From patchwork Wed Feb 19 10:21:50 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kai X-Patchwork-Id: 57602 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DB777C021AA for ; Wed, 19 Feb 2025 10:22:02 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.18981.1739960520837544983 for ; Wed, 19 Feb 2025 02:22:01 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=414568d945=kai.kang@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51J5pU55024311 for ; Wed, 19 Feb 2025 10:22:00 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00j8vj1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 19 Feb 2025 10:21:59 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 19 Feb 2025 02:21:58 -0800 Received: from pek-lpg-core4.wrs.com (128.224.153.44) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 19 Feb 2025 02:21:57 -0800 From: To: CC: Subject: [kirkstone][PATCH 1/2] Revert "ovmf: Fix CVE-2023-45237" Date: Wed, 19 Feb 2025 18:21:50 +0800 Message-ID: <20250219102151.4000494-1-kai.kang@windriver.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Proofpoint-GUID: bM2OWK_-RFoZR9kXwPY_lsk8expB6cWs X-Authority-Analysis: v=2.4 cv=I4GfRMgg c=1 sm=1 tr=0 ts=67b5b0c7 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=T2h4t0Lz3GQA:10 a=NEAV23lmAAAA:8 a=hqBzw_eTAAAA:8 a=XkRKQH6RAAAA:8 a=QQrwgld0AAAA:8 a=VKio34HhAAAA:8 a=PYnjg3YJAAAA:8 a=t7CeM3EgAAAA:8 a=7CQSdrXTAAAA:8 a=jYJ61ryfAAAA:8 a=VwQbUJbxAAAA:8 a=yMhMjlubAAAA:8 a=QyXUC8HyAAAA:8 a=pGLkceISAAAA:8 a=46JBHfEV3Mg9IWBTB-EA:9 a=1CDiJ765sy9Lk6bq:21 a=lBZTsuZDXdQA:10 a=Hv90Ch-Tvl0A:10 a=RVmHIydaz68A:10 a=bkWp_v3HvcftT6DRAIDL:22 a=1gUyE30hU_ULiMxJiLUW:22 a=GixL4z90Y-kx4mQuXZm8:22 a=ALVy6clGPs_Yy9GZ8Zsv:22 a=FdTzh2GWekK77mhwV6Dw:22 a=a-qgeE7W1pNrGK8U0ZQC:22 a=eNvJ01k53lG8zT5pDJgy:22 X-Proofpoint-ORIG-GUID: bM2OWK_-RFoZR9kXwPY_lsk8expB6cWs X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-19_04,2025-02-19_01,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 mlxscore=0 suspectscore=0 phishscore=0 impostorscore=0 priorityscore=1501 lowpriorityscore=0 mlxlogscore=999 spamscore=0 adultscore=0 clxscore=1015 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502190083 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Feb 2025 10:22:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211699 From: Kai Kang This reverts commit 4c2d3e37308cac98614dfafed79b7323423af8bc. The fix for CVE-2023-45237 causes ovmf firmware not support pxe boot any more and no boot item in OVMF menu such as UEFI PXEv4 (MAC address) It has not been fixed by ovmf upstream and an issue has been created on https://github.com/tianocore/tianocore.github.io/issues/82 Revert the fixes for now. Signed-off-by: Kai Kang --- Please add option `--keep-cr` when invoke `git am`. .../ovmf/ovmf/CVE-2023-45237-0001.patch | 78 - .../ovmf/ovmf/CVE-2023-45237-0002.patch | 1288 ----------------- meta/recipes-core/ovmf/ovmf_git.bb | 2 - 3 files changed, 1368 deletions(-) delete mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch delete mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch deleted file mode 100644 index d1dcb8dc44..0000000000 --- a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0001.patch +++ /dev/null @@ -1,78 +0,0 @@ -From cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c Mon Sep 17 00:00:00 2001 -From: Pierre Gondois -Date: Fri, 11 Aug 2023 16:33:06 +0200 -Subject: [PATCH] MdePkg/Rng: Add GUID to describe Arm Rndr Rng algorithms - -BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4441 - -The EFI_RNG_PROTOCOL can rely on the RngLib. The RngLib has multiple -implementations, some of them are unsafe (e.g. BaseRngLibTimerLib). -To allow the RngDxe to detect when such implementation is used, -a GetRngGuid() function is added in a following patch. - -Prepare GetRngGuid() return values and add a gEfiRngAlgorithmArmRndr -to describe a Rng algorithm accessed through Arm's RNDR instruction. -[1] states that the implementation of this algorithm should be -compliant to NIST SP900-80. The compliance is not guaranteed. - -[1] Arm Architecture Reference Manual Armv8, for A-profile architecture -sK12.1 'Properties of the generated random number' - -Signed-off-by: Pierre Gondois -Reviewed-by: Sami Mujawar -Reviewed-by: Liming Gao -Acked-by: Ard Biesheuvel -Tested-by: Kun Qin - -CVE: CVE-2023-45237 - -Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c] - -Signed-off-by: Soumya Sambu ---- - MdePkg/Include/Protocol/Rng.h | 10 ++++++++++ - MdePkg/MdePkg.dec | 1 + - 2 files changed, 11 insertions(+) - -diff --git a/MdePkg/Include/Protocol/Rng.h b/MdePkg/Include/Protocol/Rng.h -index baf425587b..38bde53240 100644 ---- a/MdePkg/Include/Protocol/Rng.h -+++ b/MdePkg/Include/Protocol/Rng.h -@@ -67,6 +67,15 @@ typedef EFI_GUID EFI_RNG_ALGORITHM; - { \ - 0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 } \ - } -+/// -+/// The Arm Architecture states the RNDR that the DRBG algorithm should be compliant -+/// with NIST SP800-90A, while not mandating a particular algorithm, so as to be -+/// inclusive of different geographies. -+/// -+#define EFI_RNG_ALGORITHM_ARM_RNDR \ -+ { \ -+ 0x43d2fde3, 0x9d4e, 0x4d79, {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41} \ -+ } - - /** - Returns information about the random number generation implementation. -@@ -146,5 +155,6 @@ extern EFI_GUID gEfiRngAlgorithmSp80090Ctr256Guid; - extern EFI_GUID gEfiRngAlgorithmX9313DesGuid; - extern EFI_GUID gEfiRngAlgorithmX931AesGuid; - extern EFI_GUID gEfiRngAlgorithmRaw; -+extern EFI_GUID gEfiRngAlgorithmArmRndr; - - #endif -diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec -index 59b405928b..a449dbc556 100644 ---- a/MdePkg/MdePkg.dec -+++ b/MdePkg/MdePkg.dec -@@ -594,6 +594,7 @@ - gEfiRngAlgorithmX9313DesGuid = { 0x63c4785a, 0xca34, 0x4012, {0xa3, 0xc8, 0x0b, 0x6a, 0x32, 0x4f, 0x55, 0x46 }} - gEfiRngAlgorithmX931AesGuid = { 0xacd03321, 0x777e, 0x4d3d, {0xb1, 0xc8, 0x20, 0xcf, 0xd8, 0x88, 0x20, 0xc9 }} - gEfiRngAlgorithmRaw = { 0xe43176d7, 0xb6e8, 0x4827, {0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 }} -+ gEfiRngAlgorithmArmRndr = { 0x43d2fde3, 0x9d4e, 0x4d79, {0x02, 0x96, 0xa8, 0x9b, 0xca, 0x78, 0x08, 0x41 }} - - ## Include/Protocol/AdapterInformation.h - gEfiAdapterInfoMediaStateGuid = { 0xD7C74207, 0xA831, 0x4A26, {0xB1, 0xF5, 0xD1, 0x93, 0x06, 0x5C, 0xE8, 0xB6 }} --- -2.40.0 - diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch deleted file mode 100644 index 722a6cd530..0000000000 --- a/meta/recipes-core/ovmf/ovmf/CVE-2023-45237-0002.patch +++ /dev/null @@ -1,1288 +0,0 @@ -From 4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345 Mon Sep 17 00:00:00 2001 -From: Doug Flick -Date: Wed, 8 May 2024 22:56:28 -0700 -Subject: [PATCH] NetworkPkg: SECURITY PATCH CVE-2023-45237 - -REF:https://bugzilla.tianocore.org/show_bug.cgi?id=4542 - -Bug Overview: -PixieFail Bug #9 -CVE-2023-45237 -CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N -CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - -Use of a Weak PseudoRandom Number Generator - -Change Overview: - -Updates all Instances of NET_RANDOM (NetRandomInitSeed ()) to either - -> -> EFI_STATUS -> EFIAPI -> PseudoRandomU32 ( -> OUT UINT32 *Output -> ); -> - -or (depending on the use case) - -> -> EFI_STATUS -> EFIAPI -> PseudoRandom ( -> OUT VOID *Output, -> IN UINTN OutputLength -> ); -> - -This is because the use of - -Example: - -The following code snippet PseudoRandomU32 () function is used: - -> -> UINT32 Random; -> -> Status = PseudoRandomU32 (&Random); -> if (EFI_ERROR (Status)) { -> DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", -__func__, Status)); -> return Status; -> } -> - -This also introduces a new PCD to enable/disable the use of the -secure implementation of algorithms for PseudoRandom () and -instead depend on the default implementation. This may be required for -some platforms where the UEFI Spec defined algorithms are not available. - -> -> PcdEnforceSecureRngAlgorithms -> - -If the platform does not have any one of the UEFI defined -secure RNG algorithms then the driver will assert. - -Cc: Saloni Kasbekar -Cc: Zachary Clark-williams - -Signed-off-by: Doug Flick [MSFT] -Reviewed-by: Saloni Kasbekar - -CVE: CVE-2023-45237 - -Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345] - -Signed-off-by: Soumya Sambu ---- - NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c | 10 +- - NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c | 11 +- - NetworkPkg/DnsDxe/DnsDhcp.c | 10 +- - NetworkPkg/DnsDxe/DnsImpl.c | 11 +- - NetworkPkg/HttpBootDxe/HttpBootDhcp6.c | 10 +- - NetworkPkg/IScsiDxe/IScsiCHAP.c | 19 ++- - NetworkPkg/IScsiDxe/IScsiMisc.c | 14 +-- - NetworkPkg/IScsiDxe/IScsiMisc.h | 6 +- - NetworkPkg/Include/Library/NetLib.h | 40 +++++-- - NetworkPkg/Ip4Dxe/Ip4Driver.c | 10 +- - NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c | 9 +- - NetworkPkg/Ip6Dxe/Ip6Driver.c | 17 ++- - NetworkPkg/Ip6Dxe/Ip6If.c | 12 +- - NetworkPkg/Ip6Dxe/Ip6Mld.c | 12 +- - NetworkPkg/Ip6Dxe/Ip6Nd.c | 33 +++++- - NetworkPkg/Ip6Dxe/Ip6Nd.h | 8 +- - NetworkPkg/Library/DxeNetLib/DxeNetLib.c | 130 ++++++++++++++++++--- - NetworkPkg/Library/DxeNetLib/DxeNetLib.inf | 14 ++- - NetworkPkg/NetworkPkg.dec | 7 ++ - NetworkPkg/SecurityFixes.yaml | 39 +++++++ - NetworkPkg/TcpDxe/TcpDriver.c | 15 ++- - NetworkPkg/TcpDxe/TcpDxe.inf | 3 + - NetworkPkg/Udp4Dxe/Udp4Driver.c | 10 +- - NetworkPkg/Udp6Dxe/Udp6Driver.c | 11 +- - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c | 9 +- - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | 11 +- - NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c | 12 +- - 27 files changed, 410 insertions(+), 83 deletions(-) - -diff --git a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c -index 8c37e93be3..892caee368 100644 ---- a/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c -+++ b/NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c -@@ -1,6 +1,7 @@ - /** @file - - Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -189,6 +190,13 @@ Dhcp4CreateService ( - { - DHCP_SERVICE *DhcpSb; - EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - *Service = NULL; - DhcpSb = AllocateZeroPool (sizeof (DHCP_SERVICE)); -@@ -203,7 +211,7 @@ Dhcp4CreateService ( - DhcpSb->Image = ImageHandle; - InitializeListHead (&DhcpSb->Children); - DhcpSb->DhcpState = Dhcp4Stopped; -- DhcpSb->Xid = NET_RANDOM (NetRandomInitSeed ()); -+ DhcpSb->Xid = Random; - CopyMem ( - &DhcpSb->ServiceBinding, - &mDhcp4ServiceBindingTemplate, -diff --git a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c -index b591a4605b..e7f2787a98 100644 ---- a/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c -+++ b/NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c -@@ -3,7 +3,7 @@ - implementation for Dhcp6 Driver. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -123,6 +123,13 @@ Dhcp6CreateService ( - { - DHCP6_SERVICE *Dhcp6Srv; - EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - *Service = NULL; - Dhcp6Srv = AllocateZeroPool (sizeof (DHCP6_SERVICE)); -@@ -147,7 +154,7 @@ Dhcp6CreateService ( - Dhcp6Srv->Signature = DHCP6_SERVICE_SIGNATURE; - Dhcp6Srv->Controller = Controller; - Dhcp6Srv->Image = ImageHandle; -- Dhcp6Srv->Xid = (0xffffff & NET_RANDOM (NetRandomInitSeed ())); -+ Dhcp6Srv->Xid = (0xffffff & Random); - - CopyMem ( - &Dhcp6Srv->ServiceBinding, -diff --git a/NetworkPkg/DnsDxe/DnsDhcp.c b/NetworkPkg/DnsDxe/DnsDhcp.c -index 933565a32d..9eb3c1d2d8 100644 ---- a/NetworkPkg/DnsDxe/DnsDhcp.c -+++ b/NetworkPkg/DnsDxe/DnsDhcp.c -@@ -2,6 +2,7 @@ - Functions implementation related with DHCPv4/v6 for DNS driver. - - Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -277,6 +278,7 @@ GetDns4ServerFromDhcp4 ( - EFI_DHCP4_TRANSMIT_RECEIVE_TOKEN Token; - BOOLEAN IsDone; - UINTN Index; -+ UINT32 Random; - - Image = Instance->Service->ImageHandle; - Controller = Instance->Service->ControllerHandle; -@@ -292,6 +294,12 @@ GetDns4ServerFromDhcp4 ( - Data = NULL; - InterfaceInfo = NULL; - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - ZeroMem ((UINT8 *)ParaList, sizeof (ParaList)); - - ZeroMem (&MnpConfigData, sizeof (EFI_MANAGED_NETWORK_CONFIG_DATA)); -@@ -467,7 +475,7 @@ GetDns4ServerFromDhcp4 ( - - Status = Dhcp4->Build (Dhcp4, &SeedPacket, 0, NULL, 2, ParaList, &Token.Packet); - -- Token.Packet->Dhcp4.Header.Xid = HTONL (NET_RANDOM (NetRandomInitSeed ())); -+ Token.Packet->Dhcp4.Header.Xid = Random; - - Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)0x8000); - -diff --git a/NetworkPkg/DnsDxe/DnsImpl.c b/NetworkPkg/DnsDxe/DnsImpl.c -index d311812800..c2629bb8df 100644 ---- a/NetworkPkg/DnsDxe/DnsImpl.c -+++ b/NetworkPkg/DnsDxe/DnsImpl.c -@@ -2,6 +2,7 @@ - DnsDxe support functions implementation. - - Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -1963,6 +1964,14 @@ ConstructDNSQuery ( - NET_FRAGMENT Frag; - DNS_HEADER *DnsHeader; - DNS_QUERY_SECTION *DnsQuery; -+ EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // Messages carried by UDP are restricted to 512 bytes (not counting the IP -@@ -1977,7 +1986,7 @@ ConstructDNSQuery ( - // Fill header - // - DnsHeader = (DNS_HEADER *)Frag.Bulk; -- DnsHeader->Identification = (UINT16)NET_RANDOM (NetRandomInitSeed ()); -+ DnsHeader->Identification = (UINT16)Random; - DnsHeader->Flags.Uint16 = 0x0000; - DnsHeader->Flags.Bits.RD = 1; - DnsHeader->Flags.Bits.OpCode = DNS_FLAGS_OPCODE_STANDARD; -diff --git a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c -index b22cef4ff5..f964515b0f 100644 ---- a/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c -+++ b/NetworkPkg/HttpBootDxe/HttpBootDhcp6.c -@@ -2,6 +2,7 @@ - Functions implementation related with DHCPv6 for HTTP boot driver. - - Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -951,6 +952,7 @@ HttpBootDhcp6Sarr ( - UINT32 OptCount; - UINT8 Buffer[HTTP_BOOT_DHCP6_OPTION_MAX_SIZE]; - EFI_STATUS Status; -+ UINT32 Random; - - Dhcp6 = Private->Dhcp6; - ASSERT (Dhcp6 != NULL); -@@ -961,6 +963,12 @@ HttpBootDhcp6Sarr ( - OptCount = HttpBootBuildDhcp6Options (Private, OptList, Buffer); - ASSERT (OptCount > 0); - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - Retransmit = AllocateZeroPool (sizeof (EFI_DHCP6_RETRANSMISSION)); - if (Retransmit == NULL) { - return EFI_OUT_OF_RESOURCES; -@@ -976,7 +984,7 @@ HttpBootDhcp6Sarr ( - Config.IaInfoEvent = NULL; - Config.RapidCommit = FALSE; - Config.ReconfigureAccept = FALSE; -- Config.IaDescriptor.IaId = NET_RANDOM (NetRandomInitSeed ()); -+ Config.IaDescriptor.IaId = Random; - Config.IaDescriptor.Type = EFI_DHCP6_IA_TYPE_NA; - Config.SolicitRetransmission = Retransmit; - Retransmit->Irt = 4; -diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c -index b507f11cd4..bebb1ac29b 100644 ---- a/NetworkPkg/IScsiDxe/IScsiCHAP.c -+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c -@@ -3,6 +3,7 @@ - Configuration. - - Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -576,16 +577,24 @@ IScsiCHAPToSendReq ( - // - // CHAP_I= - // -- IScsiGenRandom ((UINT8 *)&AuthData->OutIdentifier, 1); -+ Status = IScsiGenRandom ((UINT8 *)&AuthData->OutIdentifier, 1); -+ if (EFI_ERROR (Status)) { -+ break; -+ } -+ - AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier); - IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr); - // - // CHAP_C= - // -- IScsiGenRandom ( -- (UINT8 *)AuthData->OutChallenge, -- AuthData->Hash->DigestSize -- ); -+ Status = IScsiGenRandom ( -+ (UINT8 *)AuthData->OutChallenge, -+ AuthData->Hash->DigestSize -+ ); -+ if (EFI_ERROR (Status)) { -+ break; -+ } -+ - BinToHexStatus = IScsiBinToHex ( - (UINT8 *)AuthData->OutChallenge, - AuthData->Hash->DigestSize, -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.c b/NetworkPkg/IScsiDxe/IScsiMisc.c -index b3ea90158f..cd77f1a13e 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.c -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.c -@@ -2,6 +2,7 @@ - Miscellaneous routines for iSCSI driver. - - Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -474,20 +475,17 @@ IScsiNetNtoi ( - @param[in, out] Rand The buffer to contain random numbers. - @param[in] RandLength The length of the Rand buffer. - -+ @retval EFI_SUCCESS on success -+ @retval others on error -+ - **/ --VOID -+EFI_STATUS - IScsiGenRandom ( - IN OUT UINT8 *Rand, - IN UINTN RandLength - ) - { -- UINT32 Random; -- -- while (RandLength > 0) { -- Random = NET_RANDOM (NetRandomInitSeed ()); -- *Rand++ = (UINT8)(Random); -- RandLength--; -- } -+ return PseudoRandom (Rand, RandLength); - } - - /** -diff --git a/NetworkPkg/IScsiDxe/IScsiMisc.h b/NetworkPkg/IScsiDxe/IScsiMisc.h -index a951eee70e..91b2cd2261 100644 ---- a/NetworkPkg/IScsiDxe/IScsiMisc.h -+++ b/NetworkPkg/IScsiDxe/IScsiMisc.h -@@ -2,6 +2,7 @@ - Miscellaneous definitions for iSCSI driver. - - Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -202,8 +203,11 @@ IScsiNetNtoi ( - @param[in, out] Rand The buffer to contain random numbers. - @param[in] RandLength The length of the Rand buffer. - -+ @retval EFI_SUCCESS on success -+ @retval others on error -+ - **/ --VOID -+EFI_STATUS - IScsiGenRandom ( - IN OUT UINT8 *Rand, - IN UINTN RandLength -diff --git a/NetworkPkg/Include/Library/NetLib.h b/NetworkPkg/Include/Library/NetLib.h -index 8c0e62b388..e8108b79db 100644 ---- a/NetworkPkg/Include/Library/NetLib.h -+++ b/NetworkPkg/Include/Library/NetLib.h -@@ -3,6 +3,7 @@ - It provides basic functions for the UEFI network stack. - - Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -539,8 +540,6 @@ extern EFI_IPv4_ADDRESS mZeroIp4Addr; - #define TICKS_PER_MS 10000U - #define TICKS_PER_SECOND 10000000U - --#define NET_RANDOM(Seed) ((UINT32) ((UINT32) (Seed) * 1103515245UL + 12345) % 4294967295UL) -- - /** - Extract a UINT32 from a byte stream. - -@@ -580,19 +579,40 @@ NetPutUint32 ( - ); - - /** -- Initialize a random seed using current time and monotonic count. -+ Generate a Random output data given a length. - -- Get current time and monotonic count first. Then initialize a random seed -- based on some basic mathematics operation on the hour, day, minute, second, -- nanosecond and year of the current time and the monotonic count value. -+ @param[out] Output - The buffer to store the generated random data. -+ @param[in] OutputLength - The length of the output buffer. - -- @return The random seed initialized with current time. -+ @retval EFI_SUCCESS On Success -+ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero -+ @retval EFI_NOT_FOUND RNG protocol not found -+ @retval Others Error from RngProtocol->GetRNG() - -+ @return Status code - **/ --UINT32 -+EFI_STATUS - EFIAPI --NetRandomInitSeed ( -- VOID -+PseudoRandom ( -+ OUT VOID *Output, -+ IN UINTN OutputLength -+ ); -+ -+/** -+ Generate a 32-bit pseudo-random number. -+ -+ @param[out] Output - The buffer to store the generated random number. -+ -+ @retval EFI_SUCCESS On Success -+ @retval EFI_NOT_FOUND RNG protocol not found -+ @retval Others Error from RngProtocol->GetRNG() -+ -+ @return Status code -+**/ -+EFI_STATUS -+EFIAPI -+PseudoRandomU32 ( -+ OUT UINT32 *Output - ); - - #define NET_LIST_USER_STRUCT(Entry, Type, Field) \ -diff --git a/NetworkPkg/Ip4Dxe/Ip4Driver.c b/NetworkPkg/Ip4Dxe/Ip4Driver.c -index ec483ff01f..683423f38d 100644 ---- a/NetworkPkg/Ip4Dxe/Ip4Driver.c -+++ b/NetworkPkg/Ip4Dxe/Ip4Driver.c -@@ -2,6 +2,7 @@ - The driver binding and service binding protocol for IP4 driver. - - Copyright (c) 2005 - 2019, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
- - SPDX-License-Identifier: BSD-2-Clause-Patent -@@ -549,11 +550,18 @@ Ip4DriverBindingStart ( - EFI_IP4_CONFIG2_PROTOCOL *Ip4Cfg2; - UINTN Index; - IP4_CONFIG2_DATA_ITEM *DataItem; -+ UINT32 Random; - - IpSb = NULL; - Ip4Cfg2 = NULL; - DataItem = NULL; - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - // - // Test for the Ip4 service binding protocol - // -@@ -653,7 +661,7 @@ Ip4DriverBindingStart ( - // - // Initialize the IP4 ID - // -- mIp4Id = (UINT16)NET_RANDOM (NetRandomInitSeed ()); -+ mIp4Id = (UINT16)Random; - - return Status; - -diff --git a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c -index 70e232ce6c..4c1354d26c 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c -+++ b/NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c -@@ -2276,6 +2276,13 @@ Ip6ConfigInitInstance ( - UINTN Index; - UINT16 IfIndex; - IP6_CONFIG_DATA_ITEM *DataItem; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - IpSb = IP6_SERVICE_FROM_IP6_CONFIG_INSTANCE (Instance); - -@@ -2381,7 +2388,7 @@ Ip6ConfigInitInstance ( - // The NV variable is not set, so generate a random IAID, and write down the - // fresh new configuration as the NV variable now. - // -- Instance->IaId = NET_RANDOM (NetRandomInitSeed ()); -+ Instance->IaId = Random; - - for (Index = 0; Index < IpSb->SnpMode.HwAddressSize; Index++) { - Instance->IaId |= (IpSb->SnpMode.CurrentAddress.Addr[Index] << ((Index << 3) & 31)); -diff --git a/NetworkPkg/Ip6Dxe/Ip6Driver.c b/NetworkPkg/Ip6Dxe/Ip6Driver.c -index b483a7d136..cbe011dad4 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Driver.c -+++ b/NetworkPkg/Ip6Dxe/Ip6Driver.c -@@ -3,7 +3,7 @@ - - Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -316,7 +316,11 @@ Ip6CreateService ( - IpSb->CurHopLimit = IP6_HOP_LIMIT; - IpSb->LinkMTU = IP6_MIN_LINK_MTU; - IpSb->BaseReachableTime = IP6_REACHABLE_TIME; -- Ip6UpdateReachableTime (IpSb); -+ Status = Ip6UpdateReachableTime (IpSb); -+ if (EFI_ERROR (Status)) { -+ goto ON_ERROR; -+ } -+ - // - // RFC4861 RETRANS_TIMER: 1,000 milliseconds - // -@@ -516,11 +520,18 @@ Ip6DriverBindingStart ( - EFI_STATUS Status; - EFI_IP6_CONFIG_PROTOCOL *Ip6Cfg; - IP6_CONFIG_DATA_ITEM *DataItem; -+ UINT32 Random; - - IpSb = NULL; - Ip6Cfg = NULL; - DataItem = NULL; - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - // - // Test for the Ip6 service binding protocol - // -@@ -656,7 +667,7 @@ Ip6DriverBindingStart ( - // - // Initialize the IP6 ID - // -- mIp6Id = NET_RANDOM (NetRandomInitSeed ()); -+ mIp6Id = Random; - - return EFI_SUCCESS; - -diff --git a/NetworkPkg/Ip6Dxe/Ip6If.c b/NetworkPkg/Ip6Dxe/Ip6If.c -index 4629c05f25..f3d11c4d21 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6If.c -+++ b/NetworkPkg/Ip6Dxe/Ip6If.c -@@ -2,7 +2,7 @@ - Implement IP6 pseudo interface. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -89,6 +89,14 @@ Ip6SetAddress ( - IP6_PREFIX_LIST_ENTRY *PrefixEntry; - UINT64 Delay; - IP6_DELAY_JOIN_LIST *DelayNode; -+ EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - NET_CHECK_SIGNATURE (Interface, IP6_INTERFACE_SIGNATURE); - -@@ -164,7 +172,7 @@ Ip6SetAddress ( - // Thus queue the address to be processed in Duplicate Address Detection module - // after the delay time (in milliseconds). - // -- Delay = (UINT64)NET_RANDOM (NetRandomInitSeed ()); -+ Delay = (UINT64)Random; - Delay = MultU64x32 (Delay, IP6_ONE_SECOND_IN_MS); - Delay = RShiftU64 (Delay, 32); - -diff --git a/NetworkPkg/Ip6Dxe/Ip6Mld.c b/NetworkPkg/Ip6Dxe/Ip6Mld.c -index e6b2b653e2..498a118543 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Mld.c -+++ b/NetworkPkg/Ip6Dxe/Ip6Mld.c -@@ -696,7 +696,15 @@ Ip6UpdateDelayTimer ( - IN OUT IP6_MLD_GROUP *Group - ) - { -- UINT32 Delay; -+ UINT32 Delay; -+ EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // If the Query packet specifies a Maximum Response Delay of zero, perform timer -@@ -715,7 +723,7 @@ Ip6UpdateDelayTimer ( - // is less than the remaining value of the running timer. - // - if ((Group->DelayTimer == 0) || (Delay < Group->DelayTimer)) { -- Group->DelayTimer = Delay / 4294967295UL * NET_RANDOM (NetRandomInitSeed ()); -+ Group->DelayTimer = Delay / 4294967295UL * Random; - } - - return EFI_SUCCESS; -diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.c b/NetworkPkg/Ip6Dxe/Ip6Nd.c -index c10c7017f8..72aa45c10f 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Nd.c -+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.c -@@ -2,7 +2,7 @@ - Implementation of Neighbor Discovery support routines. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -16,17 +16,28 @@ EFI_MAC_ADDRESS mZeroMacAddress; - - @param[in, out] IpSb Points to the IP6_SERVICE. - -+ @retval EFI_SUCCESS ReachableTime Updated -+ @retval others Failed to update ReachableTime - **/ --VOID -+EFI_STATUS - Ip6UpdateReachableTime ( - IN OUT IP6_SERVICE *IpSb - ) - { -- UINT32 Random; -+ UINT32 Random; -+ EFI_STATUS Status; - -- Random = (NetRandomInitSeed () / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE; -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ -+ Random = (Random / 4294967295UL) * IP6_RANDOM_FACTOR_SCALE; - Random = Random + IP6_MIN_RANDOM_FACTOR_SCALED; - IpSb->ReachableTime = (IpSb->BaseReachableTime * Random) / IP6_RANDOM_FACTOR_SCALE; -+ -+ return EFI_SUCCESS; - } - - /** -@@ -972,10 +983,17 @@ Ip6InitDADProcess ( - IP6_SERVICE *IpSb; - EFI_STATUS Status; - UINT32 MaxDelayTick; -+ UINT32 Random; - - NET_CHECK_SIGNATURE (IpIf, IP6_INTERFACE_SIGNATURE); - ASSERT (AddressInfo != NULL); - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - // - // Do nothing if we have already started DAD on the address. - // -@@ -1014,7 +1032,7 @@ Ip6InitDADProcess ( - Entry->Transmit = 0; - Entry->Receive = 0; - MaxDelayTick = IP6_MAX_RTR_SOLICITATION_DELAY / IP6_TIMER_INTERVAL_IN_MS; -- Entry->RetransTick = (MaxDelayTick * ((NET_RANDOM (NetRandomInitSeed ()) % 5) + 1)) / 5; -+ Entry->RetransTick = (MaxDelayTick * ((Random % 5) + 1)) / 5; - Entry->AddressInfo = AddressInfo; - Entry->Callback = Callback; - Entry->Context = Context; -@@ -2078,7 +2096,10 @@ Ip6ProcessRouterAdvertise ( - // in BaseReachableTime and recompute a ReachableTime. - // - IpSb->BaseReachableTime = ReachableTime; -- Ip6UpdateReachableTime (IpSb); -+ Status = Ip6UpdateReachableTime (IpSb); -+ if (EFI_ERROR (Status)) { -+ goto Exit; -+ } - } - - if (RetransTimer != 0) { -diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h -index bf64e9114e..5795e23c7d 100644 ---- a/NetworkPkg/Ip6Dxe/Ip6Nd.h -+++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h -@@ -2,7 +2,7 @@ - Definition of Neighbor Discovery support routines. - - Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -780,10 +780,10 @@ Ip6OnArpResolved ( - /** - Update the ReachableTime in IP6 service binding instance data, in milliseconds. - -- @param[in, out] IpSb Points to the IP6_SERVICE. -- -+ @retval EFI_SUCCESS ReachableTime Updated -+ @retval others Failed to update ReachableTime - **/ --VOID -+EFI_STATUS - Ip6UpdateReachableTime ( - IN OUT IP6_SERVICE *IpSb - ); -diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c -index fd4a9e15a8..01c13c08d2 100644 ---- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.c -+++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.c -@@ -3,6 +3,7 @@ - - Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved.
- (C) Copyright 2015 Hewlett Packard Enterprise Development LP
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - **/ - -@@ -31,6 +32,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent - #include - #include - #include -+#include - - #define NIC_ITEM_CONFIG_SIZE (sizeof (NIC_IP4_CONFIG_INFO) + sizeof (EFI_IP4_ROUTE_TABLE) * MAX_IP4_CONFIG_IN_VARIABLE) - #define DEFAULT_ZERO_START ((UINTN) ~0) -@@ -127,6 +129,25 @@ GLOBAL_REMOVE_IF_UNREFERENCED VLAN_DEVICE_PATH mNetVlanDevicePathTemplate = { - 0 - }; - -+// -+// These represent UEFI SPEC defined algorithms that should be supported by -+// the RNG protocol and are generally considered secure. -+// -+// The order of the algorithms in this array is important. This order is the order -+// in which the algorithms will be tried by the RNG protocol. -+// If your platform needs to use a specific algorithm for the random number generator, -+// then you should place that algorithm first in the array. -+// -+GLOBAL_REMOVE_IF_UNREFERENCED EFI_GUID *mSecureHashAlgorithms[] = { -+ &gEfiRngAlgorithmSp80090Ctr256Guid, // SP800-90A DRBG CTR using AES-256 -+ &gEfiRngAlgorithmSp80090Hmac256Guid, // SP800-90A DRBG HMAC using SHA-256 -+ &gEfiRngAlgorithmSp80090Hash256Guid, // SP800-90A DRBG Hash using SHA-256 -+ &gEfiRngAlgorithmArmRndr, // unspecified SP800-90A DRBG via ARM RNDR register -+ &gEfiRngAlgorithmRaw, // Raw data from NRBG (or TRNG) -+}; -+ -+#define SECURE_HASH_ALGORITHMS_SIZE (sizeof (mSecureHashAlgorithms) / sizeof (EFI_GUID *)) -+ - /** - Locate the handles that support SNP, then open one of them - to send the syslog packets. The caller isn't required to close -@@ -884,34 +905,107 @@ Ip6Swap128 ( - } - - /** -- Initialize a random seed using current time and monotonic count. -+ Generate a Random output data given a length. - -- Get current time and monotonic count first. Then initialize a random seed -- based on some basic mathematics operation on the hour, day, minute, second, -- nanosecond and year of the current time and the monotonic count value. -+ @param[out] Output - The buffer to store the generated random data. -+ @param[in] OutputLength - The length of the output buffer. - -- @return The random seed initialized with current time. -+ @retval EFI_SUCCESS On Success -+ @retval EFI_INVALID_PARAMETER Pointer is null or size is zero -+ @retval EFI_NOT_FOUND RNG protocol not found -+ @retval Others Error from RngProtocol->GetRNG() - -+ @return Status code - **/ --UINT32 -+EFI_STATUS - EFIAPI --NetRandomInitSeed ( -- VOID -+PseudoRandom ( -+ OUT VOID *Output, -+ IN UINTN OutputLength - ) - { -- EFI_TIME Time; -- UINT32 Seed; -- UINT64 MonotonicCount; -+ EFI_RNG_PROTOCOL *RngProtocol; -+ EFI_STATUS Status; -+ UINTN AlgorithmIndex; -+ -+ if ((Output == NULL) || (OutputLength == 0)) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ Status = gBS->LocateProtocol (&gEfiRngProtocolGuid, NULL, (VOID **)&RngProtocol); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to locate EFI_RNG_PROTOCOL: %r\n", Status)); -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ -+ if (PcdGetBool (PcdEnforceSecureRngAlgorithms)) { -+ for (AlgorithmIndex = 0; AlgorithmIndex < SECURE_HASH_ALGORITHMS_SIZE; AlgorithmIndex++) { -+ Status = RngProtocol->GetRNG (RngProtocol, mSecureHashAlgorithms[AlgorithmIndex], OutputLength, (UINT8 *)Output); -+ if (!EFI_ERROR (Status)) { -+ // -+ // Secure Algorithm was supported on this platform -+ // -+ return EFI_SUCCESS; -+ } else if (Status == EFI_UNSUPPORTED) { -+ // -+ // Secure Algorithm was not supported on this platform -+ // -+ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status)); -+ -+ // -+ // Try the next secure algorithm -+ // -+ continue; -+ } else { -+ // -+ // Some other error occurred -+ // -+ DEBUG ((DEBUG_ERROR, "Failed to generate random data using secure algorithm %d: %r\n", AlgorithmIndex, Status)); -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ } -+ -+ // -+ // If we get here, we failed to generate random data using any secure algorithm -+ // Platform owner should ensure that at least one secure algorithm is supported -+ // -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ -+ // -+ // Lets try using the default algorithm (which may not be secure) -+ // -+ Status = RngProtocol->GetRNG (RngProtocol, NULL, OutputLength, (UINT8 *)Output); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random data: %r\n", __func__, Status)); -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } - -- gRT->GetTime (&Time, NULL); -- Seed = (Time.Hour << 24 | Time.Day << 16 | Time.Minute << 8 | Time.Second); -- Seed ^= Time.Nanosecond; -- Seed ^= Time.Year << 7; -+ return EFI_SUCCESS; -+} -+ -+/** -+ Generate a 32-bit pseudo-random number. - -- gBS->GetNextMonotonicCount (&MonotonicCount); -- Seed += (UINT32)MonotonicCount; -+ @param[out] Output - The buffer to store the generated random number. - -- return Seed; -+ @retval EFI_SUCCESS On Success -+ @retval EFI_NOT_FOUND RNG protocol not found -+ @retval Others Error from RngProtocol->GetRNG() -+ -+ @return Status code -+**/ -+EFI_STATUS -+EFIAPI -+PseudoRandomU32 ( -+ OUT UINT32 *Output -+ ) -+{ -+ return PseudoRandom (Output, sizeof (*Output)); - } - - /** -diff --git a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -index 8145d256ec..a8f534a293 100644 ---- a/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -+++ b/NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -@@ -3,6 +3,7 @@ - # - # Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
- # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
-+# Copyright (c) Microsoft Corporation - # SPDX-License-Identifier: BSD-2-Clause-Patent - # - ## -@@ -49,7 +50,11 @@ - gEfiSmbiosTableGuid ## SOMETIMES_CONSUMES ## SystemTable - gEfiSmbios3TableGuid ## SOMETIMES_CONSUMES ## SystemTable - gEfiAdapterInfoMediaStateGuid ## SOMETIMES_CONSUMES -- -+ gEfiRngAlgorithmRaw ## CONSUMES -+ gEfiRngAlgorithmSp80090Ctr256Guid ## CONSUMES -+ gEfiRngAlgorithmSp80090Hmac256Guid ## CONSUMES -+ gEfiRngAlgorithmSp80090Hash256Guid ## CONSUMES -+ gEfiRngAlgorithmArmRndr ## CONSUMES - - [Protocols] - gEfiSimpleNetworkProtocolGuid ## SOMETIMES_CONSUMES -@@ -59,3 +64,10 @@ - gEfiComponentNameProtocolGuid ## SOMETIMES_CONSUMES - gEfiComponentName2ProtocolGuid ## SOMETIMES_CONSUMES - gEfiAdapterInformationProtocolGuid ## SOMETIMES_CONSUMES -+ gEfiRngProtocolGuid ## CONSUMES -+ -+[FixedPcd] -+ gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms ## CONSUMES -+ -+[Depex] -+ gEfiRngProtocolGuid -diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec -index 928e84fec4..ff335e957c 100644 ---- a/NetworkPkg/NetworkPkg.dec -+++ b/NetworkPkg/NetworkPkg.dec -@@ -5,6 +5,7 @@ - # - # Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved.
- # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP
-+# Copyright (c) Microsoft Corporation - # - # SPDX-License-Identifier: BSD-2-Clause-Patent - # -@@ -127,6 +128,12 @@ - # @Prompt Indicates whether SnpDxe creates event for ExitBootServices() call. - gEfiNetworkPkgTokenSpaceGuid.PcdSnpCreateExitBootServicesEvent|TRUE|BOOLEAN|0x1000000C - -+ ## Enforces the use of Secure UEFI spec defined RNG algorithms for all network connections. -+ # TRUE - Enforce the use of Secure UEFI spec defined RNG algorithms. -+ # FALSE - Do not enforce and depend on the default implementation of RNG algorithm from the provider. -+ # @Prompt Enforce the use of Secure UEFI spec defined RNG algorithms. -+ gEfiNetworkPkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms|TRUE|BOOLEAN|0x1000000D -+ - [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] - ## IPv6 DHCP Unique Identifier (DUID) Type configuration (From RFCs 3315 and 6355). - # 01 = DUID Based on Link-layer Address Plus Time [DUID-LLT] -diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml -index 7e900483fe..2b2c794697 100644 ---- a/NetworkPkg/SecurityFixes.yaml -+++ b/NetworkPkg/SecurityFixes.yaml -@@ -121,3 +121,42 @@ CVE_2023_45235: - - http://www.openwall.com/lists/oss-security/2024/01/16/2 - - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html - - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -+CVE_2023_45237: -+ commit_titles: -+ - "NetworkPkg:: SECURITY PATCH CVE 2023-45237" -+ cve: CVE-2023-45237 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 09 - Use of a Weak PseudoRandom Number Generator" -+ note: -+ files_impacted: -+ - NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c -+ - NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c -+ - NetworkPkg/DnsDxe/DnsDhcp.c -+ - NetworkPkg/DnsDxe/DnsImpl.c -+ - NetworkPkg/HttpBootDxe/HttpBootDhcp6.c -+ - NetworkPkg/IScsiDxe/IScsiCHAP.c -+ - NetworkPkg/IScsiDxe/IScsiMisc.c -+ - NetworkPkg/IScsiDxe/IScsiMisc.h -+ - NetworkPkg/Include/Library/NetLib.h -+ - NetworkPkg/Ip4Dxe/Ip4Driver.c -+ - NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c -+ - NetworkPkg/Ip6Dxe/Ip6Driver.c -+ - NetworkPkg/Ip6Dxe/Ip6If.c -+ - NetworkPkg/Ip6Dxe/Ip6Mld.c -+ - NetworkPkg/Ip6Dxe/Ip6Nd.c -+ - NetworkPkg/Ip6Dxe/Ip6Nd.h -+ - NetworkPkg/Library/DxeNetLib/DxeNetLib.c -+ - NetworkPkg/Library/DxeNetLib/DxeNetLib.inf -+ - NetworkPkg/NetworkPkg.dec -+ - NetworkPkg/TcpDxe/TcpDriver.c -+ - NetworkPkg/Udp4Dxe/Udp4Driver.c -+ - NetworkPkg/Udp6Dxe/Udp6Driver.c -+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -+ - NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4542 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45237 -+ - http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c -index 98a90e0210..8fe6badd68 100644 ---- a/NetworkPkg/TcpDxe/TcpDriver.c -+++ b/NetworkPkg/TcpDxe/TcpDriver.c -@@ -2,7 +2,7 @@ - The driver binding and service binding protocol for the TCP driver. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -163,7 +163,13 @@ TcpDriverEntryPoint ( - ) - { - EFI_STATUS Status; -- UINT32 Seed; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // Install the TCP Driver Binding Protocol -@@ -203,9 +209,8 @@ TcpDriverEntryPoint ( - // - // Initialize ISS and random port. - // -- Seed = NetRandomInitSeed (); -- mTcpGlobalIss = NET_RANDOM (Seed) % mTcpGlobalIss; -- mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (NET_RANDOM (Seed) % TCP_PORT_KNOWN)); -+ mTcpGlobalIss = Random % mTcpGlobalIss; -+ mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN)); - mTcp6RandomPort = mTcp4RandomPort; - - return EFI_SUCCESS; -diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf -index c0acbdca57..cf5423f4c5 100644 ---- a/NetworkPkg/TcpDxe/TcpDxe.inf -+++ b/NetworkPkg/TcpDxe/TcpDxe.inf -@@ -82,5 +82,8 @@ - gEfiTcp6ProtocolGuid ## BY_START - gEfiTcp6ServiceBindingProtocolGuid ## BY_START - -+[Depex] -+ gEfiHash2ServiceBindingProtocolGuid -+ - [UserExtensions.TianoCore."ExtraFiles"] - TcpDxeExtra.uni -diff --git a/NetworkPkg/Udp4Dxe/Udp4Driver.c b/NetworkPkg/Udp4Dxe/Udp4Driver.c -index cb917fcfc9..c7ea16f4cd 100644 ---- a/NetworkPkg/Udp4Dxe/Udp4Driver.c -+++ b/NetworkPkg/Udp4Dxe/Udp4Driver.c -@@ -1,6 +1,7 @@ - /** @file - - Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
-+Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -555,6 +556,13 @@ Udp4DriverEntryPoint ( - ) - { - EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // Install the Udp4DriverBinding and Udp4ComponentName protocols. -@@ -571,7 +579,7 @@ Udp4DriverEntryPoint ( - // - // Initialize the UDP random port. - // -- mUdp4RandomPort = (UINT16)(((UINT16)NetRandomInitSeed ()) % UDP4_PORT_KNOWN + UDP4_PORT_KNOWN); -+ mUdp4RandomPort = (UINT16)(((UINT16)Random) % UDP4_PORT_KNOWN + UDP4_PORT_KNOWN); - } - - return Status; -diff --git a/NetworkPkg/Udp6Dxe/Udp6Driver.c b/NetworkPkg/Udp6Dxe/Udp6Driver.c -index ae96fb9966..edb758d57c 100644 ---- a/NetworkPkg/Udp6Dxe/Udp6Driver.c -+++ b/NetworkPkg/Udp6Dxe/Udp6Driver.c -@@ -2,7 +2,7 @@ - Driver Binding functions and Service Binding functions for the Network driver module. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -596,6 +596,13 @@ Udp6DriverEntryPoint ( - ) - { - EFI_STATUS Status; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } - - // - // Install the Udp6DriverBinding and Udp6ComponentName protocols. -@@ -614,7 +621,7 @@ Udp6DriverEntryPoint ( - // Initialize the UDP random port. - // - mUdp6RandomPort = (UINT16)( -- ((UINT16)NetRandomInitSeed ()) % -+ ((UINT16)Random) % - UDP6_PORT_KNOWN + - UDP6_PORT_KNOWN - ); -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -index 91146b78cb..452038c219 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c -@@ -2,7 +2,7 @@ - Functions implementation related with DHCPv4 for UefiPxeBc Driver. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -1381,6 +1381,12 @@ PxeBcDhcp4Discover ( - UINT8 VendorOptLen; - UINT32 Xid; - -+ Status = PseudoRandomU32 (&Xid); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - Mode = Private->PxeBc.Mode; - Dhcp4 = Private->Dhcp4; - Status = EFI_SUCCESS; -@@ -1471,7 +1477,6 @@ PxeBcDhcp4Discover ( - // - // Set fields of the token for the request packet. - // -- Xid = NET_RANDOM (NetRandomInitSeed ()); - Token.Packet->Dhcp4.Header.Xid = HTONL (Xid); - Token.Packet->Dhcp4.Header.Reserved = HTONS ((UINT16)((IsBCast) ? 0x8000 : 0x0)); - CopyMem (&Token.Packet->Dhcp4.Header.ClientAddr, &Private->StationIp, sizeof (EFI_IPv4_ADDRESS)); -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -index 7fd1281c11..bcabbd2219 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c -@@ -2180,7 +2180,7 @@ PxeBcDhcp6Discover ( - UINTN ReadSize; - UINT16 OpCode; - UINT16 OpLen; -- UINT32 Xid; -+ UINT32 Random; - EFI_STATUS Status; - UINTN DiscoverLenNeeded; - -@@ -2198,6 +2198,12 @@ PxeBcDhcp6Discover ( - return EFI_DEVICE_ERROR; - } - -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ - DiscoverLenNeeded = sizeof (EFI_PXE_BASE_CODE_DHCPV6_PACKET); - Discover = AllocateZeroPool (DiscoverLenNeeded); - if (Discover == NULL) { -@@ -2207,8 +2213,7 @@ PxeBcDhcp6Discover ( - // - // Build the discover packet by the cached request packet before. - // -- Xid = NET_RANDOM (NetRandomInitSeed ()); -- Discover->TransactionId = HTONL (Xid); -+ Discover->TransactionId = HTONL (Random); - Discover->MessageType = Request->Dhcp6.Header.MessageType; - RequestOpt = Request->Dhcp6.Option; - DiscoverOpt = Discover->DhcpOptions; -diff --git a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -index d84aca7e85..4cd915b411 100644 ---- a/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -+++ b/NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c -@@ -3,6 +3,7 @@ - - (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.
-+ Copyright (c) Microsoft Corporation - - SPDX-License-Identifier: BSD-2-Clause-Patent - -@@ -892,6 +893,13 @@ PxeBcCreateIp6Children ( - PXEBC_PRIVATE_PROTOCOL *Id; - EFI_SIMPLE_NETWORK_PROTOCOL *Snp; - UINTN Index; -+ UINT32 Random; -+ -+ Status = PseudoRandomU32 (&Random); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "Failed to generate random number using EFI_RNG_PROTOCOL: %r\n", Status)); -+ return Status; -+ } - - if (Private->Ip6Nic != NULL) { - // -@@ -935,9 +943,9 @@ PxeBcCreateIp6Children ( - } - - // -- // Generate a random IAID for the Dhcp6 assigned address. -+ // Set a random IAID for the Dhcp6 assigned address. - // -- Private->IaId = NET_RANDOM (NetRandomInitSeed ()); -+ Private->IaId = Random; - if (Private->Snp != NULL) { - for (Index = 0; Index < Private->Snp->Mode->HwAddressSize; Index++) { - Private->IaId |= (Private->Snp->Mode->CurrentAddress.Addr[Index] << ((Index << 3) & 31)); --- -2.40.0 - diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index d52e3f4971..bb345688ac 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -47,8 +47,6 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://CVE-2023-45229-0002.patch \ file://CVE-2023-45229-0003.patch \ file://CVE-2023-45229-0004.patch \ - file://CVE-2023-45237-0001.patch \ - file://CVE-2023-45237-0002.patch \ file://CVE-2023-45236.patch \ file://CVE-2022-36765-0001.patch \ file://CVE-2022-36765-0002.patch \ From patchwork Wed Feb 19 10:21:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kai X-Patchwork-Id: 57601 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD2AFC021B0 for ; Wed, 19 Feb 2025 10:22:02 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web10.19227.1739960521497528728 for ; Wed, 19 Feb 2025 02:22:01 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=414568d945=kai.kang@windriver.com) Received: from pps.filterd (m0250811.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 51J5pU56024311 for ; Wed, 19 Feb 2025 10:22:00 GMT Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com [147.11.82.252]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44w00j8vj1-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Wed, 19 Feb 2025 10:22:00 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Wed, 19 Feb 2025 02:21:59 -0800 Received: from pek-lpg-core4.wrs.com (128.224.153.44) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Wed, 19 Feb 2025 02:21:58 -0800 From: To: CC: Subject: [kirkstone][PATCH 2/2] Revert "ovmf: Fix CVE-2023-45236" Date: Wed, 19 Feb 2025 18:21:51 +0800 Message-ID: <20250219102151.4000494-2-kai.kang@windriver.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250219102151.4000494-1-kai.kang@windriver.com> References: <20250219102151.4000494-1-kai.kang@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: cS-C7-JloBv0deZx6VrYsHAGvuy9WM3H X-Authority-Analysis: v=2.4 cv=I4GfRMgg c=1 sm=1 tr=0 ts=67b5b0c8 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=T2h4t0Lz3GQA:10 a=hqBzw_eTAAAA:8 a=BqEg4_3jAAAA:8 a=NEAV23lmAAAA:8 a=XkRKQH6RAAAA:8 a=QQrwgld0AAAA:8 a=VKio34HhAAAA:8 a=PYnjg3YJAAAA:8 a=48vgC7mUAAAA:8 a=t7CeM3EgAAAA:8 a=yMhMjlubAAAA:8 a=QyXUC8HyAAAA:8 a=pGLkceISAAAA:8 a=D1ohjMC7YL4RkpoRxuEA:9 a=M8StELapO-GijCwn:21 a=lBZTsuZDXdQA:10 a=Hv90Ch-Tvl0A:10 a=RVmHIydaz68A:10 a=bkWp_v3HvcftT6DRAIDL:22 a=0mFWnFbQd5xWBqmg7tTt:22 a=1gUyE30hU_ULiMxJiLUW:22 a=GixL4z90Y-kx4mQuXZm8:22 a=ALVy6clGPs_Yy9GZ8Zsv:22 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-ORIG-GUID: cS-C7-JloBv0deZx6VrYsHAGvuy9WM3H X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-19_04,2025-02-19_01,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 mlxscore=0 suspectscore=0 phishscore=0 impostorscore=0 priorityscore=1501 lowpriorityscore=0 mlxlogscore=999 spamscore=0 adultscore=0 clxscore=1015 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2502190083 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Feb 2025 10:22:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211700 From: Kai Kang This reverts commit dd8ed68222f9249766bb4c376833d7d63d601c41. The fix for CVE-2023-45237 has been reverted. And the fix for CVE-2023-45236 depends on it. So revert it too. Signed-off-by: Kai Kang --- .../ovmf/ovmf/CVE-2023-45236.patch | 829 ------------------ meta/recipes-core/ovmf/ovmf_git.bb | 1 - 2 files changed, 830 deletions(-) delete mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch b/meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch deleted file mode 100644 index ac43392ce6..0000000000 --- a/meta/recipes-core/ovmf/ovmf/CVE-2023-45236.patch +++ /dev/null @@ -1,829 +0,0 @@ -From 1904a64bcc18199738e5be183d28887ac5d837d7 Mon Sep 17 00:00:00 2001 -From: Doug Flick -Date: Wed, 8 May 2024 22:56:29 -0700 -Subject: [PATCH] NetworkPkg TcpDxe: SECURITY PATCH CVE-2023-45236 - -REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4541 -REF: https://www.rfc-editor.org/rfc/rfc1948.txt -REF: https://www.rfc-editor.org/rfc/rfc6528.txt -REF: https://www.rfc-editor.org/rfc/rfc9293.txt - -Bug Overview: -PixieFail Bug #8 -CVE-2023-45236 -CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N -CWE-200 Exposure of Sensitive Information to an Unauthorized Actor - -Updates TCP ISN generation to use a cryptographic hash of the -connection's identifying parameters and a secret key. -This prevents an attacker from guessing the ISN used for some other -connection. - -This is follows the guidance in RFC 1948, RFC 6528, and RFC 9293. - -RFC: 9293 Section 3.4.1. Initial Sequence Number Selection - - A TCP implementation MUST use the above type of "clock" for clock- - driven selection of initial sequence numbers (MUST-8), and SHOULD - generate its initial sequence numbers with the expression: - - ISN = M + F(localip, localport, remoteip, remoteport, secretkey) - - where M is the 4 microsecond timer, and F() is a pseudorandom - function (PRF) of the connection's identifying parameters ("localip, - localport, remoteip, remoteport") and a secret key ("secretkey") - (SHLD-1). F() MUST NOT be computable from the outside (MUST-9), or - an attacker could still guess at sequence numbers from the ISN used - for some other connection. The PRF could be implemented as a - cryptographic hash of the concatenation of the TCP connection - parameters and some secret data. For discussion of the selection of - a specific hash algorithm and management of the secret key data, - please see Section 3 of [42]. - - For each connection there is a send sequence number and a receive - sequence number. The initial send sequence number (ISS) is chosen by - the data sending TCP peer, and the initial receive sequence number - (IRS) is learned during the connection-establishing procedure. - - For a connection to be established or initialized, the two TCP peers - must synchronize on each other's initial sequence numbers. This is - done in an exchange of connection-establishing segments carrying a - control bit called "SYN" (for synchronize) and the initial sequence - numbers. As a shorthand, segments carrying the SYN bit are also - called "SYNs". Hence, the solution requires a suitable mechanism for - picking an initial sequence number and a slightly involved handshake - to exchange the ISNs. - -Cc: Saloni Kasbekar -Cc: Zachary Clark-williams - -Signed-off-by: Doug Flick [MSFT] -Reviewed-by: Saloni Kasbekar - -CVE: CVE-2023-45236 - -Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1904a64bcc18199738e5be183d28887ac5d837d7] - -Signed-off-by: Soumya Sambu ---- - NetworkPkg/SecurityFixes.yaml | 22 +++ - NetworkPkg/TcpDxe/TcpDriver.c | 92 ++++++++++++- - NetworkPkg/TcpDxe/TcpDxe.inf | 8 +- - NetworkPkg/TcpDxe/TcpFunc.h | 23 ++-- - NetworkPkg/TcpDxe/TcpInput.c | 13 +- - NetworkPkg/TcpDxe/TcpMain.h | 59 ++++++-- - NetworkPkg/TcpDxe/TcpMisc.c | 244 ++++++++++++++++++++++++++++++++-- - NetworkPkg/TcpDxe/TcpTimer.c | 3 +- - 8 files changed, 415 insertions(+), 49 deletions(-) - -diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml -index 2b2c794697..ab355419cc 100644 ---- a/NetworkPkg/SecurityFixes.yaml -+++ b/NetworkPkg/SecurityFixes.yaml -@@ -121,6 +121,28 @@ CVE_2023_45235: - - http://www.openwall.com/lists/oss-security/2024/01/16/2 - - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html - - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html -+CVE_2023_45236: -+ commit_titles: -+ - "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch" -+ cve: CVE-2023-45236 -+ date_reported: 2023-08-28 13:56 UTC -+ description: "Bug 08 - edk2/NetworkPkg: Predictable TCP Initial Sequence Numbers" -+ note: -+ files_impacted: -+ - NetworkPkg/Include/Library/NetLib.h -+ - NetworkPkg/TcpDxe/TcpDriver.c -+ - NetworkPkg/TcpDxe/TcpDxe.inf -+ - NetworkPkg/TcpDxe/TcpFunc.h -+ - NetworkPkg/TcpDxe/TcpInput.c -+ - NetworkPkg/TcpDxe/TcpMain.h -+ - NetworkPkg/TcpDxe/TcpMisc.c -+ - NetworkPkg/TcpDxe/TcpTimer.c -+ links: -+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4541 -+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45236 -+ - http://www.openwall.com/lists/oss-security/2024/01/16/2 -+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html -+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html - CVE_2023_45237: - commit_titles: - - "NetworkPkg:: SECURITY PATCH CVE 2023-45237" -diff --git a/NetworkPkg/TcpDxe/TcpDriver.c b/NetworkPkg/TcpDxe/TcpDriver.c -index 8fe6badd68..40bba4080c 100644 ---- a/NetworkPkg/TcpDxe/TcpDriver.c -+++ b/NetworkPkg/TcpDxe/TcpDriver.c -@@ -83,6 +83,12 @@ EFI_SERVICE_BINDING_PROTOCOL gTcpServiceBinding = { - TcpServiceBindingDestroyChild - }; - -+// -+// This is the handle for the Hash2ServiceBinding Protocol instance this driver produces -+// if the platform does not provide one. -+// -+EFI_HANDLE mHash2ServiceHandle = NULL; -+ - /** - Create and start the heartbeat timer for the TCP driver. - -@@ -165,6 +171,23 @@ TcpDriverEntryPoint ( - EFI_STATUS Status; - UINT32 Random; - -+ // -+ // Initialize the Secret used for hashing TCP sequence numbers -+ // -+ // Normally this should be regenerated periodically, but since -+ // this is only used for UEFI networking and not a general purpose -+ // operating system, it is not necessary to regenerate it. -+ // -+ Status = PseudoRandomU32 (&mTcpGlobalSecret); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "%a failed to generate random number: %r\n", __func__, Status)); -+ return Status; -+ } -+ -+ // -+ // Get a random number used to generate a random port number -+ // Intentionally not linking this to mTcpGlobalSecret to avoid leaking information about the secret -+ // - Status = PseudoRandomU32 (&Random); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "%a Failed to generate random number: %r\n", __func__, Status)); -@@ -207,9 +230,8 @@ TcpDriverEntryPoint ( - } - - // -- // Initialize ISS and random port. -+ // Initialize the random port. - // -- mTcpGlobalIss = Random % mTcpGlobalIss; - mTcp4RandomPort = (UINT16)(TCP_PORT_KNOWN + (Random % TCP_PORT_KNOWN)); - mTcp6RandomPort = mTcp4RandomPort; - -@@ -224,6 +246,8 @@ TcpDriverEntryPoint ( - @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6. - - @retval EFI_OUT_OF_RESOURCES Failed to allocate some resources. -+ @retval EFI_UNSUPPORTED Service Binding Protocols are unavailable. -+ @retval EFI_ALREADY_STARTED The TCP driver is already started on the controller. - @retval EFI_SUCCESS A new IP6 service binding private was created. - - **/ -@@ -234,11 +258,13 @@ TcpCreateService ( - IN UINT8 IpVersion - ) - { -- EFI_STATUS Status; -- EFI_GUID *IpServiceBindingGuid; -- EFI_GUID *TcpServiceBindingGuid; -- TCP_SERVICE_DATA *TcpServiceData; -- IP_IO_OPEN_DATA OpenData; -+ EFI_STATUS Status; -+ EFI_GUID *IpServiceBindingGuid; -+ EFI_GUID *TcpServiceBindingGuid; -+ TCP_SERVICE_DATA *TcpServiceData; -+ IP_IO_OPEN_DATA OpenData; -+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding; -+ EFI_HASH2_PROTOCOL *Hash2Protocol; - - if (IpVersion == IP_VERSION_4) { - IpServiceBindingGuid = &gEfiIp4ServiceBindingProtocolGuid; -@@ -272,6 +298,33 @@ TcpCreateService ( - return EFI_UNSUPPORTED; - } - -+ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol); -+ if (EFI_ERROR (Status)) { -+ // -+ // If we can't find the Hashing protocol, then we need to create one. -+ // -+ -+ // -+ // Platform is expected to publish the hash service binding protocol to support TCP. -+ // -+ Status = gBS->LocateProtocol ( -+ &gEfiHash2ServiceBindingProtocolGuid, -+ NULL, -+ (VOID **)&Hash2ServiceBinding -+ ); -+ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->CreateChild == NULL)) { -+ return EFI_UNSUPPORTED; -+ } -+ -+ // -+ // Create an instance of the hash protocol for this controller. -+ // -+ Status = Hash2ServiceBinding->CreateChild (Hash2ServiceBinding, &mHash2ServiceHandle); -+ if (EFI_ERROR (Status)) { -+ return EFI_UNSUPPORTED; -+ } -+ } -+ - // - // Create the TCP service data. - // -@@ -423,6 +476,7 @@ TcpDestroyService ( - EFI_STATUS Status; - LIST_ENTRY *List; - TCP_DESTROY_CHILD_IN_HANDLE_BUF_CONTEXT Context; -+ EFI_SERVICE_BINDING_PROTOCOL *Hash2ServiceBinding; - - ASSERT ((IpVersion == IP_VERSION_4) || (IpVersion == IP_VERSION_6)); - -@@ -439,6 +493,30 @@ TcpDestroyService ( - return EFI_SUCCESS; - } - -+ // -+ // Destroy the Hash2ServiceBinding instance if it is created by Tcp driver. -+ // -+ if (mHash2ServiceHandle != NULL) { -+ Status = gBS->LocateProtocol ( -+ &gEfiHash2ServiceBindingProtocolGuid, -+ NULL, -+ (VOID **)&Hash2ServiceBinding -+ ); -+ if (EFI_ERROR (Status) || (Hash2ServiceBinding == NULL) || (Hash2ServiceBinding->DestroyChild == NULL)) { -+ return EFI_UNSUPPORTED; -+ } -+ -+ // -+ // Destroy the instance of the hashing protocol for this controller. -+ // -+ Status = Hash2ServiceBinding->DestroyChild (Hash2ServiceBinding, &mHash2ServiceHandle); -+ if (EFI_ERROR (Status)) { -+ return EFI_UNSUPPORTED; -+ } -+ -+ mHash2ServiceHandle = NULL; -+ } -+ - Status = gBS->OpenProtocol ( - NicHandle, - ServiceBindingGuid, -diff --git a/NetworkPkg/TcpDxe/TcpDxe.inf b/NetworkPkg/TcpDxe/TcpDxe.inf -index cf5423f4c5..76de4cf9ec 100644 ---- a/NetworkPkg/TcpDxe/TcpDxe.inf -+++ b/NetworkPkg/TcpDxe/TcpDxe.inf -@@ -6,6 +6,7 @@ - # stack has been loaded in system. This driver supports both IPv4 and IPv6 network stack. - # - # Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-+# Copyright (c) Microsoft Corporation - # - # SPDX-License-Identifier: BSD-2-Clause-Patent - # -@@ -68,7 +69,6 @@ - NetLib - IpIoLib - -- - [Protocols] - ## SOMETIMES_CONSUMES - ## SOMETIMES_PRODUCES -@@ -81,6 +81,12 @@ - gEfiIp6ServiceBindingProtocolGuid ## TO_START - gEfiTcp6ProtocolGuid ## BY_START - gEfiTcp6ServiceBindingProtocolGuid ## BY_START -+ gEfiHash2ProtocolGuid ## BY_START -+ gEfiHash2ServiceBindingProtocolGuid ## BY_START -+ -+[Guids] -+ gEfiHashAlgorithmMD5Guid ## CONSUMES -+ gEfiHashAlgorithmSha256Guid ## CONSUMES - - [Depex] - gEfiHash2ServiceBindingProtocolGuid -diff --git a/NetworkPkg/TcpDxe/TcpFunc.h b/NetworkPkg/TcpDxe/TcpFunc.h -index a7af01fff2..c707bee3e5 100644 ---- a/NetworkPkg/TcpDxe/TcpFunc.h -+++ b/NetworkPkg/TcpDxe/TcpFunc.h -@@ -2,7 +2,7 @@ - Declaration of external functions shared in TCP driver. - - Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -36,8 +36,11 @@ VOID - - @param[in, out] Tcb Pointer to the TCP_CB of this TCP instance. - -+ @retval EFI_SUCCESS The operation completed successfully -+ @retval others The underlying functions failed and could not complete the operation -+ - **/ --VOID -+EFI_STATUS - TcpInitTcbLocal ( - IN OUT TCP_CB *Tcb - ); -@@ -128,17 +131,6 @@ TcpCloneTcb ( - IN TCP_CB *Tcb - ); - --/** -- Compute an ISS to be used by a new connection. -- -- @return The result ISS. -- --**/ --TCP_SEQNO --TcpGetIss ( -- VOID -- ); -- - /** - Get the local mss. - -@@ -202,8 +194,11 @@ TcpFormatNetbuf ( - @param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a - connection. - -+ @retval EFI_SUCCESS The operation completed successfully -+ @retval others The underlying functions failed and could not complete the operation -+ - **/ --VOID -+EFI_STATUS - TcpOnAppConnect ( - IN OUT TCP_CB *Tcb - ); -diff --git a/NetworkPkg/TcpDxe/TcpInput.c b/NetworkPkg/TcpDxe/TcpInput.c -index fb1aa827f8..0477a15d0c 100644 ---- a/NetworkPkg/TcpDxe/TcpInput.c -+++ b/NetworkPkg/TcpDxe/TcpInput.c -@@ -724,6 +724,7 @@ TcpInput ( - TCP_SEQNO Urg; - UINT16 Checksum; - INT32 Usable; -+ EFI_STATUS Status; - - ASSERT ((Version == IP_VERSION_4) || (Version == IP_VERSION_6)); - -@@ -872,7 +873,17 @@ TcpInput ( - Tcb->LocalEnd.Port = Head->DstPort; - Tcb->RemoteEnd.Port = Head->SrcPort; - -- TcpInitTcbLocal (Tcb); -+ Status = TcpInitTcbLocal (Tcb); -+ if (EFI_ERROR (Status)) { -+ DEBUG ( -+ (DEBUG_ERROR, -+ "TcpInput: discard a segment because failed to init local end for TCB %p\n", -+ Tcb) -+ ); -+ -+ goto DISCARD; -+ } -+ - TcpInitTcbPeer (Tcb, Seg, &Option); - - TcpSetState (Tcb, TCP_SYN_RCVD); -diff --git a/NetworkPkg/TcpDxe/TcpMain.h b/NetworkPkg/TcpDxe/TcpMain.h -index c0c9b7f46e..4d5566ab93 100644 ---- a/NetworkPkg/TcpDxe/TcpMain.h -+++ b/NetworkPkg/TcpDxe/TcpMain.h -@@ -3,7 +3,7 @@ - It is the common head file for all Tcp*.c in TCP driver. - - Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -13,6 +13,7 @@ - - #include - #include -+#include - #include - #include - #include -@@ -31,7 +32,7 @@ extern EFI_UNICODE_STRING_TABLE *gTcpControllerNameTable; - - extern LIST_ENTRY mTcpRunQue; - extern LIST_ENTRY mTcpListenQue; --extern TCP_SEQNO mTcpGlobalIss; -+extern TCP_SEQNO mTcpGlobalSecret; - extern UINT32 mTcpTick; - - /// -@@ -45,14 +46,6 @@ extern UINT32 mTcpTick; - - #define TCP_EXPIRE_TIME 65535 - --/// --/// The implementation selects the initial send sequence number and the unit to --/// be added when it is increased. --/// --#define TCP_BASE_ISS 0x4d7e980b --#define TCP_ISS_INCREMENT_1 2048 --#define TCP_ISS_INCREMENT_2 100 -- - typedef union { - EFI_TCP4_CONFIG_DATA Tcp4CfgData; - EFI_TCP6_CONFIG_DATA Tcp6CfgData; -@@ -774,4 +767,50 @@ Tcp6Poll ( - IN EFI_TCP6_PROTOCOL *This - ); - -+/** -+ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local -+ and remote IP addresses and ports. -+ -+ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1 -+ Where the ISN is computed as follows: -+ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret) -+ -+ Otherwise: -+ ISN = M + F(localip, localport, remoteip, remoteport, secretkey) -+ -+ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the -+ connection's identifying parameters ("localip, localport, remoteip, remoteport") -+ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the -+ outside (MUST-9), or an attacker could still guess at sequence numbers from the -+ ISN used for some other connection. The PRF could be implemented as a -+ cryptographic hash of the concatenation of the TCP connection parameters and some -+ secret data. For discussion of the selection of a specific hash algorithm and -+ management of the secret key data." -+ -+ @param[in] LocalIp A pointer to the local IP address of the TCP connection. -+ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer. -+ @param[in] LocalPort The local port number of the TCP connection. -+ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection. -+ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer. -+ @param[in] RemotePort The remote port number of the TCP connection. -+ @param[out] Isn A pointer to the variable that will receive the Initial -+ Sequence Number (ISN). -+ -+ @retval EFI_SUCCESS The operation completed successfully, and the ISN was -+ retrieved. -+ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid. -+ @retval EFI_UNSUPPORTED The operation is not supported. -+ -+**/ -+EFI_STATUS -+TcpGetIsn ( -+ IN UINT8 *LocalIp, -+ IN UINTN LocalIpSize, -+ IN UINT16 LocalPort, -+ IN UINT8 *RemoteIp, -+ IN UINTN RemoteIpSize, -+ IN UINT16 RemotePort, -+ OUT TCP_SEQNO *Isn -+ ); -+ - #endif -diff --git a/NetworkPkg/TcpDxe/TcpMisc.c b/NetworkPkg/TcpDxe/TcpMisc.c -index c93212d47d..3310306f63 100644 ---- a/NetworkPkg/TcpDxe/TcpMisc.c -+++ b/NetworkPkg/TcpDxe/TcpMisc.c -@@ -3,7 +3,7 @@ - - (C) Copyright 2014 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -20,7 +20,34 @@ LIST_ENTRY mTcpListenQue = { - &mTcpListenQue - }; - --TCP_SEQNO