lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <202209261105.9C6AEEEE1@keescook> Date: Mon, 26 Sep 2022 11:22:05 -0700 From: Kees Cook <keescook@...omium.org> To: "Jason A. Donenfeld" <Jason@...c4.com> Cc: linux-kernel@...r.kernel.org, Andrew Morton <akpm@...ux-foundation.org>, Ard Biesheuvel <ardb@...nel.org>, Alexander Potapenko <glider@...gle.com>, Marco Elver <elver@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>, kasan-dev@...glegroups.com, linux-hardening@...r.kernel.org Subject: Re: [PATCH] random: split initialization into early arch step and later non-arch step On Mon, Sep 26, 2022 at 06:03:32PM +0200, Jason A. Donenfeld wrote: > The full RNG initialization relies on some timestamps, made possible > with general functions like time_init() and timekeeping_init(). However, > these are only available rather late in initialization. Meanwhile, other > things, such as memory allocator functions, make use of the RNG much > earlier. > > So split RNG initialization into two phases. We can give arch randomness > very early on, and then later, after timekeeping and such are available, > initialize the rest. > > This ensures that, for example, slabs are properly randomized if RDRAND > is available. Another positive consequence is that on systems with > RDRAND, running with CONFIG_WARN_ALL_UNSEEDED_RANDOM=y results in no > warnings at all. Nice! I like it. Notes below... > > Cc: Kees Cook <keescook@...omium.org> > Cc: Andrew Morton <akpm@...ux-foundation.org> > Cc: stable@...r.kernel.org > Signed-off-by: Jason A. Donenfeld <Jason@...c4.com> > --- > I intend to take this through the random.git tree, but reviews/acks > would be appreciated, given that I'm touching init/main.c. > > drivers/char/random.c | 47 ++++++++++++++++++++++++------------------ > include/linux/random.h | 3 ++- > init/main.c | 17 +++++++-------- > 3 files changed, 37 insertions(+), 30 deletions(-) > > diff --git a/drivers/char/random.c b/drivers/char/random.c > index a90d96f4b3bb..1cb53495e8f7 100644 > --- a/drivers/char/random.c > +++ b/drivers/char/random.c > @@ -772,18 +772,13 @@ static int random_pm_notification(struct notifier_block *nb, unsigned long actio > static struct notifier_block pm_notifier = { .notifier_call = random_pm_notification }; > > /* > - * The first collection of entropy occurs at system boot while interrupts > - * are still turned off. Here we push in latent entropy, RDSEED, a timestamp, > - * utsname(), and the command line. Depending on the above configuration knob, > - * RDSEED may be considered sufficient for initialization. Note that much > - * earlier setup may already have pushed entropy into the input pool by the > - * time we get here. > + * This is called extremely early, before time keeping functionality is > + * available, but arch randomness is. Interrupts are not yet enabled. > */ > -int __init random_init(const char *command_line) > +void __init random_init_early(const char *command_line) > { > - ktime_t now = ktime_get_real(); > - size_t i, longs, arch_bits; > unsigned long entropy[BLAKE2S_BLOCK_SIZE / sizeof(long)]; > + size_t i, longs, arch_bits; > > #if defined(LATENT_ENTROPY_PLUGIN) > static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy; > @@ -803,34 +798,46 @@ int __init random_init(const char *command_line) > i += longs; > continue; > } Can find a way to get efi_get_random_bytes() in here too? (As a separate patch.) I don't see where that actually happens anywhere currently, and we should have it available at this point in the boot, yes? > - entropy[0] = random_get_entropy(); > - _mix_pool_bytes(entropy, sizeof(*entropy)); > arch_bits -= sizeof(*entropy) * 8; > ++i; > } > - _mix_pool_bytes(&now, sizeof(now)); > - _mix_pool_bytes(utsname(), sizeof(*(utsname()))); Hm, can't we keep utsname in the early half by using init_utsname() ? > + > _mix_pool_bytes(command_line, strlen(command_line)); > + > + if (trust_cpu) > + credit_init_bits(arch_bits); > +} > + > +/* > + * This is called a little bit after the prior function, and now there is > + * access to timestamps counters. Interrupts are not yet enabled. > + */ > +void __init random_init(void) > +{ > + unsigned long entropy = random_get_entropy(); > + ktime_t now = ktime_get_real(); > + > + _mix_pool_bytes(utsname(), sizeof(*(utsname()))); (...and then obviously don't repeat it here.) > + _mix_pool_bytes(&now, sizeof(now)); > + _mix_pool_bytes(&entropy, sizeof(entropy)); > add_latent_entropy(); > > /* > - * If we were initialized by the bootloader before jump labels are > - * initialized, then we should enable the static branch here, where > + * If we were initialized by the cpu or bootloader before jump labels > + * are initialized, then we should enable the static branch here, where > * it's guaranteed that jump labels have been initialized. > */ > if (!static_branch_likely(&crng_is_ready) && crng_init >= CRNG_READY) > crng_set_ready(NULL); > > + /* Reseed if already seeded by earlier phases. */ > if (crng_ready()) > crng_reseed(); > - else if (trust_cpu) > - _credit_init_bits(arch_bits); > > WARN_ON(register_pm_notifier(&pm_notifier)); > > - WARN(!random_get_entropy(), "Missing cycle counter and fallback timer; RNG " > - "entropy collection will consequently suffer."); > - return 0; > + WARN(!entropy, "Missing cycle counter and fallback timer; RNG " > + "entropy collection will consequently suffer."); > } > > /* > diff --git a/include/linux/random.h b/include/linux/random.h > index 3fec206487f6..a9e6e16f9774 100644 > --- a/include/linux/random.h > +++ b/include/linux/random.h > @@ -72,7 +72,8 @@ static inline unsigned long get_random_canary(void) > return get_random_long() & CANARY_MASK; > } > > -int __init random_init(const char *command_line); > +void __init random_init_early(const char *command_line); > +void __init random_init(void); > bool rng_is_initialized(void); > int wait_for_random_bytes(void); > > diff --git a/init/main.c b/init/main.c > index 1fe7942f5d4a..611886430e28 100644 > --- a/init/main.c > +++ b/init/main.c > @@ -976,6 +976,9 @@ asmlinkage __visible void __init __no_sanitize_address start_kernel(void) > parse_args("Setting extra init args", extra_init_args, > NULL, 0, -1, -1, NULL, set_init_arg); > > + /* Call before any memory or allocators are initialized */ Maybe for greater clarity: /* Pre-time-keeping entropy collection before allocator init. */ > + random_init_early(command_line); > + > /* > * These use large bootmem allocations and must precede > * kmem_cache_init() > @@ -1035,17 +1038,13 @@ asmlinkage __visible void __init __no_sanitize_address start_kernel(void) > hrtimers_init(); > softirq_init(); > timekeeping_init(); > - kfence_init(); > time_init(); Was there a reason kfence_init() was happening before time_init()? > > - /* > - * For best initial stack canary entropy, prepare it after: > - * - setup_arch() for any UEFI RNG entropy and boot cmdline access > - * - timekeeping_init() for ktime entropy used in random_init() > - * - time_init() for making random_get_entropy() work on some platforms > - * - random_init() to initialize the RNG from from early entropy sources > - */ > - random_init(command_line); > + /* This must be after timekeeping is initialized */ > + random_init(); > + > + /* These make use of the initialized randomness */ I'd clarify this more: /* These make use of the fully initialized randomness entropy. */ > + kfence_init(); > boot_init_stack_canary(); > > perf_event_init(); > -- > 2.37.3 > -- Kees Cook
Powered by blists - more mailing lists