From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 09A35C001DB for ; Fri, 4 Aug 2023 23:34:40 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 323C4866C0; Sat, 5 Aug 2023 01:34:11 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="TqnTxIH1"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 3C24E8660E; Sat, 5 Aug 2023 01:34:09 +0200 (CEST) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by phobos.denx.de (Postfix) with ESMTP id 2A2A9865DF for ; Sat, 5 Aug 2023 01:34:05 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=seanedmond@linux.microsoft.com Received: from ovlvm106.redmond.corp.microsoft.com (unknown [131.107.147.185]) by linux.microsoft.com (Postfix) with ESMTPSA id B3AC220861EF; Fri, 4 Aug 2023 16:34:03 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com B3AC220861EF DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1691192043; bh=AF+EZXs/Gb1RckBO2eIHrHZ6QG1rXLoxN395SfE+GhE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TqnTxIH18nENPIkORZbN1OlsbnOlP608QUHHrcemc+DV8FTxMCxyTytn8RdA/1wCw K76sWzSQgsIHbC0/ZjC/esO5A+ITMZglWEUsEdNVWphxdoeqvvKK67doUyC2gORjxX OcTNpmpOlLb+9ZIz7PoO6U+vRngHCI2gWsgv7pok= From: seanedmond@linux.microsoft.com To: u-boot@lists.denx.de Cc: dphadke@linux.microsoft.com, macromorgan@hotmail.com, sjg@chromium.org Subject: [PATCH 2/3] fdt: kaslr seed from tpm entropy Date: Fri, 4 Aug 2023 16:33:56 -0700 Message-Id: <20230804233357.65214-3-seanedmond@linux.microsoft.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20230804233357.65214-1-seanedmond@linux.microsoft.com> References: <20230804233357.65214-1-seanedmond@linux.microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean From: Dhananjay Phadke Add support for KASLR seed from TPM device. Invokes tpm_get_random() API to read 8-bytes of random bytes for KASLR. Signed-off-by: Dhananjay Phadke Signed-off-by: Drew Kluemke Signed-off-by: Sean Edmond --- boot/image-fdt.c | 3 +++ common/fdt_support.c | 39 ++++++++++++++++++++++++++++++++++++++- include/fdt_support.h | 1 + lib/Kconfig | 9 +++++++++ 4 files changed, 51 insertions(+), 1 deletion(-) diff --git a/boot/image-fdt.c b/boot/image-fdt.c index f10200f647..127443963e 100644 --- a/boot/image-fdt.c +++ b/boot/image-fdt.c @@ -624,6 +624,9 @@ int image_setup_libfdt(struct bootm_headers *images, void *blob, goto err; } + if (IS_ENABLED(CONFIG_KASLR_TPM_SEED)) + fdt_tpm_kaslr_seed(blob); + fdt_ret = optee_copy_fdt_nodes(blob); if (fdt_ret) { printf("ERROR: transfer of optee nodes to new fdt failed: %s\n", diff --git a/common/fdt_support.c b/common/fdt_support.c index 35d4f26dbd..1ac33355a0 100644 --- a/common/fdt_support.c +++ b/common/fdt_support.c @@ -13,6 +13,10 @@ #include #include #include +#include +#include +#include +#include #include #include #include @@ -632,7 +636,7 @@ void fdt_fixup_ethernet(void *fdt) } /* - * fdt_fix_kaslr_seed - Add kalsr-seed node in Device tree + * fdt_fixup_kaslr_seed - Add kaslr-seed node in Device tree * @fdt: Device tree * @eret: 0 for success */ @@ -662,6 +666,39 @@ int fdt_fixup_kaslr_seed(void *fdt, const u8 *seed, int len) return 0; } +/* + * fdt_add_tpm_kaslr_seed - Add kalsr-seed node in Device tree with random + * bytes from TPM device + * @fdt: Device tree + * @eret: 0 for success + */ +int fdt_tpm_kaslr_seed(void *fdt) +{ + u8 rand[8] = {0}; + struct udevice *dev; + int ret; + + ret = uclass_get_device(UCLASS_TPM, 0, &dev); + if (ret) { + printf("ERROR: Failed to find TPM device\n"); + return ret; + } + + ret = tpm_get_random(dev, rand, sizeof(rand)); + if (ret) { + printf("ERROR: TPM GetRandom failed, ret=%d\n", ret); + return ret; + } + + ret = fdt_fixup_kaslr_seed(fdt, rand, sizeof(rand)); + if (ret) { + printf("ERROR: failed to add kaslr-seed to fdt\n"); + return ret; + } + + return 0; +} + int fdt_record_loadable(void *blob, u32 index, const char *name, uintptr_t load_addr, u32 size, uintptr_t entry_point, const char *type, const char *os, const char *arch) diff --git a/include/fdt_support.h b/include/fdt_support.h index d74ef4e0a7..9e50db1b96 100644 --- a/include/fdt_support.h +++ b/include/fdt_support.h @@ -123,6 +123,7 @@ static inline int fdt_fixup_memory_banks(void *blob, u64 start[], u64 size[], void fdt_fixup_ethernet(void *fdt); int fdt_fixup_kaslr_seed(void *fdt, const u8 *seed, int len); +int fdt_tpm_kaslr_seed(void *fdt); int fdt_find_and_setprop(void *fdt, const char *node, const char *prop, const void *val, int len, int create); diff --git a/lib/Kconfig b/lib/Kconfig index 3926652db6..1530ef7c86 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -465,6 +465,15 @@ config VPL_TPM for the low-level TPM interface, but only one TPM is supported at a time by the TPM library. +config KASLR_TPM_SEED + bool "Use TPM for KASLR random seed" + depends on TPM_V1 || TPM_V2 + help + This enables support for using TPMs as entropy source for KASLR seed + populated in kernel's device tree. Both TPMv1 and TPMv2 are supported + for the low-level TPM interface, but only one TPM is supported at + a time by the library. + endmenu menu "Android Verified Boot" -- 2.40.0