1. 22 2月, 2022 7 次提交
    • D
      random: fix locking for crng_init in crng_reseed() · 7191c628
      Dominik Brodowski 提交于
      crng_init is protected by primary_crng->lock. Therefore, we need
      to hold this lock when increasing crng_init to 2. As we shouldn't
      hold this lock for too long, only hold it for those parts which
      require protection.
      Signed-off-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      7191c628
    • J
      random: zero buffer after reading entropy from userspace · 7b5164fb
      Jason A. Donenfeld 提交于
      This buffer may contain entropic data that shouldn't stick around longer
      than needed, so zero out the temporary buffer at the end of write_pool().
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: NJann Horn <jannh@google.com>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      7b5164fb
    • J
      random: remove outdated INT_MAX >> 6 check in urandom_read() · 434537ae
      Jason A. Donenfeld 提交于
      In 79a84687 ("random: check for increase of entropy_count because of
      signed conversion"), a number of checks were added around what values
      were passed to account(), because account() was doing fancy fixed point
      fractional arithmetic, and a user had some ability to pass large values
      directly into it. One of things in that commit was limiting those values
      to INT_MAX >> 6. The first >> 3 was for bytes to bits, and the next >> 3
      was for bits to 1/8 fractional bits.
      
      However, for several years now, urandom reads no longer touch entropy
      accounting, and so this check serves no purpose. The current flow is:
      
      urandom_read_nowarn()-->get_random_bytes_user()-->chacha20_block()
      
      Of course, we don't want that size_t to be truncated when adding it into
      the ssize_t. But we arrive at urandom_read_nowarn() in the first place
      either via ordinary fops, which limits reads to MAX_RW_COUNT, or via
      getrandom() which limits reads to INT_MAX.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: NJann Horn <jannh@google.com>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      434537ae
    • J
      random: make more consistent use of integer types · 04ec96b7
      Jason A. Donenfeld 提交于
      We've been using a flurry of int, unsigned int, size_t, and ssize_t.
      Let's unify all of this into size_t where it makes sense, as it does in
      most places, and leave ssize_t for return values with possible errors.
      
      In addition, keeping with the convention of other functions in this
      file, functions that are dealing with raw bytes now take void *
      consistently instead of a mix of that and u8 *, because much of the time
      we're actually passing some other structure that is then interpreted as
      bytes by the function.
      
      We also take the opportunity to fix the outdated and incorrect comment
      in get_random_bytes_arch().
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: NJann Horn <jannh@google.com>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      04ec96b7
    • J
      random: use hash function for crng_slow_load() · 66e4c2b9
      Jason A. Donenfeld 提交于
      Since we have a hash function that's really fast, and the goal of
      crng_slow_load() is reportedly to "touch all of the crng's state", we
      can just hash the old state together with the new state and call it a
      day. This way we dont need to reason about another LFSR or worry about
      various attacks there. This code is only ever used at early boot and
      then never again.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      66e4c2b9
    • J
      random: use simpler fast key erasure flow on per-cpu keys · 186873c5
      Jason A. Donenfeld 提交于
      Rather than the clunky NUMA full ChaCha state system we had prior, this
      commit is closer to the original "fast key erasure RNG" proposal from
      <https://blog.cr.yp.to/20170723-random.html>, by simply treating ChaCha
      keys on a per-cpu basis.
      
      All entropy is extracted to a base crng key of 32 bytes. This base crng
      has a birthdate and a generation counter. When we go to take bytes from
      the crng, we first check if the birthdate is too old; if it is, we
      reseed per usual. Then we start working on a per-cpu crng.
      
