From: Daniel Micay <danielmicay@gmail.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br>,
Theodore Ts'o <tytso@mit.edu>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
Eric Biggers <ebiggers3@gmail.com>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
kernel-hardening@lists.openwall.com,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
David Miller <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Stephan Mueller <smueller@chronox.de>
Subject: Re: [kernel-hardening] Re: [PATCH v3 04/13] crypto/rng: ensure that the RNG is ready before using
Date: Wed, 07 Jun 2017 23:59:01 -0400 [thread overview]
Message-ID: <1496894341.10825.26.camel@gmail.com> (raw)
In-Reply-To: <20170607172627.GB8330@leverpostej>
On Wed, 2017-06-07 at 18:26 +0100, Mark Rutland wrote:
> On Wed, Jun 07, 2017 at 01:00:25PM -0400, Daniel Micay wrote:
> > > On the better bootloaders, an initramfs segment can be loaded
> > > independently (and you can have as many as required), which makes
> > > an
> > > early_initramfs a more palatable vector to inject large amounts of
> > > entropy into the next boot than, say, modifying the kernel image
> > > directly at every boot/shutdown to stash entropy in there
> > > somewhere.
>
> [...]
>
> > I didn't really understand the device tree approach and mentioned a
> > few times before. Passing via the kernel cmdline is a lot simpler
> > than
> > modifying the device tree in-memory and persistent modification
> > isn't
> > an option unless verified boot is missing anyway.
>
> I might be missing something here, but the command line is inside of
> the
> device tree, at /chosen/bootargs, so modifying the kernel command line
> *is* modifying the device tree in-memory.
>
> For arm64, we have a /chosen/kaslr-seed property that we hope
> FW/bootloaders fill in, and similar could be done for some initial
> entropy, provided appropriate HW/FW support.
>
> Thanks,
> Mark.
I was assuming it was simpler since bootloaders are already setting it,
but it seems I'm wrong about that.
next prev parent reply other threads:[~2017-06-08 3:59 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-06 0:50 [PATCH v3 00/13] Unseeded In-Kernel Randomness Fixes Jason A. Donenfeld
2017-06-06 0:50 ` [PATCH v3 01/13] random: add synchronous API for the urandom pool Jason A. Donenfeld
2017-06-06 0:50 ` [PATCH v3 02/13] random: add get_random_{bytes,u32,u64,int,long,once}_wait family Jason A. Donenfeld
2017-06-06 5:11 ` Jeffrey Walton
2017-06-06 12:21 ` Jason A. Donenfeld
2017-06-06 0:50 ` [PATCH v3 03/13] random: invalidate batched entropy after crng init Jason A. Donenfeld
2017-06-07 17:42 ` kbuild test robot
2017-06-07 18:16 ` Jason A. Donenfeld
2017-06-06 0:50 ` [PATCH v3 04/13] crypto/rng: ensure that the RNG is ready before using Jason A. Donenfeld
2017-06-06 3:00 ` Theodore Ts'o
2017-06-06 3:56 ` Jason A. Donenfeld
2017-06-06 4:44 ` [kernel-hardening] " Eric Biggers
2017-06-06 12:34 ` Jason A. Donenfeld
2017-06-06 15:23 ` Jason A. Donenfeld
2017-06-06 17:26 ` Eric Biggers
2017-06-06 17:30 ` Jason A. Donenfeld
2017-06-06 17:03 ` Theodore Ts'o
2017-06-06 17:28 ` Jason A. Donenfeld
2017-06-06 17:57 ` Stephan Müller
2017-06-06 18:01 ` Jason A. Donenfeld
2017-06-06 22:19 ` Henrique de Moraes Holschuh
2017-06-06 23:14 ` Theodore Ts'o
2017-06-07 5:00 ` Stephan Müller
2017-06-07 14:42 ` Henrique de Moraes Holschuh
2017-06-07 21:27 ` [kernel-hardening] " Theodore Ts'o
2017-06-07 17:00 ` Daniel Micay
2017-06-07 17:26 ` Mark Rutland
2017-06-08 3:59 ` Daniel Micay [this message]
2017-06-07 17:37 ` Mark Rutland
2017-06-08 12:02 ` Kevin Easton
2017-06-06 0:51 ` [PATCH v3 05/13] security/keys: ensure RNG is seeded before use Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 06/13] iscsi: " Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 07/13] ceph: ensure RNG is seeded before using Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 08/13] cifs: use get_random_u32 for 32-bit lock random Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 09/13] rhashtable: use get_random_u32 for hash_rnd Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 10/13] net/neighbor: use get_random_u32 for 32-bit hash random Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 11/13] net/route: use get_random_int for random counter Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 12/13] bluetooth/smp: ensure RNG is properly seeded before ECDH use Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 13/13] random: warn when kernel uses unseeded randomness Jason A. Donenfeld
2017-06-06 10:08 ` [PATCH v3 05/13] security/keys: ensure RNG is seeded before use David Howells
2017-06-06 12:23 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1496894341.10825.26.camel@gmail.com \
--to=danielmicay@gmail.com \
--cc=Jason@zx2c4.com \
--cc=davem@davemloft.net \
--cc=ebiggers3@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=hmh@hmh.eng.br \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=smueller@chronox.de \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).