ASLR seed in imx-optee

alexanderhoppus · ‎06-23-2025

Hi,

I'm looking in imx-optee and how ASLR seed is generated there. I see support for ELE https://github.com/nxp-imx/imx-optee-os/blob/lf-6.12.3_1.0.0/core/drivers/crypto/ele/ele.c#L610 , but there is no ele on my platform (imx8mp), however still the hardware rng is available in caam, but I don't see that it is used to seed ASLR, so system end up with seed 0 github.com/nxp-imx/imx-optee-os/blob/lf-6.12.3_1.0.0/core/arch/arm/kernel/boot.c#L112 what it seems is insecure.

alexanderhoppus · ‎06-28-2025

Hi @Harvey021 ,

thanks for your response, I don't think taking seed from dts will work, since seed need to be random and it should change on every boot, in other case aslr is unreliable. I don't think correct seeding will work with current codebase, I have several ideas how that can be resolved, but I'm not sure who is the right person / where is right place to discuss. Or maybe should I send MRs to optee/atf directly. But I would like first check if the ideas are feasible or not.

Harvey021 · ‎07-02-2025

Hi @alexanderhoppus

I've sent you system email.

Regards

Harvey

Harvey021 · ‎06-26-2025

Hi,

Have you tried to test what log or RNG past from FDT?

with unsigned long __weak get_aslr_seed(void) from boot.c

.....

offs = fdt_path_offset(fdt, "/secure-chosen");

if (offs < 0) {

DMSG("Cannot find /secure-chosen");

goto err;

}

seed = fdt_getprop(fdt, offs, "kaslr-seed", &len);

if (!seed || len != sizeof(*seed)) {

DMSG("Cannot find valid kaslr-seed");

goto err;

}

return fdt64_to_cpu(fdt64_ld(seed));

err:

/* Try platform implementation */

return plat_get_aslr_seed();

Regards

Harvey