diff mbox series

[v12,16/16] arm64: kexec_file: add kaslr support

Message ID 20180724065759.19186-17-takahiro.akashi@linaro.org
State New
Headers show
Series arm64: kexec: add kexec_file_load() support | expand

Commit Message

AKASHI Takahiro July 24, 2018, 6:57 a.m. UTC 
Adding "kaslr-seed" to dtb enables triggering kaslr, or kernel virtual
address randomization, at secondary kernel boot. We always do this as
it will have no harm on kaslr-incapable kernel.

We don't have any "switch" to turn off this feature directly, but still
can suppress it by passing "nokaslr" as a kernel boot argument.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
---
 arch/arm64/kernel/machine_kexec_file.c | 8 ++++++++
 1 file changed, 8 insertions(+)

-- 
2.18.0

Comments

James Morse July 26, 2018, 1:40 p.m. UTC | #1 
Hi Akashi,

On 24/07/18 07:57, AKASHI Takahiro wrote:
> Adding "kaslr-seed" to dtb enables triggering kaslr, or kernel virtual

> address randomization, at secondary kernel boot.


Hmm, there are three things that get moved by CONFIG_RANDOMIZE_BASE. The kernel
physical placement when booted via the EFIstub, the kernel-text VAs and the
location of memory in the linear-map region. Adding the kaslr-seed only does the
last two.

This means the physical placement of the new kernel is predictable from
/proc/iomem ... but this also tells you the physical placement of the current
kernel, so I don't think this is a problem.


> We always do this as it will have no harm on kaslr-incapable kernel.


> We don't have any "switch" to turn off this feature directly, but still

> can suppress it by passing "nokaslr" as a kernel boot argument.



> diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c

> index 7356da5a53d5..47a4fbd0dc34 100644

> --- a/arch/arm64/kernel/machine_kexec_file.c

> +++ b/arch/arm64/kernel/machine_kexec_file.c

> @@ -158,6 +160,12 @@ static int setup_dtb(struct kimage *image,


Don't you need to reserve some space in the area you vmalloc()d for the DT?


> +	/* add kaslr-seed */

> +	get_random_bytes(&value, sizeof(value));


What happens if the crng isn't ready?

It looks like this will print a warning that these random-bytes aren't really up
to standard, but the new kernel doesn't know this happened.

crng_ready() isn't exposed, all we could do now is
wait_for_random_bytes(), but that may wait forever because we do this
unconditionally.

I'd prefer to leave this feature until we can check crng_ready(), and skip
adding a dodgy-seed if its not-ready. This avoids polluting the next-kernel's
entropy pool.


> +	ret = fdt_setprop(buf, nodeoffset, "kaslr-seed", &value, sizeof(value));


Nit: It would be nice if this string were in a header file somewhere, to void
future refactoring typos.


Thanks,

James
AKASHI Takahiro July 27, 2018, 8:31 a.m. UTC | #2 
On Thu, Jul 26, 2018 at 02:40:49PM +0100, James Morse wrote:
> Hi Akashi,

> 

> On 24/07/18 07:57, AKASHI Takahiro wrote:

> > Adding "kaslr-seed" to dtb enables triggering kaslr, or kernel virtual

> > address randomization, at secondary kernel boot.

> 

> Hmm, there are three things that get moved by CONFIG_RANDOMIZE_BASE. The kernel

> physical placement when booted via the EFIstub, the kernel-text VAs and the

> location of memory in the linear-map region. Adding the kaslr-seed only does the

> last two.


Yes, but I think that I and Mark has agreed that "kaslr" meant
"virtual" randomisation, not including "physical" randomisation.

> This means the physical placement of the new kernel is predictable from

> /proc/iomem ... but this also tells you the physical placement of the current

> kernel, so I don't think this is a problem.

> 

> 

> > We always do this as it will have no harm on kaslr-incapable kernel.

> 

> > We don't have any "switch" to turn off this feature directly, but still

> > can suppress it by passing "nokaslr" as a kernel boot argument.

> 

> 

> > diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c

> > index 7356da5a53d5..47a4fbd0dc34 100644

> > --- a/arch/arm64/kernel/machine_kexec_file.c

> > +++ b/arch/arm64/kernel/machine_kexec_file.c

> > @@ -158,6 +160,12 @@ static int setup_dtb(struct kimage *image,

> 

> Don't you need to reserve some space in the area you vmalloc()d for the DT?


