Message ID | 20220208155335.378318-5-Jason@zx2c4.com (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Herbert Xu |
Headers | show |
Series | random: cleanups around per-cpu crng & rdrand | expand |
On Tue, Feb 08, 2022 at 04:53:32PM +0100, Jason A. Donenfeld wrote: > Continuing the reasoning of "random: use RDSEED instead of RDRAND in > entropy extraction" from this series, at init time we also don't want to > be xoring RDSEED directly into the crng. Instead it's safer to put it > into our entropy collector and then re-extract it, so that it goes > through a hash function with preimage resistance. > > Cc: Theodore Ts'o <tytso@mit.edu> > Cc: Dominik Brodowski <linux@dominikbrodowski.net> > Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> > --- > drivers/char/random.c | 14 ++++---------- > 1 file changed, 4 insertions(+), 10 deletions(-) > Looks good, Reviewed-by: Eric Biggers <ebiggers@google.com> - Eric
diff --git a/drivers/char/random.c b/drivers/char/random.c index db0e0e77613e..2bd19dce822d 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1218,24 +1218,18 @@ int __init rand_initialize(void) bool arch_init = true; unsigned long rv; + mix_pool_bytes(utsname(), sizeof(*(utsname()))); mix_pool_bytes(&now, sizeof(now)); for (i = BLAKE2S_BLOCK_SIZE; i > 0; i -= sizeof(rv)) { - if (!arch_get_random_seed_long(&rv) && - !arch_get_random_long(&rv)) - rv = random_get_entropy(); - mix_pool_bytes(&rv, sizeof(rv)); - } - mix_pool_bytes(utsname(), sizeof(*(utsname()))); - - extract_entropy(&primary_crng.state[4], sizeof(u32) * 12); - for (i = 4; i < 16; i++) { if (!arch_get_random_seed_long_early(&rv) && !arch_get_random_long_early(&rv)) { rv = random_get_entropy(); arch_init = false; } - primary_crng.state[i] ^= rv; + mix_pool_bytes(&rv, sizeof(rv)); } + + extract_entropy(&primary_crng.state[4], sizeof(u32) * 12); if (arch_init && trust_cpu && crng_init < 2) { invalidate_batched_entropy(); crng_init = 2;
Continuing the reasoning of "random: use RDSEED instead of RDRAND in entropy extraction" from this series, at init time we also don't want to be xoring RDSEED directly into the crng. Instead it's safer to put it into our entropy collector and then re-extract it, so that it goes through a hash function with preimage resistance. Cc: Theodore Ts'o <tytso@mit.edu> Cc: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> --- drivers/char/random.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-)