> From: Ard Biesheuvel <[email protected]> > Date: Thu, 16 Dec 2021 16:28:06 +0100 > > On Thu, 16 Dec 2021 at 16:25, Mark Kettenis <[email protected]> wrote: > > > > > From: Ilias Apalodimas <[email protected]> > > > Date: Thu, 16 Dec 2021 16:52:08 +0200 > > > > > > Right now we unconditionally pass a 'kaslr-seed' property to the kernel > > > if the DTB we ended up in EFI includes the entry. However the kernel > > > EFI stub completely ignores it and only relies on EFI_RNG_PROTOCOL. > > > So let's get rid of it unconditionally since it would mess up the > > > (upcoming) DTB TPM measuring as well. > > > > NAK > > > > OpenBSD uses the kaslr-seed property in the bootloader to mix in some > > additional entropy. (It will also use EFI_RNG_PROTOCOL if it is > > avilable, but most U-Boot boards don't provide that, or at least not > > yet). > > > > What is the point of using both the DT property and the protocol if > both are available?
Unless kaslr-seed is coming from a different entropy source, there probably isn't a point. But it doesn't hurt and it made the bootloader code simpler. It does mean there is some room for compromise though. If U-Boot would only remove kaslr-seed if it implements EFI_RNG_PROTOCOL it wouldn't be a problem. > > Even on Linux the EFI stub isn't the only way to load a Linux kernel. > > You can use a conventional EFI bootloader like grub. > > > > No, you cannot, at least not on architectures other than x86. GRUB on > ARM always boots via the EFI stub. Ok. It isn't immediately clear from the documentation that this is the case. It would still be possible to write such a bootloader, but if it isn't a thing, it isn't a thing. But not all the world is Linux.
