RFC: provide KASLR support to u-boot v2024.07 general availability

[alexl83]

Description

KASRL-supporting u-boot 2024.07 for everyone:

• move /chosen/kaslr-seed DTC node support patchset to general 2024.07 BOOTPATCHDIR
• attach nanopi-r5c and orangepi5-plus BOOTPACHDIR to patches/uboot/v2024.07

Hopefully, other boards using same uboot-version can benefit from the added support

note for Maintainers - to enable KASLR seed, you need:
- CONFIG_RANDOMIZE_BASE=y configured in your kernel .config
- CONFIG_CMD_KASLRSEED=y and CONFIG_DM_RNG=y configured in your u-boot .config
- exposed crypto and rng nodes in you board's device-tree
- kaslrseed command before kernel boot in your boot.cmd
- CONFIG_SECURITY_DMESG_RESTRICT=y in kernel .config is also advisable (integrated by #7079 and #7080 for orangepi5-plus/nanopi-r5c)

note for Maintainers 2 - please place your u-boot patches [defconfig and device-trees (when needed) come to mind] in patch/u-boot/v2024.07/board_${BOARD}

How Has This Been Tested?

• Built and ran BRANCH=edge RELEASE=trixie BOARDS=(nanopi-r5c orangepi5-plus)
• Built and ran BRANCH=current RELEASE=trixie BOARD=nanopi-r5c

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• My changes generate no new warnings

[alexl83]

Given we're approaching 08 milestone, perhaps milestone 11 tag could be wise
@ColorfulRhino @igorpecovnik - any thoughts?

Thank you :)
Ale

[ColorfulRhino]

Nice!
Using the patch for the defconfigs is probably better since you can quickly glance over what's changed from the default defconfig file. You can use the board_nanopi-r5c folder without needing to use BOOTPATCHDIR="v2024.07/board_${BOARD}", this folder will get included automatically, but only for the board it is for. For this reason, I'd keep the two ***_kaslrseed.patch (but maybe rename it to e.g. nanopi-r5c-Add-kaslrseed-support-defconfig-patch, it's always better to be able to quickly see thigns based on naming while glancing over it 😄).

Also, not sure if the two placeholder files for the dt directory are neccessary.

[alexl83]

Nice! Using the patch for the defconfigs is probably better since you can quickly glance over what's changed from the default defconfig file. You can use the board_nanopi-r5c folder without needing to use BOOTPATCHDIR="v2024.07/board_${BOARD}", this folder will get included automatically, but only for the board it is for. For this reason, I'd keep the two ***_kaslrseed.patch (but maybe rename it to e.g. nanopi-r5c-Add-kaslrseed-support-defconfig-patch, it's always better to be able to quickly see thigns based on naming while glancing over it 😄).

Also, not sure if the two placeholder files for the dt directory are neccessary.

Done ;-) Thanks!

[ColorfulRhino]

Great, thanks! Did you try to do a rewrite-uboot-patches?
It will probably complain that the patches do not have a proper description, author and so on. In the future, try to keep the commit descriptions and such in the patch :) Like in this patch for example: https://github.com/armbian/build/blob/main/patch/u-boot/v2024.07/general-btrfs-fix-out-of-bounds-write.patch (this patch was also not yet rewritten though, so not the best example)

[alexl83]

Great, thanks! Did you try to do a rewrite-uboot-patches? It will probably complain that the patches do not have a proper description, author and so on. In the future, try to keep the commit descriptions and such in the patch :) Like in this patch for example: https://github.com/armbian/build/blob/main/patch/u-boot/v2024.07/general-btrfs-fix-out-of-bounds-write.patch (this patch was also not yet rewritten though, so not the best example)

Didn't even know there was a rewrite-uboot-patches process - thanks for the hint!
rewrote patches to provide a simple description

[ColorfulRhino]

Didn't even know there was a rewrite-uboot-patches process - thanks for the hint! rewrote patches to provide a simple description

Oh, it's basically doing the same like rewrite-kernel-patches :) Great!

I was more referring to the four patches that you (I think?) took from somewhere like 1-4-Add-fdt_kaslrseed-function-to-add-kaslr-seed-to-chosen-node.patch https://github.com/armbian/build/blob/ed2ad82bc31b98f4e279668ecf23074c2b1bb51d/patch/u-boot/v2024.07/1-4-Add-fdt_kaslrseed-function-to-add-kaslr-seed-to-chosen-node.patch to keep the description from the original commit and author which added this.
You can keep this in midn for the future though :)

[ColorfulRhino]

Looks good besides the nit mentioned above 👍

[alexl83]

Didn't even know there was a rewrite-uboot-patches process - thanks for the hint! rewrote patches to provide a simple description

Oh, it's basically doing the same like rewrite-kernel-patches :) Great!

