Message ID | 20220927160742.1773167-1-Jason@zx2c4.com
---|---
State | New, archived
Series | arm: re-randomize rng-seed on reboot
Hi Peter,

On Tue, Sep 27, 2022 at 06:07:42PM +0200, Jason A. Donenfeld wrote:
> When the system reboots, the rng-seed that the FDT has should be
> re-randomized, so that the new boot gets a new seed. Since the FDT is in
> the ROM region at this point, we add a hook right after the ROM has been
> added, so that we have a pointer to that copy of the FDT. When the
> reboot happens, we then look for RNG seeds and replace their contents
> with new random data.
>
> Cc: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Just FYI, I'm waiting for your feedback on this approach, first, before
I add a similar thing for other architectures (at which point perhaps
rerandomize_fdt_seeds will be moved into device_tree.c or something).

Jason

> ---
> hw/arm/boot.c | 22 ++++++++++++++++++++++
> 1 file changed, 22 insertions(+)
>
> diff --git a/hw/arm/boot.c b/hw/arm/boot.c > index ada2717f76..2836db4abb 100644 > --- a/hw/arm/boot.c > +++ b/hw/arm/boot.c > @@ -25,6 +25,7 @@ > #include "qemu/config-file.h" > #include "qemu/option.h" > #include "qemu/units.h" > +#include "qemu/guest-random.h" > > /* Kernel boot protocol is specified in the kernel docs > * Documentation/arm/Booting and Documentation/arm64/booting.txt 
> @@ -529,6 +530,26 @@ static void fdt_add_psci_node(void *fdt) > qemu_fdt_setprop_cell(fdt, "/psci", "migrate", migrate_fn); > } > > +static void rerandomize_fdt_seeds(void *fdt) > +{ > + int noffset, poffset, len; > + const char *name; > + uint8_t *data; > + > + for (noffset = fdt_next_node(fdt, 0, NULL); > + noffset >= 0; > + noffset = fdt_next_node(fdt, noffset, NULL)) { > + for (poffset = fdt_first_property_offset(fdt, noffset); > + poffset >= 0; > + poffset = fdt_next_property_offset(fdt, poffset)) { > + data = (uint8_t *)fdt_getprop_by_offset(fdt, poffset, &name, &len); > + if (!data || strcmp(name, "rng-seed")) > + continue; > + qemu_guest_getrandom_nofail(data, len); > + } > + } > +} > + > int arm_load_dtb(hwaddr addr, const struct arm_boot_info *binfo, > hwaddr addr_limit, AddressSpace *as, MachineState *ms) > { > @@ -683,6 +704,7 @@ int arm_load_dtb(hwaddr addr, const struct arm_boot_info *binfo, > * the DTB is copied again upon reset, even if addr points into RAM. > */ > rom_add_blob_fixed_as("dtb", fdt, size, addr, as); > + qemu_register_reset(rerandomize_fdt_seeds, rom_ptr_for_as(as, addr, size)); > > g_free(fdt); > > -- > 2.37.3 > >
On Thu, Sep 29, 2022 at 10:57:22PM +0200, Jason A. Donenfeld via wrote:
> Hi Peter,
>
> On Tue, Sep 27, 2022 at 06:07:42PM +0200, Jason A. Donenfeld wrote:
> > When the system reboots, the rng-seed that the FDT has should be
> > re-randomized, so that the new boot gets a new seed. Since the FDT is in
> > the ROM region at this point, we add a hook right after the ROM has been
> > added, so that we have a pointer to that copy of the FDT. When the
> > reboot happens, we then look for RNG seeds and replace their contents
> > with new random data.
> >
> > Cc: Peter Maydell <peter.maydell@linaro.org>
> > Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
>
> Just FYI, I'm waiting for your feedback on this approach, first, before
> I add a similar thing for other architectures (at which point perhaps
> rerandomize_fdt_seeds will be moved into device_tree.c or something).

Actually, I think I'll generalize it now, and then we can evaluate it
all together. It actually looks a bit nicer split into patches. So I'll
have a replacement series for you shortly.

Jason
diff --git a/hw/arm/boot.c b/hw/arm/boot.c index ada2717f76..2836db4abb 100644 --- a/hw/arm/boot.c +++ b/hw/arm/boot.c @@ -25,6 +25,7 @@ #include "qemu/config-file.h" #include "qemu/option.h" #include "qemu/units.h" +#include "qemu/guest-random.h" /* Kernel boot protocol is specified in the kernel docs * Documentation/arm/Booting and Documentation/arm64/booting.txt @@ -529,6 +530,26 @@ static void fdt_add_psci_node(void *fdt) qemu_fdt_setprop_cell(fdt, "/psci", "migrate", migrate_fn); } +static void rerandomize_fdt_seeds(void *fdt) +{ + int noffset, poffset, len; + const char *name; + uint8_t *data; + + for (noffset = fdt_next_node(fdt, 0, NULL); + noffset >= 0; + noffset = fdt_next_node(fdt, noffset, NULL)) { + for (poffset = fdt_first_property_offset(fdt, noffset); + poffset >= 0; + poffset = fdt_next_property_offset(fdt, poffset)) { + data = (uint8_t *)fdt_getprop_by_offset(fdt, poffset, &name, &len); + if (!data || strcmp(name, "rng-seed")) + continue; + qemu_guest_getrandom_nofail(data, len); + } + } +} + int arm_load_dtb(hwaddr addr, const struct arm_boot_info *binfo, hwaddr addr_limit, AddressSpace *as, MachineState *ms) { @@ -683,6 +704,7 @@ int arm_load_dtb(hwaddr addr, const struct arm_boot_info *binfo, * the DTB is copied again upon reset, even if addr points into RAM. */ rom_add_blob_fixed_as("dtb", fdt, size, addr, as); + qemu_register_reset(rerandomize_fdt_seeds, rom_ptr_for_as(as, addr, size)); g_free(fdt);
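Review bot: in the rerandomize_fdt_seeds() hunk, fdt_getprop_by_offset() returns a const pointer and the cast to uint8_t * discards that so the value can be overwritten through it; a one-line comment stating that this is a deliberate same-length, in-place overwrite (no offset in the blob moves, which is why the libfdt setprop API is not needed) would make the intent clear to the next reader. The function also starts iterating with fdt_next_node(fdt, 0, NULL) without guarding against a NULL fdt, even though it runs as a reset handler with whatever pointer was registered; an early return on NULL would be cheap.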
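Review bot: in the arm_load_dtb() hunk, the result of rom_ptr_for_as(as, addr, size) is passed straight to qemu_register_reset() without being checked, so a NULL result would be dereferenced on every reset; check it before registering the handler. The comment just above the hunk says the DTB is copied again upon reset, so a comment stating whether rerandomize_fdt_seeds() runs before or after that copy, i.e. whether the freshly written seed is the one the guest sees on this reset or on the following one, would document the ordering the patch relies on.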
When the system reboots, the rng-seed that the FDT has should be
re-randomized, so that the new boot gets a new seed. Since the FDT is in
the ROM region at this point, we add a hook right after the ROM has been
added, so that we have a pointer to that copy of the FDT. When the
reboot happens, we then look for RNG seeds and replace their contents
with new random data.

Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 hw/arm/boot.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
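The walk the patch performs, as an added Python example that is not QEMU's or the author's code: it builds a constructed minimal DTB with an rng-seed property under /chosen, then walks every property of every node and overwrites each rng-seed value with fresh bytes of the same length, which is the invariant that lets a ROM copy be patched without moving any offset. The names build_dtb and rerandomize_fdt_seeds (the latter borrowed from the patch), the getrandom parameter and the blob layout are assumptions of this example.

```python
import os
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def build_dtb(seed):
    """Constructed minimal DTB: root node plus a /chosen child carrying rng-seed."""
    strings = b"rng-seed\0compatible\0"          # strings block; "compatible" at offset 9

    def prop(nameoff, value):                     # FDT_PROP token, len, nameoff, padded value
        return struct.pack(">III", FDT_PROP, len(value), nameoff) + value + b"\0" * (-len(value) % 4)

    struct_blk = (struct.pack(">I", FDT_BEGIN_NODE) + b"\0\0\0\0"          # root, empty name
                  + prop(9, b"example\0")
                  + struct.pack(">I", FDT_BEGIN_NODE) + b"chosen\0\0"      # /chosen
                  + prop(0, seed)
                  + struct.pack(">II", FDT_END_NODE, FDT_END_NODE)
                  + struct.pack(">I", FDT_END))
    rsvmap = b"\0" * 16                           # empty memory reservation map
    off_struct = 40 + len(rsvmap)                 # 40-byte header first
    off_strings = off_struct + len(struct_blk)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct, off_strings,
                         40, 17, 16, 0, len(strings), len(struct_blk))
    return bytearray(header + rsvmap + struct_blk + strings)


def rerandomize_fdt_seeds(dtb, getrandom=os.urandom):
    """Overwrite every rng-seed value in place, keeping its length; returns the count replaced."""
    magic, _, off_struct, off_strings = struct.unpack_from(">4I", dtb, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    pos, replaced = off_struct, 0
    while True:
        token = struct.unpack_from(">I", dtb, pos)[0]
        pos += 4
        if token == FDT_BEGIN_NODE:               # skip NUL-terminated name, 4-byte aligned
            pos = (dtb.index(b"\0", pos) + 1 + 3) & ~3
        elif token == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", dtb, pos)
            pos += 8
            name_end = dtb.index(b"\0", off_strings + nameoff)
            if dtb[off_strings + nameoff:name_end] == b"rng-seed":
                dtb[pos:pos + length] = getrandom(length)   # same-length overwrite, nothing moves
                replaced += 1
            pos = (pos + length + 3) & ~3
        elif token == FDT_END:
            return replaced
        elif token not in (FDT_END_NODE, FDT_NOP):
            raise ValueError("malformed structure block")
```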