Re: [PATCH] hw/arm: add control knob to disable kaslr_seed via DTB

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Jerome Forissier <jerome@forissier.org>
To: "Ilias Apalodimas" <ilias.apalodimas@linaro.org>,
	"Alex Bennée" <alex.bennee@linaro.org>
Cc: Peter Maydell <peter.maydell@linaro.org>,
	qemu-arm@nongnu.org, qemu-devel@nongnu.org
Subject: Re: [PATCH] hw/arm: add control knob to disable kaslr_seed via DTB
Date: Wed, 15 Dec 2021 14:19:34 +0100	[thread overview]
Message-ID: <aa48cfca-3db1-2bfc-100f-ae1c1e83f0ef@forissier.org> (raw)
In-Reply-To: <CAC_iWjL6x+qPmWSeeV1QWg=8X5XmXVaCJb99==_1uoyQsOps_w@mail.gmail.com>



On 12/15/21 14:15, Ilias Apalodimas wrote:
> Hi Alex,
> 
> On Wed, 15 Dec 2021 at 14:09, Alex Bennée <alex.bennee@linaro.org> wrote:
>>
>> Generally a guest needs an external source of randomness to properly
>> enable things like address space randomisation. However in a trusted
>> boot environment where the firmware will cryptographically verify
>> components having random data in the DTB will cause verification to
>> fail. Add a control knob so we can prevent this being added to the
>> system DTB.
>>
>> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
>> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
>> Cc: Jerome Forissier <jerome@forissier.org>
>> ---
>>  docs/system/arm/virt.rst |  7 +++++++
>>  include/hw/arm/virt.h    |  1 +
>>  hw/arm/virt.c            | 32 ++++++++++++++++++++++++++++++--
>>  3 files changed, 38 insertions(+), 2 deletions(-)
>>
>> diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst
>> index 850787495b..c86a4808df 100644
>> --- a/docs/system/arm/virt.rst
>> +++ b/docs/system/arm/virt.rst
>> @@ -121,6 +121,13 @@ ras
>>    Set ``on``/``off`` to enable/disable reporting host memory errors to a guest
>>    using ACPI and guest external abort exceptions. The default is off.
>>
>> +kaslr-dtb-seed
>> +  Set ``on``/``off`` to pass a random seed via the guest dtb to use for features
>> +  like address space randomisation. The default is ``on``. You will want
>> +  to disable it if your trusted boot chain will verify the DTB it is
>> +  passed. It would be the responsibility of the firmware to come up
>> +  with a seed and pass it on if it wants to.
>> +
>>  Linux guest kernel configuration
>>  """"""""""""""""""""""""""""""""
>>
>> diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
>> index dc6b66ffc8..acd0665fe7 100644
>> --- a/include/hw/arm/virt.h
>> +++ b/include/hw/arm/virt.h
>> @@ -148,6 +148,7 @@ struct VirtMachineState {
>>      bool virt;
>>      bool ras;
>>      bool mte;
>> +    bool kaslr_dtb_seed;
>>      OnOffAuto acpi;
>>      VirtGICType gic_version;
>>      VirtIOMMUType iommu;
>> diff --git a/hw/arm/virt.c b/hw/arm/virt.c
>> index 30da05dfe0..4496612e89 100644
>> --- a/hw/arm/virt.c
>> +++ b/hw/arm/virt.c
>> @@ -248,11 +248,15 @@ static void create_fdt(VirtMachineState *vms)
>>
>>      /* /chosen must exist for load_dtb to fill in necessary properties later */
>>      qemu_fdt_add_subnode(fdt, "/chosen");
>> -    create_kaslr_seed(ms, "/chosen");
>> +    if (vms->kaslr_dtb_seed) {
>> +        create_kaslr_seed(ms, "/chosen");
>> +    }
>>
>>      if (vms->secure) {
>>          qemu_fdt_add_subnode(fdt, "/secure-chosen");
>> -        create_kaslr_seed(ms, "/secure-chosen");
>> +        if (vms->kaslr_dtb_seed) {
>> +            create_kaslr_seed(ms, "/secure-chosen");
>> +        }
>>      }
>>
>>      /* Clock node, for the benefit of the UART. The kernel device tree
>> @@ -2236,6 +2240,20 @@ static void virt_set_its(Object *obj, bool value, Error **errp)
>>      vms->its = value;
>>  }
>>
>> +static bool virt_get_kaslr_dtb_seed(Object *obj, Error **errp)
>> +{
>> +    VirtMachineState *vms = VIRT_MACHINE(obj);
>> +
>> +    return vms->kaslr_dtb_seed;
>> +}
>> +
>> +static void virt_set_kaslr_dtb_seed(Object *obj, bool value, Error **errp)
>> +{
>> +    VirtMachineState *vms = VIRT_MACHINE(obj);
>> +
>> +    vms->kaslr_dtb_seed = value;
>> +}
>> +
>>  static char *virt_get_oem_id(Object *obj, Error **errp)
>>  {
>>      VirtMachineState *vms = VIRT_MACHINE(obj);
>> @@ -2765,6 +2783,13 @@ static void virt_machine_class_init(ObjectClass *oc, void *data)
>>                                            "Set on/off to enable/disable "
>>                                            "ITS instantiation");
>>
>> +    object_class_property_add_bool(oc, "kaslr-dtb-seed",
>> +                                   virt_get_kaslr_dtb_seed,
>> +                                   virt_set_kaslr_dtb_seed);
>> +    object_class_property_set_description(oc, "kaslr-dtb-seed",
>> +                                          "Set off to disable passing of kaslr "
>> +                                          "dtb node to guest");
>> +
>>      object_class_property_add_str(oc, "x-oem-id",
>>                                    virt_get_oem_id,
>>                                    virt_set_oem_id);
>> @@ -2829,6 +2854,9 @@ static void virt_instance_init(Object *obj)
>>      /* MTE is disabled by default.  */
>>      vms->mte = false;
>>
>> +    /* Supply a kaslr-seed by default */
>> +    vms->kaslr_dtb_seed = true;
>> +
>>      vms->irqmap = a15irqmap;
>>
>>      virt_flash_create(vms);
>> --
>> 2.30.2
>>
> 
> This is particularly useful if the bootloader uses a TPM to measures
> the DTB and end up with a measured boot flow.
> 
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> 

Fine with me too. FWIW:

Acked-by: Jerome Forissier <jerome@forissier.org>

next prev parent reply	other threads:[~2021-12-15 14:17 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-12-15 12:09 [PATCH] hw/arm: add control knob to disable kaslr_seed via DTB Alex Bennée
2021-12-15 13:15 ` Ilias Apalodimas
2021-12-15 13:19   ` Jerome Forissier [this message]
2021-12-15 13:36 ` Peter Maydell
2021-12-15 13:43   ` Ilias Apalodimas
2021-12-16 17:10 ` Heinrich Schuchardt

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aa48cfca-3db1-2bfc-100f-ae1c1e83f0ef@forissier.org \
    --to=jerome@forissier.org \
    --cc=alex.bennee@linaro.org \
    --cc=ilias.apalodimas@linaro.org \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-arm@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).