tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

random: suppress spammy warnings about unseeded randomness

Unfortunately, on some models of some architectures getting a fully
seeded CRNG is extremely difficult, and so this can result in dmesg
getting spammed for a surprisingly long time. This is really bad from
a security perspective, and so architecture maintainers really need to
do what they can to get the CRNG seeded sooner after the system is
booted. However, users can't do anything actionble to address this,
and spamming the kernel messages log will only just annoy people.

For developers who want to work on improving this situation,
CONFIG_WARN_UNSEEDED_RANDOM has been renamed to
CONFIG_WARN_ALL_UNSEEDED_RANDOM. By default the kernel will always
print the first use of unseeded randomness. This way, hopefully the
security obsessed will be happy that there is _some_ indication when
the kernel boots there may be a potential issue with that architecture
or subarchitecture. To see all uses of unseeded randomness,
developers can enable CONFIG_WARN_ALL_UNSEEDED_RANDOM.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Theodore Ts'o eecabf56 d06bfd19

options
unified split
Changed files
+57 -23
drivers
char
random.c
lib
Kconfig.debug
+39 -17
drivers/char/random.c
··· 436 436 static void _crng_backtrack_protect(struct crng_state *crng, 437 437 __u8 tmp[CHACHA20_BLOCK_SIZE], int used); 438 438 static void process_random_ready_list(void); 439 + static void _get_random_bytes(void *buf, int nbytes); 439 440 440 441 /********************************************************************** 441 442 * ··· 777 776 _extract_entropy(&input_pool, &crng->state[4], 778 777 sizeof(__u32) * 12, 0); 779 778 else 780 - get_random_bytes(&crng->state[4], sizeof(__u32) * 12); 779 + _get_random_bytes(&crng->state[4], sizeof(__u32) * 12); 781 780 for (i = 4; i < 16; i++) { 782 781 if (!arch_get_random_seed_long(&rv) && 783 782 !arch_get_random_long(&rv)) ··· 1467 1466 return ret; 1468 1467 } 1469 1468 1469 + #define warn_unseeded_randomness(previous) \ 1470 + _warn_unseeded_randomness(__func__, (void *) _RET_IP_, (previous)) 1471 + 1472 + static void _warn_unseeded_randomness(const char *func_name, void *caller, 1473 + void **previous) 1474 + { 1475 + #ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM 1476 + const bool print_once = false; 1477 + #else 1478 + static bool print_once __read_mostly; 1479 + #endif 1480 + 1481 + if (print_once || 1482 + crng_ready() || 1483 + (previous && (caller == READ_ONCE(*previous)))) 1484 + return; 1485 + WRITE_ONCE(*previous, caller); 1486 + #ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM 1487 + print_once = true; 1488 + #endif 1489 + pr_notice("random: %s called from %pF with crng_init=%d\n", 1490 + func_name, caller, crng_init); 1491 + } 1492 + 1470 1493 /* 1471 1494 * This function is the exported kernel interface. It returns some 1472 1495 * number of good random numbers, suitable for key generation, seeding ··· 1501 1476 * wait_for_random_bytes() should be called and return 0 at least once 1502 1477 * at any point prior. 