From patchwork Tue Dec 28 15:38:24 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jason A. Donenfeld" X-Patchwork-Id: 528743 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A5D67C433F5 for ; Tue, 28 Dec 2021 15:39:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235359AbhL1PjD (ORCPT ); Tue, 28 Dec 2021 10:39:03 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43822 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235256AbhL1PjC (ORCPT ); Tue, 28 Dec 2021 10:39:02 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7D2B4C061574; Tue, 28 Dec 2021 07:39:02 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 57FA261237; Tue, 28 Dec 2021 15:39:01 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 01C58C36AE8; Tue, 28 Dec 2021 15:38:59 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="FbFcvSIr" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1640705938; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=OKTCkze0hqaEdMZ/cQLq0jKRXzl988fPbiom7x0AOK0=; b=FbFcvSIrWpVOOp++CfrP+mN1d4RAvR3bpETqJR5mATNe5c9918qwwZkySRY1V1LnTdYQ+g vD7ze4p+/cWvoPXFwCem3IQXbfjHH2l+X0pREr5MMngZp1reHdDn1pqOhaPvrY4tVKZgQ/ USBaA/NMHtmvlfWfXiZtUbCjOkRTDok= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 1055957f (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Tue, 28 Dec 2021 15:38:58 +0000 (UTC) From: "Jason A. Donenfeld" To: linux-kernel@vger.kernel.org, Dominik Brodowski , "Theodore Ts'o" , Hsin-Yi Wang , "Ivan T. Ivanov" , Ard Biesheuvel , linux-efi@vger.kernel.org Cc: "Jason A. Donenfeld" Subject: [PATCH v7 2/4] random: do not re-init if crng_reseed completes before primary init Date: Tue, 28 Dec 2021 16:38:24 +0100 Message-Id: <20211228153826.448805-2-Jason@zx2c4.com> In-Reply-To: <20211228153826.448805-1-Jason@zx2c4.com> References: <20211228153826.448805-1-Jason@zx2c4.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-efi@vger.kernel.org If the bootloader supplies sufficient material and crng_reseed() is called very early on, but not too early that wqs aren't available yet, then we might transition to crng_init==2 before rand_initialize()'s call to crng_initialize_primary() made. Then, when crng_initialize_primary() is called, if we're trusting the CPU's RDRAND instructions, we'll needlessly reinitialize the RNG and emit a message about it. This is mostly harmless, as numa_crng_init() will allocate and then free what it just allocated, and excessive calls to invalidate_batched_entropy() aren't so harmful. But it is funky and the extra message is confusing, so avoid the re-initialization all together by checking for crng_init < 2 in crng_initialize_primary(), just as we already do in crng_reseed(). Cc: Dominik Brodowski Signed-off-by: Jason A. Donenfeld --- drivers/char/random.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index b003e266a499..95aac486177e 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -827,7 +827,7 @@ static void __init crng_initialize_primary(struct crng_state *crng) { chacha_init_consts(crng->state); _extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0); - if (crng_init_try_arch_early(crng) && trust_cpu) { + if (crng_init_try_arch_early(crng) && trust_cpu && crng_init < 2) { invalidate_batched_entropy(); numa_crng_init(); crng_init = 2; From patchwork Tue Dec 28 15:38:26 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jason A. Donenfeld" X-Patchwork-Id: 528742 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D48CC433FE for ; Tue, 28 Dec 2021 15:39:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235369AbhL1PjK (ORCPT ); Tue, 28 Dec 2021 10:39:10 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43864 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235383AbhL1PjK (ORCPT ); Tue, 28 Dec 2021 10:39:10 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 89366C061574; Tue, 28 Dec 2021 07:39:09 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 29E5F61196; Tue, 28 Dec 2021 15:39:09 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 01D9EC36AE8; Tue, 28 Dec 2021 15:39:07 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="VGuCrq9g" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1640705947; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ANfqn58pkIJbbIFqryT56GHdUs/idxcpyxgLxPbdpfc=; b=VGuCrq9g45ctfoWWh9fS0Q+bf4HS8vN+Vm6j2ObeBJCcJhvcpK2vtiPUe/DdOK8EreiA+B