[PATCH v9 0/3] add support for rng-seed

[PATCH v9 0/3] add support for rng-seed

[Hsin-Yi Wang]

Introducing a chosen node, rng-seed, which is an entropy that can be
passed to kernel called very early to increase initial device
randomness. This can be used for adding sufficient initial entropy
for stack canary. Especially architectures that lack per-stack canary.

Hsin-Yi Wang (3):
  arm64: map FDT as RW for early_init_dt_scan()
  fdt: add support for rng-seed
  arm64: kexec_file: add rng-seed support

 arch/arm64/include/asm/mmu.h           |  2 +-
 arch/arm64/kernel/kaslr.c              |  5 +----
 arch/arm64/kernel/machine_kexec_file.c | 18 +++++++++++++++++-
 arch/arm64/kernel/setup.c              |  9 ++++++++-
 arch/arm64/mm/mmu.c                    | 15 +--------------
 drivers/char/Kconfig                   | 10 ++++++++++
 drivers/char/random.c                  | 15 +++++++++++++++
 drivers/of/fdt.c                       | 14 ++++++++++++--
 include/linux/random.h                 |  1 +
 9 files changed, 66 insertions(+), 23 deletions(-)

--
Change from v8:
* Add a new interface add_bootloader_randomness
--
2.20.1

[PATCH v9 0/3] add support for rng-seed

[Hsin-Yi Wang]

Introducing a chosen node, rng-seed, which is an entropy that can be
passed to kernel called very early to increase initial device
randomness. This can be used for adding sufficient initial entropy
for stack canary. Especially architectures that lack per-stack canary.

Hsin-Yi Wang (3):
  arm64: map FDT as RW for early_init_dt_scan()
  fdt: add support for rng-seed
  arm64: kexec_file: add rng-seed support

 arch/arm64/include/asm/mmu.h           |  2 +-
 arch/arm64/kernel/kaslr.c              |  5 +----
 arch/arm64/kernel/machine_kexec_file.c | 18 +++++++++++++++++-
 arch/arm64/kernel/setup.c              |  9 ++++++++-
 arch/arm64/mm/mmu.c                    | 15 +--------------
 drivers/char/Kconfig                   | 10 ++++++++++
 drivers/char/random.c                  | 15 +++++++++++++++
 drivers/of/fdt.c                       | 14 ++++++++++++--
 include/linux/random.h                 |  1 +
 9 files changed, 66 insertions(+), 23 deletions(-)

--
Change from v8:
* Add a new interface add_bootloader_randomness
--
2.20.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v9 1/3] arm64: map FDT as RW for early_init_dt_scan()

[Hsin-Yi Wang]

Currently in arm64, FDT is mapped to RO before it's passed to
early_init_dt_scan(). However, there might be some codes
(eg. commit "fdt: add support for rng-seed") that need to modify FDT
during init. Map FDT to RO after early fixups are done.

Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
---
No change since v7.
---
 arch/arm64/include/asm/mmu.h |  2 +-
 arch/arm64/kernel/kaslr.c    |  5 +----
 arch/arm64/kernel/setup.c    |  9 ++++++++-
 arch/arm64/mm/mmu.c          | 15 +--------------
 4 files changed, 11 insertions(+), 20 deletions(-)

diff --git a/arch/arm64/include/asm/mmu.h b/arch/arm64/include/asm/mmu.h
index fd6161336653..f217e3292919 100644
--- a/arch/arm64/include/asm/mmu.h
+++ b/arch/arm64/include/asm/mmu.h
@@ -126,7 +126,7 @@ extern void init_mem_pgprot(void);
 extern void create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys,
 			       unsigned long virt, phys_addr_t size,
 			       pgprot_t prot, bool page_mappings_only);
-extern void *fixmap_remap_fdt(phys_addr_t dt_phys);
+extern void *fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot);
 extern void mark_linear_text_alias_ro(void);
 
