Re: [edk2-devel] [PATCH v3 07/20] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng
Acked-by: Jiewen Yao

BTW: This patch already got RB from the people below. I suggest you put them in the commit directly.

Reviewed-by: Pierre Gondois
Reviewed-by: Ard Biesheuvel

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Flickdm
> Sent: Friday, May 24, 2024 1:45 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen
> Subject: [PATCH v3 07/20] SecurityPkg: RngDxe: Remove incorrect limitation on
> GetRng
>
> Removed from gEfiRngAlgorithmRaw an incorrect assumption that
> Raw cannot return less than 256 bits. The DRNG Algorithms
> should always use a 256 bit seed as per NIST standards
> however a caller is free to request less than 256 bits.
> >
> > //
> >// When a DRBG is used on the output of a entropy source,
> >// its security level must be at least 256 bits according to UEFI
> Spec.
> >//
> >if (RNGValueLength < 32) {
> > return EFI_INVALID_PARAMETER;
> >}
> >
>
> AARCH64 platforms do not have this limitation and this brings both
> implementations into alignment with each other and the spec.
>
> Cc: Jiewen Yao
>
> Signed-off-by: Doug Flick [MSFT]
> Reviewed-by: Ard Biesheuvel
> --- > SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 8 > 1 file changed, 8 deletions(-) > > diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c > b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c > index 7e06e16e4b..5723ed6957 100644 > --- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c > +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
> @@ -116,14 +116,6 @@ RngGetRNG ( >// The "raw" algorithm is intended to provide entropy directly > >// > >if (CompareGuid (RNGAlgorithm, )) { > > -// > > -// When a DRBG is used on the output of a entropy source, > > -// its security level must be at least 256 bits according to UEFI Spec. > > -// > > -if (RNGValueLength < 32) { > > - return EFI_INVALID_PARAMETER; > > -} > > - > > Status = GenerateEntropy (RNGValueLength, RNGValue); > > return Status; > >} > > -- > 2.34.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#119246): https://edk2.groups.io/g/devel/message/119246 Mute This Topic: https://groups.io/mt/106276859/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 07/20] SecurityPkg: RngDxe: Remove incorrect limitation on GetRng
Removed from gEfiRngAlgorithmRaw an incorrect assumption that Raw cannot return less than 256 bits. The DRNG Algorithms should always use a 256 bit seed as per NIST standards however a caller is free to request less than 256 bits.

>
> //
>// When a DRBG is used on the output of a entropy source,
>// its security level must be at least 256 bits according to UEFI Spec.
>//
>if (RNGValueLength < 32) {
> return EFI_INVALID_PARAMETER;
>}
>

AARCH64 platforms do not have this limitation and this brings both implementations into alignment with each other and the spec.

Cc: Jiewen Yao

Signed-off-by: Doug Flick [MSFT]
Reviewed-by: Ard Biesheuvel
--- SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 8 1 file changed, 8 deletions(-) diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c index 7e06e16e4b..5723ed6957 100644 --- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c +++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c @@ -116,14 +116,6 @@ RngGetRNG ( // The "raw" algorithm is intended to provide entropy directly // if (CompareGuid (RNGAlgorithm, )) { -// -// When a DRBG is used on the output of a entropy source, -// its security level must be at least 256 bits according to UEFI Spec. -// -if (RNGValueLength < 32) { - return EFI_INVALID_PARAMETER; -} - Status = GenerateEntropy (RNGValueLength, RNGValue); return Status; } -- 2.34.1
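Review bot: In the Raw branch of RngGetRNG, once the `RNGValueLength < 32` check is gone, RNGValueLength reaches GenerateEntropy with no lower bound visible in this hunk. Please confirm that a zero length and a NULL RNGValue are rejected earlier in the function, and that GenerateEntropy behaves correctly for short requests (for example 1 byte) that this path previously rejected with EFI_INVALID_PARAMETER. The removed comment was also the only text in the branch that mentioned the 256-bit requirement, so consider leaving a short comment stating that Raw callers may request fewer than 32 bytes, which would keep the check from being reintroduced later.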