RTSGeNvs2W3FBQ7kDeNVXwUV6QLQMZayjUXU46G8R1Iu8hcDnEqkCJ9maQ5UkRb4r6yuxT NjS9Owv+SDl227XtX7qls9/INeu3vbQ= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 6bd5c1c0 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Tue, 28 Dec 2021 15:39:07 +0000 (UTC) From: "Jason A. Donenfeld" To: linux-kernel@vger.kernel.org, Dominik Brodowski , "Theodore Ts'o" , Hsin-Yi Wang , "Ivan T. Ivanov" , Ard Biesheuvel , linux-efi@vger.kernel.org Cc: "Jason A. Donenfeld" Subject: [PATCH v7 4/4] random: mix bootloader randomness into pool Date: Tue, 28 Dec 2021 16:38:26 +0100 Message-Id: <20211228153826.448805-4-Jason@zx2c4.com> In-Reply-To: <20211228153826.448805-1-Jason@zx2c4.com> References: <20211228153826.448805-1-Jason@zx2c4.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-efi@vger.kernel.org If we're trusting bootloader randomness, crng_fast_load() is called by add_hwgenerator_randomness(), which sets us to crng_init==1. However, if it's not called after that initial 64-byte push, it won't additionally mix any bytes into the entropy pool. So it's conceivable that crng_init==1 when later crng_initialize_primary() is called, but the entropy pool is empty. When that happens, the crng state key will then be overwritten with extracted output from the empty input pool. That's bad. In contrast, if we're not trusting bootloader randomness, we call crng_slow_load() *and* we call mix_pool_bytes(), so that later crng_initialize_primary() isn't drawing on nothing. In order to prevent crng_initialize_primary() from extracting an empty pool, have the trusted bootloader case mirror that of the untrusted bootloader case, mixing the input into the pool. Cc: Dominik Brodowski Signed-off-by: Jason A. Donenfeld --- drivers/char/random.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/char/random.c b/drivers/char/random.c index 020443e34603..3499f6762ac1 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -2298,6 +2298,7 @@ void add_hwgenerator_randomness(const char *buffer, size_t count, if (unlikely(crng_init == 0)) { size_t ret = crng_fast_load(buffer, count); + mix_pool_bytes(poolp, buffer, ret); count -= ret; buffer += ret; if (!count || crng_init == 0) From patchwork Wed Dec 29 21:10:07 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dominik Brodowski X-Patchwork-Id: 528882 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8A85AC4332F for ; Wed, 29 Dec 2021 21:13:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232011AbhL2VNx (ORCPT ); Wed, 29 Dec 2021 16:13:53 -0500 Received: from isilmar-4.linta.de ([136.243.71.142]:33320 "EHLO isilmar-4.linta.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231288AbhL2VNu (ORCPT ); Wed, 29 Dec 2021 16:13:50 -0500 X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES Received: from owl.dominikbrodowski.net (owl.brodo.linta [10.2.0.111]) by isilmar-4.linta.de (Postfix) with ESMTPSA id 1F5CB200278; Wed, 29 Dec 2021 21:13:48 +0000 (UTC) Received: by owl.dominikbrodowski.net (Postfix, from userid 1000) id D6AA180F5A; Wed, 29 Dec 2021 22:10:18 +0100 (CET) From: Dominik Brodowski To: "Jason A . Donenfeld" Cc: linux-kernel@vger.kernel.org, Theodore Ts'o , "Ivan T . Ivanov" , Ard Biesheuvel , linux-efi@vger.kernel.org, linux@dominikbrodowski.net Subject: [PATCH v8 5/7] random: harmonize "crng init done" messages Date: Wed, 29 Dec 2021 22:10:07 +0100 Message-Id: <20211229211009.108091-5-linux@dominikbrodowski.net> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20211229211009.108091-1-linux@dominikbrodowski.net> References: <20211228153826.448805-1-Jason@zx2c4.com> <20211229211009.108091-1-linux@dominikbrodowski.net> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-efi@vger.kernel.org We print out "crng init done" for !TRUST_CPU, so we should also print out the same for TRUST_CPU. Signed-off-by: Dominik Brodowski --- drivers/char/random.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 9d4e1907e4b1..9b5eb6cf82ce 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -831,7 +831,7 @@ static void __init crng_initialize_primary(struct crng_state *crng) invalidate_batched_entropy(); numa_crng_init(); crng_init = 2; - pr_notice("crng done (trusting CPU's manufacturer)\n"); + pr_notice("crng init done (trusting CPU's manufacturer)\n"); } crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; } From patchwork Wed Dec 29 21:10:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dominik Brodowski X-Patchwork-Id: 528881 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DBE73C4321E for ; Wed, 29 Dec 2021 21:13:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232446AbhL2VN4 (ORCPT ); Wed, 29 Dec 2021 16:13:56 -0500 Received: from isilmar-4.linta.de ([136.243.71.142]:33348 "EHLO isilmar-4.linta.