diff options
| author | Alex Bennée <alex.bennee@linaro.org> | 2022-01-05 13:49:56 +0000 |
|---|---|---|
| committer | Alex Bennée <alex.bennee@linaro.org> | 2022-01-18 16:42:42 +0000 |
| commit | 33973e1e1f88b7588fe9629645e279ff2c6ca1c4 (patch) | |
| tree | bddb1128cb4c4346513d2744a5fc413b02bce852 /docs | |
| parent | 7bef20d72985c5da4082d198ad175715272cd50c (diff) | |
hw/arm: add control knob to disable kaslr_seed via DTB
Generally a guest needs an external source of randomness to properly
enable things like address space randomisation. However in a trusted
boot environment where the firmware will cryptographically verify
components having random data in the DTB will cause verification to
fail. Add a control knob so we can prevent this being added to the
system DTB.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-Id: <20220105135009.1584676-22-alex.bennee@linaro.org>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/system/arm/virt.rst | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst index 850787495b..1544632b67 100644 --- a/docs/system/arm/virt.rst +++ b/docs/system/arm/virt.rst @@ -121,6 +121,14 @@ ras Set ``on``/``off`` to enable/disable reporting host memory errors to a guest using ACPI and guest external abort exceptions. The default is off. +dtb-kaslr-seed + Set ``on``/``off`` to pass a random seed via the guest dtb + kaslr-seed node (in both "/chosen" and /secure-chosen) to use + for features like address space randomisation. The default is + ``on``. You will want to disable it if your trusted boot chain will + verify the DTB it is passed. It would be the responsibility of the + firmware to come up with a seed and pass it on if it wants to. + Linux guest kernel configuration """""""""""""""""""""""""""""""" |