[PATCH 1/1] efi_leader: delete rng-seed if having EFI RNG protocol
Heinrich Schuchardt
heinrich.schuchardt at canonical.com
Thu Sep 19 17:05:41 CEST 2024
On 19.09.24 17:00, Simon Glass wrote:
> Hi,
>
> On Thu, 19 Sept 2024 at 16:32, Ilias Apalodimas
> <ilias.apalodimas at linaro.org> wrote:
>>
>> Hi all,
>>
>> On Thu, 19 Sept 2024 at 17:20, Heinrich Schuchardt
>> <heinrich.schuchardt at canonical.com> wrote:
>>>
>>> On 19.09.24 16:10, Simon Glass wrote:
>>>> Hi Heinrich,
>>>>
>>>> On Sat, 14 Sept 2024 at 18:06, Heinrich Schuchardt
>>>> <heinrich.schuchardt at canonical.com> wrote:
>>>>>
>>>>> For measured be boot we must avoid any volatile values in the device-tree.
>>>>> We already delete /chosen/kaslr-seed if we provide and EFI RNG protocol.
>>>>
>>>> Could you explain a bit why this is, and where this is checked?
>>>>>
>>>>> Additionally remove /chosen/rng-seed provided by QEMU or U-Boot.
>>>
>>> Measured boot relies on creating hashes of artifacts and writing these
>>> to TPM. If the hashes don't match the OS will either warn or refuse to
>>> boot. The device-tree is one of the artifacts that are measured.
>>>
>>> If we have random values in /chosen, measured boot will fail.
>>>
>>> When an EFI RNG protocol is provided by the firmware, GRUB and the
>>> kernel will use it instead of /chosen/rng-seed and /chosen/kaslr-seed.
>>
>> There's a comment on top of that function that explains what happens as well.
>> In short the EFI stub does not even look at the KASLR seed and never
>> randomizes the physical placement of the kernel. It only does that
>> when the EFI_RNG protocol is there.
>
> OK thank you. I suppose I am more just wondering why it got added in
> the first place?
For booting via the legacy Linux entry point adding kaslr-seed allows to
randomize addresses. QEMU adds rng-seed instead of kaslr-seed.
Best regards
Heinrich
>
> Regards,
> Simon
>
>
>>
>> Regards
>> /Ilias
>>>
>>> Best regards
>>>
>>> Heinrich
>>>
>>>>>
>>>>> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
>>>>> ---
>>>>> include/efi_loader.h | 2 +-
>>>>> lib/efi_loader/efi_dt_fixup.c | 15 ++++++++++-----
>>>>> lib/efi_loader/efi_helper.c | 2 +-
>>>>> 3 files changed, 12 insertions(+), 7 deletions(-)
>>>>
>>>> [..]
>>>>
>>>> Regards,
>>>> Simon
>>>
More information about the U-Boot
mailing list