MdePkg/DxeRngLib: Use PcdEnforceSecureRngAlgorithms for default algorithm

Use PcdEnforceSecureRngAlgorithms to allow using the Rng protocol with the default algorithm. All previous call to the Rng protocol are requesting a secure Rng algorithm. Not specifying the Rng algorithm GUID to use is considered unsecure. Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
2025-07-23 05:34:31 +02:00 · 2024-08-29 16:42:33 +02:00 · 2024-08-29 16:42:33 +02:00 · 5ed8f64647
commit 5ed8f64647
parent c04c4534c4
2 changed files with 10 additions and 5 deletions
--- a/MdePkg/Library/DxeRngLib/DxeRngLib.c
+++ b/MdePkg/Library/DxeRngLib/DxeRngLib.c
@ -197,11 +197,13 @@ GenerateRandomNumberViaNist800Algorithm (
    }
  }

-  // If all the other methods have failed, use the default method from the RngProtocol
-  Status = mRngProtocol->GetRNG (mRngProtocol, NULL, BufferSize, Buffer);
-  DEBUG ((DEBUG_INFO, "%a: GetRNG algorithm default - Status = %r\n", __func__, Status));
-  if (!EFI_ERROR (Status)) {
-    return Status;
+  if (!PcdGetBool (PcdEnforceSecureRngAlgorithms)) {
+    // If all the other methods have failed, use the default method from the RngProtocol
+    Status = mRngProtocol->GetRNG (mRngProtocol, NULL, BufferSize, Buffer);
+    DEBUG ((DEBUG_INFO, "%a: GetRNG algorithm default - Status = %r\n", __func__, Status));
+    if (!EFI_ERROR (Status)) {
+      return Status;
+    }
  }

  // If we get to this point, we have failed
--- a/MdePkg/Library/DxeRngLib/DxeRngLib.inf
+++ b/MdePkg/Library/DxeRngLib/DxeRngLib.inf
@ -39,3 +39,6 @@
  gEfiRngAlgorithmSp80090Hash256Guid
  gEfiRngAlgorithmSp80090Hmac256Guid
  gEfiRngAlgorithmRaw
+
+[FixedPcd]
+  gEfiMdePkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms ## CONSUMES