From patchwork Sat Jun 3 02:32:02 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jason A. Donenfeld" X-Patchwork-Id: 9763775 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 691EC60360 for ; Sat, 3 Jun 2017 02:32:54 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 57CC52849F for ; Sat, 3 Jun 2017 02:32:54 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4C85528518; Sat, 3 Jun 2017 02:32:54 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 6D4E32849F for ; Sat, 3 Jun 2017 02:32:53 +0000 (UTC) Received: (qmail 22089 invoked by uid 550); 3 Jun 2017 02:32:39 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 20295 invoked from network); 3 Jun 2017 02:32:30 -0000 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=zx2c4.com; h=from:to:cc :subject:date:message-id:in-reply-to:references; s=mail; bh=f/tr l8iN5dSeK7gwHWnMaiV7jWU=; b=hQxqQ1Lle703RrJSNmaWyTxVT4k2znUV9/yC aSM7rPt4uAnZTfu9QIboAosQWIoGU3sholSvNZc3JLM46psFLe9BFruawaL0Ne1q USTjGN+1rxTBQpvGgL2CUyqj4BSDwcQZEz4seKZ3mPdN/8YuwOoDG7XjdIM3RWY/ pXgkFo2VADa9kM/khdT8eLjTTBjdds6RIC+8f8f7OLd5SJEtN6BRgQA8jRh+DLmm xEBmjbS/UnxdT4yGdiwUH0yJlfDKlFI8Y1vi22T2VaP77yJa/Pyt1mbxl/pUwu0v oqTPwFUfmrC7NrGPq4z09D1Syq1dVkrqXo8fBxtodQLkgW/SrQ== From: "Jason A. Donenfeld" To: Theodore Ts'o , Linux Crypto Mailing List , LKML , kernel-hardening@lists.openwall.com Cc: "Jason A. Donenfeld" Date: Sat, 3 Jun 2017 04:32:02 +0200 Message-Id: <20170603023204.30933-2-Jason@zx2c4.com> X-Mailer: git-send-email 2.13.0 In-Reply-To: <20170603023204.30933-1-Jason@zx2c4.com> References: <20170603023204.30933-1-Jason@zx2c4.com> Subject: [kernel-hardening] [PATCH RFC 1/3] random: add synchronous API for the urandom pool X-Virus-Scanned: ClamAV using ClamSMTP This enables users of get_random_{bytes,u32,u64,int,long} to wait until the pool is ready before using this function, in case they actually want to have reliable randomness. Signed-off-by: Jason A. Donenfeld --- drivers/char/random.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-- include/linux/random.h | 1 + 2 files changed, 45 insertions(+), 2 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 0ab024918907..bee7b1349bcb 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1466,7 +1466,10 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf, * number of good random numbers, suitable for key generation, seeding * TCP sequence numbers, etc. It does not rely on the hardware random * number generator. For random bytes direct from the hardware RNG - * (when available), use get_random_bytes_arch(). + * (when available), use get_random_bytes_arch(). In order to ensure + * that the randomness provided by this function is okay, the function + * wait_for_random_bytes() should be called and return 0 at least once + * at any point prior. */ void get_random_bytes(void *buf, int nbytes) { @@ -1496,6 +1499,42 @@ void get_random_bytes(void *buf, int nbytes) EXPORT_SYMBOL(get_random_bytes); /* + * Wait for the urandom pool to be seeded and thus guaranteed to supply + * cryptographically secure random numbers. This applies to: the /dev/urandom + * device, the get_random_bytes function, and the get_random_{u32,u64,int,long} + * family of functions. Using any of these functions without first calling + * this function forfeits the guarantee of security. + * + * If is_interruptable is true, then this uses wait_event_interruptable. + * Otherwise the calling process will not respond to signals. If timeout is + * 0, then, unless interrupted, this function will wait potentially forever. + * Otherwise, timeout is a measure in jiffies. + * + * Returns: 0 if the urandom pool has been seeded. + * -ERESTARTSYS if the function was interrupted or timed out. + * Other return values of the wait_event_* functions. + */ +int wait_for_random_bytes(bool is_interruptable, unsigned long timeout) +{ + if (likely(crng_ready())) + return 0; + if (is_interruptable && timeout) + return wait_event_interruptible_timeout(crng_init_wait, crng_ready(), timeout); + if (is_interruptable && !timeout) + return wait_event_interruptible(crng_init_wait, crng_ready()); + if (!is_interruptable && timeout) + return wait_event_timeout(crng_init_wait, crng_ready(), timeout); + if (!is_interruptable && !timeout) { + wait_event(crng_init_wait, crng_ready()); + return 0; + } + + BUG(); /* This BUG() should be compiled out as unreachable code, but just in case... */ + return -EINVAL; +} +EXPORT_SYMBOL(wait_for_random_bytes); + +/* * Add a callback function that will be invoked when the nonblocking * pool is initialised. * @@ -2023,7 +2062,10 @@ struct batched_entropy { /* * Get a random word for internal kernel use only. The quality of the random * number is either as good as RDRAND or as good as /dev/urandom, with the - * goal of being quite fast and not depleting entropy. + * goal of being quite fast and not depleting entropy. In order to ensure + * that the randomness provided by this function is okay, the function + * wait_for_random_bytes() should be called and return 0 at least once + * at any point prior. */ static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64); u64 get_random_u64(void) diff --git a/include/linux/random.h b/include/linux/random.h index ed5c3838780d..20dd73418bd5 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -34,6 +34,7 @@ extern void add_input_randomness(unsigned int type, unsigned int code, extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy; extern void get_random_bytes(void *buf, int nbytes); +extern int wait_for_random_bytes(bool is_interruptable, unsigned long timeout); extern int add_random_ready_callback(struct random_ready_callback *rdy); extern void del_random_ready_callback(struct random_ready_callback *rdy); extern void get_random_bytes_arch(void *buf, int nbytes);