lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CACi5LpMR4VLrg3SvbQ2_DJb9TgpurhGm5iQuKxQgWUwm4Z3Kjw@mail.gmail.com>
Date:   Mon, 30 Sep 2019 16:41:24 +0530
From:   Bhupesh Sharma <bhsharma@...hat.com>
To:     Dominik Brodowski <linux@...inikbrodowski.net>
Cc:     Ard Biesheuvel <ard.biesheuvel@...aro.org>, hsinyi@...omium.org,
        swboyd@...omium.org, robh@...nel.org, tytso@....edu,
        Kees Cook <keescook@...omium.org>, joeyli.kernel@...il.com,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        linux-efi@...r.kernel.org
Subject: Re: [RFC] random: UEFI RNG input is bootloader randomness

On Sat, Sep 28, 2019 at 3:54 PM Dominik Brodowski
<linux@...inikbrodowski.net> wrote:
>
> Depending on RANDOM_TRUST_BOOTLOADER, bootloader-provided randomness
> is credited as entropy. As the UEFI seeding entropy pool is seeded by
> the UEFI firmware/bootloader, add its content as bootloader randomness.
>
> Note that this UEFI (v2.4 or newer) feature is currently only
> implemented for EFI stub booting on ARM, and further note that
> RANDOM_TRUST_BOOTLOADER must only be enabled if there indeed is
> sufficient trust in the bootloader _and_ its source of randomness.
>
> Signed-off-by: Dominik Brodowski <linux@...inikbrodowski.net>
> Cc: Ard Biesheuvel <ard.biesheuvel@...aro.org>
> Cc: Hsin-Yi Wang <hsinyi@...omium.org>
> Cc: Stephen Boyd <swboyd@...omium.org>
> Cc: Rob Herring <robh@...nel.org>
> Cc: Theodore Ts'o <tytso@....edu>
> Cc: Lee, Chun-Yi <joeyli.kernel@...il.com>
>
> ---
>
> Untested patch, as efi_random_get_seed() is only hooked up on ARM,
> and the firmware on my old x86 laptop only has UEFI v2.31 anyway.
>
> Thanks,
>         Dominik
>
> diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
> index 8f1ab04f6743..db0bffce754e 100644
> --- a/drivers/firmware/efi/efi.c
> +++ b/drivers/firmware/efi/efi.c
> @@ -545,7 +545,7 @@ int __init efi_config_parse_tables(void *config_tables, int count, int sz,
>                                               sizeof(*seed) + size);
>                         if (seed != NULL) {
>                                 pr_notice("seeding entropy pool\n");
> -                               add_device_randomness(seed->bits, seed->size);
> +                               add_bootloader_randomness(seed->bits, seed->size);
>                                 early_memunmap(seed, sizeof(*seed) + size);
>                         } else {
>                                 pr_err("Could not map UEFI random seed!\n");

Tested the patch on my arm64 board which support EFI_RNG_PROTOCOL
(i.e. EFI firmware acts as the entropy source) and has
'CONFIG_RANDOM_TRUST_BOOTLOADER=y', so:

Tested-by: Bhupesh Sharma <bhsharma@...hat.com>

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