From: Kees Cook <keescook@chromium.org>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
Dominik Brodowski <linux@dominikbrodowski.net>
Subject: Re: [PATCH v3] random: split initialization into early step and later step
Date: Tue, 27 Sep 2022 07:28:25 -0700 [thread overview]
Message-ID: <202209270728.5FE3CB0@keescook> (raw)
In-Reply-To: <20220927110957.1620347-1-Jason@zx2c4.com>
On Tue, Sep 27, 2022 at 01:09:57PM +0200, Jason A. Donenfeld wrote:
> The full RNG initialization relies on some timestamps, made possible
> with general functions like time_init() and timekeeping_init(). However,
> these are only available rather late in initialization. Meanwhile, other
> things, such as memory allocator functions, make use of the RNG much
> earlier.
>
> So split RNG initialization into two phases. We can give arch randomness
> very early on, and then later, after timekeeping and such are available,
> initialize the rest.
>
> This ensures that, for example, slabs are properly randomized if RDRAND
> is available. Without this, CONFIG_SLAB_FREELIST_RANDOM=y loses a degree
> of its security, because its random seed is potentially deterministic,
> since it hasn't yet incorporated RDRAND. It also makes it possible to
> use a better seed in kfence, which currently relies on only the cycle
> counter.
>
> Another positive consequence is that on systems with RDRAND, running
> with CONFIG_WARN_ALL_UNSEEDED_RANDOM=y results in no warnings at all.
>
> One subtle side effect of this change is that on systems with no RDRAND,
> RDTSC is now only queried by random_init() once, committing the moment
> of the function call, instead of multiple times as before. This is
> intentional, as the multiple RDTSCs in a loop before weren't
> accomplishing very much, with jitter being better provided by
> try_to_generate_entropy(). Plus, filling blocks with RDTSC is still
> being done in extract_entropy(), which is necessarily called before
> random bytes are served anyway.
>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Thanks for the updates!
--
Kees Cook
prev parent reply other threads:[~2022-09-27 14:28 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-26 21:31 [PATCH v2 1/2] random: split initialization into early step and later step Jason A. Donenfeld
2022-09-26 21:31 ` [PATCH v2 2/2] kfence: use better stack hash seed Jason A. Donenfeld
2022-09-27 6:35 ` [PATCH v2 1/2] random: split initialization into early step and later step Dominik Brodowski
2022-09-27 8:28 ` Jason A. Donenfeld
2022-09-27 8:30 ` Dominik Brodowski
2022-09-27 8:40 ` Jason A. Donenfeld
2022-09-27 11:09 ` [PATCH v3] " Jason A. Donenfeld
2022-09-27 14:28 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202209270728.5FE3CB0@keescook \
--to=keescook@chromium.org \
--cc=Jason@zx2c4.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.