArmDisassemblerLib/ArmDisassembler.c
index 0e09062957b4..24a317a9c9f4 100644
--- a/ArmPkg/Library/ArmDisassemblerLib/ArmDisassembler.c
+++ b/ArmPkg/Library/ArmDisassemblerLib/ArmDisassembler.c
@@ -128,15 +128,6 @@ FieldMask (
return "";
}
-UINT32
-RotateRight (
- IN UINT32 Op,
- IN UINT32 Shift
- )
-{
- return (Op >> Shift) | (Op << (32 - Shift));
-}
-
/**
Place a disassembly of **OpCodePtr into buffer, and update OpCodePtr to
point to next instruction.
@@ -409,7 +400,7 @@ DisassembleArmInstruction (
// A4.1.38 MSR{} CPSR_, # MSR{}
CPSR_,
if (Imm) {
// MSR{} CPSR_, #
- AsciiSPrint (Buf, Size, "MRS%a %a_%a, #0x%x", COND (OpCode), WriteBack ?
"SPSR" : "CPSR", FieldMask ((OpCode >> 16) & 0xf), RotateRight (OpCode & 0xf,
((OpCode >> 8) & 0xf) *2));
+ AsciiSPrint (Buf, Size, "MRS%a %a_%a, #0x%x", COND (OpCode), WriteBack ?
"SPSR" : "CPSR", FieldMask ((OpCode >> 16) & 0xf), RRotU32 (OpCode & 0xf,
((OpCode >> 8) & 0xf) *2));
} else {
// MSR{} CPSR_,
AsciiSPrint (Buf, Size, "MRS%a %a_%a, %a", COND (OpCode), WriteBack ?
"SPSR" : "CPSR", gReg[Rd]);
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90880): https://edk2.groups.io/g/devel/message/90880
Mute This Topic: https://groups.io/mt/92066826/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v1 0/7] Add AesLib and ArmAesLib
From: Pierre Gondois Bugzilla: Bug 3970 (https://bugzilla.tianocore.org/show_bug.cgi?id=3970) To fasten AES encryption/decryption process or create a Deterministic Random Bits Generator (Drbg), add a library using Arm's AES instructions (AESE AESD, AESMC, AESIMC). The test vectors available in the CTR_DRBG_AES256 sections of https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/CTR_DRBG_noDF.pdf were used for validation. Indeed, the Drbg implementation in a following patch-set relies on the AES encryption. This patch-set can seen at: https://github.com/PierreARM/edk2/tree/Arm_Aes_v1 This patch has the following dependency: - [PATCH v3 00/22] Add Raw algorithm support using Arm FW-TRNG interface https://edk2.groups.io/g/devel/message/90845 Pierre Gondois (7): ArmPkg: Update Armpkg.ci.yaml ArmPkg/ArmDisassemblerLib: Replace RotateRight() ArmPkg/ArmLib: Add ArmReadIdIsaR5() helper ArmPkg/ArmLib: Add ArmHasAesExt() MdePkg/AesLib: Definition for AES library class interface MdePkg/AesLib: Add NULL instance of AesLib ArmPkg/ArmAesLib: Add ArmAesLib ArmPkg/ArmPkg.ci.yaml | 1 + ArmPkg/ArmPkg.dsc | 3 +- ArmPkg/Include/Library/ArmLib.h | 12 +- .../Library/ArmAesLib/AArch64/AArch64AesLib.S | 183 ArmPkg/Library/ArmAesLib/Arm/ArmAesLib.S | 183 ArmPkg/Library/ArmAesLib/ArmAesLib.c | 261 ++ ArmPkg/Library/ArmAesLib/ArmAesLib.h | 96 +++ ArmPkg/Library/ArmAesLib/ArmAesLib.inf| 34 +++ .../ArmDisassemblerLib/ArmDisassembler.c | 11 +- ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c| 13 + ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h| 1 + ArmPkg/Library/ArmLib/Arm/ArmLibSupport.S | 7 +- ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c | 13 + ArmPkg/Library/ArmLib/Arm/ArmV7Lib.h | 13 + MdePkg/Include/Library/AesLib.h | 104 +++ MdePkg/Library/AesLibNull/AesLibNull.c| 87 ++ MdePkg/Library/AesLibNull/AesLibNull.inf | 24 ++ MdePkg/MdePkg.dec | 4 + MdePkg/MdePkg.dsc | 1 + 19 files changed, 1038 insertions(+), 13 deletions(-) create mode 100644 ArmPkg/Library/ArmAesLib/AArch64/AArch64AesLib.S create mode 100644 ArmPkg/Library/ArmAesLib/Arm/ArmAesLib.S create mode 100644 ArmPkg/Library/ArmAesLib/ArmAesLib.c create mode 100644 ArmPkg/Library/ArmAesLib/ArmAesLib.h create mode 100644 ArmPkg/Library/ArmAesLib/ArmAesLib.inf create mode 100644 MdePkg/Include/Library/AesLib.h create mode 100644 MdePkg/Library/AesLibNull/AesLibNull.c create mode 100644 MdePkg/Library/AesLibNull/AesLibNull.inf -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90878): https://edk2.groups.io/g/devel/message/90878 Mute This Topic: https://groups.io/mt/92066823/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v1 1/7] ArmPkg: Update Armpkg.ci.yaml
From: Pierre Gondois Add word to the exception list for the spell check tool. Signed-off-by: Pierre Gondois --- ArmPkg/ArmPkg.ci.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/ArmPkg/ArmPkg.ci.yaml b/ArmPkg/ArmPkg.ci.yaml index b7e07aaef675..ac50c30519f9 100644 --- a/ArmPkg/ArmPkg.ci.yaml +++ b/ArmPkg/ArmPkg.ci.yaml @@ -97,6 +97,7 @@ "ackintid", "actlr", "aeabi", + "aesimc", "asedis", "ashldi", "ashrdi", -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90879): https://edk2.groups.io/g/devel/message/90879 Mute This Topic: https://groups.io/mt/92066824/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 22/22] ArmVirtPkg: Kvmtool: Add RNG support using FW-TRNG interface
From: Sami Mujawar Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668) The EFI_RNG_PROTOCOL published by RngDxe has been updated to implement the EFI_RNG_ALGORITHM_RAW using the Arm FW-TRNG interface to provide access to entropy. Therefore, enable EFI_RNG_PROTOCOL for the Kvmtool guest/virtual firmware. Signed-off-by: Sami Mujawar --- ArmVirtPkg/ArmVirtKvmTool.dsc | 10 ++ ArmVirtPkg/ArmVirtKvmTool.fdf | 5 + 2 files changed, 15 insertions(+) diff --git a/ArmVirtPkg/ArmVirtKvmTool.dsc b/ArmVirtPkg/ArmVirtKvmTool.dsc index 3bd3ebd6e0b3..847dbdd2af2b 100644 --- a/ArmVirtPkg/ArmVirtKvmTool.dsc +++ b/ArmVirtPkg/ArmVirtKvmTool.dsc @@ -81,6 +81,9 @@ [LibraryClasses.common] HwInfoParserLib|DynamicTablesPkg/Library/FdtHwInfoParserLib/FdtHwInfoParserLib.inf DynamicPlatRepoLib|DynamicTablesPkg/Library/Common/DynamicPlatRepoLib/DynamicPlatRepoLib.inf + ArmMonitorLib|ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf + TrngLib|ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.inf + [LibraryClasses.common.SEC, LibraryClasses.common.PEI_CORE, LibraryClasses.common.PEIM] PciExpressLib|MdePkg/Library/BasePciExpressLib/BasePciExpressLib.inf PlatformHookLib|ArmVirtPkg/Library/Fdt16550SerialPortHookLib/EarlyFdt16550SerialPortHookLib.inf @@ -112,6 +115,8 @@ [PcdsFeatureFlag.common] # Use MMIO for accessing RTC controller registers. gPcAtChipsetPkgTokenSpaceGuid.PcdRtcUseMmio|TRUE + gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE + [PcdsFixedAtBuild.common] gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800F @@ -362,6 +367,11 @@ [Components.common] OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf + # + # Rng Support + # + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf + !if $(ARCH) == AARCH64 # # ACPI Support diff --git a/ArmVirtPkg/ArmVirtKvmTool.fdf b/ArmVirtPkg/ArmVirtKvmTool.fdf index 9e006e83ee5c..4b5c99ef6700 100644 --- a/ArmVirtPkg/ArmVirtKvmTool.fdf +++ b/ArmVirtPkg/ArmVirtKvmTool.fdf @@ -224,6 +224,11 @@ [FV.FvMain] # INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf + # + # Rng Support + # + INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf + [FV.FVMAIN_COMPACT] FvAlignment= 16 ERASE_POLARITY = 1 -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90877): https://edk2.groups.io/g/devel/message/90877 Mute This Topic: https://groups.io/mt/92066765/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 21/22] SecurityPkg/RngDxe: Add Arm support of RngDxe
From: Pierre Gondois
Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668)
Add RngDxe support for Arm. This implementation uses the TrngLib
to support the RawAlgorithm and doens't support the RNDR instruction.
Signed-off-by: Pierre Gondois
---
SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c | 8 ++--
SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf | 10 +++---
SecurityPkg/SecurityPkg.dsc | 5 -
3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
index ffa32a29dc6a..4775252d30b6 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
@@ -22,6 +22,7 @@
**/
+#include
#include
#include
#include
@@ -55,8 +56,9 @@ RngInitAvailableAlgoArray (
UINT16 MajorRevision;
UINT16 MinorRevision;
- // Check RngGetBytes() before advertising PcdCpuRngSupportedAlgorithm.
- if (!EFI_ERROR (RngGetBytes (sizeof (Rand), (UINT8 *)&Rand))) {
+ #ifdef MDE_CPU_AARCH64
+ // Check FEAT_RNG before advertising PcdCpuRngSupportedAlgorithm.
+ if (ArmHasRngExt ()) {
CopyMem (
&mAvailableAlgoArray[mAvailableAlgoArrayCount],
PcdGetPtr (PcdCpuRngSupportedAlgorithm),
@@ -75,6 +77,8 @@ RngInitAvailableAlgoArray (
DEBUG_CODE_END ();
}
+ #endif
+
// Raw algorithm (Trng)
if (!EFI_ERROR (GetTrngVersion (&MajorRevision, &MinorRevision))) {
CopyMem (
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
index d2d0ff9ebb98..20752e71ac4e 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
@@ -27,7 +27,7 @@ [Defines]
#
# The following information is for reference only and not required by the
build tools.
#
-# VALID_ARCHITECTURES = IA32 X64 AARCH64
+# VALID_ARCHITECTURES = IA32 X64 AARCH64 ARM
#
[Sources.common]
@@ -40,7 +40,7 @@ [Sources.IA32, Sources.X64]
Rand/AesCore.c
Rand/AesCore.h
-[Sources.AARCH64]
+[Sources.AARCH64, Sources.ARM]
ArmRngDxe.c
ArmTrng.c
@@ -49,6 +49,9 @@ [Packages]
MdePkg/MdePkg.dec
SecurityPkg/SecurityPkg.dec
+[Packages.AARCH64, Packages.ARM]
+ ArmPkg/ArmPkg.dec
+
[LibraryClasses]
UefiLib
UefiBootServicesTableLib
@@ -58,7 +61,8 @@ [LibraryClasses]
TimerLib
RngLib
-[LibraryClasses.AARCH64]
+[LibraryClasses.AARCH64, LibraryClasses.ARM]
+ ArmLib
TrngLib
[Guids]
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 490076542a33..779aa2a061a0 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -94,6 +94,9 @@ [LibraryClasses.ARM, LibraryClasses.AARCH64]
ArmSmcLib|ArmPkg/Library/ArmSmcLib/ArmSmcLib.inf
ArmHvcLib|ArmPkg/Library/ArmHvcLib/ArmHvcLib.inf
+ # RngDxe dependencies
+ ArmLib|ArmPkg/Library/ArmLib/ArmBaseLib.inf
+
[LibraryClasses.ARM]
RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
@@ -292,7 +295,7 @@ [Components.IA32, Components.X64, Components.ARM,
Components.AARCH64]
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
-[Components.IA32, Components.X64, Components.AARCH64]
+[Components.IA32, Components.X64, Components.AARCH64, Components.ARM]
#
# Random Number Generator
#
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90876): https://edk2.groups.io/g/devel/message/90876
Mute This Topic: https://groups.io/mt/92066763/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 21/21] ArmVirtPkg: Kvmtool: Add RNG support using FW-TRNG interface
From: Sami Mujawar Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668) The EFI_RNG_PROTOCOL published by RngDxe has been updated to implement the EFI_RNG_ALGORITHM_RAW using the Arm FW-TRNG interface to provide access to entropy. Therefore, enable EFI_RNG_PROTOCOL for the Kvmtool guest/virtual firmware. Signed-off-by: Sami Mujawar --- ArmVirtPkg/ArmVirtKvmTool.dsc | 10 ++ ArmVirtPkg/ArmVirtKvmTool.fdf | 5 + 2 files changed, 15 insertions(+) diff --git a/ArmVirtPkg/ArmVirtKvmTool.dsc b/ArmVirtPkg/ArmVirtKvmTool.dsc index 3bd3ebd6e0b3..847dbdd2af2b 100644 --- a/ArmVirtPkg/ArmVirtKvmTool.dsc +++ b/ArmVirtPkg/ArmVirtKvmTool.dsc @@ -81,6 +81,9 @@ [LibraryClasses.common] HwInfoParserLib|DynamicTablesPkg/Library/FdtHwInfoParserLib/FdtHwInfoParserLib.inf DynamicPlatRepoLib|DynamicTablesPkg/Library/Common/DynamicPlatRepoLib/DynamicPlatRepoLib.inf + ArmMonitorLib|ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf + TrngLib|ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.inf + [LibraryClasses.common.SEC, LibraryClasses.common.PEI_CORE, LibraryClasses.common.PEIM] PciExpressLib|MdePkg/Library/BasePciExpressLib/BasePciExpressLib.inf PlatformHookLib|ArmVirtPkg/Library/Fdt16550SerialPortHookLib/EarlyFdt16550SerialPortHookLib.inf @@ -112,6 +115,8 @@ [PcdsFeatureFlag.common] # Use MMIO for accessing RTC controller registers. gPcAtChipsetPkgTokenSpaceGuid.PcdRtcUseMmio|TRUE + gArmTokenSpaceGuid.PcdMonitorConduitHvc|TRUE + [PcdsFixedAtBuild.common] gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800F @@ -362,6 +367,11 @@ [Components.common] OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf OvmfPkg/Virtio10Dxe/Virtio10.inf + # + # Rng Support + # + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf + !if $(ARCH) == AARCH64 # # ACPI Support diff --git a/ArmVirtPkg/ArmVirtKvmTool.fdf b/ArmVirtPkg/ArmVirtKvmTool.fdf index 9e006e83ee5c..4b5c99ef6700 100644 --- a/ArmVirtPkg/ArmVirtKvmTool.fdf +++ b/ArmVirtPkg/ArmVirtKvmTool.fdf @@ -224,6 +224,11 @@ [FV.FvMain] # INF MdeModulePkg/Universal/Disk/RamDiskDxe/RamDiskDxe.inf + # + # Rng Support + # + INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf + [FV.FVMAIN_COMPACT] FvAlignment= 16 ERASE_POLARITY = 1 -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90875): https://edk2.groups.io/g/devel/message/90875 Mute This Topic: https://groups.io/mt/92066761/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 20/22] SecurityPkg/RngDxe: Rename AArch64/RngDxe.c
From: Pierre Gondois
To re-use the AArch64/RngDxe.c for an Arm implementation,
rename AArch64/RngDxe.c to ArmRngDxe.c.
Signed-off-by: Pierre Gondois
---
.../RngDxe/{AArch64/RngDxe.c => ArmRngDxe.c}| 0
SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename SecurityPkg/RandomNumberGenerator/RngDxe/{AArch64/RngDxe.c =>
ArmRngDxe.c} (100%)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
similarity index 100%
rename from SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
rename to SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
index 6c3d42066804..d2d0ff9ebb98 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
@@ -41,7 +41,7 @@ [Sources.IA32, Sources.X64]
Rand/AesCore.h
[Sources.AARCH64]
- AArch64/RngDxe.c
+ ArmRngDxe.c
ArmTrng.c
[Packages]
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90874): https://edk2.groups.io/g/devel/message/90874
Mute This Topic: https://groups.io/mt/92066760/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 20/21] SecurityPkg/RngDxe: Add Arm support of RngDxe
From: Pierre Gondois
Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668)
Add RngDxe support for Arm. This implementation uses the TrngLib
to support the RawAlgorithm and doens't support the RNDR instruction.
Signed-off-by: Pierre Gondois
---
SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c | 8 ++--
SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf | 9 ++---
SecurityPkg/SecurityPkg.dsc | 2 +-
3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
index ffa32a29dc6a..4775252d30b6 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
@@ -22,6 +22,7 @@
**/
+#include
#include
#include
#include
@@ -55,8 +56,9 @@ RngInitAvailableAlgoArray (
UINT16 MajorRevision;
UINT16 MinorRevision;
- // Check RngGetBytes() before advertising PcdCpuRngSupportedAlgorithm.
- if (!EFI_ERROR (RngGetBytes (sizeof (Rand), (UINT8 *)&Rand))) {
+ #ifdef MDE_CPU_AARCH64
+ // Check FEAT_RNG before advertising PcdCpuRngSupportedAlgorithm.
+ if (ArmHasRngExt ()) {
CopyMem (
&mAvailableAlgoArray[mAvailableAlgoArrayCount],
PcdGetPtr (PcdCpuRngSupportedAlgorithm),
@@ -75,6 +77,8 @@ RngInitAvailableAlgoArray (
DEBUG_CODE_END ();
}
+ #endif
+
// Raw algorithm (Trng)
if (!EFI_ERROR (GetTrngVersion (&MajorRevision, &MinorRevision))) {
CopyMem (
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
index d2d0ff9ebb98..599a3085102d 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
@@ -27,7 +27,7 @@ [Defines]
#
# The following information is for reference only and not required by the
build tools.
#
-# VALID_ARCHITECTURES = IA32 X64 AARCH64
+# VALID_ARCHITECTURES = IA32 X64 AARCH64 ARM
#
[Sources.common]
@@ -40,7 +40,7 @@ [Sources.IA32, Sources.X64]
Rand/AesCore.c
Rand/AesCore.h
-[Sources.AARCH64]
+[Sources.AARCH64, Sources.ARM]
ArmRngDxe.c
ArmTrng.c
@@ -49,6 +49,9 @@ [Packages]
MdePkg/MdePkg.dec
SecurityPkg/SecurityPkg.dec
+[Packages.AARCH64, Packages.ARM]
+ ArmPkg/ArmPkg.dec
+
[LibraryClasses]
UefiLib
UefiBootServicesTableLib
@@ -58,7 +61,7 @@ [LibraryClasses]
TimerLib
RngLib
-[LibraryClasses.AARCH64]
+[LibraryClasses.AARCH64, LibraryClasses.ARM]
TrngLib
[Guids]
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 490076542a33..882d639489ea 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -292,7 +292,7 @@ [Components.IA32, Components.X64, Components.ARM,
Components.AARCH64]
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
-[Components.IA32, Components.X64, Components.AARCH64]
+[Components.IA32, Components.X64, Components.AARCH64, Components.ARM]
#
# Random Number Generator
#
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90873): https://edk2.groups.io/g/devel/message/90873
Mute This Topic: https://groups.io/mt/92066759/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 19/21] SecurityPkg/RngDxe: Rename AArch64/RngDxe.c
From: Pierre Gondois
To re-use the AArch64/RngDxe.c for an Arm implementation,
rename AArch64/RngDxe.c to ArmRngDxe.c.
Signed-off-by: Pierre Gondois
---
.../RngDxe/{AArch64/RngDxe.c => ArmRngDxe.c}| 0
SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename SecurityPkg/RandomNumberGenerator/RngDxe/{AArch64/RngDxe.c =>
ArmRngDxe.c} (100%)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
similarity index 100%
rename from SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
rename to SecurityPkg/RandomNumberGenerator/RngDxe/ArmRngDxe.c
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
index 6c3d42066804..d2d0ff9ebb98 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
@@ -41,7 +41,7 @@ [Sources.IA32, Sources.X64]
Rand/AesCore.h
[Sources.AARCH64]
- AArch64/RngDxe.c
+ ArmRngDxe.c
ArmTrng.c
[Packages]
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90872): https://edk2.groups.io/g/devel/message/90872
Mute This Topic: https://groups.io/mt/92066758/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 19/22] SecurityPkg/RngDxe: Add debug warning for NULL PcdCpuRngSupportedAlgorithm
From: Pierre Gondois
PcdCpuRngSupportedAlgorithm should allow to identify the the algorithm
used by the RNDR CPU instruction to generate a random number.
Add a debug warning if the Pcd is not set.
Signed-off-by: Pierre Gondois
---
.../RandomNumberGenerator/RngDxe/AArch64/RngDxe.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
index ee3f1ee78434..ffa32a29dc6a 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
@@ -63,6 +63,16 @@ RngInitAvailableAlgoArray (
sizeof (EFI_RNG_ALGORITHM)
);
mAvailableAlgoArrayCount++;
+
+DEBUG_CODE_BEGIN ();
+if (IsZeroGuid (PcdGetPtr (PcdCpuRngSupportedAlgorithm))) {
+ DEBUG ((
+DEBUG_WARN,
+"PcdCpuRngSupportedAlgorithm should be a non-zero GUID\n"
+));
+}
+
+DEBUG_CODE_END ();
}
// Raw algorithm (Trng)
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90871): https://edk2.groups.io/g/devel/message/90871
Mute This Topic: https://groups.io/mt/92066756/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 18/21] SecurityPkg/RngDxe: Add debug warning for NULL PcdCpuRngSupportedAlgorithm
From: Pierre Gondois
PcdCpuRngSupportedAlgorithm should allow to identify the the algorithm
used by the RNDR CPU instruction to generate a random number.
Add a debug warning if the Pcd is not set.
Signed-off-by: Pierre Gondois
---
.../RandomNumberGenerator/RngDxe/AArch64/RngDxe.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
index ee3f1ee78434..ffa32a29dc6a 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
@@ -63,6 +63,16 @@ RngInitAvailableAlgoArray (
sizeof (EFI_RNG_ALGORITHM)
);
mAvailableAlgoArrayCount++;
+
+DEBUG_CODE_BEGIN ();
+if (IsZeroGuid (PcdGetPtr (PcdCpuRngSupportedAlgorithm))) {
+ DEBUG ((
+DEBUG_WARN,
+"PcdCpuRngSupportedAlgorithm should be a non-zero GUID\n"
+));
+}
+
+DEBUG_CODE_END ();
}
// Raw algorithm (Trng)
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90870): https://edk2.groups.io/g/devel/message/90870
Mute This Topic: https://groups.io/mt/92066755/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 18/22] SecurityPkg/RngDxe: Add AArch64 RawAlgorithm support through TrngLib
From: Sami Mujawar
Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668)
RawAlgorithm is used to provide access to entropy that is suitable
for cryptographic applications. Therefore, add RawAlgorithm support
that provides access to entropy using the TrngLib.
Also remove unused UefiBootServicesTableLib library inclusion
and Status variable.
Signed-off-by: Sami Mujawar
---
.../RngDxe/AArch64/RngDxe.c | 28 +++-
.../RandomNumberGenerator/RngDxe/ArmTrng.c| 71 +++
.../RandomNumberGenerator/RngDxe/RngDxe.inf | 5 ++
SecurityPkg/SecurityPkg.dsc | 7 ++
4 files changed, 108 insertions(+), 3 deletions(-)
create mode 100644 SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
index d8b696bbea5f..ee3f1ee78434 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
@@ -1,11 +1,13 @@
/** @file
RNG Driver to produce the UEFI Random Number Generator protocol.
- The driver will use the RNDR instruction to produce random numbers.
+ The driver can use RNDR instruction (through the RngLib and if FEAT_RNG is
+ present) to produce random numbers. It also uses the Arm FW-TRNG interface
+ to implement EFI_RNG_ALGORITHM_RAW.
RNG Algorithms defined in UEFI 2.4:
- EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID
- - EFI_RNG_ALGORITHM_RAW- Unsupported
+ - EFI_RNG_ALGORITHM_RAW
- EFI_RNG_ALGORITHM_SP800_90_HMAC_256_GUID
- EFI_RNG_ALGORITHM_SP800_90_HASH_256_GUID
- EFI_RNG_ALGORITHM_X9_31_3DES_GUID- Unsupported
@@ -24,6 +26,8 @@
#include
#include
#include
+#include
+#include
#include
#include "RngDxeInternals.h"
@@ -34,7 +38,7 @@
// populated only once.
// The valid entry with the lowest index will be the default algorithm.
//
-#define RNG_AVAILABLE_ALGO_MAX 1
+#define RNG_AVAILABLE_ALGO_MAX 2
STATIC BOOLEANmAvailableAlgoArrayInit = FALSE;
STATIC UINTN mAvailableAlgoArrayCount;
STATIC EFI_RNG_ALGORITHM mAvailableAlgoArray[RNG_AVAILABLE_ALGO_MAX];
@@ -48,6 +52,9 @@ RngInitAvailableAlgoArray (
VOID
)
{
+ UINT16 MajorRevision;
+ UINT16 MinorRevision;
+
// Check RngGetBytes() before advertising PcdCpuRngSupportedAlgorithm.
if (!EFI_ERROR (RngGetBytes (sizeof (Rand), (UINT8 *)&Rand))) {
CopyMem (
@@ -58,6 +65,16 @@ RngInitAvailableAlgoArray (
mAvailableAlgoArrayCount++;
}
+ // Raw algorithm (Trng)
+ if (!EFI_ERROR (GetTrngVersion (&MajorRevision, &MinorRevision))) {
+CopyMem (
+ &mAvailableAlgoArray[mAvailableAlgoArrayCount],
+ &gEfiRngAlgorithmRaw,
+ sizeof (EFI_RNG_ALGORITHM)
+ );
+mAvailableAlgoArrayCount++;
+ }
+
mAvailableAlgoArrayInit = TRUE;
}
@@ -127,6 +144,11 @@ FoundAlgo:
return Status;
}
+ // Raw algorithm (Trng)
+ if (CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw)) {
+return GenerateEntropy (RNGValueLength, RNGValue);
+ }
+
//
// Other algorithms are unsupported by this driver.
//
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
new file mode 100644
index ..6100e02b32b0
--- /dev/null
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
@@ -0,0 +1,71 @@
+/** @file
+ RNG Driver to produce the UEFI Random Number Generator protocol.
+
+ The driver implements the EFI_RNG_ALGORITHM_RAW using the FW-TRNG
+ interface to provide entropy.
+
+ Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "RngDxeInternals.h"
+
+/**
+ Generate high-quality entropy source using a TRNG or through RDRAND.
+
+ @param[in] LengthSize of the buffer, in bytes, to fill with.
+ @param[out] Entropy Pointer to the buffer to store the entropy data.
+
+ @retval RETURN_SUCCESSThe function completed successfully.
+ @retval RETURN_INVALID_PARAMETER Invalid parameter.
+ @retval RETURN_UNSUPPORTEDFunction not implemented.
+ @retval RETURN_BAD_BUFFER_SIZEBuffer size is too small.
+ @retval RETURN_NOT_READY No Entropy available.
+**/
+EFI_STATUS
+EFIAPI
+GenerateEntropy (
+ IN UINTN Length,
+ OUT UINT8 *Entropy
+ )
+{
+ EFI_STATUS Status;
+ UINTN CollectedEntropyBits;
+ UINTN RequiredEntropyBits;
+ UINTN EntropyBits;
+ UINTN Index;
+ UINTN MaxBits;
+
+ ZeroMem (Entropy, Length);
+
+ RequiredEntropyBits = (Length << 3);
+ Index= 0;
+ CollectedEntropyBits = 0;
+ MaxBits = GetTrngMaxSupportedEntropyBits ();
+ while (CollectedEntropyBits < RequiredEntropyBits) {
+EntropyBits = MIN ((RequiredEntropyBits - CollectedEntropyBits
[edk2-devel] [PATCH v3 17/21] SecurityPkg/RngDxe: Add AArch64 RawAlgorithm support through TrngLib
From: Sami Mujawar
Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668)
RawAlgorithm is used to provide access to entropy that is suitable
for cryptographic applications. Therefore, add RawAlgorithm support
that provides access to entropy using the TrngLib.
Also remove unused UefiBootServicesTableLib library inclusion
and Status variable.
Signed-off-by: Sami Mujawar
---
.../RngDxe/AArch64/RngDxe.c | 28 +++-
.../RandomNumberGenerator/RngDxe/ArmTrng.c| 71 +++
.../RandomNumberGenerator/RngDxe/RngDxe.inf | 5 ++
SecurityPkg/SecurityPkg.dsc | 7 ++
4 files changed, 108 insertions(+), 3 deletions(-)
create mode 100644 SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
index d8b696bbea5f..ee3f1ee78434 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
@@ -1,11 +1,13 @@
/** @file
RNG Driver to produce the UEFI Random Number Generator protocol.
- The driver will use the RNDR instruction to produce random numbers.
+ The driver can use RNDR instruction (through the RngLib and if FEAT_RNG is
+ present) to produce random numbers. It also uses the Arm FW-TRNG interface
+ to implement EFI_RNG_ALGORITHM_RAW.
RNG Algorithms defined in UEFI 2.4:
- EFI_RNG_ALGORITHM_SP800_90_CTR_256_GUID
- - EFI_RNG_ALGORITHM_RAW- Unsupported
+ - EFI_RNG_ALGORITHM_RAW
- EFI_RNG_ALGORITHM_SP800_90_HMAC_256_GUID
- EFI_RNG_ALGORITHM_SP800_90_HASH_256_GUID
- EFI_RNG_ALGORITHM_X9_31_3DES_GUID- Unsupported
@@ -24,6 +26,8 @@
#include
#include
#include
+#include
+#include
#include
#include "RngDxeInternals.h"
@@ -34,7 +38,7 @@
// populated only once.
// The valid entry with the lowest index will be the default algorithm.
//
-#define RNG_AVAILABLE_ALGO_MAX 1
+#define RNG_AVAILABLE_ALGO_MAX 2
STATIC BOOLEANmAvailableAlgoArrayInit = FALSE;
STATIC UINTN mAvailableAlgoArrayCount;
STATIC EFI_RNG_ALGORITHM mAvailableAlgoArray[RNG_AVAILABLE_ALGO_MAX];
@@ -48,6 +52,9 @@ RngInitAvailableAlgoArray (
VOID
)
{
+ UINT16 MajorRevision;
+ UINT16 MinorRevision;
+
// Check RngGetBytes() before advertising PcdCpuRngSupportedAlgorithm.
if (!EFI_ERROR (RngGetBytes (sizeof (Rand), (UINT8 *)&Rand))) {
CopyMem (
@@ -58,6 +65,16 @@ RngInitAvailableAlgoArray (
mAvailableAlgoArrayCount++;
}
+ // Raw algorithm (Trng)
+ if (!EFI_ERROR (GetTrngVersion (&MajorRevision, &MinorRevision))) {
+CopyMem (
+ &mAvailableAlgoArray[mAvailableAlgoArrayCount],
+ &gEfiRngAlgorithmRaw,
+ sizeof (EFI_RNG_ALGORITHM)
+ );
+mAvailableAlgoArrayCount++;
+ }
+
mAvailableAlgoArrayInit = TRUE;
}
@@ -127,6 +144,11 @@ FoundAlgo:
return Status;
}
+ // Raw algorithm (Trng)
+ if (CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw)) {
+return GenerateEntropy (RNGValueLength, RNGValue);
+ }
+
//
// Other algorithms are unsupported by this driver.
//
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
new file mode 100644
index ..6100e02b32b0
--- /dev/null
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/ArmTrng.c
@@ -0,0 +1,71 @@
+/** @file
+ RNG Driver to produce the UEFI Random Number Generator protocol.
+
+ The driver implements the EFI_RNG_ALGORITHM_RAW using the FW-TRNG
+ interface to provide entropy.
+
+ Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "RngDxeInternals.h"
+
+/**
+ Generate high-quality entropy source using a TRNG or through RDRAND.
+
+ @param[in] LengthSize of the buffer, in bytes, to fill with.
+ @param[out] Entropy Pointer to the buffer to store the entropy data.
+
+ @retval RETURN_SUCCESSThe function completed successfully.
+ @retval RETURN_INVALID_PARAMETER Invalid parameter.
+ @retval RETURN_UNSUPPORTEDFunction not implemented.
+ @retval RETURN_BAD_BUFFER_SIZEBuffer size is too small.
+ @retval RETURN_NOT_READY No Entropy available.
+**/
+EFI_STATUS
+EFIAPI
+GenerateEntropy (
+ IN UINTN Length,
+ OUT UINT8 *Entropy
+ )
+{
+ EFI_STATUS Status;
+ UINTN CollectedEntropyBits;
+ UINTN RequiredEntropyBits;
+ UINTN EntropyBits;
+ UINTN Index;
+ UINTN MaxBits;
+
+ ZeroMem (Entropy, Length);
+
+ RequiredEntropyBits = (Length << 3);
+ Index= 0;
+ CollectedEntropyBits = 0;
+ MaxBits = GetTrngMaxSupportedEntropyBits ();
+ while (CollectedEntropyBits < RequiredEntropyBits) {
+EntropyBits = MIN ((RequiredEntropyBits - CollectedEntropyBits
[edk2-devel] [PATCH v3 17/22] SecurityPkg/RngDxe: Check before advertising Cpu Rng algo
From: Pierre Gondois
RngGetBytes() relies on the RngLib. The RngLib might use the RNDR
instruction if the FEAT_RNG feature is present. Check RngGetBytes() is
working before advertising it via RngGetInfo().
To only check this one time, create a static array that is shared
between RngGetInfo and RngGetRNG. This array contains GUIDs.
The Rng algorithm with the lowest GUID and that has been checked
will be the default Rng algorithm.
This patch also prevents from having PcdCpuRngSupportedAlgorithm
let to a zero GUID, but let the possibility to have no valid Rng
algorithm in such case.
Signed-off-by: Pierre Gondois
---
.../RngDxe/AArch64/RngDxe.c | 77 +--
1 file changed, 69 insertions(+), 8 deletions(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
index f9c740d761ff..d8b696bbea5f 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
@@ -23,10 +23,44 @@
#include
#include
#include
+#include
#include
#include "RngDxeInternals.h"
+//
+// Static array containing the validated Rng algorithm.
+// This array is used by RngGetInfo and RngGetRNG and needs to be
+// populated only once.
+// The valid entry with the lowest index will be the default algorithm.
+//
+#define RNG_AVAILABLE_ALGO_MAX 1
+STATIC BOOLEANmAvailableAlgoArrayInit = FALSE;
+STATIC UINTN mAvailableAlgoArrayCount;
+STATIC EFI_RNG_ALGORITHM mAvailableAlgoArray[RNG_AVAILABLE_ALGO_MAX];
+
+/** Initialize mAvailableAlgoArray with the available Rng algorithms.
+**/
+STATIC
+VOID
+EFIAPI
+RngInitAvailableAlgoArray (
+ VOID
+ )
+{
+ // Check RngGetBytes() before advertising PcdCpuRngSupportedAlgorithm.
+ if (!EFI_ERROR (RngGetBytes (sizeof (Rand), (UINT8 *)&Rand))) {
+CopyMem (
+ &mAvailableAlgoArray[mAvailableAlgoArrayCount],
+ PcdGetPtr (PcdCpuRngSupportedAlgorithm),
+ sizeof (EFI_RNG_ALGORITHM)
+ );
+mAvailableAlgoArrayCount++;
+ }
+
+ mAvailableAlgoArrayInit = TRUE;
+}
+
/**
Produces and returns an RNG value using either the default or specified RNG
algorithm.
@@ -59,18 +93,35 @@ RngGetRNG (
)
{
EFI_STATUS Status;
+ UINTN Index;
if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
return EFI_INVALID_PARAMETER;
}
+ if (!mAvailableAlgoArrayInit) {
+RngInitAvailableAlgoArray ();
+ }
+
if (RNGAlgorithm == NULL) {
//
// Use the default RNG algorithm if RNGAlgorithm is NULL.
//
-RNGAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
+for (Index = 0; Index < RNG_AVAILABLE_ALGO_MAX; Index++) {
+ if (!IsZeroGuid (&mAvailableAlgoArray[Index])) {
+RNGAlgorithm = &mAvailableAlgoArray[Index];
+goto FoundAlgo;
+ }
+}
+
+if (Index == RNG_AVAILABLE_ALGO_MAX) {
+ // No algorithm available.
+ ASSERT (Index != RNG_AVAILABLE_ALGO_MAX);
+ return EFI_DEVICE_ERROR;
+}
}
+FoundAlgo:
if (CompareGuid (RNGAlgorithm, PcdGetPtr (PcdCpuRngSupportedAlgorithm))) {
Status = RngGetBytes (RNGValueLength, RNGValue);
return Status;
@@ -113,24 +164,34 @@ RngGetInfo (
OUT EFI_RNG_ALGORITHM *RNGAlgorithmList
)
{
- UINTN RequiredSize;
- EFI_RNG_ALGORITHM *CpuRngSupportedAlgorithm;
-
- RequiredSize = sizeof (EFI_RNG_ALGORITHM);
+ UINTN RequiredSize;
if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
return EFI_INVALID_PARAMETER;
}
+ if (!mAvailableAlgoArrayInit) {
+RngInitAvailableAlgoArray ();
+ }
+
+ RequiredSize = mAvailableAlgoArrayCount * sizeof (EFI_RNG_ALGORITHM);
+
+ if (RequiredSize == 0) {
+// No supported algorithms found.
+return EFI_UNSUPPORTED;
+ }
+
if (*RNGAlgorithmListSize < RequiredSize) {
*RNGAlgorithmListSize = RequiredSize;
return EFI_BUFFER_TOO_SMALL;
}
- CpuRngSupportedAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
-
- CopyMem (&RNGAlgorithmList[0], CpuRngSupportedAlgorithm, sizeof
(EFI_RNG_ALGORITHM));
+ if (RNGAlgorithmList == NULL) {
+return EFI_INVALID_PARAMETER;
+ }
+ // There is no gap in the array, so copy the block.
+ CopyMem (RNGAlgorithmList, mAvailableAlgoArray, RequiredSize);
*RNGAlgorithmListSize = RequiredSize;
return EFI_SUCCESS;
}
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90868): https://edk2.groups.io/g/devel/message/90868
Mute This Topic: https://groups.io/mt/92066753/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 16/22] SecurityPkg/RngDxe: Documentation/include/parameter cleanup
From: Pierre Gondois
This patch:
-Update RngGetBytes() documentation to align the function
definition and declaration.
-Improve input parameter checking. Even though 'This'
it is not used, the parameter should always point to the
current EFI_RNG_PROTOCOL.
-Removes TimerLib inclusion as unused.
Signed-off-by: Pierre Gondois
---
SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c | 3 +--
SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c| 2 +-
SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c | 3 +--
3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
index 6d989f7ea376..f9c740d761ff 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
@@ -23,7 +23,6 @@
#include
#include
#include
-#include
#include
#include "RngDxeInternals.h"
@@ -61,7 +60,7 @@ RngGetRNG (
{
EFI_STATUS Status;
- if ((RNGValueLength == 0) || (RNGValue == NULL)) {
+ if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
return EFI_INVALID_PARAMETER;
}
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
index b2d2236380fd..8f5d8e740f5e 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
@@ -59,7 +59,7 @@ RngGetRNG (
{
EFI_STATUS Status;
- if ((RNGValueLength == 0) || (RNGValue == NULL)) {
+ if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
return EFI_INVALID_PARAMETER;
}
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
index 6608ca8804a5..d7905a7f4d72 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
@@ -23,7 +23,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include
#include
#include
-#include
#include
#include "RngDxeInternals.h"
@@ -72,7 +71,7 @@ RngDriverEntry (
}
/**
- Calls RDRAND to fill a buffer of arbitrary size with random bytes.