      This per-cpu crng makes sure that it has the same generation counter as
      the base crng. If it doesn't, it does fast key erasure with the base
      crng key and uses the output as its new per-cpu key, and then updates
      its local generation counter. Then, using this per-cpu state, we do
      ordinary fast key erasure. Half of this first block is used to overwrite
      the per-cpu crng key for the next call -- this is the fast key erasure
      RNG idea -- and the other half, along with the ChaCha state, is returned
      to the caller. If the caller desires more than this remaining half, it
      can generate more ChaCha blocks, unlocked, using the now detached ChaCha
      state that was just returned. Crypto-wise, this is more or less what we
      were doing before, but this simply makes it more explicit and ensures
      that we always have backtrack protection by not playing games with a
      shared block counter.
      
      The flow looks like this:
      
      ──extract()──► base_crng.key ◄──memcpy()───┐
                         │                       │
                         └──chacha()──────┬─► new_base_key
                                          └─► crngs[n].key ◄──memcpy()───┐
                                                    │                    │
                                                    └──chacha()───┬─► new_key
                                                                  └─► random_bytes
                                                                            │
                                                                            └────►
      
      There are a few hairy details around early init. Just as was done
      before, prior to having gathered enough entropy, crng_fast_load() and
      crng_slow_load() dump bytes directly into the base crng, and when we go
      to take bytes from the crng, in that case, we're doing fast key erasure
      with the base crng rather than the fast unlocked per-cpu crngs. This is
      fine as that's only the state of affairs during very early boot; once
      the crng initializes we never use these paths again.
      
      In the process of all this, the APIs into the crng become a bit simpler:
      we have get_random_bytes(buf, len) and get_random_bytes_user(buf, len),
      which both do what you'd expect. All of the details of fast key erasure
      and per-cpu selection happen only in a very short critical section of
      crng_make_state(), which selects the right per-cpu key, does the fast
      key erasure, and returns a local state to the caller's stack. So, we no
      longer have a need for a separate backtrack function, as this happens
      all at once here. The API then allows us to extend backtrack protection
      to batched entropy without really having to do much at all.
      
      The result is a bit simpler than before and has fewer foot guns. The
      init time state machine also gets a lot simpler as we don't need to wait
      for workqueues to come online and do deferred work. And the multi-core
      performance should be increased significantly, by virtue of having hardly
      any locking on the fast path.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Dominik Brodowski <linux@dominikbrodowski.net>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Reviewed-by: NJann Horn <jannh@google.com>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      186873c5
    • J
      random: absorb fast pool into input pool after fast load · c30c575d
      Jason A. Donenfeld 提交于
      During crng_init == 0, we never credit entropy in add_interrupt_
      randomness(), but instead dump it directly into the primary_crng. That's
      fine, except for the fact that we then wind up throwing away that
      entropy later when we switch to extracting from the input pool and
      xoring into (and later in this series overwriting) the primary_crng key.
      The two other early init sites -- add_hwgenerator_randomness()'s use
      crng_fast_load() and add_device_ randomness()'s use of crng_slow_load()
      -- always additionally give their inputs to the input pool. But not
      add_interrupt_randomness().
      
      This commit fixes that shortcoming by calling mix_pool_bytes() after
      crng_fast_load() in add_interrupt_randomness(). That's partially
      verboten on PREEMPT_RT, where it implies taking spinlock_t from an IRQ
      handler. But this also only happens during early boot and then never
      again after that. Plus it's a trylock so it has the same considerations
      as calling crng_fast_load(), which we're already using.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Suggested-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      c30c575d
  2. 21 2月, 2022 13 次提交
    • J
      random: do not xor RDRAND when writing into /dev/random · 91c2afca
      Jason A. Donenfeld 提交于
      Continuing the reasoning of "random: ensure early RDSEED goes through
      mixer on init", we don't want RDRAND interacting with anything without
      going through the mixer function, as a backdoored CPU could presumably
      cancel out data during an xor, which it'd have a harder time doing when
      being forced through a cryptographic hash function. There's actually no
      need at all to be calling RDRAND in write_pool(), because before we
      extract from the pool, we always do so with 32 bytes of RDSEED hashed in
      at that stage. Xoring at this stage is needless and introduces a minor
      liability.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      91c2afca
    • J
      random: ensure early RDSEED goes through mixer on init · a02cf3d0
      Jason A. Donenfeld 提交于
      Continuing the reasoning of "random: use RDSEED instead of RDRAND in
      entropy extraction" from this series, at init time we also don't want to
      be xoring RDSEED directly into the crng. Instead it's safer to put it
      into our entropy collector and then re-extract it, so that it goes
      through a hash function with preimage resistance. As a matter of hygiene,
      we also order these now so that the RDSEED byte are hashed in first,
      followed by the bytes that are likely more predictable (e.g. utsname()).
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      a02cf3d0
    • J
      random: inline leaves of rand_initialize() · 85664172
      Jason A. Donenfeld 提交于
      This is a preparatory commit for the following one. We simply inline the
      various functions that rand_initialize() calls that have no other
      callers. The compiler was doing this anyway before. Doing this will
      allow us to reorganize this after. We can then move the trust_cpu and
      parse_trust_cpu definitions a bit closer to where they're actually used,
      which makes the code easier to read.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      85664172
    • J
      random: get rid of secondary crngs · a9412d51
      Jason A. Donenfeld 提交于
      As the comment said, this is indeed a "hack". Since it was introduced,
      it's been a constant state machine nightmare, with lots of subtle early
      boot issues and a wildly complex set of machinery to keep everything in
      sync. Rather than continuing to play whack-a-mole with this approach,
      this commit simply removes it entirely. This commit is preparation for
      "random: use simpler fast key erasure flow on per-cpu keys" in this
      series, which introduces a simpler (and faster) mechanism to accomplish
      the same thing.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      a9412d51
    • J
      random: use RDSEED instead of RDRAND in entropy extraction · 28f425e5
      Jason A. Donenfeld 提交于
      When /dev/random was directly connected with entropy extraction, without
      any expansion stage, extract_buf() was called for every 10 bytes of data
      read from /dev/random. For that reason, RDRAND was used rather than
      RDSEED. At the same time, crng_reseed() was still only called every 5
      minutes, so there RDSEED made sense.
      
      Those olden days were also a time when the entropy collector did not use
      a cryptographic hash function, which meant most bets were off in terms
      of real preimage resistance. For that reason too it didn't matter
      _that_ much whether RDSEED was mixed in before or after entropy
      extraction; both choices were sort of bad.
      
      But now we have a cryptographic hash function at work, and with that we
      get real preimage resistance. We also now only call extract_entropy()
      every 5 minutes, rather than every 10 bytes. This allows us to do two
      important things.
      
      First, we can switch to using RDSEED in extract_entropy(), as Dominik
      suggested. Second, we can ensure that RDSEED input always goes into the
      cryptographic hash function with other things before being used
      directly. This eliminates a category of attacks in which the CPU knows
      the current state of the crng and knows that we're going to xor RDSEED
      into it, and so it computes a malicious RDSEED. By going through our
      hash function, it would require the CPU to compute a preimage on the
      fly, which isn't going to happen.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Suggested-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      28f425e5
    • D
      random: fix locking in crng_fast_load() · 7c2fe2b3
      Dominik Brodowski 提交于
      crng_init is protected by primary_crng->lock, so keep holding that lock
      when incrementing crng_init from 0 to 1 in crng_fast_load(). The call to
      pr_notice() can wait until the lock is released; this code path cannot
      be reached twice, as crng_fast_load() aborts early if crng_init > 0.
      Signed-off-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      7c2fe2b3
    • J
      random: remove batched entropy locking · 77760fd7
      Jason A. Donenfeld 提交于
      Rather than use spinlocks to protect batched entropy, we can instead
      disable interrupts locally, since we're dealing with per-cpu data, and
      manage resets with a basic generation counter. At the same time, we
      can't quite do this on PREEMPT_RT, where we still want spinlocks-as-
      mutexes semantics. So we use a local_lock_t, which provides the right
      behavior for each. Because this is a per-cpu lock, that generation
      counter is still doing the necessary CPU-to-CPU communication.
      
