lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20191018204220.GD31027@cork>
Date:   Fri, 18 Oct 2019 13:42:20 -0700
From:   Jörn Engel <joern@...estorage.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org
Subject: Re: [PATCH] random: make try_to_generate_entropy() more robust

On Fri, Oct 18, 2019 at 01:37:04PM -0700, Jörn Engel wrote:
> Sorry for coming late to the discussion.  I generally like the approach
> in try_to_generate_entropy(), but I think we can do a little better
> still.  Would something like this work?

Fixed lkml address.

> From 90078333edb6e720f13f6668376a69c0f9c570f5 Mon Sep 17 00:00:00 2001
> From: Joern Engel <joern@...estorage.com>
> Date: Fri, 18 Oct 2019 13:25:52 -0700
> Subject: [PATCH] random: make try_to_generate_entropy() more robust
> 
> We can generate entropy on almost any CPU, even if it doesn't provide a
> high-resolution timer for random_get_entropy().  As long as the CPU is
> not idle, it changed the register file every few cycles.  As long as the
> ALU isn't fully synchronized with the timer, the drift between the
> register file and the timer is enough to generate entropy from.
> 
> Also print a warning on systems where entropy collection might be a
> problem.  I have good confidence in two unsynchronized timers generating
> entropy.  But I cannot tell whether timer and ALU are synchronized and
> we ought to warn users if all their crypto is likely to be broken.
> 
> Signed-off-by: Joern Engel <joern@...estorage.com>
> ---
>  drivers/char/random.c | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index de434feb873a..00a04efd0686 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -1748,6 +1748,16 @@ EXPORT_SYMBOL(get_random_bytes);
>   */
>  static void entropy_timer(struct timer_list *t)
>  {
> +	struct pt_regs *regs = get_irq_regs();
> +
> +	/*
> +	 * Even if we don't have a high-resolution timer in our system,
> +	 * the register file itself is a high-resolution timer.  It
> +	 * isn't monotonic or particularly useful to read the current
> +	 * time.  But it changes with every retired instruction, which
> +	 * is enough to generate entropy from.
> +	 */
> +	mix_pool_bytes(&input_pool, regs, sizeof(*regs));
>  	credit_entropy_bits(&input_pool, 1);
>  }
>  
> @@ -1764,9 +1774,8 @@ static void try_to_generate_entropy(void)
>  
>  	stack.now = random_get_entropy();
>  
> -	/* Slow counter - or none. Don't even bother */
> -	if (stack.now == random_get_entropy())
> -		return;
> +	/* Slow counter - or none.  Warn user */
> +	WARN_ON(stack.now == random_get_entropy());
>  
>  	timer_setup_on_stack(&stack.timer, entropy_timer, 0);
>  	while (!crng_ready()) {
> -- 
> 2.20.1
> 

Jörn

--
...one more straw can't possibly matter...
-- Kirby Bakken

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