[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <158166064078.9887.1754084457230746782.stgit@devnote2>
Date: Fri, 14 Feb 2020 15:10:41 +0900
From: Masami Hiramatsu <mhiramat@...nel.org>
To: linux-kernel@...r.kernel.org
Cc: kernel-team@...roid.com, Mark Salyzyn <salyzyn@...roid.com>,
Theodore Ts'o <tytso@....edu>, Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Richard Henderson <richard.henderson@...aro.org>,
Mark Brown <broonie@...nel.org>,
Kees Cook <keescook@...omium.org>,
Hsin-Yi Wang <hsinyi@...omium.org>,
Vasily Gorbik <gor@...ux.ibm.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Steven Rostedt <rostedt@...dmis.org>,
Mike Rapoport <rppt@...ux.ibm.com>,
Arvind Sankar <nivedita@...m.mit.edu>,
Dominik Brodowski <linux@...inikbrodowski.net>,
Thomas Gleixner <tglx@...utronix.de>,
Alexander Potapenko <glider@...gle.com>,
Jonathan Corbet <corbet@....net>,
Mauro Carvalho Chehab <mchehab+samsung@...nel.org>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
Juergen Gross <jgross@...e.com>, Rob Herring <robh@...nel.org>,
linux-doc@...r.kernel.org
Subject: [PATCH 3/3] random: add random.rng_seed= bootconfig option
From: Mark Salyzyn <salyzyn@...roid.com>
A followup to commit 428826f5358c922dc378830a1717b682c0823160
("fdt: add support for rng-seed") to extend what was started
with Open Firmware (OF or Device Tree) parsing, but also add
it to the bootconfig.
If CONFIG_RANDOM_TRUST_BOOTLOADER is set, then feed the
random.rng_seed bootconfig data length as added trusted
entropy.
Always erase view of the random.rng_seed option from
/proc/bootconfig to prevent leakage to applications or modules,
to eliminate any attack vector. Note that initcall embedded
code still have a chance to see it, but that will be unsafe
at different level.
It is preferred to add rng-seed to the Device Tree, but some
platforms do not have this option, so this adds the ability to
provide some bootconfig-limited data to the entropy through this
alternate mechanism. Expect on average 6 bits of useful entropy
per character.
Signed-off-by: Mark Salyzyn <salyzyn@...roid.com>
Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
Cc: linux-kernel@...r.kernel.org
Cc: kernel-team@...roid.com
Cc: "Theodore Ts'o" <tytso@....edu>
Cc: Arnd Bergmann <arnd@...db.de>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Richard Henderson <richard.henderson@...aro.org>
Cc: Mark Brown <broonie@...nel.org>
Cc: Kees Cook <keescook@...omium.org>
Cc: Hsin-Yi Wang <hsinyi@...omium.org>
Cc: Vasily Gorbik <gor@...ux.ibm.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>
Cc: "Steven Rostedt (VMware)" <rostedt@...dmis.org>
Cc: Mike Rapoport <rppt@...ux.ibm.com>
Cc: Arvind Sankar <nivedita@...m.mit.edu>
Cc: Dominik Brodowski <linux@...inikbrodowski.net>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: Alexander Potapenko <glider@...gle.com>
---
v4
- Use bootconfig instead of command line
- Move the documentation under Documentation/admin-guide/bootconfig/.
v3
- Add Documentation (all other new v2 patches unchanged)
v2
- Split into four bite sized patches.
- Correct spelling in commit message.
- rng-seed is assumed to be utf-8, so correct both to 6 bits/character
of collected entropy.
- Move entropy collection to a static __always_inline helper function.
---
Documentation/admin-guide/bootconfig/random.rst | 21 ++++++++++++
drivers/char/Kconfig | 1 +
drivers/char/random.c | 8 ++++
fs/proc/bootconfig.c | 4 ++
include/linux/random.h | 7 ++++
init/main.c | 41 ++++++++++++++++-------
6 files changed, 70 insertions(+), 12 deletions(-)
create mode 100644 Documentation/admin-guide/bootconfig/random.rst
diff --git a/Documentation/admin-guide/bootconfig/random.rst b/Documentation/admin-guide/bootconfig/random.rst
new file mode 100644
index 000000000000..d4ee513c5136
--- /dev/null
+++ b/Documentation/admin-guide/bootconfig/random.rst
@@ -0,0 +1,21 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+===============================
+The Random Subsystem Bootconfig
+===============================
+
+The keys start with "random." configures random number generator subsystem.
+
+Options
+=======
+
+random.rng_seed
+ Provide a trusted seed for the kernel's CRNG. Seed only trusted if
+ CONFIG_RANDOM_TRUST_BOOTLOADER=y. After collection, this option is not
+ shown in /proc/bootconfig.
+ The seed is given a weight of 6 bits per character with the assumption that
+ it is a printable utf8 string. It is expected that the supplier of the
+ seed, typically a bootloader or virtualization, will supply a new random
+ seed for each kernel instance.
