feat: add new rnglib

Add a new RngLib that will try to get an RNG from the ARM TRNG Library or falls back to the timer-based library if the TRNG service isn't implemented in ATF. Signed-off-by: Girish Mahadevan <gmahadevan@nvidia.com> Reviewed-by: Jeff Brasen <jbrasen@nvidia.com> Reviewed-by: Jake Garver <jake@nvidia.com> Tested-by: Jake Garver <jake@nvidia.com>
NVIDIA · Oct 18, 2024 · f4d4ea4 · f4d4ea4
1 parent c3d171d
commit f4d4ea4
Show file tree

Hide file tree

Showing 12 changed files with 781 additions and 0 deletions.
diff --git a/Platform/NVIDIA/Jetson/Jetson.defconfig b/Platform/NVIDIA/Jetson/Jetson.defconfig
@@ -33,3 +33,4 @@ CONFIG_SECURITY_UEFI_MENU_USER_AUTH=y
 CONFIG_EHCI=y
 CONFIG_SECURITY_PHYSICAL_PRESENCE=y
 CONFIG_SECURITY_DISABLE_PHYSICAL_PRESENCE_POST_SECUREBOOT=y
+CONFIG_SECURITY_HW_RNG=y
diff --git a/Platform/NVIDIA/JetsonMinimal/Jetson.defconfig b/Platform/NVIDIA/JetsonMinimal/Jetson.defconfig
@@ -25,3 +25,4 @@ CONFIG_FS_EXT4=y
 # CONFIG_SHELL is not set
 CONFIG_SECURITY_PHYSICAL_PRESENCE=y
 CONFIG_SERIAL_PORT_CONSOLE_TEGRA=y
+CONFIG_SECURITY_NON_HW_RNG=y
diff --git a/Platform/NVIDIA/Kconfig b/Platform/NVIDIA/Kconfig
@@ -125,6 +125,22 @@ menu "Security options"
   default y
   help
     Support for UEFI Secure Boot verification of third party components.
+
+  choice SECURITY_RNG_TYPE
+    prompt "UEFI RNG Type"
+    help
+      RNG Type.
+
+    config SECURITY_NON_HW_RNG
+    bool "Unsafe RNG driver not based on HW RNG."
+    help
+      RngLib that will use an unsafe upstream Library (BaseRngLibTimerLib).
+
+    config SECURITY_HW_RNG
+    bool "RNG using ARM TRNG."
+    help
+      RngLib that will use ARM TRNG based RNG or fallback to Timer based.
+  endchoice
 endmenu
 
 menu "Variable options"

diff --git a/Platform/NVIDIA/NVIDIA.common.dsc.inc b/Platform/NVIDIA/NVIDIA.common.dsc.inc
@@ -237,7 +237,14 @@ CONFIG_ARM_WATCHDOG_INTERRUPT=0
   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
 !endif
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+
+!ifdef CONFIG_SECURITY_HW_RNG
+  RngLib|Silicon/NVIDIA/Library/NvRngLib/NvRngLib.inf
+!endif
+
+!ifdef CONFIG_SECURITY_NON_HW_RNG
   RngLib|MdeModulePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
+!endif
 
   PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf

diff --git a/Platform/NVIDIA/Server/Server.defconfig b/Platform/NVIDIA/Server/Server.defconfig
@@ -35,3 +35,4 @@ CONFIG_SERVER_POWER_CONTROLLERS=y
 CONFIG_SMBIOS_DYNAMICTABLESPKG=y
 CONFIG_INFINEON_TPM_FW_UPDATE=y
 CONFIG_PRM_RAS_CPER_MODULE=y
+CONFIG_SECURITY_HW_RNG=y
diff --git a/Platform/NVIDIA/ServerIgx/ServerIgx.defconfig b/Platform/NVIDIA/ServerIgx/ServerIgx.defconfig
@@ -36,3 +36,4 @@ CONFIG_SECURITY_UEFI_MENU_USER_AUTH=y
 CONFIG_EHCI=y
 CONFIG_SERIAL_PORT_CONSOLE_TEGRA=y
 CONFIG_SECURITY_PHYSICAL_PRESENCE=y
+CONFIG_SECURITY_HW_RNG=y
diff --git a/Silicon/NVIDIA/Library/NvRngLib/NvRngLib.c b/Silicon/NVIDIA/Library/NvRngLib/NvRngLib.c
@@ -0,0 +1,128 @@
+/** @file
+ Rng Lib that gets the RNG from a secure RNG driver in StMM or from a Non-Safe
+ Rng Source if MM isn't present.
+
+ SPDX-FileCopyrightText: Copyright (c) 2024 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "NvRngProto.h"
+
+STATIC NVIDIA_NVRNG_PROTOCOL  *RngOps = NULL;
+
+/**
+  Generates a 16-bit random number.
+
+  if Rand is NULL, then ASSERT().
+
+  @param[out] Rand     Buffer pointer to store the 16-bit random value.
+
+  @retval TRUE         Random number generated successfully.
+  @retval FALSE        Failed to generate the random number.
+
+**/
+BOOLEAN
+EFIAPI
+GetRandomNumber16 (
+  OUT     UINT16  *Rand
+  )
+{
+  return RngOps->NvGetRng16 (Rand);
+}
+
+/**
+  Generates a 32-bit random number.
+
+  if Rand is NULL, then ASSERT().
+
+  @param[out] Rand     Buffer pointer to store the 32-bit random value.
+
+  @retval TRUE         Random number generated successfully.
+  @retval FALSE        Failed to generate the random number.
+
+**/
+BOOLEAN
+EFIAPI
+GetRandomNumber32 (
+  OUT     UINT32  *Rand
+  )
+{
+  return RngOps->NvGetRng32 (Rand);
+}
+
+/**
+  Generates a 64-bit random number.
+
+  if Rand is NULL, then ASSERT().
+
+  @param[out] Rand     Buffer pointer to store the 64-bit random value.
+
+  @retval TRUE         Random number generated successfully.
+  @retval FALSE        Failed to generate the random number.
+
+**/
+BOOLEAN
+EFIAPI
+GetRandomNumber64 (
+  OUT     UINT64  *Rand
+  )
+{
+  return RngOps->NvGetRng64 (Rand);
+}
+
+/**
+  Generates a 128-bit random number.
+
+  if Rand is NULL, then ASSERT().
+
+  @param[out] Rand     Buffer pointer to store the 128-bit random value.
+
+  @retval TRUE         Random number generated successfully.
+  @retval FALSE        Failed to generate the random number.
+
+**/
+BOOLEAN
+EFIAPI
+GetRandomNumber128 (
+  OUT     UINT64  *Rand
+  )
+{
+  return RngOps->NvGetRng128 (Rand);
+}
+
+/**
+  Get a GUID identifying the RNG algorithm implementation.
+
+  @param [out] RngGuid  If success, contains the GUID identifying
+                        the RNG algorithm implementation.
+
+  @retval EFI_SUCCESS             Success.
+  @retval EFI_UNSUPPORTED         Not supported.
+  @retval EFI_INVALID_PARAMETER   Invalid parameter.
+**/
+EFI_STATUS
+EFIAPI
+GetRngGuid (
+  GUID  *RngGuid
+  )
+{
+  return RngOps->NvGetRngGuid (RngGuid);
+}
+
+EFI_STATUS
+EFIAPI
+NvRngLibConstructor (
+  VOID
+  )
+{
+  RngOps = HwRngGetOps ();
+  if (RngOps == NULL) {
+    RngOps = NonHwRngGetOps ();
+    DEBUG ((DEBUG_ERROR, "%a: No StMM Using NonHW RngLib\n", __FUNCTION__));
+  } else {
+    DEBUG ((DEBUG_INFO, "%a: Using HW RngLib\n", __FUNCTION__));
+  }
+
+  return EFI_SUCCESS;
+}
diff --git a/Silicon/NVIDIA/Library/NvRngLib/NvRngLib.inf b/Silicon/NVIDIA/Library/NvRngLib/NvRngLib.inf
@@ -0,0 +1,50 @@
+## @file
+#  Rng Lib that gets the RNG from a secure RNG driver in StMM or from a Non-Safe
+#  Rng Source if MM isn't present.
+#
+#  SPDX-FileCopyrightText: Copyright (c) 2024 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010029
+  BASE_NAME                      = NvRngLib
+  MODULE_UNI_FILE                = NvRngLib.uni
+  FILE_GUID                      = 979ff860-9401-4757-b990-1f2a43b8aaab
+  MODULE_TYPE                    = BASE
+  VERSION_STRING                 = 1.0
+  CONSTRUCTOR                    = NvRngLibConstructor
+  LIBRARY_CLASS                  = RngLib
+
+#
+#  VALID_ARCHITECTURES           = IA32 X64 ARM AARCH64 EBC
+#
+
+[Sources]
+  NvRngLib.c
+  NvRngLibHw.c
+  NvRngLibNonHw.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  Silicon/NVIDIA/NVIDIA.dec
+  ArmPkg/ArmPkg.dec
+
+[LibraryClasses]
+  MemoryAllocationLib
+  BaseLib
+  UefiBootServicesTableLib
+  DebugLib
+  ArmTrngLib
+
+[Protocols]
+
+[Guids]
+  gEdkiiRngAlgorithmUnSafe
+  gEfiRngAlgorithmRaw
+
+[Depex]
+  TRUE
diff --git a/Silicon/NVIDIA/Library/NvRngLib/NvRngLib.uni b/Silicon/NVIDIA/Library/NvRngLib/NvRngLib.uni
@@ -0,0 +1,14 @@
+// /** @file
+// Null Instance of RNG (Random Number Generator) Library.
+//
+// SPDX-FileCopyrightText: Copyright (c) 2024 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "NVIDIA's instance of RNG Library"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This library instance should be used with modules that inherit an (indirect) dependency on the RngLib class, but never actually call RngLib APIs for consuming randomness."
+