From: Andrew Jones <drjones@redhat.com>
To: "Alex Bennée" <alex.bennee@linaro.org>
Cc: fam@euphon.net, Peter Maydell <peter.maydell@linaro.org>,
	berrange@redhat.com, Heinrich Schuchardt <xypron.glpk@gmx.de>,
	Ilias Apalodimas <ilias.apalodimas@linaro.org>,
	qemu-devel@nongnu.org, f4bug@amsat.org, pbonzini@redhat.com,
	aurelien@aurel32.net, stefanha@redhat.com, crosa@redhat.com,
	Jerome Forissier <jerome@forissier.org>,
	"open list:Virt" <qemu-arm@nongnu.org>
Subject: Re: [PATCH v1 21/34] hw/arm: add control knob to disable kaslr_seed via DTB
Date: Wed, 5 Jan 2022 15:49:13 +0100
Message-ID: <20220105144913.2nitpxzmdyucgr7g@gator>
In-Reply-To: <20220105135009.1584676-22-alex.bennee@linaro.org>

On Wed, Jan 05, 2022 at 01:49:56PM +0000, Alex Bennée wrote:
> Generally a guest needs an external source of randomness to properly
> enable things like address space randomisation. However in a trusted
> boot environment where the firmware will cryptographically verify
> components having random data in the DTB will cause verification to
> fail. Add a control knob so we can prevent this being added to the
> system DTB.
> 
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> Acked-by: Jerome Forissier <jerome@forissier.org>
> Message-Id: <20211215120926.1696302-1-alex.bennee@linaro.org>
> ---
>  docs/system/arm/virt.rst |  7 +++++++
>  include/hw/arm/virt.h    |  1 +
>  hw/arm/virt.c            | 32 ++++++++++++++++++++++++++++++--
>  3 files changed, 38 insertions(+), 2 deletions(-)
> 
> diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst
> index 850787495b..c86a4808df 100644
> --- a/docs/system/arm/virt.rst
> +++ b/docs/system/arm/virt.rst
> @@ -121,6 +121,13 @@ ras
>    Set ``on``/``off`` to enable/disable reporting host memory errors to a guest
>    using ACPI and guest external abort exceptions. The default is off.
>  
> +kaslr-dtb-seed
> +  Set ``on``/``off`` to pass a random seed via the guest dtb to use for features
> +  like address space randomisation. The default is ``on``. You will want
> +  to disable it if your trusted boot chain will verify the DTB it is
> +  passed. It would be the responsibility of the firmware to come up
> +  with a seed and pass it on if it wants to.
> +
>  Linux guest kernel configuration
>  """"""""""""""""""""""""""""""""
>  
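
Review bot: The kaslr-dtb-seed entry says the seed is passed "via the guest dtb" but does not say which nodes are affected, while the create_fdt() change in this patch gates the seed in both /chosen and /secure-chosen. Suggest naming both nodes here, and stating plainly that with ``off`` the guest receives no seed from the DTB unless the firmware inserts one, since "if it wants to" leaves the consequence for address space randomisation implicit.
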
> diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
> index dc6b66ffc8..acd0665fe7 100644
> --- a/include/hw/arm/virt.h
> +++ b/include/hw/arm/virt.h
> @@ -148,6 +148,7 @@ struct VirtMachineState {
>      bool virt;
>      bool ras;
>      bool mte;
> +    bool kaslr_dtb_seed;
>      OnOffAuto acpi;
>      VirtGICType gic_version;
>      VirtIOMMUType iommu;
> diff --git a/hw/arm/virt.c b/hw/arm/virt.c
> index 6bce595aba..1781e47c76 100644
> --- a/hw/arm/virt.c
> +++ b/hw/arm/virt.c
> @@ -247,11 +247,15 @@ static void create_fdt(VirtMachineState *vms)
>  
>      /* /chosen must exist for load_dtb to fill in necessary properties later */
>      qemu_fdt_add_subnode(fdt, "/chosen");
> -    create_kaslr_seed(ms, "/chosen");
> +    if (vms->kaslr_dtb_seed) {
> +        create_kaslr_seed(ms, "/chosen");
> +    }
>  
>      if (vms->secure) {
>          qemu_fdt_add_subnode(fdt, "/secure-chosen");
> -        create_kaslr_seed(ms, "/secure-chosen");
> +        if (vms->kaslr_dtb_seed) {
> +            create_kaslr_seed(ms, "/secure-chosen");
> +        }
>      }
>  
>      /* Clock node, for the benefit of the UART. The kernel device tree
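
Review bot: In create_fdt() the single kaslr_dtb_seed flag removes the seed from both /chosen and /secure-chosen, and neither the commit message nor a comment at the two `if (vms->kaslr_dtb_seed)` checks says that coupling is intended. If the verified DTB is only one of the two consumers, the other loses its randomness source for no gain. Suggest a one-line comment above the first check stating that both nodes are deliberately controlled together, or the reason a separate control for /secure-chosen is not needed.
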
> @@ -2235,6 +2239,20 @@ static void virt_set_its(Object *obj, bool value, Error **errp)
>      vms->its = value;
>  }
>  
> +static bool virt_get_kaslr_dtb_seed(Object *obj, Error **errp)
> +{
> +    VirtMachineState *vms = VIRT_MACHINE(obj);
> +
> +    return vms->kaslr_dtb_seed;
> +}
> +
> +static void virt_set_kaslr_dtb_seed(Object *obj, bool value, Error **errp)
> +{
> +    VirtMachineState *vms = VIRT_MACHINE(obj);
> +
> +    vms->kaslr_dtb_seed = value;
> +}
> +
>  static char *virt_get_oem_id(Object *obj, Error **errp)
>  {
>      VirtMachineState *vms = VIRT_MACHINE(obj);
> @@ -2764,6 +2782,13 @@ static void virt_machine_class_init(ObjectClass *oc, void *data)
>                                            "Set on/off to enable/disable "
>                                            "ITS instantiation");
>  
> +    object_class_property_add_bool(oc, "kaslr-dtb-seed",
> +                                   virt_get_kaslr_dtb_seed,
> +                                   virt_set_kaslr_dtb_seed);
> +    object_class_property_set_description(oc, "kaslr-dtb-seed",
> +                                          "Set off to disable passing of kaslr "
> +                                          "dtb node to guest");
> +
>      object_class_property_add_str(oc, "x-oem-id",
>                                    virt_get_oem_id,
>                                    virt_set_oem_id);
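
Review bot: The property description "Set off to disable passing of kaslr dtb node to guest" calls the seed a node, but create_fdt() adds it inside the existing /chosen and /secure-chosen nodes, and unlike the virt.rst text the string does not mention the default. Suggest following the "Set on/off to enable/disable" form of the ITS description just above, for example "Set on/off to enable/disable passing a random kaslr seed in the dtb /chosen and /secure-chosen nodes (default on)".
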
> @@ -2828,6 +2853,9 @@ static void virt_instance_init(Object *obj)
>      /* MTE is disabled by default.  */
>      vms->mte = false;
>  
> +    /* Supply a kaslr-seed by default */
> +    vms->kaslr_dtb_seed = true;
> +
>      vms->irqmap = a15irqmap;
>  
>      virt_flash_create(vms);
> -- 
> 2.30.2
> 
>

Reviewed-by: Andrew Jones <drjones@redhat.com>