+ Runs CPU RNG instruction to fill a buffer of arbitrary size with random
bytes.
@param[in] LengthSize of the buffer, in bytes, to fill with.
@param[out] RandBufferPointer to the buffer to store the random result.
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90866): https://edk2.groups.io/g/devel/message/90866
Mute This Topic: https://groups.io/mt/92066751/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 16/21] SecurityPkg/RngDxe: Check before advertising Cpu Rng algo
From: Pierre Gondois
RngGetBytes() relies on the RngLib. The RngLib might use the RNDR
instruction if the FEAT_RNG feature is present. Check RngGetBytes() is
working before advertising it via RngGetInfo().
To only check this one time, create a static array that is shared
between RngGetInfo and RngGetRNG. This array contains GUIDs.
The Rng algorithm with the lowest GUID and that has been checked
will be the default Rng algorithm.
This patch also prevents from having PcdCpuRngSupportedAlgorithm
let to a zero GUID, but let the possibility to have no valid Rng
algorithm in such case.
Signed-off-by: Pierre Gondois
---
.../RngDxe/AArch64/RngDxe.c | 77 +--
1 file changed, 69 insertions(+), 8 deletions(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
index f9c740d761ff..d8b696bbea5f 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
@@ -23,10 +23,44 @@
#include
#include
#include
+#include
#include
#include "RngDxeInternals.h"
+//
+// Static array containing the validated Rng algorithm.
+// This array is used by RngGetInfo and RngGetRNG and needs to be
+// populated only once.
+// The valid entry with the lowest index will be the default algorithm.
+//
+#define RNG_AVAILABLE_ALGO_MAX 1
+STATIC BOOLEANmAvailableAlgoArrayInit = FALSE;
+STATIC UINTN mAvailableAlgoArrayCount;
+STATIC EFI_RNG_ALGORITHM mAvailableAlgoArray[RNG_AVAILABLE_ALGO_MAX];
+
+/** Initialize mAvailableAlgoArray with the available Rng algorithms.
+**/
+STATIC
+VOID
+EFIAPI
+RngInitAvailableAlgoArray (
+ VOID
+ )
+{
+ // Check RngGetBytes() before advertising PcdCpuRngSupportedAlgorithm.
+ if (!EFI_ERROR (RngGetBytes (sizeof (Rand), (UINT8 *)&Rand))) {
+CopyMem (
+ &mAvailableAlgoArray[mAvailableAlgoArrayCount],
+ PcdGetPtr (PcdCpuRngSupportedAlgorithm),
+ sizeof (EFI_RNG_ALGORITHM)
+ );
+mAvailableAlgoArrayCount++;
+ }
+
+ mAvailableAlgoArrayInit = TRUE;
+}
+
/**
Produces and returns an RNG value using either the default or specified RNG
algorithm.
@@ -59,18 +93,35 @@ RngGetRNG (
)
{
EFI_STATUS Status;
+ UINTN Index;
if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
return EFI_INVALID_PARAMETER;
}
+ if (!mAvailableAlgoArrayInit) {
+RngInitAvailableAlgoArray ();
+ }
+
if (RNGAlgorithm == NULL) {
//
// Use the default RNG algorithm if RNGAlgorithm is NULL.
//
-RNGAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
+for (Index = 0; Index < RNG_AVAILABLE_ALGO_MAX; Index++) {
+ if (!IsZeroGuid (&mAvailableAlgoArray[Index])) {
+RNGAlgorithm = &mAvailableAlgoArray[Index];
+goto FoundAlgo;
+ }
+}
+
+if (Index == RNG_AVAILABLE_ALGO_MAX) {
+ // No algorithm available.
+ ASSERT (Index != RNG_AVAILABLE_ALGO_MAX);
+ return EFI_DEVICE_ERROR;
+}
}
+FoundAlgo:
if (CompareGuid (RNGAlgorithm, PcdGetPtr (PcdCpuRngSupportedAlgorithm))) {
Status = RngGetBytes (RNGValueLength, RNGValue);
return Status;
@@ -113,24 +164,34 @@ RngGetInfo (
OUT EFI_RNG_ALGORITHM *RNGAlgorithmList
)
{
- UINTN RequiredSize;
- EFI_RNG_ALGORITHM *CpuRngSupportedAlgorithm;
-
- RequiredSize = sizeof (EFI_RNG_ALGORITHM);
+ UINTN RequiredSize;
if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
return EFI_INVALID_PARAMETER;
}
+ if (!mAvailableAlgoArrayInit) {
+RngInitAvailableAlgoArray ();
+ }
+
+ RequiredSize = mAvailableAlgoArrayCount * sizeof (EFI_RNG_ALGORITHM);
+
+ if (RequiredSize == 0) {
+// No supported algorithms found.
+return EFI_UNSUPPORTED;
+ }
+
if (*RNGAlgorithmListSize < RequiredSize) {
*RNGAlgorithmListSize = RequiredSize;
return EFI_BUFFER_TOO_SMALL;
}
- CpuRngSupportedAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
-
- CopyMem (&RNGAlgorithmList[0], CpuRngSupportedAlgorithm, sizeof
(EFI_RNG_ALGORITHM));
+ if (RNGAlgorithmList == NULL) {
+return EFI_INVALID_PARAMETER;
+ }
+ // There is no gap in the array, so copy the block.
+ CopyMem (RNGAlgorithmList, mAvailableAlgoArray, RequiredSize);
*RNGAlgorithmListSize = RequiredSize;
return EFI_SUCCESS;
}
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90865): https://edk2.groups.io/g/devel/message/90865
Mute This Topic: https://groups.io/mt/92066750/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 15/22] SecurityPkg/RngDxe: Remove ArchGetSupportedRngAlgorithms()
From: Pierre Gondois
RngGetInfo() is one of the 2 functions of the EFI_RNG_PROTOCOL.
RngGetInfo() is currently a mere wrapper around
ArchGetSupportedRngAlgorithms() which is implemented differently
depending on the architecture used.
RngGetInfo() does nothing more than calling
ArchGetSupportedRngAlgorithms(). So remove it, and let RngGetInfo()
be implemented differently according to the architecture.
This follows the implementation of the other function of the
EFI_RNG_PROTOCOL, RngGetRNG().
Signed-off-by: Pierre Gondois
---
.../RngDxe/AArch64/RngDxe.c | 19 +--
.../RngDxe/Rand/RngDxe.c | 24 +++--
.../RandomNumberGenerator/RngDxe/RngDxe.c | 49 ---
.../RngDxe/RngDxeInternals.h | 25 --
4 files changed, 34 insertions(+), 83 deletions(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
index 3daf847d46d3..6d989f7ea376 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
@@ -14,6 +14,7 @@
Copyright (c) 2021, NUVIA Inc. All rights reserved.
Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
(C) Copyright 2015 Hewlett Packard Enterprise Development LP
+ Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -85,6 +86,7 @@ RngGetRNG (
/**
Returns information about the random number generation implementation.
+ @param[in] This A pointer to the EFI_RNG_PROTOCOL
instance.
@param[in,out] RNGAlgorithmListSize On input, the size in bytes of
RNGAlgorithmList.
On output with a return code of
EFI_SUCCESS, the size
in bytes of the data returned in
RNGAlgorithmList. On output
@@ -97,14 +99,19 @@ RngGetRNG (
is the default algorithm for the driver.
@retval EFI_SUCCESS The RNG algorithm list was returned
successfully.
+ @retval EFI_UNSUPPORTED The services is not supported by this
driver.
+ @retval EFI_DEVICE_ERRORThe list of algorithms could not be
retrieved due to a
+ hardware or firmware error.
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are
incorrect.
@retval EFI_BUFFER_TOO_SMALLThe buffer RNGAlgorithmList is too small
to hold the result.
**/
-UINTN
+EFI_STATUS
EFIAPI
-ArchGetSupportedRngAlgorithms (
- IN OUT UINTN *RNGAlgorithmListSize,
- OUTEFI_RNG_ALGORITHM *RNGAlgorithmList
+RngGetInfo (
+ IN EFI_RNG_PROTOCOL*This,
+ IN OUT UINTN *RNGAlgorithmListSize,
+ OUT EFI_RNG_ALGORITHM *RNGAlgorithmList
)
{
UINTN RequiredSize;
@@ -112,6 +119,10 @@ ArchGetSupportedRngAlgorithms (
RequiredSize = sizeof (EFI_RNG_ALGORITHM);
+ if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
+return EFI_INVALID_PARAMETER;
+ }
+
if (*RNGAlgorithmListSize < RequiredSize) {
*RNGAlgorithmListSize = RequiredSize;
return EFI_BUFFER_TOO_SMALL;
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
index 8cfe6b471192..b2d2236380fd 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
@@ -104,6 +104,7 @@ RngGetRNG (
/**
Returns information about the random number generation implementation.
+ @param[in] This A pointer to the EFI_RNG_PROTOCOL
instance.
@param[in,out] RNGAlgorithmListSize On input, the size in bytes of
RNGAlgorithmList.
On output with a return code of
EFI_SUCCESS, the size
in bytes of the data returned in
RNGAlgorithmList. On output
@@ -116,18 +117,27 @@ RngGetRNG (
is the default algorithm for the driver.
@retval EFI_SUCCESS The RNG algorithm list was returned
successfully.
+ @retval EFI_UNSUPPORTED No supported algorithms found.
+ @retval EFI_DEVICE_ERRORThe list of algorithms could not be
retrieved due to a
+ hardware or firmware error.
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are
incorrect.
@retval EFI_BUFFER_TOO_SMALLThe buffer RNGAlgorithmList is too small
to hold the result.
**/
-UINTN
+EFI_STATUS
EFIAPI
-ArchGetSupportedRngAlgorithms (
- IN OUT UINTN *RNGAlgorithmListSize,
- OUTEFI_RNG_ALGORITHM *RNGAlgorithmList
+RngGetInfo (
+ IN EFI_RNG_PROTOCOL*This,
+ IN OUT UINTN *RNGAlgorithmListSize,
+ OUT EFI_RNG_ALGORITHM *RNGAlgorithmList
)
{
UINTN RequiredSize;
+
[edk2-devel] [PATCH v3 15/21] SecurityPkg/RngDxe: Documentation/include/parameter cleanup
From: Pierre Gondois
This patch:
-Update RngGetBytes() documentation to align the function
definition and declaration.
-Improve input parameter checking. Even though 'This'
it is not used, the parameter should always point to the
current EFI_RNG_PROTOCOL.
-Removes TimerLib inclusion as unused.
Signed-off-by: Pierre Gondois
---
SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c | 3 +--
SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c| 2 +-
SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c | 3 +--
3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
index 6d989f7ea376..f9c740d761ff 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
@@ -23,7 +23,6 @@
#include
#include
#include
-#include
#include
#include "RngDxeInternals.h"
@@ -61,7 +60,7 @@ RngGetRNG (
{
EFI_STATUS Status;
- if ((RNGValueLength == 0) || (RNGValue == NULL)) {
+ if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
return EFI_INVALID_PARAMETER;
}
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
index b2d2236380fd..8f5d8e740f5e 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
@@ -59,7 +59,7 @@ RngGetRNG (
{
EFI_STATUS Status;
- if ((RNGValueLength == 0) || (RNGValue == NULL)) {
+ if ((This == NULL) || (RNGValueLength == 0) || (RNGValue == NULL)) {
return EFI_INVALID_PARAMETER;
}
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
index 6608ca8804a5..d7905a7f4d72 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.c
@@ -23,7 +23,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include
#include
#include
-#include
#include
#include "RngDxeInternals.h"
@@ -72,7 +71,7 @@ RngDriverEntry (
}
/**
- Calls RDRAND to fill a buffer of arbitrary size with random bytes.
+ Runs CPU RNG instruction to fill a buffer of arbitrary size with random
bytes.
@param[in] LengthSize of the buffer, in bytes, to fill with.
@param[out] RandBufferPointer to the buffer to store the random result.
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90863): https://edk2.groups.io/g/devel/message/90863
Mute This Topic: https://groups.io/mt/92066747/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 14/22] SecurityPkg/RngDxe: Replace Pcd with Sp80090Ctr256Guid
From: Pierre Gondois
gEfiRngAlgorithmSp80090Ctr256Guid was used as the default algorithm
in RngGetRNG(). The commit below set the default algorithm to
PcdCpuRngSupportedAlgorithm, which is a zero GUID by default.
As the Pcd value is not defined for any platform in the edk2-platfoms
repository, assume it was an error and go back to the first version,
using gEfiRngAlgorithmSp80090Ctr256Guid.
Fixes 4e5ecdbac8bd ("SecurityPkg: Add support for RngDxe on AARCH64")
Signed-off-by: Pierre Gondois
---
SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 7 ++-
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
index 8d44f0636c3d..8cfe6b471192 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
@@ -126,8 +126,7 @@ ArchGetSupportedRngAlgorithms (
OUTEFI_RNG_ALGORITHM *RNGAlgorithmList
)
{
- UINTN RequiredSize;
- EFI_RNG_ALGORITHM *CpuRngSupportedAlgorithm;
+ UINTN RequiredSize;
RequiredSize = 2 * sizeof (EFI_RNG_ALGORITHM);
@@ -136,9 +135,7 @@ ArchGetSupportedRngAlgorithms (
return EFI_BUFFER_TOO_SMALL;
}
- CpuRngSupportedAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
-
- CopyMem (&RNGAlgorithmList[0], CpuRngSupportedAlgorithm, sizeof
(EFI_RNG_ALGORITHM));
+ CopyMem (&RNGAlgorithmList[0], gEfiRngAlgorithmSp80090Ctr256Guid, sizeof
(EFI_RNG_ALGORITHM));
// x86 platforms also support EFI_RNG_ALGORITHM_RAW via RDSEED
CopyMem (&RNGAlgorithmList[1], &gEfiRngAlgorithmRaw, sizeof
(EFI_RNG_ALGORITHM));
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90862): https://edk2.groups.io/g/devel/message/90862
Mute This Topic: https://groups.io/mt/92066746/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 14/21] SecurityPkg/RngDxe: Remove ArchGetSupportedRngAlgorithms()
From: Pierre Gondois
RngGetInfo() is one of the 2 functions of the EFI_RNG_PROTOCOL.
RngGetInfo() is currently a mere wrapper around
ArchGetSupportedRngAlgorithms() which is implemented differently
depending on the architecture used.
RngGetInfo() does nothing more than calling
ArchGetSupportedRngAlgorithms(). So remove it, and let RngGetInfo()
be implemented differently according to the architecture.
This follows the implementation of the other function of the
EFI_RNG_PROTOCOL, RngGetRNG().
Signed-off-by: Pierre Gondois
---
.../RngDxe/AArch64/RngDxe.c | 19 +--
.../RngDxe/Rand/RngDxe.c | 24 +++--
.../RandomNumberGenerator/RngDxe/RngDxe.c | 49 ---
.../RngDxe/RngDxeInternals.h | 25 --
4 files changed, 34 insertions(+), 83 deletions(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
index 3daf847d46d3..6d989f7ea376 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/AArch64/RngDxe.c
@@ -14,6 +14,7 @@
Copyright (c) 2021, NUVIA Inc. All rights reserved.
Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
(C) Copyright 2015 Hewlett Packard Enterprise Development LP
+ Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -85,6 +86,7 @@ RngGetRNG (
/**
Returns information about the random number generation implementation.
+ @param[in] This A pointer to the EFI_RNG_PROTOCOL
instance.
@param[in,out] RNGAlgorithmListSize On input, the size in bytes of
RNGAlgorithmList.
On output with a return code of
EFI_SUCCESS, the size
in bytes of the data returned in
RNGAlgorithmList. On output
@@ -97,14 +99,19 @@ RngGetRNG (
is the default algorithm for the driver.
@retval EFI_SUCCESS The RNG algorithm list was returned
successfully.
+ @retval EFI_UNSUPPORTED The services is not supported by this
driver.
+ @retval EFI_DEVICE_ERRORThe list of algorithms could not be
retrieved due to a
+ hardware or firmware error.
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are
incorrect.
@retval EFI_BUFFER_TOO_SMALLThe buffer RNGAlgorithmList is too small
to hold the result.
**/
-UINTN
+EFI_STATUS
EFIAPI
-ArchGetSupportedRngAlgorithms (
- IN OUT UINTN *RNGAlgorithmListSize,
- OUTEFI_RNG_ALGORITHM *RNGAlgorithmList
+RngGetInfo (
+ IN EFI_RNG_PROTOCOL*This,
+ IN OUT UINTN *RNGAlgorithmListSize,
+ OUT EFI_RNG_ALGORITHM *RNGAlgorithmList
)
{
UINTN RequiredSize;
@@ -112,6 +119,10 @@ ArchGetSupportedRngAlgorithms (
RequiredSize = sizeof (EFI_RNG_ALGORITHM);
+ if ((This == NULL) || (RNGAlgorithmListSize == NULL)) {
+return EFI_INVALID_PARAMETER;
+ }
+
if (*RNGAlgorithmListSize < RequiredSize) {
*RNGAlgorithmListSize = RequiredSize;
return EFI_BUFFER_TOO_SMALL;
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
index 8cfe6b471192..b2d2236380fd 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
@@ -104,6 +104,7 @@ RngGetRNG (
/**
Returns information about the random number generation implementation.
+ @param[in] This A pointer to the EFI_RNG_PROTOCOL
instance.
@param[in,out] RNGAlgorithmListSize On input, the size in bytes of
RNGAlgorithmList.
On output with a return code of
EFI_SUCCESS, the size
in bytes of the data returned in
RNGAlgorithmList. On output
@@ -116,18 +117,27 @@ RngGetRNG (
is the default algorithm for the driver.
@retval EFI_SUCCESS The RNG algorithm list was returned
successfully.
+ @retval EFI_UNSUPPORTED No supported algorithms found.
+ @retval EFI_DEVICE_ERRORThe list of algorithms could not be
retrieved due to a
+ hardware or firmware error.
+ @retval EFI_INVALID_PARAMETER One or more of the parameters are
incorrect.
@retval EFI_BUFFER_TOO_SMALLThe buffer RNGAlgorithmList is too small
to hold the result.
**/
-UINTN
+EFI_STATUS
EFIAPI
-ArchGetSupportedRngAlgorithms (
- IN OUT UINTN *RNGAlgorithmListSize,
- OUTEFI_RNG_ALGORITHM *RNGAlgorithmList
+RngGetInfo (
+ IN EFI_RNG_PROTOCOL*This,
+ IN OUT UINTN *RNGAlgorithmListSize,
+ OUT EFI_RNG_ALGORITHM *RNGAlgorithmList
)
{
UINTN RequiredSize;
+
[edk2-devel] [PATCH v3 13/21] SecurityPkg/RngDxe: Replace Pcd with Sp80090Ctr256Guid
From: Pierre Gondois
gEfiRngAlgorithmSp80090Ctr256Guid was used as the default algorithm
in RngGetRNG(). The commit below set the default algorithm to
PcdCpuRngSupportedAlgorithm, which is a zero GUID by default.
As the Pcd value is not defined for any platform in the edk2-platfoms
repository, assume it was an error and go back to the first version,
using gEfiRngAlgorithmSp80090Ctr256Guid.
