From: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
To: Torsten Duwe <duwe@lst.de>,
Ingo Tuchscherer <ingo.tuchscherer@de.ibm.com>
Cc: linux-kernel@vger.kernel.org, "Theodore Ts'o" <tytso@mit.edu>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Gerald Schaefer <gerald.schaefer@de.ibm.com>,
Heiko Carstens <heicars2@linux.vnet.ibm.com>,
Hendrik Brueckner <brueckner@de.ibm.com>,
Matt Mackall <mpm@selenic.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Harald Freudenberger <freude@de.ibm.com>
Subject: Re: [PATCH] s390/zcrypt: enable s390 hwrng to seed kernel entropy
Date: Mon, 11 Aug 2014 17:11:52 +0200
Message-ID: <53E8DD38.4080005@linux.vnet.ibm.com>
In-Reply-To: <20140811135611.GP27247@lst.de>
On 08/11/2014 03:56 PM, Torsten Duwe wrote:
> On Wed, Jul 30, 2014 at 02:17:36PM +0200, Ingo Tuchscherer wrote:
>> Set the 'quality' property in the zcrypt rng device structure to enable the
>> zcrypt hwrng device to take part in the kernel entropy seeding process.
>> A module parameter named hwrng_seed will be introduced to disable the
>> participation. By default this parameter is set to 1 (enabled).
> I only had a one-liner that simply enabled it. I guess the extra switch
> is for certification scenarios?
I introduced this switch for several reasons. I would like to have the
possibility to prevent the card from being interrupted with rng queries
(in case of heavy workload) or card verification/certification or other
measurement processes.
Last but not least we are able to deactivate this feature in case of any
failures/attacks.
> Anyway,
>
> Acked-by: Torsten Duwe <duwe@suse.de>
>> Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@de.ibm.com>
>> ---
>> drivers/s390/crypto/ap_bus.c | 5 +++++
>> drivers/s390/crypto/ap_bus.h | 1 +
>> drivers/s390/crypto/zcrypt_api.c | 3 +++
>> 3 files changed, 9 insertions(+)
>>
>> diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c
>> index 4038437..19fac5f 100644
>> --- a/drivers/s390/crypto/ap_bus.c
>> +++ b/drivers/s390/crypto/ap_bus.c
>> @@ -85,6 +85,11 @@ static int ap_thread_flag = 0;
>> module_param_named(poll_thread, ap_thread_flag, int, S_IRUSR|S_IRGRP);
>> MODULE_PARM_DESC(poll_thread, "Turn on/off poll thread, default is 0 (off).");
>>
>> +int ap_hwrng_seed = 1;
>> +EXPORT_SYMBOL(ap_hwrng_seed);
>> +module_param_named(hwrng_seed, ap_hwrng_seed, int, S_IRUSR|S_IRGRP);
>> +MODULE_PARM_DESC(hwrng_seed, "Turn on/off hwrng auto seed, default is 1 (on).");
>> +
>> static struct device *ap_root_device = NULL;
>> static struct ap_config_info *ap_configuration;
>> static DEFINE_SPINLOCK(ap_device_list_lock);
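Review bot: `hwrng_seed` is declared as `int` in `module_param_named(hwrng_seed, ap_hwrng_seed, int, S_IRUSR|S_IRGRP)` but is used purely as an on/off switch, so `bool` would match both the use and the "Turn on/off" description. The permissions are read-only, so the switch can only be chosen when the module is loaded; if the intent is to turn seeding off on a running system, that needs a writable parameter with a handler, otherwise MODULE_PARM_DESC should say the setting is load-time only.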
>> diff --git a/drivers/s390/crypto/ap_bus.h b/drivers/s390/crypto/ap_bus.h
>> index 6405ae2..b0be09a 100644
>> --- a/drivers/s390/crypto/ap_bus.h
>> +++ b/drivers/s390/crypto/ap_bus.h
>> @@ -38,6 +38,7 @@
>> #define AP_POLL_TIME 1 /* Time in ticks between receive polls. */
>>
>> extern int ap_domain_index;
>> +extern int ap_hwrng_seed;
>>
>> /**
>> * The ap_qid_t identifier of an ap queue. It contains a
>> diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c
>> index 0e18c5d..ed91665 100644
>> --- a/drivers/s390/crypto/zcrypt_api.c
>> +++ b/drivers/s390/crypto/zcrypt_api.c
>> @@ -1374,6 +1374,7 @@ static int zcrypt_rng_data_read(struct hwrng *rng, u32 *data)
>> static struct hwrng zcrypt_rng_dev = {
>> .name = "zcrypt",
>> .data_read = zcrypt_rng_data_read,
>> + .quality = 990,
>> };
>>
>> static int zcrypt_rng_device_add(void)
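Review bot: `.quality = 990` is a bare magic number with no comment here and no justification in the commit message, although it is the value that decides how much entropy the kernel credits for data read from this device. Please state where the figure comes from (for example the hardware's documented or certified entropy rate) and give it a named constant, so that a later reader can tell a measured value from a guess.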
>> @@ -1388,6 +1389,8 @@ static int zcrypt_rng_device_add(void)
>> goto out;
>> }
>> zcrypt_rng_buffer_index = 0;
>> + if (!ap_hwrng_seed)
>> + zcrypt_rng_dev.quality = 0;
>> rc = hwrng_register(&zcrypt_rng_dev);
>> if (rc)
>> goto out_free;
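Review bot: the `if (!ap_hwrng_seed)` check runs once, just before `hwrng_register()`, and overwrites the 990 from the static initializer in place, so the effective quality is decided in two places. Assigning `zcrypt_rng_dev.quality` unconditionally here from the flag (the chosen value when enabled, 0 otherwise) would keep the decision in one spot and make it obvious that the flag is only sampled at registration time.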
>> --
>> 1.8.5.5