Implement the same mechanism for x86 efistub as introduced by commit 568bc4e87033 ("efi/arm*/libstub: Invoke EFI_RNG_PROTOCOL to seed the UEFI RNG table") for efi/arm*/libstub, and best described here and there as: Invoke the EFI_RNG_PROTOCOL protocol in the context of the stub and install the Linux-specific RNG seed UEFI config table. This will be picked up by the EFI routines in the core kernel to seed the kernel entropy pool. Signed-off-by: Dominik Brodowski <linux@xxxxxxxxxxxxxxxxxxxx> Cc: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> Cc: Hsin-Yi Wang <hsinyi@xxxxxxxxxxxx> Cc: Stephen Boyd <swboyd@xxxxxxxxxxxx> Cc: Rob Herring <robh@xxxxxxxxxx> Cc: Theodore Ts'o <tytso@xxxxxxx> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx> Cc: Ingo Molnar <mingo@xxxxxxxxxx> Cc: Borislav Petkov <bp@xxxxxxxxx> Cc: "H. Peter Anvin" <hpa@xxxxxxxxx> Cc: <x86@xxxxxxxxxx> --- As far as I can see, we do not yet make use of the UEFI RNG on x86 at all, but only on arm. Note that this works only when Linux is booted as an EFI stub, and that the EFI-provided randomness is not credited as entropy unless RANDOM_TRUST_BOOTLOADER is set _and_ another patch (on its way upstream; thanks Ard!) is applied, see https://lore.kernel.org/lkml/20190928101428.GA222453@xxxxxxxxxxxxxxxxxxxxxxxxxx/ Further note that this patch is untested, as the firmware on my old x86 laptop only has UEFI v2.31. If you want to test it, you may wish to apply https://lore.kernel.org/lkml/20191005113632.GA74715@xxxxxxxxxxxxxxxxxxxxxxxxxx/T/#u first to get a clear indication in dmesg. Thanks, Dominik diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c index d6662fdef300..4b909e5ab857 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -781,6 +781,9 @@ efi_main(struct efi_config *c, struct boot_params *boot_params) /* Ask the firmware to clear memory on unclean shutdown */ efi_enable_reset_attack_mitigation(sys_table); + + efi_random_get_seed(sys_table); + efi_retrieve_tpm2_eventlog(sys_table); setup_graphics(boot_params); diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile index 0460c7581220..ece24c60fc2c 100644 --- a/drivers/firmware/efi/libstub/Makefile +++ b/drivers/firmware/efi/libstub/Makefile @@ -38,7 +38,8 @@ OBJECT_FILES_NON_STANDARD := y # Prevents link failures: __sanitizer_cov_trace_pc() is not linked in. KCOV_INSTRUMENT := n -lib-y := efi-stub-helper.o gop.o secureboot.o tpm.o +lib-y := efi-stub-helper.o gop.o secureboot.o tpm.o \ + random.o # include the stub's generic dependencies from lib/ when building for ARM/arm64 arm-deps-y := fdt_rw.c fdt_ro.c fdt_wip.c fdt.c fdt_empty_tree.c fdt_sw.c @@ -47,7 +48,7 @@ arm-deps-$(CONFIG_ARM64) += sort.c $(obj)/lib-%.o: $(srctree)/lib/%.c FORCE $(call if_changed_rule,cc_o_c) -lib-$(CONFIG_EFI_ARMSTUB) += arm-stub.o fdt.o string.o random.o \ +lib-$(CONFIG_EFI_ARMSTUB) += arm-stub.o fdt.o string.o \ $(patsubst %.c,lib-%.o,$(arm-deps-y)) lib-$(CONFIG_ARM) += arm32-stub.o diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h index 7f1556fd867d..05739ae013c8 100644 --- a/drivers/firmware/efi/libstub/efistub.h +++ b/drivers/firmware/efi/libstub/efistub.h @@ -63,8 +63,6 @@ efi_status_t efi_random_alloc(efi_system_table_t *sys_table_arg, efi_status_t check_platform_features(efi_system_table_t *sys_table_arg); -efi_status_t efi_random_get_seed(efi_system_table_t *sys_table_arg); - void *get_efi_config_table(efi_system_table_t *sys_table, efi_guid_t guid); /* Helper macros for the usual case of using simple C variables: */ diff --git a/include/linux/efi.h b/include/linux/efi.h index bd3837022307..a17cc5841668 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -1631,6 +1631,8 @@ static inline void efi_enable_reset_attack_mitigation(efi_system_table_t *sys_table_arg) { } #endif +efi_status_t efi_random_get_seed(efi_system_table_t *sys_table_arg); + void efi_retrieve_tpm2_eventlog(efi_system_table_t *sys_table); /*