Fixes 4e5ecdbac8bd ("SecurityPkg: Add support for RngDxe on AARCH64")
Signed-off-by: Pierre Gondois
---
SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 7 ++-
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
index 8d44f0636c3d..8cfe6b471192 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
@@ -126,8 +126,7 @@ ArchGetSupportedRngAlgorithms (
OUTEFI_RNG_ALGORITHM *RNGAlgorithmList
)
{
- UINTN RequiredSize;
- EFI_RNG_ALGORITHM *CpuRngSupportedAlgorithm;
+ UINTN RequiredSize;
RequiredSize = 2 * sizeof (EFI_RNG_ALGORITHM);
@@ -136,9 +135,7 @@ ArchGetSupportedRngAlgorithms (
return EFI_BUFFER_TOO_SMALL;
}
- CpuRngSupportedAlgorithm = PcdGetPtr (PcdCpuRngSupportedAlgorithm);
-
- CopyMem (&RNGAlgorithmList[0], CpuRngSupportedAlgorithm, sizeof
(EFI_RNG_ALGORITHM));
+ CopyMem (&RNGAlgorithmList[0], gEfiRngAlgorithmSp80090Ctr256Guid, sizeof
(EFI_RNG_ALGORITHM));
// x86 platforms also support EFI_RNG_ALGORITHM_RAW via RDSEED
CopyMem (&RNGAlgorithmList[1], &gEfiRngAlgorithmRaw, sizeof
(EFI_RNG_ALGORITHM));
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90860): https://edk2.groups.io/g/devel/message/90860
Mute This Topic: https://groups.io/mt/92066744/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 13/22] SecurityPkg/RngDxe: Rename RdRandGenerateEntropy to generic name
From: Sami Mujawar Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668) Rename RdRandGenerateEntropy() to GenerateEntropy() to provide a common interface to generate entropy on other architectures. GenerateEntropy() is intended to generate high quality entropy. Also move the definition to RngDxeInternals.h Signed-off-by: Sami Mujawar --- .../RngDxe/Rand/RdRand.c | 14 -- .../RngDxe/Rand/RdRand.h | 43 --- .../RngDxe/Rand/RngDxe.c | 7 ++- .../RandomNumberGenerator/RngDxe/RngDxe.inf | 2 +- .../RngDxe/RngDxeInternals.h | 19 5 files changed, 36 insertions(+), 49 deletions(-) delete mode 100644 SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.h diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.c index 5b6644138231..4b011c7e8e49 100644 --- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.c +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.c @@ -1,15 +1,23 @@ /** @file - Support routines for RDRAND instruction access. + Support routines for RDRAND instruction access, which will leverage + Intel Secure Key technology to provide high-quality random numbers for use + in applications, or entropy for seeding other random number generators. + Refer to http://software.intel.com/en-us/articles/intel-digital-random-number + -generator-drng-software-implementation-guide/ for more information about Intel + Secure Key technology. +Copyright (c) 2021 - 2022, Arm Limited. All rights reserved. Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. (C) Copyright 2015 Hewlett Packard Enterprise Development LP SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#include #include +#include #include "AesCore.h" -#include "RdRand.h" #include "RngDxeInternals.h" /** @@ -87,7 +95,7 @@ RdRandGetSeed128 ( **/ EFI_STATUS EFIAPI -RdRandGenerateEntropy ( +GenerateEntropy ( IN UINTN Length, OUT UINT8 *Entropy ) diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.h b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.h deleted file mode 100644 index 7fdb6891bd63.. --- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.h +++ /dev/null @@ -1,43 +0,0 @@ -/** @file - Header for the RDRAND APIs used by RNG DXE driver. - - Support API definitions for RDRAND instruction access, which will leverage - Intel Secure Key technology to provide high-quality random numbers for use - in applications, or entropy for seeding other random number generators. - Refer to http://software.intel.com/en-us/articles/intel-digital-random-number - -generator-drng-software-implementation-guide/ for more information about Intel - Secure Key technology. - -Copyright (c) 2013, Intel Corporation. All rights reserved. -(C) Copyright 2015 Hewlett Packard Enterprise Development LP -SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef __RD_RAND_H__ -#define __RD_RAND_H__ - -#include -#include -#include -#include -#include - -/** - Generate high-quality entropy source through RDRAND. - - @param[in] LengthSize of the buffer, in bytes, to fill with. - @param[out] Entropy Pointer to the buffer to store the entropy data. - - @retval EFI_SUCCESSEntropy generation succeeded. - @retval EFI_NOT_READY Failed to request random data. - -**/ -EFI_STATUS -EFIAPI -RdRandGenerateEntropy ( - IN UINTN Length, - OUT UINT8 *Entropy - ); - -#endif // __RD_RAND_H__ diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c index 2df4ed44329a..8d44f0636c3d 100644 --- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c @@ -14,13 +14,16 @@ - EFI_RNG_ALGORITHM_X9_31_3DES_GUID- Unsupported - EFI_RNG_ALGORITHM_X9_31_AES_GUID - Unsupported + Copyright (c) 2021 - 2022, Arm Limited. All rights reserved. Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. (C) Copyright 2015 Hewlett Packard Enterprise Development LP SPDX-License-Identifier: BSD-2-Clause-Patent **/ -#include "RdRand.h" +#include +#include + #include "RngDxeInternals.h" /** @@ -88,7 +91,7 @@ RngGetRNG ( return EFI_INVALID_PARAMETER; } -Status = RdRandGenerateEntropy (RNGValueLength, RNGValue); +Status = GenerateEntropy (RNGValueLength, RNGValue); return Status; } diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf index f3300971993f..60efb5562ee0 100644 --- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf @@ -10,6 +10,7 @@ # # Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. # (C) Copyr
[edk2-devel] [PATCH v3 12/22] SecurityPkg: Update Securitypkg.ci.yaml
From: Pierre Gondois
Add ArmPkg.dec as a valid dependency for the SecurityPkg.
Signed-off-by: Pierre Gondois
---
SecurityPkg/SecurityPkg.ci.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.yaml
index 791214239899..08e98d713224 100644
--- a/SecurityPkg/SecurityPkg.ci.yaml
+++ b/SecurityPkg/SecurityPkg.ci.yaml
@@ -31,6 +31,7 @@
},
"DependencyCheck": {
"AcceptableDependencies": [
+"ArmPkg/ArmPkg.dec",
"MdePkg/MdePkg.dec",
"MdeModulePkg/MdeModulePkg.dec",
"SecurityPkg/SecurityPkg.dec",
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90858): https://edk2.groups.io/g/devel/message/90858
Mute This Topic: https://groups.io/mt/92066741/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 12/21] SecurityPkg/RngDxe: Rename RdRandGenerateEntropy to generic name
From: Sami Mujawar Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668) Rename RdRandGenerateEntropy() to GenerateEntropy() to provide a common interface to generate entropy on other architectures. GenerateEntropy() is intended to generate high quality entropy. Also move the definition to RngDxeInternals.h Signed-off-by: Sami Mujawar --- .../RngDxe/Rand/RdRand.c | 14 -- .../RngDxe/Rand/RdRand.h | 43 --- .../RngDxe/Rand/RngDxe.c | 7 ++- .../RandomNumberGenerator/RngDxe/RngDxe.inf | 2 +- .../RngDxe/RngDxeInternals.h | 19 5 files changed, 36 insertions(+), 49 deletions(-) delete mode 100644 SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.h diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.c index 5b6644138231..4b011c7e8e49 100644 --- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.c +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.c @@ -1,15 +1,23 @@ /** @file - Support routines for RDRAND instruction access. + Support routines for RDRAND instruction access, which will leverage + Intel Secure Key technology to provide high-quality random numbers for use + in applications, or entropy for seeding other random number generators. + Refer to http://software.intel.com/en-us/articles/intel-digital-random-number + -generator-drng-software-implementation-guide/ for more information about Intel + Secure Key technology. +Copyright (c) 2021 - 2022, Arm Limited. All rights reserved. Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. (C) Copyright 2015 Hewlett Packard Enterprise Development LP SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#include #include +#include #include "AesCore.h" -#include "RdRand.h" #include "RngDxeInternals.h" /** @@ -87,7 +95,7 @@ RdRandGetSeed128 ( **/ EFI_STATUS EFIAPI -RdRandGenerateEntropy ( +GenerateEntropy ( IN UINTN Length, OUT UINT8 *Entropy ) diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.h b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.h deleted file mode 100644 index 7fdb6891bd63.. --- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RdRand.h +++ /dev/null @@ -1,43 +0,0 @@ -/** @file - Header for the RDRAND APIs used by RNG DXE driver. - - Support API definitions for RDRAND instruction access, which will leverage - Intel Secure Key technology to provide high-quality random numbers for use - in applications, or entropy for seeding other random number generators. - Refer to http://software.intel.com/en-us/articles/intel-digital-random-number - -generator-drng-software-implementation-guide/ for more information about Intel - Secure Key technology. - -Copyright (c) 2013, Intel Corporation. All rights reserved. -(C) Copyright 2015 Hewlett Packard Enterprise Development LP -SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef __RD_RAND_H__ -#define __RD_RAND_H__ - -#include -#include -#include -#include -#include - -/** - Generate high-quality entropy source through RDRAND. - - @param[in] LengthSize of the buffer, in bytes, to fill with. - @param[out] Entropy Pointer to the buffer to store the entropy data. - - @retval EFI_SUCCESSEntropy generation succeeded. - @retval EFI_NOT_READY Failed to request random data. - -**/ -EFI_STATUS -EFIAPI -RdRandGenerateEntropy ( - IN UINTN Length, - OUT UINT8 *Entropy - ); - -#endif // __RD_RAND_H__ diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c index 2df4ed44329a..8d44f0636c3d 100644 --- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c @@ -14,13 +14,16 @@ - EFI_RNG_ALGORITHM_X9_31_3DES_GUID- Unsupported - EFI_RNG_ALGORITHM_X9_31_AES_GUID - Unsupported + Copyright (c) 2021 - 2022, Arm Limited. All rights reserved. Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. (C) Copyright 2015 Hewlett Packard Enterprise Development LP SPDX-License-Identifier: BSD-2-Clause-Patent **/ -#include "RdRand.h" +#include +#include + #include "RngDxeInternals.h" /** @@ -88,7 +91,7 @@ RngGetRNG ( return EFI_INVALID_PARAMETER; } -Status = RdRandGenerateEntropy (RNGValueLength, RNGValue); +Status = GenerateEntropy (RNGValueLength, RNGValue); return Status; } diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf index f3300971993f..60efb5562ee0 100644 --- a/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf @@ -10,6 +10,7 @@ # # Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. # (C) Copyr
[edk2-devel] [PATCH v3 11/22] ArmPkg/ArmLib: Add ArmHasRngExt()
From: Pierre Gondois
Add a ArmHasRngExt() to check for the FEAT_RNG extension.
Also add a mask for the RNDR bits.
Signed-off-by: Pierre Gondois
---
ArmPkg/Include/Library/ArmLib.h| 12 +++-
ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c | 15 ++-
ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h | 2 ++
ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c | 16 +++-
4 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/ArmPkg/Include/Library/ArmLib.h b/ArmPkg/Include/Library/ArmLib.h
index 6566deebdde2..8058634dbc53 100644
--- a/ArmPkg/Include/Library/ArmLib.h
+++ b/ArmPkg/Include/Library/ArmLib.h
@@ -1,7 +1,7 @@
/** @file
Copyright (c) 2008 - 2009, Apple Inc. All rights reserved.
- Copyright (c) 2011 - 2016, ARM Ltd. All rights reserved.
+ Copyright (c) 2011 - 2022, Arm Limited. All rights reserved.
Copyright (c) 2020 - 2021, NUVIA Inc. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -769,6 +769,16 @@ ArmHasCcidx (
VOID
);
+/** Check if FEAT_RNG extension is available.
+
+ @retval TRUE if FEAT_RNG extension is available.
+ @retval FALSE otherwise.
+**/
+BOOLEAN
+ArmHasRngExt (
+ VOID
+ );
+
#ifdef MDE_CPU_ARM
///
/// AArch32-only ID Register Helper functions
diff --git a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c
b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c
index 7ab28e3e05fe..124b28e16874 100644
--- a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c
+++ b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c
@@ -1,7 +1,7 @@
/** @file
Copyright (c) 2008 - 2009, Apple Inc. All rights reserved.
- Portions copyright (c) 2011 - 2014, ARM Ltd. All rights reserved.
+ Portions copyright (c) 2011 - 2022, Arm Limited. All rights reserved.
Copyright (c) 2021, NUVIA Inc. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -104,3 +104,16 @@ ArmHasCcidx (
Mmfr2 = ArmReadIdAA64Mmfr2 ();
return (((Mmfr2 >> 20) & 0xF) == 1) ? TRUE : FALSE;
}
+
+/** Check if FEAT_RNG extension is available.
+
+ @retval TRUE if FEAT_RNG extension is available.
+ @retval FALSE otherwise.
+**/
+BOOLEAN
+ArmHasRngExt (
+ VOID
+ )
+{
+ return ArmReadIdIsar0 () & ID_AA64ISAR0_EL1_RNDR_MASK;
+}
diff --git a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h
b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h
index 105a52ee16fe..61a775ea27e8 100644
--- a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h
+++ b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h
@@ -11,6 +11,8 @@
#ifndef AARCH64_LIB_H_
#define AARCH64_LIB_H_
+#define ID_AA64ISAR0_EL1_RNDR_MASK ((UINT64)0xF << 60U)
+
typedef VOID (*AARCH64_CACHE_OPERATION)(
UINTN
);
diff --git a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c
b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c
index 521d5be0de33..a4ec23c8f8d8 100644
--- a/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c
+++ b/ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c
@@ -1,7 +1,7 @@
/** @file
Copyright (c) 2008 - 2009, Apple Inc. All rights reserved.
- Copyright (c) 2011 - 2014, ARM Limited. All rights reserved.
+ Copyright (c) 2011 - 2022, Arm Limited. All rights reserved.
Copyright (c) 2021, NUVIA Inc. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -119,3 +119,17 @@ ArmHasCcidx (
Mmfr4 = ArmReadIdMmfr4 ();
return (((Mmfr4 >> 24) & 0xF) == 1) ? TRUE : FALSE;
}
+
+/** Check if FEAT_RNG extension is available.
+
+ @retval TRUE if FEAT_RNG extension is available.
+ @retval FALSE otherwise.
+**/
+BOOLEAN
+ArmHasRngExt (
+ VOID
+ )
+{
+ // Not supported.
+ return FALSE;
+}
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90856): https://edk2.groups.io/g/devel/message/90856
Mute This Topic: https://groups.io/mt/92066737/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 10/22] ArmPkg/ArmLib: Add ArmReadIdIsar0() helper
From: Pierre Gondois Add a ArmReadIdIsar0() helper function to access the AArch64 ID_ISAR0_EL1 register. Signed-off-by: Pierre Gondois --- ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h | 12 +++- ArmPkg/Library/ArmLib/AArch64/AArch64Support.S | 7 ++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h index 330481fc50db..105a52ee16fe 100644 --- a/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h +++ b/ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h @@ -1,7 +1,7 @@ /** @file Copyright (c) 2008 - 2009, Apple Inc. All rights reserved. - Portions Copyright (c) 2011 - 2013, ARM Ltd. All rights reserved. + Portions Copyright (c) 2011 - 2022, Arm Ltd. All rights reserved. Copyright (c) 2020, NUVIA Inc. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent @@ -54,4 +54,14 @@ ArmReadIdAA64Mmfr2 ( VOID ); +/** Reads the ID_ISAR0_EL1 register. + + @return The contents of the ID_ISAR0_EL1 register. +**/ +UINTN +EFIAPI +ArmReadIdIsar0 ( + VOID + ); + #endif // AARCH64_LIB_H_ diff --git a/ArmPkg/Library/ArmLib/AArch64/AArch64Support.S b/ArmPkg/Library/ArmLib/AArch64/AArch64Support.S index d3cc1e86716b..baba283d01b9 100644 --- a/ArmPkg/Library/ArmLib/AArch64/AArch64Support.S +++ b/ArmPkg/Library/ArmLib/AArch64/AArch64Support.S @@ -1,7 +1,7 @@ #-- # # Copyright (c) 2008 - 2010, Apple Inc. All rights reserved. -# Copyright (c) 2011 - 2017, ARM Limited. All rights reserved. +# Copyright (c) 2011 - 2022, Arm Limited. All rights reserved. # Copyright (c) 2016, Linaro Limited. All rights reserved. # Copyright (c) 2020, NUVIA Inc. All rights reserved. # @@ -482,4 +482,9 @@ ASM_FUNC(ArmWriteCntHctl) msr cnthctl_el2, x0 ret +// UINTN ArmReadIdIsar0(VOID) +ASM_FUNC(ArmReadIdIsar0) + mrs x0, id_aa64isar0_el1 + ret + ASM_FUNCTION_REMOVE_IF_UNREFERENCED -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90855): https://edk2.groups.io/g/devel/message/90855 Mute This Topic: https://groups.io/mt/92066736/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 09/22] MdePkg/BaseRngLib: Rename ArmReadIdIsar0() to ArmGetFeatRng()
From: Pierre Gondois
The MdePkg must be self contained and not have external dependencies.
ArmReadIdIsar0() is defined in MdePkg/Library/BaseRngLib and is
limited to the scope of this library.
The same function will be required to check the FEAT_AES and FEAT_RNG
extensions in other libraries. As this function is Arm specific, it
cannot be added to a library interface in MdePkg. It should be part of
ArmPkg/ArmLib.
To avoid having mutiple definitions/prototypes of ArmReadIdIsar0(),
and as BaseRngLib only requires to check the RNG capability bits,
rename the MdePkg/Library/BaseRngLib implementation to ArmGetFeatRng().
Signed-off-by: Pierre Gondois
---
.../AArch64/{ArmReadIdIsar0.S => ArmGetFeatRng.S} | 8
.../AArch64/{ArmReadIdIsar0.asm => ArmGetFeatRng.asm} | 8
MdePkg/Library/BaseRngLib/AArch64/ArmRng.h| 2 +-
MdePkg/Library/BaseRngLib/AArch64/Rndr.c | 2 +-
MdePkg/Library/BaseRngLib/BaseRngLib.inf | 4 ++--
5 files changed, 12 insertions(+), 12 deletions(-)
rename MdePkg/Library/BaseRngLib/AArch64/{ArmReadIdIsar0.S => ArmGetFeatRng.S}
(78%)
rename MdePkg/Library/BaseRngLib/AArch64/{ArmReadIdIsar0.asm =>
ArmGetFeatRng.asm} (81%)
diff --git a/MdePkg/Library/BaseRngLib/AArch64/ArmReadIdIsar0.S
b/MdePkg/Library/BaseRngLib/AArch64/ArmGetFeatRng.S
similarity index 78%
rename from MdePkg/Library/BaseRngLib/AArch64/ArmReadIdIsar0.S
rename to MdePkg/Library/BaseRngLib/AArch64/ArmGetFeatRng.S
index 82a00d362212..c42d60513077 100644
--- a/MdePkg/Library/BaseRngLib/AArch64/ArmReadIdIsar0.S
+++ b/MdePkg/Library/BaseRngLib/AArch64/ArmGetFeatRng.S
@@ -1,6 +1,6 @@
#--
#
-# ArmReadIdIsar0() for AArch64
+# ArmGetFeatRng() for AArch64
#
# Copyright (c) 2021, NUVIA Inc. All rights reserved.
#
@@ -10,7 +10,7 @@
.text
.p2align 2
-GCC_ASM_EXPORT(ArmReadIdIsar0)
+GCC_ASM_EXPORT(ArmGetFeatRng)
#/**
# Reads the ID_AA64ISAR0 Register.
@@ -20,11 +20,11 @@ GCC_ASM_EXPORT(ArmReadIdIsar0)
#**/
#UINT64
#EFIAPI
-#ArmReadIdIsar0 (
+#ArmGetFeatRng (
# VOID
# );
#
-ASM_PFX(ArmReadIdIsar0):
+ASM_PFX(ArmGetFeatRng):
mrs x0, id_aa64isar0_el1 // Read ID_AA64ISAR0 Register
ret
diff --git a/MdePkg/Library/BaseRngLib/AArch64/ArmReadIdIsar0.asm
b/MdePkg/Library/BaseRngLib/AArch64/ArmGetFeatRng.asm
similarity index 81%
rename from MdePkg/Library/BaseRngLib/AArch64/ArmReadIdIsar0.asm
rename to MdePkg/Library/BaseRngLib/AArch64/ArmGetFeatRng.asm
index 1d9f9a808c0c..947adfcd2749 100644
--- a/MdePkg/Library/BaseRngLib/AArch64/ArmReadIdIsar0.asm
+++ b/MdePkg/Library/BaseRngLib/AArch64/ArmGetFeatRng.asm
@@ -1,6 +1,6 @@
;--
;
-; ArmReadIdIsar0() for AArch64
+; ArmGetFeatRng() for AArch64
;
; Copyright (c) 2021, NUVIA Inc. All rights reserved.
