Date: Wed, 7 Jun 2017 18:26:28 +0100
From: Mark Rutland
To: Daniel Micay
Cc: Henrique de Moraes Holschuh, "Theodore Ts'o", "Jason A. Donenfeld", Eric Biggers, Linux Crypto Mailing List, LKML, kernel-hardening@lists.openwall.com, Greg Kroah-Hartman, David Miller, Herbert Xu, Stephan Mueller
Subject: Re: [kernel-hardening] Re: [PATCH v3 04/13] crypto/rng: ensure that the RNG is ready before using
Message-ID: <20170607172627.GB8330@leverpostej>
In-Reply-To: <1496854825.10825.24.camel@gmail.com>

On Wed, Jun 07, 2017 at 01:00:25PM -0400, Daniel Micay wrote:
> > On the better bootloaders, an initramfs segment can be loaded
> > independently (and you can have as many as required), which makes an
> > early_initramfs a more palatable vector to inject large amounts of
> > entropy into the next boot than, say, modifying the kernel image
> > directly at every boot/shutdown to stash entropy in there somewhere.

[...]

> I didn't really understand the device tree approach and mentioned that a
> few times before. Passing via the kernel cmdline is a lot simpler than
> modifying the device tree in-memory and persistent modification isn't
> an option unless verified boot is missing anyway.

I might be missing something here, but the command line is inside of the
device tree, at /chosen/bootargs, so modifying the kernel command line
*is* modifying the device tree in-memory.

For arm64, we have a /chosen/kaslr-seed property that we hope
FW/bootloaders fill in, and similar could be done for some initial
entropy, provided appropriate HW/FW support.

Thanks,
Mark.
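Added example, not code from this mail or from the Linux kernel: a minimal encoder/decoder for the flattened device tree (DTB) format a bootloader hands to the kernel. It makes Mark's point concrete: the command line is the /chosen/bootargs property, so "passing something via the cmdline" rewrites the same in-memory blob that a /chosen/kaslr-seed or entropy property would live in. The tree contents (compatible string, console/root arguments, zero seed) are constructed for the example; the decoder bounds-checks every offset and length taken from the blob, since the DTB is firmware-supplied input.

```python
"""Tiny flattened device tree (DTB) writer/reader. Constructed example only;
it is not the kernel's libfdt, just enough of the format to show that the
kernel command line is the /chosen/bootargs property of the blob."""
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _pad4(b: bytes) -> bytes:
    """Pad to the 4-byte alignment the structure block requires."""
    return b + b"\0" * (-len(b) % 4)


def build_fdt(tree: dict) -> bytes:
    """Serialise a nested dict: bytes values are properties, dict values are subnodes."""
    struct_blk, strings_blk, str_off = bytearray(), bytearray(), {}

    def name_offset(name: str) -> int:      # property names are deduplicated
        if name not in str_off:
            str_off[name] = len(strings_blk)
            strings_blk.extend(name.encode() + b"\0")
        return str_off[name]

    def emit(name: str, node: dict) -> None:
        struct_blk.extend(struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0"))
        for key, val in node.items():       # properties precede subnodes
            if not isinstance(val, dict):
                struct_blk.extend(struct.pack(">III", FDT_PROP, len(val), name_offset(key)) + _pad4(val))
        for key, val in node.items():
            if isinstance(val, dict):
                emit(key, val)
        struct_blk.extend(struct.pack(">I", FDT_END_NODE))

    emit("", tree)                          # the root node has an empty name
    struct_blk.extend(struct.pack(">I", FDT_END))
    rsvmap = struct.pack(">QQ", 0, 0)       # empty memory reservation list
    off_rsv = 40                            # header: ten big-endian u32 fields
    off_struct = off_rsv + len(rsvmap)
    off_strings = off_struct + len(struct_blk)
    total = off_strings + len(strings_blk)
    header = struct.pack(">10I", FDT_MAGIC, total, off_struct, off_strings, off_rsv,
                         17, 16, 0, len(strings_blk), len(struct_blk))
    return header + rsvmap + bytes(struct_blk) + bytes(strings_blk)


def parse_fdt(blob: bytes) -> dict:
    """Inverse of build_fdt. Every offset/length comes from the untrusted blob
    and is checked against the real buffer size before it is dereferenced."""
    magic, total, off_struct, off_strings, _, _, _, _, size_strings, size_struct = \
        struct.unpack_from(">10I", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("bad DTB magic")
    if max(total, off_struct + size_struct, off_strings + size_strings) > len(blob):
        raise ValueError("DTB header claims more data than present")
    root, stack, pos, end = {}, [], off_struct, off_struct + size_struct
    while pos + 4 <= end:
        token = struct.unpack_from(">I", blob, pos)[0]
        pos += 4
        if token == FDT_BEGIN_NODE:
            nul = blob.index(b"\0", pos, end)
            node = {}
            if stack:
                stack[-1][blob[pos:nul].decode()] = node
            else:
                root = node
            stack.append(node)
            pos = nul + 1 + (-(nul + 1) % 4)
        elif token == FDT_END_NODE:
            stack.pop()
        elif token == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            if pos + length > end or nameoff >= size_strings:
                raise ValueError("property runs past its block")
            name_end = blob.index(b"\0", off_strings + nameoff, off_strings + size_strings)
            stack[-1][blob[off_strings + nameoff:name_end].decode()] = blob[pos:pos + length]
            pos += length + (-length % 4)
        elif token == FDT_END:
            break
        elif token != FDT_NOP:
            raise ValueError(f"unknown token {token:#x}")
    return root


def get_prop(tree: dict, path: str) -> bytes:
    """Look up a property by device-tree path, e.g. /chosen/bootargs."""
    *nodes, prop = [p for p in path.split("/") if p]
    for n in nodes:
        tree = tree[n]
    return tree[prop]


def set_bootargs(blob: bytes, cmdline: str) -> bytes:
    """Changing the command line is an in-memory device tree edit: decode,
    replace /chosen/bootargs, re-encode."""
    tree = parse_fdt(blob)
    tree.setdefault("chosen", {})["bootargs"] = cmdline.encode() + b"\0"
    return build_fdt(tree)


def example_dtb() -> bytes:
    """Constructed tree in the shape a bootloader passes to the kernel."""
    return build_fdt({
        "compatible": b"example,board\0",                     # constructed
        "chosen": {
            "bootargs": b"console=ttyS0 root=/dev/mmcblk0p2\0",  # constructed
            "kaslr-seed": bytes(8),   # u64 slot present, but no entropy in it
        },
    })
```

Running `get_prop(parse_fdt(example_dtb()), "/chosen/bootargs")` returns the command line, and `set_bootargs` shows the edit path: there is no separate "cmdline channel", only a property inside the same blob as kaslr-seed, which is why firmware that can fill one can fill the other.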