Hi Peter

On Wed, Dec 15, 2021 at 01:36:07PM +0000, Peter Maydell wrote:
> On Wed, 15 Dec 2021 at 12:09, Alex Bennée <alex.ben...@linaro.org> wrote:
> >
> > Generally a guest needs an external source of randomness to properly
> > enable things like address space randomisation. However in a trusted
> > boot environment where the firmware will cryptographically verify
> > components having random data in the DTB will cause verification to
> > fail. Add a control knob so we can prevent this being added to the
> > system DTB.
> 
> Given that the DTB is automatically generated for the virt board,
> firmware has no way to guarantee that it's the same every time
> anyway, surely ?

The firmware needs hardware assistance to do this. In order to have some
guarantees on the loaded DTB, the firmware measures and extends the TPM PCRs.
In that case you'd expect the measurements to match across reboots assuming
the command line hasn't been changed. The kaslr-seed is obviously a deal
breaker for this.

Thanks
/Ilias
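To make the measured-boot point concrete, here is an added example (not code from the QEMU patch or from anyone in this thread) that simulates the firmware measuring a DTB into a TPM PCR. It assumes a SHA-256 PCR bank with the TPM 2.0 extend rule `new = H(old || digest)` and uses a constructed, simplified stand-in for the DTB rather than real flattened-device-tree encoding; `build_dtb`, `measured_boot` and `pcr_stable_across_reboots` are names invented for this example. It shows that a DTB without `kaslr-seed` yields the same PCR value on every boot, while one carrying a fresh random seed yields a different value each time, which is exactly what breaks verification against a stored expected measurement.

```python
import hashlib
import os
from typing import Optional

# TPM 2.0 PCRs in the SHA-256 bank start out as all zeros.
PCR_INIT = bytes(32)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend: new_pcr = SHA-256(old_pcr || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def build_dtb(kaslr_seed: Optional[bytes]) -> bytes:
    """Constructed stand-in for a QEMU virt-board DTB (not real FDT encoding).

    The body is fixed; the only thing that varies is whether a
    /chosen/kaslr-seed property is present and what value it carries.
    """
    body = b'/chosen { bootargs = "console=ttyAMA0"; };'
    if kaslr_seed is not None:
        body += b"/chosen { kaslr-seed = <" + kaslr_seed.hex().encode() + b">; };"
    return body


def measured_boot(dtb: bytes, pcr: bytes = PCR_INIT) -> bytes:
    """What the firmware does on each boot: hash the DTB it was handed and
    extend a PCR with that digest. Returns the resulting PCR value."""
    return pcr_extend(pcr, hashlib.sha256(dtb).digest())


def boot(with_seed: bool) -> bytes:
    """One simulated boot. With the seed enabled, QEMU would generate a fresh
    random kaslr-seed every time, modelled here with os.urandom()."""
    seed = os.urandom(8) if with_seed else None
    return measured_boot(build_dtb(seed))


def pcr_stable_across_reboots(with_seed: bool, reboots: int = 3) -> bool:
    """True if every simulated reboot lands on the identical PCR value,
    i.e. a stored expected measurement would keep verifying."""
    return len({boot(with_seed) for _ in range(reboots)}) == 1


def verify_against_expected(expected_pcr: bytes, with_seed: bool) -> bool:
    """Attestation-style check: does this boot's PCR match the golden value
    recorded earlier for the seed-less DTB?"""
    return boot(with_seed) == expected_pcr


if __name__ == "__main__":
    golden = measured_boot(build_dtb(None))
    print("no seed, stable across reboots:", pcr_stable_across_reboots(False))
    print("with seed, stable across reboots:", pcr_stable_across_reboots(True))
    print("no seed verifies against golden:", verify_against_expected(golden, False))
    print("with seed verifies against golden:", verify_against_expected(golden, True))
```

The golden value here plays the role of the reference measurement a verifier would hold for a trusted-boot image; anything that varies per boot inside the measured DTB, such as a random seed, necessarily invalidates it, which is why a knob to omit the seed is needed rather than any change on the firmware side.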