+ A fixed serial number is typically not appropriate for security features
+ like ASLR.
diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
index 26956c006987..43fbbd307204 100644
--- a/drivers/char/Kconfig
+++ b/drivers/char/Kconfig
@@ -554,6 +554,7 @@ config RANDOM_TRUST_CPU
config RANDOM_TRUST_BOOTLOADER
bool "Trust the bootloader to initialize Linux's CRNG"
+ select BOOT_CONFIG
help
Some bootloaders can provide entropy to increase the kernel's initial
device randomness. Say Y here to assume the entropy provided by the
diff --git a/drivers/char/random.c b/drivers/char/random.c
index ee21a6a584b1..83c77306e18e 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -2311,3 +2311,11 @@ void add_bootloader_randomness(const void *buf, unsigned int size)
add_device_randomness(buf, size);
}
EXPORT_SYMBOL_GPL(add_bootloader_randomness);
+
+#if defined(CONFIG_RANDOM_TRUST_BOOTLOADER)
+/* caller called add_device_randomness, but it is from a trusted source */
+void __init credit_trusted_entropy_bits(unsigned int nbits)
+{
+ credit_entropy_bits(&input_pool, nbits);
+}
+#endif
diff --git a/fs/proc/bootconfig.c b/fs/proc/bootconfig.c
index 9955d75c0585..6d1a819f2df4 100644
--- a/fs/proc/bootconfig.c
+++ b/fs/proc/bootconfig.c
@@ -8,6 +8,7 @@
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
#include <linux/bootconfig.h>
+#include <linux/random.h>
#include <linux/slab.h>
static char *saved_boot_config;
@@ -36,6 +37,9 @@ static int __init copy_xbc_key_value_list(char *dst, size_t size)
ret = xbc_node_compose_key(leaf, key, XBC_KEYLEN_MAX);
if (ret < 0)
break;
+ /* For keeping security reason, remove randomness key */
+ if (!strcmp(key, RANDOM_SEED_XBC_KEY))
+ continue;
ret = snprintf(dst, rest(dst, end), "%s = ", key);
if (ret < 0)
break;
diff --git a/include/linux/random.h b/include/linux/random.h
index d319f9a1e429..c8f41ab4f342 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -20,6 +20,13 @@ struct random_ready_callback {
extern void add_device_randomness(const void *, unsigned int);
extern void add_bootloader_randomness(const void *, unsigned int);
+#if defined(CONFIG_RANDOM_TRUST_BOOTLOADER)
+extern void __init credit_trusted_entropy_bits(unsigned int nbits);
+#else
+static inline void credit_trusted_entropy_bits(unsigned int nbits) {}
+#endif
+
+#define RANDOM_SEED_XBC_KEY "random.rng_seed"
#if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
static inline void add_latent_entropy(void)
diff --git a/init/main.c b/init/main.c
index f95b014a5479..d0e5a95b4182 100644
--- a/init/main.c
+++ b/init/main.c
@@ -776,6 +776,34 @@ void __init __weak arch_call_rest_init(void)
rest_init();
}
+static __always_inline void __init collect_entropy(const char *command_line)
+{
+ /*
+ * For best initial stack canary entropy, prepare it after:
+ * - setup_arch() for any UEFI RNG entropy and boot cmdline access
+ * - timekeeping_init() for ktime entropy used in rand_initialize()
+ * - rand_initialize() to get any arch-specific entropy like RDRAND
+ * - add_latent_entropy() to get any latent entropy
+ * - adding command line entropy
+ */
+ rand_initialize();
+ add_latent_entropy();
+ add_device_randomness(command_line, strlen(command_line));
+ if (IS_BUILTIN(CONFIG_RANDOM_TRUST_BOOTLOADER)) {
+ /*
+ * Added bootconfig device randomness above,
+ * now add entropy credit for just random.rng_seed=<data>
+ */
+ const char *rng_seed = xbc_find_value(RANDOM_SEED_XBC_KEY, NULL);
+
+ if (rng_seed) {
+ add_device_randomness(rng_seed, strlen(rng_seed));
+ credit_trusted_entropy_bits(strlen(rng_seed) * 6);
+ }
+ }
+ boot_init_stack_canary();
+}
+
asmlinkage __visible void __init start_kernel(void)
{
char *command_line;
@@ -887,18 +915,7 @@ asmlinkage __visible void __init start_kernel(void)
softirq_init();
timekeeping_init();
- /*
- * For best initial stack canary entropy, prepare it after:
- * - setup_arch() for any UEFI RNG entropy and boot cmdline access
- * - timekeeping_init() for ktime entropy used in rand_initialize()
- * - rand_initialize() to get any arch-specific entropy like RDRAND
- * - add_latent_entropy() to get any latent entropy
- * - adding command line entropy
- */
- rand_initialize();
- add_latent_entropy();
- add_device_randomness(command_line, strlen(command_line));
- boot_init_stack_canary();
+ collect_entropy(command_line);
time_init();
printk_safe_init();
Powered by blists - more mailing lists