Code First - PI Specification - Add RNG PPI (Bugzilla Bug 4814) #10529
Comments
Comment 23241Date: 2024-07-17 20:32:31 +0000
The proposed addition to the PI Specification is a Random Number Generator (RNG) PPI to provide a standard binary interface for a platform PEIM to provide RNG services to other PEIMs. Similar to the RNG Protocol defined in the UEFI 2.10 Specification, the RNG PPI returns random numbers and can serve as an entropy source for seeding other cryptographic services. The RNG PPI interface is proposed to use the same interface as the protocol for API consistency and implementation reuse. Security has evolved in modern firmware implementations to necessitate supporting technologies that depend on strong entropy sources. More content is expected to be secure at rest, in transit, and in use. In addition, random numbers strengthen recent security mitigations being adopted in PEI phase modules such as dynamically generated stack cookie values. At the same time, secure software supply chain practices are gaining adoption with an emphasis on software inventory management and software bill of materials (SBOM) generation. This lends to more binary distribution alongside an accompanying SBOM especially for security sensitive components such as the platform RNG provider. RNG technologies also vary across architecture, vendor, and computing segments. A platform may need to provide RNG services in PEI across binary boundaries and that can be accomplished with the RNG PPI. Because this change is introducing an entirely new API, there will not be any impact on existing implementations. An instance of the RngLib will be provided that instead of statically linking RNG code directly will locate and use the RNG PPI. As is always the case for dynamic interfaces like PPIs, platform integrators will need to account for dependencies between the PEIM that produces the RNG PPI and the PEIMs that consume it. |
Comment 23242Date: 2024-07-17 21:23:00 +0000 Code first branch is posted in edk-staging: https://github.com/tianocore/edk2-staging/tree/BZ4814-AddRngPpi Some small refactoring may be made to the PeiRngLib and RngPei implementations, but they are representative of their responsibilities. The document with additional details is here: https://github.com/tianocore/edk2-staging/blob/BZ4814-AddRngPpi/CodeFirst/BZ4814-SpecChange.md |
Comment 23371Date: 2024-09-04 20:49:38 +0000 [email protected] has worked on it. |
|
Hi @makubacki As RNG PPI has been added to the PI 1.9 Specification, would it be possible now to merge the changes to the edk2 master. |
Hi @sachinami, I created the linked pull request in edk2 with the change. |
Thank you @makubacki ! |
REF:tianocore#10529 Adds a new PPI that serves the same purpose as EFI_RNG_PROTOCOL in DXE. This PPI can be produced by a PEIM to provide a dynamic interface to RNG services in PEI. Signed-off-by: Michael Kubacki <[email protected]>
REF:tianocore#10529 Adds a new PEI library instance for RngLib that uses the RNG services provided by the RNG PPI. This library instance will add a DEPEX on gEfiRngPpiGuid on modules it links against. It can be used to allow PEIMs to get RNG support over a dynamic interface. Signed-off-by: Michael Kubacki <[email protected]>
REF:tianocore#10529 The `RngPei` PEIM can be used if RNG should be provided over a dynamic binary interface to other PEIMs on a platform. Tested with: - SecurityPkg CI - Verify RNG linked with RngLib is executed as expected - Verify random numbers are generated successfully with a valid RngLib Integration instructions: Use the `RngPei` module if a platform needs to produce `gEfiRngPpiGuid`. The platform should usually link a different `RngLib` instance to `RngPei` than other PEIMs that may use the RNG PPI produced since `RngPei` is responsible for producing the PPI. For example, a `RngLib` instance that uses the rdrand instruction may be linked against `RngPei` and a `RngLib` instance that uses the RNG PPI may be linked against other PEIMs. Signed-off-by: Michael Kubacki <[email protected]>
This issue was created automatically with bugzilla2github
Bugzilla Bug 4814
Date: 2024-07-17T20:32:31+00:00
From: @makubacki
To: @makubacki
CC: @lgao4
Last updated: 2024-09-04T20:49:38+00:00
The text was updated successfully, but these errors were encountered: