crypto: jitter - add cmdline oversampling overrides

Commit Message

Markus Theil Jan. 27, 2025, 4:02 p.m. UTC

As already mentioned in the comments, using a cryptographic
hash function, like SHA3-256, decreases the expected entropy
due to properties of random mappings (collisions and unused values).

When mapping 256 bit of entropy to 256 output bits, this results
in roughly 6 bit entropy loss (depending on the estimate formula
for mapping 256 bit to 256 bit via a random mapping):

NIST approximation (count all input bits as input): 255.0
NIST approximation (count only entropy bits as input): 251.69 Bit
BSI approximation (count only entropy bits as input): 250.11 Bit

Therefore add a cmdline override for the 64 bit oversampling safety margin,
This results in an expected entropy of nearly 256 bit also after hashing,
when desired.

Only enable this, when you are aware of the increased runtime per
iteration.

This override is only possible, when not in FIPS mode (as FIPS mandates
this to be true for a full entropy claim).

Signed-off-by: Markus Theil <theil.markus@gmail.com>
---
 crypto/jitterentropy.c | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)

Comments

Stephan Mueller Jan. 27, 2025, 4:50 p.m. UTC | #1

Am Montag, 27. Januar 2025, 17:02:36 CET schrieb Markus Theil:

Hi Markus,

> As already mentioned in the comments, using a cryptographic
> hash function, like SHA3-256, decreases the expected entropy
> due to properties of random mappings (collisions and unused values).
> 
> When mapping 256 bit of entropy to 256 output bits, this results
> in roughly 6 bit entropy loss (depending on the estimate formula
> for mapping 256 bit to 256 bit via a random mapping):
> 
> NIST approximation (count all input bits as input): 255.0
> NIST approximation (count only entropy bits as input): 251.69 Bit
> BSI approximation (count only entropy bits as input): 250.11 Bit
> 
> Therefore add a cmdline override for the 64 bit oversampling safety margin,
> This results in an expected entropy of nearly 256 bit also after hashing,
> when desired.
> 
> Only enable this, when you are aware of the increased runtime per
> iteration.
> 
> This override is only possible, when not in FIPS mode (as FIPS mandates
> this to be true for a full entropy claim).
> 
> Signed-off-by: Markus Theil <theil.markus@gmail.com>

Reviewed-by: Stephan Mueller <smueller@chronox.de>

Ciao
Stephan

Herbert Xu Feb. 9, 2025, 9:18 a.m. UTC | #2

On Mon, Jan 27, 2025 at 05:02:36PM +0100, Markus Theil wrote:
> As already mentioned in the comments, using a cryptographic
> hash function, like SHA3-256, decreases the expected entropy
> due to properties of random mappings (collisions and unused values).
> 
> When mapping 256 bit of entropy to 256 output bits, this results
> in roughly 6 bit entropy loss (depending on the estimate formula
> for mapping 256 bit to 256 bit via a random mapping):
> 
> NIST approximation (count all input bits as input): 255.0
> NIST approximation (count only entropy bits as input): 251.69 Bit
> BSI approximation (count only entropy bits as input): 250.11 Bit
> 
> Therefore add a cmdline override for the 64 bit oversampling safety margin,
> This results in an expected entropy of nearly 256 bit also after hashing,
> when desired.
> 
> Only enable this, when you are aware of the increased runtime per
> iteration.
> 
> This override is only possible, when not in FIPS mode (as FIPS mandates
> this to be true for a full entropy claim).
> 
> Signed-off-by: Markus Theil <theil.markus@gmail.com>
> ---
>  crypto/jitterentropy.c | 33 +++++++++++++++++++++++++++------
>  1 file changed, 27 insertions(+), 6 deletions(-)

Why does this need to be a toggle?

Why can't you just make this conditional on fips_enabled?

Cheers,

Markus Theil Feb. 10, 2025, 12:40 p.m. UTC | #3

Hi (& sorry for replying in HTML the last time :(),

On 09.02.25 10:18, Herbert Xu wrote:
> On Mon, Jan 27, 2025 at 05:02:36PM +0100, Markus Theil wrote:
>> As already mentioned in the comments, using a cryptographic
>> hash function, like SHA3-256, decreases the expected entropy
>> due to properties of random mappings (collisions and unused values).
>>
>> When mapping 256 bit of entropy to 256 output bits, this results
>> in roughly 6 bit entropy loss (depending on the estimate formula
>> for mapping 256 bit to 256 bit via a random mapping):
>>
>> NIST approximation (count all input bits as input): 255.0
>> NIST approximation (count only entropy bits as input): 251.69 Bit
>> BSI approximation (count only entropy bits as input): 250.11 Bit
>>
>> Therefore add a cmdline override for the 64 bit oversampling safety margin,
>> This results in an expected entropy of nearly 256 bit also after hashing,
>> when desired.
>>
>> Only enable this, when you are aware of the increased runtime per
>> iteration.
>>
>> This override is only possible, when not in FIPS mode (as FIPS mandates
>> this to be true for a full entropy claim).
>>
>> Signed-off-by: Markus Theil <theil.markus@gmail.com>
>> ---
>>   crypto/jitterentropy.c | 33 +++++++++++++++++++++++++++------
>>   1 file changed, 27 insertions(+), 6 deletions(-)
> 
> Why does this need to be a toggle?

It slightly increases the runtime of the code per 256 Bit random number 
generated, which possibly doesn't suit embedded guys using this RNG but 
demanding short system bootup.
So users who can live with this penalty can enable it, others probably 
won't tolerate it. With this being a toggle, it will also be easier to 
enable this in default distribution kernels running e.g. in cloud instances.

> 
> Why can't you just make this conditional on fips_enabled?

This was also my first thought, just enable fips mode. Our workloads 
don't have to run in FIPS mode and I don't know which software may 
reacts to the kernel announcing to be fips enabled in an unexpected way.

So basically, this seems to be useful, even when not in FIPS mode.

BR
Markus

Herbert Xu Feb. 11, 2025, 9:14 a.m. UTC | #4

On Mon, Feb 10, 2025 at 01:40:10PM +0100, Markus Theil wrote:
>
> This was also my first thought, just enable fips mode. Our workloads don't
> have to run in FIPS mode and I don't know which software may reacts to the
> kernel announcing to be fips enabled in an unexpected way.
> 
> So basically, this seems to be useful, even when not in FIPS mode.

That's not a strong reason for adding a new run-time toggle.  It
sounds like you could just enable FIPS mode instead.

Cheers,

Patch

diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c
index 3b390bd6c119..2dceb5914aa6 100644
--- a/crypto/jitterentropy.c
+++ b/crypto/jitterentropy.c
@@ -145,10 +145,30 @@  struct rand_data {
  */
 #define JENT_ENTROPY_SAFETY_FACTOR	64
 
+#include <linux/errno.h>
 #include <linux/fips.h>
 #include <linux/minmax.h>
+#include <linux/moduleparam.h>
+#include <linux/types.h>
 #include "jitterentropy.h"
 
+/* FIPS mode mandates this to be true, otherwise allow override,
+ * show correct enabled state also in FIPS mode
+ */
+static bool full_entropy = fips_enabled;
+static int jent_set_full_entropy(const char *val, const struct kernel_param *kp)
+{
+	if (!fips_enabled) {
+		return kstrtobool(val, &full_entropy);
+	} else {
+		return -EINVAL;
+	}
+}
+module_param_call(full_entropy, jent_set_full_entropy, param_get_bool, &full_entropy, 0444);
+MODULE_PARM_DESC(full_entropy,
+		 "Enable additional 64 round safety margin, to reach full entropy (NIST definition)."
+);
+
 /***************************************************************************
  * Adaptive Proportion Test
  *
@@ -178,7 +198,6 @@  static const unsigned int jent_apt_cutoff_lookup[15] = {
 static const unsigned int jent_apt_cutoff_permanent_lookup[15] = {
 	355, 447, 479, 494, 502, 507, 510, 512,
 	512, 512, 512, 512, 512, 512, 512 };
-#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
 
 static void jent_apt_init(struct rand_data *ec, unsigned int osr)
 {
@@ -273,7 +292,7 @@  static void jent_rct_insert(struct rand_data *ec, int stuck)
 		 * alpha = 2^-30 or 2^-60 as recommended in SP800-90B.
 		 * In addition, we require an entropy value H of 1/osr as this
 		 * is the minimum entropy required to provide full entropy.
-		 * Note, we collect (DATA_SIZE_BITS + ENTROPY_SAFETY_FACTOR)*osr
+		 * Note, we collect (DATA_SIZE_BITS + JENT_ENTROPY_SAFETY_FACTOR)*osr
 		 * deltas for inserting them into the entropy pool which should
 		 * then have (close to) DATA_SIZE_BITS bits of entropy in the
 		 * conditioned output.
@@ -549,7 +568,7 @@  static int jent_measure_jitter(struct rand_data *ec, __u64 *ret_current_delta)
 }
 
 /*
- * Generator of one 64 bit random number
+ * Generator of one 256 bit random number
  * Function fills rand_data->hash_state
  *
  * @ec [in] Reference to entropy collector
@@ -558,7 +577,9 @@  static void jent_gen_entropy(struct rand_data *ec)
 {
 	unsigned int k = 0, safety_factor = 0;
 
-	if (fips_enabled)
+	/* entropy safety factor can only be enabled, not disabled
+	 * it is always active in fips mode */
+	if (full_entropy)
 		safety_factor = JENT_ENTROPY_SAFETY_FACTOR;
 
 	/* priming of the ->prev_time value */
@@ -583,9 +604,9 @@  static void jent_gen_entropy(struct rand_data *ec)
  *
  * This function invokes the entropy gathering logic as often to generate
  * as many bytes as requested by the caller. The entropy gathering logic
- * creates 64 bit per invocation.
+ * creates 256 bit per invocation.
  *
- * This function truncates the last 64 bit entropy value output to the exact
+ * This function truncates the last 256 bit entropy value output to the exact
  * size specified by the caller.
  *
  * @ec [in] Reference to entropy collector