1. 08 1月, 2020 14 次提交
  2. 18 12月, 2019 1 次提交
  3. 17 11月, 2019 1 次提交
  4. 23 10月, 2019 1 次提交
  5. 03 10月, 2019 1 次提交
    • B
      char/random: Add a newline at the end of the file · 3fd57e7a
      Borislav Petkov 提交于
      On Tue, Oct 01, 2019 at 10:14:40AM -0700, Linus Torvalds wrote:
      > The previous state of the file didn't have that 0xa at the end, so you get that
      >
      >
      >   -EXPORT_SYMBOL_GPL(add_bootloader_randomness);
      >   \ No newline at end of file
      >   +EXPORT_SYMBOL_GPL(add_bootloader_randomness);
      >
      > which is "the '-' line doesn't have a newline, the '+' line does" marker.
      
      Aaha, that makes total sense, thanks for explaining. Oh well, let's fix
      it then so that people don't scratch heads like me.
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      3fd57e7a
  6. 30 9月, 2019 1 次提交
    • L
      random: try to actively add entropy rather than passively wait for it · 50ee7529
      Linus Torvalds 提交于
      For 5.3 we had to revert a nice ext4 IO pattern improvement, because it
      caused a bootup regression due to lack of entropy at bootup together
      with arguably broken user space that was asking for secure random
      numbers when it really didn't need to.
      
      See commit 72dbcf72 (Revert "ext4: make __ext4_get_inode_loc plug").
      
      This aims to solve the issue by actively generating entropy noise using
      the CPU cycle counter when waiting for the random number generator to
      initialize.  This only works when you have a high-frequency time stamp
      counter available, but that's the case on all modern x86 CPU's, and on
      most other modern CPU's too.
      
      What we do is to generate jitter entropy from the CPU cycle counter
      under a somewhat complex load: calling the scheduler while also
      guaranteeing a certain amount of timing noise by also triggering a
      timer.
      
      I'm sure we can tweak this, and that people will want to look at other
      alternatives, but there's been a number of papers written on jitter
      entropy, and this should really be fairly conservative by crediting one
      bit of entropy for every timer-induced jump in the cycle counter.  Not
      because the timer itself would be all that unpredictable, but because
      the interaction between the timer and the loop is going to be.
      
      Even if (and perhaps particularly if) the timer actually happens on
      another CPU, the cacheline interaction between the loop that reads the
      cycle counter and the timer itself firing is going to add perturbations
      to the cycle counter values that get mixed into the entropy pool.
      
      As Thomas pointed out, with a modern out-of-order CPU, even quite simple
      loops show a fair amount of hard-to-predict timing variability even in
      the absense of external interrupts.  But this tries to take that further
      by actually having a fairly complex interaction.
      
      This is not going to solve the entropy issue for architectures that have
      no CPU cycle counter, but it's not clear how (and if) that is solvable,
      and the hardware in question is largely starting to be irrelevant.  And
      by doing this we can at least avoid some of the even more contentious
      approaches (like making the entropy waiting time out in order to avoid
      the possibly unbounded waiting).
      
      Cc: Ahmed Darwish <darwish.07@gmail.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Cc: Nicholas Mc Guire <hofrat@opentech.at>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Willy Tarreau <w@1wt.eu>
      Cc: Alexander E. Patrakov <patrakov@gmail.com>
      Cc: Lennart Poettering <mzxreary@0pointer.de>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      50ee7529
  7. 09 9月, 2019 1 次提交
    • S
      random: Use wait_event_freezable() in add_hwgenerator_randomness() · 59b56948
      Stephen Boyd 提交于
      Sebastian reports that after commit ff296293 ("random: Support freezable
      kthreads in add_hwgenerator_randomness()") we can call might_sleep() when the
      task state is TASK_INTERRUPTIBLE (state=1). This leads to the following warning.
      
       do not call blocking ops when !TASK_RUNNING; state=1 set at [<00000000349d1489>] prepare_to_wait_event+0x5a/0x180
       WARNING: CPU: 0 PID: 828 at kernel/sched/core.c:6741 __might_sleep+0x6f/0x80
       Modules linked in:
      
