From: Heinrich Schuchardt <xypron.glpk@gmx.de>
To: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: ardb@kernel.org, mark.kettenis@xs4all.nl,
Alexander Graf <agraf@csgraf.de>,
u-boot@lists.denx.de
Subject: Re: [PATCH v2] efi_loader: Get rid of kaslr-seed
Date: Fri, 17 Dec 2021 11:59:42 +0100 [thread overview]
Message-ID: <a2cc0b09-3bdd-f721-eb67-cd81076aded7@gmx.de> (raw)
In-Reply-To: <20211217070644.2458603-1-ilias.apalodimas@linaro.org>
On 12/17/21 08:06, Ilias Apalodimas wrote:
> Right now we unconditionally pass a 'kaslr-seed' property to the kernel
> if the DTB we ended up in EFI includes the entry. However the kernel
> EFI stub completely ignores it and only relies on EFI_RNG_PROTOCOL for
> it's own randomness needs (i.e the randomization of the physical
> placement of the kernel).
> So let's get rid of it if EFI_RNG_PPROTOCOL is installed.
>
> It's worth noting that TPMs also provide an RNG. So if we tweak our
> EFI_RNG_PROTOCOL slightly and install the protocol when a TPM device
> is present the 'kaslr-seed' property will always be removed, allowing
> us to reliably measure our DTB as well.
>
> Acked-by: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
> changes since v1:
> - Only removing the property if EFI_RNG_PROTOCOL is installed, since some
> OS'es rely on kaslr-seed
Each TPMv2 provides a hardware RNG. So you can unconditionally remove
the kaslr-seed and create a new one by calling TPM2_GetRandom().
It would further be useful to provide a DM RNG driver using
TPM2_GetRandom().
Best regards
Heinrich
next prev parent reply other threads:[~2021-12-17 10:59 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-17 7:06 [PATCH v2] efi_loader: Get rid of kaslr-seed Ilias Apalodimas
2021-12-17 10:59 ` Heinrich Schuchardt [this message]
2021-12-17 11:13 ` Ilias Apalodimas
2021-12-17 11:13 ` Mark Kettenis
2021-12-17 11:23 ` Ilias Apalodimas
2021-12-17 11:33 ` Mark Kettenis
2022-01-02 10:05 ` Heinrich Schuchardt
2022-01-02 20:50 ` Ilias Apalodimas
2022-01-02 21:06 ` Heinrich Schuchardt
2022-01-02 21:27 ` Mark Kettenis
2022-01-03 7:30 ` Ilias Apalodimas
2022-01-03 7:27 ` Ilias Apalodimas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a2cc0b09-3bdd-f721-eb67-cd81076aded7@gmx.de \
--to=xypron.glpk@gmx.de \
--cc=agraf@csgraf.de \
--cc=ardb@kernel.org \
--cc=ilias.apalodimas@linaro.org \
--cc=mark.kettenis@xs4all.nl \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.