[PATCH 1/2] efi: add support for seeding the RNG from a UEFI config table
Ard Biesheuvel
ard.biesheuvel at linaro.org
Wed Oct 19 04:13:55 PDT 2016
On 19 October 2016 at 12:09, Mark Rutland <mark.rutland at arm.com> wrote:
> Hi Ard,
>
> On Thu, Oct 06, 2016 at 11:27:25AM +0100, Ard Biesheuvel wrote:
>> Specify a Linux specific UEFI configuration table that carries some
>> random bits, and use the contents during early boot to seed the kernel's
>> random number generator. This allows much stronger random numbers to be
>> generated early on.
>>
>> The entropy is fed to the kernel using add_device_randomness(), which is
>> documented as being appropriate for being called very early.
>>
>> Note that the config table could be generated by the EFI stub or by any
>> other UEFI driver or application (e.g., GRUB), but the random seed table
>> GUID and the associated functionality should be considered an internal
>> kernel interface (unless it is promoted to ABI later on).
>
> What does this mean for kexec? Won't each successive kernel look for the
> table and find the same seed?
>
Yes. Whether this is a problem or not is context dependent: for things
like kdump, I don't think anyone cares. For other cases, having some
seed may still be better than having no seed at all.
It does mean, however, that we have to preserve the memory this table
points to for kexec boots.
> I think to some extent this must be treated as an ABI, given cases like
> kexec.
>
Perhaps, yes. That would also allow GRUB or other EFI aware
bootloaders to generate the seed.
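The kexec concern raised above, modelled as an added example that is not part of this thread or of the patch under discussion: a minimal stand-in for the UEFI configuration table array, a lookup of the seed table by GUID, and two kernels booting in sequence against the same array. The GUID, the seed table layout (size prefix plus bytes), the constructed seed bytes and the "clear after consumption" option are all assumptions made for the illustration; the real patch's GUID, structure and kexec handling are not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal model of EFI_GUID (field layout as in the UEFI specification). */
typedef struct { uint32_t a; uint16_t b, c; uint8_t d[8]; } efi_guid_t;

/* One entry of the UEFI system table's configuration table array. */
typedef struct { efi_guid_t guid; void *table; } efi_config_table_t;

/* Hypothetical seed table layout for this example: size prefix, then bytes. */
typedef struct { uint64_t size; uint8_t bits[64]; } efi_rng_seed_t;

/* Placeholder GUID constructed for this example; NOT the kernel's real value. */
static const efi_guid_t SEED_GUID = {
    0x11111111, 0x2222, 0x3333, { 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b }
};

static int guid_eq(const efi_guid_t *x, const efi_guid_t *y)
{
    return memcmp(x, y, sizeof *x) == 0;
}

/* Walk the configuration table array and return the seed table, or NULL. */
efi_rng_seed_t *find_seed_table(efi_config_table_t *tables, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (guid_eq(&tables[i].guid, &SEED_GUID))
            return tables[i].table;
    return NULL;
}

/* Model of one kernel boot consuming the seed. The XOR into 'pool' stands in
 * for add_device_randomness(); the return value is the number of seed bytes
 * that were fed in (0 if no table, or an already-emptied table, was found).
 * 'clear_after' is the assumed mitigation: wipe the seed once it is used so a
 * kexec'd successor kernel cannot re-use the same bytes. */
size_t consume_seed(efi_config_table_t *tables, size_t n,
                    uint8_t *pool, size_t pool_len, int clear_after)
{
    efi_rng_seed_t *s = find_seed_table(tables, n);
    if (!s || s->size == 0)
        return 0;
    size_t len = s->size < pool_len ? s->size : pool_len;
    for (size_t i = 0; i < len; i++)
        pool[i] ^= s->bits[i];
    if (clear_after) {
        memset(s->bits, 0, sizeof s->bits);
        s->size = 0;
    }
    return len;
}

/* Two kernels in sequence (first boot, then kexec) see the same table array.
 * Returns the number of seed bytes the SECOND kernel obtained: a nonzero
 * result means the seed was reused across the kexec boundary. */
size_t bytes_seen_by_second_kernel(int clear_after)
{
    efi_rng_seed_t seed = { .size = 32 };
    for (int i = 0; i < 32; i++)
        seed.bits[i] = (uint8_t)(i * 7 + 3);     /* constructed seed bytes */

    efi_config_table_t tables[] = {
        { { 0xdeadbeef, 0, 0, { 0 } }, NULL },   /* some unrelated table */
        { SEED_GUID, &seed },
    };
    uint8_t pool1[32] = { 0 }, pool2[32] = { 0 };

    consume_seed(tables, 2, pool1, sizeof pool1, clear_after);  /* first kernel */
    return consume_seed(tables, 2, pool2, sizeof pool2, clear_after); /* kexec'd kernel */
}

int main(void)
{
    printf("seed bytes reused without clearing: %zu\n", bytes_seen_by_second_kernel(0));
    printf("seed bytes reused after clearing:   %zu\n", bytes_seen_by_second_kernel(1));
    return 0;
}
```

Without clearing, the second kernel obtains the full 32 bytes again, which is exactly the "same seed" case; with clearing, it finds the table but gets nothing, which is the "no seed" case. Whichever policy a real implementation picks, the memory the table entry points to has to survive into the kexec'd kernel for the lookup to be meaningful at all.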