       CPU: 0 PID: 828 Comm: hwrng Not tainted 5.3.0-rc7-next-20190903+ #46
       RIP: 0010:__might_sleep+0x6f/0x80
      
       Call Trace:
        kthread_freezable_should_stop+0x1b/0x60
        add_hwgenerator_randomness+0xdd/0x130
        hwrng_fillfn+0xbf/0x120
        kthread+0x10c/0x140
        ret_from_fork+0x27/0x50
      
      We shouldn't call kthread_freezable_should_stop() from deep within the
      wait_event code because the task state is still set as
      TASK_INTERRUPTIBLE instead of TASK_RUNNING and
      kthread_freezable_should_stop() will try to call into the freezer with
      the task in the wrong state. Use wait_event_freezable() instead so that
      it calls schedule() in the right place and tries to enter the freezer
      when the task state is TASK_RUNNING instead.
      Reported-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Tested-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Keerthy <j-keerthy@ti.com>
      Fixes: ff296293 ("random: Support freezable kthreads in add_hwgenerator_randomness()")
      Signed-off-by: NStephen Boyd <swboyd@chromium.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      59b56948
  8. 23 8月, 2019 1 次提交
    • H
      fdt: add support for rng-seed · 428826f5
      Hsin-Yi Wang 提交于
      Introducing a chosen node, rng-seed, which is an entropy that can be
      passed to kernel called very early to increase initial device
      randomness. Bootloader should provide this entropy and the value is
      read from /chosen/rng-seed in DT.
      
      Obtain of_fdt_crc32 for CRC check after early_init_dt_scan_nodes(),
      since early_init_dt_scan_chosen() would modify fdt to erase rng-seed.
      
      Add a new interface add_bootloader_randomness() for rng-seed use case.
      Depends on whether the seed is trustworthy, rng seed would be passed to
      add_hwgenerator_randomness(). Otherwise it would be passed to
      add_device_randomness(). Decision is controlled by kernel config
      RANDOM_TRUST_BOOTLOADER.
      Signed-off-by: NHsin-Yi Wang <hsinyi@chromium.org>
      Reviewed-by: NStephen Boyd <swboyd@chromium.org>
      Reviewed-by: NRob Herring <robh@kernel.org>
      Reviewed-by: Theodore Ts'o <tytso@mit.edu> # drivers/char/random.c
      Signed-off-by: NWill Deacon <will@kernel.org>
      428826f5
  9. 22 8月, 2019 1 次提交
    • S
      random: Support freezable kthreads in add_hwgenerator_randomness() · ff296293
      Stephen Boyd 提交于
      The kthread calling this function is freezable after commit 03a3bb7a
      ("hwrng: core - Freeze khwrng thread during suspend") is applied.
      Unfortunately, this function uses wait_event_interruptible() but doesn't
      check for the kthread being woken up by the fake freezer signal. When a
      user suspends the system, this kthread will wake up and if it fails the
      entropy size check it will immediately go back to sleep and not go into
      the freezer. Eventually, suspend will fail because the task never froze
      and a warning message like this may appear:
      
       PM: suspend entry (deep)
       Filesystems sync: 0.000 seconds
       Freezing user space processes ... (elapsed 0.001 seconds) done.
       OOM killer disabled.
       Freezing remaining freezable tasks ...
       Freezing of tasks failed after 20.003 seconds (1 tasks refusing to freeze, wq_busy=0):
       hwrng           R  running task        0   289      2 0x00000020
       [<c08c64c4>] (__schedule) from [<c08c6a10>] (schedule+0x3c/0xc0)
       [<c08c6a10>] (schedule) from [<c05dbd8c>] (add_hwgenerator_randomness+0xb0/0x100)
       [<c05dbd8c>] (add_hwgenerator_randomness) from [<bf1803c8>] (hwrng_fillfn+0xc0/0x14c [rng_core])
       [<bf1803c8>] (hwrng_fillfn [rng_core]) from [<c015abec>] (kthread+0x134/0x148)
       [<c015abec>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
      
      Check for a freezer signal here and skip adding any randomness if the
      task wakes up because it was frozen. This should make the kthread freeze
      properly and suspend work again.
      
      Fixes: 03a3bb7a ("hwrng: core - Freeze khwrng thread during suspend")
      Reported-by: NKeerthy <j-keerthy@ti.com>
      Tested-by: NKeerthy <j-keerthy@ti.com>
      Signed-off-by: NStephen Boyd <swboyd@chromium.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      ff296293
  10. 26 5月, 2019 1 次提交
  11. 20 4月, 2019 4 次提交
    • S
      random: add a spinlock_t to struct batched_entropy · b7d5dc21
      Sebastian Andrzej Siewior 提交于
      The per-CPU variable batched_entropy_uXX is protected by get_cpu_var().
      This is just a preempt_disable() which ensures that the variable is only
      from the local CPU. It does not protect against users on the same CPU
      from another context. It is possible that a preemptible context reads
      slot 0 and then an interrupt occurs and the same value is read again.
      
      The above scenario is confirmed by lockdep if we add a spinlock:
      | ================================
      | WARNING: inconsistent lock state
      | 5.1.0-rc3+ #42 Not tainted
      | --------------------------------
      | inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
      | ksoftirqd/9/56 [HC0[0]:SC1[1]:HE0:SE0] takes:
      | (____ptrval____) (batched_entropy_u32.lock){+.?.}, at: get_random_u32+0x3e/0xe0
      | {SOFTIRQ-ON-W} state was registered at:
      |   _raw_spin_lock+0x2a/0x40
      |   get_random_u32+0x3e/0xe0
      |   new_slab+0x15c/0x7b0
      |   ___slab_alloc+0x492/0x620
      |   __slab_alloc.isra.73+0x53/0xa0
      |   kmem_cache_alloc_node+0xaf/0x2a0
      |   copy_process.part.41+0x1e1/0x2370
      |   _do_fork+0xdb/0x6d0
      |   kernel_thread+0x20/0x30
      |   kthreadd+0x1ba/0x220
      |   ret_from_fork+0x3a/0x50
      …
      | other info that might help us debug this:
      |  Possible unsafe locking scenario:
      |
      |        CPU0
      |        ----
      |   lock(batched_entropy_u32.lock);
      |   <Interrupt>
      |     lock(batched_entropy_u32.lock);
      |
      |  *** DEADLOCK ***
      |
      | stack backtrace:
      | Call Trace:
      …
      |  kmem_cache_alloc_trace+0x20e/0x270
      |  ipmi_alloc_recv_msg+0x16/0x40
      …
      |  __do_softirq+0xec/0x48d
      |  run_ksoftirqd+0x37/0x60
      |  smpboot_thread_fn+0x191/0x290
      |  kthread+0xfe/0x130
      |  ret_from_fork+0x3a/0x50
      
      Add a spinlock_t to the batched_entropy data structure and acquire the
      lock while accessing it. Acquire the lock with disabled interrupts
      because this function may be used from interrupt context.
      
      Remove the batched_entropy_reset_lock lock. Now that we have a lock for
      the data scructure, we can access it from a remote CPU.
      Signed-off-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      b7d5dc21
    • G
      random: document get_random_int() family · 92e507d2
      George Spelvin 提交于
      Explain what these functions are for and when they offer
      an advantage over get_random_bytes().
      
      (We still need documentation on rng_is_initialized(), the
      random_ready_callback system, and early boot in general.)
      Signed-off-by: NGeorge Spelvin <lkml@sdf.org>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      92e507d2
    • J
      random: fix CRNG initialization when random.trust_cpu=1 · fe6f1a6a
      Jon DeVree 提交于
      When the system boots with random.trust_cpu=1 it doesn't initialize the
      per-NUMA CRNGs because it skips the rest of the CRNG startup code. This
      means that the code from 1e7f583a ("random: make /dev/urandom scalable
      for silly userspace programs") is not used when random.trust_cpu=1.
      
      crash> dmesg | grep random:
      [    0.000000] random: get_random_bytes called from start_kernel+0x94/0x530 with crng_init=0
      [    0.314029] random: crng done (trusting CPU's manufacturer)
      crash> print crng_node_pool
      $6 = (struct crng_state **) 0x0
      
      After adding the missing call to numa_crng_init() the per-NUMA CRNGs are
      initialized again:
      
      crash> dmesg | grep random:
      [    0.000000] random: get_random_bytes called from start_kernel+0x94/0x530 with crng_init=0
      [    0.314031] random: crng done (trusting CPU's manufacturer)
      crash> print crng_node_pool
      $1 = (struct crng_state **) 0xffff9a915f4014a0
      
      The call to invalidate_batched_entropy() was also missing. This is
      important for architectures like PPC and S390 which only have the
      arch_get_random_seed_* functions.
      
