[PATCH v2] efi_loader: Get rid of kaslr-seed
Heinrich Schuchardt
xypron.glpk at gmx.de
Fri Dec 17 11:59:42 CET 2021
On 12/17/21 08:06, Ilias Apalodimas wrote:
> Right now we unconditionally pass a 'kaslr-seed' property to the kernel
> if the DTB we ended up in EFI includes the entry. However the kernel
> EFI stub completely ignores it and only relies on EFI_RNG_PROTOCOL for
> it's own randomness needs (i.e the randomization of the physical
> placement of the kernel).
> So let's get rid of it if EFI_RNG_PPROTOCOL is installed.
>
> It's worth noting that TPMs also provide an RNG. So if we tweak our
> EFI_RNG_PROTOCOL slightly and install the protocol when a TPM device
> is present the 'kaslr-seed' property will always be removed, allowing
> us to reliably measure our DTB as well.
>
> Acked-by: Ard Biesheuvel <ardb at kernel.org>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> ---
> changes since v1:
> - Only removing the property if EFI_RNG_PROTOCOL is installed, since some
> OS'es rely on kaslr-seed
Each TPMv2 provides a hardware RNG. So you can unconditionally remove
the kaslr-seed and create a new one by calling TPM2_GetRandom().
It would further be useful to provide a DM RNG driver using
TPM2_GetRandom().
Best regards
Heinrich
More information about the U-Boot
mailing list