;
@@ -8,7 +8,7 @@
;
;--
- EXPORT ArmReadIdIsar0
+ EXPORT ArmGetFeatRng
AREA BaseLib_LowLevel, CODE, READONLY
;/**
@@ -19,11 +19,11 @@
;**/
;UINT64
;EFIAPI
-;ArmReadIdIsar0 (
+;ArmGetFeatRng (
; VOID
; );
;
-ArmReadIdIsar0
+ArmGetFeatRng
mrs x0, id_aa64isar0_el1 // Read ID_AA64ISAR0 Register
ret
diff --git a/MdePkg/Library/BaseRngLib/AArch64/ArmRng.h
b/MdePkg/Library/BaseRngLib/AArch64/ArmRng.h
index 2d6ef48ab941..b35cba3c063a 100644
--- a/MdePkg/Library/BaseRngLib/AArch64/ArmRng.h
+++ b/MdePkg/Library/BaseRngLib/AArch64/ArmRng.h
@@ -35,7 +35,7 @@ ArmRndr (
**/
UINT64
EFIAPI
-ArmReadIdIsar0 (
+ArmGetFeatRng (
VOID
);
diff --git a/MdePkg/Library/BaseRngLib/AArch64/Rndr.c
b/MdePkg/Library/BaseRngLib/AArch64/Rndr.c
index 20811bf3ebf3..0cfdf4c37149 100644
--- a/MdePkg/Library/BaseRngLib/AArch64/Rndr.c
+++ b/MdePkg/Library/BaseRngLib/AArch64/Rndr.c
@@ -47,7 +47,7 @@ BaseRngLibConstructor (
// Determine RNDR support by examining bits 63:60 of the ISAR0 register
returned by
// MSR. A non-zero value indicates that the processor supports the RNDR
instruction.
//
- Isar0 = ArmReadIdIsar0 ();
+ Isar0 = ArmGetFeatRng ();
ASSERT ((Isar0 & RNDR_MASK) != 0);
mRndrSupported = ((Isar0 & RNDR_MASK) != 0);
diff --git a/MdePkg/Library/BaseRngLib/BaseRngLib.inf
b/MdePkg/Library/BaseRngLib/BaseRngLib.inf
index 1fcceb941495..d6eccb07d469 100644
--- a/MdePkg/Library/BaseRngLib/BaseRngLib.inf
+++ b/MdePkg/Library/BaseRngLib/BaseRngLib.inf
@@ -37,10 +37,10 @@ [Sources.AARCH64]
AArch64/Rndr.c
AArch64/ArmRng.h
- AArch64/ArmReadIdIsar0.S | GCC
+ AArch64/ArmGetFeatRng.S| GCC
AArch64/ArmRng.S | GCC
- AArch64/ArmReadIdIsar0.asm | MSFT
+ AArch64/ArmGetFeatRng.asm | MSFT
AArch64/ArmRng.asm | MSFT
[Packages]
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90854): https://edk2.groups.io/g/devel/message/90854
Mute This Topic
[edk2-devel] [PATCH v3 08/22] ArmPkg/TrngLib: Add Arm Firmware TRNG library
From: Sami Mujawar
Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668)
The Arm True Random Number Generator Firmware, Interface 1.0,
Platform Design Document
(https://developer.arm.com/documentation/den0098/latest/)
defines an interface between an Operating System (OS) executing
at EL1 and Firmware (FW) exposing a conditioned entropy source
that is provided by a TRNG back end.
The conditioned entropy, that is provided by the TRNG FW interface,
is commonly used to seed deterministic random number generators.
This patch adds a TrngLib library that implements the Arm TRNG
firmware interface.
Signed-off-by: Sami Mujawar
---
ArmPkg/ArmPkg.dsc| 1 +
ArmPkg/Library/ArmFwTrngLib/ArmFwTrngDefs.h | 50 +++
ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.c | 403 +++
ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.inf | 29 ++
4 files changed, 483 insertions(+)
create mode 100644 ArmPkg/Library/ArmFwTrngLib/ArmFwTrngDefs.h
create mode 100644 ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.c
create mode 100644 ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.inf
diff --git a/ArmPkg/ArmPkg.dsc b/ArmPkg/ArmPkg.dsc
index e33b40f2c215..02d1caa3ab40 100644
--- a/ArmPkg/ArmPkg.dsc
+++ b/ArmPkg/ArmPkg.dsc
@@ -138,6 +138,7 @@ [Components.common]
ArmPkg/Library/ArmSvcLib/ArmSvcLib.inf
ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf
ArmPkg/Library/OpteeLib/OpteeLib.inf
+ ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.inf
ArmPkg/Filesystem/SemihostFs/SemihostFs.inf
diff --git a/ArmPkg/Library/ArmFwTrngLib/ArmFwTrngDefs.h
b/ArmPkg/Library/ArmFwTrngLib/ArmFwTrngDefs.h
new file mode 100644
index ..150c89fe7969
--- /dev/null
+++ b/ArmPkg/Library/ArmFwTrngLib/ArmFwTrngDefs.h
@@ -0,0 +1,50 @@
+/** @file
+ Arm Firmware TRNG definitions.
+
+ Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - [1] Arm True Random Number Generator Firmware, Interface 1.0,
+Platform Design Document.
+(https://developer.arm.com/documentation/den0098/latest/)
+
+ @par Glossary:
+- TRNG - True Random Number Generator
+- FID - Function ID
+**/
+
+#ifndef ARM_FW_TRNG_DEFS_H_
+#define ARM_FW_TRNG_DEFS_H_
+
+#include
+
+// Firmware TRNG revision mask and shift
+#define TRNG_REV_MAJOR_MASK 0x7FFF
+#define TRNG_REV_MINOR_MASK 0x
+#define TRNG_REV_MAJOR_SHIFT 16
+
+#if defined (MDE_CPU_ARM)
+
+/** FID to use on AArch32 platform to request entropy.
+*/
+#define FID_TRNG_RND FID_TRNG_RND_AARCH32
+
+/** Maximum bits of entropy supported on AArch32.
+*/
+#define MAX_ENTROPY_BITS 96
+#elif defined (MDE_CPU_AARCH64)
+
+/** FID to use on AArch64 platform to request entropy.
+*/
+#define FID_TRNG_RND FID_TRNG_RND_AARCH64
+
+/** Maximum bits of entropy supported on AArch64.
+*/
+#define MAX_ENTROPY_BITS 192
+#else
+ #error "Firmware TRNG not supported. Unknown chipset."
+#endif
+
+#endif // ARM_FW_TRNG_DEFS_H_
diff --git a/ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.c
b/ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.c
new file mode 100644
index ..5cff23de0250
--- /dev/null
+++ b/ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.c
@@ -0,0 +1,403 @@
+/** @file
+ Arm Firmware TRNG interface library.
+
+ Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - [1] Arm True Random Number Generator Firmware, Interface 1.0,
+Platform Design Document.
+(https://developer.arm.com/documentation/den0098/latest/)
+ - [2] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation
+for Random Number Generation Using Deterministic Random Bit Generators.
+(https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final)
+ - [3] NIST Special Publication 800-90B, Recommendation for the Entropy
+Sources Used for Random Bit Generation.
+(https://csrc.nist.gov/publications/detail/sp/800-90b/final)
+ - [4] (Second Draft) NIST Special Publication 800-90C, Recommendation for
+Random Bit Generator (RBG) Constructions.
+(https://csrc.nist.gov/publications/detail/sp/800-90c/draft)
+
+ @par Glossary:
+- TRNG - True Random Number Generator
+- FID - Function ID
+**/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "ArmFwTrngDefs.h"
+
+/** Convert TRNG status codes to RETURN status codes.
+
+ @param [in] TrngStatusTRNG status code.
+
+ @retval RETURN_SUCCESSSuccess.
+ @retval RETURN_UNSUPPORTEDFunction not implemented or
+ negative return code.
+ @retval RETURN_INVALID_PARAMETER A parameter is invalid.
+ @retval RETURN_NOT_READY No Entropy available.
+**/
+STATIC
+RETURN_STATUS
+TrngStatusToReturnStatus (
+ IN INT32 TrngStatus
+ )
+{
+ switch (TrngStatus) {
+case TRNG_STATUS_NOT_SUPPORTED:
+ return RETURN_UNSUPPORTED;
+
+
[edk2-devel] [PATCH v3 07/22] ArmPkg: Add FID definitions for Firmware TRNG
From: Sami Mujawar Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668) The Arm True Random Number Generator Firmware, Interface 1.0, Platform Design Document (https://developer.arm.com/documentation/den0098/latest/) defines an interface between an Operating System (OS) executing at EL1 and Firmware (FW) exposing a conditioned entropy source that is provided by a TRNG back end. New function IDs have been defined by the specification for accessing the TRNG services. Therefore, add these definitions to the Arm standard SMC header. Signed-off-by: Sami Mujawar --- ArmPkg/Include/IndustryStandard/ArmStdSmc.h | 109 +++- 1 file changed, 107 insertions(+), 2 deletions(-) diff --git a/ArmPkg/Include/IndustryStandard/ArmStdSmc.h b/ArmPkg/Include/IndustryStandard/ArmStdSmc.h index 655edc21b205..4b2edcf0154c 100644 --- a/ArmPkg/Include/IndustryStandard/ArmStdSmc.h +++ b/ArmPkg/Include/IndustryStandard/ArmStdSmc.h @@ -1,13 +1,20 @@ /** @file * * Copyright (c) 2020, NUVIA Inc. All rights reserved. -* Copyright (c) 2012-2017, ARM Limited. All rights reserved. +* Copyright (c) 2012 - 2022, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-2-Clause-Patent * * @par Revision Reference: -* - SMC Calling Convention version 1.2 +* - [1] SMC Calling Convention version 1.2 *(https://developer.arm.com/documentation/den0028/c/?lang=en) +* - [2] Arm True Random Number Generator Firmware, Interface 1.0, +*Platform Design Document. +*(https://developer.arm.com/documentation/den0098/latest/) +* +* @par Glossary: +*- TRNG - True Random Number Generator +* **/ #ifndef ARM_STD_SMC_H_ @@ -137,4 +144,102 @@ /*0xbf00ff02 is reserved */ #define ARM_SMC_ID_TOS_REVISION 0xbf00ff03 +// Firmware TRNG interface Function IDs + +/* + SMC/HVC call to get the version of the TRNG backend, + Cf. [2], 2.1 TRNG_VERSION + Input values: +W00x8400_0050 +W1-W7 Reserved (MBZ) + Return values: +Success (W0 > 0) W0[31] MBZ + W0[30:16] Major revision + W0[15:0] Minor revision + W1 - W3 Reserved (MBZ) +Error (W0 < 0) + NOT_SUPPORTED Function not implemented +*/ +#define FID_TRNG_VERSION 0x8450 + +/* + SMC/HVC call to check if a TRNG function ID is implemented by the backend, + Cf. [2], Section 2.2 TRNG_FEATURES + Input Values +W00x8400_0051 +W1trng_func_id +W2-W7 Reserved (MBZ) + Return values: +Success (W0 >= 0): + SUCCESS Function is implemented. +> 0 Function is implemented and +has specific capabilities, +see function definition. +Error (W0 < 0) + NOT_SUPPORTED Function with FID=trng_func_id + is not implemented +*/ +#define FID_TRNG_FEATURES 0x8451 + +/* + SMC/HVC call to get the UUID of the TRNG backend, + Cf. [2], Section 2.3 TRNG_GET_UUID + Input Values: +W00x8400_0052 +W1-W7 Reserved (MBZ) + Return Values: +Success (W0 != -1) +W0 UUID[31:0] +W1 UUID[63:32] +W2 UUID[95:64] +W3 UUID[127:96] +Error (W0 = -1) +W0 NOT_SUPPORTED +*/ +#define FID_TRNG_GET_UUID 0x8452 + +/* + AARCH32 SMC/HVC call to get entropy bits, Cf. [2], Section 2.4 TRNG_RND. + Input values: +W00x8400_0053 +W2-W7 Reserved (MBZ) + Return values: +Success (W0 = 0): + W0 MBZ + W1 Entropy[95:64] + W2 Entropy[63:32] + W3 Entropy[31:0] +Error (W0 < 0) + W0 NOT_SUPPORTED + NO_ENTROPY + INVALID_PARAMETERS + W1 - W3 Reserved (MBZ) +*/ +#define FID_TRNG_RND_AARCH32 0x8453 + +/* + AARCH64 SMC/HVC call to get entropy bits, Cf. [2], Section 2.4 TRNG_RND. + Input values: + X00xC400_0053 + X2-X7 Reserved (MBZ) + Return values: +Success (X0 = 0): + X0 MBZ + X1 Entropy[191:128] + X2 Entropy[127:64] + X3 Entropy[63:0] +Error (X0 < 0) + X0 NOT_SUPPORTED + NO_ENTROPY + INVALID_PARAMETERS + X1 - X3 Reserved (MBZ) +*/ +#define FID_TRNG_RND_AARCH64 0xC453 + +// Firmware TRNG status codes +#define TRNG_STATUS_SUCCESS(INT32)(0) +#define TRNG_STATUS_NOT_SUPPORTED (INT32)(-1) +#define TRNG_STATUS_INVALID_PARAMETER (INT32)(-2) +#define TRNG_STATUS_NO_ENTROPY (INT32)(-3) + #endif // ARM_STD_SMC_H_ -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90852): https://edk2.groups.io/g/devel/message/90852 Mute This Topic: https://groups.io/mt/92066727/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 06/22] MdePkg/TrngLib: Add NULL instance of TRNG Library
From: Sami Mujawar
Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668)
The True Random Number Generator (TRNG) library defines an
interface to access the entropy source on a platform. On
platforms that do not have access to an entropy source, a
NULL instance of the TRNG library may be useful to satisfy
the build dependency.
Therefore, add a NULL instance of the TRNG library.
Signed-off-by: Sami Mujawar
---
.../Library/BaseTrngLibNull/BaseTrngLibNull.c | 135 ++
.../BaseTrngLibNull/BaseTrngLibNull.inf | 30
.../BaseTrngLibNull/BaseTrngLibNull.uni | 12 ++
MdePkg/MdePkg.dsc | 1 +
4 files changed, 178 insertions(+)
create mode 100644 MdePkg/Library/BaseTrngLibNull/BaseTrngLibNull.c
create mode 100644 MdePkg/Library/BaseTrngLibNull/BaseTrngLibNull.inf
create mode 100644 MdePkg/Library/BaseTrngLibNull/BaseTrngLibNull.uni
diff --git a/MdePkg/Library/BaseTrngLibNull/BaseTrngLibNull.c
b/MdePkg/Library/BaseTrngLibNull/BaseTrngLibNull.c
new file mode 100644
index ..e383cd0cf1cc
--- /dev/null
+++ b/MdePkg/Library/BaseTrngLibNull/BaseTrngLibNull.c
@@ -0,0 +1,135 @@
+/** @file
+ Null version of TRNG (True Random Number Generator) services.
+
+ Copyright (c) 2021 - 2022, Arm Limited. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Reference(s):
+ - [1] Arm True Random Number Generator Firmware, Interface 1.0,
+Platform Design Document.
+(https://developer.arm.com/documentation/den0098/latest/)
+ - [2] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation
+for Random Number Generation Using Deterministic Random Bit Generators.
+(https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final)
+ - [3] NIST Special Publication 800-90B, Recommendation for the Entropy
+Sources Used for Random Bit Generation.
+(https://csrc.nist.gov/publications/detail/sp/800-90b/final)
+ - [4] (Second Draft) NIST Special Publication 800-90C, Recommendation for
+Random Bit Generator (RBG) Constructions.
+(https://csrc.nist.gov/publications/detail/sp/800-90c/draft)
+
+ @par Glossary:
+- TRNG - True Random Number Generator
+**/
+
+#include
+#include
+
+/** Get the version of the TRNG backend.
+
+ A TRNG may be implemented by the system firmware, in which case this
+ function shall return the version of the TRNG backend.
+ The implementation must return NOT_SUPPORTED if a Back end is not present.
+
+ @param [out] MajorRevision Major revision.
+ @param [out] MinorRevision Minor revision.
+
+ @retval RETURN_SUCCESSThe function completed successfully.
+ @retval RETURN_INVALID_PARAMETER Invalid parameter.
+ @retval RETURN_UNSUPPORTEDBackend not present.
+**/
+RETURN_STATUS
+EFIAPI
+GetTrngVersion (
+ OUT UINT16 *MajorRevision,
+ OUT UINT16 *MinorRevision
+ )
+{
+ ASSERT (FALSE);
+ return RETURN_UNSUPPORTED;
+}
+
+/** Get the UUID of the TRNG backend.
+
+ A TRNG may be implemented by the system firmware, in which case this
+ function shall return the UUID of the TRNG backend.
+ Returning the TRNG UUID is optional and if not implemented,
RETURN_UNSUPPORTED
+ shall be returned.
+
+ Note: The caller must not rely on the returned UUID as a trustworthy TRNG
+Back end identity
+
+ @param [out] Guid UUID of the TRNG backend.
+
+ @retval RETURN_SUCCESSThe function completed successfully.
+ @retval RETURN_INVALID_PARAMETER Invalid parameter.
+ @retval RETURN_UNSUPPORTEDFunction not implemented.
+**/
+RETURN_STATUS
+EFIAPI
+GetTrngUuid (
+ OUT GUID *Guid
+ )
+{
+ ASSERT (FALSE);
+ return RETURN_UNSUPPORTED;
+}
+
+/** Returns maximum number of entropy bits that can be returned in a single
+call.
+
+ @return Returns the maximum number of Entropy bits that can be returned
+ in a single call to GetTrngEntropy().
+**/
+UINTN
+EFIAPI
+GetTrngMaxSupportedEntropyBits (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return 0;
+}
+
+/** Returns N bits of conditioned entropy.
+
+ See [3] Section 2.3.1 GetEntropy: An Interface to the Entropy Source
+GetEntropy
+ Input:
+bits_of_entropy: the requested amount of entropy
+ Output:
+entropy_bitstring: The string that provides the requested entropy.
+ status: A Boolean value that is TRUE if the request has been satisfied,
+ and is FALSE otherwise.
+
+ Note: In this implementation this function returns a status code instead
+of a boolean value.
+This is also compatible with the definition of Get_Entropy, see [4]
+Section 7.4 Entropy Source Calls.
