lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID:
 <SN6PR02MB41576DD458EB3C72F3784EDBD4292@SN6PR02MB4157.namprd02.prod.outlook.com>
Date: Thu, 14 Mar 2024 00:30:06 +0000
From: Michael Kelley <mhklinux@...look.com>
To: "Jason A. Donenfeld" <Jason@...c4.com>
CC: "haiyangz@...rosoft.com" <haiyangz@...rosoft.com>, "wei.liu@...nel.org"
	<wei.liu@...nel.org>, "decui@...rosoft.com" <decui@...rosoft.com>,
	"tglx@...utronix.de" <tglx@...utronix.de>, "mingo@...hat.com"
	<mingo@...hat.com>, "bp@...en8.de" <bp@...en8.de>,
	"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>, "hpa@...or.com"
	<hpa@...or.com>, "arnd@...db.de" <arnd@...db.de>, "tytso@....edu"
	<tytso@....edu>, "x86@...nel.org" <x86@...nel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
	"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>
Subject: RE: [PATCH v2 1/1] x86/hyperv: Use Hyper-V entropy to seed guest
 random number generator

From: Jason A. Donenfeld <Jason@...c4.com> Sent: Wednesday, March 13, 2024 4:33 PM
> 
> Hi Michael,
> 
> On Thu, Mar 07, 2024 at 10:48:20AM -0800, mhkelley58@...il.com wrote:
> > +	/*
> > +	 * Seed the Linux random number generator with entropy provided by
> > +	 * the Hyper-V host in ACPI table OEM0.  It would be nice to do this
> > +	 * even earlier in ms_hyperv_init_platform(), but the ACPI subsystem
> > +	 * isn't set up at that point. Skip if booted via EFI as generic EFI
> > +	 * code has already done some seeding using the EFI RNG protocol.
> > +	 */
> > +	if (!IS_ENABLED(CONFIG_ACPI) || efi_enabled(EFI_BOOT))
> > +		return;
> 
> Even if EFI seeds the kernel using its own code, if this is available,
> it should be used too. So I think you should remove the `|| efi_enabled(EFI_BOOT)`
> part and let the add_bootloader_randomness() do what it wants with the
> entropy.

OK, fair enough.  But just to double-check:  When this is called,
the EFI RNG protocol has already invoked add_bootloader_randomness(),
 and this line has been output:

[    0.000000] random: crng init done

I don't see an obvious problem with calling add_bootloader_randomness()
again, but wanted to confirm.

Also, if we're adding this ACPI-based randomness for VMs that
boot via EFI, then for consistency we should use it on Hyper-V
based ARM64 VMs as well.

> 
> > +
> > +	status = acpi_get_table("OEM0", 0, &header);
> > +	if (ACPI_FAILURE(status) || !header)
> > +		return;
> > +
> > +	/*
> > +	 * Since the "OEM0" table name is for OEM specific usage, verify
> > +	 * that what we're seeing purports to be from Microsoft.
> > +	 */
> > +	if (strncmp(header->oem_table_id, "MICROSFT", 8))
> > +		goto error;
> > +
> > +	/*
> > +	 * Ensure the length is reasonable.  Requiring at least 32 bytes and
> > +	 * no more than 256 bytes is somewhat arbitrary.  Hyper-V currently
> > +	 * provides 64 bytes, but allow for a change in a later version.
> > +	 */
> > +	if (header->length < sizeof(*header) + 32 ||
> > +	    header->length > sizeof(*header) + 256)
> 
> What's the point of the lower bound? Obviously skip for 0, but if
> there's only 16 bytes, cool, 16 bytes is good and can't hurt.
> 
> For the upper bound, I understand you need some sanity check. Why not
> put it a bit higher, though, at SZ_4K or something? Can't hurt.

Both bounds are just a check for bogusness.  Having the hypervisor
provide just 4 bytes (for example) of randomness seems like
there might be something weird going on.  But widening the bounds
is fine with me.  I'll use "8" and "SZ_4K".

> 
> > +		goto error;
> > +
> > +	length = header->length - sizeof(*header);
> > +	randomdata = (u8 *)(header + 1);
> > +
> > +	pr_debug("Hyper-V: Seeding rng with %d random bytes from ACPI table OEM0\n",
> > +			length);
> > +
> > +	add_bootloader_randomness(randomdata, length);
> > +
> > +	/*
> > +	 * To prevent the seed data from being visible in /sys/firmware/acpi,
> > +	 * zero out the random data in the ACPI table and fixup the checksum.
> > +	 */
> > +	for (i = 0; i < length; i++) {
> > +		header->checksum += randomdata[i];
> > +		randomdata[i] = 0;
> > +	}
> 
> Seems dangerous for kexec and such. What if, in addition to zeroing out
> the actual data, you also set header->length to 0, so that it doesn't
> get used again as 32 bytes of known zeros?

What's your take on the whole idea of zero'ing the random data?   I
saw the EFI RNG protocol handling was doing something roughly
similiar.  But yes, good point about kexec().  Zeroing the header->length
would make sense to prevent any re-use.

Thanks for reviewing -- I wanted to get the benefit of your expertise
in this area. :-)

Michael

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