[PATCH 2/3] fdt: kaslr seed from tpm entropy

Simon Glass sjg at chromium.org
Wed Aug 9 04:03:46 CEST 2023 

Hi,

On Fri, 4 Aug 2023 at 17:34, <seanedmond at linux.microsoft.com> wrote:
>
> From: Dhananjay Phadke <dphadke at linux.microsoft.com>
>
> Add support for KASLR seed from TPM device. Invokes tpm_get_random()
> API to read 8-bytes of random bytes for KASLR.
>
> Signed-off-by: Dhananjay Phadke <dphadke at linux.microsoft.com>
> Signed-off-by: Drew Kluemke <ankluemk at microsoft.com>
> Signed-off-by: Sean Edmond <seanedmond at microsoft.com>
> ---
>  boot/image-fdt.c      |  3 +++
>  common/fdt_support.c  | 39 ++++++++++++++++++++++++++++++++++++++-
>  include/fdt_support.h |  1 +
>  lib/Kconfig           |  9 +++++++++
>  4 files changed, 51 insertions(+), 1 deletion(-)
>
> diff --git a/boot/image-fdt.c b/boot/image-fdt.c
> index f10200f647..127443963e 100644
> --- a/boot/image-fdt.c
> +++ b/boot/image-fdt.c
> @@ -624,6 +624,9 @@ int image_setup_libfdt(struct bootm_headers *images, void *blob,
>                 goto err;
>         }
>
> +       if (IS_ENABLED(CONFIG_KASLR_TPM_SEED))
> +               fdt_tpm_kaslr_seed(blob);

Error checking needed. Also please make your new function take an
oftree or ofnode

> +
>         fdt_ret = optee_copy_fdt_nodes(blob);
>         if (fdt_ret) {
>                 printf("ERROR: transfer of optee nodes to new fdt failed: %s\n",
> diff --git a/common/fdt_support.c b/common/fdt_support.c
> index 35d4f26dbd..1ac33355a0 100644
> --- a/common/fdt_support.c
> +++ b/common/fdt_support.c
> @@ -13,6 +13,10 @@
>  #include <mapmem.h>
>  #include <net.h>
>  #include <stdio_dev.h>
> +#include <tpm-v1.h>
> +#include <tpm-v2.h>
> +#include <dm/device.h>
> +#include <dm/uclass.h>
>  #include <dm/ofnode.h>
>  #include <linux/ctype.h>
>  #include <linux/types.h>
> @@ -632,7 +636,7 @@ void fdt_fixup_ethernet(void *fdt)
>  }
>
>  /*
> - * fdt_fix_kaslr_seed - Add kalsr-seed node in Device tree
> + * fdt_fixup_kaslr_seed - Add kaslr-seed node in Device tree
>   * @fdt:               Device tree
>   * @eret:              0 for success
>   */
> @@ -662,6 +666,39 @@ int fdt_fixup_kaslr_seed(void *fdt, const u8 *seed, int len)
>         return 0;
>  }
>
> +/*
> + * fdt_add_tpm_kaslr_seed - Add kalsr-seed node in Device tree with random
> + *                         bytes from TPM device
> + * @fdt:               Device tree
> + * @eret:              0 for success
> + */
> +int fdt_tpm_kaslr_seed(void *fdt)
> +{
> +       u8 rand[8] = {0};
> +       struct udevice *dev;
> +       int ret;
> +
> +       ret = uclass_get_device(UCLASS_TPM, 0, &dev);

uclass_first_device_err(UCLASS_TPM, &dev)

> +       if (ret) {
> +               printf("ERROR: Failed to find TPM device\n");
> +               return ret;
> +       }
> +
> +       ret = tpm_get_random(dev, rand, sizeof(rand));
> +       if (ret) {
> +               printf("ERROR: TPM GetRandom failed, ret=%d\n", ret);
> +               return ret;
> +       }
> +
> +       ret = fdt_fixup_kaslr_seed(fdt, rand, sizeof(rand));
> +       if (ret) {
> +               printf("ERROR: failed to add kaslr-seed to fdt\n");
> +               return ret;
> +       }
> +
> +       return 0;
> +}
> +
>  int fdt_record_loadable(void *blob, u32 index, const char *name,
>                         uintptr_t load_addr, u32 size, uintptr_t entry_point,
>                         const char *type, const char *os, const char *arch)
> diff --git a/include/fdt_support.h b/include/fdt_support.h
> index d74ef4e0a7..9e50db1b96 100644
> --- a/include/fdt_support.h
> +++ b/include/fdt_support.h
> @@ -123,6 +123,7 @@ static inline int fdt_fixup_memory_banks(void *blob, u64 start[], u64 size[],
>  void fdt_fixup_ethernet(void *fdt);
>
>  int fdt_fixup_kaslr_seed(void *fdt, const u8 *seed, int len);
> +int fdt_tpm_kaslr_seed(void *fdt);
>
>  int fdt_find_and_setprop(void *fdt, const char *node, const char *prop,
>                          const void *val, int len, int create);
> diff --git a/lib/Kconfig b/lib/Kconfig
> index 3926652db6..1530ef7c86 100644
> --- a/lib/Kconfig
> +++ b/lib/Kconfig
> @@ -465,6 +465,15 @@ config VPL_TPM
>           for the low-level TPM interface, but only one TPM is supported at
>           a time by the TPM library.
>
> +config KASLR_TPM_SEED
> +       bool "Use TPM for KASLR random seed"
> +       depends on TPM_V1 || TPM_V2
> +       help
> +         This enables support for using TPMs as entropy source for KASLR seed
> +         populated in kernel's device tree. Both TPMv1 and TPMv2 are supported
> +         for the low-level TPM interface, but only one TPM is supported at
> +         a time by the library.
> +
>  endmenu
>
>  menu "Android Verified Boot"
> --
> 2.40.0

Regards,
Simon

More information about the U-Boot mailing list