[PATCH 2/3] fdt: kaslr seed from tpm entropy

[seanedmond@linux.microsoft.com]

From: Dhananjay Phadke <dphadke@linux.microsoft.com>

Add support for KASLR seed from TPM device. Invokes tpm_get_random()
API to read 8-bytes of random bytes for KASLR.

Signed-off-by: Dhananjay Phadke <dphadke@linux.microsoft.com>
Signed-off-by: Drew Kluemke <ankluemk@microsoft.com>
Signed-off-by: Sean Edmond <seanedmond@microsoft.com>
---
 boot/image-fdt.c      |  3 +++
 common/fdt_support.c  | 39 ++++++++++++++++++++++++++++++++++++++-
 include/fdt_support.h |  1 +
 lib/Kconfig           |  9 +++++++++
 4 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/boot/image-fdt.c b/boot/image-fdt.c
index f10200f647..127443963e 100644
--- a/boot/image-fdt.c
+++ b/boot/image-fdt.c
@@ -624,6 +624,9 @@ int image_setup_libfdt(struct bootm_headers *images, void *blob,
 		goto err;
 	}
 
+	if (IS_ENABLED(CONFIG_KASLR_TPM_SEED))
+		fdt_tpm_kaslr_seed(blob);
+
 	fdt_ret = optee_copy_fdt_nodes(blob);
 	if (fdt_ret) {
 		printf("ERROR: transfer of optee nodes to new fdt failed: %s\n",
diff --git a/common/fdt_support.c b/common/fdt_support.c
index 35d4f26dbd..1ac33355a0 100644
--- a/common/fdt_support.c
+++ b/common/fdt_support.c
@@ -13,6 +13,10 @@
 #include <mapmem.h>
 #include <net.h>
 #include <stdio_dev.h>
+#include <tpm-v1.h>
+#include <tpm-v2.h>
+#include <dm/device.h>
+#include <dm/uclass.h>
 #include <dm/ofnode.h>
 #include <linux/ctype.h>
 #include <linux/types.h>
@@ -632,7 +636,7 @@ void fdt_fixup_ethernet(void *fdt)
 }
 
 /*
- * fdt_fix_kaslr_seed - Add kalsr-seed node in Device tree
+ * fdt_fixup_kaslr_seed - Add kaslr-seed node in Device tree
  * @fdt:		Device tree
  * @eret:		0 for success
  */
@@ -662,6 +666,39 @@ int fdt_fixup_kaslr_seed(void *fdt, const u8 *seed, int len)
 	return 0;
 }
 
+/*
+ * fdt_add_tpm_kaslr_seed - Add kalsr-seed node in Device tree with random
+ *			    bytes from TPM device
+ * @fdt:		Device tree
+ * @eret:		0 for success
+ */
+int fdt_tpm_kaslr_seed(void *fdt)
+{
+	u8 rand[8] = {0};
+	struct udevice *dev;
+	int ret;
+
+	ret = uclass_get_device(UCLASS_TPM, 0, &dev);
+	if (ret) {
+		printf("ERROR: Failed to find TPM device\n");
+		return ret;
+	}
+
+	ret = tpm_get_random(dev, rand, sizeof(rand));
+	if (ret) {
+		printf("ERROR: TPM GetRandom failed, ret=%d\n", ret);
+		return ret;
+	}
+
+	ret = fdt_fixup_kaslr_seed(fdt, rand, sizeof(rand));
+	if (ret) {
+		printf("ERROR: failed to add kaslr-seed to fdt\n");
+		return ret;
+	}
+
+	return 0;
+}
+
 int fdt_record_loadable(void *blob, u32 index, const char *name,
 			uintptr_t load_addr, u32 size, uintptr_t entry_point,
 			const char *type, const char *os, const char *arch)
diff --git a/include/fdt_support.h b/include/fdt_support.h
index d74ef4e0a7..9e50db1b96 100644
--- a/include/fdt_support.h
+++ b/include/fdt_support.h
@@ -123,6 +123,7 @@ static inline int fdt_fixup_memory_banks(void *blob, u64 start[], u64 size[],
 void fdt_fixup_ethernet(void *fdt);
 
 int fdt_fixup_kaslr_seed(void *fdt, const u8 *seed, int len);
+int fdt_tpm_kaslr_seed(void *fdt);
 
 int fdt_find_and_setprop(void *fdt, const char *node, const char *prop,
 			 const void *val, int len, int create);
diff --git a/lib/Kconfig b/lib/Kconfig
index 3926652db6..1530ef7c86 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -465,6 +465,15 @@ config VPL_TPM
 	  for the low-level TPM interface, but only one TPM is supported at
 	  a time by the TPM library.
 
+config KASLR_TPM_SEED
+	bool "Use TPM for KASLR random seed"
+	depends on TPM_V1 || TPM_V2
+	help
+	  This enables support for using TPMs as entropy source for KASLR seed
+	  populated in kernel's device tree. Both TPMv1 and TPMv2 are supported
+	  for the low-level TPM interface, but only one TPM is supported at
+	  a time by the library.
+
 endmenu
 
 menu "Android Verified Boot"
-- 
2.40.0