 #define INIT_MM_CONTEXT(name)	\
diff --git a/arch/arm64/kernel/kaslr.c b/arch/arm64/kernel/kaslr.c
index 5a59f7567f9c..416f537bf614 100644
--- a/arch/arm64/kernel/kaslr.c
+++ b/arch/arm64/kernel/kaslr.c
@@ -62,9 +62,6 @@ static __init const u8 *kaslr_get_cmdline(void *fdt)
 	return default_cmdline;
 }
 
-extern void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size,
-				       pgprot_t prot);
-
 /*
  * This routine will be executed with the kernel mapped at its default virtual
  * address, and if it returns successfully, the kernel will be remapped, and
@@ -93,7 +90,7 @@ u64 __init kaslr_early_init(u64 dt_phys)
 	 * attempt at mapping the FDT in setup_machine()
 	 */
 	early_fixmap_init();
-	fdt = __fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL);
+	fdt = fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL);
 	if (!fdt)
 		return 0;
 
diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
index 57ff38600828..56f664561754 100644
--- a/arch/arm64/kernel/setup.c
+++ b/arch/arm64/kernel/setup.c
@@ -170,9 +170,13 @@ static void __init smp_build_mpidr_hash(void)
 
 static void __init setup_machine_fdt(phys_addr_t dt_phys)
 {
-	void *dt_virt = fixmap_remap_fdt(dt_phys);
+	int size;
+	void *dt_virt = fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL);
 	const char *name;
 
+	if (dt_virt)
+		memblock_reserve(dt_phys, size);
+
 	if (!dt_virt || !early_init_dt_scan(dt_virt)) {
 		pr_crit("\n"
 			"Error: invalid device tree blob at physical address %pa (virtual address 0x%p)\n"
@@ -184,6 +188,9 @@ static void __init setup_machine_fdt(phys_addr_t dt_phys)
 			cpu_relax();
 	}
 
+	/* Early fixups are done, map the FDT as read-only now */
+	fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL_RO);
+
 	name = of_flat_dt_get_machine_name();
 	if (!name)
 		return;
diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index e67bab4d613e..1586d7fbf26a 100644
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -877,7 +877,7 @@ void __set_fixmap(enum fixed_addresses idx,
 	}
 }
 
-void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
+void *__init fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
 {
 	const u64 dt_virt_base = __fix_to_virt(FIX_FDT);
 	int offset;
@@ -930,19 +930,6 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
 	return dt_virt;
 }
 
-void *__init fixmap_remap_fdt(phys_addr_t dt_phys)
-{
-	void *dt_virt;
-	int size;
-
-	dt_virt = __fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL_RO);
-	if (!dt_virt)
-		return NULL;
-
-	memblock_reserve(dt_phys, size);
-	return dt_virt;
-}
-
 int __init arch_ioremap_p4d_supported(void)
 {
 	return 0;
-- 
2.20.1

[PATCH v9 1/3] arm64: map FDT as RW for early_init_dt_scan()

[Hsin-Yi Wang]

Currently in arm64, FDT is mapped to RO before it's passed to
early_init_dt_scan(). However, there might be some codes
(eg. commit "fdt: add support for rng-seed") that need to modify FDT
during init. Map FDT to RO after early fixups are done.

Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
---
No change since v7.
---
 arch/arm64/include/asm/mmu.h |  2 +-
 arch/arm64/kernel/kaslr.c    |  5 +----
 arch/arm64/kernel/setup.c    |  9 ++++++++-
 arch/arm64/mm/mmu.c          | 15 +--------------
 4 files changed, 11 insertions(+), 20 deletions(-)

diff --git a/arch/arm64/include/asm/mmu.h b/arch/arm64/include/asm/mmu.h
index fd6161336653..f217e3292919 100644
--- a/arch/arm64/include/asm/mmu.h
+++ b/arch/arm64/include/asm/mmu.h
@@ -126,7 +126,7 @@ extern void init_mem_pgprot(void);
 extern void create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys,
 			       unsigned long virt, phys_addr_t size,
 			       pgprot_t prot, bool page_mappings_only);
-extern void *fixmap_remap_fdt(phys_addr_t dt_phys);
+extern void *fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot);
 extern void mark_linear_text_alias_ro(void);
 