+ (status, entropy_bitstring) = Get_Entropy (
+ requested_entropy,
+ max_length
+ )
+
+ @param [in] EntropyBits Number of entropy bit
[edk2-devel] [PATCH v3 05/22] MdePkg/TrngLib: Definition for TRNG library class interface
From: Sami Mujawar Bugzilla: 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668) The NIST Special Publications 800-90A, 800-90B and 800-90C provide recommendations for random number generation. The NIST 800-90C, Recommendation for Random Bit Generator (RBG) Constructions, defines the GetEntropy() interface that is used to access the entropy source. The GetEntropy() interface is further used by Deterministic Random Bit Generators (DRBG) to generate random numbers. The True Random Number Generator (TRNG) library defines an interface to access the entropy source on a platform. Some platforms/architectures may provide access to the entropy using a firmware interface. In such cases the TRNG library shall be used to provide an abstraction. Signed-off-by: Sami Mujawar --- MdePkg/Include/Library/TrngLib.h | 121 +++ MdePkg/MdePkg.dec| 5 ++ 2 files changed, 126 insertions(+) create mode 100644 MdePkg/Include/Library/TrngLib.h diff --git a/MdePkg/Include/Library/TrngLib.h b/MdePkg/Include/Library/TrngLib.h new file mode 100644 index ..a6f165b1f918 --- /dev/null +++ b/MdePkg/Include/Library/TrngLib.h @@ -0,0 +1,121 @@ +/** @file + TRNG interface library definitions. + + Copyright (c) 2021 - 2022, Arm Limited. All rights reserved. + + SPDX-License-Identifier: BSD-2-Clause-Patent + + @par Reference(s): + - [1] Arm True Random Number Generator Firmware, Interface 1.0, +Platform Design Document. +(https://developer.arm.com/documentation/den0098/latest/) + - [2] NIST Special Publication 800-90A Revision 1, June 2015, Recommendation +for Random Number Generation Using Deterministic Random Bit Generators. +(https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final) + - [3] NIST Special Publication 800-90B, Recommendation for the Entropy +Sources Used for Random Bit Generation. +(https://csrc.nist.gov/publications/detail/sp/800-90b/final) + - [4] (Second Draft) NIST Special Publication 800-90C, Recommendation for +Random Bit Generator (RBG) Constructions. +(https://csrc.nist.gov/publications/detail/sp/800-90c/draft) + + @par Glossary: +- TRNG - True Random Number Generator +**/ + +#ifndef TRNG_LIB_H_ +#define TRNG_LIB_H_ + +/** Get the version of the TRNG backend. + + A TRNG may be implemented by the system firmware, in which case this + function shall return the version of the TRNG backend. + The implementation must return NOT_SUPPORTED if a Back end is not present. + + @param [out] MajorRevision Major revision. + @param [out] MinorRevision Minor revision. + + @retval RETURN_SUCCESSThe function completed successfully. + @retval RETURN_INVALID_PARAMETER Invalid parameter. + @retval RETURN_UNSUPPORTEDBackend not present. +**/ +RETURN_STATUS +EFIAPI +GetTrngVersion ( + OUT UINT16 *MajorRevision, + OUT UINT16 *MinorRevision + ); + +/** Get the UUID of the TRNG backend. + + A TRNG may be implemented by the system firmware, in which case this + function shall return the UUID of the TRNG backend. + Returning the TRNG UUID is optional and if not implemented, RETURN_UNSUPPORTED + shall be returned. + + Note: The caller must not rely on the returned UUID as a trustworthy TRNG +Back end identity + + @param [out] Guid UUID of the TRNG backend. + + @retval RETURN_SUCCESSThe function completed successfully. + @retval RETURN_INVALID_PARAMETER Invalid parameter. + @retval RETURN_UNSUPPORTEDFunction not implemented. +**/ +RETURN_STATUS +EFIAPI +GetTrngUuid ( + OUT GUID *Guid + ); + +/** Returns maximum number of entropy bits that can be returned in a single +call. + + @return Returns the maximum number of Entropy bits that can be returned + in a single call to GetTrngEntropy(). +**/ +UINTN +EFIAPI +GetTrngMaxSupportedEntropyBits ( + VOID + ); + +/** Returns N bits of conditioned entropy. + + See [3] Section 2.3.1 GetEntropy: An Interface to the Entropy Source +GetEntropy + Input: +bits_of_entropy: the requested amount of entropy + Output: +entropy_bitstring: The string that provides the requested entropy. + status: A Boolean value that is TRUE if the request has been satisfied, + and is FALSE otherwise. + + Note: In this implementation this function returns a status code instead +of a boolean value. +This is also compatible with the definition of Get_Entropy, see [4] +Section 7.4 Entropy Source Calls. + (status, entropy_bitstring) = Get_Entropy ( + requested_entropy, + max_length + ) + + @param [in] EntropyBits Number of entropy bits requested. + @param [in] BufferSize Size of the Buffer in bytes. + @param [out] Buffer Buffer to return the ent
[edk2-devel] [PATCH v3 04/22] ArmPkg/ArmHvcNullLib: Add NULL instance of ArmHvcLib
From: Pierre Gondois
Add a Null instance of ArmHvcLib in case of library dependencies.
Signed-off-by: Pierre Gondois
---
ArmPkg/ArmPkg.dsc | 1 +
ArmPkg/Library/ArmHvcNullLib/ArmHvcNullLib.c | 29 +++
.../Library/ArmHvcNullLib/ArmHvcNullLib.inf | 22 ++
3 files changed, 52 insertions(+)
create mode 100644 ArmPkg/Library/ArmHvcNullLib/ArmHvcNullLib.c
create mode 100644 ArmPkg/Library/ArmHvcNullLib/ArmHvcNullLib.inf
diff --git a/ArmPkg/ArmPkg.dsc b/ArmPkg/ArmPkg.dsc
index 3afd212f472b..e33b40f2c215 100644
--- a/ArmPkg/ArmPkg.dsc
+++ b/ArmPkg/ArmPkg.dsc
@@ -134,6 +134,7 @@ [Components.common]
ArmPkg/Library/ArmSmcLib/ArmSmcLib.inf
ArmPkg/Library/ArmSmcLibNull/ArmSmcLibNull.inf
ArmPkg/Library/ArmHvcLib/ArmHvcLib.inf
+ ArmPkg/Library/ArmHvcNullLib/ArmHvcNullLib.inf
ArmPkg/Library/ArmSvcLib/ArmSvcLib.inf
ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf
ArmPkg/Library/OpteeLib/OpteeLib.inf
diff --git a/ArmPkg/Library/ArmHvcNullLib/ArmHvcNullLib.c
b/ArmPkg/Library/ArmHvcNullLib/ArmHvcNullLib.c
new file mode 100644
index ..6905631ccb6c
--- /dev/null
+++ b/ArmPkg/Library/ArmHvcNullLib/ArmHvcNullLib.c
@@ -0,0 +1,29 @@
+/** @file
+ Arm HyperVisor Call (HVC) Null Library.
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include
+#include
+
+/**
+ Trigger an HVC call
+
+ HVC calls can take up to 8 arguments and return up to 4 return values.
+ Therefore, the 4 first fields in the ARM_HVC_ARGS structure are used
+ for both input and output values.
+
+ @param [in, out] ArgsArguments for the HVC call.
+**/
+VOID
+ArmCallHvc (
+ IN OUT ARM_HVC_ARGS *Args
+ )
+{
+ ASSERT (FALSE);
+ return;
+}
diff --git a/ArmPkg/Library/ArmHvcNullLib/ArmHvcNullLib.inf
b/ArmPkg/Library/ArmHvcNullLib/ArmHvcNullLib.inf
new file mode 100644
index ..c4665d34018b
--- /dev/null
+++ b/ArmPkg/Library/ArmHvcNullLib/ArmHvcNullLib.inf
@@ -0,0 +1,22 @@
+## @file
+# Arm Hvc Null Library
+#
+# Copyright (c) 2022, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION= 0x00010005
+ BASE_NAME = ArmHvcNullLib
+ FILE_GUID = 02076A46-D6DB-48DD-8E5F-153172DD73A1
+ MODULE_TYPE= BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = ArmHvcLib
+
+[Sources]
+ ArmHvcNullLib.c
+
+[Packages]
+ ArmPkg/ArmPkg.dec
+ MdePkg/MdePkg.dec
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90849): https://edk2.groups.io/g/devel/message/90849
Mute This Topic: https://groups.io/mt/92066724/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 03/22] ArmPkg/ArmMonitorLib: Add ArmMonitorLib
From: Pierre Gondois
The ArmMonitorLib provides an abstract interface to issue
an HyperVisor Call (HVC) or System Monitor Call (SMC) depending
on the default conduit.
The PcdMonitorConduitHvc PCD allows to select the default conduit.
Signed-off-by: Pierre Gondois
---
ArmPkg/ArmPkg.dsc | 1 +
ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c | 34 +++
.../Library/ArmMonitorLib/ArmMonitorLib.inf | 29
3 files changed, 64 insertions(+)
create mode 100644 ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c
create mode 100644 ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf
diff --git a/ArmPkg/ArmPkg.dsc b/ArmPkg/ArmPkg.dsc
index 59fd8f295d4f..3afd212f472b 100644
--- a/ArmPkg/ArmPkg.dsc
+++ b/ArmPkg/ArmPkg.dsc
@@ -135,6 +135,7 @@ [Components.common]
ArmPkg/Library/ArmSmcLibNull/ArmSmcLibNull.inf
ArmPkg/Library/ArmHvcLib/ArmHvcLib.inf
ArmPkg/Library/ArmSvcLib/ArmSvcLib.inf
+ ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf
ArmPkg/Library/OpteeLib/OpteeLib.inf
ArmPkg/Filesystem/SemihostFs/SemihostFs.inf
diff --git a/ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c
b/ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c
new file mode 100644
index ..5e91f2957325
--- /dev/null
+++ b/ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c
@@ -0,0 +1,34 @@
+/** @file
+ Arm Monitor Library.
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include
+#include
+#include
+#include
+
+/** Monitor call.
+
+ An HyperVisor Call (HVC) or System Monitor Call (SMC) will be issued
+ depending on the default conduit. PcdMonitorConduitHvc determines the type
+ of the call: if true, do an HVC.
+
+ @param [in, out] ArgsArguments for the HVC/SMC.
+**/
+VOID
+EFIAPI
+ArmMonitorCall (
+ IN OUT ARM_MONITOR_ARGS *Args
+ )
+{
+ if (FeaturePcdGet (PcdMonitorConduitHvc)) {
+ArmCallHvc ((ARM_HVC_ARGS *)Args);
+ } else {
+ArmCallSmc ((ARM_SMC_ARGS *)Args);
+ }
+}
diff --git a/ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf
b/ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf
new file mode 100644
index ..abaeb556d471
--- /dev/null
+++ b/ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.inf
@@ -0,0 +1,29 @@
+## @file
+# Arm Monitor Library
+#
+# Copyright (c) 2022, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION= 0x0001001B
+ BASE_NAME = ArmMonitorLib
+ FILE_GUID = F918DACB-FBB8-4CB6-A61D-08E75AF0E7CD
+ MODULE_TYPE= BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = ArmMonitorLib
+
+[Sources]
+ ArmMonitorLib.c
+
+[Packages]
+ ArmPkg/ArmPkg.dec
+ MdePkg/MdePkg.dec
+
+[LibraryClasses]
+ ArmHvcLib
+ ArmSmcLib
+
+[Pcd]
+ gArmTokenSpaceGuid.PcdMonitorConduitHvc
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90848): https://edk2.groups.io/g/devel/message/90848
Mute This Topic: https://groups.io/mt/92066723/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 01/22] ArmPkg: PCD to select conduit for monitor calls
From: Sami Mujawar Define a PCD 'PcdMonitorConduitHvc' to select the conduit to use for monitor calls. PcdMonitorConduitHvc is defined as FALSE by default, meaning the SMC conduit is enabled as default. Adding PcdMonitorConduitHvc allows selection of HVC conduit to be used by virtual firmware implementations. Signed-off-by: Sami Mujawar --- ArmPkg/ArmPkg.dec | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ArmPkg/ArmPkg.dec b/ArmPkg/ArmPkg.dec index 9da1bbc9f216..bb5cbecbc228 100644 --- a/ArmPkg/ArmPkg.dec +++ b/ArmPkg/ArmPkg.dec @@ -2,7 +2,7 @@ # ARM processor package. # # Copyright (c) 2009 - 2010, Apple Inc. All rights reserved. -# Copyright (c) 2011 - 2021, ARM Limited. All rights reserved. +# Copyright (c) 2011 - 2022, ARM Limited. All rights reserved. # Copyright (c) 2021, Ampere Computing LLC. All rights reserved. # #SPDX-License-Identifier: BSD-2-Clause-Patent @@ -132,6 +132,11 @@ [PcdsFeatureFlag.common] # Define if the GICv3 controller should use the GICv2 legacy gArmTokenSpaceGuid.PcdArmGicV3WithV2Legacy|FALSE|BOOLEAN|0x0042 + ## Define the conduit to use for monitor calls. + # Default PcdMonitorConduitHvc = FALSE, conduit = SMC + # If PcdMonitorConduitHvc = TRUE, conduit = HVC + gArmTokenSpaceGuid.PcdMonitorConduitHvc|FALSE|BOOLEAN|0x0047 + [PcdsFeatureFlag.ARM] # Whether to map normal memory as non-shareable. FALSE is the safe choice, but # TRUE may be appropriate to fix performance problems if you don't care about -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90846): https://edk2.groups.io/g/devel/message/90846 Mute This Topic: https://groups.io/mt/92066720/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 02/22] ArmPkg/ArmMonitorLib: Definition for ArmMonitorLib library class
From: Pierre Gondois
The ArmMonitorLib provides an abstract interface to issue
an HyperVisor Call (HVC) or System Monitor Call (SMC) depending
on the default conduit.
The PcdMonitorConduitHvc PCD allows to select the default conduit.
The new library relies on the ArmHvcLib and ArmSmcLib libraries.
A Null instance of these libraries can be used for the unused conduit.
Signed-off-by: Pierre Gondois
---
ArmPkg/ArmPkg.dec | 5 +++
ArmPkg/Include/Library/ArmMonitorLib.h | 42 ++
2 files changed, 47 insertions(+)
create mode 100644 ArmPkg/Include/Library/ArmMonitorLib.h
diff --git a/ArmPkg/ArmPkg.dec b/ArmPkg/ArmPkg.dec
index bb5cbecbc228..653942ff63c3 100644
--- a/ArmPkg/ArmPkg.dec
+++ b/ArmPkg/ArmPkg.dec
@@ -71,6 +71,11 @@ [LibraryClasses.common]
#
ArmSvcLib|Include/Library/ArmSvcLib.h
+ ## @libraryclass Provides a Monitor Call interface that will use the
+ # default conduit (HVC or SMC).
+ #
+ ArmMonitorLib|Include/Library/ArmMonitorLib.h
+
## @libraryclass Provides a default exception handler.
#
DefaultExceptionHandlerLib|Include/Library/DefaultExceptionHandlerLib.h
diff --git a/ArmPkg/Include/Library/ArmMonitorLib.h
b/ArmPkg/Include/Library/ArmMonitorLib.h
new file mode 100644
index ..8bc430f92036
--- /dev/null
+++ b/ArmPkg/Include/Library/ArmMonitorLib.h
@@ -0,0 +1,42 @@
+/** @file
+
+ Copyright (c) 2022, Arm Limited. All rights reserved.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef ARM_MONITOR_LIB_H_
+#define ARM_MONITOR_LIB_H_
+
+/** The size of the SMC arguments is different between AArch64 and AArch32.
+
+ The native size is used for the arguments.
+ It will be casted to either HVC or SMC args.
+*/
+typedef struct {
+ UINTNArg0;
+ UINTNArg1;
+ UINTNArg2;
+ UINTNArg3;
+ UINTNArg4;
+ UINTNArg5;
+ UINTNArg6;
+ UINTNArg7;
+} ARM_MONITOR_ARGS;
+
+/** Monitor call.
+
+ An HyperVisor Call (HVC) or System Monitor Call (SMC) will be issued
+ depending on the default conduit. PcdMonitorConduitHvc determines the type
+ of the call: if true, do an HVC.
+
+ @param [in, out] ArgsArguments for the HVC/SMC.
+**/
+VOID
+EFIAPI
+ArmMonitorCall (
+ IN OUT ARM_MONITOR_ARGS *Args
+ );
+
+#endif // ARM_MONITOR_LIB_H_
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90847): https://edk2.groups.io/g/devel/message/90847
Mute This Topic: https://groups.io/mt/92066721/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 00/22] Add Raw algorithm support using Arm FW-TRNG interface
From: Pierre Gondois
Bugzilla: Bug 3668 (https://bugzilla.tianocore.org/show_bug.cgi?id=3668)
The Arm True Random Number Generator Firmware, Interface 1.0, specification
defines an interface between an Operating System (OS) executing at EL1 and
Firmware (FW) exposing a conditioned entropy source that is provided by a
TRNG back end.
This patch-set:
- defines a TRNG library class that provides an interface to access the
entropy source on a platform.
- implements a TRNG library instance that uses the Arm FW-TRNG interface.
- Adds RawAlgorithm support to RngDxe for Arm architecture using the Arm
FW-TRNG interface.
- Enables RNG support using FW-TRNG interface for Kvmtool Guest/Virtual
firmware.
This patch-set is based on the v2 from Sami Mujawar:
[PATCH v2 0/8] Add Raw algorithm support using Arm FW-TRNG interface
https://edk2.groups.io/g/devel/message/83775
This patch-set can seen at:
https://github.com/PierreARM/edk2/tree/Arm_Trng_v3
V3:
- Address Leif's comment (moving definitions, optimizations, ...)
- Add ArmMonitorLib to choose Hvc/Smc conduit depending on a Pcd.
- Re-factor some parts of SecurityPkg/RngDxe/ to ease the addition
of new algorithms.
- Add ArmHasRngExt() function to check Arm's FEAT_RNG extension.
V2:
- Updates TrngLib definitions to use RETURN_STATUS as the return type
from the interface functions as TrngLib is base type library.
- Drops the patch "MdePkg: Add definition for NULL GUID" as there is
already an equivalent definition provided by gZeroGuid. Thus, the
use of gNullGuid has been replaced with gZeroGuid.
