lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 7 Jun 2022 12:28:08 +0200
From:   "Jason A. Donenfeld" <Jason@...c4.com>
To:     Ard Biesheuvel <ardb@...nel.org>
Cc:     linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
        Stephen Boyd <swboyd@...omium.org>,
        Catalin Marinas <catalin.marinas@....com>,
        Russell King <linux@...linux.org.uk>,
        Arnd Bergmann <arnd@...db.de>,
        Phil Elwell <phil@...pberrypi.com>
Subject: Re: [PATCH] random: do not use jump labels before they are
 initialized

Hi Ard,

On Tue, Jun 07, 2022 at 12:13:29PM +0200, Ard Biesheuvel wrote:
> Hi Jason,
> 
> On Tue, 7 Jun 2022 at 12:04, Jason A. Donenfeld <Jason@...c4.com> wrote:
> >
> > [ I would like to pursue fixing this more directly first before actually
> >   merging this, but I thought I'd send this to the list now anyway as a
> >   the "backup" plan. If I can't figure out how to make headway on the
> >   main plan in the next few days, it'll be easy to just do this. ]
> >
> 
> What more direct fix did you have in mind here?

A non-broken version of https://lore.kernel.org/lkml/20220603121543.360283-1-Jason@zx2c4.com/

As I mentioned in https://lore.kernel.org/lkml/Yp8kQrBgE3WVqqC5@zx2c4.com/ ,

    I would like a few days to see if there's some trivial way of not
    needing that on arm32. If it turns out to be easy, then I'd prefer the
    direct fix akin to the arm64 one. If it turns out to be not easy, then
    I'll merge the backup commit.

> > diff --git a/drivers/char/random.c b/drivers/char/random.c
> > index 4862d4d3ec49..f9a020ec08b9 100644
> > --- a/drivers/char/random.c
> > +++ b/drivers/char/random.c
> > @@ -650,7 +650,8 @@ static void __cold _credit_init_bits(size_t bits)
> >
> >         if (orig < POOL_READY_BITS && new >= POOL_READY_BITS) {
> >                 crng_reseed(); /* Sets crng_init to CRNG_READY under base_crng.lock. */
> > -               execute_in_process_context(crng_set_ready, &set_ready);
> > +               if (static_key_initialized)
> > +                       execute_in_process_context(crng_set_ready, &set_ready);
> 
> Can we just drop this entirely, and rely on the hunk below to set the
> static key? What justifies having two code paths that set the static
> key in different ways on different architectures?

No, we can't. The hunk below (A) is called from init/main.c some time after
jump_label_init(). The hunk above (B) is called whenever we reach the
256-bit mark.

The order is (B)(A) on machines that get seeded from efi or device tree.
The order is (A)(B) on all other machines, which reach the 256-bit mark
at "some point"... could be after a second, a minute, whenever enough
estimated entropy has been accounted.

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