      This should improve performance a bit. It will also fix the linked splat
      that Jonathan received with a PROVE_RAW_LOCK_NESTING=y.
      Reviewed-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Suggested-by: NAndy Lutomirski <luto@kernel.org>
      Reported-by: NJonathan Neuschäfer <j.neuschaefer@gmx.net>
      Tested-by: NJonathan Neuschäfer <j.neuschaefer@gmx.net>
      Link: https://lore.kernel.org/lkml/YfMa0QgsjCVdRAvJ@latitude/Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      77760fd7
    • E
      random: remove use_input_pool parameter from crng_reseed() · 5d58ea3a
      Eric Biggers 提交于
      The primary_crng is always reseeded from the input_pool, while the NUMA
      crngs are always reseeded from the primary_crng.  Remove the redundant
      'use_input_pool' parameter from crng_reseed() and just directly check
      whether the crng is the primary_crng.
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      5d58ea3a
    • J
      random: make credit_entropy_bits() always safe · a49c010e
      Jason A. Donenfeld 提交于
      This is called from various hwgenerator drivers, so rather than having
      one "safe" version for userspace and one "unsafe" version for the
      kernel, just make everything safe; the checks are cheap and sensible to
      have anyway.
      Reported-by: NSultan Alsawaf <sultan@kerneltoast.com>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      a49c010e
    • J
      random: always wake up entropy writers after extraction · 489c7fc4
      Jason A. Donenfeld 提交于
      Now that POOL_BITS == POOL_MIN_BITS, we must unconditionally wake up
      entropy writers after every extraction. Therefore there's no point of
      write_wakeup_threshold, so we can move it to the dustbin of unused
      compatibility sysctls. While we're at it, we can fix a small comparison
      where we were waking up after <= min rather than < min.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Suggested-by: NEric Biggers <ebiggers@kernel.org>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      489c7fc4
    • J
      random: use linear min-entropy accumulation crediting · c5704490
      Jason A. Donenfeld 提交于
      30e37ec5 ("random: account for entropy loss due to overwrites")
      assumed that adding new entropy to the LFSR pool probabilistically
      cancelled out old entropy there, so entropy was credited asymptotically,
      approximating Shannon entropy of independent sources (rather than a
      stronger min-entropy notion) using 1/8th fractional bits and replacing
      a constant 2-2/√𝑒 term (~0.786938) with 3/4 (0.75) to slightly
      underestimate it. This wasn't superb, but it was perhaps better than
      nothing, so that's what was done. Which entropy specifically was being
      cancelled out and how much precisely each time is hard to tell, though
      as I showed with the attack code in my previous commit, a motivated
      adversary with sufficient information can actually cancel out
      everything.
      
      Since we're no longer using an LFSR for entropy accumulation, this
      probabilistic cancellation is no longer relevant. Rather, we're now
      using a computational hash function as the accumulator and we've
      switched to working in the random oracle model, from which we can now
      revisit the question of min-entropy accumulation, which is done in
      detail in <https://eprint.iacr.org/2019/198>.
      
      Consider a long input bit string that is built by concatenating various
      smaller independent input bit strings. Each one of these inputs has a
      designated min-entropy, which is what we're passing to
      credit_entropy_bits(h). When we pass the concatenation of these to a
      random oracle, it means that an adversary trying to receive back the
      same reply as us would need to become certain about each part of the
      concatenated bit string we passed in, which means becoming certain about
      all of those h values. That means we can estimate the accumulation by
      simply adding up the h values in calls to credit_entropy_bits(h);
      there's no probabilistic cancellation at play like there was said to be
      for the LFSR. Incidentally, this is also what other entropy accumulators
      based on computational hash functions do as well.
      
