[PATCH v2] efi_loader: Get rid of kaslr-seed
Ilias Apalodimas
ilias.apalodimas at linaro.org
Fri Dec 17 12:13:59 CET 2021
Hi Heinrich,
On Fri, 17 Dec 2021 at 12:59, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>
> On 12/17/21 08:06, Ilias Apalodimas wrote:
> > Right now we unconditionally pass a 'kaslr-seed' property to the kernel
> > if the DTB we ended up in EFI includes the entry. However the kernel
> > EFI stub completely ignores it and only relies on EFI_RNG_PROTOCOL for
> > it's own randomness needs (i.e the randomization of the physical
> > placement of the kernel).
> > So let's get rid of it if EFI_RNG_PPROTOCOL is installed.
> >
> > It's worth noting that TPMs also provide an RNG. So if we tweak our
> > EFI_RNG_PROTOCOL slightly and install the protocol when a TPM device
> > is present the 'kaslr-seed' property will always be removed, allowing
> > us to reliably measure our DTB as well.
> >
> > Acked-by: Ard Biesheuvel <ardb at kernel.org>
> > Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > ---
> > changes since v1:
> > - Only removing the property if EFI_RNG_PROTOCOL is installed, since some
> > OS'es rely on kaslr-seed
>
> Each TPMv2 provides a hardware RNG. So you can unconditionally remove
> the kaslr-seed and create a new one by calling TPM2_GetRandom().
>
> It would further be useful to provide a DM RNG driver using
> TPM2_GetRandom().
Yes it would, but that's orthogonal to this patch. I did look at this
and there's a bit of plumbing still missing, which I'll fix when I
post the series for measuring a DTB.
Cheers
/Ilias
>
> Best regards
>
> Heinrich
More information about the U-Boot
mailing list