[PATCH 1/1] Dockerfile: flag to disable kaslr-seed in QEMU

Ilias Apalodimas ilias.apalodimas at linaro.org
Thu Dec 16 15:35:09 CET 2021 

Hi Heinrich,

On Thu, 16 Dec 2021 at 16:05, Heinrich Schuchardt
<heinrich.schuchardt at canonical.com> wrote:
>
> The QEMU ARM device-tree contains a random kaslr-seed. This results in
> random measurements of the device-tree in the implementation of the
> EFI_TCG2_PROTOCOL.
>
> Add an upstream patch which allows to disable the kaslr-seed via a command
> line parameter that we can use in the U-Boot test hooks.
>
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
> ---
>  tools/docker/Dockerfile | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
> index fb422e7588..d906f91863 100644
> --- a/tools/docker/Dockerfile
> +++ b/tools/docker/Dockerfile
> @@ -115,6 +115,10 @@ RUN apt-get update && apt-get install -y \
>  # Make kernels readable for libguestfs tools to work correctly
>  RUN chmod +r /boot/vmlinu*
>
> +# 'git am' requires setting up name and email address beforehand
> +RUN git config --global user.email "you at example.com" && \
> +       git config --global user.name "Your Name"
> +
>  # Manually install a new enough version of sbsigntools (must be v0.9.4 or later)
>  RUN git clone https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git /tmp/sbsigntools && \
>         cd /tmp/sbsigntools && \
> @@ -178,6 +182,9 @@ RUN git clone git://git.qemu.org/qemu.git /tmp/qemu && \
>         cd /tmp/qemu && \
>         git submodule update --init dtc && \
>         git checkout v6.1.0 && \
> +       wget https://lore.kernel.org/qemu-devel/20211215120926.1696302-1-alex.bennee@linaro.org/raw \
> +       -O 0001-hw-arm-add-control-knob-to-disable-kaslr_seed-via-DT.patch && \
> +       git am 0001-hw-arm-add-control-knob-to-disable-kaslr_seed-via-DT.patch && \
>         # config user.name and user.email to make 'git am' happy
>         git config user.name u-boot && \
>         git config user.email u-boot at denx.de && \
> --
> 2.32.0
>

Asking around and looking at the EFI  stub, it seems like currently
ignores kaslr-seed. I am going to send a patch to u-boot shortly which
unconditionally removes it for EFI boot processes.  So I think we can
skip this overall

Cheers
/Ilias

More information about the U-Boot mailing list