I was more referring to the four patches that you (I think?) took from somewhere like 1-4-Add-fdt_kaslrseed-function-to-add-kaslr-seed-to-chosen-node.patch https://github.com/armbian/build/blob/ed2ad82bc31b98f4e279668ecf23074c2b1bb51d/patch/u-boot/v2024.07/1-4-Add-fdt_kaslrseed-function-to-add-kaslr-seed-to-chosen-node.patch to keep the description from the original commit and author which added this. You can keep this in midn for the future though :)

Understood, thanks
I took them from patchwork and haven't been able to convert to an armbian-digestible mbox format; so I ended up git-diff-ing each one of them
I literally tried for hours but that patchwork format gave me only sorrow :D

Reference patchset: 1949474
Credit: Tim Harvey

[ColorfulRhino]

Didn't even know there was a rewrite-uboot-patches process - thanks for the hint! rewrote patches to provide a simple description

Oh, it's basically doing the same like rewrite-kernel-patches :) Great!
I was more referring to the four patches that you (I think?) took from somewhere like 1-4-Add-fdt_kaslrseed-function-to-add-kaslr-seed-to-chosen-node.patch https://github.com/armbian/build/blob/ed2ad82bc31b98f4e279668ecf23074c2b1bb51d/patch/u-boot/v2024.07/1-4-Add-fdt_kaslrseed-function-to-add-kaslr-seed-to-chosen-node.patch to keep the description from the original commit and author which added this. You can keep this in midn for the future though :)

Understood, thanks I took them from patchwork and haven't been able to convert to an armbian-digestible mbox format; so I ended up git-diff-ing each one of them I literally tried for hours but that patchwork format gave me only sorrow :D

Reference patchset: 1949474 Credit: Tim Harvey

Oh. You just need to

1. Download the patch series from patchwork (sometimes single patches is better for visibility reasons and if we might want to remove certain patches later, depends on case by case)
2. Replace the date From ... with From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 for every patch in the series (look through the file if you downloaded the series as one file)
3. Use rewrite-uboot-patches

Then it's done :) Example: 6d78bd1

[alexl83]

Didn't even know there was a rewrite-uboot-patches process - thanks for the hint! rewrote patches to provide a simple description

Oh, it's basically doing the same like rewrite-kernel-patches :) Great!
I was more referring to the four patches that you (I think?) took from somewhere like 1-4-Add-fdt_kaslrseed-function-to-add-kaslr-seed-to-chosen-node.patch https://github.com/armbian/build/blob/ed2ad82bc31b98f4e279668ecf23074c2b1bb51d/patch/u-boot/v2024.07/1-4-Add-fdt_kaslrseed-function-to-add-kaslr-seed-to-chosen-node.patch to keep the description from the original commit and author which added this. You can keep this in midn for the future though :)

Understood, thanks I took them from patchwork and haven't been able to convert to an armbian-digestible mbox format; so I ended up git-diff-ing each one of them I literally tried for hours but that patchwork format gave me only sorrow :D
Reference patchset: 1949474 Credit: Tim Harvey

Oh. You just need to

1. Download the patch series from patchwork (sometimes single patches is better for visibility reasons and if we might want to remove certain patches later, depends on case by case)

2. Replace the date `From ... ` with `From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001` for every patch in the series (look through the file if you downloaded the series as one file)

3. Use `rewrite-uboot-patches`

Then it's done :) Example: 6d78bd1

Grazie!!!!!!

[ColorfulRhino]

You're welcome! :)
Maybe there's an even easier method to convert the patchwork series into a patch. We could even make a command which does this automatically. The manual process really doesn't take long, but automating stuff is nice! As long as it doesn't add complexity 😂

[ColorfulRhino]

Note: We should probably squash + merge this PR instead of the usual rebase + merge since there was quite some add, remove and add again stuff going on :D

[alexl83]

You're welcome! :) Maybe there's an even easier method to convert the patchwork series into a patch. We could even make a command which does this automatically. The manual process really doesn't take long, but automating stuff is nice! As long as it doesn't add complexity 😂

Maybe a command switch to rewrite-xxx-patches: like --patchwork with a sed s'/From:/From 0000/g'

[ColorfulRhino]

You're welcome! :) Maybe there's an even easier method to convert the patchwork series into a patch. We could even make a command which does this automatically. The manual process really doesn't take long, but automating stuff is nice! As long as it doesn't add complexity 😂

Maybe a command switch to rewrite-xxx-patches: like --patchwork with a sed s'/From:/From 0000/g'

I was more thinking of providing the patch series URL so it can download and apply it automatically. But well, probably that's too much complexity for not much added benefit.

The important thing here is the date, it has to be a magic date for Git.