Skip to content

Commit

Permalink
random: ensure early RDSEED goes through mixer on init
Browse files Browse the repository at this point in the history
Continuing the reasoning of "random: use RDSEED instead of RDRAND in
entropy extraction" from this series, at init time we also don't want to
be xoring RDSEED directly into the crng. Instead it's safer to put it
into our entropy collector and then re-extract it, so that it goes
through a hash function with preimage resistance. As a matter of hygiene,
we also order these now so that the RDSEED byte are hashed in first,
followed by the bytes that are likely more predictable (e.g. utsname()).

Cc: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
  • Loading branch information
zx2c4 committed Feb 21, 2022
1 parent 8566417 commit a02cf3d
Showing 1 changed file with 5 additions and 11 deletions.
16 changes: 5 additions & 11 deletions drivers/char/random.c
Original file line number Diff line number Diff line change
Expand Up @@ -1208,24 +1208,18 @@ int __init rand_initialize(void)
bool arch_init = true;
unsigned long rv;

mix_pool_bytes(&now, sizeof(now));
for (i = BLAKE2S_BLOCK_SIZE; i > 0; i -= sizeof(rv)) {
if (!arch_get_random_seed_long(&rv) &&
!arch_get_random_long(&rv))
rv = random_get_entropy();
mix_pool_bytes(&rv, sizeof(rv));
}
mix_pool_bytes(utsname(), sizeof(*(utsname())));

extract_entropy(&primary_crng.state[4], sizeof(u32) * 12);
for (i = 4; i < 16; i++) {
if (!arch_get_random_seed_long_early(&rv) &&
!arch_get_random_long_early(&rv)) {
rv = random_get_entropy();
arch_init = false;
}
primary_crng.state[i] ^= rv;
mix_pool_bytes(&rv, sizeof(rv));
}
mix_pool_bytes(&now, sizeof(now));
mix_pool_bytes(utsname(), sizeof(*(utsname())));

extract_entropy(&primary_crng.state[4], sizeof(u32) * 12);
if (arch_init && trust_cpu && crng_init < 2) {
invalidate_batched_entropy();
crng_init = 2;
Expand Down

0 comments on commit a02cf3d

Please sign in to comment.