stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Harald Freudenberger <freude@linux.vnet.ibm.com>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Sasha Levin <alexander.levin@verizon.com>
Subject: [PATCH 4.9 60/67] s390/prng: Adjust generation of entropy to produce real 256 bits.
Date: Mon,  6 Nov 2017 10:44:23 +0100
Message-ID: <20171106091307.792309815@linuxfoundation.org>
In-Reply-To: <20171106091305.401025609@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harald Freudenberger <freude@linux.vnet.ibm.com>


[ Upstream commit d34b1acb78af41b8b8d5c60972b6555ea19f7564 ]

The generate_entropy function used a sha256 for compacting
together 256 bits of entropy into a 32 byte hash. However, it
is questionable if a sha256 can really be used here, as
potential collisions may reduce the max entropy fitting into
a 32 byte hash value. So this patch introduces the use of
sha512 instead and the required buffer adjustments for the
calling functions.

Furthermore the working buffer for the generate_entropy
function has been widened from one page to two pages. So now
1024 stckf invocations are used to gather 256 bits of
entropy. This has been done to be on the safe side if the
jitter of stckf values isn't as good as supposed.

Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/s390/crypto/prng.c |   40 ++++++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 16 deletions(-)

--- a/arch/s390/crypto/prng.c
+++ b/arch/s390/crypto/prng.c
@@ -110,22 +110,30 @@ static const u8 initial_parm_block[32] _
 
 /*** helper functions ***/
 
+/*
+ * generate_entropy:
+ * This algorithm produces 64 bytes of entropy data based on 1024
+ * individual stckf() invocations assuming that each stckf() value
+ * contributes 0.25 bits of entropy. So the caller gets 256 bit
+ * entropy per 64 byte or 4 bits entropy per byte.
+ */
 static int generate_entropy(u8 *ebuf, size_t nbytes)
 {
 	int n, ret = 0;
-	u8 *pg, *h, hash[32];
+	u8 *pg, *h, hash[64];
 
-	pg = (u8 *) __get_free_page(GFP_KERNEL);
+	/* allocate 2 pages */
+	pg = (u8 *) __get_free_pages(GFP_KERNEL, 1);
 	if (!pg) {
 		prng_errorflag = PRNG_GEN_ENTROPY_FAILED;
 		return -ENOMEM;
 	}
 
 	while (nbytes) {
-		/* fill page with urandom bytes */
-		get_random_bytes(pg, PAGE_SIZE);
-		/* exor page with stckf values */
-		for (n = 0; n < PAGE_SIZE / sizeof(u64); n++) {
+		/* fill pages with urandom bytes */
+		get_random_bytes(pg, 2*PAGE_SIZE);
+		/* exor pages with 1024 stckf values */
+		for (n = 0; n < 2 * PAGE_SIZE / sizeof(u64); n++) {
 			u64 *p = ((u64 *)pg) + n;
 			*p ^= get_tod_clock_fast();
 		}
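Review bot: the new header comment hard-codes 1024 invocations and 0.25 bits per stckf() value, while the loop bound `2 * PAGE_SIZE / sizeof(u64)` only works out to 1024 on 4 KiB pages, so the comment and the loop can drift apart; tie them together with named constants (page count, credited bits per sample) and state in the comment where the 0.25 bit credit comes from, since the whole entropy budget of the driver rests on it. Separately, `u8 *pg, *h, hash[64];` repeats the SHA-512 digest size as a literal; `SHA512_DIGEST_SIZE` from <crypto/sha.h> would make the coupling to `CPACF_KIMD_SHA_512` explicit.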
@@ -134,8 +142,8 @@ static int generate_entropy(u8 *ebuf, si
 			h = hash;
 		else
 			h = ebuf;
-		/* generate sha256 from this page */
-		cpacf_kimd(CPACF_KIMD_SHA_256, h, pg, PAGE_SIZE);
+		/* hash over the filled pages */
+		cpacf_kimd(CPACF_KIMD_SHA_512, h, pg, 2*PAGE_SIZE);
 		if (n < sizeof(hash))
 			memcpy(ebuf, hash, n);
 		ret += n;
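Review bot: `cpacf_kimd(CPACF_KIMD_SHA_512, h, pg, 2*PAGE_SIZE)` writes 64 bytes to `h`, and `h` is only `ebuf` in the `else` branch paired with the `if (n < sizeof(hash))` copy below it, so the bounds logic holds; but `2*PAGE_SIZE` is now spelled out separately at the allocation, the fill, the XOR loop and here. Derive the hashed length from the one constant used for the allocation so that a later change of the page count cannot leave the hash covering only part of the buffer it is supposed to compact.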
@@ -143,7 +151,7 @@ static int generate_entropy(u8 *ebuf, si
 		nbytes -= n;
 	}
 
-	free_page((unsigned long)pg);
+	free_pages((unsigned long)pg, 1);
 	return ret;
 }
 
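Review bot: `free_pages((unsigned long)pg, 1)` correctly matches the order-1 allocation, but the two pages still hold the exact preimage of the seed material that was just hashed and they go back to the page allocator uncleared; a `memzero_explicit(pg, 2*PAGE_SIZE)` before the free (and the same for the on-stack `hash` before `return ret`) keeps seed-derived bytes from lingering in freed memory.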
@@ -334,7 +342,7 @@ static int __init prng_sha512_selftest(v
 static int __init prng_sha512_instantiate(void)
 {
 	int ret, datalen;
-	u8 seed[64];
+	u8 seed[64 + 32 + 16];
 
 	pr_debug("prng runs in SHA-512 mode "
 		 "with chunksize=%d and reseed_limit=%u\n",
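Review bot: `u8 seed[64 + 32 + 16];` encodes the seed layout (96 bytes of generate_entropy() output followed by a 16 byte nonce) as bare arithmetic that the next hunk has to repeat in the `generate_entropy()` length, the `ret` check and the `get_tod_clock_ext()` offset; a pair of defines for the entropy length and the nonce length, with the array sized as their sum, keeps all four places in step.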
@@ -357,12 +365,12 @@ static int __init prng_sha512_instantiat
 	if (ret)
 		goto outfree;
 
-	/* generate initial seed bytestring, first 48 bytes of entropy */
-	ret = generate_entropy(seed, 48);
-	if (ret != 48)
+	/* generate initial seed bytestring, with 256 + 128 bits entropy */
+	ret = generate_entropy(seed, 64 + 32);
+	if (ret != 64 + 32)
 		goto outfree;
 	/* followed by 16 bytes of unique nonce */
-	get_tod_clock_ext(seed + 48);
+	get_tod_clock_ext(seed + 64 + 32);
 
 	/* initial seed of the ppno drng */
 	cpacf_ppno(CPACF_PPNO_SHA512_DRNG_SEED,
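Review bot: the comment `with 256 + 128 bits entropy` is only true under the 4 bits per byte credit stated in the new generate_entropy() header, not from anything visible in this function; say so in the comment (or express the 64 + 32 request as a bits-to-bytes conversion) so a reader does not take 96 bytes for 768 bits of entropy. The nonce offset `seed + 64 + 32` must also stay equal to the length requested two lines earlier; one named length removes that manual coupling.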
@@ -395,9 +403,9 @@ static void prng_sha512_deinstantiate(vo
 static int prng_sha512_reseed(void)
 {
 	int ret;
-	u8 seed[32];
+	u8 seed[64];
 
-	/* generate 32 bytes of fresh entropy */
+	/* fetch 256 bits of fresh entropy */
 	ret = generate_entropy(seed, sizeof(seed));
 	if (ret != sizeof(seed))
 		return ret;
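Review bot: `u8 seed[64];` and the comment `fetch 256 bits of fresh entropy` agree with one 1024-sample chunk of generate_entropy() only because 64 bytes happens to equal the SHA-512 digest size; if the reseed is meant to pull exactly one chunk, size the array from that digest constant, and since the 256-bit figure is derived in the generate_entropy() header, refer to that accounting here instead of repeating the number.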
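As an added illustration (not part of the patch and not kernel code), the model below follows the entropy accounting in the commit message and in the new generate_entropy() header comment, and goes one step beyond the page by adding an idealised random-function model of how much entropy can at most survive compression into a 32 byte versus a 64 byte digest, which is the concern the commit message raises about sha256. The 0.25 bit credit per stckf() value, the 8-byte sample size, the 4 KiB page size and the seed lengths are taken from the patch; the random-function bound and all function names are my own assumptions.

```python
import math

# Parameters taken from the patch (assumptions of the kernel code, not measured here).
BITS_PER_STCKF = 0.25        # entropy credited to one stckf() value (patch comment)
STCKF_BYTES = 8              # each stckf() value is XORed into one u64 slot
PAGE_SIZE = 4096             # s390 page size, so 2 pages hold 1024 u64 slots
SHA256_BYTES = 32            # digest size the old code compacted into
SHA512_BYTES = 64            # digest size the patch switches to


def samples_per_chunk(pages):
    """stckf() values XORed into one hashed chunk of `pages` pages."""
    return pages * PAGE_SIZE // STCKF_BYTES


def chunk_entropy_bits(pages, bits_per_sample=BITS_PER_STCKF):
    """Entropy credited to one chunk before it is hashed."""
    return samples_per_chunk(pages) * bits_per_sample


def bits_per_output_byte(pages, digest_bytes):
    """Entropy credited per digest byte handed back to the caller."""
    return chunk_entropy_bits(pages) / digest_bytes


def credited_seed_bits(entropy_bytes, pages=2, digest_bytes=SHA512_BYTES):
    """Entropy credited to `entropy_bytes` bytes pulled from generate_entropy().
    Assumes entropy_bytes is a whole number of chunks, as in the patch's callers."""
    return entropy_bytes * bits_per_output_byte(pages, digest_bytes)


def reachable_digest_bits(input_entropy_bits, digest_bits):
    """log2 of the expected number of distinct digests when 2^k equiprobable
    inputs go through an idealised random function onto 2^n outputs.
    Expected fraction of outputs hit: 1 - (1 - 2^-n)^(2^k) ~= 1 - exp(-2^(k-n)).
    (Random-function model; an added approximation, not a statement from the patch.)"""
    fraction_hit = -math.expm1(-(2.0 ** (input_entropy_bits - digest_bits)))
    return digest_bits + math.log2(fraction_hit)


def max_output_entropy_bits(input_entropy_bits, digest_bytes):
    """Upper bound on the entropy that can survive the hash: never more than
    went in, and never more than log2 of the digests actually reachable."""
    return min(input_entropy_bits,
               reachable_digest_bits(input_entropy_bits, 8 * digest_bytes))


if __name__ == "__main__":
    print("stckf values per 2-page chunk:", samples_per_chunk(2))
    print("bits credited per chunk:", chunk_entropy_bits(2))
    print("bits per output byte:", bits_per_output_byte(2, SHA512_BYTES))
    print("instantiate seed (64+32 bytes):", credited_seed_bits(64 + 32), "bits")
    print("reseed seed (64 bytes):", credited_seed_bits(64), "bits")
    for digest in (SHA256_BYTES, SHA512_BYTES):
        print("256 bits through a %d-byte digest: at most %.3f bits"
              % (digest, max_output_entropy_bits(256, digest)))
```

Under the patch's own accounting the two-page chunk yields 1024 samples, 256 credited bits and 4 bits per output byte, so the instantiate seed (64 + 32 bytes) carries 384 bits and the reseed (64 bytes) 256 bits. The random-function bound shows why the digest width matters: pushing 256 bits of entropy through a 256-bit digest can reach only about 63% of the digest space, capping the output at roughly 255.3 bits, whereas a 512-bit digest leaves the full 256 bits intact.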
