From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: tytso@mit.edu, linux@dominikbrodowski.net, ebiggers@kernel.org,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: [PATCH v2 8/9] random: use hash function for crng_slow_load()
Date: Wed, 9 Feb 2022 02:19:18 +0100 [thread overview]
Message-ID: <20220209011919.493762-9-Jason@zx2c4.com> (raw)
In-Reply-To: <20220209011919.493762-1-Jason@zx2c4.com>
Since we have a hash function that's really fast, and the goal of
crng_slow_load() is reportedly to "touch all of the crng's state", we
can just hash the old state together with the new state and call it a
day. This way we dont need to reason about another LFSR or worry about
various attacks there. This code is only ever used at early boot and
then never again.
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
drivers/char/random.c | 42 +++++++++++++++---------------------------
1 file changed, 15 insertions(+), 27 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 359fd2501c45..f7f9cbfe13f7 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -470,42 +470,30 @@ static size_t crng_fast_load(const u8 *cp, size_t len)
* all), and (2) it doesn't have the performance constraints of
* crng_fast_load().
*
- * So we do something more comprehensive which is guaranteed to touch
- * all of the primary_crng's state, and which uses a LFSR with a
- * period of 255 as part of the mixing algorithm. Finally, we do
- * *not* advance crng_init_cnt since buffer we may get may be something
- * like a fixed DMI table (for example), which might very well be
- * unique to the machine, but is otherwise unvarying.
+ * So, we simply hash the contents in with the current key. Finally,
+ * we do *not* advance crng_init_cnt since buffer we may get may be
+ * something like a fixed DMI table (for example), which might very
+ * well be unique to the machine, but is otherwise unvarying.
*/
-static int crng_slow_load(const u8 *cp, size_t len)
+static void crng_slow_load(const u8 *cp, size_t len)
{
unsigned long flags;
- static u8 lfsr = 1;
- u8 tmp;
- unsigned int i, max = sizeof(base_crng.key);
- const u8 *src_buf = cp;
- u8 *dest_buf = base_crng.key;
+ struct blake2s_state hash;
+
+ blake2s_init(&hash, sizeof(base_crng.key));
if (!spin_trylock_irqsave(&base_crng.lock, flags))
- return 0;
+ return;
if (crng_init != 0) {
spin_unlock_irqrestore(&base_crng.lock, flags);
- return 0;
- }
- if (len > max)
- max = len;
-
- for (i = 0; i < max; i++) {
- tmp = lfsr;
- lfsr >>= 1;
- if (tmp & 1)
- lfsr ^= 0xE1;
- tmp = dest_buf[i % sizeof(base_crng.key)];
- dest_buf[i % sizeof(base_crng.key)] ^= src_buf[i % len] ^ lfsr;
- lfsr += (tmp << 3) | (tmp >> 5);
+ return;
}
+
+ blake2s_update(&hash, base_crng.key, sizeof(base_crng.key));
+ blake2s_update(&hash, cp, len);
+ blake2s_final(&hash, base_crng.key);
+
spin_unlock_irqrestore(&base_crng.lock, flags);
- return 1;
}
static void crng_reseed(void)
--
2.35.0
next prev parent reply other threads:[~2022-02-09 2:39 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-09 1:19 [PATCH v2 0/9] random: cleanups around per-cpu crng & rdrand Jason A. Donenfeld
2022-02-09 1:19 ` [PATCH v2 1/9] random: use RDSEED instead of RDRAND in entropy extraction Jason A. Donenfeld
2022-02-09 6:18 ` Dominik Brodowski
2022-02-09 1:19 ` [PATCH v2 2/9] random: get rid of secondary crngs Jason A. Donenfeld
2022-02-09 8:22 ` Dominik Brodowski
2022-02-09 10:26 ` Jason A. Donenfeld
2022-02-21 2:38 ` Eric Biggers
2022-02-09 1:19 ` [PATCH v2 3/9] random: inline leaves of rand_initialize() Jason A. Donenfeld
2022-02-09 8:22 ` Dominik Brodowski
2022-02-09 10:27 ` Jason A. Donenfeld
2022-02-09 1:19 ` [PATCH v2 4/9] random: ensure early RDSEED goes through mixer on init Jason A. Donenfeld
2022-02-09 8:23 ` Dominik Brodowski
2022-02-09 10:37 ` Jason A. Donenfeld
2022-02-09 1:19 ` [PATCH v2 5/9] random: do not xor RDRAND when writing into /dev/random Jason A. Donenfeld
2022-02-09 8:28 ` Dominik Brodowski
2022-02-09 10:40 ` Jason A. Donenfeld
2022-02-09 1:19 ` [PATCH v2 6/9] random: absorb fast pool into input pool after fast load Jason A. Donenfeld
2022-02-09 8:29 ` Dominik Brodowski
2022-02-09 10:45 ` Jason A. Donenfeld
2022-02-15 21:13 ` [PATCH v3] " Jason A. Donenfeld
2022-02-21 2:47 ` Eric Biggers
2022-02-21 14:57 ` Jason A. Donenfeld
2022-02-21 14:58 ` [PATCH v4] " Jason A. Donenfeld
2022-02-21 19:08 ` Eric Biggers
2022-02-09 1:19 ` [PATCH v2 7/9] random: use simpler fast key erasure flow on per-cpu keys Jason A. Donenfeld
2022-02-09 8:30 ` Dominik Brodowski
2022-02-09 10:54 ` Jason A. Donenfeld
2022-02-14 18:46 ` [PATCH v3] " Jason A. Donenfeld
2022-02-16 23:21 ` [PATCH v4] " Jason A. Donenfeld
2022-02-21 3:37 ` Eric Biggers
2022-02-21 14:42 ` Jason A. Donenfeld
2022-02-09 1:19 ` Jason A. Donenfeld [this message]
2022-02-09 8:30 ` [PATCH v2 8/9] random: use hash function for crng_slow_load() Dominik Brodowski
2022-02-21 3:40 ` Eric Biggers
2022-02-09 1:19 ` [PATCH v2 9/9] random: remove outdated INT_MAX >> 6 check in urandom_read() Jason A. Donenfeld
2022-02-21 3:56 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220209011919.493762-9-Jason@zx2c4.com \
--to=jason@zx2c4.com \
--cc=ebiggers@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).