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231682AbhL2VNw (ORCPT ); Wed, 29 Dec 2021 16:13:52 -0500 X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES Received: from owl.dominikbrodowski.net (owl.brodo.linta [10.2.0.111]) by isilmar-4.linta.de (Postfix) with ESMTPSA id 904D120136C; Wed, 29 Dec 2021 21:13:48 +0000 (UTC) Received: by owl.dominikbrodowski.net (Postfix, from userid 1000) id 77F7580F5C; Wed, 29 Dec 2021 22:10:19 +0100 (CET) From: Dominik Brodowski To: "Jason A . Donenfeld" Cc: linux-kernel@vger.kernel.org, Theodore Ts'o , "Ivan T . Ivanov" , Ard Biesheuvel , linux-efi@vger.kernel.org, linux@dominikbrodowski.net Subject: [PATCH v8 6/7] random: early initialization of ChaCha constants Date: Wed, 29 Dec 2021 22:10:08 +0100 Message-Id: <20211229211009.108091-6-linux@dominikbrodowski.net> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20211229211009.108091-1-linux@dominikbrodowski.net> References: <20211228153826.448805-1-Jason@zx2c4.com> <20211229211009.108091-1-linux@dominikbrodowski.net> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-efi@vger.kernel.org Previously, the ChaCha constants for the primary pool were only initialized once rand_initialize() calls crng_initialize_primary(). However, some randomness is actually extracted from the primary pool beforehand, e.g. by kmem_cache_create(). Therefore, statically initialize the ChaCha constants for the primary pool. In exchange, we can remove the dynamic initialization in crng_initialize_primary(), as it is only called - as the name suggests - for the primary pool. Therefore, no parameter to this function is needed. Signed-off-by: Dominik Brodowski --- drivers/char/random.c | 10 +++++++--- include/crypto/chacha.h | 15 +++++++++++---- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 9b5eb6cf82ce..a5bf662578cb 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -457,6 +457,10 @@ struct crng_state { static struct crng_state primary_crng = { .lock = __SPIN_LOCK_UNLOCKED(primary_crng.lock), + .state[0] = CHACHA_CONSTANT_EXPA, /* "expa" */ + .state[1] = CHACHA_CONSTANT_ND_3, /* "nd 3" */ + .state[2] = CHACHA_CONSTANT_2_BY, /* "2-by" */ + .state[3] = CHACHA_CONSTANT_TE_K, /* "te k" */ }; /* @@ -823,9 +827,9 @@ static void __maybe_unused crng_initialize_secondary(struct crng_state *crng) crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; } -static void __init crng_initialize_primary(struct crng_state *crng) +static void __init crng_initialize_primary(void) { - chacha_init_consts(crng->state); + struct crng_state *crng = &primary_crng; _extract_entropy(&input_pool, &crng->state[4], sizeof(__u32) * 12, 0); if (crng_init_try_arch_early(crng) && trust_cpu && crng_init < 2) { invalidate_batched_entropy(); @@ -1797,7 +1801,7 @@ int __init rand_initialize(void) init_std_data(&input_pool); if (crng_need_final_init) crng_finalize_init(&primary_crng); - crng_initialize_primary(&primary_crng); + crng_initialize_primary(); crng_global_init_time = jiffies; if (ratelimit_disable) { urandom_warning.interval = 0; diff --git a/include/crypto/chacha.h b/include/crypto/chacha.h index dabaee698718..147e56fc755e 100644 --- a/include/crypto/chacha.h +++ b/include/crypto/chacha.h @@ -47,12 +47,19 @@ static inline void hchacha_block(const u32 *state, u32 *out, int nrounds) hchacha_block_generic(state, out, nrounds); } +enum chacha_constants { /* expand 32-byte k */ + CHACHA_CONSTANT_EXPA = 0x61707865U, + CHACHA_CONSTANT_ND_3 = 0x3320646eU, + CHACHA_CONSTANT_2_BY = 0x79622d32U, + CHACHA_CONSTANT_TE_K = 0x6b206574U +}; + static inline void chacha_init_consts(u32 *state) { - state[0] = 0x61707865; /* "expa" */ - state[1] = 0x3320646e; /* "nd 3" */ - state[2] = 0x79622d32; /* "2-by" */ - state[3] = 0x6b206574; /* "te k" */ + state[0] = CHACHA_CONSTANT_EXPA; /* "expa" */ + state[1] = CHACHA_CONSTANT_ND_3; /* "nd 3" */ + state[2] = CHACHA_CONSTANT_2_BY; /* "2-by" */ + state[3] = CHACHA_CONSTANT_TE_K; /* "te k" */ } void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);