lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240326112137.GDZgKvwRHD4yQs3Zm-@fat_crate.local>
Date: Tue, 26 Mar 2024 12:21:37 +0100
From: Borislav Petkov <bp@...en8.de>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: x86@...nel.org, linux-coco@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	Daniel P . Berrangé <berrange@...hat.com>,
	Dave Hansen <dave.hansen@...ux.intel.com>,
	"H . Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Tom Lendacky <thomas.lendacky@....com>, stable@...r.kernel.org,
	Elena Reshetova <elena.reshetova@...el.com>,
	"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
	Theodore Ts'o <tytso@....edu>
Subject: Re: [PATCH v5] x86/coco: Require seeding RNG with RDRAND on CoCo
 systems

On Sat, Feb 24, 2024 at 02:18:56AM +0100, Jason A. Donenfeld wrote:
> +__init void cc_random_init(void)
> +{
> +	/*
> +	 * The seed is 32 bytes (in units of longs), which is 256 bits, which
> +	 * is the security level that the RNG is targeting.
> +	 */
> +	unsigned long rng_seed[32 / sizeof(long)];
> +	size_t i, longs;
> +
> +	if (!cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT))
> +		return;
> +
> +	/*
> +	 * Since the CoCo threat model includes the host, the only reliable
> +	 * source of entropy that can be neither observed nor manipulated is
> +	 * RDRAND. Usually, RDRAND failure is considered tolerable, but since
> +	 * CoCo guests have no other unobservable source of entropy, it's
> +	 * important to at least ensure the RNG gets some initial random seeds.
> +	 */
> +	for (i = 0; i < ARRAY_SIZE(rng_seed); i += longs) {
> +		longs = arch_get_random_longs(&rng_seed[i], ARRAY_SIZE(rng_seed) - i);
> +
> +		/*
> +		 * A zero return value means that the guest doesn't have RDRAND
> +		 * or the CPU is physically broken, and in both cases that
> +		 * means most crypto inside of the CoCo instance will be
> +		 * broken, defeating the purpose of CoCo in the first place. So
> +		 * just panic here because it's absolutely unsafe to continue
> +		 * executing.
> +		 */
> +		if (longs == 0)
> +			panic("RDRAND is defective.");
> +	}
> +	add_device_randomness(rng_seed, sizeof(rng_seed));
> +	memzero_explicit(rng_seed, sizeof(rng_seed));

Please redo your patch ontop of latest tip/master:

arch/x86/coco/core.c: In function ‘cc_random_init’:
arch/x86/coco/core.c:189:9: error: implicit declaration of function ‘memzero_explicit’ [-Werror=implicit-function-declaration]
  189 |         memzero_explicit(rng_seed, sizeof(rng_seed));
      |         ^~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:244: arch/x86/coco/core.o] Error 1
make[3]: *** [scripts/Makefile.build:485: arch/x86/coco] Error 2
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [scripts/Makefile.build:485: arch/x86] Error 2
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [/mnt/kernel/kernel/2nd/linux/Makefile:1919: .] Error 2
make: *** [Makefile:240: __sub-make] Error 2

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