From 33973e1e1f88b7588fe9629645e279ff2c6ca1c4 Mon Sep 17 00:00:00 2001 From: Alex Bennée Date: Wed, 5 Jan 2022 13:49:56 +0000 Subject: hw/arm: add control knob to disable kaslr_seed via DTB Generally a guest needs an external source of randomness to properly enable things like address space randomisation. However in a trusted boot environment where the firmware will cryptographically verify components having random data in the DTB will cause verification to fail. Add a control knob so we can prevent this being added to the system DTB. Signed-off-by: Alex Bennée Tested-by: Heinrich Schuchardt Acked-by: Ilias Apalodimas Acked-by: Jerome Forissier Reviewed-by: Andrew Jones Message-Id: <20220105135009.1584676-22-alex.bennee@linaro.org> --- docs/system/arm/virt.rst | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs') diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst index 850787495b..1544632b67 100644 --- a/docs/system/arm/virt.rst +++ b/docs/system/arm/virt.rst @@ -121,6 +121,14 @@ ras Set ``on``/``off`` to enable/disable reporting host memory errors to a guest using ACPI and guest external abort exceptions. The default is off. +dtb-kaslr-seed + Set ``on``/``off`` to pass a random seed via the guest dtb + kaslr-seed node (in both "/chosen" and /secure-chosen) to use + for features like address space randomisation. The default is + ``on``. You will want to disable it if your trusted boot chain will + verify the DTB it is passed. It would be the responsibility of the + firmware to come up with a seed and pass it on if it wants to. + Linux guest kernel configuration """""""""""""""""""""""""""""""" -- cgit v1.2.3-55-g7522