From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 091F6C83F12 for ; Tue, 29 Aug 2023 20:37:50 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 8EBF48654E; Tue, 29 Aug 2023 22:37:20 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (1024-bit key; unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="DbslzxCt"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 380CF86510; Tue, 29 Aug 2023 22:37:17 +0200 (CEST) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by phobos.denx.de (Postfix) with ESMTP id 4659A864EC for ; Tue, 29 Aug 2023 22:37:12 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=seanedmond@linux.microsoft.com Received: from ovlvm106.redmond.corp.microsoft.com (unknown [131.107.147.185]) by linux.microsoft.com (Postfix) with ESMTPSA id 884F52129BE6; Tue, 29 Aug 2023 13:37:11 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 884F52129BE6 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1693341431; bh=p96aupymbwIcZ15B6g7kBrnwTQpv+zzmONQrlCn2MUA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DbslzxCtR2RDbaAm4dEdF3pea3krm//gRf5+H7tDdFrtCR5Qhu/OfhxJxylMJvSRG Hkl+aYzfgTktMI/KAexY2l3t8ayupD8SdrTNOORILkuRlzx4oWzpm257OsgmFRLr7y lpgmySMurKKhAjA48qzmqybFtbHunkXGYIlmGYCw= From: seanedmond@linux.microsoft.com To: u-boot@lists.denx.de Cc: dphadke@linux.microsoft.com, macromorgan@hotmail.com, sjg@chromium.org Subject: [PATCH v2 2/4] fdt: kaslr seed from tpm entropy Date: Tue, 29 Aug 2023 13:37:08 -0700 Message-Id: <20230829203710.84201-3-seanedmond@linux.microsoft.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20230829203710.84201-1-seanedmond@linux.microsoft.com> References: <20230829203710.84201-1-seanedmond@linux.microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean From: Dhananjay Phadke Add support for KASLR seed from TPM device. Invokes tpm_get_random() API to read 8-bytes of random bytes for KASLR. Signed-off-by: Dhananjay Phadke Signed-off-by: Drew Kluemke Signed-off-by: Sean Edmond --- boot/image-fdt.c | 15 +++++++++++++++ common/fdt_support.c | 30 ++++++++++++++++++++++++++++++ include/fdt_support.h | 8 ++++++++ lib/Kconfig | 9 +++++++++ 4 files changed, 62 insertions(+) diff --git a/boot/image-fdt.c b/boot/image-fdt.c index f10200f647..ed38ed77b9 100644 --- a/boot/image-fdt.c +++ b/boot/image-fdt.c @@ -624,6 +624,21 @@ int image_setup_libfdt(struct bootm_headers *images, void *blob, goto err; } + if (IS_ENABLED(CONFIG_KASLR_TPM_SEED)) { + ofnode root; + + ret = root_ofnode_from_fdt(blob, &root); + if (ret) { + printf("ERROR: Unable to get root ofnode\n"); + goto err; + } + ret = fdt_tpm_kaslr_seed(root); + if (ret) { + printf("ERROR: fdt fixup KASLR failed: %d\n", ret); + goto err; + } + } + fdt_ret = optee_copy_fdt_nodes(blob); if (fdt_ret) { printf("ERROR: transfer of optee nodes to new fdt failed: %s\n", diff --git a/common/fdt_support.c b/common/fdt_support.c index 52be4375b4..d338fcde54 100644 --- a/common/fdt_support.c +++ b/common/fdt_support.c @@ -13,6 +13,9 @@ #include #include #include +#include +#include +#include #include #include #include @@ -650,6 +653,33 @@ int fdt_fixup_kaslr_seed(ofnode node, const u8 *seed, int len) return 0; } +int fdt_tpm_kaslr_seed(ofnode node) +{ + u8 rand[8] = {0}; + struct udevice *dev; + int ret; + + ret = uclass_first_device_err(UCLASS_TPM, &dev); + if (ret) { + printf("ERROR: Failed to find TPM device\n"); + return ret; + } + + ret = tpm_get_random(dev, rand, sizeof(rand)); + if (ret) { + printf("ERROR: TPM GetRandom failed, ret=%d\n", ret); + return ret; + } + + ret = fdt_fixup_kaslr_seed(node, rand, sizeof(rand)); + if (ret) { + printf("ERROR: failed to add kaslr-seed to fdt\n"); + return ret; + } + + return 0; +} + int fdt_record_loadable(void *blob, u32 index, const char *name, uintptr_t load_addr, u32 size, uintptr_t entry_point, const char *type, const char *os, const char *arch) diff --git a/include/fdt_support.h b/include/fdt_support.h index d967118bed..117ca14ca5 100644 --- a/include/fdt_support.h +++ b/include/fdt_support.h @@ -130,6 +130,14 @@ void fdt_fixup_ethernet(void *fdt); */ int fdt_fixup_kaslr_seed(ofnode node, const u8 *seed, int len); +/* + * fdt_add_tpm_kaslr_seed - Add kalsr-seed node in Device tree with random + * bytes from TPM device + * @node: ofnode + * @eret: 0 for success + */ +int fdt_tpm_kaslr_seed(ofnode node); + int fdt_find_and_setprop(void *fdt, const char *node, const char *prop, const void *val, int len, int create); void fdt_fixup_qe_firmware(void *fdt); diff --git a/lib/Kconfig b/lib/Kconfig index 3926652db6..1530ef7c86 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -465,6 +465,15 @@ config VPL_TPM for the low-level TPM interface, but only one TPM is supported at a time by the TPM library. +config KASLR_TPM_SEED + bool "Use TPM for KASLR random seed" + depends on TPM_V1 || TPM_V2 + help + This enables support for using TPMs as entropy source for KASLR seed + populated in kernel's device tree. Both TPMv1 and TPMv2 are supported + for the low-level TPM interface, but only one TPM is supported at + a time by the library. + endmenu menu "Android Verified Boot" -- 2.40.0