[v7,4/4] random: mix bootloader randomness into pool

Message ID	20211228153826.448805-4-Jason@zx2c4.com
State	New
Headers	show Return-Path: <linux-efi-owner@kernel.org> From: "Jason A. Donenfeld" <Jason@zx2c4.com> To: linux-kernel@vger.kernel.org, Dominik Brodowski <linux@dominikbrodowski.net>, "Theodore Ts'o" <tytso@mit.edu>, Hsin-Yi Wang <hsinyi@chromium.org>, "Ivan T. Ivanov" <iivanov@suse.de>, Ard Biesheuvel <ardb@kernel.org>, linux-efi@vger.kernel.org Cc: "Jason A. Donenfeld" <Jason@zx2c4.com> Subject: [PATCH v7 4/4] random: mix bootloader randomness into pool Date: Tue, 28 Dec 2021 16:38:26 +0100 Message-Id: <20211228153826.448805-4-Jason@zx2c4.com> In-Reply-To: <20211228153826.448805-1-Jason@zx2c4.com> References: <CAHmME9qC2iX5EvDLj5YBZBdDJ_n8xTUYZT73qonsEhbKCwizFw@mail.gmail.com> <20211228153826.448805-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [v7,2/4] random: do not re-init if crng_reseed completes before primary init [v7,4/4] random: mix bootloader randomness into pool [v8,5/7] random: harmonize "crng init done" messages [v8,6/7] random: early initialization of ChaCha constants

Message ID

20211228153826.448805-4-Jason@zx2c4.com

State

New

Headers

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: linux-kernel@vger.kernel.org,
        Dominik Brodowski <linux@dominikbrodowski.net>,
        "Theodore Ts'o" <tytso@mit.edu>,
        Hsin-Yi Wang <hsinyi@chromium.org>,
        "Ivan T. Ivanov" <iivanov@suse.de>,
        Ard Biesheuvel <ardb@kernel.org>, linux-efi@vger.kernel.org
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: [PATCH v7 4/4] random: mix bootloader randomness into pool
Date: Tue, 28 Dec 2021 16:38:26 +0100
Message-Id: <20211228153826.448805-4-Jason@zx2c4.com>
In-Reply-To: <20211228153826.448805-1-Jason@zx2c4.com>
References: 
 <CAHmME9qC2iX5EvDLj5YBZBdDJ_n8xTUYZT73qonsEhbKCwizFw@mail.gmail.com>
 <20211228153826.448805-1-Jason@zx2c4.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

None | expand

Commit Message

Jason A. Donenfeld Dec. 28, 2021, 3:38 p.m. UTC

If we're trusting bootloader randomness, crng_fast_load() is called by
add_hwgenerator_randomness(), which sets us to crng_init==1. However, if
it's not called after that initial 64-byte push, it won't additionally
mix any bytes into the entropy pool. So it's conceivable that
crng_init==1 when later crng_initialize_primary() is called, but the
entropy pool is empty. When that happens, the crng state key will then
be overwritten with extracted output from the empty input pool. That's
bad.

In contrast, if we're not trusting bootloader randomness, we call
crng_slow_load() *and* we call mix_pool_bytes(), so that later
crng_initialize_primary() isn't drawing on nothing.

In order to prevent crng_initialize_primary() from extracting an empty
pool, have the trusted bootloader case mirror that of the untrusted
bootloader case, mixing the input into the pool.

Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 drivers/char/random.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index 020443e34603..3499f6762ac1 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -2298,6 +2298,7 @@  void add_hwgenerator_randomness(const char *buffer, size_t count,
 
 	if (unlikely(crng_init == 0)) {
 		size_t ret = crng_fast_load(buffer, count);
+		mix_pool_bytes(poolp, buffer, ret);
 		count -= ret;
 		buffer += ret;
 		if (!count || crng_init == 0)

[v7,4/4] random: mix bootloader randomness into pool

Commit Message

Patch