      So this commit replaces credit_entropy_bits(h) with essentially `total =
      min(POOL_BITS, total + h)`, done with a cmpxchg loop as before.
      
      What if we're wrong and the above is nonsense? It's not, but let's
      assume we don't want the actual _behavior_ of the code to change much.
      Currently that behavior is not extracting from the input pool until it
      has 128 bits of entropy in it. With the old algorithm, we'd hit that
      magic 128 number after roughly 256 calls to credit_entropy_bits(1). So,
      we can retain more or less the old behavior by waiting to extract from
      the input pool until it hits 256 bits of entropy using the new code. For
      people concerned about this change, it means that there's not that much
      practical behavioral change. And for folks actually trying to model
      the behavior rigorously, it means that we have an even higher margin
      against attacks.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Dominik Brodowski <linux@dominikbrodowski.net>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Reviewed-by: NJean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      c5704490
    • J
      random: simplify entropy debiting · 9c07f578
      Jason A. Donenfeld 提交于
      Our pool is 256 bits, and we only ever use all of it or don't use it at
      all, which is decided by whether or not it has at least 128 bits in it.
      So we can drastically simplify the accounting and cmpxchg loop to do
      exactly this.  While we're at it, we move the minimum bit size into a
      constant so it can be shared between the two places where it matters.
      
      The reason we want any of this is for the case in which an attacker has
      compromised the current state, and then bruteforces small amounts of
      entropy added to it. By demanding a particular minimum amount of entropy
      be present before reseeding, we make that bruteforcing difficult.
      
      Note that this rationale no longer includes anything about /dev/random
      blocking at the right moment, since /dev/random no longer blocks (except
      for at ~boot), but rather uses the crng. In a former life, /dev/random
      was different and therefore required a more nuanced account(), but this
      is no longer.
      
      Behaviorally, nothing changes here. This is just a simplification of
      the code.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Reviewed-by: NDominik Brodowski <linux@dominikbrodowski.net>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      9c07f578
    • J
      random: use computational hash for entropy extraction · 6e8ec255
      Jason A. Donenfeld 提交于
      The current 4096-bit LFSR used for entropy collection had a few
      desirable attributes for the context in which it was created. For
      example, the state was huge, which meant that /dev/random would be able
      to output quite a bit of accumulated entropy before blocking. It was
      also, in its time, quite fast at accumulating entropy byte-by-byte,
      which matters given the varying contexts in which mix_pool_bytes() is
      called. And its diffusion was relatively high, which meant that changes
      would ripple across several words of state rather quickly.
      
      However, it also suffers from a few security vulnerabilities. In
      particular, inputs learned by an attacker can be undone, but moreover,
      if the state of the pool leaks, its contents can be controlled and
      entirely zeroed out. I've demonstrated this attack with this SMT2
      script, <https://xn--4db.cc/5o9xO8pb>, which Boolector/CaDiCal solves in
      a matter of seconds on a single core of my laptop, resulting in little
      proof of concept C demonstrators such as <https://xn--4db.cc/jCkvvIaH/c>.
      
      For basically all recent formal models of RNGs, these attacks represent
      a significant cryptographic flaw. But how does this manifest
      practically? If an attacker has access to the system to such a degree
      that he can learn the internal state of the RNG, arguably there are
      other lower hanging vulnerabilities -- side-channel, infoleak, or
      otherwise -- that might have higher priority. On the other hand, seed
      files are frequently used on systems that have a hard time generating
      much entropy on their own, and these seed files, being files, often leak
      or are duplicated and distributed accidentally, or are even seeded over
      the Internet intentionally, where their contents might be recorded or
      tampered with. Seen this way, an otherwise quasi-implausible
      vulnerability is a bit more practical than initially thought.
      