1503 1478 */ 1504 - void get_random_bytes(void *buf, int nbytes) 1479 + static void _get_random_bytes(void *buf, int nbytes) 1505 1480 { 1506 1481 __u8 tmp[CHACHA20_BLOCK_SIZE]; 1507 1482 1508 - #ifdef CONFIG_WARN_UNSEEDED_RANDOM 1509 - if (!crng_ready()) 1510 - printk(KERN_NOTICE "random: %pF get_random_bytes called " 1511 - "with crng_init = %d\n", (void *) _RET_IP_, crng_init); 1512 - #endif 1513 1483 trace_get_random_bytes(nbytes, _RET_IP_); 1514 1484 1515 1485 while (nbytes >= CHACHA20_BLOCK_SIZE) { ··· 1520 1500 } else 1521 1501 crng_backtrack_protect(tmp, CHACHA20_BLOCK_SIZE); 1522 1502 memzero_explicit(tmp, sizeof(tmp)); 1503 + } 1504 + 1505 + void get_random_bytes(void *buf, int nbytes) 1506 + { 1507 + static void *previous; 1508 + 1509 + warn_unseeded_randomness(&previous); 1510 + _get_random_bytes(buf, nbytes); 1523 1511 } 1524 1512 EXPORT_SYMBOL(get_random_bytes); 1525 1513 ··· 2092 2064 bool use_lock = READ_ONCE(crng_init) < 2; 2093 2065 unsigned long flags = 0; 2094 2066 struct batched_entropy *batch; 2067 + static void *previous; 2095 2068 2096 2069 #if BITS_PER_LONG == 64 2097 2070 if (arch_get_random_long((unsigned long *)&ret)) ··· 2103 2074 return ret; 2104 2075 #endif 2105 2076 2106 - #ifdef CONFIG_WARN_UNSEEDED_RANDOM 2107 - if (!crng_ready()) 2108 - printk(KERN_NOTICE "random: %pF get_random_u64 called " 2109 - "with crng_init = %d\n", (void *) _RET_IP_, crng_init); 2110 - #endif 2077 + warn_unseeded_randomness(&previous); 2111 2078 2112 2079 batch = &get_cpu_var(batched_entropy_u64); 2113 2080 if (use_lock) ··· 2127 2102 bool use_lock = READ_ONCE(crng_init) < 2; 2128 2103 unsigned long flags = 0; 2129 2104 struct batched_entropy *batch; 2105 + static void *previous; 2130 2106 2131 2107 if (arch_get_random_int(&ret)) 2132 2108 return ret; 2133 2109 2134 - #ifdef CONFIG_WARN_UNSEEDED_RANDOM 2135 - if (!crng_ready()) 2136 - printk(KERN_NOTICE "random: %pF get_random_u32 called " 2137 - "with crng_init = %d\n", (void *) _RET_IP_, crng_init); 2138 - #endif 2110 + warn_unseeded_randomness(&previous); 2139 2111 2140 2112 batch = &get_cpu_var(batched_entropy_u32); 2141 2113 if (use_lock)
+18 -6
lib/Kconfig.debug
··· 1209 1209 It is also used by various kernel debugging features that require 1210 1210 stack trace generation. 1211 1211 1212 - config WARN_UNSEEDED_RANDOM 1213 - bool "Warn when kernel uses unseeded randomness" 1214 - default y 1215 - depends on DEBUG_KERNEL 1212 + config WARN_ALL_UNSEEDED_RANDOM 1213 + bool "Warn for all uses of unseeded randomness" 1214 + default n 1216 1215 help 1217 1216 Some parts of the kernel contain bugs relating to their use of 1218 1217 cryptographically secure random numbers before it's actually possible ··· 1221 1222 are going wrong, so that they might contact developers about fixing 1222 1223 it. 1223 1224 1224 - Say Y here, unless you simply do not care about using unseeded 1225 - randomness and do not want a potential warning message in your logs. 1225 + Unfortunately, on some models of some architectures getting 1226 + a fully seeded CRNG is extremely difficult, and so this can 1227 + result in dmesg getting spammed for a surprisingly long 1228 + time. This is really bad from a security perspective, and 1229 + so architecture maintainers really need to do what they can 1230 + to get the CRNG seeded sooner after the system is booted. 1231 + However, since users can not do anything actionble to 1232 + address this, by default the kernel will issue only a single 1233 + warning for the first use of unseeded randomness. 1234 + 1235 + Say Y here if you want to receive warnings for all uses of 1236 + unseeded randomness. This will be of use primarily for 1237 + those developers interersted in improving the security of 1238 + Linux kernels running on their architecture (or 1239 + subarchitecture). 1226 1240 1227 1241 config DEBUG_KOBJECT 1228 1242 bool "kobject debugging"