From: Kees Cook <keescook@chromium.org>
To: Mark Salyzyn <salyzyn@android.com>
Cc: linux-kernel@vger.kernel.org, kernel-team@android.com,
Theodore Ts'o <tytso@mit.edu>, Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Richard Henderson <richard.henderson@linaro.org>,
Mark Brown <broonie@kernel.org>,
Hsin-Yi Wang <hsinyi@chromium.org>,
Vasily Gorbik <gor@linux.ibm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
"Steven Rostedt (VMware)" <rostedt@goodmis.org>,
Mike Rapoport <rppt@linux.ibm.com>,
Arvind Sankar <nivedita@alum.mit.edu>,
Dominik Brodowski <linux@dominikbrodowski.net>,
Thomas Gleixner <tglx@linutronix.de>,
Alexander Potapenko <glider@google.com>
Subject: Re: [PATCH] random: add rng-seed= command line option
Date: Fri, 7 Feb 2020 09:28:27 -0800 [thread overview]
Message-ID: <202002070850.BD92BDCA@keescook> (raw)
In-Reply-To: <20200207150809.19329-1-salyzyn@android.com>
On Fri, Feb 07, 2020 at 07:07:59AM -0800, Mark Salyzyn wrote:
> +#if defined(CONFIG_RANDOM_TRUST_BOOTLOADER)
> +/* caller called add_device_randomness, but it is from a trusted source */
> +void __init credit_trusted_entropy(unsigned int size)
> +{
> + credit_entropy_bits(&input_pool, size * 8);
> +}
> +#endif
As Ted already mentioned, I was expecting the string contents to actually
get added somewhere. Is the idea that it's already been added via the
add_device_randomness(command_line) call, and you just want to explicitly
credit those bytes? If so, that deserves a comment, and I think it should
likely not use 8 bits per character, as that's not how many bits are
possible for an alphanumeric string character; I would expect 6 bits (~32
standard letter/number) -- this likely needs fixing in the fdt patch too.
> diff --git a/include/linux/random.h b/include/linux/random.h
> index d319f9a1e4290..1e09eeadc613c 100644
> --- a/include/linux/random.h
> +++ b/include/linux/random.h
> @@ -20,6 +20,11 @@ struct random_ready_callback {
>
> extern void add_device_randomness(const void *, unsigned int);
> extern void add_bootloader_randomness(const void *, unsigned int);
> +#if defined(CONFIG_RANDOM_TRUST_BOOTLOADER)
> +extern void __init credit_trusted_entropy(unsigned int b);
> +#else
> +static inline void credit_trusted_entropy(unsigned int b) {}
> +#endif
>
> #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
> static inline void add_latent_entropy(void)
> diff --git a/init/main.c b/init/main.c
> index cc0ee4873419c..ae976b2dea5dc 100644
> --- a/init/main.c
> +++ b/init/main.c
> @@ -524,24 +524,53 @@ static inline void smp_prepare_cpus(unsigned int maxcpus) { }
> * parsing is performed in place, and we should allow a component to
> * store reference of name/value for future reference.
> */
> +static const char rng_seed_str[] __initconst = "rng-seed=";
> +/* try to clear rng-seed so it won't be found by user applications. */
> +static void __init copy_command_line(char *dest, char *src, size_t r)
> +{
> + char *rng_seed = strnstr(src, rng_seed_str, r);
> +
> + if (rng_seed) {
> + size_t l = rng_seed - src;
> + char *end;
> +
> + memcpy(dest, src, l);
> + dest += l;
> + src = rng_seed + strlen(rng_seed_str);
> + r -= l + strlen(rng_seed_str);
> + end = strnchr(src, r, ' ');
> + if (end) {
> + if (l && rng_seed[-1] == ' ')
> + ++end;
> + r -= end - src;
> + src = end;
> + }
> + }
> + memcpy(dest, src, r);
> + dest[r] = '\0';
> +}
> +
> static void __init setup_command_line(char *command_line)
> {
> size_t len, xlen = 0, ilen = 0;
> + static const char argsep_str[] __initconst = " -- ";
> + static const char alloc_fail_msg[] __initconst =
> + "%s: Failed to allocate %zu bytes\n";
There's some refactoring in this patch unrelated to the seed logic. Can
you split that out? (I think these changes are good.)
>
> if (extra_command_line)
> xlen = strlen(extra_command_line);
Unrelated note: whoa this is based on linux-next which has a massive
change to the boot command line handling and appears to be doing some
bad things. I need to go find that thread...
> if (extra_init_args)
> - ilen = strlen(extra_init_args) + 4; /* for " -- " */
> + ilen = strlen(extra_init_args) + strlen(argsep_str);
>
> - len = xlen + strlen(boot_command_line) + 1;
> + len = xlen + strnlen(boot_command_line, sizeof(boot_command_line)) + 1;
>
> saved_command_line = memblock_alloc(len + ilen, SMP_CACHE_BYTES);
> if (!saved_command_line)
> - panic("%s: Failed to allocate %zu bytes\n", __func__, len + ilen);
> + panic(alloc_fail_msg, __func__, len + ilen);
>
> static_command_line = memblock_alloc(len, SMP_CACHE_BYTES);
> if (!static_command_line)
> - panic("%s: Failed to allocate %zu bytes\n", __func__, len);
> + panic(alloc_fail_msg, __func__, len);
>
> if (xlen) {
> /*
> @@ -549,11 +578,14 @@ static void __init setup_command_line(char *command_line)
> * lines because there could be dashes (separator of init
> * command line) in the command lines.