No, I don't think so.
All the data to be loaded are temporarily saved in kexec buffers,
which will eventually be copied to target locations in machine_kexec
(arm64_relocate_new_kernel, which, unlike its name, will handle
not only kernel but also other data as well).

> 

> > +	/* add kaslr-seed */

> > +	get_random_bytes(&value, sizeof(value));

> 

> What happens if the crng isn't ready?

> 

> It looks like this will print a warning that these random-bytes aren't really up

> to standard, but the new kernel doesn't know this happened.

> 

> crng_ready() isn't exposed, all we could do now is

> wait_for_random_bytes(), but that may wait forever because we do this

> unconditionally.

> 

> I'd prefer to leave this feature until we can check crng_ready(), and skip

> adding a dodgy-seed if its not-ready. This avoids polluting the next-kernel's

> entropy pool.


OK. I would try to follow the same way as Bhupesh's userspace patch
does for kaslr-seed:
http://lists.infradead.org/pipermail/kexec/2018-April/020564.html

  if (not found kaslr-seed in 1st kernel's dtb)
     don't care; go ahead
  else
     if (current kaslr-seed != 0)
        error
     if (crng_ready()) ; FIXME, it's a local macro
        get_random_bytes(non-blocking)
        set new kaslr-seed
     else
        error

> 

> > +	ret = fdt_setprop(buf, nodeoffset, "kaslr-seed", &value, sizeof(value));

> 

> Nit: It would be nice if this string were in a header file somewhere, to void

> future refactoring typos.


OK. (but in this file for now as I mentioned in my previous reply)

Thanks,
-Takahiro AKASHI

> 

> Thanks,

> 

> James
James Morse July 27, 2018, 9:22 a.m. UTC | #3 
Hi Akashi,


On 07/27/2018 09:31 AM, AKASHI Takahiro wrote:
> On Thu, Jul 26, 2018 at 02:40:49PM +0100, James Morse wrote:

>> On 24/07/18 07:57, AKASHI Takahiro wrote:

>>> Adding "kaslr-seed" to dtb enables triggering kaslr, or kernel virtual

>>> address randomization, at secondary kernel boot.

>> Hmm, there are three things that get moved by CONFIG_RANDOMIZE_BASE. The kernel

>> physical placement when booted via the EFIstub, the kernel-text VAs and the

>> location of memory in the linear-map region. Adding the kaslr-seed only does the

>> last two.

> Yes, but I think that I and Mark has agreed that "kaslr" meant

> "virtual" randomisation, not including "physical" randomisation.

Okay, I'll update my terminology!


>> This means the physical placement of the new kernel is predictable from

>> /proc/iomem ... but this also tells you the physical placement of the current

>> kernel, so I don't think this is a problem.

>>

>>

>>> We always do this as it will have no harm on kaslr-incapable kernel.

>>> We don't have any "switch" to turn off this feature directly, but still

>>> can suppress it by passing "nokaslr" as a kernel boot argument.

>>

>>> diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c

>>> index 7356da5a53d5..47a4fbd0dc34 100644

>>> --- a/arch/arm64/kernel/machine_kexec_file.c

>>> +++ b/arch/arm64/kernel/machine_kexec_file.c

>>> @@ -158,6 +160,12 @@ static int setup_dtb(struct kimage *image,

>> Don't you need to reserve some space in the area you vmalloc()d for the DT?

> No, I don't think so.

> All the data to be loaded are temporarily saved in kexec buffers,

> which will eventually be copied to target locations in machine_kexec

> (arm64_relocate_new_kernel, which, unlike its name, will handle

> not only kernel but also other data as well).


I think we're speaking at cross purposes. Don't you need:

| buf_size += fdt_prop_len("kaslr―seed", sizeof(u64));


You can't assume the existing DTB had a kaslr-seed property, and the 
difference may take us over a PAGE_SIZE boundary.


>

>>

>>> +	/* add kaslr-seed */

>>> +	get_random_bytes(&value, sizeof(value));

>> What happens if the crng isn't ready?

>>

>> It looks like this will print a warning that these random-bytes aren't really up

>> to standard, but the new kernel doesn't know this happened.

>>

>> crng_ready() isn't exposed, all we could do now is

>> wait_for_random_bytes(), but that may wait forever because we do this

>> unconditionally.

>>

>> I'd prefer to leave this feature until we can check crng_ready(), and skip

>> adding a dodgy-seed if its not-ready. This avoids polluting the next-kernel's

>> entropy pool.

> OK. I would try to follow the same way as Bhupesh's userspace patch

> does for kaslr-seed:

> http://lists.infradead.org/pipermail/kexec/2018-April/020564.html


(I really don't understand this 'copying code from user-space' that 
happens with kexec_file_load)


>    if (not found kaslr-seed in 1st kernel's dtb)

>       don't care; go ahead


Don' t bother. As you say in the commit-message its harmless if the new 
kernel doesn't support it.
Always having this would let you use kexec_file_load as a bootloader 
that can get the crng to
provide decent entropy even if the platform bootloader can't.


>    else

>       if (current kaslr-seed != 0)

>          error


Don't bother. If this happens its a bug in another part of the kernel 
that doesn't affect this one. We aren't second-guessing the file-system 
when we read the kernel-fd, lets keep this simple.

>       if (crng_ready()) ; FIXME, it's a local macro

>          get_random_bytes(non-blocking)

>          set new kaslr-seed

>       else

>          error

error? Something like pr_warn_once().

I thought the kaslr-seed was added to the entropy pool, but now I look 
again I see its a separate EFI table. So the new kernel will add the 
same entropy ... that doesn't sound clever. (I can't see where its 
zero'd or re-initialised)



Thanks,

James
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Hi Akashi,<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 07/27/2018 09:31 AM, AKASHI Takahiro
      wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:20180727083104.GI11258@linaro.org">
      <pre wrap="">On Thu, Jul 26, 2018 at 02:40:49PM +0100, James Morse wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">On 24/07/18 07:57, AKASHI Takahiro wrote:
</pre>
        <blockquote type="cite">
          <pre wrap="">Adding "kaslr-seed" to dtb enables triggering kaslr, or kernel virtual
address randomization, at secondary kernel boot.
</pre>
        </blockquote>
        <pre wrap="">
Hmm, there are three things that get moved by CONFIG_RANDOMIZE_BASE. The kernel
physical placement when booted via the EFIstub, the kernel-text VAs and the
location of memory in the linear-map region. Adding the kaslr-seed only does the
last two.
</pre>
      </blockquote>
      <pre wrap="">
Yes, but I think that I and Mark has agreed that "kaslr" meant
"virtual" randomisation, not including "physical" randomisation.</pre>
    </blockquote>
    Okay, I'll update my terminology!<br>
    <br>
    <br>
    <blockquote type="cite" cite="mid:20180727083104.GI11258@linaro.org">
      <blockquote type="cite">
        <pre wrap="">This means the physical placement of the new kernel is predictable from
/proc/iomem ... but this also tells you the physical placement of the current
kernel, so I don't think this is a problem.


</pre>
        <blockquote type="cite">
          <pre wrap="">We always do this as it will have no harm on kaslr-incapable kernel.
</pre>
        </blockquote>
        <pre wrap="">
</pre>
        <blockquote type="cite">
          <pre wrap="">We don't have any "switch" to turn off this feature directly, but still
can suppress it by passing "nokaslr" as a kernel boot argument.
</pre>
        </blockquote>
        <pre wrap="">

</pre>
        <blockquote type="cite">
          <pre wrap="">diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 7356da5a53d5..47a4fbd0dc34 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -158,6 +160,12 @@ static int setup_dtb(struct kimage *image,
</pre>
        </blockquote>
        <pre wrap="">
Don't you need to reserve some space in the area you vmalloc()d for the DT?
</pre>
      </blockquote>
      <pre wrap="">
No, I don't think so.
All the data to be loaded are temporarily saved in kexec buffers,
which will eventually be copied to target locations in machine_kexec
(arm64_relocate_new_kernel, which, unlike its name, will handle
not only kernel but also other data as well).</pre>
    </blockquote>
    <br>
    I think we're speaking at cross purposes. Don't you need:<br>
    <pre wrap="">| buf_size += fdt_prop_len("kaslr<span class="ILfuVd yZ8quc">―</span>seed", sizeof(u64));</pre>
    <br>
    You can't assume the existing DTB had a kaslr-seed property, and the
    difference may take us over a PAGE_SIZE boundary.<br>
    <br>
    <br>
    <blockquote type="cite" cite="mid:20180727083104.GI11258@linaro.org"><br>
      <blockquote type="cite"><br>
        <blockquote type="cite">
          <pre wrap="">+	/* add kaslr-seed */
+	get_random_bytes(&amp;value, sizeof(value));
</pre>
        </blockquote>
        <pre wrap="">
What happens if the crng isn't ready?

