From: Mark Rutland <mark.rutland@arm.com>
To: Daniel Micay <danielmicay@gmail.com>
Cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br>,
"Theodore Ts'o" <tytso@mit.edu>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
Eric Biggers <ebiggers3@gmail.com>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
kernel-hardening@lists.openwall.com,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
David Miller <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
Stephan Mueller <smueller@chronox.de>
Subject: Re: [kernel-hardening] Re: [PATCH v3 04/13] crypto/rng: ensure that the RNG is ready before using
Date: Wed, 7 Jun 2017 18:26:28 +0100 [thread overview]
Message-ID: <20170607172627.GB8330@leverpostej> (raw)
In-Reply-To: <1496854825.10825.24.camel@gmail.com>
On Wed, Jun 07, 2017 at 01:00:25PM -0400, Daniel Micay wrote:
> > On the better bootloaders, an initramfs segment can be loaded
> > independently (and you can have as many as required), which makes an
> > early_initramfs a more palatable vector to inject large amounts of
> > entropy into the next boot than, say, modifying the kernel image
> > directly at every boot/shutdown to stash entropy in there somewhere.
[...]
> I didn't really understand the device tree approach and mentioned a
> few times before. Passing via the kernel cmdline is a lot simpler than
> modifying the device tree in-memory and persistent modification isn't
> an option unless verified boot is missing anyway.
I might be missing something here, but the command line is inside of the
device tree, at /chosen/bootargs, so modifying the kernel command line
*is* modifying the device tree in-memory.
For arm64, we have a /chosen/kaslr-seed property that we hope
FW/bootloaders fill in, and similar could be done for some initial
entropy, provided appropriate HW/FW support.
Thanks,
Mark.
next prev parent reply other threads:[~2017-06-07 17:27 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-06 0:50 [PATCH v3 00/13] Unseeded In-Kernel Randomness Fixes Jason A. Donenfeld
2017-06-06 0:50 ` [PATCH v3 01/13] random: add synchronous API for the urandom pool Jason A. Donenfeld
2017-06-06 0:50 ` [PATCH v3 02/13] random: add get_random_{bytes,u32,u64,int,long,once}_wait family Jason A. Donenfeld
2017-06-06 5:11 ` Jeffrey Walton
2017-06-06 12:21 ` Jason A. Donenfeld
2017-06-06 0:50 ` [PATCH v3 03/13] random: invalidate batched entropy after crng init Jason A. Donenfeld
2017-06-07 17:42 ` kbuild test robot
2017-06-07 18:16 ` Jason A. Donenfeld
2017-06-06 0:50 ` [PATCH v3 04/13] crypto/rng: ensure that the RNG is ready before using Jason A. Donenfeld
2017-06-06 3:00 ` Theodore Ts'o
2017-06-06 3:56 ` Jason A. Donenfeld
2017-06-06 4:44 ` [kernel-hardening] " Eric Biggers
2017-06-06 12:34 ` Jason A. Donenfeld
2017-06-06 15:23 ` Jason A. Donenfeld
2017-06-06 17:26 ` Eric Biggers
2017-06-06 17:30 ` Jason A. Donenfeld
2017-06-06 17:03 ` Theodore Ts'o
2017-06-06 17:28 ` Jason A. Donenfeld
2017-06-06 17:57 ` Stephan Müller
2017-06-06 18:01 ` Jason A. Donenfeld
2017-06-06 22:19 ` Henrique de Moraes Holschuh
2017-06-06 23:14 ` Theodore Ts'o
2017-06-07 5:00 ` Stephan Müller
2017-06-07 14:42 ` Henrique de Moraes Holschuh
2017-06-07 21:27 ` Theodore Ts'o
2017-06-07 17:00 ` Daniel Micay
2017-06-07 17:26 ` Mark Rutland [this message]
2017-06-08 3:59 ` Daniel Micay
2017-06-07 17:37 ` Mark Rutland
2017-06-08 12:02 ` Kevin Easton
2017-06-06 0:51 ` [PATCH v3 05/13] security/keys: ensure RNG is seeded before use Jason A. Donenfeld
2017-06-06 10:08 ` David Howells
2017-06-06 12:23 ` Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 06/13] iscsi: " Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 07/13] ceph: ensure RNG is seeded before using Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 08/13] cifs: use get_random_u32 for 32-bit lock random Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 09/13] rhashtable: use get_random_u32 for hash_rnd Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 10/13] net/neighbor: use get_random_u32 for 32-bit hash random Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 11/13] net/route: use get_random_int for random counter Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 12/13] bluetooth/smp: ensure RNG is properly seeded before ECDH use Jason A. Donenfeld
2017-06-06 0:51 ` [PATCH v3 13/13] random: warn when kernel uses unseeded randomness Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170607172627.GB8330@leverpostej \
--to=mark.rutland@arm.com \
--cc=Jason@zx2c4.com \
--cc=danielmicay@gmail.com \
--cc=davem@davemloft.net \
--cc=ebiggers3@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=hmh@hmh.eng.br \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=smueller@chronox.de \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox