From e22e11cc37c3bf3530ea8db1d18371c47c9e4440 Mon Sep 17 00:00:00 2001 From: Jon Maloy Date: Thu, 20 Jun 2024 10:34:22 -0400 Subject: [PATCH 6/8] OvmfPkg: wire up RngDxe RH-Author: Jon Maloy RH-MergeRequest: 75: NetworkPkg: SECURITY PATCH CVE-2023-45236 and CVE-2023-45237 RH-Jira: RHEL-40270 RHEL-40272 RH-Acked-by: Gerd Hoffmann RH-Commit: [6/8] 4adf88888386923ee824469cf836b4f63117807d JIRA: https://issues.redhat.com/browse/RHEL-40270 Upstream: Merged CVE: CVE-2023-45237 Conflicts: Cherry pick wanted to add include files from the missing 'add ShellComponents' (commit 2cb466cc2cbf...) series. This had to be handled manually. commit 712797cf19acd292bf203522a79e40e7e13d268b Author: Gerd Hoffmann Date: Fri May 24 12:51:17 2024 +0200 OvmfPkg: wire up RngDxe Add OvmfRng include snippets with the random number generator configuration for OVMF. Include RngDxe, build with BaseRngLib, so the rdrand instruction is used (if available). Also move VirtioRng to the include snippets. Use the new include snippets for OVMF builds. Signed-off-by: Gerd Hoffmann Signed-off-by: Jon Maloy --- OvmfPkg/AmdSev/AmdSevX64.dsc | 2 +- OvmfPkg/AmdSev/AmdSevX64.fdf | 3 ++- OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc | 9 +++++++++ OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc | 6 ++++++ OvmfPkg/IntelTdx/IntelTdxX64.dsc | 2 +- OvmfPkg/IntelTdx/IntelTdxX64.fdf | 3 ++- OvmfPkg/Microvm/MicrovmX64.dsc | 2 +- OvmfPkg/Microvm/MicrovmX64.fdf | 3 ++- OvmfPkg/OvmfPkgIa32.dsc | 2 +- OvmfPkg/OvmfPkgIa32.fdf | 3 ++- OvmfPkg/OvmfPkgIa32X64.dsc | 2 +- OvmfPkg/OvmfPkgIa32X64.fdf | 3 ++- OvmfPkg/OvmfPkgX64.dsc | 2 +- OvmfPkg/OvmfPkgX64.fdf | 3 ++- 14 files changed, 33 insertions(+), 12 deletions(-) create mode 100644 OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc create mode 100644 OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index 7bb6ffb3f0..5d50e77002 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -651,7 +651,6 @@ OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf OvmfPkg/VirtioScsiDxe/VirtioScsi.inf - OvmfPkg/VirtioRngDxe/VirtioRng.inf !if $(PVSCSI_ENABLE) == TRUE OvmfPkg/PvScsiDxe/PvScsiDxe.inf !endif @@ -763,6 +762,7 @@ gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 } !endif +!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc OvmfPkg/PlatformDxe/Platform.inf OvmfPkg/AmdSevDxe/AmdSevDxe.inf { diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf index 0e3d7bea2b..c94f2d34ee 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.fdf +++ b/OvmfPkg/AmdSev/AmdSevX64.fdf @@ -220,7 +220,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf INF OvmfPkg/Virtio10Dxe/Virtio10.inf INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf -INF OvmfPkg/VirtioRngDxe/VirtioRng.inf !if $(PVSCSI_ENABLE) == TRUE INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf !endif @@ -316,6 +315,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf # !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc +!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc + ################################################################################ [FV.FVMAIN_COMPACT] diff --git a/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc new file mode 100644 index 0000000000..68839a0caa --- /dev/null +++ b/OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc @@ -0,0 +1,9 @@ +## +# SPDX-License-Identifier: BSD-2-Clause-Patent +## + + SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf { + + RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf + } + OvmfPkg/VirtioRngDxe/VirtioRng.inf diff --git a/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc b/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc new file mode 100644 index 0000000000..99cb4a32b1 --- /dev/null +++ b/OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc @@ -0,0 +1,6 @@ +## +# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf +INF OvmfPkg/VirtioRngDxe/VirtioRng.inf diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc index fd6722499a..d38fed2171 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -641,7 +641,6 @@ OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf OvmfPkg/VirtioScsiDxe/VirtioScsi.inf - OvmfPkg/VirtioRngDxe/VirtioRng.inf !if $(PVSCSI_ENABLE) == TRUE OvmfPkg/PvScsiDxe/PvScsiDxe.inf !endif @@ -752,6 +751,7 @@ gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 } !endif +!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc !if $(SECURE_BOOT_ENABLE) == TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.fdf b/OvmfPkg/IntelTdx/IntelTdxX64.fdf index 69ed7a9bc6..077a5c8637 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.fdf +++ b/OvmfPkg/IntelTdx/IntelTdxX64.fdf @@ -285,7 +285,6 @@ READ_LOCK_STATUS = TRUE # INF MdeModulePkg/Universal/EbcDxe/EbcDxe.inf INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf -INF OvmfPkg/VirtioRngDxe/VirtioRng.inf !if $(PVSCSI_ENABLE) == TRUE INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf !endif @@ -333,6 +332,8 @@ INF OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf INF OvmfPkg/VirtioGpuDxe/VirtioGpu.inf INF OvmfPkg/PlatformDxe/Platform.inf +!