Pierre Gondois (14):
ArmPkg/ArmMonitorLib: Definition for ArmMonitorLib library class
ArmPkg/ArmMonitorLib: Add ArmMonitorLib
ArmPkg/ArmHvcNullLib: Add NULL instance of ArmHvcLib
MdePkg/BaseRngLib: Rename ArmReadIdIsar0() to ArmGetFeatRng()
ArmPkg/ArmLib: Add ArmReadIdIsar0() helper
ArmPkg/ArmLib: Add ArmHasRngExt()
SecurityPkg: Update Securitypkg.ci.yaml
SecurityPkg/RngDxe: Replace Pcd with Sp80090Ctr256Guid
SecurityPkg/RngDxe: Remove ArchGetSupportedRngAlgorithms()
SecurityPkg/RngDxe: Documentation/include/parameter cleanup
SecurityPkg/RngDxe: Check before advertising Cpu Rng algo
SecurityPkg/RngDxe: Add debug warning for NULL
PcdCpuRngSupportedAlgorithm
SecurityPkg/RngDxe: Rename AArch64/RngDxe.c
SecurityPkg/RngDxe: Add Arm support of RngDxe
Sami Mujawar (8):
ArmPkg: PCD to select conduit for monitor calls
MdePkg/TrngLib: Definition for TRNG library class interface
MdePkg/TrngLib: Add NULL instance of TRNG Library
ArmPkg: Add FID definitions for Firmware TRNG
ArmPkg/TrngLib: Add Arm Firmware TRNG library
SecurityPkg/RngDxe: Rename RdRandGenerateEntropy to generic name
SecurityPkg/RngDxe: Add AArch64 RawAlgorithm support through TrngLib
ArmVirtPkg: Kvmtool: Add RNG support using FW-TRNG interface
ArmPkg/ArmPkg.dec | 12 +-
ArmPkg/ArmPkg.dsc | 3 +
ArmPkg/Include/IndustryStandard/ArmStdSmc.h | 109 -
ArmPkg/Include/Library/ArmLib.h | 12 +-
ArmPkg/Include/Library/ArmMonitorLib.h| 42 ++
ArmPkg/Library/ArmFwTrngLib/ArmFwTrngDefs.h | 50 +++
ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.c| 403 ++
ArmPkg/Library/ArmFwTrngLib/ArmFwTrngLib.inf | 29 ++
ArmPkg/Library/ArmHvcNullLib/ArmHvcNullLib.c | 29 ++
.../Library/ArmHvcNullLib/ArmHvcNullLib.inf | 22 +
ArmPkg/Library/ArmLib/AArch64/AArch64Lib.c| 15 +-
ArmPkg/Library/ArmLib/AArch64/AArch64Lib.h| 14 +-
.../Library/ArmLib/AArch64/AArch64Support.S | 7 +-
ArmPkg/Library/ArmLib/Arm/ArmV7Lib.c | 16 +-
ArmPkg/Library/ArmMonitorLib/ArmMonitorLib.c | 34 ++
.../Library/ArmMonitorLib/ArmMonitorLib.inf | 29 ++
ArmVirtPkg/ArmVirtKvmTool.dsc | 10 +
ArmVirtPkg/ArmVirtKvmTool.fdf | 5 +
MdePkg/Include/Library/TrngLib.h | 121 ++
.../{ArmReadIdIsar0.S => ArmGetFeatRng.S} | 8 +-
.../{ArmReadIdIsar0.asm => ArmGetFeatRng.asm} | 8 +-
MdePkg/Library/BaseRngLib/AArch64/ArmRng.h| 2 +-
MdePkg/Library/BaseRngLib/AArch64/Rndr.c | 2 +-
MdePkg/Library/BaseRngLib/BaseRngLib.inf | 4 +-
.../Library/BaseTrngLibNull/BaseTrngLibNull.c | 135 ++
.../BaseTrngLibNull/BaseTrngLibNull.inf | 30 ++
.../BaseTrngLibNull/BaseTrngLibNull.uni | 12 +
MdePkg/MdePkg.dec | 5 +
MdePkg/MdePkg.dsc | 1 +
.../RngDxe/{AArch64/RngDxe.c => ArmRngDxe.c} | 137 +-
.../RandomNumberGenerator/RngDxe/ArmTrng.c| 71 +++
.../RngDxe/Rand/RdRand.c | 14 +-
.../RngDxe/Rand/RdRand.h | 43 --
.../RngDxe/Rand/RngDxe.c | 36 +-
.../RandomNumberGenerator/RngDxe/RngDxe.c | 52 +--
.../RandomNumberGenerator/RngDxe/RngDxe.inf | 17 +-
.../RngDxe/RngDxeInternals.h | 44 +-
SecurityPkg/SecurityPkg.ci.yaml
Re: [edk2-devel] [PATCH] ArmVirtPkg: do not enable iSCSI driver by default
Hi, > --- a/ArmVirtPkg/ArmVirtQemu.dsc > +++ b/ArmVirtPkg/ArmVirtQemu.dsc > @@ -40,7 +40,6 @@ [Defines] >DEFINE NETWORK_SNP_ENABLE = FALSE >DEFINE NETWORK_TLS_ENABLE = FALSE >DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE > - DEFINE NETWORK_ISCSI_ENABLE= TRUE How about leaving the line there, but set it to FALSE? Makes the option more discover-able. Also what about OvmfPkg ? I think it makes sense to keep ovmf + armvirt in sync here. take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90844): https://edk2.groups.io/g/devel/message/90844 Mute This Topic: https://groups.io/mt/92041308/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] Need clarification about UEFI Strings
Just for clarification, UCS2 and not UTF-16 means there are no surrogate pairs right? Ayush Singh On Tue, Jun 7, 2022 at 5:15 PM Ayush Singh via groups.io wrote: > > Ok, Thanks for all the help. > > On Tue, Jun 7, 2022 at 3:28 PM Pedro Falcato wrote: > > > > I'd say that it depends. But 98% of the strings you'll find in UEFI > > (including APIs) are UCS-2 CHAR16 strings. > > > > On Tue, Jun 7, 2022 at 9:19 AM Ayush Singh wrote: > >> > >> Thanks, Pedro, > >> > >> However, according to the specs, it is possible to construct ASCII > >> Strings as well. So when would ASCII Strings be used over normal UCS-2 > >> Strings? > >> > >> Ayush Singh > >> > >> On Tue, Jun 7, 2022 at 1:13 PM Pedro Falcato > >> wrote: > >> > > >> > Hi Ayush, > >> > > >> > In the latest UEFI 2.9 spec, it's specified under 2.3.1 that CHAR8 > >> > strings/characters are (usually) ASCII, and CHAR16 strings/characters > >> > are (usually) UCS-2 (*not* UTF-16). > >> > > >> > On Tue, Jun 7, 2022 at 7:02 AM Ayush Singh > >> > wrote: > >> >> > >> >> Hello everyone, I am trying to write an implementation for UEFI > >> >> strings in Rust and just wanted clarification about some things. > >> >> > >> >> Are UEFI Strings UTF-16 encoded? I have looked at some previous Rust > >> >> implementations for this and it seems UEFI does not support the whole > >> >> UTF-16 but rather only UCS-2 > >> >> (https://en.wikipedia.org/wiki/Universal_Coded_Character_Set) which is > >> >> a subset of UTF-16. > >> >> > >> >> There is also something called WTF-8 > >> >> (https://en.wikipedia.org/wiki/UTF-8#WTF-8) which Rust uses to > >> >> represent OsStrings in Windows which is supposed to use UTF-16 (?). > >> >> > >> >> Anyway, if someone can point me to the resources/specifications of > >> >> UEFI Strings, it would be a great help. > >> >> > >> >> Ayush Singh > >> >> > >> >> > >> >> > >> >> > >> >> > >> > > >> > > >> > -- > >> > Pedro Falcato > > > > > > > > -- > > Pedro Falcato > > > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90843): https://edk2.groups.io/g/devel/message/90843 Mute This Topic: https://groups.io/mt/91595087/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH V3 7/7] OvmfPkg: Add build-flag SECURE_BOOT_FEATURE_ENABLED
From: Min M Xu SECURE_BOOT_FEATURE_ENABLED is the build-flag defined when secure boot is enabled. Currently this flag is used in below lib: - OvmfPkg/PlatformPei - PeilessStartupLib So it is defined in below 5 .dsc - OvmfPkg/CloudHv/CloudHvX64.dsc - OvmfPkg/IntelTdx/IntelTdxX64.dsc - OvmfPkg/OvmfPkgIa32.dsc - OvmfPkg/OvmfPkgIa32X64.dsc - OvmfPkg/OvmfPkgX64.dsc Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Tom Lendacky Cc: Gerd Hoffmann Signed-off-by: Min Xu --- OvmfPkg/CloudHv/CloudHvX64.dsc | 9 + OvmfPkg/IntelTdx/IntelTdxX64.dsc | 9 + OvmfPkg/OvmfPkgIa32.dsc | 9 + OvmfPkg/OvmfPkgIa32X64.dsc | 9 + OvmfPkg/OvmfPkgX64.dsc | 9 + 5 files changed, 45 insertions(+) diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc index ca601aa09d3a..2712731caf55 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc @@ -93,6 +93,15 @@ INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES + # + # SECURE_BOOT_FEATURE_ENABLED + # +!if $(SECURE_BOOT_ENABLE) == TRUE + MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED + INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED + GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED +!endif + !include NetworkPkg/NetworkBuildOptions.dsc.inc [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc index c662ae8720ff..f4f495a9d199 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -85,6 +85,15 @@ INTEL:*_*_*_CC_FLAGS = /D TDX_PEI_LESS_BOOT GCC:*_*_*_CC_FLAGS = -D TDX_PEI_LESS_BOOT + # + # SECURE_BOOT_FEATURE_ENABLED + # +!if $(SECURE_BOOT_ENABLE) == TRUE + MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED + INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED + GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED +!endif + [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000 XCODE:*_*_*_DLINK_FLAGS = -seg1addr 0x1000 -segalign 0x1000 diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 934edbbd2a7b..3126e695b7dd 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -89,6 +89,15 @@ INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES + # + # SECURE_BOOT_FEATURE_ENABLED + # +!if $(SECURE_BOOT_ENABLE) == TRUE + MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED + INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED + GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED +!endif + !include NetworkPkg/NetworkBuildOptions.dsc.inc [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 4f432c294958..0c86e0b4882d 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -93,6 +93,15 @@ INTEL:*_*_*_CC_FLAGS = /D DISABLE_NEW_DEPRECATED_INTERFACES GCC:*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES + # + # SECURE_BOOT_FEATURE_ENABLED + # +!if $(SECURE_BOOT_ENABLE) == TRUE + MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED + INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED + GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED +!endif + !include NetworkPkg/NetworkBuildOptions.dsc.inc [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index b22da97d4f77..a36bcef4fd3c 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -106,6 +106,15 @@ INTEL:*_*_*_CC_FLAGS = /D TDX_GUEST_SUPPORTED GCC:*_*_*_CC_FLAGS = -D TDX_GUEST_SUPPORTED + # + # SECURE_BOOT_FEATURE_ENABLED + # +!if $(SECURE_BOOT_ENABLE) == TRUE + MSFT:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED + INTEL:*_*_*_CC_FLAGS = /D SECURE_BOOT_FEATURE_ENABLED + GCC:*_*_*_CC_FLAGS = -D SECURE_BOOT_FEATURE_ENABLED +!endif + !include NetworkPkg/NetworkBuildOptions.dsc.inc [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER] -- 2.29.2.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90842): https://edk2.groups.io/g/devel/message/90842 Mute This Topic: https://groups.io/mt/92061210/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH V3 6/7] OvmfPkg/TdxDxe: Set PcdEmuVariableNvStoreReserved
From: Min M Xu
Set PcdEmuVariableNvStoreReserved with the value in PlatformInfoHob. It
is the address of the EmuVariableNvStore reserved in Pei-less startup.
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Gerd Hoffmann
Signed-off-by: Min Xu
---
OvmfPkg/TdxDxe/TdxDxe.c | 2 ++
OvmfPkg/TdxDxe/TdxDxe.inf | 1 +
2 files changed, 3 insertions(+)
diff --git a/OvmfPkg/TdxDxe/TdxDxe.c b/OvmfPkg/TdxDxe/TdxDxe.c
index 2318db989792..837f1f8e3024 100644
--- a/OvmfPkg/TdxDxe/TdxDxe.c
+++ b/OvmfPkg/TdxDxe/TdxDxe.c
@@ -64,6 +64,8 @@ SetPcdSettings (
PlatformInfoHob->PcdCpuBootLogicalProcessorNumber
));
+ PcdSet64S (PcdEmuVariableNvStoreReserved,
PlatformInfoHob->PcdEmuVariableNvStoreReserved);
+
if (TdIsEnabled ()) {
PcdStatus = PcdSet64S (PcdTdxSharedBitMask, TdSharedPageMask ());
ASSERT_RETURN_ERROR (PcdStatus);
diff --git a/OvmfPkg/TdxDxe/TdxDxe.inf b/OvmfPkg/TdxDxe/TdxDxe.inf
index a7e0abda1522..3ce8a5c32c98 100644
--- a/OvmfPkg/TdxDxe/TdxDxe.inf
+++ b/OvmfPkg/TdxDxe/TdxDxe.inf
@@ -68,3 +68,4 @@
gEfiMdePkgTokenSpaceGuid.PcdConfidentialComputingGuestAttr
gEfiMdeModulePkgTokenSpaceGuid.PcdTdxSharedBitMask
gEfiMdeModulePkgTokenSpaceGuid.PcdSetNxForStack
+ gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved
--
2.29.2.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90841): https://edk2.groups.io/g/devel/message/90841
Mute This Topic: https://groups.io/mt/92061208/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH V3 5/7] OvmfPkg/NvVarsFileLib: Shortcut ConnectNvVarsToFileSystem in secure-boot
From: Min M Xu
OvmfPkg/Library/NvVarsFileLib allows loading variables into emulated
varstore from a on-disk NvVars file. We can't allow that when secure
boot is active. So check secure-boot feature and shortcut the
ConnectNvVarsToFileSystem() function when sb is enabled.
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Gerd Hoffmann
Suggested-by: Gerd Hoffmann
Signed-off-by: Min Xu
---
OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
index 21b71524ea48..72289da35819 100644
--- a/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
+++ b/OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c
@@ -28,6 +28,12 @@ ConnectNvVarsToFileSystem (
IN EFI_HANDLE FsHandle
)
{
+ #ifdef SECURE_BOOT_FEATURE_ENABLED
+
+ return EFI_UNSUPPORTED;
+
+ #else
+
EFI_STATUS Status;
//
@@ -46,6 +52,7 @@ ConnectNvVarsToFileSystem (
}
return Status;
+ #endif
}
/**
--
2.29.2.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90840): https://edk2.groups.io/g/devel/message/90840
Mute This Topic: https://groups.io/mt/92061207/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH V3 4/7] OvmfPkg: Reserve and init EmuVariableNvStore in Pei-less Startup
From: Min M Xu
EmuVariableNvStore is reserved and init with below 2 functions defined in
PlatformInitLib:
- PlatformReserveEmuVariableNvStore
- PlatformInitEmuVariableNvStore
PlatformInitEmuVariableNvStore works when secure boot feature is enabled.
This is because secure boot needs the EFI variables (PK/KEK/DB/DBX, etc)
and EmuVariableNvStore is cleared when OVMF is launched with -bios
parameter.
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Gerd Hoffmann
Signed-off-by: Min Xu
---
OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
index 7502ec44669e..380e71597206 100644
--- a/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
+++ b/OvmfPkg/Library/PeilessStartupLib/PeilessStartup.c
@@ -42,6 +42,7 @@ InitializePlatform (
)
{
UINT32 LowerMemorySize;
+ VOID*VariableStore;
DEBUG ((DEBUG_INFO, "InitializePlatform in Pei-less boot\n"));
PlatformDebugDumpCmos ();
@@ -79,6 +80,12 @@ InitializePlatform (
LowerMemorySize
));
+ VariableStore =
PlatformReserveEmuVariableNvStore ();
+ PlatformInfoHob->PcdEmuVariableNvStoreReserved =
(UINT64)(UINTN)VariableStore;
+ #ifdef SECURE_BOOT_FEATURE_ENABLED
+ PlatformInitEmuVariableNvStore (VariableStore);
+ #endif
+
if (TdIsEnabled ()) {
PlatformTdxPublishRamRegions ();
} else {
--
2.29.2.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90839): https://edk2.groups.io/g/devel/message/90839
Mute This Topic: https://groups.io/mt/92061205/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH V3 3/7] OvmfPkg/PlatformPei: Update ReserveEmuVariableNvStore
From: Min M Xu ReserveEmuVariableNvStore is updated with below 2 functions defined in PlatformInitLib: - PlatformReserveEmuVariableNvStore - PlatformInitEmuVariableNvStore PlatformInitEmuVariableNvStore works when secure boot feature is enabled. This is because secure boot needs the EFI variables (PK/KEK/DB/DBX, etc) and EmuVariableNvStore is cleared when OVMF is launched with -bios parameter. Cc: Erdem Aktas Cc: James Bottomley Cc: Jiewen Yao Cc: Tom Lendacky Cc: Gerd Hoffmann Signed-off-by: Min Xu --- OvmfPkg/PlatformPei/Platform.c | 25 +++-- 1 file changed, 7 insertions(+), 18 deletions(-) diff --git a/OvmfPkg/PlatformPei/Platform.c b/OvmfPkg/PlatformPei/Platform.c index 009db67ee60a..b1f8140d6041 100644 --- a/OvmfPkg/PlatformPei/Platform.c +++ b/OvmfPkg/PlatformPei/Platform.c @@ -220,24 +220,13 @@ ReserveEmuVariableNvStore ( EFI_PHYSICAL_ADDRESS VariableStore; RETURN_STATUS PcdStatus; - // - // Allocate storage for NV variables early on so it will be - // at a consistent address. Since VM memory is preserved - // across reboots, this allows the NV variable storage to survive - // a VM reboot. - // - VariableStore = -(EFI_PHYSICAL_ADDRESS)(UINTN) -AllocateRuntimePages ( - EFI_SIZE_TO_PAGES (2 * PcdGet32 (PcdFlashNvStorageFtwSpareSize)) - ); - DEBUG (( -DEBUG_INFO, -"Reserved variable store memory: 0x%lX; size: %dkb\n", -VariableStore, -(2 * PcdGet32 (PcdFlashNvStorageFtwSpareSize)) / 1024 -)); - PcdStatus = PcdSet64S (PcdEmuVariableNvStoreReserved, VariableStore); + VariableStore = (EFI_PHYSICAL_ADDRESS)(UINTN)PlatformReserveEmuVariableNvStore (); + PcdStatus = PcdSet64S (PcdEmuVariableNvStoreReserved, VariableStore); + + #ifdef SECURE_BOOT_FEATURE_ENABLED + PlatformInitEmuVariableNvStore ((VOID *)(UINTN)VariableStore); + #endif + ASSERT_RETURN_ERROR (PcdStatus); } -- 2.29.2.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90838): https://edk2.groups.io/g/devel/message/90838 Mute This Topic: https://groups.io/mt/92061203/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH V3 2/7] OvmfPkg/PlatformInitLib: Add functions for EmuVariableNvStore
From: Min M Xu
There are 3 functions added for EmuVariableNvStore:
- PlatformReserveEmuVariableNvStore
- PlatformInitEmuVariableNvStore
- PlatformValidateNvVarStore
PlatformReserveEmuVariableNvStore allocate storage for NV variables early
on so it will be at a consistent address.
PlatformInitEmuVariableNvStore copies the content in
PcdOvmfFlashNvStorageVariableBase to the storage allocated by
PlatformReserveEmuVariableNvStore. This is used in the case that OVMF is
launched with -bios parameter. Because in that situation UEFI variables
will be partially emulated, and non-volatile variables may lose their
contents after a reboot. This makes the secure boot feature not working.
PlatformValidateNvVarStore is renamed from TdxValidateCfv and it is used
to validate the integrity of FlashNvVarStore
(PcdOvmfFlashNvStorageVariableBase). It should be called before
PlatformInitEmuVariableNvStore is called to copy over the content.
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Gerd Hoffmann
Signed-off-by: Min Xu
---
OvmfPkg/Include/Library/PlatformInitLib.h | 51
OvmfPkg/Library/PlatformInitLib/Platform.c| 238 ++
.../PlatformInitLib/PlatformInitLib.inf | 3 +
3 files changed, 292 insertions(+)
diff --git a/OvmfPkg/Include/Library/PlatformInitLib.h
b/OvmfPkg/Include/Library/PlatformInitLib.h
index 2987a367cc9c..c5234bf26d45 100644
--- a/OvmfPkg/Include/Library/PlatformInitLib.h
+++ b/OvmfPkg/Include/Library/PlatformInitLib.h
@@ -234,4 +234,55 @@ PlatformTdxPublishRamRegions (
VOID
);
+/**
+ Check the integrity of NvVarStore.
+
+ @param[in] NvVarStoreBase - A pointer to NvVarStore header
+ @param[in] NvVarStoreSize - NvVarStore size
+
+ @retval TRUE - The NvVarStore is valid.
+ @retval FALSE - The NvVarStore is invalid.
+
+**/
+BOOLEAN
+EFIAPI
+PlatformValidateNvVarStore (
+ IN UINT8 *NvVarStoreBase,
+ IN UINT32 NvVarStoreSize
+ );
+
+/**
+ Allocate storage for NV variables early on so it will be
+ at a consistent address. Since VM memory is preserved
+ across reboots, this allows the NV variable storage to survive
+ a VM reboot.
+
+ *
+ * @retval VOID* The pointer to the storage for NV Variables
+ */
+VOID *
+EFIAPI
+PlatformReserveEmuVariableNvStore (
+ VOID
+ );
+
+/**
+ When OVMF is lauched with -bios parameter, UEFI variables will be
+ partially emulated, and non-volatile variables may lose their contents
+ after a reboot. This makes the secure boot feature not working.
+
+ This function is used to initialize the EmuVariableNvStore
+ with the conent in PcdOvmfFlashNvStorageVariableBase.
+
+ @param[in] EmuVariableNvStore - A pointer to EmuVariableNvStore
+
+ @retval EFI_SUCCESS - Successfully init the EmuVariableNvStore
+ @retval Others- As the error code indicates
+ */
+EFI_STATUS
+EFIAPI
+PlatformInitEmuVariableNvStore (
+ IN VOID *EmuVariableNvStore
+ );
+
#endif // PLATFORM_INIT_LIB_H_
diff --git a/OvmfPkg/Library/PlatformInitLib/Platform.c
b/OvmfPkg/Library/PlatformInitLib/Platform.c
index c3d34e43af5a..2582689ffe35 100644
--- a/OvmfPkg/Library/PlatformInitLib/Platform.c
+++ b/OvmfPkg/Library/PlatformInitLib/Platform.c
@@ -25,10 +25,13 @@
#include
#include
#include
+#include
#include
#include
#include
#include
+#include
+#include
#include
#include
@@ -576,3 +579,238 @@ PlatformMaxCpuCountInitialization (
PlatformInfoHob->PcdCpuMaxLogicalProcessorNumber = MaxCpuCount;
PlatformInfoHob->PcdCpuBootLogicalProcessorNumber = BootCpuCount;
}
+
+/**
+ Check padding data all bit should be 1.