> */
> - strcpy(saved_command_line, extra_command_line);
> - strcpy(static_command_line, extra_command_line);
> + copy_command_line(saved_command_line, extra_command_line, xlen);
> + copy_command_line(static_command_line, extra_command_line,
> + xlen);
> }
> - strcpy(saved_command_line + xlen, boot_command_line);
> - strcpy(static_command_line + xlen, command_line);
> + copy_command_line(saved_command_line + xlen, boot_command_line,
> + len - xlen - 1);
> + copy_command_line(static_command_line + xlen, command_line,
> + len - xlen - 1);
>
> if (ilen) {
> /*
> @@ -562,13 +594,15 @@ static void __init setup_command_line(char *command_line)
> * to init.
> */
> len = strlen(saved_command_line);
> - if (!strstr(boot_command_line, " -- ")) {
> - strcpy(saved_command_line + len, " -- ");
> - len += 4;
> + if (!strnstr(boot_command_line, argsep_str,
> + sizeof(boot_command_line))) {
> + strcpy(saved_command_line + len, argsep_str);
> + len += strlen(argsep_str);
> } else
> saved_command_line[len++] = ' ';
>
> - strcpy(saved_command_line + len, extra_init_args);
> + copy_command_line(saved_command_line + len, extra_init_args,
> + ilen - strlen(argsep_str));
> }
> }
>
> @@ -875,6 +909,21 @@ asmlinkage __visible void __init start_kernel(void)
> rand_initialize();
> add_latent_entropy();
> add_device_randomness(command_line, strlen(command_line));
> + if (IS_BUILTIN(CONFIG_RANDOM_TRUST_BOOTLOADER)) {
> + size_t l = strlen(command_line);
> + char *rng_seed = strnstr(command_line, rng_seed_str, l);
> +
> + if (rng_seed) {
> + char *end;
> +
> + rng_seed += strlen(rng_seed_str);
> + l -= rng_seed - command_line;
> + end = strnchr(rng_seed, l, ' ');
> + if (end)
> + l = end - rng_seed;
> + credit_trusted_entropy(l);
> + }
> + }
Can you pull this out of line and write a new static help that does all
of the rng stuff here? Basically from rand_initialize() through
boot_init_stack_canary(), so it's all in one place and not "open coded"
in start_kernel(). (And then, actually, you don't need a separate
credit_trusted_entropy() function at all -- just call
credit_entropy_bits() directly there (and add a comment about the
command line already getting added).
> boot_init_stack_canary();
>
> time_init();
> --
> 2.25.0.341.g760bfbb309-goog
>
--
Kees Cook
next prev parent reply other threads:[~2020-02-07 17:28 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-07 15:07 [PATCH] random: add rng-seed= command line option Mark Salyzyn
2020-02-07 15:58 ` Theodore Y. Ts'o
2020-02-07 17:49 ` Mark Salyzyn
2020-02-08 0:49 ` Theodore Y. Ts'o
2020-02-08 0:53 ` Steven Rostedt
2020-02-13 11:24 ` Masami Hiramatsu
2020-02-13 15:03 ` Masami Hiramatsu
2020-02-13 18:44 ` Mark Salyzyn
2020-02-14 1:16 ` Masami Hiramatsu
2020-02-14 17:02 ` Mark Salyzyn
2020-02-10 12:13 ` Mark Brown
2020-02-11 15:07 ` Theodore Y. Ts'o
2020-02-10 14:45 ` [PATCH 0/4 v2] random add rng-seed to " Mark Salyzyn
2020-02-10 14:45 ` [PATCH 1/4 v2] init: move string constants to __initconst section Mark Salyzyn
2020-02-10 14:45 ` [PATCH 2/4 v2] init: boot_command_line can be truncated Mark Salyzyn
2020-02-10 14:45 ` [PATCH 3/4 v2] random: rng-seed source is utf-8 Mark Salyzyn
2020-02-10 14:45 ` [PATCH 4/4 v2] random: add rng-seed= command line option Mark Salyzyn
2020-02-10 21:40 ` Randy Dunlap
2020-02-10 22:19 ` [PATCH 4/4 v3] " Mark Salyzyn
2020-02-07 17:28 ` Kees Cook [this message]
2020-02-07 17:47 ` [PATCH] " Steven Rostedt
2020-02-07 17:58 ` Mark Salyzyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202002070850.BD92BDCA@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=broonie@kernel.org \
--cc=glider@google.com \
--cc=gor@linux.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=hsinyi@chromium.org \
--cc=kernel-team@android.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=mhiramat@kernel.org \
--cc=nivedita@alum.mit.edu \
--cc=richard.henderson@linaro.org \
--cc=rostedt@goodmis.org \
--cc=rppt@linux.ibm.com \
--cc=salyzyn@android.com \
--cc=tglx@linutronix.de \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.