[edk2-devel] [PATCH v3 08/20] NetworkPkg:: SECURITY PATCH CVE-2023-45237
From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542 Bug Overview: PixieFail Bug #9 CVE-2023-45237 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Use of a Weak PseudoRandom Number Generator Change Overview: Updates all Instances of NET_RANDOM (NetRandomInitSeed ()) to either > > EFI_STATUS > EFIAPI > PseudoRandomU32 ( > OUT UINT32 *Output > ); > or (depending on the use case) > > EFI_STATUS > EFIAPI > PseudoRandom ( > OUT VOID *Output, > IN UINTN OutputLength > ); > This is because the use of Example: The following code snippet PseudoRandomU32 () function is used: > > UINT32 Random; > > Status = PseudoRandomU32 (); > if (EFI_ERROR (Status)) { > DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); > return Status; > } > This also introduces a new PCD to enable/disable the use of the secure implementation of algorithms for PseudoRandom () and instead depend on the default implementation. This may be required for some platforms where the UEFI Spec defined algorithms are not available. > > PcdEnforceSecureRngAlgorithms > If the platform does not have any one of the UEFI defined secure RNG algorithms then the driver will assert. Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/NetworkPkg.dec | 7 ++ NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 14 ++- NetworkPkg/TcpDxe/TcpDxe.inf | 3 + NetworkPkg/IScsiDxe/IScsiMisc.h| 6 +- NetworkPkg/Include/Library/NetLib.h| 40 -- NetworkPkg/Ip6Dxe/Ip6Nd.h | 8 +- NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 10 +- NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 11 +- NetworkPkg/DnsDxe/DnsDhcp.c| 10 +- NetworkPkg/DnsDxe/DnsImpl.c| 11 +- NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 10 +- NetworkPkg/IScsiDxe/IScsiCHAP.c| 19 ++- NetworkPkg/IScsiDxe/IScsiMisc.c| 14 +-- NetworkPkg/Ip4Dxe/Ip4Driver.c | 10 +- NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 9 +- NetworkPkg/Ip6Dxe/Ip6Driver.c | 17 ++- NetworkPkg/Ip6Dxe/Ip6If.c | 12 +- NetworkPkg/Ip6Dxe/Ip6Mld.c | 12 +- NetworkPkg/Ip6Dxe/Ip6Nd.c | 33 - NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 130 +--- NetworkPkg/TcpDxe/TcpDriver.c | 15 ++- NetworkPkg/Udp4Dxe/Udp4Driver.c| 10 +- NetworkPkg/Udp6Dxe/Udp6Driver.c| 11 +- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 9 +- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 11 +- NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 12 +- NetworkPkg/SecurityFixes.yaml | 39 ++ 27 files changed, 410 insertions(+), 83 deletions(-) diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec index e06f35e774..7c4289b77b 100644 --- a/NetworkPkg/NetworkPkg.dec +++ b/NetworkPkg/NetworkPkg.dec @@ -5,6 +5,7 @@ # # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved. # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP +# Copyright (c) Microsoft Corporation # # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -130,6 +131,12 @@ # @Prompt Indicates whether SnpDxe creates event for ExitBootServices() call. gEfiNetworkPkgTokenSpaceGuid.PcdSnpCreateExitBootServicesEvent|TRUE|BOOLEAN|0x100C + ## Enforces the use of Secure UEFI spec defined RNG algorithms for all network connections. + # TRUE - Enforce the use of Secure UEFI spec defined RNG algorithms. + # FALSE - Do not enforce and depend on the default implementation of RNG algorithm from the provider. + # @Prompt Enforce the use of Secure UEFI spec defined RNG algorithms. + gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|TRUE|BOOLEAN|0x100D + [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] ## IPv6 DHCP Unique Identifier (DUID) Type configuration (From RFCs 3315 and 6355). # 01 = DUID Based on Link-layer Address Plus Time [DUID-LLT] diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf index 8145d256ec..a8f534a293 100644 --- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf +++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf @@ -3,6 +3,7 @@ # # Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved. # (C) Copyright 2015 Hewlett Packard Enterprise Development LP +# Copyright (c) Microsoft Corporation # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -49,7 +50,11 @@ gEfiSmbiosTableGuid ## SOMETIMES_CONSUMES ## SystemTable gEfiSmbios3TableGuid ## SOMETIMES_CONSUMES ## SystemTable gEfiAdapterInfoMediaStateGuid ## SOMETIMES_CONSUMES - + gEfiRngAlgorithmRaw ##
