Message ID | 20220208155335.378318-6-Jason@zx2c4.com (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Herbert Xu |
Series | random: cleanups around per-cpu crng & rdrand |
On Tue, Feb 08, 2022 at 04:53:33PM +0100, Jason A. Donenfeld wrote:

> Continuing the reasoning of "random: ensure early RDSEED goes through
> mixer on init", we don't want RDRAND interacting with anything without
> going through the mixer function, as a backdoored CPU could presumably
> cancel out data during an xor, which it'd have a harder time doing when
> being forced through a cryptographic hash function. There's actually no
> need at all to be calling RDRAND in write_pool(), because before we
> extract from the pool, we always do so with 32 bytes of RDSEED hashed in
> at that stage. Xoring at this stage is needless and introduces a minor
> liability.
>
> Cc: Theodore Ts'o <tytso@mit.edu>
> Cc: Dominik Brodowski <linux@dominikbrodowski.net>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> ---
> drivers/char/random.c | 14 ++------------
> 1 file changed, 2 insertions(+), 12 deletions(-)

Looks good,

Reviewed-by: Eric Biggers <ebiggers@google.com>

- Eric
diff --git a/drivers/char/random.c b/drivers/char/random.c index 2bd19dce822d..ed7fcef1ba31 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1315,25 +1315,15 @@ static __poll_t random_poll(struct file *file, poll_table *wait) static int write_pool(const char __user *buffer, size_t count) { size_t bytes; - u32 t, buf[16]; + u8 buf[BLAKE2S_BLOCK_SIZE]; const char __user *p = buffer; while (count > 0) { - int b, i = 0; - bytes = min(count, sizeof(buf)); - if (copy_from_user(&buf, p, bytes)) + if (copy_from_user(buf, p, bytes)) return -EFAULT; - - for (b = bytes; b > 0; b -= sizeof(u32), i++) { - if (!arch_get_random_int(&t)) - break; - buf[i] ^= t; - } - count -= bytes; p += bytes; - mix_pool_bytes(buf, bytes); cond_resched(); }
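Review bot: in write_pool(), the on-stack `buf` still holds the caller's seed bytes after `mix_pool_bytes(buf, bytes)`, and nothing in the visible loop clears it. If the function tail (cut off here) does not already do so, add `memzero_explicit(buf, sizeof(buf));` before returning, including on the `-EFAULT` path where a partial copy may have landed in `buf`. Separately, the change from `u32 t, buf[16]` to `u8 buf[BLAKE2S_BLOCK_SIZE]` is not mentioned in the commit message; one sentence on why the buffer is now sized by `BLAKE2S_BLOCK_SIZE` would help later readers.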
Continuing the reasoning of "random: ensure early RDSEED goes through
mixer on init", we don't want RDRAND interacting with anything without
going through the mixer function, as a backdoored CPU could presumably
cancel out data during an xor, which it'd have a harder time doing when
being forced through a cryptographic hash function. There's actually no
need at all to be calling RDRAND in write_pool(), because before we
extract from the pool, we always do so with 32 bytes of RDSEED hashed in
at that stage. Xoring at this stage is needless and introduces a minor
liability.

Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 drivers/char/random.c | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)
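The cancellation argument in the commit message, as an added toy model (not kernel code and not from the patch author). Assumptions: `hostile_rdrand` is a hypothetical backdoor that can see the word it is about to be XORed with, `FIXED` and `SAMPLES` are constructed values, and Python's `hashlib.blake2s` stands in for the pool mixer.

```python
import hashlib
import struct

FIXED = 0x41414141   # constructed value the hostile CPU wants to force
WORDS = 16           # 16 x u32 = 64 bytes, the size of the old write_pool() buffer
FMT = "<%dI" % WORDS


def hostile_rdrand(word):
    """Assumed backdoor: sees the word about to be XORed and cancels it."""
    return word ^ FIXED


def xor_then_mix(user_block, rdrand):
    """Removed code path: buf[i] ^= t, so only the XOR result reaches the mixer."""
    words = struct.unpack(FMT, user_block)
    return struct.pack(FMT, *(w ^ rdrand(w) for w in words))


def mix_separately(user_block, rdrand):
    """Shape the commit message argues for: CPU output enters only via the hash."""
    words = struct.unpack(FMT, user_block)
    cpu_out = struct.pack(FMT, *(rdrand(w) for w in words))
    h = hashlib.blake2s()
    h.update(user_block)   # user bytes absorbed untouched
    h.update(cpu_out)      # CPU bytes absorbed as a separate input
    return h.digest()


def distinct_outputs(stage, inputs):
    """How many different results the stage yields across the given inputs."""
    return len({stage(block, hostile_rdrand) for block in inputs})


# Constructed sample inputs: three different 64-byte writes to /dev/random.
SAMPLES = [bytes([i]) * 64 for i in (1, 2, 3)]

if __name__ == "__main__":
    print("xor path   :", distinct_outputs(xor_then_mix, SAMPLES), "distinct mixer inputs")
    print("hashed path:", distinct_outputs(mix_separately, SAMPLES), "distinct digests")
```

On the XOR path every write collapses to the same block, so the user's contribution is erased before the mixer sees it; on the hashed path the same hostile values leave the three digests distinct, because forcing a chosen result would require steering the hash output rather than a single XOR.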