      Fixes: 39a8883a ("random: add a config option to trust the CPU's hwrng")
      Signed-off-by: NJon DeVree <nuxi@vault24.org>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      fe6f1a6a
    • K
      random: move rand_initialize() earlier · d5553523
      Kees Cook 提交于
      Right now rand_initialize() is run as an early_initcall(), but it only
      depends on timekeeping_init() (for mixing ktime_get_real() into the
      pools). However, the call to boot_init_stack_canary() for stack canary
      initialization runs earlier, which triggers a warning at boot:
      
      random: get_random_bytes called from start_kernel+0x357/0x548 with crng_init=0
      
      Instead, this moves rand_initialize() to after timekeeping_init(), and moves
      canary initialization here as well.
      
      Note that this warning may still remain for machines that do not have
      UEFI RNG support (which initializes the RNG pools during setup_arch()),
      or for x86 machines without RDRAND (or booting without "random.trust=on"
      or CONFIG_RANDOM_TRUST_CPU=y).
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      d5553523
  12. 17 4月, 2019 4 次提交
  13. 20 11月, 2018 1 次提交
    • E
      crypto: chacha20-generic - refactor to allow varying number of rounds · 1ca1b917
      Eric Biggers 提交于
      In preparation for adding XChaCha12 support, rename/refactor
      chacha20-generic to support different numbers of rounds.  The
      justification for needing XChaCha12 support is explained in more detail
      in the patch "crypto: chacha - add XChaCha12 support".
      
      The only difference between ChaCha{8,12,20} are the number of rounds
      itself; all other parts of the algorithm are the same.  Therefore,
      remove the "20" from all definitions, structures, functions, files, etc.
      that will be shared by all ChaCha versions.
      
      Also make ->setkey() store the round count in the chacha_ctx (previously
      chacha20_ctx).  The generic code then passes the round count through to
      chacha_block().  There will be a ->setkey() function for each explicitly
      allowed round count; the encrypt/decrypt functions will be the same.  I
      decided not to do it the opposite way (same ->setkey() function for all
      round counts, with different encrypt/decrypt functions) because that
      would have required more boilerplate code in architecture-specific
      implementations of ChaCha and XChaCha.
      Reviewed-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Acked-by: NMartin Willi <martin@strongswan.org>
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      1ca1b917
  14. 21 9月, 2018 1 次提交
    • E
      crypto: chacha20 - Fix chacha20_block() keystream alignment (again) · a5e9f557
      Eric Biggers 提交于
      In commit 9f480fae ("crypto: chacha20 - Fix keystream alignment for
      chacha20_block()"), I had missed that chacha20_block() can be called
      directly on the buffer passed to get_random_bytes(), which can have any
      alignment.  So, while my commit didn't break anything, it didn't fully
      solve the alignment problems.
      
      Revert my solution and just update chacha20_block() to use
      put_unaligned_le32(), so the output buffer need not be aligned.
      This is simpler, and on many CPUs it's the same speed.
      
      But, I kept the 'tmp' buffers in extract_crng_user() and
      _get_random_bytes() 4-byte aligned, since that alignment is actually
      needed for _crng_backtrack_protect() too.
      Reported-by: NStephan Müller <smueller@chronox.de>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      a5e9f557
  15. 02 9月, 2018 1 次提交
  16. 03 8月, 2018 1 次提交
    • J
      random: Make crng state queryable · 9a47249d
      Jason A. Donenfeld 提交于
      It is very useful to be able to know whether or not get_random_bytes_wait
      / wait_for_random_bytes is going to block or not, or whether plain
      get_random_bytes is going to return good randomness or bad randomness.
      
