Re: [PATCH] efi/arm64: libstub: Deal gracefully with EFI_RNG_PROTOCOL failure

Heinrich Schuchardt <xypron.glpk@xxxxxx> · Sun, 27 Sep 2020 10:17:56 +0200

On 9/26/20 10:58 AM, Ard Biesheuvel wrote:
> Currently, on arm64, we abort on any failure from efi_get_random_bytes()
> other than EFI_NOT_FOUND when it comes to setting the physical seed for
> KASLR, but ignore such failures when obtaining the seed for virtual
> KASLR or for early seeding of the kernel's entropy pool via the config
> table. This is inconsistent, and may lead to unexpected boot failures.
>
> So let's permit any failure for the physical seed, and simply report
> the error code if it does not equal EFI_NOT_FOUND.
>
> Reported-by: Heinrich Schuchardt <xypron.glpk@xxxxxx>
> Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>

Hello Ard,

thank you for providing the patch. Unfortunately this seems not to be
enough for booting with an EFI_RNG_PROTOCOL.GetRng() returning
EFI_UNSUPPORTED.

This is the output I received on v5.9-rc6, defconfig with your patch
applied. I can retry with a branch from
https://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git/ if you
indicate which one to use.

EFI stub: Booting Linux Kernel...
EFI stub: ERROR: efi_get_random_bytes() failed (0x8000000000000003),
KASLR will be disabled
EFI stub: Using DTB from configuration table

EFI stub: Exiting boot services and installing virtual address map...

EFI stub: ERROR: Unable to construct new device tree.
EFI stub: ERROR: Failed to update FDT and exit boot services

This matches the problem originally reported by Scott.

Best regards

Heinrich

> ---
>  drivers/firmware/efi/libstub/arm64-stub.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/firmware/efi/libstub/arm64-stub.c b/drivers/firmware/efi/libstub/arm64-stub.c
> index e5bfac79e5ac..21692a986beb 100644
> --- a/drivers/firmware/efi/libstub/arm64-stub.c
> +++ b/drivers/firmware/efi/libstub/arm64-stub.c
> @@ -62,10 +62,10 @@ efi_status_t handle_kernel_image(unsigned long *image_addr,
>  			status = efi_get_random_bytes(sizeof(phys_seed),
>  						      (u8 *)&phys_seed);
>  			if (status == EFI_NOT_FOUND) {
> -				efi_info("EFI_RNG_PROTOCOL unavailable, no randomness supplied\n");
> +				efi_info("EFI_RNG_PROTOCOL unavailable, KASLR will be disabled\n");
>  			} else if (status != EFI_SUCCESS) {
> -				efi_err("efi_get_random_bytes() failed\n");
> -				return status;
> +				efi_err("efi_get_random_bytes() failed (0x%lx), KASLR will be disabled\n",
> +					status);
>  			}
>  		} else {
>  			efi_info("KASLR disabled on kernel command line\n");
>