From 5ed8f64647f57c993ea979db0c7803b949db4262 Mon Sep 17 00:00:00 2001
From: Pierre Gondois
Date: Thu, 29 Aug 2024 16:42:33 +0200
Subject: MdePkg/DxeRngLib: Use PcdEnforceSecureRngAlgorithms for default algorithm
Use PcdEnforceSecureRngAlgorithms to allow using the Rng protocol with the default algorithm. All previous call to the Rng protocol are requesting a secure Rng algorithm. Not specifying the Rng algorithm GUID to use is considered unsecure.
Signed-off-by: Pierre Gondois
---
 MdePkg/Library/DxeRngLib/DxeRngLib.c | 12 +++++++-----
 MdePkg/Library/DxeRngLib/DxeRngLib.inf | 3 +++
 2 files changed, 10 insertions(+), 5 deletions(-)
(limited to 'MdePkg')
diff --git a/MdePkg/Library/DxeRngLib/DxeRngLib.c b/MdePkg/Library/DxeRngLib/DxeRngLib.c
index 4b4efef0b4..17c932d802 100644
--- a/MdePkg/Library/DxeRngLib/DxeRngLib.c
+++ b/MdePkg/Library/DxeRngLib/DxeRngLib.c
@@ -197,11 +197,13 @@ GenerateRandomNumberViaNist800Algorithm (
     }
   }
-  // If all the other methods have failed, use the default method from the RngProtocol
-  Status = mRngProtocol->GetRNG (mRngProtocol, NULL, BufferSize, Buffer);
-  DEBUG ((DEBUG_INFO, "%a: GetRNG algorithm default - Status = %r\n", __func__, Status));
-  if (!EFI_ERROR (Status)) {
-    return Status;
+  if (!PcdGetBool (PcdEnforceSecureRngAlgorithms)) {
+    // If all the other methods have failed, use the default method from the RngProtocol
+    Status = mRngProtocol->GetRNG (mRngProtocol, NULL, BufferSize, Buffer);
+    DEBUG ((DEBUG_INFO, "%a: GetRNG algorithm default - Status = %r\n", __func__, Status));
+    if (!EFI_ERROR (Status)) {
+      return Status;
+    }
   }
   // If we get to this point, we have failed
diff --git a/MdePkg/Library/DxeRngLib/DxeRngLib.inf b/MdePkg/Library/DxeRngLib/DxeRngLib.inf
index ca649585d4..0eff20d988 100644
--- a/MdePkg/Library/DxeRngLib/DxeRngLib.inf
+++ b/MdePkg/Library/DxeRngLib/DxeRngLib.inf
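Review bot: When PcdEnforceSecureRngAlgorithms is TRUE the default-algorithm fallback is skipped silently: the only DEBUG line in the new block sits inside the `if`, so a platform whose named algorithms all failed logs nothing that explains why the unspecified-algorithm GetRNG was not attempted before execution reaches the "we have failed" path. An else branch such as `} else { DEBUG ((DEBUG_WARN, "%a: default RNG algorithm skipped, PcdEnforceSecureRngAlgorithms is set\n", __func__)); }` would make the enforcement decision visible in the log. The nested comment should also reflect the new gate, e.g. `// Fall back to the protocol's default (unspecified) algorithm only when secure algorithms are not enforced`. Finally, `Status` is no longer written by this block on the enforced path, so it is worth confirming that the value it carries to the failure return is an error code from an earlier attempt; the body of GenerateRandomNumberViaNist800Algorithm starts and ends outside the hunk, so that cannot be checked here.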
@@ -39,3 +39,6 @@
   gEfiRngAlgorithmSp80090Hash256Guid
   gEfiRngAlgorithmSp80090Hmac256Guid
   gEfiRngAlgorithmRaw
+
+[FixedPcd]
+  gEfiMdePkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms ## CONSUMES
-- cgit v1.2.3
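Review bot: The token is consumed from `[FixedPcd]`, which pins the enforcement policy at build time, while the C side reads it with the generic `PcdGetBool`; using `FixedPcdGetBool (PcdEnforceSecureRngAlgorithms)` instead would document that intent and turn a later move of the token to a dynamic `[Pcd]` entry into a compile error rather than a silently runtime-settable security knob. If keeping the policy non-overridable at runtime is deliberate, a one-line comment above the entry would help, e.g. `# Fixed on purpose: the secure-algorithm policy must not be changeable at runtime`. Whether the DEC declares this token as fixed-only or also dynamic is not visible here, so this is presumably already settled on the package side.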