diff mbox series

[v3] random: absorb fast pool into input pool after fast load

Message ID 20220215211333.244383-1-Jason@zx2c4.com (mailing list archive)
State Not Applicable
Delegated to: Herbert Xu
Headers show
Series [v3] random: absorb fast pool into input pool after fast load | expand

Commit Message

Jason A. Donenfeld Feb. 15, 2022, 9:13 p.m. UTC 
During crng_init == 0, we never credit entropy in add_interrupt_
randomness(), but instead dump it directly into the primary_crng. That's
fine, except for the fact that we then wind up throwing away that
entropy later when we switch to extracting from the input pool and
overwriting the primary_crng key. The two other early init sites --
add_hwgenerator_randomness()'s use crng_fast_load() and add_device_
randomness()'s use of crng_slow_load() -- always additionally give their
inputs to the input pool. But not add_interrupt_randomness().

This commit fixes that shortcoming by calling mix_pool_bytes() after
crng_fast_load() in add_interrupt_randomness(). That's partially
verboten on PREEMPT_RT, where it implies taking spinlock_t from an IRQ
handler. But this also only happens during early boot and then never
again after that. Plus it's a trylock so it has the same considerations
as calling crng_fast_load(), which we're already using.

Cc: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
Suggested-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
v3 uses a trylock instead of a spinlock, just like all the other locks
taken in hard irq. (Incidentally, we're now talking about moving this
into the deferred stage, so that at can be a spinlock, but at least with
what we have here, this really must be a trylock.)

 drivers/char/random.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Eric Biggers Feb. 21, 2022, 2:47 a.m. UTC | #1 
On Tue, Feb 15, 2022 at 10:13:33PM +0100, Jason A. Donenfeld wrote:
> During crng_init == 0, we never credit entropy in add_interrupt_
> randomness(), but instead dump it directly into the primary_crng. That's
> fine, except for the fact that we then wind up throwing away that
> entropy later when we switch to extracting from the input pool and
> overwriting the primary_crng key. The two other early init sites --
> add_hwgenerator_randomness()'s use crng_fast_load() and add_device_
> randomness()'s use of crng_slow_load() -- always additionally give their
> inputs to the input pool. But not add_interrupt_randomness().
> 
> This commit fixes that shortcoming by calling mix_pool_bytes() after
> crng_fast_load() in add_interrupt_randomness(). That's partially
> verboten on PREEMPT_RT, where it implies taking spinlock_t from an IRQ
> handler. But this also only happens during early boot and then never
> again after that. Plus it's a trylock so it has the same considerations
> as calling crng_fast_load(), which we're already using.
> 
> Cc: Theodore Ts'o <tytso@mit.edu>
> Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
> Suggested-by: Eric Biggers <ebiggers@google.com>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> ---
> v3 uses a trylock instead of a spinlock, just like all the other locks
> taken in hard irq. (Incidentally, we're now talking about moving this
> into the deferred stage, so that at can be a spinlock, but at least with
> what we have here, this really must be a trylock.)

This looks fine, though it's unfortunate that it has to be a trylock so this
isn't guaranteed.  Also, the commit message is a bit misleading because it talks
about "overwriting" the primary_crng key, but at this point in the series the
extracted entropy is still being XOR'd with the primary_crng key.  It's not
until the next patch that the key is simply overwritten.

- Eric
Jason A. Donenfeld Feb. 21, 2022, 2:57 p.m. UTC | #2 
On Mon, Feb 21, 2022 at 3:47 AM Eric Biggers <ebiggers@kernel.org> wrote:
> This looks fine, though it's unfortunate that it has to be a trylock so this
> isn't guaranteed.  Also, the commit message is a bit misleading because it talks
> about "overwriting" the primary_crng key, but at this point in the series the
> extracted entropy is still being XOR'd with the primary_crng key.  It's not
> until the next patch that the key is simply overwritten.

I'll fix up the commit message.
diff mbox series

Patch

diff --git a/drivers/char/random.c b/drivers/char/random.c
index d31b0b3afe2e..f3179c67010b 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -850,6 +850,10 @@  void add_interrupt_randomness(int irq)
 		    crng_fast_load((u8 *)fast_pool->pool, sizeof(fast_pool->pool)) > 0) {
 			fast_pool->count = 0;
 			fast_pool->last = now;
+			if (spin_trylock(&input_pool.lock)) {
+				_mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool));
+				spin_unlock(&input_pool.lock);
+			}
 		}
 		return;
 	}