 #define INIT_MM_CONTEXT(name)	\
diff --git a/arch/arm64/kernel/kaslr.c b/arch/arm64/kernel/kaslr.c
index 5a59f7567f9c..416f537bf614 100644
--- a/arch/arm64/kernel/kaslr.c
+++ b/arch/arm64/kernel/kaslr.c
@@ -62,9 +62,6 @@ static __init const u8 *kaslr_get_cmdline(void *fdt)
 	return default_cmdline;
 }
 
-extern void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size,
-				       pgprot_t prot);
-
 /*
  * This routine will be executed with the kernel mapped at its default virtual
  * address, and if it returns successfully, the kernel will be remapped, and
@@ -93,7 +90,7 @@ u64 __init kaslr_early_init(u64 dt_phys)
 	 * attempt at mapping the FDT in setup_machine()
 	 */
 	early_fixmap_init();
-	fdt = __fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL);
+	fdt = fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL);
 	if (!fdt)
 		return 0;
 
diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
index 57ff38600828..56f664561754 100644
--- a/arch/arm64/kernel/setup.c
+++ b/arch/arm64/kernel/setup.c
@@ -170,9 +170,13 @@ static void __init smp_build_mpidr_hash(void)
 
 static void __init setup_machine_fdt(phys_addr_t dt_phys)
 {
-	void *dt_virt = fixmap_remap_fdt(dt_phys);
+	int size;
+	void *dt_virt = fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL);
 	const char *name;
 
+	if (dt_virt)
+		memblock_reserve(dt_phys, size);
+
 	if (!dt_virt || !early_init_dt_scan(dt_virt)) {
 		pr_crit("\n"
 			"Error: invalid device tree blob at physical address %pa (virtual address 0x%p)\n"
@@ -184,6 +188,9 @@ static void __init setup_machine_fdt(phys_addr_t dt_phys)
 			cpu_relax();
 	}
 
+	/* Early fixups are done, map the FDT as read-only now */
+	fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL_RO);
+
 	name = of_flat_dt_get_machine_name();
 	if (!name)
 		return;
diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index e67bab4d613e..1586d7fbf26a 100644
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -877,7 +877,7 @@ void __set_fixmap(enum fixed_addresses idx,
 	}
 }
 
-void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
+void *__init fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
 {
 	const u64 dt_virt_base = __fix_to_virt(FIX_FDT);
 	int offset;
@@ -930,19 +930,6 @@ void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, pgprot_t prot)
 	return dt_virt;
 }
 
-void *__init fixmap_remap_fdt(phys_addr_t dt_phys)
-{
-	void *dt_virt;
-	int size;
-
-	dt_virt = __fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL_RO);
-	if (!dt_virt)
-		return NULL;
-
-	memblock_reserve(dt_phys, size);
-	return dt_virt;
-}
-
 int __init arch_ioremap_p4d_supported(void)
 {
 	return 0;
-- 
2.20.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v9 2/3] fdt: add support for rng-seed

[Hsin-Yi Wang]

Introducing a chosen node, rng-seed, which is an entropy that can be
passed to kernel called very early to increase initial device
randomness. Bootloader should provide this entropy and the value is
read from /chosen/rng-seed in DT.

Obtain of_fdt_crc32 for CRC check after early_init_dt_scan_nodes(),
since early_init_dt_scan_chosen() would modify fdt to erase rng-seed.

Add a new interface add_bootloader_randomness() for rng-seed use case.
Depends on whether the seed is trustworthy, rng seed would be passed to
add_hwgenerator_randomness(). Otherwise it would be passed to
add_device_randomness(). Decision is controlled by kernel config
RANDOM_TRUST_BOOTLOADER.

Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Reviewed-by: Rob Herring <robh@kernel.org>
---
Change from v8:
* Add a new interface add_bootloader_randomness
* Add a new kernel config
---
 drivers/char/Kconfig   | 10 ++++++++++
 drivers/char/random.c  | 15 +++++++++++++++
 drivers/of/fdt.c       | 14 ++++++++++++--
 include/linux/random.h |  1 +
 4 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
index 96156c729a31..5974a5906fd0 100644
--- a/drivers/char/Kconfig
+++ b/drivers/char/Kconfig
@@ -551,3 +551,13 @@ config RANDOM_TRUST_CPU
 	has not installed a hidden back door to compromise the CPU's
 	random number generation facilities. This can also be configured
 	at boot with "random.trust_cpu=on/off".
+
+config RANDOM_TRUST_BOOTLOADER
+	bool "Trust the bootloader to initialize Linux's CRNG"
+	default n
+	help
+	Bootloader could provide rng-seed set in /chosen/rng-seed in DT to help
+	increase initial device randomness. Assume the entropy provided is
+	trustworthy, it would be regarded as true hardware RNGs and update the
+	entropy estimate. Otherwise it would be regarded as device input that
+	could help mix the entropy pool, but won't be added to actual entropy.
\ No newline at end of file
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 5d5ea4ce1442..29d3ff3de1e1 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -2445,3 +2445,18 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
 	credit_entropy_bits(poolp, entropy);
 }
 EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
+
+/* Handle random seed passed by bootloader.
+ * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
+ * it would be regarded as device data.
+ * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
+ */
+void add_bootloader_randomness(const void *buf, unsigned int size)
+{
+#ifdef CONFIG_RANDOM_TRUST_BOOTLOADER
+	add_hwgenerator_randomness(buf, size, size * 8);
+#else
+	add_device_randomness(buf, size);
+#endif
+}
+EXPORT_SYMBOL_GPL(add_bootloader_randomness);
\ No newline at end of file
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 9cdf14b9aaab..7d97ab6d0e31 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -24,6 +24,7 @@
 #include <linux/debugfs.h>
 #include <linux/serial_core.h>
 #include <linux/sysfs.h>
+#include <linux/random.h>
 
 #include <asm/setup.h>  /* for COMMAND_LINE_SIZE */
 #include <asm/page.h>
@@ -1044,6 +1045,7 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
 {
 	int l;
 	const char *p;
+	const void *rng_seed;
 
 	pr_debug("search \"chosen\", depth: %d, uname: %s\n", depth, uname);
 
@@ -1078,6 +1080,14 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
 
 	pr_debug("Command line is: %s\n", (char*)data);
 
+	rng_seed = of_get_flat_dt_prop(node, "rng-seed", &l);
+	if (rng_seed && l > 0) {
+		add_bootloader_randomness(rng_seed, l);
+
+		/* try to clear seed so it won't be found. */
+		fdt_nop_property(initial_boot_params, node, "rng-seed");
+	}
+
 	/* break now */
 	return 1;
 }
@@ -1166,8 +1176,6 @@ bool __init early_init_dt_verify(void *params)
 
 	/* Setup flat device-tree pointer */
 	initial_boot_params = params;
-	of_fdt_crc32 = crc32_be(~0, initial_boot_params,
-				fdt_totalsize(initial_boot_params));
 	return true;
 }
 
@@ -1197,6 +1205,8 @@ bool __init early_init_dt_scan(void *params)
 		return false;
 
 	early_init_dt_scan_nodes();
+	of_fdt_crc32 = crc32_be(~0, initial_boot_params,
+				fdt_totalsize(initial_boot_params));
 	return true;
 }
 
diff --git a/include/linux/random.h b/include/linux/random.h
index 1f7dced2bba6..f189c927fdea 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -19,6 +19,7 @@ struct random_ready_callback {
 };
 
 extern void add_device_randomness(const void *, unsigned int);
+extern void add_bootloader_randomness(const void *, unsigned int);
 
 #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
 static inline void add_latent_entropy(void)
-- 
2.20.1

[PATCH v9 2/3] fdt: add support for rng-seed

[Hsin-Yi Wang]

Introducing a chosen node, rng-seed, which is an entropy that can be
passed to kernel called very early to increase initial device
randomness. Bootloader should provide this entropy and the value is
read from /chosen/rng-seed in DT.

Obtain of_fdt_crc32 for CRC check after early_init_dt_scan_nodes(),
since early_init_dt_scan_chosen() would modify fdt to erase rng-seed.

