lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20221210194708.675884-1-Jason@zx2c4.com>
Date:   Sat, 10 Dec 2022 20:47:08 +0100
From:   "Jason A. Donenfeld" <Jason@...c4.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org
Subject: [GIT PULL] random number generator fixes for 6.2-rc1

Hi Linus,

Please pull the following random number generator updates for 6.2-rc1:

- Replacing prandom_u32_max() and various open-coded variants of it, there is
  now a new family of functions that uses fast rejection sampling to choose
  properly uniformly random numbers within an interval:

    * get_random_u32_below(ceil) - [0, ceil)
    * get_random_u32_above(floor) - (floor, U32_MAX]
    * get_random_u32_inclusive(floor, ceil) - [floor, ceil]
 
  Coccinelle was used to convert all current users of prandom_u32_max(), as
  well as many open-coded patterns, resulting in improvements throughout the
  tree.

  I'll have a "late" 6.1-rc1 pull for you that removes the now unused
  prandom_u32_max() function, just in case any other trees add a new use case
  of it that needs to converted. According to linux-next, there may be two
  trivial cases of prandom_u32_max() reintroductions that are fixable with a
  's/.../.../'. So I'll have for you a final conversion patch doing that
  alongside the removal patch during the second week, before you cut rc1.

  This is a treewide change that touches many files throughout, so it would
  probably make sense to merge this pull early.

- More consistent use of get_random_canary().

- Updates to comments, documentation, tests, headers, and simplification in
  configuration.

- The arch_get_random*_early() abstraction was only used by arm64 and wasn't
  entirely useful, so this has been replaced by code that works in all
  relevant contexts.

- The kernel will use and manage random seeds in non-volatile EFI variables,
  refreshing a variable with a fresh seed when the RNG is initialized. The RNG
  GUID namespace is then hidden from efivarfs to prevent accidental leakage.

  These changes are split into random.c infrastructure code used in the EFI
  subsystem, in this pull request, and related support inside of EFISTUB, in
  Ard's EFI tree. These are co-dependent for full functionality, but the order
  of merging doesn't matter.

- Part of the infrastructure added for the EFI support is also used for an
  improvement to the way vsprintf initializes its siphash key, replacing an
  sleep loop wart.

- The hardware RNG framework now always calls its correct random.c input
  function, add_hwgenerator_randomness(), rather than sometimes going through
  helpers better suited for other cases.

- The add_latent_entropy() function has long been called from the fork
  handler, but is a no-op when the latent entropy gcc plugin isn't used,
  which is fine for the purposes of latent entropy. But it was missing out on
  the cycle counter that was also being mixed in beside the latent entropy
  variable. So now, if the latent entropy gcc plugin isn't enabled,
  add_latent_entropy() will expand to a call to add_device_randomness(NULL,
  0), which adds a cycle counter, without the absent latent entropy variable.

- The RNG is now reseeded from a delayed worker, rather than on demand when
  used. Always running from a worker allows it to make use of the CPU RNG on
  platforms like S390x, whose instructions are too slow to do so from
  interrupts. It also has the effect of adding in new inputs more frequently
  with more regularity, amounting to a long term transcript of random values.
  Plus, it helps a bit with the upcoming vDSO implementation (which isn't yet
  ready for 6.2).

- The jitter entropy algorithm now tries to execute on many different CPUs,
  round-robining, in hopes of hitting even more memory latencies and other
  unpredictable effects. It also will mix in a cycle counter when the entropy
  timer fires, in addition to being mixed in from the main loop, to account
  more explicitly for fluctuations in that timer firing. And the state it
  touches is now kept within the same cache line, so that it's assured that
  the different execution contexts will cause latencies.

There are also a few RNG-related changes that will be arriving to you via
other trees:

- The hardware RNG framework will now pass creditable randomness from much
  more dedicated RNG hardware than before, which lets the RNG be initialized
  even faster on various hardware without RDRAND but with a dedicated RNG
  chip. Along with many other changes here and in random.c throughout the last
  few cycles, the overall push has been centered around trying to productively
  make use of all of the various random sources the kernel has access to, in
  hopes of chipping away at the boot time entropy availability issue.

- EFISTUB will concatenate seeds passed via an EFI configuration table along
  with the ones it generates, so that EFI bootloaders, such as systemd-boot or
  systemd-stub, can do their own RNG seed management using various writable
  media available to those bootloaders, and then pass the seed on directly to
  the kernel, so that it's used at the earliest available opportunity in boot.
  The code for this is already in the systemd tree and will be part of their
  next release. Hopefully other bootloaders will also follow that pattern.