[edk2-devel] [PATCH v3 08/20] NetworkPkg:: SECURITY PATCH CVE-2023-45237
From: Doug Flick REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542 Bug Overview: PixieFail Bug #9 CVE-2023-45237 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Use of a Weak PseudoRandom Number Generator Change Overview: Updates all Instances of NET_RANDOM (NetRandomInitSeed ()) to either > > EFI_STATUS > EFIAPI > PseudoRandomU32 ( > OUT UINT32 *Output > ); > or (depending on the use case) > > EFI_STATUS > EFIAPI > PseudoRandom ( > OUT VOID *Output, > IN UINTN OutputLength > ); > This is because the use of Example: The following code snippet PseudoRandomU32 () function is used: > > UINT32 Random; > > Status = PseudoRandomU32 (); > if (EFI_ERROR (Status)) { > DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); > return Status; > } > This also introduces a new PCD to enable/disable the use of the secure implementation of algorithms for PseudoRandom () and instead depend on the default implementation. This may be required for some platforms where the UEFI Spec defined algorithms are not available. > > PcdEnforceSecureRngAlgorithms > If the platform does not have any one of the UEFI defined secure RNG algorithms then the driver will assert. Cc: Saloni Kasbekar Cc: Zachary Clark-williams Signed-off-by: Doug Flick [MSFT] --- NetworkPkg/NetworkPkg.dec | 7 ++ NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 14 ++- NetworkPkg/TcpDxe/TcpDxe.inf | 3 + NetworkPkg/IScsiDxe/IScsiMisc.h| 6 +- NetworkPkg/Include/Library/NetLib.h| 40 -- NetworkPkg/Ip6Dxe/Ip6Nd.h | 8 +- NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 10 +- NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 11 +- NetworkPkg/DnsDxe/DnsDhcp.c| 10 +- NetworkPkg/DnsDxe/DnsImpl.c| 11 +- NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 10 +- NetworkPkg/IScsiDxe/IScsiCHAP.c| 19 ++- NetworkPkg/IScsiDxe/IScsiMisc.c| 14 +-- NetworkPkg/Ip4Dxe/Ip4Driver.c | 10 +- NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 9 +- NetworkPkg/Ip6Dxe/Ip6Driver.c | 17 ++- NetworkPkg/Ip6Dxe/Ip6If.c | 12 +- NetworkPkg/Ip6Dxe/Ip6Mld.c | 12 +- NetworkPkg/Ip6Dxe/Ip6Nd.c | 33 - NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 130 +--- NetworkPkg/TcpDxe/TcpDriver.c | 15 ++- NetworkPkg/Udp4Dxe/Udp4Driver.c| 10 +- NetworkPkg/Udp6Dxe/Udp6Driver.c| 11 +- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 9 +- NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 11 +- NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 12 +- NetworkPkg/SecurityFixes.yaml | 39 ++ 27 files changed, 410 insertions(+), 83 deletions(-) diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec index e06f35e774..7c4289b77b 100644 --- a/NetworkPkg/NetworkPkg.dec +++ b/NetworkPkg/NetworkPkg.dec @@ -5,6 +5,7 @@ # # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved. # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP +# Copyright (c) Microsoft Corporation # # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -130,6 +131,12 @@ # @Prompt Indicates whether SnpDxe creates event for ExitBootServices() call. gEfiNetworkPkgTokenSpaceGuid.PcdSnpCreateExitBootServicesEvent|TRUE|BOOLEAN|0x100C + ## Enforces the use of Secure UEFI spec defined RNG algorithms for all network connections. + # TRUE - Enforce the use of Secure UEFI spec defined RNG algorithms. + # FALSE - Do not enforce and depend on the default implementation of RNG algorithm from the provider. + # @Prompt Enforce the use of Secure UEFI spec defined RNG algorithms. + gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|TRUE|BOOLEAN|0x100D + [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] ## IPv6 DHCP Unique Identifier (DUID) Type configuration (From RFCs 3315 and 6355). # 01 = DUID Based on Link-layer Address Plus Time [DUID-LLT] diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf index 8145d256ec..a8f534a293 100644 --- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf +++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf @@ -3,6 +3,7 @@ # # Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved. # (C) Copyright 2015 Hewlett Packard Enterprise Development LP +# Copyright (c) Microsoft Corporation # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -49,7 +50,11 @@ gEfiSmbiosTableGuid ## SOMETIMES_CONSUMES ## SystemTable gEfiSmbios3TableGuid ## SOMETIMES_CONSUMES ## SystemTable gEfiAdapterInfoMediaStateGuid ## SOMETIMES_CONSUMES - + gEfiRngAlgorithmRaw ##