From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>,
Theodore Ts'o <tytso@mit.edu>,
Dominik Brodowski <linux@dominikbrodowski.net>
Subject: [PATCH] random: use first 128 bits of input as fast init
Date: Sat, 30 Apr 2022 15:24:20 +0200 [thread overview]
Message-ID: <20220430132420.2750896-1-Jason@zx2c4.com> (raw)
Before, the first 64 bytes of input, regardless of how entropic it was,
would be used to mutate the crng base key directly, and none of those
bytes would be credited as having entropy. Then 256 bits of credited
input would be accumulated, and only then would the rng transition from
the earlier "fast init" phase into being actually initialized.
The thinking was that by mixing and matching fast init and real init, an
attacker who compromised the fast init state, considered easy to do
given how little entropy might be in those first 64 bytes, would then be
able to bruteforce bits from the actual initialization. By keeping these
separate, bruteforcing became impossible.
However, by not crediting potentially creditable bits from those first 64
bytes of input, we delay initialization, and actually make the problem
worse, because it means the user is drawing worse random numbers for a
longer period of time.
Instead, we can take the first 128 bits as fast init, and allow them to
be credited, and then hold off on the next 128 bits until they've
accumulated. This is still a wide enough margin to prevent bruteforcing
the rng state, while still initializing much faster. This also
simplifies the code quite a bit and will make additional improvements
possible down the road.
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
drivers/char/random.c | 57 +++++++++++++++++--------------------------
1 file changed, 23 insertions(+), 34 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 02e880a2c51e..0935a140795e 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -231,10 +231,7 @@ static void _warn_unseeded_randomness(const char *func_name, void *caller, void
*
*********************************************************************/
-enum {
- CRNG_RESEED_INTERVAL = 300 * HZ,
- CRNG_INIT_CNT_THRESH = 2 * CHACHA_KEY_SIZE
-};
+enum { CRNG_RESEED_INTERVAL = 300 * HZ };
static struct {
u8 key[CHACHA_KEY_SIZE] __aligned(__alignof__(long));
@@ -445,9 +442,8 @@ static void crng_make_state(u32 chacha_state[CHACHA_STATE_WORDS],
* where we can't trust the buffer passed to it is guaranteed to be
* unpredictable (so it might not have any entropy at all).
*/
-static void crng_pre_init_inject(const void *input, size_t len, bool account)
+static void crng_pre_init_inject(const void *input, size_t len)
{
- static int crng_init_cnt = 0;
struct blake2s_state hash;
unsigned long flags;
@@ -463,18 +459,7 @@ static void crng_pre_init_inject(const void *input, size_t len, bool account)
blake2s_update(&hash, input, len);
blake2s_final(&hash, base_crng.key);
- if (account) {
- crng_init_cnt += min_t(size_t, len, CRNG_INIT_CNT_THRESH - crng_init_cnt);
- if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
- ++base_crng.generation;
- crng_init = 1;
- }
- }
-
spin_unlock_irqrestore(&base_crng.lock, flags);
-
- if (crng_init == 1)
- pr_notice("fast init done\n");
}
static void _get_random_bytes(void *buf, size_t nbytes)
@@ -779,7 +764,8 @@ EXPORT_SYMBOL(get_random_bytes_arch);
enum {
POOL_BITS = BLAKE2S_HASH_SIZE * 8,
- POOL_MIN_BITS = POOL_BITS /* No point in settling for less. */
+ POOL_MIN_BITS = POOL_BITS, /* No point in settling for less. */
+ POOL_INIT_BITS = POOL_MIN_BITS / 2
};
/* For notifying userspace should write into /dev/random. */
@@ -819,6 +805,7 @@ static void mix_pool_bytes(const void *in, size_t nbytes)
static void credit_entropy_bits(size_t nbits)
{
unsigned int entropy_count, orig, add;
+ unsigned long flags;
if (!nbits)
return;
@@ -830,6 +817,15 @@ static void credit_entropy_bits(size_t nbits)
entropy_count = min_t(unsigned int, POOL_BITS, orig + add);
} while (cmpxchg(&input_pool.entropy_count, orig, entropy_count) != orig);
+ if (unlikely(crng_init == 0 && entropy_count >= POOL_INIT_BITS)) {
+ spin_lock_irqsave(&base_crng.lock, flags);
+ if (crng_init == 0) {
+ ++base_crng.generation;
+ crng_init = 1;
+ }
+ spin_unlock_irqrestore(&base_crng.lock, flags);
+ }
+
if (!crng_ready() && entropy_count >= POOL_MIN_BITS)
crng_reseed(false);
}
@@ -1031,13 +1027,13 @@ void add_device_randomness(const void *buf, size_t size)
unsigned long entropy = random_get_entropy();
unsigned long flags;
- if (crng_init == 0 && size)
- crng_pre_init_inject(buf, size, false);
-
spin_lock_irqsave(&input_pool.lock, flags);
_mix_pool_bytes(&entropy, sizeof(entropy));
_mix_pool_bytes(buf, size);
spin_unlock_irqrestore(&input_pool.lock, flags);
+
+ if (unlikely(crng_init == 0 && size))
+ crng_pre_init_inject(buf, size);
}
EXPORT_SYMBOL(add_device_randomness);
@@ -1149,12 +1145,6 @@ void rand_initialize_disk(struct gendisk *disk)
void add_hwgenerator_randomness(const void *buffer, size_t count,
size_t entropy)
{
- if (unlikely(crng_init == 0 && entropy < POOL_MIN_BITS)) {
- crng_pre_init_inject(buffer, count, true);
- mix_pool_bytes(buffer, count);
- return;
- }
-
/*
* Throttle writing if we're above the trickle threshold.
* We'll be woken up again once below POOL_MIN_BITS, when
@@ -1167,6 +1157,8 @@ void add_hwgenerator_randomness(const void *buffer, size_t count,
CRNG_RESEED_INTERVAL);
mix_pool_bytes(buffer, count);
credit_entropy_bits(entropy);
+ if (unlikely(crng_init == 0))
+ crng_pre_init_inject(buffer, count);
}
EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
@@ -1321,13 +1313,10 @@ static void mix_interrupt_randomness(struct work_struct *work)
fast_pool->last = jiffies;
local_irq_enable();
- if (unlikely(crng_init == 0)) {
- crng_pre_init_inject(pool, sizeof(pool), true);
- mix_pool_bytes(pool, sizeof(pool));
- } else {
- mix_pool_bytes(pool, sizeof(pool));
- credit_entropy_bits(1);
- }
+ mix_pool_bytes(pool, sizeof(pool));
+ credit_entropy_bits(1);
+ if (unlikely(crng_init == 0))
+ crng_pre_init_inject(pool, sizeof(pool));
memzero_explicit(pool, sizeof(pool));
}
--
2.35.1
next reply other threads:[~2022-04-30 13:24 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-30 13:24 Jason A. Donenfeld [this message]
2022-05-03 13:12 ` [PATCH v2] random: use first 128 bits of input as fast init Jason A. Donenfeld
2022-05-04 11:16 ` [PATCH v3] " Jason A. Donenfeld
2022-05-04 22:13 ` Nathan Chancellor
2022-05-05 0:34 ` Jason A. Donenfeld
2022-05-13 6:22 ` Dominik Brodowski
2022-05-13 10:17 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220430132420.2750896-1-Jason@zx2c4.com \
--to=jason@zx2c4.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.