- Since get_random_long() now always makes use of RDRAND (if available) before
  the RNG is fully initialized, calling get_random_long() is always better
  during all stages of boot than calling arch_get_random_longs() directly. So
  the x86 espfix code no arranges its slots based on a call to get_random_long(),
  rather than calling RDRAND/RDTSC itself. This is part of a larger effort to
  cleanup direct calls to arch_get_random_*(), which is more of a private
  implementation detail of random.c than a general purpose API. After this
  reaches your tree from tip, I'll have an archrandom.h cleanup patch as part
  of my "late" 6.2-rc1 pull.

Thanks,
Jason

The following changes since commit 094226ad94f471a9f19e8f8e7140a09c2625abaa:

  Linux 6.1-rc5 (2022-11-13 13:12:55 -0800)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/crng/random.git tags/random-6.2-rc1-for-linus

for you to fetch changes up to 3e6743e28b9b43d37ced234bdf8e19955d0216f8:

  random: include <linux/once.h> in the right header (2022-12-04 14:37:08 +0100)

----------------------------------------------------------------
Random number generator fixes for Linux 6.2-rc1.
----------------------------------------------------------------
Christophe JAILLET (1):
      random: include <linux/once.h> in the right header

Jason A. Donenfeld (22):
      kcsan: remove rng selftest
      random: use rejection sampling for uniform bounded random integers
      random: add helpers for random numbers with given floor or range
      treewide: use get_random_u32_below() instead of deprecated function
      treewide: use get_random_u32_{above,below}() instead of manual loop
      treewide: use get_random_u32_inclusive() when possible
      stackprotector: move get_random_canary() into stackprotector.h
      stackprotector: actually use get_random_canary()
      random: use random.trust_{bootloader,cpu} command line option only
      random: remove early archrandom abstraction
      random: adjust comment to account for removed function
      random: modernize documentation comment on get_random_bytes()
      hw_random: use add_hwgenerator_randomness() for early entropy
      random: always mix cycle counter in add_latent_entropy()
      random: reseed in delayed work rather than on-demand
      random: add back async readiness notifier
      vsprintf: initialize siphash key using notifier
      efi: random: refresh non-volatile random seed when RNG is initialized
      random: remove extraneous period and add a missing one in comments
      random: spread out jitter callback to different CPUs
      random: mix in cycle counter when jitter timer fires
      random: align entropy_timer_state to cache line

