authorPierre Gondois <pierre.gondois@arm.com>2024-08-29 16:42:33 +0200
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2024-09-13 14:34:21 +0000
commit5ed8f64647f57c993ea979db0c7803b949db4262 (patch)
treee988bf7cf46ffb7be996d96346cab1cd74809b5c /MdePkg
parentc04c4534c4a5093c116b0670c34d11df9440dd7b (diff)
MdePkg/DxeRngLib: Use PcdEnforceSecureRngAlgorithms for default algorithm
Use PcdEnforceSecureRngAlgorithms to allow using the Rng protocol with the default algorithm. All previous calls to the Rng protocol request a secure Rng algorithm. Not specifying the Rng algorithm GUID to use is considered insecure. Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
Diffstat (limited to 'MdePkg')
-rw-r--r--MdePkg/Library/DxeRngLib/DxeRngLib.c12
-rw-r--r--MdePkg/Library/DxeRngLib/DxeRngLib.inf3
2 files changed, 10 insertions, 5 deletions
diff --git a/MdePkg/Library/DxeRngLib/DxeRngLib.c b/MdePkg/Library/DxeRngLib/DxeRngLib.c
index 4b4efef0b4..17c932d802 100644
--- a/MdePkg/Library/DxeRngLib/DxeRngLib.c
+++ b/MdePkg/Library/DxeRngLib/DxeRngLib.c
@@ -197,11 +197,13 @@ GenerateRandomNumberViaNist800Algorithm (
}
}
- // If all the other methods have failed, use the default method from the RngProtocol
- Status = mRngProtocol->GetRNG (mRngProtocol, NULL, BufferSize, Buffer);
- DEBUG ((DEBUG_INFO, "%a: GetRNG algorithm default - Status = %r\n", __func__, Status));
- if (!EFI_ERROR (Status)) {
- return Status;
+ if (!PcdGetBool (PcdEnforceSecureRngAlgorithms)) {
+ // If all the other methods have failed, use the default method from the RngProtocol
+ Status = mRngProtocol->GetRNG (mRngProtocol, NULL, BufferSize, Buffer);
+ DEBUG ((DEBUG_INFO, "%a: GetRNG algorithm default - Status = %r\n", __func__, Status));
+ if (!EFI_ERROR (Status)) {
+ return Status;
+ }
}
// If we get to this point, we have failed
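Review bot: When `PcdGetBool (PcdEnforceSecureRngAlgorithms)` is TRUE the default-algorithm call is skipped without any trace, so the log cannot tell a failure caused by the policy from one where the protocol itself failed. I would add an else branch with `DEBUG ((DEBUG_WARN, "%a: secure RNG algorithms enforced, default algorithm not tried\n", __func__));`. I would also extend the comment above the `GetRNG` call to say that passing `NULL` lets the driver pick an algorithm this library cannot identify, which is why the call is gated. On the enforced path, the Status reaching the code after `// If we get to this point, we have failed` comes from the last named-algorithm attempt; that code and the start of GenerateRandomNumberViaNist800Algorithm are outside the hunk, so it is worth confirming Status is always an error value there.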
diff --git a/MdePkg/Library/DxeRngLib/DxeRngLib.inf b/MdePkg/Library/DxeRngLib/DxeRngLib.inf
index ca649585d4..0eff20d988 100644
--- a/MdePkg/Library/DxeRngLib/DxeRngLib.inf
+++ b/MdePkg/Library/DxeRngLib/DxeRngLib.inf
@@ -39,3 +39,6 @@
gEfiRngAlgorithmSp80090Hash256Guid
gEfiRngAlgorithmSp80090Hmac256Guid
gEfiRngAlgorithmRaw
+
+[FixedPcd]
+ gEfiMdePkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms ## CONSUMES