[PATCH 1/3] fdt: common API to populate kaslr seed

Chris Morgan macromorgan at hotmail.com
Thu Aug 10 20:17:21 CEST 2023 

On Wed, Aug 09, 2023 at 07:49:08PM -0600, Simon Glass wrote:
> Hi Sean,
> 
> On Wed, 9 Aug 2023 at 16:35, Sean Edmond <seanedmond at linux.microsoft.com> wrote:
> >
> >
> > On 2023-08-08 7:03 p.m., Simon Glass wrote:
> > > Hi,
> > >
> > > On Fri, 4 Aug 2023 at 17:34, <seanedmond at linux.microsoft.com> wrote:
> > >> From: Dhananjay Phadke <dphadke at linux.microsoft.com>
> > >>
> > >> fdt_fixup_kaslr_seed() will update given FDT with random seed value.
> > >> Source for random seed can be TPM or RNG driver in u-boot or sec
> > >> firmware (ARM).
> > >>
> > >> Signed-off-by: Dhananjay Phadke <dphadke at linux.microsoft.com>
> > >> ---
> > >>   arch/arm/cpu/armv8/sec_firmware.c | 32 +++++++------------------------
> > >>   common/fdt_support.c              | 31 ++++++++++++++++++++++++++++++
> > >>   include/fdt_support.h             |  3 +++
> > >>   3 files changed, 41 insertions(+), 25 deletions(-)
> > > We need to find a way to use the ofnode API here.
> > >
> > >> diff --git a/arch/arm/cpu/armv8/sec_firmware.c b/arch/arm/cpu/armv8/sec_firmware.c
> > >> index c0e8726346..84ba49924e 100644
> > >> --- a/arch/arm/cpu/armv8/sec_firmware.c
> > >> +++ b/arch/arm/cpu/armv8/sec_firmware.c
> > >> @@ -411,46 +411,28 @@ int sec_firmware_init(const void *sec_firmware_img,
> > >>   /*
> > >>    * fdt_fix_kaslr - Add kalsr-seed node in Device tree
> > >>    * @fdt:               Device tree
> > >> - * @eret:              0 in case of error, 1 for success
> > >> + * @eret:              0 for success
> > >>    */
> > >>   int fdt_fixup_kaslr(void *fdt)
> > > You could pass an oftree to this function, e.g. obtained with:
> > >
> > > oftree_from_fdt(fdt)
> >
> > The common API I added is fdt_fixup_kaslr_seed(), which was added to
> > "common/fdt_support.c".
> >
> > There are 3 callers:
> > sec_firmware_init()->fdt_fixup_kaslr_seed()
> > do_kaslr_seed()->fdt_fixup_kaslr_seed()
> > image_setup_libfdt()->fdt_tpm_kaslr_seed->fdt_fixup_kaslr_seed()
> >
> > I think the ask is to create a common API that uses the ofnode API.  So,
> > instead of fdt_fixup_kaslr_seed() I can create
> > ofnode_fixup_kaslr_seed()?  Where should it live?
> 
> If you like you could add common/ofnode_support.c ?
> 
> But it is OK to have it in the same file, I think.
> 
> > Are you also wanting
> > the callers (eg. fdt_tpm_kaslr_seed, fdt_fixup_kaslr) to take oftree as
> > input too?
> 
> So far as you can go, yes. Also you may want to pass an ofnode (the
> root node) so that things can deal with adding their stuff to any
> node.
> 
> Regards,
> Simon

I'm almost wondering if now would be a good time to look at removing
the kaslrseed command and instead doing it in the fdt_support.c like
we do with rng-seed and like is being done here with the TPM seeding.

I'm not a security expert and please don't yell at me if I'm proposing
something stupid, but what if the kaslrseed command be reworked to
only seed with software based entropy via the rand() function?

Thank you,
Chris Morgan

More information about the U-Boot mailing list