[U-Boot] Does U-boot support ASLR?

[Jason Markley <jamarkle@cisco.com>]

On 2/9/12 2:28 PM, Scott Wood wrote:
> On 02/09/2012 12:58 PM, Mike Frysinger wrote:
>> On Thursday 09 February 2012 13:37:15 Jason Markley wrote:
>>
>> please don't top post, and keep the mailing list in cc
>>
>>> I agree any proposal would need to be accompanied by good reasoning.
>>> I'm honestly a little confused as to why a generally accepted security
>>> feature such as ASLR would NOT be useful for u-boot.  U-boot has the
>>> capability to interact with the outside world via the network as well as
>>> the console.  When using the U-boot API, it also remains resident in
>>> memory.  Wouldn't something like ASLR enhance the security posture of
>>> U-boot in those situations?
>> u-boot is running in supervisor mode / ring 0 / etc...  you have full access 
>> to the hardware with a simple `mw` command.  randomizing the address base of 
>> u-boot doesn't gain you anything.  so no, i see no advantage of u-boot itself 
>> utilizing ASLR regardless of what it interacts with.
> This assumes that the full command line interface is enabled, and is the
> mechanism of interaction in question.  It doesn't apply to interactions
> over the network, special serial protocols, etc.
Agree with Scott.  A board that wanted to use ASLR for U-boot would
probably also want to restrict the cmd set available to the user.
>
>> ignoring this, there are two fundamental issues with ASLR:
>>  - this early on, u-boot has very little (if no) entropy, so any attempts to 
>> generate random numbers are going to be fairly predictable
> This doesn't apply if there's a hardware random number generator -- and
> even poor entropy is more effort to guess than a fixed address.
Totally agree.
>
>>  - scripts that u-boot runs at boot time often times need a chunk of memory to 
>> load and boot stuff out of.  if u-boot could randomly be in the middle of that, 
>> then your board now randomly fails to boot.  the only way around that would be 
>> to have u-boot do virtual addresses, and that's clearly a non-starter.
> You'd just need to document which areas U-Boot could be in, and which
> areas are free for user use.
>
> It probably doesn't make sense as default behavior, but I could see it
> being useful in some situations.
>
> -Scott
>
Exactly.  There would be a range of memory that U-boot could be in, but
you would still be able to have a large chunk of space for scripts to
load and boot from.  Depending on how much memory a particular board
has, the 'chunk' required could be small in comparison to the available
memory.  Agree, that if the board has little to no 'available' memory to
randomize because it needs all it's available memory for loading an OS,
that ASLR on such a platform doesn't make sense, but who's to say it
wouldn't be useful for other boards?

-Jason