 Documentation/admin-guide/kernel-parameters.txt    |  20 +-
 arch/arm/include/asm/stackprotector.h              |   9 +-
 arch/arm/kernel/process.c                          |   2 +-
 arch/arm64/include/asm/archrandom.h                |  48 +---
 arch/arm64/include/asm/stackprotector.h            |   9 +-
 arch/arm64/kernel/process.c                        |   2 +-
 arch/csky/include/asm/stackprotector.h             |  10 +-
 arch/loongarch/kernel/process.c                    |   2 +-
 arch/loongarch/kernel/vdso.c                       |   2 +-
 arch/mips/include/asm/stackprotector.h             |   9 +-
 arch/mips/kernel/process.c                         |   2 +-
 arch/mips/kernel/vdso.c                            |   2 +-
 arch/parisc/kernel/vdso.c                          |   2 +-
 arch/powerpc/configs/microwatt_defconfig           |   1 -
 arch/powerpc/crypto/crc-vpmsum_test.c              |   4 +-
 arch/powerpc/include/asm/stackprotector.h          |  10 +-
 arch/powerpc/kernel/process.c                      |   2 +-
 arch/riscv/include/asm/stackprotector.h            |  10 +-
 arch/s390/configs/debug_defconfig                  |   2 -
 arch/s390/configs/defconfig                        |   2 -
 arch/s390/configs/zfcpdump_defconfig               |   1 -
 arch/s390/kernel/process.c                         |   2 +-
 arch/s390/kernel/vdso.c                            |   2 +-
 arch/sh/include/asm/stackprotector.h               |  10 +-
 arch/sparc/vdso/vma.c                              |   2 +-
 arch/um/kernel/process.c                           |   2 +-
 arch/x86/entry/vdso/vma.c                          |   2 +-
 arch/x86/include/asm/stackprotector.h              |  14 +-
 arch/x86/kernel/cpu/common.c                       |   2 +-
 arch/x86/kernel/module.c                           |   2 +-
 arch/x86/kernel/process.c                          |   2 +-
 arch/x86/kernel/setup_percpu.c                     |   2 +-
 arch/x86/kernel/smpboot.c                          |   1 +
 arch/x86/mm/pat/cpa-test.c                         |   4 +-
 arch/x86/xen/enlighten_pv.c                        |   2 +-
 arch/xtensa/include/asm/stackprotector.h           |   9 +-
 crypto/rsa-pkcs1pad.c                              |   2 +-
 crypto/testmgr.c                                   |  86 +++----
 drivers/block/drbd/drbd_receiver.c                 |   4 +-
 drivers/bus/mhi/host/internal.h                    |   2 +-
 drivers/char/Kconfig                               |  36 ---
 drivers/char/hw_random/core.c                      |   8 +-
 drivers/char/random.c                              | 261 ++++++++++++++-------
 drivers/dma-buf/st-dma-fence-chain.c               |   6 +-
 drivers/firmware/efi/efi.c                         |  19 ++
 drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c     |   2 +-
 .../gpu/drm/i915/gt/intel_execlists_submission.c   |   2 +-
 drivers/gpu/drm/i915/intel_memory_region.c         |   4 +-
 drivers/infiniband/core/cma.c                      |   2 +-
 drivers/infiniband/hw/cxgb4/id_table.c             |   4 +-
 drivers/infiniband/hw/hns/hns_roce_ah.c            |   5 +-
 drivers/infiniband/ulp/rtrs/rtrs-clt.c             |   2 +-
 drivers/md/bcache/request.c                        |   2 +-
 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c      |   8 +-
 drivers/media/test-drivers/vidtv/vidtv_demod.c     |   8 +-
 .../media/test-drivers/vivid/vivid-kthread-cap.c   |   2 +-
 .../media/test-drivers/vivid/vivid-kthread-out.c   |   2 +-
 drivers/media/test-drivers/vivid/vivid-radio-rx.c  |   4 +-
 drivers/media/test-drivers/vivid/vivid-sdr-cap.c   |   2 +-
 drivers/media/test-drivers/vivid/vivid-touch-cap.c |   2 +-
 drivers/mmc/core/core.c                            |   4 +-
 drivers/mmc/host/dw_mmc.c                          |   2 +-
 drivers/mtd/nand/raw/nandsim.c                     |   4 +-
 drivers/mtd/tests/mtd_nandecctest.c                |  10 +-
 drivers/mtd/tests/stresstest.c                     |   8 +-
 drivers/mtd/ubi/debug.c                            |   2 +-
 drivers/mtd/ubi/debug.h                            |   6 +-
 drivers/net/ethernet/broadcom/cnic.c               |   2 +-
 .../chelsio/inline_crypto/chtls/chtls_io.c         |   4 +-
 drivers/net/phy/at803x.c                           |   2 +-
 drivers/net/team/team_mode_random.c                |   2 +-
 drivers/net/wireguard/selftest/allowedips.c        |  20 +-
 drivers/net/wireguard/timers.c                     |   4 +-
 .../net/wireless/broadcom/brcm80211/brcmfmac/p2p.c |   2 +-
 drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c  |   2 +-
 drivers/pci/p2pdma.c                               |   2 +-
 drivers/s390/scsi/zfcp_fc.c                        |   2 +-
 drivers/scsi/fcoe/fcoe_ctlr.c                      |   4 +-
 drivers/scsi/qedi/qedi_main.c                      |   2 +-
 drivers/scsi/scsi_debug.c                          |   6 +-
 fs/ceph/inode.c                                    |   2 +-
 fs/ceph/mdsmap.c                                   |   2 +-
 fs/ext2/ialloc.c                                   |   2 +-
