From a85336531cf56e4bb04cf61ec3991a8104320dc4 Mon Sep 17 00:00:00 2001
From: Flickdm
Date: Mon, 20 May 2024 11:07:38 -0700
Subject: SecurityPkg RngDxe: Remove incorrect limitation on GetRng

Removed from gEfiRngAlgorithmRaw an incorrect assumption that Raw cannot return less than 256 bits. The DRNG Algorithms should always use a 256 bit seed as per nist standards however a caller is free to request less than 256 bits.

>
> //
> // When a DRBG is used on the output of a entropy source,
> // its security level must be at least 256 bits according to UEFI Spec.
> //
> if (RNGValueLength < 32) {
> return EFI_INVALID_PARAMETER;
> }
>

AARCH64 platforms do not have this limitation and this brings both implementations into alignment with each other and the spec.

Cc: Jiewen Yao
Signed-off-by: Doug Flick [MSFT]
Reviewed-by: Ard Biesheuvel
Reviewed-by: Pierre Gondois
Acked-by: Jiewe Yao
---
 SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
index 7e06e16e4b..5723ed6957 100644
--- a/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
+++ b/SecurityPkg/RandomNumberGenerator/RngDxe/Rand/RngDxe.c
@@ -116,14 +116,6 @@ RngGetRNG (
   // The "raw" algorithm is intended to provide entropy directly
   //
   if (CompareGuid (RNGAlgorithm, &gEfiRngAlgorithmRaw)) {
-    //
-    // When a DRBG is used on the output of a entropy source,
-    // its security level must be at least 256 bits according to UEFI Spec.
-    //
-    if (RNGValueLength < 32) {
-      return EFI_INVALID_PARAMETER;
-    }
-
     Status = GenerateEntropy (RNGValueLength, RNGValue);
     return Status;
   }
-- 
cgit
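Review bot: Nothing in the hunk shows that GenerateEntropy bounds its output to RNGValueLength once the 32-byte minimum is removed, so short requests on the raw path now depend on a contract the deleted check used to guarantee for callers. RngGetRNG begins and ends outside this hunk and GenerateEntropy is defined elsewhere, so please confirm it writes at most RNGValueLength bytes into RNGValue for requests smaller than 32 bytes and for a zero-length request, rather than assuming a full 256-bit output buffer; a caller passing a 16-byte buffer would otherwise be overrun rather than rejected. A one-line comment at the call site would record the expectation, e.g. `// Callers may request fewer than 32 bytes; GenerateEntropy must write at most RNGValueLength bytes.`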