It looks like this will print a warning that these random-bytes aren't really up
to standard, but the new kernel doesn't know this happened.

crng_ready() isn't exposed, all we could do now is
wait_for_random_bytes(), but that may wait forever because we do this
unconditionally.

I'd prefer to leave this feature until we can check crng_ready(), and skip
adding a dodgy-seed if its not-ready. This avoids polluting the next-kernel's
entropy pool.
</pre>
      </blockquote>
      <pre wrap="">
OK. I would try to follow the same way as Bhupesh's userspace patch
does for kaslr-seed:
<a class="moz-txt-link-freetext" href="http://lists.infradead.org/pipermail/kexec/2018-April/020564.html">http://lists.infradead.org/pipermail/kexec/2018-April/020564.html</a></pre>
    </blockquote>
    <br>
    (I really don't understand this 'copying code from user-space' that
    happens with kexec_file_load)<br>
    <br>
    <br>
    <blockquote type="cite" cite="mid:20180727083104.GI11258@linaro.org">
      <pre wrap="">  if (not found kaslr-seed in 1st kernel's dtb)
     don't care; go ahead</pre>
    </blockquote>
    <br>
    Don' t bother. As you say in the commit-message its harmless if the
    new kernel doesn't support it.<br>
    Always having this would let you use kexec_file_load as a bootloader
    that can get the crng to<br>
    provide decent entropy even if the platform bootloader can't.<br>
    <br>
    <br>
    <blockquote type="cite" cite="mid:20180727083104.GI11258@linaro.org">
      <pre wrap="">  else
     if (current kaslr-seed != 0)
        error</pre>
    </blockquote>
    <br>
    Don't bother. If this happens its a bug in another part of the
    kernel that doesn't affect this one. We aren't second-guessing the
    file-system when we read the kernel-fd, lets keep this simple.<br>
    <br>
    <blockquote type="cite" cite="mid:20180727083104.GI11258@linaro.org">
      <pre wrap="">     if (crng_ready()) ; FIXME, it's a local macro
        get_random_bytes(non-blocking)
        set new kaslr-seed
     else
        error</pre>
    </blockquote>
    error? Something like pr_warn_once().<br>
    <br>
    I thought the kaslr-seed was added to the entropy pool, but now I
    look again I see its a separate EFI table. So the new kernel will
    add the same entropy ... that doesn't sound clever. (I can't see
    where its zero'd or re-initialised)<br>
    <br>
    <br>
    <br>
    Thanks,<br>
    <br>
    James<br>
  </body>
</html>
Ard Biesheuvel July 27, 2018, 9:28 a.m. UTC | #4 
On 27 July 2018 at 11:22, James Morse <james.morse@arm.com> wrote:
> Hi Akashi,

>

>

> On 07/27/2018 09:31 AM, AKASHI Takahiro wrote:

>

> On Thu, Jul 26, 2018 at 02:40:49PM +0100, James Morse wrote:

>

> On 24/07/18 07:57, AKASHI Takahiro wrote:

>

> Adding "kaslr-seed" to dtb enables triggering kaslr, or kernel virtual

> address randomization, at secondary kernel boot.

>

> Hmm, there are three things that get moved by CONFIG_RANDOMIZE_BASE. The

> kernel

> physical placement when booted via the EFIstub, the kernel-text VAs and the

> location of memory in the linear-map region. Adding the kaslr-seed only does

> the

> last two.

>

> Yes, but I think that I and Mark has agreed that "kaslr" meant

> "virtual" randomisation, not including "physical" randomisation.

>

> Okay, I'll update my terminology!

>

>

> This means the physical placement of the new kernel is predictable from

> /proc/iomem ... but this also tells you the physical placement of the

> current

> kernel, so I don't think this is a problem.

>

>

> We always do this as it will have no harm on kaslr-incapable kernel.

>

> We don't have any "switch" to turn off this feature directly, but still

> can suppress it by passing "nokaslr" as a kernel boot argument.

