| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 17 Nov 2018 21:15:32 +0100
From: Michael Niewöhner <linux@...ewoehner.de>
To: Louis Collard <louiscollard@...omium.org>
Cc: linux-integrity@...r.kernel.org, Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org,
Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>,
apronin@...omium.org, Jason Gunthorpe <jgg@...pe.ca>,
david.bild@...tum.com
Subject: Re: [PATCH] Allow hwrng to initialize crng.
Hi Louis,
On Wed, 2018-09-26 at 11:24 +0800, Louis Collard wrote:
> Some systems, for example embedded systems, do not generate
> enough entropy on boot through interrupts, and boot may be blocked for
> several minutes waiting for a call to getrandom to complete.
>
> Currently, random data is read from a hwrng when it is registered,
> and is loaded into primary_crng. This data is treated in the same
> way as data that is device-specific but otherwise unchanging, and
> so primary_crng cannot become initialized with the data from the
> hwrng.
>
> This change causes the data initially read from the hwrng to be
> treated the same as subsequent data that is read from the hwrng if
> it's quality score is non-zero.
>
> The implications of this are:
>
> The data read from hwrng can cause primary_crng to become
> initialized, therefore avoiding problems of getrandom blocking
> on boot.
>
> Calls to getrandom (with GRND_RANDOM) may be using entropy
> exclusively (or in practise, almost exclusively) from the hwrng.
>
> Regarding the latter point; this behavior is the same as if a
> user specified a quality score of 1 (bit of entropy per 1024 bits)
> so hopefully this is not too scary a change to make.
>
> This change is the result of the discussion here:
> https://patchwork.kernel.org/patch/10453893/
>
> Signed-off-by: Louis Collard <louiscollard@...omium.org>
> Acked-by: Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
> ---
> drivers/char/hw_random/core.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
> index aaf9e5afaad4..47f358aa0c3d 100644
> --- a/drivers/char/hw_random/core.c
> +++ b/drivers/char/hw_random/core.c
> @@ -24,6 +24,7 @@
> #include <linux/sched.h>
> #include <linux/slab.h>
> #include <linux/uaccess.h>
> +#include <crypto/chacha20.h>
>
> #define RNG_MODULE_NAME "hw_random"
>
> @@ -64,13 +65,17 @@ static size_t rng_buffer_size(void)
> static void add_early_randomness(struct hwrng *rng)
> {
> int bytes_read;
> - size_t size = min_t(size_t, 16, rng_buffer_size());
> + /* Read enough to initialize crng. */
> + size_t size = 2*CHACHA20_KEY_SIZE;
>
> mutex_lock(&reading_mutex);
> bytes_read = rng_get_data(rng, rng_buffer, size, 1);
> mutex_unlock(&reading_mutex);
> if (bytes_read > 0)
> - add_device_randomness(rng_buffer, bytes_read);
> + /* Allow crng to become initialized, but do not add
> + * entropy to the pool.
> + */
> + add_hwgenerator_randomness(rng_buffer, bytes_read, 0);
> }
>
> static inline void cleanup_rng(struct kref *kref)
I found your patch by chance, searching for a solution for crng init delay on my
headless machine. Unfortunately it hardly makes any difference for me. With the
patch the system hangs for about 80s instead of 120s until the "crng init done"
message.In contrast, doing a `cat /dev/hwrng >/dev/random` or running rngd
initializes the crng instantly.
Isn't that delay the problem this patch tries to fix? Any idea what is wrong
here?
Thanks!
Best regards
Michael
Powered by blists - more mailing lists