mTcpGlobalIss = TCP_BASE_ISS; -+// -+// The Session secret -+// This must be initialized to a random value at boot time -+// -+TCP_SEQNO mTcpGlobalSecret; -+ -+// -+// Union to hold either an IPv4 or IPv6 address -+// This is used to simplify the ISN hash computation -+// -+typedef union { -+ UINT8 IPv4[4]; -+ UINT8 IPv6[16]; -+} NETWORK_ADDRESS; -+ -+// -+// The ISN is computed by hashing this structure -+// It is initialized with the local and remote IP addresses and ports -+// and the secret -+// -+// -+typedef struct { -+ UINT16 LocalPort; -+ UINT16 RemotePort; -+ NETWORK_ADDRESS LocalAddress; -+ NETWORK_ADDRESS RemoteAddress; -+ TCP_SEQNO Secret; -+} ISN_HASH_CTX; - - CHAR16 *mTcpStateName[] = { - L"TCP_CLOSED", -@@ -41,12 +68,18 @@ CHAR16 *mTcpStateName[] = { - - @param[in, out] Tcb Pointer to the TCP_CB of this TCP instance. - -+ @retval EFI_SUCCESS The operation completed successfully -+ @retval others The underlying functions failed and could not complete the operation -+ - **/ --VOID -+EFI_STATUS - TcpInitTcbLocal ( - IN OUT TCP_CB *Tcb - ) - { -+ TCP_SEQNO Isn; -+ EFI_STATUS Status; -+ - // - // Compute the checksum of the fixed parts of pseudo header - // -@@ -57,6 +90,16 @@ TcpInitTcbLocal ( - 0x06, - 0 - ); -+ -+ Status = TcpGetIsn ( -+ Tcb->LocalEnd.Ip.v4.Addr, -+ sizeof (IPv4_ADDRESS), -+ Tcb->LocalEnd.Port, -+ Tcb->RemoteEnd.Ip.v4.Addr, -+ sizeof (IPv4_ADDRESS), -+ Tcb->RemoteEnd.Port, -+ &Isn -+ ); - } else { - Tcb->HeadSum = NetIp6PseudoHeadChecksum ( - &Tcb->LocalEnd.Ip.v6, -@@ -64,9 +107,25 @@ TcpInitTcbLocal ( - 0x06, - 0 - ); -+ -+ Status = TcpGetIsn ( -+ Tcb->LocalEnd.Ip.v6.Addr, -+ sizeof (IPv6_ADDRESS), -+ Tcb->LocalEnd.Port, -+ Tcb->RemoteEnd.Ip.v6.Addr, -+ sizeof (IPv6_ADDRESS), -+ Tcb->RemoteEnd.Port, -+ &Isn -+ ); -+ } -+ -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_ERROR, "TcpInitTcbLocal: failed to get isn\n")); -+ ASSERT (FALSE); -+ return Status; - } - -- Tcb->Iss = TcpGetIss (); -+ Tcb->Iss = Isn; - Tcb->SndUna = Tcb->Iss; - Tcb->SndNxt = Tcb->Iss; - -@@ -82,6 +141,8 @@ TcpInitTcbLocal ( - Tcb->RetxmitSeqMax = 0; - - Tcb->ProbeTimerOn = FALSE; -+ -+ return EFI_SUCCESS; - } - - /** -@@ -506,18 +567,162 @@ TcpCloneTcb ( - } - - /** -- Compute an ISS to be used by a new connection. -- -- @return The resulting ISS. -+ Retrieves the Initial Sequence Number (ISN) for a TCP connection identified by local -+ and remote IP addresses and ports. -+ -+ This method is based on https://datatracker.ietf.org/doc/html/rfc9293#section-3.4.1 -+ Where the ISN is computed as follows: -+ ISN = TimeStamp + MD5(LocalIP, LocalPort, RemoteIP, RemotePort, Secret) -+ -+ Otherwise: -+ ISN = M + F(localip, localport, remoteip, remoteport, secretkey) -+ -+ "Here M is the 4 microsecond timer, and F() is a pseudorandom function (PRF) of the -+ connection's identifying parameters ("localip, localport, remoteip, remoteport") -+ and a secret key ("secretkey") (SHLD-1). F() MUST NOT be computable from the -+ outside (MUST-9), or an attacker could still guess at sequence numbers from the -+ ISN used for some other connection. The PRF could be implemented as a -+ cryptographic hash of the concatenation of the TCP connection parameters and some -+ secret data. For discussion of the selection of a specific hash algorithm and -+ management of the secret key data." -+ -+ @param[in] LocalIp A pointer to the local IP address of the TCP connection. -+ @param[in] LocalIpSize The size, in bytes, of the LocalIp buffer. -+ @param[in] LocalPort The local port number of the TCP connection. -+ @param[in] RemoteIp A pointer to the remote IP address of the TCP connection. -+ @param[in] RemoteIpSize The size, in bytes, of the RemoteIp buffer. -+ @param[in] RemotePort The remote port number of the TCP connection. -+ @param[out] Isn A pointer to the variable that will receive the Initial -+ Sequence Number (ISN). -+ -+ @retval EFI_SUCCESS The operation completed successfully, and the ISN was -+ retrieved. -+ @retval EFI_INVALID_PARAMETER One or more of the input parameters are invalid. -+ @retval EFI_UNSUPPORTED The operation is not supported. - - **/ --TCP_SEQNO --TcpGetIss ( -- VOID -+EFI_STATUS -+TcpGetIsn ( -+ IN UINT8 *LocalIp, -+ IN UINTN LocalIpSize, -+ IN UINT16 LocalPort, -+ IN UINT8 *RemoteIp, -+ IN UINTN RemoteIpSize, -+ IN UINT16 RemotePort, -+ OUT TCP_SEQNO *Isn - ) - { -- mTcpGlobalIss += TCP_ISS_INCREMENT_1; -- return mTcpGlobalIss; -+ EFI_STATUS Status; -+ EFI_HASH2_PROTOCOL *Hash2Protocol; -+ EFI_HASH2_OUTPUT HashResult; -+ ISN_HASH_CTX IsnHashCtx; -+ EFI_TIME TimeStamp; -+ -+ // -+ // Check that the ISN pointer is valid -+ // -+ if (Isn == NULL) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // The local ip may be a v4 or v6 address and may not be NULL -+ // -+ if ((LocalIp == NULL) || (LocalIpSize == 0) || (RemoteIp == NULL) || (RemoteIpSize == 0)) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // the local ip may be a v4 or v6 address -+ // -+ if ((LocalIpSize != sizeof (EFI_IPv4_ADDRESS)) && (LocalIpSize != sizeof (EFI_IPv6_ADDRESS))) { -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ // -+ // Locate the Hash Protocol -+ // -+ Status = gBS->LocateProtocol (&gEfiHash2ProtocolGuid, NULL, (VOID **)&Hash2Protocol); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_NET, "Failed to locate Hash Protocol: %r\n", Status)); -+ -+ // -+ // TcpCreateService(..) is expected to be called prior to this function -+ // -+ ASSERT_EFI_ERROR (Status); -+ return Status; -+ } -+ -+ // -+ // Initialize the hash algorithm -+ // -+ Status = Hash2Protocol->HashInit (Hash2Protocol, &gEfiHashAlgorithmSha256Guid); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_NET, "Failed to initialize sha256 hash algorithm: %r\n", Status)); -+ return Status; -+ } -+ -+ IsnHashCtx.LocalPort = LocalPort; -+ IsnHashCtx.RemotePort = RemotePort; -+ IsnHashCtx.Secret = mTcpGlobalSecret; -+ -+ // -+ // Check the IP address family and copy accordingly -+ // -+ if (LocalIpSize == sizeof (EFI_IPv4_ADDRESS)) { -+ CopyMem (&IsnHashCtx.LocalAddress.IPv4, LocalIp, LocalIpSize); -+ } else if (LocalIpSize == sizeof (EFI_IPv6_ADDRESS)) { -+ CopyMem (&IsnHashCtx.LocalAddress.IPv6, LocalIp, LocalIpSize); -+ } else { -+ return EFI_INVALID_PARAMETER; // Unsupported address size -+ } -+ -+ // -+ // Repeat the process for the remote IP address -+ // -+ if (RemoteIpSize == sizeof (EFI_IPv4_ADDRESS)) { -+ CopyMem (&IsnHashCtx.RemoteAddress.IPv4, RemoteIp, RemoteIpSize); -+ } else if (RemoteIpSize == sizeof (EFI_IPv6_ADDRESS)) { -+ CopyMem (&IsnHashCtx.RemoteAddress.IPv6, RemoteIp, RemoteIpSize); -+ } else { -+ return EFI_INVALID_PARAMETER; // Unsupported address size -+ } -+ -+ // -+ // Compute the hash -+ // Update the hash with the data -+ // -+ Status = Hash2Protocol->HashUpdate (Hash2Protocol, (UINT8 *)&IsnHashCtx, sizeof (IsnHashCtx)); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_NET, "Failed to update hash: %r\n", Status)); -+ return Status; -+ } -+ -+ // -+ // Finalize the hash and retrieve the result -+ // -+ Status = Hash2Protocol->HashFinal (Hash2Protocol, &HashResult); -+ if (EFI_ERROR (Status)) { -+ DEBUG ((DEBUG_NET, "Failed to finalize hash: %r\n", Status)); -+ return Status; -+ } -+ -+ Status = gRT->GetTime (&TimeStamp, NULL); -+ if (EFI_ERROR (Status)) { -+ return Status; -+ } -+ -+ // -+ // copy the first 4 bytes of the hash result into the ISN -+ // -+ CopyMem (Isn, HashResult.Md5Hash, sizeof (*Isn)); -+ -+ // -+ // now add the timestamp to the ISN as 4 microseconds units (1000 / 4 = 250) -+ // -+ *Isn += (TCP_SEQNO)TimeStamp.Nanosecond * 250; -+ -+ return Status; - } - - /** -@@ -721,17 +926,28 @@ TcpFormatNetbuf ( - @param[in, out] Tcb Pointer to the TCP_CB that wants to initiate a - connection. - -+ @retval EFI_SUCCESS The operation completed successfully -+ @retval others The underlying functions failed and could not complete the operation -+ - **/ --VOID -+EFI_STATUS - TcpOnAppConnect ( - IN OUT TCP_CB *Tcb - ) - { -- TcpInitTcbLocal (Tcb); -+ EFI_STATUS Status; -+ -+ Status = TcpInitTcbLocal (Tcb); -+ if (EFI_ERROR (Status)) { -+ return Status; -+ } -+ - TcpSetState (Tcb, TCP_SYN_SENT); - - TcpSetTimer (Tcb, TCP_TIMER_CONNECT, Tcb->ConnectTimeout); - TcpToSendData (Tcb, 1); -+ -+ return EFI_SUCCESS; - } - - /** -diff --git a/NetworkPkg/TcpDxe/TcpTimer.c b/NetworkPkg/TcpDxe/TcpTimer.c -index 5d2e124977..065b1bdf5f 100644 ---- a/NetworkPkg/TcpDxe/TcpTimer.c -+++ b/NetworkPkg/TcpDxe/TcpTimer.c -@@ -2,7 +2,7 @@ - TCP timer related functions. - - Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
-- -+ Copyright (c) Microsoft Corporation - SPDX-License-Identifier: BSD-2-Clause-Patent - - **/ -@@ -483,7 +483,6 @@ TcpTickingDpc ( - INT16 Index; - - mTcpTick++; -- mTcpGlobalIss += TCP_ISS_INCREMENT_2; - - // - // Don't use LIST_FOR_EACH, which isn't delete safe. --- -2.40.0 - diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index bb345688ac..3c577e51a9 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb @@ -47,7 +47,6 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://CVE-2023-45229-0002.patch \ file://CVE-2023-45229-0003.patch \ file://CVE-2023-45229-0004.patch \ - file://CVE-2023-45236.patch \ file://CVE-2022-36765-0001.patch \ file://CVE-2022-36765-0002.patch \ file://CVE-2022-36765-0003.patch \