From: Matt Fleming <matt@codeblueprint.co.uk>
To: Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
"H . Peter Anvin" <hpa@zytor.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org,
Matt Fleming <matt@codeblueprint.co.uk>,
Kees Cook <keescook@chromium.org>
Subject: [PATCH 5/9] efi/arm*: libstub: Invoke EFI_RNG_PROTOCOL to seed the UEFI RNG table
Date: Sat, 12 Nov 2016 21:32:33 +0000
Message-ID: <20161112213237.8804-6-matt@codeblueprint.co.uk>
In-Reply-To: <20161112213237.8804-1-matt@codeblueprint.co.uk>
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Invoke the EFI_RNG_PROTOCOL protocol in the context of the stub and
install the Linux-specific RNG seed UEFI config table. This will be
picked up by the EFI routines in the core kernel to seed the kernel
entropy pool.
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
drivers/firmware/efi/libstub/arm-stub.c | 2 ++
drivers/firmware/efi/libstub/efistub.h | 2 ++
drivers/firmware/efi/libstub/random.c | 48 +++++++++++++++++++++++++++++++++
include/linux/efi.h | 1 +
4 files changed, 53 insertions(+)
diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
index 993aa56755f6..b4f7d78f9e8b 100644
--- a/drivers/firmware/efi/libstub/arm-stub.c
+++ b/drivers/firmware/efi/libstub/arm-stub.c
@@ -340,6 +340,8 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table,
if (status != EFI_SUCCESS)
pr_efi_err(sys_table, "Failed initrd from command line!\n");
+ efi_random_get_seed(sys_table);
+
new_fdt_addr = fdt_addr;
status = allocate_new_fdt_and_exit_boot(sys_table, handle,
&new_fdt_addr, dram_base + MAX_FDT_OFFSET,
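Review bot: the return value of efi_random_get_seed() is discarded at the call site in efi_entry(), so a firmware that exposes EFI_RNG_PROTOCOL but then fails (get_rng() error, allocate_pool or install_configuration_table failure) looks exactly like a platform with no RNG protocol at all. EFI_NOT_FOUND from locate_protocol is the common case and should stay silent, but the other failures deserve the same treatment as the initrd failure two lines above, e.g.
status = efi_random_get_seed(sys_table);
if (status != EFI_SUCCESS && status != EFI_NOT_FOUND)
	pr_efi_err(sys_table, "EFI_RNG_PROTOCOL present but seeding failed!\n");
The placement itself is right: the call has to precede allocate_new_fdt_and_exit_boot(), since locate_protocol, allocate_pool and install_configuration_table are boot services.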
diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
index fe1f22584c69..b98824e3800a 100644
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -71,4 +71,6 @@ efi_status_t efi_random_alloc(efi_system_table_t *sys_table_arg,
efi_status_t check_platform_features(efi_system_table_t *sys_table_arg);
+efi_status_t efi_random_get_seed(efi_system_table_t *sys_table_arg);
+
#endif
diff --git a/drivers/firmware/efi/libstub/random.c b/drivers/firmware/efi/libstub/random.c
index f8e2e5ae6872..3a3feacc329f 100644
--- a/drivers/firmware/efi/libstub/random.c
+++ b/drivers/firmware/efi/libstub/random.c
@@ -143,3 +143,51 @@ efi_status_t efi_random_alloc(efi_system_table_t *sys_table_arg,
return status;
}
+
+#define RANDOM_SEED_SIZE 32
+
+efi_status_t efi_random_get_seed(efi_system_table_t *sys_table_arg)
+{
+ efi_guid_t rng_proto = EFI_RNG_PROTOCOL_GUID;
+ efi_guid_t rng_algo_raw = EFI_RNG_ALGORITHM_RAW;
+ efi_guid_t rng_table_guid = LINUX_EFI_RANDOM_SEED_TABLE_GUID;
+ struct efi_rng_protocol *rng;
+ struct linux_efi_random_seed *seed;
+ efi_status_t status;
+
+ status = efi_call_early(locate_protocol, &rng_proto, NULL,
+ (void **)&rng);
+ if (status != EFI_SUCCESS)
+ return status;
+
+ status = efi_call_early(allocate_pool, EFI_RUNTIME_SERVICES_DATA,
+ sizeof(*seed) + RANDOM_SEED_SIZE,
+ (void **)&seed);
+ if (status != EFI_SUCCESS)
+ return status;
+
+ status = rng->get_rng(rng, &rng_algo_raw, RANDOM_SEED_SIZE,
+ seed->bits);
+ if (status == EFI_UNSUPPORTED)
+ /*
+ * Use whatever algorithm we have available if the raw algorithm
+ * is not implemented.
+ */
+ status = rng->get_rng(rng, NULL, RANDOM_SEED_SIZE,
+ seed->bits);
+
+ if (status != EFI_SUCCESS)
+ goto err_freepool;
+
+ seed->size = RANDOM_SEED_SIZE;
+ status = efi_call_early(install_configuration_table, &rng_table_guid,
+ seed);
+ if (status != EFI_SUCCESS)
+ goto err_freepool;
+
+ return EFI_SUCCESS;
+
+err_freepool:
+ efi_call_early(free_pool, seed);
+ return status;
+}
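Review bot: the 32-byte seed is handed over in a configuration table backed by EFI_RUNTIME_SERVICES_DATA, which by design stays mapped for the lifetime of the system, not just until the kernel's EFI code reads it; the commit message should state that the consumer of LINUX_EFI_RANDOM_SEED_TABLE_GUID is expected to overwrite seed->bits (memzero_explicit or equivalent) once the bytes are mixed into the pool, otherwise the exact seed material remains recoverable from a memory dump or from any later reader of the config table. A second point on the fallback path: get_rng(rng, NULL, ...) asks the firmware for its default algorithm, which per the UEFI specification may be a DRBG output rather than raw entropy, so the comment "Use whatever algorithm we have available if the raw algorithm is not implemented" should say that the result may be derived rather than raw, which matters for how much entropy the kernel side credits it with. The error handling is otherwise sound: every failure after allocate_pool() frees the buffer, and size is set only after get_rng() succeeded.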
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 85e28b138cdd..f5a821d9b90c 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -589,6 +589,7 @@ void efi_native_runtime_setup(void);
#define DEVICE_TREE_GUID EFI_GUID(0xb1b621d5, 0xf19c, 0x41a5, 0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0)
#define EFI_PROPERTIES_TABLE_GUID EFI_GUID(0x880aaca3, 0x4adc, 0x4a04, 0x90, 0x79, 0xb7, 0x47, 0x34, 0x08, 0x25, 0xe5)
#define EFI_RNG_PROTOCOL_GUID EFI_GUID(0x3152bca5, 0xeade, 0x433d, 0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44)
+#define EFI_RNG_ALGORITHM_RAW EFI_GUID(0xe43176d7, 0xb6e8, 0x4827, 0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61)
#define EFI_MEMORY_ATTRIBUTES_TABLE_GUID EFI_GUID(0xdcfa911d, 0x26eb, 0x469f, 0xa2, 0x20, 0x38, 0xb7, 0xdc, 0x46, 0x12, 0x20)
#define EFI_CONSOLE_OUT_DEVICE_GUID EFI_GUID(0xd3b36f2c, 0xd551, 0x11d4, 0x9a, 0x46, 0x00, 0x90, 0x27, 0x3f, 0xc1, 0x4d)
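Review bot: naming in include/linux/efi.h: every neighbouring define in this block carries a _GUID suffix (EFI_RNG_PROTOCOL_GUID, EFI_MEMORY_ATTRIBUTES_TABLE_GUID), so EFI_RNG_ALGORITHM_RAW reads like an integer or enum constant rather than a GUID; EFI_RNG_ALGORITHM_RAW_GUID would match the convention and the fact that random.c initialises an efi_guid_t from it. The value itself matches the EFI_RNG_ALGORITHM_RAW GUID defined in the UEFI specification (e43176d7-b6e8-4827-b784-7ffdc4b68561).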
--
2.10.0
Thread overview: 32+ messages
2016-11-12 21:32 [GIT PULL 0/9] EFI changes for v4.10 Matt Fleming
2016-11-12 21:32 ` [PATCH 1/9] efi/libstub: Fix allocation size calculations Matt Fleming
2016-11-13 9:04 ` [tip:efi/core] " tip-bot for Roy Franz
2016-11-12 21:32 ` [PATCH 4/9] efi/libstub: Add random.c to ARM build Matt Fleming
2016-11-13 9:05 ` [tip:efi/core] " tip-bot for Ard Biesheuvel
2016-11-12 21:32 ` [PATCH 6/9] efi: Add device path parser Matt Fleming
2016-11-13 9:07 ` [tip:efi/core] " tip-bot for Lukas Wunner
2016-11-12 21:32 ` [PATCH 2/9] MAINTAINERS: Add ARM and arm64 EFI specific files to EFI subsystem Matt Fleming
2016-11-13 9:04 ` [tip:efi/core] " tip-bot for Ard Biesheuvel
2016-11-12 21:32 ` [PATCH 3/9] efi: Add support for seeding the RNG from a UEFI config table Matt Fleming
2016-11-13 9:05 ` [tip:efi/core] " tip-bot for Ard Biesheuvel
2016-11-12 21:32 ` [PATCH 5/9] efi/arm*: libstub: Invoke EFI_RNG_PROTOCOL to seed the UEFI RNG table Matt Fleming [this message]
2016-11-13 7:19 ` Ingo Molnar
2016-11-13 8:59 ` Ingo Molnar
2016-11-14 13:27 ` Matt Fleming
2016-11-14 15:10 ` Lukas Wunner
2016-11-15 10:50 ` [tip:efi/core] thunderbolt, efi: Fix Kconfig dependencies tip-bot for Lukas Wunner
2016-11-14 13:23 ` Matt Fleming
2016-11-14 13:55 ` Ingo Molnar
2016-11-14 14:01 ` Matt Fleming
2016-11-13 9:06 ` [tip:efi/core] efi/arm*/libstub: " tip-bot for Ard Biesheuvel
2016-11-12 21:32 ` [PATCH 7/9] efi: Allow bitness-agnostic protocol calls Matt Fleming
2016-11-13 9:07 ` [tip:efi/core] " tip-bot for Lukas Wunner
2016-11-12 21:32 ` [PATCH 8/9] x86/efi: Retrieve and assign Apple device properties Matt Fleming
2016-11-13 9:08 ` [tip:efi/core] " tip-bot for Lukas Wunner
2016-11-12 21:32 ` [PATCH 9/9] thunderbolt: Use Device ROM retrieved from EFI Matt Fleming
2016-11-13 9:08 ` [tip:efi/core] " tip-bot for Lukas Wunner