      The particular use case is for mitigating certain attacks in WireGuard.
      A handshake packet arrives and is queued up. Elsewhere a worker thread
      takes items from the queue and processes them. In replying to these
      items, it needs to use some random data, and it has to be good random
      data. If we simply block until we can have good randomness, then it's
      possible for an attacker to fill the queue up with packets waiting to be
      processed. Upon realizing the queue is full, WireGuard will detect that
      it's under a denial of service attack, and behave accordingly. A better
      approach is just to drop incoming handshake packets if the crng is not
      yet initialized.
      
      This patch, therefore, makes that information directly accessible.
      Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      9a47249d
  17. 25 7月, 2018 2 次提交
    • I
      random: remove preempt disabled region · b34fbaa9
      Ingo Molnar 提交于
      No need to keep preemption disabled across the whole function.
      
      mix_pool_bytes() uses a spin_lock() to protect the pool and there are
      other places like write_pool() whhich invoke mix_pool_bytes() without
      disabling preemption.
      credit_entropy_bits() is invoked from other places like
      add_hwgenerator_randomness() without disabling preemption.
      
      Before commit 95b709b6 ("random: drop trickle mode") the function
      used __this_cpu_inc_return() which would require disabled preemption.
      The preempt_disable() section was added in commit 43d5d3018c37 ("[PATCH]
      random driver preempt robustness", history tree).  It was claimed that
      the code relied on "vt_ioctl() being called under BKL".
      
      Cc: "Theodore Ts'o" <tytso@mit.edu>
      Signed-off-by: NIngo Molnar <mingo@elte.hu>
      Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
      [bigeasy: enhance the commit message]
      Signed-off-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      b34fbaa9
    • T
      random: add a config option to trust the CPU's hwrng · 39a8883a
      Theodore Ts'o 提交于
      This gives the user building their own kernel (or a Linux
      distribution) the option of deciding whether or not to trust the CPU's
      hardware random number generator (e.g., RDRAND for x86 CPU's) as being
      correctly implemented and not having a back door introduced (perhaps
      courtesy of a Nation State's law enforcement or intelligence
      agencies).
      
      This will prevent getrandom(2) from blocking, if there is a
      willingness to trust the CPU manufacturer.
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      39a8883a
  18. 18 7月, 2018 3 次提交
    • T
      random: Return nbytes filled from hw RNG · 753d433b
      Tobin C. Harding 提交于
      Currently the function get_random_bytes_arch() has return value 'void'.
      If the hw RNG fails we currently fall back to using get_random_bytes().
      This defeats the purpose of requesting random material from the hw RNG
      in the first place.
      
      There are currently no intree users of get_random_bytes_arch().
      
      Only get random bytes from the hw RNG, make function return the number
      of bytes retrieved from the hw RNG.
      Acked-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      753d433b
    • T
      random: Fix whitespace pre random-bytes work · 8ddd6efa
      Tobin C. Harding 提交于
      There are a couple of whitespace issues around the function
      get_random_bytes_arch().  In preparation for patching this function
      let's clean them up.
      Acked-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NTobin C. Harding <me@tobin.cc>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      8ddd6efa
    • T
      random: mix rdrand with entropy sent in from userspace · 81e69df3
      Theodore Ts'o 提交于
      Fedora has integrated the jitter entropy daemon to work around slow
      boot problems, especially on VM's that don't support virtio-rng:
      
          https://bugzilla.redhat.com/show_bug.cgi?id=1572944
      
      It's understandable why they did this, but the Jitter entropy daemon
      works fundamentally on the principle: "the CPU microarchitecture is
      **so** complicated and we can't figure it out, so it *must* be
      random".  Yes, it uses statistical tests to "prove" it is secure, but
      AES_ENCRYPT(NSA_KEY, COUNTER++) will also pass statistical tests with
      flying colors.
      
      So if RDRAND is available, mix it into entropy submitted from
      userspace.  It can't hurt, and if you believe the NSA has backdoored
      RDRAND, then they probably have enough details about the Intel
      microarchitecture that they can reverse engineer how the Jitter
      entropy daemon affects the microarchitecture, and attack its output
      stream.  And if RDRAND is in fact an honest DRNG, it will immeasurably
      improve on what the Jitter entropy daemon might produce.
      
      This also provides some protection against someone who is able to read
      or set the entropy seed file.
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      Cc: Arnd Bergmann <arnd@arndb.de>
      81e69df3