ARM-software / ebbr

Embedded Base Boot Requirements Specification
Creative Commons Attribution Share Alike 4.0 International

Support for EFI_RNG_PROTOCOL to provide a random seed for KASLR #31

Closed nullr0ute closed 3 years ago

nullr0ute commented 5 years ago

The UEFI spec allows to provide a random seed to the kernel. Implement the ability to provide a random seed to enable KASLR in the kernel using the UEFI interface. There should be the ability to use a HW entropy source to provide the seed. It might be worthwhile to provide a default software means of generating a random seed but there might be other implications to that.

nullr0ute commented 5 years ago

An upstream U-Boot commit for some NXP processors retrieves a random seed from the secure monitor mode firmware if it supports it and passes it to the kernel via device tree.

http://git.denx.de/?p=u-boot.git;a=commit;h=a797f274d7ae806d84b9ececf71f043ca6c1502a

glikely commented 5 years ago

On 21/11/2018 11:11, Peter Robinson wrote:

An upstream U-Boot commit for some NXP processors retrieves a random seed from the secure monitor mode firmware if it supports it and passes it to the kernel via device tree.

http://git.denx.de/?p=u-boot.git;a=commit;h=a797f274d7ae806d84b9ececf71f043ca6c1502a

That should be easy to wire up to the UEFI random number API (section 36.5 of the UEFI spec).

g.


nullr0ute commented 5 years ago

Completely implementation specific, but the sort of functionality implemented here in OP-TEE could be used as a source of random entropy on devices without a HWRNG: https://lwn.net/Articles/775693/
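The two halves of what the thread describes, wired together as an added example (this is not EBBR, U-Boot or OP-TEE code): a firmware-side EFI_RNG_PROTOCOL implementation that sits on top of a pluggable platform entropy hook (the place a HWRNG, secure-monitor or OP-TEE source would be attached, as in the NXP commit and the LWN article above), and a loader-side routine that asks for a KASLR seed the way an EFI stub does and refuses to use anything when the call fails. Type names, status codes and the RAW algorithm GUID follow the UEFI spec; `hw_entropy_fn`, `g_hw_entropy`, `efi_get_kaslr_seed` and the `scenario_*` helpers are names assumed for this example, and the xorshift fill is a constructed test stand-in, not an entropy source.

```c
/* Added example, not the project's code: a compilable model of the
 * EFI_RNG_PROTOCOL exchange between firmware (provider) and OS loader
 * (consumer). Type names and status values follow the UEFI spec. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint64_t EFI_STATUS;
typedef uint64_t UINTN;
typedef uint8_t  UINT8;
#define EFI_SUCCESS            0ULL
#define EFI_ENCODE_ERROR(n)    ((1ULL << 63) | (n))
#define EFI_INVALID_PARAMETER  EFI_ENCODE_ERROR(2)
#define EFI_UNSUPPORTED        EFI_ENCODE_ERROR(3)
#define EFI_BUFFER_TOO_SMALL   EFI_ENCODE_ERROR(5)
#define EFI_DEVICE_ERROR       EFI_ENCODE_ERROR(7)
#define EFI_ERROR(s)           (((int64_t)(s)) < 0)

typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;
typedef EFI_GUID EFI_RNG_ALGORITHM;

/* EFI_RNG_ALGORITHM_RAW (UEFI spec): unconditioned hardware output. */
static const EFI_RNG_ALGORITHM RNG_ALG_RAW =
    { 0xe43176d7, 0xb6e8, 0x4827, { 0xb7, 0x84, 0x7f, 0xfd, 0xc4, 0xb6, 0x85, 0x61 } };

struct EFI_RNG_PROTOCOL;
typedef EFI_STATUS (*EFI_RNG_GET_INFO)(struct EFI_RNG_PROTOCOL *This,
                                       UINTN *RNGAlgorithmListSize,
                                       EFI_RNG_ALGORITHM *RNGAlgorithmList);
typedef EFI_STATUS (*EFI_RNG_GET_RNG)(struct EFI_RNG_PROTOCOL *This,
                                      EFI_RNG_ALGORITHM *RNGAlgorithm,
                                      UINTN RNGValueLength, UINT8 *RNGValue);
typedef struct EFI_RNG_PROTOCOL {
    EFI_RNG_GET_INFO GetInfo;
    EFI_RNG_GET_RNG  GetRNG;
} EFI_RNG_PROTOCOL;

/* ---- firmware (provider) side ----------------------------------------- */

/* Hypothetical hook to the platform entropy source (HWRNG, secure monitor,
 * OP-TEE ...): returns 0 and fills buf on success, non-zero on failure. */
typedef int (*hw_entropy_fn)(uint8_t *buf, size_t len);
static hw_entropy_fn g_hw_entropy = NULL;

static EFI_STATUS rng_get_info(EFI_RNG_PROTOCOL *This, UINTN *size, EFI_RNG_ALGORITHM *list)
{
    (void)This;
    if (size == NULL) return EFI_INVALID_PARAMETER;
    if (list == NULL || *size < sizeof(EFI_RNG_ALGORITHM)) {
        *size = sizeof(EFI_RNG_ALGORITHM);   /* report the size the caller needs */
        return EFI_BUFFER_TOO_SMALL;
    }
    *size = sizeof(EFI_RNG_ALGORITHM);
    list[0] = RNG_ALG_RAW;                    /* the only algorithm this model offers */
    return EFI_SUCCESS;
}

static EFI_STATUS rng_get_rng(EFI_RNG_PROTOCOL *This, EFI_RNG_ALGORITHM *alg, UINTN len, UINT8 *out)
{
    (void)This;
    if (len == 0 || out == NULL) return EFI_INVALID_PARAMETER;
    /* NULL selects the default algorithm; anything other than RAW is refused. */
    if (alg != NULL && memcmp(alg, &RNG_ALG_RAW, sizeof(*alg)) != 0) return EFI_UNSUPPORTED;
    if (g_hw_entropy == NULL) return EFI_UNSUPPORTED;   /* board has no entropy source */
    if (g_hw_entropy(out, len) != 0) {
        memset(out, 0, len);                  /* never return partially written output */
        return EFI_DEVICE_ERROR;
    }
    return EFI_SUCCESS;
}

static EFI_RNG_PROTOCOL g_rng_protocol = { rng_get_info, rng_get_rng };

/* ---- OS loader (consumer) side ----------------------------------------- */

/* What an EFI stub does before jumping to the kernel. Returns 0 with `seed`
 * filled, or -1 with `seed` zeroed so an error cannot be mistaken for a seed.
 * `rng` is NULL when LocateProtocol found no EFI_RNG_PROTOCOL instance. */
static int efi_get_kaslr_seed(EFI_RNG_PROTOCOL *rng, uint8_t *seed, size_t len)
{
    memset(seed, 0, len);
    if (rng == NULL || len == 0) return -1;
    if (EFI_ERROR(rng->GetRNG(rng, NULL, len, seed))) { memset(seed, 0, len); return -1; }
    /* Added sanity check (not mandated by the spec): an all-zero buffer is far
     * more likely a broken driver than a genuine sample. */
    int nonzero = 0;
    for (size_t i = 0; i < len; i++) nonzero |= seed[i];
    return nonzero ? 0 : -1;
}

/* ---- constructed stand-ins so the example runs offline ----------------- */

/* Deterministic xorshift fill in place of a HWRNG; NOT an entropy source. */
static int fake_hw_ok(uint8_t *buf, size_t len)
{
    uint64_t x = 0x9E3779B97F4A7C15ULL;
    for (size_t i = 0; i < len; i++) { x ^= x << 13; x ^= x >> 7; x ^= x << 17; buf[i] = (uint8_t)x; }
    return 0;
}
static int fake_hw_broken(uint8_t *buf, size_t len) { (void)buf; (void)len; return -1; }

/* Each scenario returns the loader's result code (0 = seed usable, -1 = none). */
static int scenario_seed_ok(void)
{ uint8_t s[16]; g_hw_entropy = fake_hw_ok; return efi_get_kaslr_seed(&g_rng_protocol, s, sizeof s); }
static int scenario_no_hw(void)
{ uint8_t s[16]; g_hw_entropy = NULL; return efi_get_kaslr_seed(&g_rng_protocol, s, sizeof s); }
static int scenario_hw_broken(void)   /* returns 99 if a stale byte leaked into the seed */
{
    uint8_t s[16]; g_hw_entropy = fake_hw_broken;
    int rc = efi_get_kaslr_seed(&g_rng_protocol, s, sizeof s);
    for (size_t i = 0; i < sizeof s; i++) if (s[i]) return 99;
    return rc;
}
static UINTN scenario_info_size(void)   /* size GetInfo reports on a too-small query */
{ UINTN n = 0; rng_get_info(&g_rng_protocol, &n, NULL); return n; }
```

The point the model makes is the one the thread circles around: the protocol is only as good as the source behind `g_hw_entropy`, and a platform without one should answer EFI_UNSUPPORTED rather than fabricate bytes, so the loader can tell "no seed available" apart from "seed obtained" and the kernel falls back to its own behaviour instead of booting with a guessable KASLR offset.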

glikely commented 5 years ago

Should EBBR require EFI_RNG_PROTOCOL to be implemented, or is the upstream UEFI spec language sufficient?

Alternatively, should there be an appendix to EBBR adding additional requirements for secure platforms?

glikely commented 5 years ago

From monthly meeting - RNG is fundamental enough that EBBR should call it out as recommended -- potentially required for "higher level" compliance in the future

xypron commented 4 years ago

The EFI_RNG_PROTOCOL has been implemented in U-Boot but is currently (v2020.10-rc2) only supported on:

Further hardware drivers could be ported from Linux drivers/char/hw_random/*

glikely commented 3 years ago

Discussed at Aug 31st 2020 meeting.

Depends on meta question: do we add security requirements to EBBR? See notes from:

https://github.com/ARM-software/ebbr/wiki/EBBR-Notes-2020.08.31

glikely commented 3 years ago

Update from Ilias: Sughosh added RNG protocol, so this should be working now.

Closing this issue as the infrastructure is in upstream.