From: "Theodore Y. Ts'o"
To: Hsin-Yi Wang
Cc: linux-arm-kernel@lists.infradead.org, Rob Herring, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, Frank Rowand, Catalin Marinas, Will Deacon, Andrew Morton, Mike Rapoport, Ard Biesheuvel, Miles Chen, James Morse, Andrew Murray, Mark Rutland, Jun Yao, Yu Zhao, Robin Murphy, Laura Abbott, Stephen Boyd, Kees Cook
Subject: Re: [PATCH v8 2/3] fdt: add support for rng-seed
Date: Mon, 19 Aug 2019 14:13:49 -0400
Message-ID: <20190819181349.GE10349@mit.edu>
In-Reply-To: <20190819071602.139014-3-hsinyi@chromium.org>

On Mon, Aug 19, 2019 at 03:16:04PM +0800, Hsin-Yi Wang wrote:
> Introducing a chosen node, rng-seed, which is an entropy that can be
> passed to kernel called very early to increase initial device
> randomness. Bootloader should provide this entropy and the value is
> read from /chosen/rng-seed in DT.

So it's really cool that you've sent out this patch set.  I've been
wanting this for all platforms / architectures for quite a while.

Question --- are you willing to guarantee that the bootloader can be
trusted enough that you *know* the entropy being provided by the
bootloader to be secure?  If so, we could let fdt.c use a different
interface, perhaps add_hwgenerator_randomness(), which allows the
bootloader to transfer trusted entropy for the purposes of initializing
the crng and entropy accounting for /dev/random.

One of the questions is how do we make sure the boot loader is actually
secure, but given that we have to trust the boot loader for various
trusted boot use cases, it seems reasonable to do that.

What do you think?

					- Ted

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
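The hand-off the patch describes (bootloader writes /chosen/rng-seed, the kernel's FDT code reads it very early) and the interface question Ted raises (mix the seed in, or also credit it as trusted entropy), as an added example that is not part of the message, the patch, or the kernel. It builds a constructed DTB in memory, extracts /chosen/rng-seed from it with bounds checks on every offset the blob supplies, zeroes the property after reading it (a precaution this example adds; the message does not discuss it), and models the credit decision as a policy flag. build_sample_dtb, fdt_take_rng_seed and credit_bits are this example's own names, not kernel APIs; the kernel's real interfaces are the add_*_randomness() functions the message mentions, and the sample tree contents are made up.

```c
/* Added example, not code from the patch or the kernel: build a small flattened
 * device tree (DTB) in memory, find and consume /chosen/rng-seed from it the way
 * an early-boot consumer would, and model the credit decision in the message.
 * The sample tree, the wipe-after-read and the credit policy are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FDT_MAGIC 0xd00dfeedu
enum { FDT_BEGIN_NODE = 1, FDT_END_NODE = 2, FDT_PROP = 3, FDT_NOP = 4, FDT_END = 9 };

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
/* Builder helpers: append one big-endian cell, or raw bytes padded to the 4-byte
 * alignment the struct block requires (buffer is pre-zeroed). Both return the new offset. */
static size_t cell(uint8_t *b, size_t at, uint32_t v) { put32(b + at, v); return at + 4; }
static size_t bytes(uint8_t *b, size_t at, const void *d, size_t n) { memcpy(b + at, d, n); return (at + n + 3) & ~(size_t)3; }

/* Constructed sample of what a bootloader hands over (cap must be at least 256):
 *   / { chosen { bootargs = "console=ttyS0"; rng-seed = [de ad be ef 01 02 03 04]; }; };
 * Layout: 40-byte header, one all-zero memory-reservation entry, struct block, strings block. */
static size_t build_sample_dtb(uint8_t *b, size_t cap)
{
    static const char strings[] = "bootargs\0rng-seed", bootargs[] = "console=ttyS0"; /* name offsets 0 and 9 */
    static const uint8_t seed[8] = { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4 };
    size_t at = 56, off_strings;

    memset(b, 0, cap);
    at = cell(b, at, FDT_BEGIN_NODE); at = bytes(b, at, "", 1);          /* root node */
    at = cell(b, at, FDT_BEGIN_NODE); at = bytes(b, at, "chosen", 7);
    at = cell(b, at, FDT_PROP); at = cell(b, at, sizeof bootargs); at = cell(b, at, 0);
    at = bytes(b, at, bootargs, sizeof bootargs);
    at = cell(b, at, FDT_PROP); at = cell(b, at, sizeof seed); at = cell(b, at, 9);
    at = bytes(b, at, seed, sizeof seed);
    at = cell(b, at, FDT_END_NODE); at = cell(b, at, FDT_END_NODE); off_strings = at = cell(b, at, FDT_END);
    at = bytes(b, at, strings, sizeof strings);

    put32(b, FDT_MAGIC); put32(b + 4, (uint32_t)at); put32(b + 8, 56); put32(b + 12, (uint32_t)off_strings);
    put32(b + 16, 40); put32(b + 20, 17); put32(b + 24, 16);          /* rsvmap offset, version, last_comp */
    put32(b + 32, sizeof strings); put32(b + 36, (uint32_t)(off_strings - 56));
    return at;
}

/* Locate /chosen/rng-seed, bounds-checking every offset the blob supplies: trust the
 * loader's entropy only if you trust the loader, but never trust the blob's structure.
 * Copies the seed to out and zeroes it in the blob so nothing that later exposes the
 * tree can read it back. Returns the seed length, or -1 if malformed or no seed. */
static int fdt_take_rng_seed(uint8_t *blob, size_t len, uint8_t *out, size_t out_cap)
{
    uint32_t total, off_s, off_str, size_str, size_s;
    uint8_t *p, *end;
    int depth = 0, chosen_depth = -1;

    if (len < 40 || be32(blob) != FDT_MAGIC) return -1;
    total = be32(blob + 4); off_s = be32(blob + 8); off_str = be32(blob + 12);
    size_str = be32(blob + 32); size_s = be32(blob + 36);
    if (total > len || off_s > total || size_s > total - off_s ||
        off_str > total || size_str > total - off_str) return -1;
    p = blob + off_s; end = p + size_s;

    while (end - p >= 4) {
        uint32_t tok = be32(p); size_t step = 0; p += 4;
        if (tok == FDT_BEGIN_NODE) {                            /* token, NUL-terminated name */
            if (!memchr(p, 0, (size_t)(end - p))) return -1;
            if (++depth == 2 && strcmp((const char *)p, "chosen") == 0) chosen_depth = depth;
            step = (strlen((const char *)p) + 1 + 3) & ~(size_t)3;
        } else if (tok == FDT_END_NODE) {
            if (depth == chosen_depth) chosen_depth = -1;
            if (depth-- == 0) return -1;
        } else if (tok == FDT_PROP) {                           /* token, len, name offset, data */
            uint32_t plen, nameoff; const char *name;
            if (end - p < 8) return -1;
            plen = be32(p); nameoff = be32(p + 4); p += 8;
            if (plen > (size_t)(end - p) || nameoff >= size_str) return -1;
            name = (const char *)blob + off_str + nameoff;
            if (!memchr(name, 0, size_str - nameoff)) return -1;
            if (depth == chosen_depth && strcmp(name, "rng-seed") == 0) {
                if (plen > out_cap) return -1;
                memcpy(out, p, plen); memset(p, 0, plen);     /* the seed must not survive in the tree */
                return (int)plen;
            }
            step = ((size_t)plen + 3) & ~(size_t)3;
        } else if (tok != FDT_NOP) {
            return -1;                                          /* FDT_END (or junk) before any seed */
        }
        if (step > (size_t)(end - p)) return -1;
        p += step;
    }
    return -1;
}

/* The decision in the message: the seed is always mixed in, but only a bootloader the
 * platform has decided to trust earns entropy credit for it (8 bits per byte here). */
static unsigned credit_bits(int seed_len, int bootloader_trusted)
{
    return (seed_len > 0 && bootloader_trusted) ? (unsigned)seed_len * 8 : 0;
}
```

Driving it: build the blob with build_sample_dtb(), call fdt_take_rng_seed() once to obtain the 8-byte seed, and call it again to see that the property is still there but reads back as zeros. The two trust decisions are deliberately separate: credit_bits() encodes the policy question in the message (is the loader trusted enough to credit its seed), while the parser treats the blob's offsets and lengths as untrusted input regardless, because a loader trusted for entropy is still a loader whose output can be malformed.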