>

> diff --git a/arch/arm64/kernel/machine_kexec_file.c

> b/arch/arm64/kernel/machine_kexec_file.c

> index 7356da5a53d5..47a4fbd0dc34 100644

> --- a/arch/arm64/kernel/machine_kexec_file.c

> +++ b/arch/arm64/kernel/machine_kexec_file.c

> @@ -158,6 +160,12 @@ static int setup_dtb(struct kimage *image,

>

> Don't you need to reserve some space in the area you vmalloc()d for the DT?

>

> No, I don't think so.

> All the data to be loaded are temporarily saved in kexec buffers,

> which will eventually be copied to target locations in machine_kexec

> (arm64_relocate_new_kernel, which, unlike its name, will handle

> not only kernel but also other data as well).

>

>

> I think we're speaking at cross purposes. Don't you need:

>

> | buf_size += fdt_prop_len("kaslr―seed", sizeof(u64));

>

>

> You can't assume the existing DTB had a kaslr-seed property, and the

> difference may take us over a PAGE_SIZE boundary.

>

>

>

>

> + /* add kaslr-seed */

> + get_random_bytes(&value, sizeof(value));

>

> What happens if the crng isn't ready?

>

> It looks like this will print a warning that these random-bytes aren't

> really up

> to standard, but the new kernel doesn't know this happened.

>

> crng_ready() isn't exposed, all we could do now is

> wait_for_random_bytes(), but that may wait forever because we do this

> unconditionally.

>

> I'd prefer to leave this feature until we can check crng_ready(), and skip

> adding a dodgy-seed if its not-ready. This avoids polluting the

> next-kernel's

> entropy pool.

>

> OK. I would try to follow the same way as Bhupesh's userspace patch

> does for kaslr-seed:

> http://lists.infradead.org/pipermail/kexec/2018-April/020564.html

>

>

> (I really don't understand this 'copying code from user-space' that happens

> with kexec_file_load)

>

>

>   if (not found kaslr-seed in 1st kernel's dtb)

>      don't care; go ahead

>

>

> Don' t bother. As you say in the commit-message its harmless if the new

> kernel doesn't support it.

> Always having this would let you use kexec_file_load as a bootloader that

> can get the crng to

> provide decent entropy even if the platform bootloader can't.

>

>

>   else

>      if (current kaslr-seed != 0)

>         error

>

>

> Don't bother. If this happens its a bug in another part of the kernel that

> doesn't affect this one. We aren't second-guessing the file-system when we

> read the kernel-fd, lets keep this simple.

>

>      if (crng_ready()) ; FIXME, it's a local macro

>         get_random_bytes(non-blocking)

>         set new kaslr-seed

>      else

>         error

>

> error? Something like pr_warn_once().

>

> I thought the kaslr-seed was added to the entropy pool, but now I look again

> I see its a separate EFI table. So the new kernel will add the same entropy

> ... that doesn't sound clever. (I can't see where its zero'd or

> re-initialised)

>


We do have a hook for that: grep for update_efi_random_seed()
AKASHI Takahiro Aug. 1, 2018, 7:57 a.m. UTC | #5 
James,

All the changes mentioned below were applied to my coming v13.

On Fri, Jul 27, 2018 at 10:22:31AM +0100, James Morse wrote:
> Hi Akashi,

> 

> 

> On 07/27/2018 09:31 AM, AKASHI Takahiro wrote:

> >On Thu, Jul 26, 2018 at 02:40:49PM +0100, James Morse wrote:

> >>On 24/07/18 07:57, AKASHI Takahiro wrote:

> >>>Adding "kaslr-seed" to dtb enables triggering kaslr, or kernel virtual

> >>>address randomization, at secondary kernel boot.

> >>Hmm, there are three things that get moved by CONFIG_RANDOMIZE_BASE. The kernel

> >>physical placement when booted via the EFIstub, the kernel-text VAs and the

> >>location of memory in the linear-map region. Adding the kaslr-seed only does the

> >>last two.

> >Yes, but I think that I and Mark has agreed that "kaslr" meant

> >"virtual" randomisation, not including "physical" randomisation.

> Okay, I'll update my terminology!

> 

> 

> >>This means the physical placement of the new kernel is predictable from

> >>/proc/iomem ... but this also tells you the physical placement of the current

> >>kernel, so I don't think this is a problem.

> >>

> >>

> >>>We always do this as it will have no harm on kaslr-incapable kernel.

> >>>We don't have any "switch" to turn off this feature directly, but still

> >>>can suppress it by passing "nokaslr" as a kernel boot argument.

