Page MenuHomeFreeBSD

Add support for getting early entropy from the UEFI RNG protocol
Needs RevisionPublic

Authored by on Jun 27 2019, 2:39 PM.


Group Reviewers
Contributor Reviews (base)

UEFI provides a protocol for accessing randomness. This is a good way to gather early entropy, especially when there's no driver for the RNG on the platform (as is the case on the Marvell Armada8k (MACCHIATObin) for now).

FreeBSD already has a way to pass entropy from the loader to the kernel: via loading a module with a special type. (I was searching for where the entropy_cache_name etc. variables are used for quite some time before realizing it works dynamically together with regular modules :D)

With a little modification to module.c, we can allow other parts of the code to load modules from anywhere (not just the FS), and use this in the EFI-specific code to load a synthetic module with the entropy.


Test Plan

Tested on: Marvell MACCHIATObin, Lenovo Thinkpad X240

Diff Detail

rS FreeBSD src repository
Lint Skipped
Unit Tests Skipped

Event Timeline

cperciva added inline comments.

The syntax "disable X instead of doing Y" seems confusing to me.

Also, why would we not want to just read both sources of entropy by default?

markm accepted this revision.Jun 27 2019, 6:26 PM

Presuming all the testing works :-)

This revision is now accepted and ready to land.Jun 27 2019, 6:26 PM

Because random_harvestq_prime currently looks for just one loaded file and I don't really want to modify that code.

cem added inline comments.Jun 27 2019, 7:16 PM

I don't think this should be enabled by default if it replaces the other, more trustworthy source. Early seeding is sensitive and nothing I've seen about EFI or BIOSes suggests that we should trust some implementation of the EFI RNG protocol as entropy.

bcran added inline comments.Jun 27 2019, 9:05 PM

I took a look at the EDK2 implementation, and for x86 it uses RDRAND, while for aarch64 it uses the machine specific functionality, such as TRNG on Marvell Aramada devices.

delphij requested changes to this revision.Jun 27 2019, 10:22 PM
delphij added inline comments.

Stored entropy cache has to be used if entropy_cache_load="YES" and when they are available. Please amend random_harvestq_prime to support it.

This revision now requires changes to proceed.Jun 27 2019, 10:22 PM
cperciva added inline comments.Jun 27 2019, 11:59 PM

I agree with cem and delphij -- EFI implementations do not have enough of a reputation for correctness that I would want to trust our security to their ability to implement an RNG. It would not be the first time that a RNG produced non-random numbers.