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc + ################################################################################ [FV.FVMAIN_COMPACT] diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc index 79f14b5c05..ca6902971f 100644 --- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc @@ -754,7 +754,6 @@ OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf OvmfPkg/VirtioScsiDxe/VirtioScsi.inf - OvmfPkg/VirtioRngDxe/VirtioRng.inf OvmfPkg/VirtioSerialDxe/VirtioSerial.inf MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf @@ -880,6 +879,7 @@ gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 } +!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc !if $(SECURE_BOOT_ENABLE) == TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf diff --git a/OvmfPkg/Microvm/MicrovmX64.fdf b/OvmfPkg/Microvm/MicrovmX64.fdf index eda24a3ec9..767ee4b338 100644 --- a/OvmfPkg/Microvm/MicrovmX64.fdf +++ b/OvmfPkg/Microvm/MicrovmX64.fdf @@ -204,7 +204,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf INF OvmfPkg/Virtio10Dxe/Virtio10.inf INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf -INF OvmfPkg/VirtioRngDxe/VirtioRng.inf INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(SECURE_BOOT_ENABLE) == TRUE @@ -303,6 +302,8 @@ INF OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc + ################################################################################ [FV.FVMAIN_COMPACT] diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 83adecc374..4074aa382d 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -804,7 +804,6 @@ OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf OvmfPkg/VirtioScsiDxe/VirtioScsi.inf - OvmfPkg/VirtioRngDxe/VirtioRng.inf OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(PVSCSI_ENABLE) == TRUE OvmfPkg/PvScsiDxe/PvScsiDxe.inf @@ -942,6 +941,7 @@ gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 } !endif +!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc !if $(SECURE_BOOT_ENABLE) == TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf index 88c57ff5ff..20cfd2788e 100644 --- a/OvmfPkg/OvmfPkgIa32.fdf +++ b/OvmfPkg/OvmfPkgIa32.fdf @@ -236,7 +236,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf INF OvmfPkg/Virtio10Dxe/Virtio10.inf INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf -INF OvmfPkg/VirtioRngDxe/VirtioRng.inf INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(PVSCSI_ENABLE) == TRUE INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf @@ -367,6 +366,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf # !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc +!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc + !if $(LOAD_X64_ON_IA32_ENABLE) == TRUE INF OvmfPkg/CompatImageLoaderDxe/CompatImageLoaderDxe.inf !endif diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index b47cdf63e7..75ef19bc85 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -822,7 +822,6 @@ OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf OvmfPkg/VirtioScsiDxe/VirtioScsi.inf - OvmfPkg/VirtioRngDxe/VirtioRng.inf OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(PVSCSI_ENABLE) == TRUE OvmfPkg/PvScsiDxe/PvScsiDxe.inf @@ -960,6 +959,7 @@ gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 } !endif +!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc !if $(SECURE_BOOT_ENABLE) == TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf index ab5a9bc306..8517c79ba2 100644 --- a/OvmfPkg/OvmfPkgIa32X64.fdf +++ b/OvmfPkg/OvmfPkgIa32X64.fdf @@ -237,7 +237,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf INF OvmfPkg/Virtio10Dxe/Virtio10.inf INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf -INF OvmfPkg/VirtioRngDxe/VirtioRng.inf INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(PVSCSI_ENABLE) == TRUE INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf @@ -374,6 +373,8 @@ INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf # !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc +!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc + ################################################################################ [FV.FVMAIN_COMPACT] diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index be3824ec1e..631ff0c788 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -890,7 +890,6 @@ OvmfPkg/Virtio10Dxe/Virtio10.inf OvmfPkg/VirtioBlkDxe/VirtioBlk.inf OvmfPkg/VirtioScsiDxe/VirtioScsi.inf - OvmfPkg/VirtioRngDxe/VirtioRng.inf OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(PVSCSI_ENABLE) == TRUE OvmfPkg/PvScsiDxe/PvScsiDxe.inf @@ -1028,6 +1027,7 @@ gEfiMdePkgTokenSpaceGuid.PcdUefiLibMaxPrintBufferSize|8000 } !endif +!include OvmfPkg/Include/Dsc/OvmfRngComponents.dsc.inc !if $(SECURE_BOOT_ENABLE) == TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf index 851399888f..7ecde357ce 100644 --- a/OvmfPkg/OvmfPkgX64.fdf +++ b/OvmfPkg/OvmfPkgX64.fdf @@ -262,7 +262,6 @@ INF OvmfPkg/VirtioPciDeviceDxe/VirtioPciDeviceDxe.inf INF OvmfPkg/Virtio10Dxe/Virtio10.inf INF OvmfPkg/VirtioBlkDxe/VirtioBlk.inf INF OvmfPkg/VirtioScsiDxe/VirtioScsi.inf -INF OvmfPkg/VirtioRngDxe/VirtioRng.inf INF OvmfPkg/VirtioSerialDxe/VirtioSerial.inf !if $(PVSCSI_ENABLE) == TRUE INF OvmfPkg/PvScsiDxe/PvScsiDxe.inf @@ -408,6 +407,8 @@ INF SecurityPkg/Tcg/TdTcg2Dxe/TdTcg2Dxe.inf # !include OvmfPkg/Include/Fdf/OvmfTpmDxe.fdf.inc +!include OvmfPkg/Include/Fdf/OvmfRngDxe.fdf.inc + ################################################################################ [FV.FVMAIN_COMPACT] -- 2.39.3