 fs/ext4/ialloc.c                                   |   2 +-
 fs/ext4/mmp.c                                      |   8 +-
 fs/ext4/super.c                                    |   5 +-
 fs/f2fs/gc.c                                       |   2 +-
 fs/f2fs/segment.c                                  |   8 +-
 fs/ubifs/debug.c                                   |   8 +-
 fs/ubifs/lpt_commit.c                              |  14 +-
 fs/ubifs/tnc_commit.c                              |   2 +-
 fs/xfs/libxfs/xfs_alloc.c                          |   2 +-
 fs/xfs/libxfs/xfs_ialloc.c                         |   2 +-
 fs/xfs/xfs_error.c                                 |   2 +-
 include/linux/damon.h                              |   2 +-
 include/linux/nodemask.h                           |   2 +-
 include/linux/prandom.h                            |  19 +-
 include/linux/random.h                             | 102 +++++---
 include/linux/stackprotector.h                     |  19 ++
 kernel/bpf/core.c                                  |   4 +-
 kernel/fork.c                                      |   2 +-
 kernel/kcsan/selftest.c                            |  12 +-
 kernel/locking/test-ww_mutex.c                     |   4 +-
 kernel/time/clocksource.c                          |   2 +-
 lib/fault-inject.c                                 |   2 +-
 lib/find_bit_benchmark.c                           |   4 +-
 lib/kobject.c                                      |   2 +-
 lib/reed_solomon/test_rslib.c                      |   6 +-
 lib/sbitmap.c                                      |   4 +-
 lib/test-string_helpers.c                          |   2 +-
 lib/test_fprobe.c                                  |   5 +-
 lib/test_hexdump.c                                 |  10 +-
 lib/test_kprobes.c                                 |   5 +-
 lib/test_list_sort.c                               |   2 +-
 lib/test_printf.c                                  |   2 +-
 lib/test_rhashtable.c                              |   6 +-
 lib/test_vmalloc.c                                 |   8 +-
 lib/vsprintf.c                                     |  14 +-
 mm/kasan/kasan_test.c                              |   6 +-
 mm/kfence/core.c                                   |   4 +-
 mm/kfence/kfence_test.c                            |   4 +-
 mm/slub.c                                          |   2 +-
 mm/swapfile.c                                      |   5 +-
 net/802/garp.c                                     |   2 +-
 net/802/mrp.c                                      |   2 +-
 net/batman-adv/bat_iv_ogm.c                        |   4 +-
 net/batman-adv/bat_v_elp.c                         |   2 +-
 net/batman-adv/bat_v_ogm.c                         |   4 +-
 net/batman-adv/network-coding.c                    |   2 +-
 net/bluetooth/mgmt.c                               |   5 +-
 net/can/j1939/socket.c                             |   2 +-
 net/can/j1939/transport.c                          |   2 +-
 net/ceph/mon_client.c                              |   2 +-
 net/ceph/osd_client.c                              |   2 +-
 net/core/neighbour.c                               |   4 +-
 net/core/pktgen.c                                  |  37 ++-
 net/core/stream.c                                  |   2 +-
 net/ipv4/icmp.c                                    |   2 +-
 net/ipv4/igmp.c                                    |   6 +-
 net/ipv4/inet_connection_sock.c                    |   2 +-
 net/ipv4/inet_hashtables.c                         |   2 +-
 net/ipv4/route.c                                   |   4 +-
 net/ipv4/tcp_bbr.c                                 |   2 +-
 net/ipv4/tcp_input.c                               |   3 +-
 net/ipv6/addrconf.c                                |   8 +-
 net/ipv6/mcast.c                                   |  10 +-
 net/ipv6/output_core.c                             |   8 +-
 net/ipv6/route.c                                   |   2 +-
 net/netfilter/ipvs/ip_vs_twos.c                    |   4 +-
 net/netfilter/nf_conntrack_core.c                  |   4 +-
 net/netfilter/nf_nat_helper.c                      |   2 +-
 net/netlink/af_netlink.c                           |   2 +-
 net/packet/af_packet.c                             |   4 +-
 net/sched/act_gact.c                               |   2 +-
 net/sched/act_sample.c                             |   2 +-
 net/sched/sch_choke.c                              |   2 +-
 net/sched/sch_netem.c                              |   4 +-
 net/sctp/socket.c                                  |   2 +-
 net/sctp/transport.c                               |   2 +-
 net/sunrpc/cache.c                                 |   2 +-
 net/sunrpc/xprtsock.c                              |   2 +-
 net/tipc/socket.c                                  |   2 +-
 net/vmw_vsock/af_vsock.c                           |   3 +-
 net/xfrm/xfrm_state.c                              |   2 +-
 .../testing/selftests/wireguard/qemu/kernel.config |   2 -
 165 files changed, 611 insertions(+), 649 deletions(-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