From patchwork Thu Oct 6 10:27:25 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 9364581 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id D79C4600C8 for ; Thu, 6 Oct 2016 10:29:39 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C746228EC5 for ; Thu, 6 Oct 2016 10:29:39 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BBC9528ECB; Thu, 6 Oct 2016 10:29:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.9]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 355CE28EC5 for ; Thu, 6 Oct 2016 10:29:39 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.85_2 #1 (Red Hat Linux)) id 1bs5uQ-0003Ef-0M; Thu, 06 Oct 2016 10:28:14 +0000 Received: from mail-wm0-x22d.google.com ([2a00:1450:400c:c09::22d]) by bombadil.infradead.org with esmtps (Exim 4.85_2 #1 (Red Hat Linux)) id 1bs5u7-0003B1-7X for linux-arm-kernel@lists.infradead.org; Thu, 06 Oct 2016 10:27:56 +0000 Received: by mail-wm0-x22d.google.com with SMTP id k125so319041323wma.1 for ; Thu, 06 Oct 2016 03:27:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=q9vZbFdM2bXDH23zRLCypcio86WCAWhgFUdAh0pw2bw=; b=DEgwVqLLQtG/lZ8QuT35ftPJbgupE+99AD+Xe8o6buPPzO8C/RiJcVGI5ShCHjIIGA Tn2xwNPYuRORKgmtrthaACwLAFA6KI3OvDiJO04Bn1CzxYjZPghgpC+0l+Q0Tv/FWfjB FKSrWW1b3WVIBNp7IjA3lSZ+kNSZvm7d3LsFs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=q9vZbFdM2bXDH23zRLCypcio86WCAWhgFUdAh0pw2bw=; b=OS/X90K+MX2ixnzd/DoDCQ/Wnuhj3fQm43jm4rMvqt6P8K6rlY+tYaGlRR+CvQyqZQ UpbULIhXlytNYpFuSWJCDMTX+nASeiXhzXLzt2VrqYBVxuqi0RxnzaYXrdFrwaHwDvAV 8hXxgO81zAC286BMBJGImmY9FElcxXiZClMIGxAW8Ln3/Jw9LUqSw7ShsWd/ohkpRE3/ 1PhEMgleJQ2TOdXGdkbvTOl89g1HK6ATQNsqd6ZLsB5udytqDlmA3pc1POs/oR3cHcdy BOC9llNIbP11gXeyoNDbuvJI/9Z7Lh/IRExkS3v2cLgSFpKtaDahedyWWcn1RBz9emCc Myfg== X-Gm-Message-State: AA6/9RlGhLqMTkj0/JyIzTC947cG9J/l+2O2AQt2GX5shTdRfjqPYK2TtlEiw1OX+6XzmSHN X-Received: by 10.28.9.194 with SMTP id 185mr14606917wmj.108.1475749653364; Thu, 06 Oct 2016 03:27:33 -0700 (PDT) Received: from localhost.localdomain ([197.128.164.82]) by smtp.gmail.com with ESMTPSA id x124sm34552469wmf.22.2016.10.06.03.27.31 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 06 Oct 2016 03:27:32 -0700 (PDT) From: Ard Biesheuvel To: linux-efi@vger.kernel.org, matt@codeblueprint.co.uk, linux-arm-kernel@lists.infradead.org Subject: [PATCH 1/2] efi: add support for seeding the RNG from a UEFI config table Date: Thu, 6 Oct 2016 11:27:25 +0100 Message-Id: <1475749646-10844-2-git-send-email-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1475749646-10844-1-git-send-email-ard.biesheuvel@linaro.org> References: <1475749646-10844-1-git-send-email-ard.biesheuvel@linaro.org> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20161006_032755_477294_4D3DA41C X-CRM114-Status: GOOD ( 17.72 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: mark.rutland@arm.com, Ard Biesheuvel MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Virus-Scanned: ClamAV using ClamSMTP Specify a Linux specific UEFI configuration table that carries some random bits, and use the contents during early boot to seed the kernel's random number generator. This allows much strong random numbers to be generated early on. The entropy is fed to the kernel using add_device_randomness(), which is documented as being appropriate for being called very early. Note