MdePkg/DxeRngLib: Use PcdEnforceSecureRngAlgorithms for default algorithm

Use PcdEnforceSecureRngAlgorithms to allow using the Rng protocol
with the default algorithm. All previous call to the Rng protocol
are requesting a secure Rng algorithm.
Not specifying the Rng algorithm GUID to use is considered unsecure.

Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>

diff --git a/MdePkg/Library/DxeRngLib/DxeRngLib.c b/MdePkg/Library/DxeRngLib/DxeRngLib.c
index 4b4efef0b424541936da1ce5d27f9d98cb984d9e..17c932d802c78051c33d3fd1e9bfe1ca4aaf1513 100644 (file)
--- a/MdePkg/Library/DxeRngLib/DxeRngLib.c
+++ b/MdePkg/Library/DxeRngLib/DxeRngLib.c
@@ -197,11 +197,13 @@ GenerateRandomNumberViaNist800Algorithm (
     }\r
   }\r
 \r
-  // If all the other methods have failed, use the default method from the RngProtocol\r
-  Status = mRngProtocol->GetRNG (mRngProtocol, NULL, BufferSize, Buffer);\r
-  DEBUG ((DEBUG_INFO, "%a: GetRNG algorithm default - Status = %r\n", __func__, Status));\r
-  if (!EFI_ERROR (Status)) {\r
-    return Status;\r
+  if (!PcdGetBool (PcdEnforceSecureRngAlgorithms)) {\r
+    // If all the other methods have failed, use the default method from the RngProtocol\r
+    Status = mRngProtocol->GetRNG (mRngProtocol, NULL, BufferSize, Buffer);\r
+    DEBUG ((DEBUG_INFO, "%a: GetRNG algorithm default - Status = %r\n", __func__, Status));\r
+    if (!EFI_ERROR (Status)) {\r
+      return Status;\r
+    }\r
   }\r
 \r
   // If we get to this point, we have failed\r

diff --git a/MdePkg/Library/DxeRngLib/DxeRngLib.inf b/MdePkg/Library/DxeRngLib/DxeRngLib.inf
index ca649585d4cf5104ece31cf5e9f35ab1e21dc478..0eff20d98886f40c6f1d56c13bb003db361b2a1b 100644 (file)
--- a/MdePkg/Library/DxeRngLib/DxeRngLib.inf
+++ b/MdePkg/Library/DxeRngLib/DxeRngLib.inf
@@ -39,3 +39,6 @@
   gEfiRngAlgorithmSp80090Hash256Guid\r
   gEfiRngAlgorithmSp80090Hmac256Guid\r
   gEfiRngAlgorithmRaw\r
+\r
+[FixedPcd]\r
+  gEfiMdePkgTokenSpaceGuid.PcdEnforceSecureRngAlgorithms ## CONSUMES\r