[PATCH] add kaslr-seed generation to extlinux.conf

ning ning at ts-551
Sat Jan 29 16:40:51 CET 2022 

On Sat, Jan 29, 2022 at 03:04:48PM +0200, Ilias Apalodimas wrote:
> Hi Zhang,
> 
> On Sat, Jan 29, 2022 at 10:06:53AM +0800, Zhang Ning wrote:
> > add kaslrseed key word to extlinux.conf,
> > which means generate kaslr-seed for linux
> > 
> > with this patch exlinux.conf boot item looks like
> 
> I am not too familiar with the extlinux stuff in U-Boot.  Does that boot
> with efi or not?  On the efi booting kaslr-seed is close to useless for
> linux.  In fact we explicitly strip it when booting with EFI and and RNG 
> hardware is available. 
> 
> The EFI stub ignores it and uses the EFI_RNG_PROTOCOL. Since you
> rely on an rng device to generate it the EFI_RNG_PROTOCOL will be
> installed. 

thank you for your review.

extlinux is same as bootm cmd in uboot cmdline, thus no relationship with EFI boot.
I checked my old Uboot for khadas VIM, EFI_RNG_PROTOCOL is set, and kernel EFI_STUB
is set, and I use extlinux.conf, kernel still complain no kalsr seed.

> 
> > 
> > label l0
> >         menu testing
> >         linux /boot/vmlinuz-5.15.16-arm
> >         initrd /boot/initramfs-5.15.16-arm.img
> >         fdtdir /boot/dtbs/5.15.16-arm/
> >         kaslrseed
> >         append root=UUID=92ae1e50-eeeb-4c5b-8939-7e1cd6cfb059 ro
> > 
> > Signed-off-by: Zhang Ning <zhangn1985 at qq.com>
> > ---
> >  boot/pxe_utils.c    | 69 +++++++++++++++++++++++++++++++++++++++++++++
> >  include/pxe_utils.h |  2 ++
> >  2 files changed, 71 insertions(+)
> > 
> > diff --git a/boot/pxe_utils.c b/boot/pxe_utils.c
> > index bb231b11a2..c7c422926e 100644
> > --- a/boot/pxe_utils.c
> > +++ b/boot/pxe_utils.c
> > @@ -20,6 +20,11 @@
> >  #include <errno.h>
> >  #include <linux/list.h>
> >  
> > +#ifdef CONFIG_DM_RNG
> > +#include <dm.h>
> > +#include <rng.h>
> > +#endif
> > +
> >  #include <splash.h>
> >  #include <asm/io.h>
> >  
> > @@ -311,6 +316,61 @@ static int label_localboot(struct pxe_label *label)
> >  	return run_command_list(localcmd, strlen(localcmd), 0);
> >  }
> >  
> > +/*
> > + * label_boot_kaslrseed generate kaslrseed from hw rng
> > + */
> > +
> > +static void label_boot_kaslrseed(void)
> > +{
> > +#ifdef CONFIG_DM_RNG
> > +	ulong fdt_addr;
> > +	struct fdt_header *working_fdt;
> > +	size_t n = 0x8;
> > +	struct udevice *dev;
> > +	u64 *buf;
> > +	int nodeoffset;
> > +	int err;
> > +
> > +	/* Get the main fdt and map it */
> > +	fdt_addr = hextoul(env_get("fdt_addr_r"), NULL);
> > +	working_fdt = map_sysmem(fdt_addr, 0);
> > +	err = fdt_check_header(working_fdt);
> > +	if (err)
> > +		return;
> > +
> > +	if (uclass_get_device(UCLASS_RNG, 0, &dev) || !dev) {
> > +		printf("No RNG device\n");
> > +		return;
> > +	}
> > +
> > +	buf = malloc(n);
> > +	if (!buf) {
> > +		printf("Out of memory\n");
> > +		return;
> > +	}
> > +
> > +	if (dm_rng_read(dev, buf, n)) {
> > +		printf("Reading RNG failed\n");
> > +		return;
> > +	}
> > +
> > +	nodeoffset = fdt_find_or_add_subnode(working_fdt, 0, "chosen");
> > +	if (nodeoffset < 0) {
> > +		printf("Reading chosen node failed\n");
> > +		return;
> > +	}
> > +
> > +	err = fdt_setprop(working_fdt, nodeoffset, "kaslr-seed", buf, sizeof(buf));
> > +	if (err < 0) {
> > +		printf("Unable to set kaslr-seed on chosen node: %s\n", fdt_strerror(err));
> > +		return;
> > +	}
> 
> Almost all of the return cases fail to free the buffer.  I'd write that a
> bit differently as well.  Just allocate the buffer *after* you made sure
> the hardware and required nodes are there.
> 
these code are copied from cmd/kalsrseed.c, I will add buff free in next version.

> Regards
> /Ilias
> > +
> > +	free(buf);
> > +#endif
> > +	return;
> > +}
> > +
> >  /**
> >   * label_boot_fdtoverlay() - Loads fdt overlays specified in 'fdtoverlays'
> >   *
> > @@ -631,6 +691,9 @@ static int label_boot(struct pxe_context *ctx, struct pxe_label *label)
> >  				}
> >  			}
> >  
> > +		if (label->kaslrseed)
> > +			label_boot_kaslrseed();
> > +
> >  #ifdef CONFIG_OF_LIBFDT_OVERLAY
> >  			if (label->fdtoverlays)
> >  				label_boot_fdtoverlay(ctx, label);
> > @@ -710,6 +773,7 @@ enum token_type {
> >  	T_ONTIMEOUT,
> >  	T_IPAPPEND,
> >  	T_BACKGROUND,
> > +	T_KASLRSEED,
> >  	T_INVALID
> >  };
> >  
> > @@ -741,6 +805,7 @@ static const struct token keywords[] = {
> >  	{"ontimeout", T_ONTIMEOUT,},
> >  	{"ipappend", T_IPAPPEND,},
> >  	{"background", T_BACKGROUND,},
> > +	{"kaslrseed", T_KASLRSEED,},
> >  	{NULL, T_INVALID}
> >  };
> >  
> > @@ -1194,6 +1259,10 @@ static int parse_label(char **c, struct pxe_menu *cfg)
> >  			err = parse_integer(c, &label->ipappend);
> >  			break;
> >  
> > +		case T_KASLRSEED:
> > +			label->kaslrseed = 1;
> > +			break;
> > +
> >  		case T_EOL:
> >  			break;
> >  
> > diff --git a/include/pxe_utils.h b/include/pxe_utils.h
> > index dad2668818..4a73b2aace 100644
> > --- a/include/pxe_utils.h
> > +++ b/include/pxe_utils.h
> > @@ -33,6 +33,7 @@
> >   * initrd - path to the initrd to use for this label.
> >   * attempted - 0 if we haven't tried to boot this label, 1 if we have.
> >   * localboot - 1 if this label specified 'localboot', 0 otherwise.
> > + * kaslrseed - 1 if generate kaslrseed from hw_rng
> >   * list - lets these form a list, which a pxe_menu struct will hold.
> >   */
> >  struct pxe_label {
> > @@ -50,6 +51,7 @@ struct pxe_label {
> >  	int attempted;
> >  	int localboot;
> >  	int localboot_val;
> > +	int kaslrseed;
> >  	struct list_head list;
> >  };
> >  
> > -- 
> > 2.34.1
> >

More information about the U-Boot mailing list