lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 27 Sep 2022 10:30:22 +0200
From:   Dominik Brodowski <linux@...inikbrodowski.net>
To:     "Jason A. Donenfeld" <Jason@...c4.com>
Cc:     linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        kasan-dev@...glegroups.com, Kees Cook <keescook@...omium.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        stable@...r.kernel.org
Subject: Re: [PATCH v2 1/2] random: split initialization into early step and
 later step

Am Tue, Sep 27, 2022 at 10:28:11AM +0200 schrieb Jason A. Donenfeld:
> On Tue, Sep 27, 2022 at 8:35 AM Dominik Brodowski
> <linux@...inikbrodowski.net> wrote:
> > >  #if defined(LATENT_ENTROPY_PLUGIN)
> > >       static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy;
> > > @@ -803,34 +798,46 @@ int __init random_init(const char *command_line)
> > >                       i += longs;
> > >                       continue;
> > >               }
> > > -             entropy[0] = random_get_entropy();
> > > -             _mix_pool_bytes(entropy, sizeof(*entropy));
> > >               arch_bits -= sizeof(*entropy) * 8;
> > >               ++i;
> > >       }
> >
> >
> > Previously, random_get_entropy() was mixed into the pool ARRAY_SIZE(entropy)
> > times.
> >
> > > +/*
> > > + * This is called a little bit after the prior function, and now there is
> > > + * access to timestamps counters. Interrupts are not yet enabled.
> > > + */
> > > +void __init random_init(void)
> > > +{
> > > +     unsigned long entropy = random_get_entropy();
> > > +     ktime_t now = ktime_get_real();
> > > +
> > > +     _mix_pool_bytes(utsname(), sizeof(*(utsname())));
> >
> > But now, it's only mixed into the pool once. Is this change on purpose?
> 
> Yea, it is. I don't think it's really doing much of use. Before we did
> it because it was convenient -- because we simply could. But in
> reality mostly what we care about is capturing when it gets to that
> point in the execution. For jitter, the actual jitter function
> (try_to_generate_entropy()) is better here.
> 
> However, before feeling too sad about it, remember that
> extract_entropy() is still filling a block with rdtsc when rdrand
> fails, the same way as this function was. So it's still in there
> anyway.

With that explanation on the record (I think it's important to make such
subtle changes explicit),

	Reviewed-by: Dominik Brodowski <linux@...inikbrodowski.net>

Thanks,
	Dominik

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