From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
Devicetree List <devicetree@vger.kernel.org>,
Yu Zhao <yuzhao@google.com>, Kees Cook <keescook@chromium.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Stephen Boyd <swboyd@chromium.org>,
Will Deacon <will.deacon@arm.com>,
lkml <linux-kernel@vger.kernel.org>,
Mike Rapoport <rppt@linux.ibm.com>,
Jun Yao <yaojun8558363@gmail.com>,
Miles Chen <miles.chen@mediatek.com>,
Rob Herring <robh+dt@kernel.org>,
James Morse <james.morse@arm.com>,
Hsin-Yi Wang <hsinyi@chromium.org>,
Andrew Murray <andrew.murray@arm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Laura Abbott <labbott@redhat.com>,
Frank Rowand <frowand.list@gmail.com>,
"moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE"
<linux-arm-kernel@lists.infradead.org>,
Robin Murphy <robin.murphy@arm.com>
Subject: Re: [PATCH v8 2/3] fdt: add support for rng-seed
Date: Wed, 21 Aug 2019 12:21:26 -0400
Message-ID: <20190821162126.GA2713@mit.edu>
In-Reply-To: <CAKv+Gu-kp-LqCCx=h2TJxzns4KpM-UEjz3md0u3hbVOyp+iFtA@mail.gmail.com>
On Wed, Aug 21, 2019 at 09:39:28AM +0300, Ard Biesheuvel wrote:
>
> Whether to trust the firmware provided entropy is a policy decision,
> and typically, we try to avoid dictating policy in the kernel, and
> instead, we try to provide a sane default but give the user control
> over it.
>
> So in this case, we should probably introduce
> add_firmware_randomness() with a Kconfig/cmdline option pair to decide
> whether it should be trusted or not (or reuse the one we have for
> trusting RDRAND etc)

I'd call it add_bootloader_randomness(), since we are trusting the
*bootloader*; it's the bootloader which is vouching for the security /
validity of the passed-in entropy. Furthermore, the bootloader on
some architectures might be fetching directly from some secure
element.

And for that reason, I'd use a different Kconfig/cmdline option pair
than the one used for trusting CPU-provided randomness.

- Ted
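As an added illustration of the separation argued for above (example code, not from the rng-seed patch series or from drivers/char/random.c): a toy pool in which bootloader-provided seed bytes are always mixed in but credited as entropy only under a bootloader-specific trust knob that is independent of the CPU one. The pool structure, the knob names, the mixing function and the pool size are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the kernel's input pool: a tiny FNV-1a-style
 * mixer plus an entropy credit counter. Not the real drivers/char/random.c. */
#define POOL_BITS 4096U
struct entropy_pool {
    uint64_t state;            /* toy mixed state */
    unsigned int credit_bits;  /* entropy the kernel believes it holds */
};

/* Two independent knobs, as the reply argues for: one for CPU HWRNG output
 * (RDRAND etc.) and a separate one for bootloader-provided seeds. The field
 * names are assumed for this example, not taken from the patch. */
struct rng_policy {
    bool trust_cpu;
    bool trust_bootloader;
};

static void mix_pool_bytes(struct entropy_pool *pool, const void *buf, size_t len)
{
    const uint8_t *p = buf;
    for (size_t i = 0; i < len; i++) {
        pool->state ^= p[i];
        pool->state *= 0x100000001b3ULL; /* FNV prime; demonstration only */
    }
}

/* Credits at most the room left in the pool; returns what was credited. */
static unsigned int credit_entropy_bits(struct entropy_pool *pool, unsigned int bits)
{
    unsigned int room = POOL_BITS - pool->credit_bits;
    if (bits > room)
        bits = room;
    pool->credit_bits += bits;
    return bits;
}

/* Hypothetical add_bootloader_randomness(): the FDT rng-seed bytes are always
 * mixed in (mixing untrusted input never weakens the pool), but entropy is
 * credited only when the bootloader knob is set. trust_cpu is deliberately
 * not consulted: the bootloader is a different party vouching for the seed. */
unsigned int add_bootloader_randomness(struct entropy_pool *pool,
                                       const struct rng_policy *pol,
                                       const void *seed, size_t len)
{
    mix_pool_bytes(pool, seed, len);
    if (!pol->trust_bootloader)
        return 0;
    return credit_entropy_bits(pool, (unsigned int)(len * 8));
}
```

With trust_cpu set and trust_bootloader clear the seed still changes the pool state but credits nothing, which is the behaviour a separate knob buys.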