From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: "Theodore Ts'o" <tytso@mit.edu>, "Jason A . Donenfeld" <Jason@zx2c4.com>
Cc: linux-kernel@vger.kernel.org, Jann Horn <jannh@google.com>
Subject: [PATCH] random: reseed in RNDRESEEDCRNG for the !crng_ready() case
Date: Mon, 3 Jan 2022 17:00:02 +0100
Message-ID: <20220103160002.1068356-1-Jason@zx2c4.com>

Userspace often wants to seed the RNG from disk, without knowing how
much entropy is really in that file. In that case, userspace says
there's no entropy, so none is credited. If this happens in the
crng_init==1 state -- common at early boot time when such seed files are
used -- then that seed file will be written into the pool, but it won't
actually help the quality of /dev/urandom reads. Instead, it'll sit
around until something does credit sufficient amounts of entropy, at
which point, the RNG is seeded and initialized.

Rather than let those seed file bits sit around unused until "sometime
later", userspaces that call RNDRESEEDCRNG can expect, with this commit,
for those seed bits to be put to use *somehow*. This is accomplished by
extracting from the input pool on RNDRESEEDCRNG, xoring 32 bytes into
the current crng state.

Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
Jann - this is the change I think you were requesting when we discussed
this. Please let me know if it matches what you had in mind.

 drivers/char/random.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index 17ec60948795..805e509d9c30 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1961,8 +1961,17 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
 	case RNDRESEEDCRNG:
 		if (!capable(CAP_SYS_ADMIN))
 			return -EPERM;
-		if (crng_init < 2)
+		if (!crng_ready()) {
+			unsigned long flags, i;
+			u32 new_key[8];
+			_extract_entropy(&input_pool, new_key, sizeof(new_key), 0);
+			spin_lock_irqsave(&primary_crng.lock, flags);
+			for (i = 0; i < ARRAY_SIZE(new_key); ++i)
+				primary_crng.state[4 + i] ^= new_key[i];
+			spin_unlock_irqrestore(&primary_crng.lock, flags);
+			memzero_explicit(new_key, sizeof(new_key));
 			return -ENODATA;
+		}
 		crng_reseed(&primary_crng, &input_pool);
 		WRITE_ONCE(crng_global_init_time, jiffies - 1);
 		return 0;
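Review bot: the new branch under `if (!crng_ready()) {` now modifies `primary_crng.state` and still returns `-ENODATA`, and nothing in the hunk says why, so a reader of the code (or a caller treating `-ENODATA` as "nothing happened") has to go to the commit message to learn that the pool output was deliberately folded in without crediting. Suggest a short comment above `_extract_entropy(&input_pool, new_key, sizeof(new_key), 0);` stating that the extracted words are xored into the ChaCha key words (`state[4 + i]`) only, that `crng_init` is intentionally left untouched so readiness is still signalled only by credited entropy, and what the trailing `0` argument to `_extract_entropy()` selects, since that is not evident from the hunk.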
-- 
2.34.1
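The mixing step the patch adds, shown as a small user-space model so the key-word offsets, the xor fold and the buffer wipe can be checked outside the kernel. This is an added example, not kernel code and not code from this thread; `model_pool_extract()` is a constructed deterministic stand-in for `_extract_entropy()`, the seed bytes are constructed, and no lock is modelled. The second check goes beyond the patch to show a property of xor folding itself: mixing the identical 32 bytes in twice restores the previous key.

```c
/* Added example, not kernel code: a user-space model of the xor-mixing step
 * the patch adds to RNDRESEEDCRNG for the !crng_ready() case. A ChaCha20
 * block state is 16 u32 words: 0..3 constants, 4..11 key, 12..15 counter
 * and nonce. The patch xors 8 fresh u32 words from the input pool into
 * state[4..11]. model_pool_extract() is a constructed stand-in for
 * _extract_entropy(), chosen only to be deterministic. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CRNG_STATE_WORDS 16
#define KEY_WORDS 8
#define KEY_OFFSET 4

struct model_crng {
	uint32_t state[CRNG_STATE_WORDS];
};

/* Constructed seed-file bytes standing in for what userspace wrote uncredited. */
static const uint8_t model_seed[] = "constructed seed file contents, uncredited";

/* Stand-in for _extract_entropy(): 8 words derived from the seed bytes with a
 * splitmix-style mixer (hypothetical; nothing like the kernel's pool hash). */
static void model_pool_extract(const uint8_t *seed, size_t len, uint32_t out[KEY_WORDS])
{
	uint64_t acc = 0x9E3779B97F4A7C15ULL;
	for (size_t i = 0; i < len; i++) {
		acc = (acc ^ seed[i]) * 0xBF58476D1CE4E5B9ULL;
		acc ^= acc >> 31;
	}
	for (size_t i = 0; i < KEY_WORDS; i++) {
		uint64_t z = (acc += 0x9E3779B97F4A7C15ULL);
		z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
		z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
		out[i] = (uint32_t)(z ^ (z >> 31));
	}
}

/* The step from the patch: xor the new words into the key words only, then
 * wipe the buffer (volatile stores stand in for memzero_explicit()). */
static void model_xor_mix(struct model_crng *crng, uint32_t new_key[KEY_WORDS])
{
	volatile uint32_t *wipe = new_key;

	for (size_t i = 0; i < KEY_WORDS; i++)
		crng->state[KEY_OFFSET + i] ^= new_key[i];
	for (size_t i = 0; i < KEY_WORDS; i++)
		wipe[i] = 0;
}

static void model_init(struct model_crng *crng)
{
	static const uint32_t initial[CRNG_STATE_WORDS] = {
		0x61707865, 0x3320646e, 0x79622d32, 0x6b206574, /* "expand 32-byte k" */
		1, 2, 3, 4, 5, 6, 7, 8,                         /* placeholder key */
		0, 0, 0, 0 };                                   /* counter + nonce */
	memcpy(crng->state, initial, sizeof(initial));
}

/* Check 1: after one mix every key word equals old ^ extracted, the
 * constants/counter/nonce are untouched, the temporary buffer is zero and
 * the key actually changed. Returns 1 on success, 0 otherwise. */
static int model_check_single_mix(void)
{
	struct model_crng crng, before;
	uint32_t extracted[KEY_WORDS], tmp[KEY_WORDS];

	model_init(&crng);
	before = crng;
	model_pool_extract(model_seed, sizeof(model_seed) - 1, extracted);
	memcpy(tmp, extracted, sizeof(tmp));
	model_xor_mix(&crng, tmp);

	for (size_t i = 0; i < CRNG_STATE_WORDS; i++) {
		int is_key = i >= KEY_OFFSET && i < KEY_OFFSET + KEY_WORDS;
		uint32_t expect = is_key ? before.state[i] ^ extracted[i - KEY_OFFSET]
					 : before.state[i];
		if (crng.state[i] != expect)
			return 0;
	}
	for (size_t i = 0; i < KEY_WORDS; i++)
		if (tmp[i] != 0)
			return 0;
	return memcmp(before.state + KEY_OFFSET, crng.state + KEY_OFFSET, sizeof(tmp)) != 0;
}

/* Check 2: a property of the arithmetic, not of _extract_entropy(): folding
 * the identical 32 bytes in twice restores the old key (x ^ k ^ k == x). */
static int model_check_double_mix_cancels(void)
{
	struct model_crng crng, before;
	uint32_t k1[KEY_WORDS], k2[KEY_WORDS];

	model_init(&crng);
	before = crng;
	model_pool_extract(model_seed, sizeof(model_seed) - 1, k1);
	model_pool_extract(model_seed, sizeof(model_seed) - 1, k2);
	model_xor_mix(&crng, k1);
	model_xor_mix(&crng, k2);
	return memcmp(before.state, crng.state, sizeof(crng.state)) == 0;
}

int main(void)
{
	printf("single mix ok: %d\n", model_check_single_mix());
	printf("double mix cancels: %d\n", model_check_double_mix_cancels());
	return 0;
}
```

The first check is the behaviour the hunk relies on: only `state[4 + i]` moves, and the scratch key is gone afterwards. The second check is why the xor fold is only as good as the freshness of what `_extract_entropy()` hands back: identical input twice is a no-op on the key, which is a different failure mode from a hash-based reseed and worth keeping in mind when reasoning about the uncredited path.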


Thread overview:
2022-01-03 16:00 Jason A. Donenfeld [this message]
2022-01-03 16:08 ` [PATCH] random: reseed in RNDRESEEDCRNG for the !crng_ready() case Jann Horn
2022-01-03 16:36   ` Jason A. Donenfeld
2022-01-03 17:02 ` Theodore Ts'o
2022-01-03 17:26   ` Jason A. Donenfeld