Merge tag 'random-5.18-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Pull random number generator fixes from Jason Donenfeld:

- If a hardware random number generator passes a sufficiently large
chunk of entropy to random.c during early boot, we now skip the
"fast_init" business and let it initialize the RNG.

This makes CONFIG_RANDOM_TRUST_BOOTLOADER=y actually useful.

- We already have the command line `random.trust_cpu=0/1` option for
RDRAND, which let distros enable CONFIG_RANDOM_TRUST_CPU=y while
placating concerns of more paranoid users.

Now we add `random.trust_bootloader=0/1` so that distros can
similarly enable CONFIG_RANDOM_TRUST_BOOTLOADER=y.

- Re-add a comment that got removed by accident in the recent revert.

- Add the spec-compliant ACPI CID for vmgenid, which Microsoft added to
the vmgenid spec at Ard's request during earlier review.

- Restore build-time randomness via the latent entropy plugin, which
was lost when we transitioned to using a hash function.

* tag 'random-5.18-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random:
random: mix build-time latent entropy into pool at init
virt: vmgenid: recognize new CID added by Hyper-V
random: re-add removed comment about get_random_{u32,u64} reseeding
random: treat bootloader trust toggle the same way as cpu trust toggle
random: skip fast_init if hwrng provides large chunk of entropy

Linus Torvalds 4 years ago 478f74a3 354b8bf2

+26 -6

4 changed files

expand all

Documentation

admin-guide

kernel-parameters.txt

drivers

char

Kconfig

random.c

virt

vmgenid.c

Documentation/admin-guide/kernel-parameters.txt

··· 4427 4427 fully seed the kernel's CRNG. Default is controlled 4428 4428 by CONFIG_RANDOM_TRUST_CPU. 4429 4429 4430 + random.trust_bootloader={on,off} 4431 + [KNL] Enable or disable trusting the use of a 4432 + seed passed by the bootloader (if available) to 4433 + fully seed the kernel's CRNG. Default is controlled 4434 + by CONFIG_RANDOM_TRUST_BOOTLOADER. 4435 + 4430 4436 randomize_kstack_offset= 4431 4437 [KNL] Enable or disable kernel stack offset 4432 4438 randomization, which provides roughly 5 bits of

+2 -1

drivers/char/Kconfig

··· 449 449 device randomness. Say Y here to assume the entropy provided by the 450 450 booloader is trustworthy so it will be added to the kernel's entropy 451 451 pool. Otherwise, say N here so it will be regarded as device input that 452 - only mixes the entropy pool. 452 + only mixes the entropy pool. This can also be configured at boot with 453 + "random.trust_bootloader=on/off". 453 454 454 455 endmenu

+17 -5

drivers/char/random.c

··· 224 224 * 225 225 * These interfaces will return the requested number of random bytes 226 226 * into the given buffer or as a return value. This is equivalent to 227 - * a read from /dev/urandom. The integer family of functions may be 228 - * higher performance for one-off random integers, because they do a 229 - * bit of buffering. 227 + * a read from /dev/urandom. The u32, u64, int, and long family of 228 + * functions may be higher performance for one-off random integers, 229 + * because they do a bit of buffering and do not invoke reseeding 230 + * until the buffer is emptied. 230 231 * 231 232 *********************************************************************/ 232 233 ··· 949 948 **********************************************************************/ 950 949 951 950 static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU); 951 + static bool trust_bootloader __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER); 952 952 static int __init parse_trust_cpu(char *arg) 953 953 { 954 954 return kstrtobool(arg, &trust_cpu); 955 955 } 956 + static int __init parse_trust_bootloader(char *arg) 957 + { 958 + return kstrtobool(arg, &trust_bootloader); 959 + } 956 960 early_param("random.trust_cpu", parse_trust_cpu); 961 + early_param("random.trust_bootloader", parse_trust_bootloader); 957 962 958 963 /* 959 964 * The first collection of entropy occurs at system boot while interrupts ··· 974 967 ktime_t now = ktime_get_real(); 975 968 bool arch_init = true; 976 969 unsigned long rv; 970 + 971 + #if defined(LATENT_ENTROPY_PLUGIN) 972 + static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy; 973 + _mix_pool_bytes(compiletime_seed, sizeof(compiletime_seed)); 974 + #endif 977 975 978 976 for (i = 0; i < BLAKE2S_BLOCK_SIZE; i += sizeof(rv)) { 979 977 if (!arch_get_random_seed_long_early(&rv) && ··· 1140 1128 void add_hwgenerator_randomness(const void *buffer, size_t count, 1141 1129 size_t entropy) 1142 1130 { 1143 - if (unlikely(crng_init == 0)) { 1131 + if (unlikely(crng_init == 0 && entropy < POOL_MIN_BITS)) { 1144 1132 size_t ret = crng_pre_init_inject(buffer, count, true); 1145 1133 mix_pool_bytes(buffer, ret); 1146 1134 count -= ret; ··· 1172 1160 */ 1173 1161 void add_bootloader_randomness(const void *buf, size_t size) 1174 1162 { 1175 - if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER)) 1163 + if (trust_bootloader) 1176 1164 add_hwgenerator_randomness(buf, size, size * 8); 1177 1165 else 1178 1166 add_device_randomness(buf, size);

drivers/virt/vmgenid.c

··· 78 78 } 79 79 80 80 static const struct acpi_device_id vmgenid_ids[] = { 81 + { "VMGENCTR", 0 }, 81 82 { "VM_GEN_COUNTER", 0 }, 82 83 { } 83 84 };