> >>

> >>>diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c

> >>>index 7356da5a53d5..47a4fbd0dc34 100644

> >>>--- a/arch/arm64/kernel/machine_kexec_file.c

> >>>+++ b/arch/arm64/kernel/machine_kexec_file.c

> >>>@@ -158,6 +160,12 @@ static int setup_dtb(struct kimage *image,

> >>Don't you need to reserve some space in the area you vmalloc()d for the DT?

> >No, I don't think so.

> >All the data to be loaded are temporarily saved in kexec buffers,

> >which will eventually be copied to target locations in machine_kexec

> >(arm64_relocate_new_kernel, which, unlike its name, will handle

> >not only kernel but also other data as well).

> 

> I think we're speaking at cross purposes. Don't you need:

> 

> | buf_size += fdt_prop_len("kaslr―seed", sizeof(u64));

> 

> 

> You can't assume the existing DTB had a kaslr-seed property, and the

> difference may take us over a PAGE_SIZE boundary.


I see, I will add that.

> 

> >

> >>

> >>>+	/* add kaslr-seed */

> >>>+	get_random_bytes(&value, sizeof(value));

> >>What happens if the crng isn't ready?

> >>

> >>It looks like this will print a warning that these random-bytes aren't really up

> >>to standard, but the new kernel doesn't know this happened.

> >>

> >>crng_ready() isn't exposed, all we could do now is

> >>wait_for_random_bytes(), but that may wait forever because we do this

> >>unconditionally.

> >>

> >>I'd prefer to leave this feature until we can check crng_ready(), and skip

> >>adding a dodgy-seed if its not-ready. This avoids polluting the next-kernel's

> >>entropy pool.

> >OK. I would try to follow the same way as Bhupesh's userspace patch

> >does for kaslr-seed:

> >http://lists.infradead.org/pipermail/kexec/2018-April/020564.html

> 

> (I really don't understand this 'copying code from user-space' that happens

> with kexec_file_load)

> 

> 

> >   if (not found kaslr-seed in 1st kernel's dtb)

> >      don't care; go ahead

> 

> Don' t bother. As you say in the commit-message its harmless if the new

> kernel doesn't support it.

> Always having this would let you use kexec_file_load as a bootloader that

> can get the crng to

> provide decent entropy even if the platform bootloader can't.


OK, but anyway previous "kaslr-seed" will be dropped first.

> 

> >   else

> >      if (current kaslr-seed != 0)

> >         error

> 

> Don't bother. If this happens its a bug in another part of the kernel that

> doesn't affect this one. We aren't second-guessing the file-system when we

> read the kernel-fd, lets keep this simple.


OK

> >      if (crng_ready()) ; FIXME, it's a local macro

> >         get_random_bytes(non-blocking)

> >         set new kaslr-seed

> >      else

> >         error

> error? Something like pr_warn_once().


It was changed to pr_notice() since there is nothing wrong.

Thanks,
-Takahiro AKASHI

> I thought the kaslr-seed was added to the entropy pool, but now I look again

> I see its a separate EFI table. So the new kernel will add the same entropy

> ... that doesn't sound clever. (I can't see where its zero'd or

> re-initialised)

> 

> 

> 

> Thanks,

> 

> James
diff mbox series

Patch

diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 7356da5a53d5..47a4fbd0dc34 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -16,6 +16,7 @@ 
 #include <linux/libfdt.h>
 #include <linux/memblock.h>
 #include <linux/of_fdt.h>
+#include <linux/random.h>
 #include <linux/slab.h>
 #include <linux/types.h>
 #include <linux/vmalloc.h>
@@ -46,6 +47,7 @@  static int setup_dtb(struct kimage *image,
 	void *buf = NULL;
 	size_t buf_size, range_size;
 	int nodeoffset;
+	u64 value;
 	int ret;
 
 	/* check ranges against root's #address-cells and #size-cells */
@@ -158,6 +160,12 @@  static int setup_dtb(struct kimage *image,
 		}
 	}
 
+	/* add kaslr-seed */
+	get_random_bytes(&value, sizeof(value));
+	ret = fdt_setprop(buf, nodeoffset, "kaslr-seed", &value, sizeof(value));
+	if (ret)
+		goto out_err;
+
 	/* trim a buffer */
 	fdt_pack(buf);
 	*dtb_buf = buf;