Hi Heinrich,

On Fri, 17 Dec 2021 at 12:59, Heinrich Schuchardt <xypron.g...@gmx.de> wrote:
>
> On 12/17/21 08:06, Ilias Apalodimas wrote:
> > Right now we unconditionally pass a 'kaslr-seed' property to the kernel
> > if the DTB we ended up in EFI includes the entry. However the kernel
> > EFI stub completely ignores it and only relies on EFI_RNG_PROTOCOL for
> > its own randomness needs (i.e. the randomization of the physical
> > placement of the kernel).
> > So let's get rid of it if EFI_RNG_PROTOCOL is installed.
> >
> > It's worth noting that TPMs also provide an RNG. So if we tweak our
> > EFI_RNG_PROTOCOL slightly and install the protocol when a TPM device
> > is present the 'kaslr-seed' property will always be removed, allowing
> > us to reliably measure our DTB as well.
> >
> > Acked-by: Ard Biesheuvel <a...@kernel.org>
> > Signed-off-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
> > ---
> > changes since v1:
> > - Only removing the property if EFI_RNG_PROTOCOL is installed, since some
> >   OSes rely on kaslr-seed
>
> Each TPMv2 provides a hardware RNG. So you can unconditionally remove
> the kaslr-seed and create a new one by calling TPM2_GetRandom().
>
> It would further be useful to provide a DM RNG driver using
> TPM2_GetRandom().

Yes, it would, but that's orthogonal to this patch. I did look at this and
there's a bit of plumbing still missing, which I'll fix when I post the
series for measuring a DTB.

Cheers
/Ilias

>
> Best regards
>
> Heinrich
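The measurement problem behind the patch, as an added example that is not code from the patch or from U-Boot: a minimal walker for the flattened-device-tree structure block that deletes /chosen/kaslr-seed only when EFI_RNG_PROTOCOL is installed (the v2 rule), plus a SHA-256 stand-in for the TPM measurement showing that the DTB digest only becomes stable across boots once the per-boot seed is gone. The sample structure/strings blocks, the seeds and all function names are constructed for this example.

```python
import hashlib
import struct

FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_END = 1, 2, 3, 9  # DT spec 5.4.1 tokens, 4-byte aligned

def parse_struct(struct_blk, strings_blk):
    """Yield (kind, name, start, end) for each token of an FDT structure block."""
    off = 0
    while off < len(struct_blk):
        tok = struct.unpack_from(">I", struct_blk, off)[0]
        start, off = off, off + 4
        if tok == FDT_BEGIN_NODE:
            nul = struct_blk.index(b"\0", off)  # node name is NUL-terminated, then padded
            off = (nul + 4) & ~3
            yield "begin", struct_blk[start + 4:nul].decode(), start, off
        elif tok == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", struct_blk, off)
            name = strings_blk[nameoff:strings_blk.index(b"\0", nameoff)].decode()
            off = (off + 8 + length + 3) & ~3  # skip len/nameoff words and the padded value
            yield "prop", name, start, off
        elif tok == FDT_END_NODE:
            yield "end", None, start, off
        elif tok == FDT_END:
            return  # FDT_NOP (4) carries no payload and is simply skipped
def strip_kaslr_seed(struct_blk, strings_blk, rng_protocol_installed):
    """The patch's rule: delete /chosen/kaslr-seed only when EFI_RNG_PROTOCOL is installed."""
    if not rng_protocol_installed:
        return struct_blk  # some OSes still rely on the seed, so leave it alone
    path = []
    for kind, name, start, end in parse_struct(struct_blk, strings_blk):
        if kind == "begin":
            path.append(name)
        elif kind == "end":
            path.pop()
        elif name == "kaslr-seed" and path == ["", "chosen"]:
            # Cut the property out; as with fdt_delprop(), its name stays in the strings block.
            return struct_blk[:start] + struct_blk[end:]
    return struct_blk
def measure(struct_blk):
    """Stand-in for the TPM PCR extend of the DTB: SHA-256 over the structure block."""
    return hashlib.sha256(struct_blk).hexdigest()
def sample_dtb(seed):
    """Constructed blocks for: / { chosen { bootargs = "console=ttyS0"; kaslr-seed = <seed>; }; };"""
    strings = b"bootargs\0kaslr-seed\0"
    blob = (struct.pack(">I", FDT_BEGIN_NODE) + b"\0\0\0\0"                 # root node, empty name
            + struct.pack(">I", FDT_BEGIN_NODE) + b"chosen\0\0"             # /chosen, padded to 8
            + struct.pack(">III", FDT_PROP, 14, 0) + b"console=ttyS0\0\0\0" # bootargs, padded to 16
            + struct.pack(">III", FDT_PROP, 8, 9) + seed                    # 8-byte kaslr-seed
            + struct.pack(">III", FDT_END_NODE, FDT_END_NODE, FDT_END))
    return blob, strings
```

Two boots with different seeds give different digests while the property is present and identical digests once it is stripped; with `rng_protocol_installed=False` the blocks are returned untouched.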