Re: [edk2-devel] [PATCH 1/1] MdePkg/BaseRngLib: Add a smoketest for RDRAND and check CPUID

Tue, 22 Nov 2022 07:37:12 -0800 

Hi,

On Tue, Nov 22, 2022 at 02:01:21PM +0000, Pedro Falcato wrote:
> RDRAND has notoriously been broken many times over its lifespan.
> Add a smoketest to RDRAND, in order to better sniff out potential
> security concerns.
> 
> Also add a proper CPUID test in order to support older CPUs which may
> not have it; it was previously being tested but then promptly ignored.
> 
> Signed-off-by: Pedro Falcato <pedro.falc...@gmail.com>
> Cc: Michael D Kinney <michael.d.kin...@intel.com>
> Cc: Liming Gao <gaolim...@byosoft.com.cn>
> Cc: Zhiguang Liu <zhiguang....@intel.com>

Considering our discussion an hour ago, I would have appreciated you
CC'ing me. I'm not subscribed to this list, and it's not on lore, so
this is a bit of a PITA to subscribe to.

> +STATIC
> +BOOLEAN
> +TestRdRand (
> +  VOID
> +  )
> +{
> +  //
> +  // Test for notoriously broken rdrand implementations that always return 
> the same
> +  // value, like the Zen 3 uarch (all-1s) or other several AMD families on 
> suspend/resume (also all-1s).
> +  // Note that this should be expanded to extensively test for other sorts of
> +  // possible errata. This testing is quite naive.
> +  //

The test that the kernel does is more robust. Maybe try doing that
instead?

  void x86_init_rdrand(struct cpuinfo_x86 *c)
  {
    enum { SAMPLES = 8, MIN_CHANGE = 5 };
    unsigned long sample, prev;
    bool failure = false;
    size_t i, changed;

    if (!cpu_has(c, X86_FEATURE_RDRAND))
      return;

    for (changed = 0, i = 0; i < SAMPLES; ++i) {
      if (!rdrand_long(&sample)) {
        failure = true;
        break;
      }
      changed += i && sample != prev;
      prev = sample;
    }
    if (changed < MIN_CHANGE)
      failure = true;

    if (failure) {
      clear_cpu_cap(c, X86_FEATURE_RDRAND);
      clear_cpu_cap(c, X86_FEATURE_RDSEED);
      pr_emerg("RDRAND is not reliable on this platform; disabling.\n");
    }
  }

Just copy and paste that and convert the Linuxisms to EDK2isms.

Jason


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#96562): https://edk2.groups.io/g/devel/message/96562
Mute This Topic: https://groups.io/mt/95195631/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to