that the config table could be generated by the EFI stub or by any other UEFI driver or application (e.g., GRUB), but the random seed table GUID and the associated functionality should be considered an internal kernel interface (unless it is promoted to ABI later on) Signed-off-by: Ard Biesheuvel --- drivers/firmware/efi/efi.c | 26 ++++++++++++++++++++ include/linux/efi.h | 8 ++++++ 2 files changed, 34 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 1ac199cd75e7..c8ae40f9b674 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -24,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -48,6 +49,7 @@ struct efi __read_mostly efi = { .esrt = EFI_INVALID_TABLE_ADDR, .properties_table = EFI_INVALID_TABLE_ADDR, .mem_attr_table = EFI_INVALID_TABLE_ADDR, + .rng_seed = EFI_INVALID_TABLE_ADDR, }; EXPORT_SYMBOL(efi); @@ -438,6 +440,7 @@ static __initdata efi_config_table_type_t common_tables[] = { {EFI_SYSTEM_RESOURCE_TABLE_GUID, "ESRT", &efi.esrt}, {EFI_PROPERTIES_TABLE_GUID, "PROP", &efi.properties_table}, {EFI_MEMORY_ATTRIBUTES_TABLE_GUID, "MEMATTR", &efi.mem_attr_table}, + {LINUX_EFI_RANDOM_SEED_TABLE_GUID, "RNG", &efi.rng_seed}, {NULL_GUID, NULL, NULL}, }; @@ -499,6 +502,29 @@ int __init efi_config_parse_tables(void *config_tables, int count, int sz, pr_cont("\n"); set_bit(EFI_CONFIG_TABLES, &efi.flags); + if (efi.rng_seed != EFI_INVALID_TABLE_ADDR) { + struct linux_efi_random_seed *seed; + u32 size = 0; + + seed = early_memremap(efi.rng_seed, sizeof(*seed)); + if (seed != NULL) { + size = seed->size; + early_memunmap(seed, sizeof(*seed)); + } else { + pr_err("Could not map UEFI random seed!\n"); + } + if (size > 0) { + seed = early_memremap(efi.rng_seed, + sizeof(*seed) + size); + if (seed != NULL) { + add_device_randomness(seed->bits, seed->size); + early_memunmap(seed, sizeof(*seed) + size); + } else { + pr_err("Could not map UEFI random seed!\n"); + } + } + } + /* Parse the EFI Properties table if it exists */ if (efi.properties_table != EFI_INVALID_TABLE_ADDR) { efi_properties_table_t *tbl; diff --git a/include/linux/efi.h b/include/linux/efi.h index 2d089487d2da..85e28b138cdd 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -599,6 +599,7 @@ void efi_native_runtime_setup(void); */ #define LINUX_EFI_ARM_SCREEN_INFO_TABLE_GUID EFI_GUID(0xe03fc20a, 0x85dc, 0x406e, 0xb9, 0x0e, 0x4a, 0xb5, 0x02, 0x37, 0x1d, 0x95) #define LINUX_EFI_LOADER_ENTRY_GUID EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, 0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f) +#define LINUX_EFI_RANDOM_SEED_TABLE_GUID EFI_GUID(0x1ce1e5bc, 0x7ceb, 0x42f2, 0x81, 0xe5, 0x8a, 0xad, 0xf1, 0x80, 0xf5, 0x7b) typedef struct { efi_guid_t guid; @@ -872,6 +873,7 @@ extern struct efi { unsigned long esrt; /* ESRT table */ unsigned long properties_table; /* properties table */ unsigned long mem_attr_table; /* memory attributes table */ + unsigned long rng_seed; /* UEFI firmware random seed */ efi_get_time_t *get_time; efi_set_time_t *set_time; efi_get_wakeup_time_t *get_wakeup_time; @@ -1493,4 +1495,10 @@ efi_status_t efi_exit_boot_services(efi_system_table_t *sys_table, struct efi_boot_memmap *map, void *priv, efi_exit_boot_map_processing priv_func); + +struct linux_efi_random_seed { + u32 size; + u8 bits[]; +}; + #endif /* _LINUX_EFI_H */