+
+ @param[in] Buffer - A pointer to buffer header
+ @param[in] BufferSize - Buffer size
+
+ @retval TRUE - The padding data is valid.
+ @retval TRUE - The padding data is invalid.
+
+**/
+BOOLEAN
+CheckPaddingData (
+ IN UINT8 *Buffer,
+ IN UINT32 BufferSize
+ )
+{
+ UINT32 index;
+
+ for (index = 0; index < BufferSize; index++) {
+if (Buffer[index] != 0xFF) {
+ return FALSE;
+}
+ }
+
+ return TRUE;
+}
+
+/**
+ Check the integrity of NvVarStore.
+
+ @param[in] NvVarStoreBase - A pointer to NvVarStore header
+ @param[in] NvVarStoreSize - NvVarStore size
+
+ @retval TRUE - The NvVarStore is valid.
+ @retval FALSE - The NvVarStore is invalid.
+
+**/
+BOOLEAN
+EFIAPI
+PlatformValidateNvVarStore (
+ IN UINT8 *NvVarStoreBase,
+ IN UINT32 NvVarStoreSize
+ )
+{
+ UINT16 Checksum;
+ UINTN VariableBase;
+ UINT32 VariableOffset;
+ UINT32 VariableOffsetBeforeAlign;
+ EFI_FIRMWARE_VOLUME_HEADER *NvVarStoreFvHeader;
+ VARIABLE_STORE_HEADER *NvVarStoreHeader;
+ AUTHENTICATED_VARIABLE_HEADER *VariableHeader;
+
+ static EFI_GUID FvHdrGUID = EFI_SYSTEM_NV_DATA_FV_GUID;
+ static EFI_GUID VarStoreHdrGUID = EFI_AUTHENTICATED_VARIABLE_GUID;
+
+ VariableOffset = 0;
+
+ if (NvVarStoreBase == NULL) {
+DEBUG ((DEBU
[edk2-devel] [PATCH V3 0/7] Enable secure-boot when lauch OVMF with -bios parameter
Secure-Boot related variables include the PK/KEK/DB/DBX and they are stored in NvVarStore (OVMF_VARS.fd). When lauching with -pflash, QEMU/OVMF will use emulated flash, and fully support UEFI variables. But when launching with -bios parameter, UEFI variables will be partially emulated, and non-volatile variables may lose their contents after a reboot. See OvmfPkg/README. Tdx guest is an example that -pflash is not supported. So this patch-set is designed to initialize the NvVarStore with the content of in OVMF_VARS.fd. patch 1: Add a new function (AllocateRuntimePages) in PrePiMemoryAllocationLib. This function will be used in PeilessStartupLib which will run in SEC phase. patch 2: Delete the TdxValidateCfv in PeilessStartupLib. Because it is going to be renamed to PlatformValidateNvVarStore and be moved to PlatformInitLib. patch 3 - 7: Then we add functions for EmuVariableNvStore in PlatformInitLib. This lib will then be called in OvmfPkg/PlatformPei and PeilessStartupLib. We also shortcut ConnectNvVarsToFileSystem in secure-boot. patch 8: At last a build-flag (SECURE_BOOT_FEATURE_ENABLED) is introduced in the dsc in OvmfPkg. Because the copy over of OVMR_VARS.fd to EmuVariableNvStore is only required when secure-boot is enabled. Code: https://github.com/mxu9/edk2/tree/secure-boot.v3 v3 changes: - Renamed TdxValidateCfv to PlatformValidateNvVarStore and implemented in PlatformInitlLib/Platform.c. - Shortcut ConnectNvVarsToFileSystem in secure-boot. - Other minor changes, such as adding log in PlatformInitEmuVariableNvStore. v2 changes: - The v1 title is "Enable Secure-Boot in Tdx guest". Because the patch-setwe was first designed to fix the gap when secure-boot feature was enabled in Tdx guest. After discussing with the community (see the disuccsions under https://edk2.groups.io/g/devel/message/90589) this patch-set can fix the secure-boot issue when OVMF is lauched with -bios parameter. So the title is updated. - Add a new function (AllocateRuntimePages) in PrePiMemoryAllocationLib. - Add build-flag SECURE_BOOT_FEATURE_ENABLED to control the copy over of OVMF_VARS.fd to EmuVariableNvStore. Cc: Leif Lindholm Cc: Ard Biesheuvel Cc: Abner Chang Cc: Daniel Schaefer Cc: Erdem Aktas Cc: James Bottomley [jejb] Cc: Jiewen Yao [jyao1] Cc: Tom Lendacky [tlendacky] Cc: Gerd Hoffmann Signed-off-by: Min Xu Min M Xu (7): OvmfPkg/PeilessStartupLib: Delete TdxValidateCfv OvmfPkg/PlatformInitLib: Add functions for EmuVariableNvStore OvmfPkg/PlatformPei: Update ReserveEmuVariableNvStore OvmfPkg: Reserve and init EmuVariableNvStore in Pei-less Startup OvmfPkg/NvVarsFileLib: Shortcut ConnectNvVarsToFileSystem in secure-boot OvmfPkg/TdxDxe: Set PcdEmuVariableNvStoreReserved OvmfPkg: Add build-flag SECURE_BOOT_FEATURE_ENABLED OvmfPkg/CloudHv/CloudHvX64.dsc| 9 + OvmfPkg/Include/Library/PlatformInitLib.h | 51 OvmfPkg/IntelTdx/IntelTdxX64.dsc | 9 + OvmfPkg/Library/NvVarsFileLib/NvVarsFileLib.c | 7 + OvmfPkg/Library/PeilessStartupLib/IntelTdx.c | 153 --- .../PeilessStartupLib/PeilessStartup.c| 15 +- .../PeilessStartupInternal.h | 17 -- OvmfPkg/Library/PlatformInitLib/Platform.c| 238 ++ .../PlatformInitLib/PlatformInitLib.inf | 3 + OvmfPkg/OvmfPkgIa32.dsc | 9 + OvmfPkg/OvmfPkgIa32X64.dsc| 9 + OvmfPkg/OvmfPkgX64.dsc| 9 + OvmfPkg/PlatformPei/Platform.c| 25 +- OvmfPkg/TdxDxe/TdxDxe.c | 2 + OvmfPkg/TdxDxe/TdxDxe.inf | 1 + 15 files changed, 361 insertions(+), 196 deletions(-) -- 2.29.2.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90835): https://edk2.groups.io/g/devel/message/90835 Mute This Topic: https://groups.io/mt/92061200/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH V3 1/7] OvmfPkg/PeilessStartupLib: Delete TdxValidateCfv
From: Min M Xu
TdxValidateCfv is used to validate the integrity of FlashNvVarStore
(PcdOvmfFlashNvStorageVariableBase) and it is not Tdx specific.
So it will be moved to PlatformInitLib and be renamed to
PlatformValidateNvVarStore in the following patch. And it will be called
before EmuVaribleNvStore is initialized with the content in
FlashNvVarStore.
Cc: Erdem Aktas
Cc: James Bottomley
Cc: Jiewen Yao
Cc: Tom Lendacky
Cc: Gerd Hoffmann
Signed-off-by: Min Xu
---
OvmfPkg/Library/PeilessStartupLib/IntelTdx.c | 153 --
.../PeilessStartupLib/PeilessStartup.c| 8 -
.../PeilessStartupInternal.h | 17 --
3 files changed, 178 deletions(-)
diff --git a/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c
b/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c
index 484fd21057c8..216c413caad5 100644
--- a/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c
+++ b/OvmfPkg/Library/PeilessStartupLib/IntelTdx.c
@@ -7,8 +7,6 @@
#include
#include
#include
-#include
-#include
#include
#include
#include
@@ -37,157 +35,6 @@ typedef struct {
#pragma pack()
-/**
- Check padding data all bit should be 1.
-
- @param[in] Buffer - A pointer to buffer header
- @param[in] BufferSize - Buffer size
-
- @retval TRUE - The padding data is valid.
- @retval TRUE - The padding data is invalid.
-
-**/
-BOOLEAN
-CheckPaddingData (
- IN UINT8 *Buffer,
- IN UINT32 BufferSize
- )
-{
- UINT32 index;
-
- for (index = 0; index < BufferSize; index++) {
-if (Buffer[index] != 0xFF) {
- return FALSE;
-}
- }
-
- return TRUE;
-}
-
-/**
- Check the integrity of CFV data.
-
- @param[in] TdxCfvBase - A pointer to CFV header
- @param[in] TdxCfvSize - CFV data size
-
- @retval TRUE - The CFV data is valid.
- @retval FALSE - The CFV data is invalid.
-
-**/
-BOOLEAN
-EFIAPI
-TdxValidateCfv (
- IN UINT8 *TdxCfvBase,
- IN UINT32 TdxCfvSize
- )
-{
- UINT16 Checksum;
- UINTN VariableBase;
- UINT32 VariableOffset;
- UINT32 VariableOffsetBeforeAlign;
- EFI_FIRMWARE_VOLUME_HEADER *CfvFvHeader;
- VARIABLE_STORE_HEADER *CfvVariableStoreHeader;
- AUTHENTICATED_VARIABLE_HEADER *VariableHeader;
-
- static EFI_GUID FvHdrGUID = EFI_SYSTEM_NV_DATA_FV_GUID;
- static EFI_GUID VarStoreHdrGUID = EFI_AUTHENTICATED_VARIABLE_GUID;
-
- VariableOffset = 0;
-
- if (TdxCfvBase == NULL) {
-DEBUG ((DEBUG_ERROR, "TDX CFV: CFV pointer is NULL\n"));
-return FALSE;
- }
-
- //
- // Verify the header zerovetor, filesystemguid,
- // revision, signature, attributes, fvlength, checksum
- // HeaderLength cannot be an odd number
- //
- CfvFvHeader = (EFI_FIRMWARE_VOLUME_HEADER *)TdxCfvBase;
-
- if ((!IsZeroBuffer (CfvFvHeader->ZeroVector, 16)) ||
- (!CompareGuid (&FvHdrGUID, &CfvFvHeader->FileSystemGuid)) ||
- (CfvFvHeader->Signature != EFI_FVH_SIGNATURE) ||
- (CfvFvHeader->Attributes != 0x4feff) ||
- (CfvFvHeader->Revision != EFI_FVH_REVISION) ||
- (CfvFvHeader->FvLength != TdxCfvSize)
- )
- {
-DEBUG ((DEBUG_ERROR, "TDX CFV: Basic FV headers were invalid\n"));
-return FALSE;
- }
-
- //
- // Verify the header checksum
- //
- Checksum = CalculateSum16 ((VOID *)CfvFvHeader, CfvFvHeader->HeaderLength);
-
- if (Checksum != 0) {
-DEBUG ((DEBUG_ERROR, "TDX CFV: FV checksum was invalid\n"));
-return FALSE;
- }
-
- //
- // Verify the header signature, size, format, state
- //
- CfvVariableStoreHeader = (VARIABLE_STORE_HEADER *)(TdxCfvBase +
CfvFvHeader->HeaderLength);
- if ((!CompareGuid (&VarStoreHdrGUID, &CfvVariableStoreHeader->Signature)) ||
- (CfvVariableStoreHeader->Format != VARIABLE_STORE_FORMATTED) ||
- (CfvVariableStoreHeader->State != VARIABLE_STORE_HEALTHY) ||
- (CfvVariableStoreHeader->Size > (CfvFvHeader->FvLength -
CfvFvHeader->HeaderLength)) ||
- (CfvVariableStoreHeader->Size < sizeof (VARIABLE_STORE_HEADER))
- )
- {
-DEBUG ((DEBUG_ERROR, "TDX CFV: Variable Store header was invalid\n"));
-return FALSE;
- }
-
- //
- // Verify the header startId, state
- // Verify data to the end
- //
- VariableBase = (UINTN)TdxCfvBase + CfvFvHeader->HeaderLength + sizeof
(VARIABLE_STORE_HEADER);
- while (VariableOffset < (CfvVariableStoreHeader->Size - sizeof
(VARIABLE_STORE_HEADER))) {
-VariableHeader = (AUTHENTICATED_VARIABLE_HEADER *)(VariableBase +
VariableOffset);
-if (VariableHeader->StartId != VARIABLE_DATA) {
- if (!CheckPaddingData ((UINT8 *)VariableHeader,
CfvVariableStoreHeader->Size - sizeof (VARIABLE_STORE_HEADER) -
VariableOffset)) {
-DEBUG ((DEBUG_ERROR, "TDX CFV: Variable header was invalid\n"));
-return FALSE;
- }
-
- VariableOffset = CfvVariableStoreHeader->Size - sizeof
(VARIABLE_STORE_HEADER);
-} else {
- if (!((VariableHeader->State == VAR_IN_DELETED_TRANSITION) ||
-(VariableH
Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable Libraries
Hi Kun
Thank you to make the redesign.
Overall the patch set looks good to me. Some questions:
1. Is that from project MU? If so, I would like to see acked-by or tested-by
from project MU owner. That can give me more confidence to accept it. 😊
1. Is below data from some document? If so, would please add URL? Also, why
do we have to use this timestamp? What if a different timestamp is used?
+// MS Default Time-Based Payload Creation Date
+// This is the date that is used when creating SecureBoot default variables.
+// NOTE: This is a placeholder date that doesn't correspond to anything else.
+//
+EFI_TIME mDefaultPayloadTimestamp = {
+ 15, // Year (2015)
+ 8,// Month (Aug)
+ 28, // Day (28)
+ 0,// Hour
+ 0,// Minute
+ 0,// Second
+ 0,// Pad1
+ 0,// Nanosecond
+ 0,// Timezone (Dummy value)
+ 0,// Daylight (Dummy value)
+ 0 // Pad2
+};
From: Kun Qin
Sent: Wednesday, June 29, 2022 5:19 AM
To: edk2-devel-groups-io ; kuqi...@gmail.com
Cc: Yao, Jiewen ; Wang, Jian J ;
Xu, Min M ; Sean Brogan ; Ard
Biesheuvel ; Justen, Jordan L
; Gerd Hoffmann ; Rebecca Cran
; Peter Grehan ; Boeuf, Sebastien
; Andrew Fish ; Ni, Ray
Subject: Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable
Libraries
Hi SecurityPkg maintainers & reviewers,
I posted this patch series a while back intending to generalize the usage of a
few interfaces from secure boot libraries. Could you please help reviewing them
and provide feedback? Any input is appreciated.
Regards,
Kun
On Mon, Jun 13, 2022 at 1:39 PM Kun Qin via groups.io
mailto:gmail@groups.io>> wrote:
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911
This is a revamp of a previously submitted patch series based on top of
master branch: https://edk2.groups.io/g/devel/message/89507. No changes
added.
Current SecureBootVariableLib provide great support for deleting secure
boot related variables, creating time-based payloads.
However, for secure boot enrollment, the SecureBootVariableProvisionLib
interfaces always assume the changes from variable storage, limiting the
usage, requiring existing platforms to change key initialization process
to adapt to the new methods, as well as bringing in extra dependencies
such as FV protocol, time protocols.
This patch series proposes to update the implementation for Secure Boot
Variable libraries and their consumers to better support the related
variables operations.
Patch v2 branch: https://github.com/kuqin12/edk2/tree/secure_boot_enhance_v2
Cc: Jiewen Yao mailto:jiewen@intel.com>>
Cc: Jian J Wang mailto:jian.j.w...@intel.com>>
Cc: Min Xu mailto:min.m...@intel.com>>
Cc: Sean Brogan mailto:sean.bro...@microsoft.com>>
Cc: Ard Biesheuvel
mailto:ardb%2btianoc...@kernel.org>>
Cc: Jordan Justen mailto:jordan.l.jus...@intel.com>>
Cc: Gerd Hoffmann mailto:kra...@redhat.com>>
Cc: Rebecca Cran mailto:rebe...@bsdio.com>>
Cc: Peter Grehan mailto:gre...@freebsd.org>>
Cc: Sebastien Boeuf
mailto:sebastien.bo...@intel.com>>
Cc: Andrew Fish mailto:af...@apple.com>>
Cc: Ray Ni mailto:ray...@intel.com>>
Kun Qin (8):
SecurityPkg: UefiSecureBoot: Definitions of cert and payload
structures
SecurityPkg: PlatformPKProtectionLib: Added PK protection interface
SecurityPkg: SecureBootVariableLib: Updated time based payload creator
SecurityPkg: SecureBootVariableProvisionLib: Updated implementation
SecurityPkg: Secure Boot Drivers: Added common header files
SecurityPkg: SecureBootConfigDxe: Updated invocation pattern
OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency
EmulatorPkg: Pipeline: Resolve SecureBootVariableLib dependency
kuqin (3):
SecurityPkg: SecureBootVariableLib: Updated signature list creator
SecurityPkg: SecureBootVariableLib: Added newly supported interfaces
SecurityPkg: SecureBootVariableLib: Added unit tests
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
|1 +
SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
| 51 +
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
| 486 -
SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c
| 36 +
SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c
| 201 ++
SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c
| 13 +
SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c
| 2037
SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
| 145 +-
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
| 128 +-
SecurityPkg/VariableAuthenticated/SecureBootDefaultK
[edk2-devel] [Patch] pip-requirements.txt: Update basetools version to 0.1.24
Synced the basetools patch from edk2 repo to edk2-basetools repo. edk2 sha-1: 59141288716f8917968d4bb96367b7d08fe5ab8a Update the basetools pip module version to the latest 0.1.24. Signed-off-by: Bob Feng --- pip-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pip-requirements.txt b/pip-requirements.txt index 6585df201d..29424b08bd 100644 --- a/pip-requirements.txt +++ b/pip-requirements.txt @@ -12,7 +12,7 @@ # https://www.python.org/dev/peps/pep-0440/#version-specifiers ## edk2-pytool-library==0.11.2 edk2-pytool-extensions~=0.16.0 -edk2-basetools==0.1.17 +edk2-basetools==0.1.24 antlr4-python3-runtime==4.7.1 -- 2.29.1.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90833): https://edk2.groups.io/g/devel/message/90833 Mute This Topic: https://groups.io/mt/92060732/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v1 1/1] OvmfPkg/QemuVideoDxe: Zero out PixelInformation in QueryMode
On Tue, Jun 28, 2022 at 01:48:16PM -0500, Dimitrije Pavlov wrote: > Ensure that the PixelInformation field of the > EFI_GRAPHICS_OUTPUT_MODE_INFORMATION structure is zeroed out in > EFI_GRAPHICS_OUTPUT_PROTOCOL.QueryMode() and > EFI_GRAPHICS_OUTPUT_PROTOCOL.SetMode() when PixelFormat is > PixelBlueGreenRedReserved8BitPerColor. > > According to UEFI 2.9 Section 12.9, PixelInformation field of the > EFI_GRAPHICS_OUTPUT_MODE_INFORMATION structure is valid only if > PixelFormat is PixelBitMask. This means that firmware is not required > to fill out the PixelInformation field for other PixelFormat types, > which implies that the QemuVideoDxe implementation is technically > correct. > > However, not zeroing out those fields will leak the contents of the > memory returned by the memory allocator, so it is better to explicitly > set them to zero. > > In addition, the SCT test suite relies on PixelInformation always > having a consistent value, which causes failures. > > Cc: Ard Biesheuvel > Cc: Jiewen Yao > Cc: Jordan Justen > Cc: Gerd Hoffmann > Cc: Jeff Booher-Kaeding > Cc: Samer El-Haj-Mahmoud > Cc: Sunny Wang > Cc: Jeremy Linton > > Signed-off-by: Dimitrije Pavlov Acked-by: Gerd Hoffmann -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90832): https://edk2.groups.io/g/devel/message/90832 Mute This Topic: https://groups.io/mt/92050521/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
