[PATCH 1/1] efi_leader: delete rng-seed if having EFI RNG protocol

[Simon Glass]

Hi,

On Thu, 19 Sept 2024 at 16:32, Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> Hi all,
>
> On Thu, 19 Sept 2024 at 17:20, Heinrich Schuchardt
> <heinrich.schuchardt at canonical.com> wrote:
> >
> > On 19.09.24 16:10, Simon Glass wrote:
> > > Hi Heinrich,
> > >
> > > On Sat, 14 Sept 2024 at 18:06, Heinrich Schuchardt
> > > <heinrich.schuchardt at canonical.com> wrote:
> > >>
> > >> For measured be boot we must avoid any volatile values in the device-tree.
> > >> We already delete /chosen/kaslr-seed if we provide and EFI RNG protocol.
> > >
> > > Could you explain a bit why this is, and where this is checked?
> > >>
> > >> Additionally remove /chosen/rng-seed provided by QEMU or U-Boot.
> >
> > Measured boot relies on creating hashes of artifacts and writing these
> > to TPM. If the hashes don't match the OS will either warn or refuse to
> > boot. The device-tree is one of the artifacts that are measured.
> >
> > If we have random values in /chosen, measured boot will fail.
> >
> > When an EFI RNG protocol is provided by the firmware, GRUB and the
> > kernel will use it instead of /chosen/rng-seed and /chosen/kaslr-seed.
>
> There's a comment on top of that function that explains what happens as well.
> In short the EFI stub does not even look at the KASLR seed and never
> randomizes the physical placement of the kernel. It only does that
> when the EFI_RNG protocol is there.

OK thank you. I suppose I am more just wondering why it got added in
the first place?

Regards,
Simon


>
> Regards
> /Ilias
> >
> > Best regards
> >
> > Heinrich
> >
> > >>
> > >> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
> > >> ---
> > >>   include/efi_loader.h          |  2 +-
> > >>   lib/efi_loader/efi_dt_fixup.c | 15 ++++++++++-----
> > >>   lib/efi_loader/efi_helper.c   |  2 +-
> > >>   3 files changed, 12 insertions(+), 7 deletions(-)
> > >
> > > [..]
> > >
> > > Regards,
> > > Simon
> >