Software PRNG fixes #1843
Merged
Software PRNG fixes #1843
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Closed
|
You could add to the commit message also that this resolves: OP-TEE-2017-0001. |
This commit fixes a vulnerability (OP-TEE-2017-0001) that affects platforms built with CFG_WITH_SOFTWARE_PRNG=y. Note however that platforms that also set CFG_SECURE_TIME_SOURCE_REE=y are still vulnerable, unless they provide an implementation of plat_prng_add_jitter_entropy_norpc(). The LibTomCrypt API is not used properly in the current PRNG initialization code (tee_ltc_prng_init()). We have: prng->start(); prng->ready(); plat_prng_add_jitter_entropy_norpc(); ...and at this point, the PRNG is assumed to be ready to provide random data through rng->read(). That is broken, because there is no guarantee that the added entropy will have an immediate effect on the output of rng->read(). In fact, it usually will NOT. For instance, the default software PRNG used in OP-TEE (Fortuna) re-seeds its PRNG generator from the entropy pools only once every ten reads. So we're effectively using an un-seeded generator for the first ten calls to prng->read(). Practically it means that the same byte sequences are generated after each boot and, for the Fortuna PRNG, until the 11th call to the PRNG read function. At the Internal Core API level, this affects TEE_GenerateRandom() and TEE_GenerateKey(). The fix is simple: prng->ready() seeds the generator from the pools, so by moving plat_prng_add_jitter_entropy_norpc() before prng->ready(), we can ensure that some amount of entropy is used immediately. Fixes: OP-TEE#1730 Link: https://op-tee.org/security-advisories Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
This commit fixes a vulnerability (OP-TEE-2017-0001) that affects platforms built with CFG_WITH_SOFTWARE_PRNG=y. Note however that platforms that also set CFG_SECURE_TIME_SOURCE_REE=y are still vulnerable, unless they provide an implementation of plat_prng_add_jitter_entropy_norpc(). Adds some entropy to the PRNG used to generate the AE key for paged user TAs. Link: https://op-tee.org/security-advisories/ Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
jforissier
force-pushed
the
fortuna-fix
branch
from
b4eff9f
to
424eaa8
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.