[PATCH v2 2/4] fdt: kaslr seed from tpm entropy
Simon Glass
sjg at chromium.org
Thu Aug 31 21:02:01 CEST 2023
Hi Sean,
On Tue, 29 Aug 2023 at 14:37, <seanedmond at linux.microsoft.com> wrote:
>
> From: Dhananjay Phadke <dphadke at linux.microsoft.com>
>
> Add support for a KASLR seed from a TPM device. Invokes the tpm_get_random()
> API to read 8 random bytes for the KASLR seed.
>
> Signed-off-by: Dhananjay Phadke <dphadke at linux.microsoft.com>
> Signed-off-by: Drew Kluemke <ankluemk at microsoft.com>
> Signed-off-by: Sean Edmond <seanedmond at microsoft.com>
> ---
> boot/image-fdt.c | 15 +++++++++++++++
> common/fdt_support.c | 30 ++++++++++++++++++++++++++++++
> include/fdt_support.h | 8 ++++++++
> lib/Kconfig | 9 +++++++++
> 4 files changed, 62 insertions(+)
>
> diff --git a/boot/image-fdt.c b/boot/image-fdt.c
> index f10200f647..ed38ed77b9 100644
> --- a/boot/image-fdt.c
> +++ b/boot/image-fdt.c
> @@ -624,6 +624,21 @@ int image_setup_libfdt(struct bootm_headers *images, void *blob,
> goto err;
> }
>
> + if (IS_ENABLED(CONFIG_KASLR_TPM_SEED)) {
> + ofnode root;
> +
> + ret = root_ofnode_from_fdt(blob, &root);
But can't you drop all this code and use an event spy?
> + if (ret) {
> + printf("ERROR: Unable to get root ofnode\n");
> + goto err;
> + }
> + ret = fdt_tpm_kaslr_seed(root);
This function can have a test.
> + if (ret) {
> + printf("ERROR: fdt fixup KASLR failed: %d\n", ret);
> + goto err;
> + }
> + }
> +
> fdt_ret = optee_copy_fdt_nodes(blob);
> if (fdt_ret) {
> printf("ERROR: transfer of optee nodes to new fdt failed: %s\n",
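Review bot: With `CONFIG_KASLR_TPM_SEED` enabled, both failure branches in the added block take `goto err`, so an absent or failing TPM presumably fails the device-tree setup instead of continuing without a seed. Neither this code nor the new help text in `lib/Kconfig` says that this is intended. If failing closed is the intent, say so in a comment above the block, e.g. `/* Refuse to continue without a TPM-provided kaslr-seed */`, and add a sentence to the Kconfig help stating that boot fails when the TPM cannot supply random bytes. image_setup_libfdt() starts and ends outside this hunk, so what the `err` label does is not visible here.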
> diff --git a/common/fdt_support.c b/common/fdt_support.c
> index 52be4375b4..d338fcde54 100644
> --- a/common/fdt_support.c
> +++ b/common/fdt_support.c
> @@ -13,6 +13,9 @@
> #include <mapmem.h>
> #include <net.h>
> #include <stdio_dev.h>
> +#include <tpm_api.h>
> +#include <dm/device.h>
> +#include <dm/uclass.h>
> #include <dm/ofnode.h>
> #include <linux/ctype.h>
> #include <linux/types.h>
> @@ -650,6 +653,33 @@ int fdt_fixup_kaslr_seed(ofnode node, const u8 *seed, int len)
> return 0;
> }
>
> +int fdt_tpm_kaslr_seed(ofnode node)
> +{
> + u8 rand[8] = {0};
> + struct udevice *dev;
> + int ret;
> +
> + ret = uclass_first_device_err(UCLASS_TPM, &dev);
> + if (ret) {
> + printf("ERROR: Failed to find TPM device\n");
> + return ret;
> + }
> +
> + ret = tpm_get_random(dev, rand, sizeof(rand));
> + if (ret) {
> + printf("ERROR: TPM GetRandom failed, ret=%d\n", ret);
> + return ret;
> + }
> +
> + ret = fdt_fixup_kaslr_seed(node, rand, sizeof(rand));
> + if (ret) {
> + printf("ERROR: failed to add kaslr-seed to fdt\n");
> + return ret;
> + }
> +
> + return 0;
> +}
> +
> int fdt_record_loadable(void *blob, u32 index, const char *name,
> uintptr_t load_addr, u32 size, uintptr_t entry_point,
> const char *type, const char *os, const char *arch)
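Review bot: The seed stays in the stack buffer `rand` after fdt_tpm_kaslr_seed() returns, both on success and on the fdt_fixup_kaslr_seed() failure path. Since it is the secret behind the kernel's address randomisation, wipe it before those returns, e.g. `memset(rand, 0, sizeof(rand));`, in a form the compiler cannot drop as a dead store. Separately, nothing in the hunk starts the TPM before tpm_get_random() is called; if no earlier boot stage has done so the call would presumably fail, so that precondition should be documented or handled here. The local name `rand` also shadows the C library function of that name; `seed` would read better.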
> diff --git a/include/fdt_support.h b/include/fdt_support.h
> index d967118bed..117ca14ca5 100644
> --- a/include/fdt_support.h
> +++ b/include/fdt_support.h
> @@ -130,6 +130,14 @@ void fdt_fixup_ethernet(void *fdt);
> */
> int fdt_fixup_kaslr_seed(ofnode node, const u8 *seed, int len);
>
> +/*
> + * fdt_add_tpm_kaslr_seed - Add kalsr-seed node in Device tree with random
> + * bytes from TPM device
> + * @node: ofnode
> + * @eret: 0 for success
> + */
> +int fdt_tpm_kaslr_seed(ofnode node);
> +
> int fdt_find_and_setprop(void *fdt, const char *node, const char *prop,
> const void *val, int len, int create);
> void fdt_fixup_qe_firmware(void *fdt);
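Review bot: The comment above the new prototype documents `fdt_add_tpm_kaslr_seed`, but the function declared is `fdt_tpm_kaslr_seed`. It also spells kaslr-seed as "kalsr-seed" and uses `@eret:` for the return value. Suggested lines: `* fdt_tpm_kaslr_seed() - Add kaslr-seed to the device tree with random bytes from the TPM device` and `* Return: 0 for success, otherwise the error from the TPM lookup, GetRandom or the fixup`. The opening of the preceding comment is outside the hunk, so whether `/*` or `/**` is used should follow what this header does elsewhere.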
> diff --git a/lib/Kconfig b/lib/Kconfig
> index 3926652db6..1530ef7c86 100644
> --- a/lib/Kconfig
> +++ b/lib/Kconfig
> @@ -465,6 +465,15 @@ config VPL_TPM
> for the low-level TPM interface, but only one TPM is supported at
> a time by the TPM library.
>
> +config KASLR_TPM_SEED
> + bool "Use TPM for KASLR random seed"
> + depends on TPM_V1 || TPM_V2
> + help
> + This enables support for using TPMs as entropy source for KASLR seed
> + populated in kernel's device tree. Both TPMv1 and TPMv2 are supported
> + for the low-level TPM interface, but only one TPM is supported at
> + a time by the library.
> +
> endmenu
>
> menu "Android Verified Boot"
> --
> 2.40.0
>
Regards,
Simon