      Another aspect of the current mix_pool_bytes() function is that, while
      its performance was arguably competitive for the time in which it was
      created, it's no longer considered so. This patch improves performance
      significantly: on a high-end CPU, an i7-11850H, it improves performance
      of mix_pool_bytes() by 225%, and on a low-end CPU, a Cortex-A7, it
      improves performance by 103%.
      
      This commit replaces the LFSR of mix_pool_bytes() with a straight-
      forward cryptographic hash function, BLAKE2s, which is already in use
      for pool extraction. Universal hashing with a secret seed was considered
      too, something along the lines of <https://eprint.iacr.org/2013/338>,
      but the requirement for a secret seed makes for a chicken & egg problem.
      Instead we go with a formally proven scheme using a computational hash
      function, described in sections 5.1, 6.4, and B.1.8 of
      <https://eprint.iacr.org/2019/198>.
      
      BLAKE2s outputs 256 bits, which should give us an appropriate amount of
      min-entropy accumulation, and a wide enough margin of collision
      resistance against active attacks. mix_pool_bytes() becomes a simple
      call to blake2s_update(), for accumulation, while the extraction step
      becomes a blake2s_final() to generate a seed, with which we can then do
      a HKDF-like or BLAKE2X-like expansion, the first part of which we fold
      back as an init key for subsequent blake2s_update()s, and the rest we
      produce to the caller. This then is provided to our CRNG like usual. In
      that expansion step, we make opportunistic use of 32 bytes of RDRAND
      output, just as before. We also always reseed the crng with 32 bytes,
      unconditionally, or not at all, rather than sometimes with 16 as before,
      as we don't win anything by limiting beyond the 16 byte threshold.
      
      Going for a hash function as an entropy collector is a conservative,
      proven approach. The result of all this is a much simpler and much less
      bespoke construction than what's there now, which not only plugs a
      vulnerability but also improves performance considerably.
      
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Dominik Brodowski <linux@dominikbrodowski.net>
      Reviewed-by: NEric Biggers <ebiggers@google.com>
      Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Reviewed-by: NJean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      6e8ec255
  3. 05 2月, 2022 4 次提交
  4. 22 1月, 2022 1 次提交
    • X
      random: move the random sysctl declarations to its own file · 5475e8f0
      Xiaoming Ni 提交于
      kernel/sysctl.c is a kitchen sink where everyone leaves their dirty
      dishes, this makes it very difficult to maintain.
      
      To help with this maintenance let's start by moving sysctls to places
      where they actually belong.  The proc sysctl maintainers do not want to
      know what sysctl knobs you wish to add for your own piece of code, we
      just care about the core logic.
      
      So move the random sysctls to their own file and use
      register_sysctl_init().
      
      [mcgrof@kernel.org: commit log update to justify the move]
      
      Link: https://lkml.kernel.org/r/20211124231435.1445213-3-mcgrof@kernel.orgSigned-off-by: NXiaoming Ni <nixiaoming@huawei.com>
      Signed-off-by: NLuis Chamberlain <mcgrof@kernel.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Amir Goldstein <amir73il@gmail.com>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Antti Palosaari <crope@iki.fi>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Benjamin LaHaise <bcrl@kvack.org>
      Cc: Clemens Ladisch <clemens@ladisch.de>
      Cc: David Airlie <airlied@linux.ie>
      Cc: Douglas Gilbert <dgilbert@interlog.com>
      Cc: Eric Biederman <ebiederm@xmission.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Iurii Zaikin <yzaikin@google.com>
      Cc: James E.J. Bottomley <jejb@linux.ibm.com>
      Cc: Jani Nikula <jani.nikula@intel.com>
      Cc: Jani Nikula <jani.nikula@linux.intel.com>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: John Ogness <john.ogness@linutronix.de>
      Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
      Cc: Julia Lawall <julia.lawall@inria.fr>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Lukas Middendorf <kernel@tuxforce.de>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Cc: Paul Turner <pjt@google.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: Phillip Potter <phil@philpotter.co.uk>
      Cc: Qing Wang <wangqing@vivo.com>
      Cc: "Rafael J. Wysocki" <rafael@kernel.org>
      Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Cc: Sebastian Reichel <sre@kernel.org>
      Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
      Cc: Stephen Kitt <steve@sk2.org>
      Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Cc: Suren Baghdasaryan <surenb@google.com>
      Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: "Theodore Ts'o" <tytso@mit.edu>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      5475e8f0
  5. 18 1月, 2022 13 次提交
  6. 07 1月, 2022 2 次提交
    • J
      random: don't reset crng_init_cnt on urandom_read() · 6c8e11e0
      Jann Horn 提交于
      At the moment, urandom_read() (used for /dev/urandom) resets crng_init_cnt
      to zero when it is called at crng_init<2. This is inconsistent: We do it
      for /dev/urandom reads, but not for the equivalent
      getrandom(GRND_INSECURE).
      
      (And worse, as Jason pointed out, we're only doing this as long as
      maxwarn>0.)
      
      crng_init_cnt is only read in crng_fast_load(); it is relevant at
      crng_init==0 for determining when to switch to crng_init==1 (and where in
      the RNG state array to write).
      
      As far as I understand:
      
       - crng_init==0 means "we have nothing, we might just be returning the same
         exact numbers on every boot on every machine, we don't even have
         non-cryptographic randomness; we should shove every bit of entropy we
         can get into the RNG immediately"
       - crng_init==1 means "well we have something, it might not be
         cryptographic, but at least we're not gonna return the same data every
         time or whatever, it's probably good enough for TCP and ASLR and stuff;
         we now have time to build up actual cryptographic entropy in the input
         pool"
       - crng_init==2 means "this is supposed to be cryptographically secure now,
         but we'll keep adding more entropy just to be sure".
      
      The current code means that if someone is pulling data from /dev/urandom
      fast enough at crng_init==0, we'll keep resetting crng_init_cnt, and we'll
      never make forward progress to crng_init==1. It seems to be intended to
      prevent an attacker from bruteforcing the contents of small individual RNG
      inputs on the way from crng_init==0 to crng_init==1, but that's misguided;
      crng_init==1 isn't supposed to provide proper cryptographic security
      anyway, RNG users who care about getting secure RNG output have to wait
      until crng_init==2.
      
      This code was inconsistent, and it probably made things worse - just get
      rid of it.
      Signed-off-by: NJann Horn <jannh@google.com>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      6c8e11e0
    • J
      random: avoid superfluous call to RDRAND in CRNG extraction · 2ee25b69
      Jason A. Donenfeld 提交于
      RDRAND is not fast. RDRAND is actually quite slow. We've known this for
      a while, which is why functions like get_random_u{32,64} were converted
      to use batching of our ChaCha-based CRNG instead.
      
      Yet CRNG extraction still includes a call to RDRAND, in the hot path of
      every call to get_random_bytes(), /dev/urandom, and getrandom(2).
      
      This call to RDRAND here seems quite superfluous. CRNG is already
      extracting things based on a 256-bit key, based on good entropy, which
      is then reseeded periodically, updated, backtrack-mutated, and so
      forth. The CRNG extraction construction is something that we're already
      relying on to be secure and solid. If it's not, that's a serious
      problem, and it's unlikely that mixing in a measly 32 bits from RDRAND
      is going to alleviate things.
      
      And in the case where the CRNG doesn't have enough entropy yet, we're
      already initializing the ChaCha key row with RDRAND in
      crng_init_try_arch_early().
      
      Removing the call to RDRAND improves performance on an i7-11850H by
      370%. In other words, the vast majority of the work done by
      extract_crng() prior to this commit was devoted to fetching 32 bits of
      RDRAND.
      Reviewed-by: NTheodore Ts'o <tytso@mit.edu>
      Acked-by: NArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      2ee25b69