From 93794878d14862cd688590470a81fcb011ac76b2 Mon Sep 17 00:00:00 2001
From: hy <12444214+dhjgty@user.noreply.gitee.com>
Date: Sun, 23 Feb 2025 16:13:08 +0800
Subject: [PATCH] Fix timing side-channel in ECDSA signature computation There
 is a timing signal of around 300 nanoseconds when the top word of the
 inverted ECDSA nonce value is zero. This can happen with significant
 probability only for some of the supported elliptic curves. In particular the
 NIST P-521 curve is affected. To be able to measure this leak, the attacker
 process must either be located in the same physical computer or must have a
 very fast network connection with low latency.

Attacks on ECDSA nonce are also known as Minerva attack.

Fixes CVE-2024-13176

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
---
 0080-Fix-timing-side-channel.patch | 113 +++++++++++++++++++++++++++++
 edk2.spec                          |  14 +++-
 2 files changed, 123 insertions(+), 4 deletions(-)
 create mode 100644 0080-Fix-timing-side-channel.patch

diff --git a/0080-Fix-timing-side-channel.patch b/0080-Fix-timing-side-channel.patch
new file mode 100644
index 0000000..83b14e4
--- /dev/null
+++ b/0080-Fix-timing-side-channel.patch
@@ -0,0 +1,113 @@
+From 1614a65a25ed2265d57147a9a79e6ec0269bf328 Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Sun, 23 Feb 2025 15:39:46 +0800
+Subject: [PATCH] Fix timing side-channel in ECDSA signature computation
+There is a timing signal of around 300 nanoseconds when the top word of
+the inverted ECDSA nonce value is zero. This can happen with significant
+probability only for some of the supported elliptic curves. In particular
+the NIST P-521 curve is affected. To be able to measure this leak, the
+attacker process must either be located in the same physical computer or
+must have a very fast network connection with low latency.
+
+Attacks on ECDSA nonce are also known as Minerva attack.
+
+Fixes CVE-2024-13176
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com> 
+
+---
+ .../OpensslLib/openssl/crypto/bn/bn_exp.c     | 21 +++++++++++++------
+ .../OpensslLib/openssl/crypto/ec/ec_lib.c     |  6 +++---
+ .../OpensslLib/openssl/include/crypto/bn.h    |  3 +++
+ 3 files changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
+index 4e169ae1..a161e580 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c
+@@ -598,7 +598,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
+  * out by Colin Percival,
+  * http://www.daemonology.net/hyperthreading-considered-harmful/)
+  */
+-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+                               const BIGNUM *m, BN_CTX *ctx,
+                               BN_MONT_CTX *in_mont)
+ {
+@@ -615,10 +615,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+     unsigned int t4 = 0;
+ #endif
+ 
+-    bn_check_top(a);
+-    bn_check_top(p);
+-    bn_check_top(m);
+-
+     if (!BN_is_odd(m)) {
+         ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
+         return 0;
+@@ -1138,7 +1134,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+             goto err;
+     } else
+ #endif
+-    if (!BN_from_montgomery(rr, &tmp, mont, ctx))
++    if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
+         goto err;
+     ret = 1;
+  err:
+@@ -1152,6 +1148,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+     return ret;
+ }
+ 
++int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++                              const BIGNUM *m, BN_CTX *ctx,
++                              BN_MONT_CTX *in_mont)
++{
++    bn_check_top(a);
++    bn_check_top(p);
++    bn_check_top(m);
++    if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
++        return 0;
++    bn_correct_top(rr);
++    return 1;
++}
++
+ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
+                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+ {
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
+index b1696d93..7f247d9e 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c
+@@ -1262,10 +1262,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
+     if (!BN_sub(e, group->order, e))
+         goto err;
+     /*-
+-     * Exponent e is public.
+-     * No need for scatter-gather or BN_FLG_CONSTTIME.
++     * Although the exponent is public we want the result to be
++     * fixed top.
+      */
+-    if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
++    if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
+         goto err;
+ 
+     ret = 1;
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
+index fd1c09d9..ba50bca2 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h
+@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
+  */
+ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                           BN_MONT_CTX *mont, BN_CTX *ctx);
++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++                              const BIGNUM *m, BN_CTX *ctx,
++                              BN_MONT_CTX *in_mont);
+ int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+                          BN_CTX *ctx);
+ int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+-- 
+2.33.0
+
diff --git a/edk2.spec b/edk2.spec
index 4e91f55..9df8bf1 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@
 
 Name: edk2
 Version: %{stable_date}
-Release: 16
+Release: 17
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent and OpenSSL and MIT 
 URL: https://github.com/tianocore/edk2
@@ -125,6 +125,9 @@ patch77: 0077-VirtioDxe-add-support-of-MMIO-Bar-for-virtio-devices.patch
 patch78: 0078-Virtio-wait-virtio-device-reset-done.patch
 patch79: 0079-VirtioBlk-split-large-IO-according-to-segment_size_m.patch
 
+# Fix CVE-2024-13176
+patch80: 0080-Fix-timing-side-channel.patch
+ 
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl 
 
 %description
@@ -394,6 +397,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 
 %changelog
+* Sun Feb 23 2025 huyu<huyu70@h-partners.com> - 202308-17
+- fix CVE-2024-13176
+
 * Fri Nov 29 2024 adttil<2429917001@qq.com> - 202308-16
 - vdpa: support vdpa blk/scsi device boot
 
@@ -403,12 +409,12 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 * Mon Oct 14 2024 shenyage<shenyage1@huawei.com> - 202308-14
 - fix CVE-2023-45236、CVE-2023-45237
 
-* Mon Sep 23 2024 hanliyang<hanliyang@hygon.cn> - 202308-13
-- Add support for running in Hygon CSV3 guest
-
 * Wed Oct 09 2024 zhangxianting <zhangxianting@uniontech.com> - 202308-12
 - fix CVE-2024-38796
 
+* Mon Sep 23 2024 hanliyang<hanliyang@hygon.cn> - 202308-13
+- Add support for running in Hygon CSV3 guest
+
 * Fri Sep 13 2024 Xiaotian Wu <wuxiaotian@loongson.cn> - 202308-11
 - add LoongArch support
 - backport edk2-platform to build with edk2-2308
-- 
Gitee