From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: "Alex Bennée" <alex.bennee@linaro.org>
Cc: Peter Maydell <peter.maydell@linaro.org>,
qemu-arm@nongnu.org, Jerome Forissier <jerome@forissier.org>,
qemu-devel@nongnu.org
Subject: Re: [PATCH] hw/arm: add control knob to disable kaslr_seed via DTB
Date: Wed, 15 Dec 2021 15:15:22 +0200 [thread overview]
Message-ID: <CAC_iWjL6x+qPmWSeeV1QWg=8X5XmXVaCJb99==_1uoyQsOps_w@mail.gmail.com> (raw)
In-Reply-To: <20211215120926.1696302-1-alex.bennee@linaro.org>
Hi Alex,
On Wed, 15 Dec 2021 at 14:09, Alex Bennée <alex.bennee@linaro.org> wrote:
>
> Generally a guest needs an external source of randomness to properly
> enable things like address space randomisation. However in a trusted
> boot environment where the firmware will cryptographically verify
> components having random data in the DTB will cause verification to
> fail. Add a control knob so we can prevent this being added to the
> system DTB.
>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> Cc: Jerome Forissier <jerome@forissier.org>
> ---
> docs/system/arm/virt.rst | 7 +++++++
> include/hw/arm/virt.h | 1 +
> hw/arm/virt.c | 32 ++++++++++++++++++++++++++++++--
> 3 files changed, 38 insertions(+), 2 deletions(-)
>
> diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst
> index 850787495b..c86a4808df 100644
> --- a/docs/system/arm/virt.rst
> +++ b/docs/system/arm/virt.rst
> @@ -121,6 +121,13 @@ ras
> Set ``on``/``off`` to enable/disable reporting host memory errors to a guest
> using ACPI and guest external abort exceptions. The default is off.
>
> +kaslr-dtb-seed
> + Set ``on``/``off`` to pass a random seed via the guest dtb to use for features
> + like address space randomisation. The default is ``on``. You will want
> + to disable it if your trusted boot chain will verify the DTB it is
> + passed. It would be the responsibility of the firmware to come up
> + with a seed and pass it on if it wants to.
> +
> Linux guest kernel configuration
> """"""""""""""""""""""""""""""""
>
> diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
> index dc6b66ffc8..acd0665fe7 100644
> --- a/include/hw/arm/virt.h
> +++ b/include/hw/arm/virt.h
> @@ -148,6 +148,7 @@ struct VirtMachineState {
> bool virt;
> bool ras;
> bool mte;
> + bool kaslr_dtb_seed;
> OnOffAuto acpi;
> VirtGICType gic_version;
> VirtIOMMUType iommu;
> diff --git a/hw/arm/virt.c b/hw/arm/virt.c
> index 30da05dfe0..4496612e89 100644
> --- a/hw/arm/virt.c
> +++ b/hw/arm/virt.c
> @@ -248,11 +248,15 @@ static void create_fdt(VirtMachineState *vms)
>
> /* /chosen must exist for load_dtb to fill in necessary properties later */
> qemu_fdt_add_subnode(fdt, "/chosen");
> - create_kaslr_seed(ms, "/chosen");
> + if (vms->kaslr_dtb_seed) {
> + create_kaslr_seed(ms, "/chosen");
> + }
>
> if (vms->secure) {
> qemu_fdt_add_subnode(fdt, "/secure-chosen");
> - create_kaslr_seed(ms, "/secure-chosen");
> + if (vms->kaslr_dtb_seed) {
> + create_kaslr_seed(ms, "/secure-chosen");
> + }
> }
>
> /* Clock node, for the benefit of the UART. The kernel device tree
> @@ -2236,6 +2240,20 @@ static void virt_set_its(Object *obj, bool value, Error **errp)
> vms->its = value;
> }
>
> +static bool virt_get_kaslr_dtb_seed(Object *obj, Error **errp)
> +{
> + VirtMachineState *vms = VIRT_MACHINE(obj);
> +
> + return vms->kaslr_dtb_seed;
> +}
> +
> +static void virt_set_kaslr_dtb_seed(Object *obj, bool value, Error **errp)
> +{
> + VirtMachineState *vms = VIRT_MACHINE(obj);
> +
> + vms->kaslr_dtb_seed = value;
> +}
> +
> static char *virt_get_oem_id(Object *obj, Error **errp)
> {
> VirtMachineState *vms = VIRT_MACHINE(obj);
> @@ -2765,6 +2783,13 @@ static void virt_machine_class_init(ObjectClass *oc, void *data)
> "Set on/off to enable/disable "
> "ITS instantiation");
>
> + object_class_property_add_bool(oc, "kaslr-dtb-seed",
> + virt_get_kaslr_dtb_seed,
> + virt_set_kaslr_dtb_seed);
> + object_class_property_set_description(oc, "kaslr-dtb-seed",
> + "Set off to disable passing of kaslr "
> + "dtb node to guest");
> +
> object_class_property_add_str(oc, "x-oem-id",
> virt_get_oem_id,
> virt_set_oem_id);
> @@ -2829,6 +2854,9 @@ static void virt_instance_init(Object *obj)
> /* MTE is disabled by default. */
> vms->mte = false;
>
> + /* Supply a kaslr-seed by default */
> + vms->kaslr_dtb_seed = true;
> +
> vms->irqmap = a15irqmap;
>
> virt_flash_create(vms);
> --
> 2.30.2
>
This is particularly useful if the bootloader uses a TPM to measures
the DTB and end up with a measured boot flow.
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
next prev parent reply other threads:[~2021-12-15 13:44 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-15 12:09 [PATCH] hw/arm: add control knob to disable kaslr_seed via DTB Alex Bennée
2021-12-15 13:15 ` Ilias Apalodimas [this message]
2021-12-15 13:19 ` Jerome Forissier
2021-12-15 13:36 ` Peter Maydell
2021-12-15 13:43 ` Ilias Apalodimas
2021-12-16 17:10 ` Heinrich Schuchardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAC_iWjL6x+qPmWSeeV1QWg=8X5XmXVaCJb99==_1uoyQsOps_w@mail.gmail.com' \
--to=ilias.apalodimas@linaro.org \
--cc=alex.bennee@linaro.org \
--cc=jerome@forissier.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).