Re: [PATCH v9 2/3] fdt: add support for rng-seed

From: Kees Cook <keescook@chromium.org>
To: "Theodore Y. Ts'o" <tytso@mit.edu>,
	Hsin-Yi Wang <hsinyi@chromium.org>,
	Stephen Boyd <swboyd@chromium.org>,
	"moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE"
	<linux-arm-kernel@lists.infradead.org>,
	 Russell King <linux@armlinux.org.uk>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	"H . Peter Anvin" <hpa@zytor.com>,
	"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>,
	Kate Stewart <kstewart@linuxfoundation.org>,
	"David S . Miller" <davem@davemloft.net>,
	Viresh Kumar <viresh.kumar@linaro.org>,
	Marek Szyprowski <m.szyprowski@samsung.com>,
	Arnd Bergmann <arnd@arndb.de>, Marc Zyngier <maz@kernel.org>,
	Julien Thierry <julien.thierry.kdev@gmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Wei Li <liwei391@huawei.com>,
	Anders Roxell <anders.roxell@linaro.org>,
	Rob Herring <robh@kernel.org>,
	Aaro Koskinen <aaro.koskinen@nokia.com>,
	Daniel Thompson <daniel.thompson@linaro.org>,
	Tim Chen <tim.c.chen@linux.intel.com>,
	Rik van Riel <riel@surriel.com>, Waiman Long <longman@redhat.com>,
	Marcelo Tosatti <mtosatti@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Armijn Hemel <armijn@tjaldur.nl>,
	Grzegorz Halat <ghalat@redhat.com>,
	Len Brown <len.brown@intel.com>,
	Shaokun Zhang <zhangshaokun@hisilicon.com>,
	Mike Rapoport <rppt@linux.vnet.ibm.com>,
	Guenter Roeck <groeck@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	Yury Norov <ynorov@marvell.com>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Jiri Kosina <jkosina@suse.cz>, Mukesh Ojha <mojha@codeaurora.org>,
	lkml <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v9 2/3] fdt: add support for rng-seed
Date: Thu, 29 Aug 2019 09:25:32 -0700	[thread overview]
Message-ID: <201908290922.5C6E4885D@keescook> (raw)
In-Reply-To: <20190829154505.GB10779@mit.edu>

On Thu, Aug 29, 2019 at 11:45:05AM -0400, Theodore Y. Ts'o wrote:
> I thought about asking for this, but we really want to do this as
> early as possible, so that it can be used by KASLR and other services

KASLR entropy is sent via a separate DT entry, since it's needed before
the kernel is even running.

> that are run super early.  Also, whether or not we can trust the

Are there things using the kernel RNG before the stack canary is set up?
I tried to move all of that code as early as possible already.

> bootloader is going to be a system-level thing.  This should probably
> be defaulted to off, and only enabled by the system integrator if they
> are 100%, positively sure, that the entire system is one where we can
> trust the source of randomness which the bootloader is using --- or
> for that matter, that the bootloader is trustworthy!
> 
> Is it really going to be that useful for a random system administrator
> to be able to flip this on or off from the command line?  Hopefully
> there will be an easy way to configure the firmware or the bootloader
> to simply not supply entropy, if for some reason it's not trustworthy.

You have a point about bootloader vs system design. I'm cautiously
convinced we don't need a boot param, but if we CAN put all the entropy
collection in a single place, that'd be nice.

-- 
Kees Cook

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel