On Wed, Dec 16, 2020 at 1:17 PM Torsten Duwe duwe@lst.de wrote:
On Wed, 16 Dec 2020 11:41:15 +0100 matthias.bgg@kernel.org wrote:
From: Matthias Brugger mbrugger@suse.com
For now bootp and uuid code use a weak seed for generating random data. U-Boot as support for RNG devices now, so we should change to code to use them if they are present. This will help mitigate issues like seen in CVE-2019-11690.
First of all: thanks for bringing this up. These patches are a big improvement over the current state.
But: thinking about this further, it could be possible to give U-Boot a lightweight version of a complete entropy keeper, with /dev/random and /dev/urandom functionality. Linux, for example, will happily randomise the kernel address layout, if it's configured and the boot loader provides enough entropy...
That functionality is already available with U-Boot via the UEFI random seed functionality if you're booting Linux using U-Boot's UEFI support.