On Thu, 14 Nov 2019 at 04:39, Wang, Jian J <jian.j.w...@intel.com> wrote:
>
> Mike,
>
> I figured that rdseed is only needed in cases demanding highest entropy,
> like seeding other pseudo-RNG. It's not for general purpose randomness.
> Then I put it in SecurityPkg. But I'm ok to put it into MdePkg. I have no
> strong opinion for this.
>

I think it is a bad idea to use the same library abstraction [RngLib]
for exposing

a) entropy sources used for seeding deterministic random number generators
b) deterministic random number generators themselves
c) low entropy pseudo-RNGs based on timestamp counters, etc

given that the use cases don't usually overlap. I.e., only a DRBG
implementation requires a), and exports RngLib itself based on that.
Use cases that can tolerate c) [like IV generators for block
encryption] are typically disjoint from ones that require b) [for key
generation]. The idea that you can use RngLib for all of them, and
plug arbitrary instantiations of it into each is misguided IMHO.

> > -----Original Message-----
> > From: Kinney, Michael D <michael.d.kin...@intel.com>
> > Sent: Thursday, November 14, 2019 12:25 PM
> > To: devel@edk2.groups.io; Wang, Jian J <jian.j.w...@intel.com>; Kinney,
> > Michael D <michael.d.kin...@intel.com>
> > Cc: Yao, Jiewen <jiewen....@intel.com>; Zhang, Chao B
> > <chao.b.zh...@intel.com>; Gao, Liming <liming....@intel.com>; Ni, Ray
> > <ray...@intel.com>
> > Subject: RE: [edk2-devel] [PATCH 05/11] SecurityPkg/RngLibRdSeed: add an
> > instance of RngLib to make use rdseed
> >
> > Jian,
> >
> > Why is this lib instance in the SecurityPkg? It only depends
> > on the MdePkg. Can't non security feature related modules
> > that want to a random number use this lib without using the
> > SecurityPkg? Could this lib instance be added to MdePkg?
> >
> > Thanks,
> >
> > Mike
> >
> > > -----Original Message-----
> > > From: devel@edk2.groups.io <devel@edk2.groups.io> On > > > Behalf Of Wang, Jian J > > > Sent: Wednesday, November 13, 2019 6:18 PM > > > To: devel@edk2.groups.io > > > Cc: Yao, Jiewen <jiewen....@intel.com>; Zhang, Chao B > > > <chao.b.zh...@intel.com>; Kinney, Michael D > > > <michael.d.kin...@intel.com>; Gao, Liming > > > <liming....@intel.com>; Ni, Ray <ray...@intel.com> > > > Subject: [edk2-devel] [PATCH 05/11] > > > SecurityPkg/RngLibRdSeed: add an instance of RngLib to > > > make use rdseed > > > > > > This version of RngLib makes use of AsmRdSeed to get > > > non-deterministic random number, which can be used for > > > seeding other software DRNG like rand interface in > > > openssl. It can be used only on IA32/X64 processors > > > which supports rdseed instruction. > > > > > > Ref: > > > https://bugzilla.tianocore.org/show_bug.cgi?id=1871 > > > Cc: Jiewen Yao <jiewen....@intel.com> > > > Cc: Chao Zhang <chao.b.zh...@intel.com> > > > Cc: Michael D Kinney <michael.d.kin...@intel.com> > > > Cc: Liming Gao <liming....@intel.com> > > > Cc: Ray Ni <ray...@intel.com> > > > Signed-off-by: Jian J Wang <jian.j.w...@intel.com> > > > --- > > > .../RngLibRdSeed/RngLibRdSeed.inf | 37 > > > ++++ > > > .../RngLibRdSeed/RngLibRdSeed.uni | 18 ++ > > > .../RngLibRdSeed/RngRdSeed.c | 189 > > > ++++++++++++++++++ > > > 3 files changed, 244 insertions(+) > > > create mode 100644 > > > SecurityPkg/RandomNumberGenerator/RngLibRdSeed/RngLibRd > > > Seed.inf > > > create mode 100644 > > > SecurityPkg/RandomNumberGenerator/RngLibRdSeed/RngLibRd > > > Seed.uni > > > create mode 100644 > > > SecurityPkg/RandomNumberGenerator/RngLibRdSeed/RngRdSee > > > d.c > > > > > > diff --git > > > a/SecurityPkg/RandomNumberGenerator/RngLibRdSeed/RngLib > > > RdSeed.inf > > > b/SecurityPkg/RandomNumberGenerator/RngLibRdSeed/RngLib > > > RdSeed.inf > > > new file mode 100644 > > > index 0000000000..8162408775 
> > > --- /dev/null > > > +++ > > > b/SecurityPkg/RandomNumberGenerator/RngLibRdSeed/RngLib > > > RdSeed.inf > > > @@ -0,0 +1,37 @@ > > > +## @file > > > +# Instance of RNG (Random Number Generator) Library. > > > +# > > > +# Rng RdSeed Library that uses CPU RdSeed instruction > > > access to > > > +provide # non-deterministic random number which can > > > be used as seed > > > +for other # software deterministic RNGs. > > > +# > > > +# Copyright (c) 2019, Intel Corporation. All rights > > > reserved.<BR> # # > > > +SPDX-License-Identifier: BSD-2-Clause-Patent # # ## > > > + > > > +[Defines] > > > + INF_VERSION = 0x00010029 > > > + BASE_NAME = RngLibRdSeed > > > + MODULE_UNI_FILE = RngLibRdSeed.uni > > > + FILE_GUID = 8B613B2E-B944-40F9- > > > B979-1B60D7CAA73C > > > + MODULE_TYPE = BASE > > > + VERSION_STRING = 1.0 > > > + LIBRARY_CLASS = RngLib > > > + CONSTRUCTOR = > > > RngLibRdSeedConstructor > > > + > > > +# > > > +# VALID_ARCHITECTURES = IA32 X64 > > > +# > > > + > > > +[Sources.Ia32, Sources.X64] > > > + RngRdSeed.c > > > + > > > +[Packages] > > > + MdePkg/MdePkg.dec > > > + > > > +[LibraryClasses] > > > + BaseLib > > > + DebugLib > > > diff --git > > > a/SecurityPkg/RandomNumberGenerator/RngLibRdSeed/RngLib > > > RdSeed.uni > > > b/SecurityPkg/RandomNumberGenerator/RngLibRdSeed/RngLib > > > RdSeed.uni > > > new file mode 100644 > > > index 0000000000..051a3019bc > > > --- /dev/null > > > +++ > > > b/SecurityPkg/RandomNumberGenerator/RngLibRdSeed/RngLib > > > RdSeed.uni 
> > > @@ -0,0 +1,18 @@ > > > +// /** @file > > > +// Instance of RNG (Random Number Generator) Library. > > > +// > > > +// Rng RdSeed Library that uses CPU RdSeed instruction > > > access to > > > +provide // non-deterministic random number which can > > > be used as seed > > > +for other // software deterministic RNGs. > > > +// > > > +// Copyright (c) 2019, Intel Corporation. All rights > > > reserved.<BR> // > > > +// SPDX-License-Identifier: BSD-2-Clause-Patent // // > > > **/ > > > + > > > + > > > +#string STR_MODULE_ABSTRACT #language en- > > > US "Instance of RNG Library" > > > + > > > +#string STR_MODULE_DESCRIPTION #language en- > > > US "RngRdSeed Library that uses CPU RdSeed instruction > > > access to provide non-deterministic random numbers." > > > + > > > diff --git > > > a/SecurityPkg/RandomNumberGenerator/RngLibRdSeed/RngRdS > > > eed.c > > > b/SecurityPkg/RandomNumberGenerator/RngLibRdSeed/RngRdS > > > eed.c > > > new file mode 100644 > > > index 0000000000..0036faa050 > > > --- /dev/null > > > +++ > > > b/SecurityPkg/RandomNumberGenerator/RngLibRdSeed/RngRdS > > > eed.c 
> > > @@ -0,0 +1,189 @@ > > > +/** @file > > > + Random number generator services that uses RdSeed > > > instruction access > > > + to provide non-deterministic random numbers, which > > > are usually used > > > + for seeding other pseudo-random number generators. > > > + > > > +Copyright (c) 2019, Intel Corporation. All rights > > > reserved.<BR> > > > +SPDX-License-Identifier: BSD-2-Clause-Patent > > > + > > > +**/ > > > + > > > +#include <Library/BaseLib.h> > > > +#include <Library/DebugLib.h> > > > +#include <Library/RngLib.h> > > > + > > > +// > > > +// Bit mask used to determine if RdSeed instruction is > > > supported. > > > +// > > > +#define RDSEED_MASK BIT18 > > > + > > > +// > > > +// Limited retry number when valid random data is > > > returned. > > > +// It varies between 1 and 100 according to "Intel(R) > > > DRGN Software > > > +Implementation // Guide". Let's use the same value as > > > RDRAND in BaseRngLib. > > > +// > > > +#define RDSEED_RETRY_LIMIT 10 > > > + > > > +/** > > > + The constructor function checks whether or not > > > RDSEED instruction is > > > +supported > > > + by the host hardware. > > > + > > > + The constructor function checks whether or not > > > RDSEED instruction is supported. > > > + It will ASSERT() if RDSEED instruction is not > > > supported. > > > + > > > + @retval RETURN_SUCCESS The processor supports > > > RDSEED instruction. > > > + @retval RETURN_UNSUPPORTED RDSEED instruction is > > > not supported. > > > + > > > +**/ > > > +RETURN_STATUS > > > +EFIAPI > > > +RngLibRdSeedConstructor ( > > > + VOID > > > + ) > > > +{ > > > + UINT32 RegEbx; > > > + > > > + // > > > + // Determine RDSEED support by examining bit 18 of > > > the EBX register > > > + returned by // CPUID(EAX=7, ECX=0). BIT18 of EBX > > > indicates that > > > + processor support RDSEED // instruction. 
> > > + // > > > + AsmCpuidEx (7, 0, NULL, &RegEbx, NULL, NULL); if > > > ((RegEbx & > > > + RDSEED_MASK) != RDSEED_MASK) { > > > + ASSERT ((RegEbx & RDSEED_MASK) == RDSEED_MASK); > > > + return RETURN_UNSUPPORTED; > > > + } > > > + > > > + return RETURN_SUCCESS; > > > +} > > > + > > > +/** > > > + Generates a 16-bit random number. > > > + > > > + if Rand is NULL, then ASSERT(). > > > + > > > + @param[out] Rand Buffer pointer to store the 16- > > > bit random value. > > > + > > > + @retval TRUE Random number generated > > > successfully. > > > + @retval FALSE Failed to generate the random > > > number. > > > + > > > +**/ > > > +BOOLEAN > > > +EFIAPI > > > +GetRandomNumber16 ( > > > + OUT UINT16 *Rand > > > + ) > > > +{ > > > + UINT32 Index; > > > + > > > + ASSERT (Rand != NULL); > > > + > > > + // > > > + // A loop to fetch a 16 bit random value with a > > > retry count limit. > > > + // > > > + for (Index = 0; Index < RDSEED_RETRY_LIMIT; Index++) > > > { > > > + if (AsmRdSeed16 (Rand)) { > > > + return TRUE; > > > + } > > > + } > > > + > > > + return FALSE; > > > +} > > > + > > > +/** > > > + Generates a 32-bit random number. > > > + > > > + if Rand is NULL, then ASSERT(). > > > + > > > + @param[out] Rand Buffer pointer to store the 32- > > > bit random value. > > > + > > > + @retval TRUE Random number generated > > > successfully. > > > + @retval FALSE Failed to generate the random > > > number. > > > + > > > +**/ > > > +BOOLEAN > > > +EFIAPI > > > +GetRandomNumber32 ( > > > + OUT UINT32 *Rand > > > + ) > > > +{ > > > + UINT32 Index; > > > + > > > + ASSERT (Rand != NULL); > > > + > > > + // > > > + // A loop to fetch a 32 bit random value with a > > > retry count limit. > > > + // > > > + for (Index = 0; Index < RDSEED_RETRY_LIMIT; Index++) > > > { > > > + if (AsmRdSeed32 (Rand)) { > > > + return TRUE; > > > + } > > > + } > > > + > > > + return FALSE; > > > +} > > > + > > > +/** > > > + Generates a 64-bit random number. 
> > > + > > > + if Rand is NULL, then ASSERT(). > > > + > > > + @param[out] Rand Buffer pointer to store the 64- > > > bit random value. > > > + > > > + @retval TRUE Random number generated > > > successfully. > > > + @retval FALSE Failed to generate the random > > > number. > > > + > > > +**/ > > > +BOOLEAN > > > +EFIAPI > > > +GetRandomNumber64 ( > > > + OUT UINT64 *Rand > > > + ) > > > +{ > > > + UINT32 Index; > > > + > > > + ASSERT (Rand != NULL); > > > + > > > + // > > > + // A loop to fetch a 64 bit random value with a > > > retry count limit. > > > + // > > > + for (Index = 0; Index < RDSEED_RETRY_LIMIT; Index++) > > > { > > > + if (AsmRdSeed64 (Rand)) { > > > + return TRUE; > > > + } > > > + } > > > + > > > + return FALSE; > > > +} > > > + > > > +/** > > > + Generates a 128-bit random number. > > > + > > > + if Rand is NULL, then ASSERT(). > > > + > > > + @param[out] Rand Buffer pointer to store the > > > 128-bit random value. > > > + > > > + @retval TRUE Random number generated > > > successfully. > > > + @retval FALSE Failed to generate the random > > > number. > > > + > > > +**/ > > > +BOOLEAN > > > +EFIAPI > > > +GetRandomNumber128 ( > > > + OUT UINT64 *Rand > > > + ) > > > +{ > > > + ASSERT (Rand != NULL); > > > + > > > + // > > > + // Read first 64 bits > > > + // > > > + if (!GetRandomNumber64 (Rand)) { > > > + return FALSE; > > > + } > > > + > > > + // > > > + // Read second 64 bits > > > + // > > > + return GetRandomNumber64 (++Rand); > > > +} > > > -- > > > 2.17.1.windows.2 > > > > > > > > > > > > >
View/Reply Online (#50725): https://edk2.groups.io/g/devel/message/50725
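
Review bot: In RngLibRdSeed.inf, `LIBRARY_CLASS = RngLib` registers this instance under the general-purpose class although the file header says its output is meant as a seed for other software deterministic RNGs, so nothing in the INF distinguishes it from an RngLib instance intended for ordinary consumers. Consider stating the intended consumers (DRBG seeding only) in the header comment, or exposing the seed source under its own library class so it cannot be resolved for every RngLib user. The [Packages] section lists only MdePkg/MdePkg.dec, so no dependency shown in this hunk requires the SecurityPkg location.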
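
Review bot: In RngRdSeed.c, GetRandomNumber16/32/64 call AsmRdSeed16/32/64 without checking whether RngLibRdSeedConstructor found RDSEED support; the CPUID result feeds only the ASSERT and the return status, so in a build where ASSERT() compiles to nothing the instruction is still issued on a processor that lacks it. Record the CPUID result in a module-level flag in the constructor and return FALSE from the GetRandomNumber functions when it is clear. Smaller points in the same hunk: the ASSERT inside the `if` repeats a condition already known to be false there, so `ASSERT (FALSE)` would say the same thing more plainly; GetRandomNumber128 leaves the first 64 bits written to the caller's buffer when the second read fails, which the function header should document, or which can be avoided by reading both halves into locals first; and the retry loops run back to back with a limit that the comment says is borrowed from RDRAND, so a `CpuPause ()` between attempts is worth considering.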