Add a new interface add_bootloader_randomness() for rng-seed use case.
Depends on whether the seed is trustworthy, rng seed would be passed to
add_hwgenerator_randomness(). Otherwise it would be passed to
add_device_randomness(). Decision is controlled by kernel config
RANDOM_TRUST_BOOTLOADER.

Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Reviewed-by: Rob Herring <robh@kernel.org>
---
Change from v8:
* Add a new interface add_bootloader_randomness
* Add a new kernel config
---
 drivers/char/Kconfig   | 10 ++++++++++
 drivers/char/random.c  | 15 +++++++++++++++
 drivers/of/fdt.c       | 14 ++++++++++++--
 include/linux/random.h |  1 +
 4 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
index 96156c729a31..5974a5906fd0 100644
--- a/drivers/char/Kconfig
+++ b/drivers/char/Kconfig
@@ -551,3 +551,13 @@ config RANDOM_TRUST_CPU
 	has not installed a hidden back door to compromise the CPU's
 	random number generation facilities. This can also be configured
 	at boot with "random.trust_cpu=on/off".
+
+config RANDOM_TRUST_BOOTLOADER
+	bool "Trust the bootloader to initialize Linux's CRNG"
+	default n
+	help
+	Bootloader could provide rng-seed set in /chosen/rng-seed in DT to help
+	increase initial device randomness. Assume the entropy provided is
+	trustworthy, it would be regarded as true hardware RNGs and update the
+	entropy estimate. Otherwise it would be regarded as device input that
+	could help mix the entropy pool, but won't be added to actual entropy.
\ No newline at end of file
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 5d5ea4ce1442..29d3ff3de1e1 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -2445,3 +2445,18 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
 	credit_entropy_bits(poolp, entropy);
 }
 EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
+
+/* Handle random seed passed by bootloader.
+ * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
+ * it would be regarded as device data.
+ * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
+ */
+void add_bootloader_randomness(const void *buf, unsigned int size)
+{
+#ifdef CONFIG_RANDOM_TRUST_BOOTLOADER
+	add_hwgenerator_randomness(buf, size, size * 8);
+#else
+	add_device_randomness(buf, size);
+#endif
+}
+EXPORT_SYMBOL_GPL(add_bootloader_randomness);
\ No newline at end of file
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 9cdf14b9aaab..7d97ab6d0e31 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -24,6 +24,7 @@
 #include <linux/debugfs.h>
 #include <linux/serial_core.h>
 #include <linux/sysfs.h>
+#include <linux/random.h>
 
 #include <asm/setup.h>  /* for COMMAND_LINE_SIZE */
 #include <asm/page.h>
@@ -1044,6 +1045,7 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
 {
 	int l;
 	const char *p;
+	const void *rng_seed;
 
 	pr_debug("search \"chosen\", depth: %d, uname: %s\n", depth, uname);
 
@@ -1078,6 +1080,14 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
 
 	pr_debug("Command line is: %s\n", (char*)data);
 
+	rng_seed = of_get_flat_dt_prop(node, "rng-seed", &l);
+	if (rng_seed && l > 0) {
+		add_bootloader_randomness(rng_seed, l);
+
+		/* try to clear seed so it won't be found. */
+		fdt_nop_property(initial_boot_params, node, "rng-seed");
+	}
+
 	/* break now */
 	return 1;
 }
@@ -1166,8 +1176,6 @@ bool __init early_init_dt_verify(void *params)
 
 	/* Setup flat device-tree pointer */
 	initial_boot_params = params;
-	of_fdt_crc32 = crc32_be(~0, initial_boot_params,
-				fdt_totalsize(initial_boot_params));
 	return true;
 }
 
@@ -1197,6 +1205,8 @@ bool __init early_init_dt_scan(void *params)
 		return false;
 
 	early_init_dt_scan_nodes();
+	of_fdt_crc32 = crc32_be(~0, initial_boot_params,
+				fdt_totalsize(initial_boot_params));
 	return true;
 }
 
diff --git a/include/linux/random.h b/include/linux/random.h
index 1f7dced2bba6..f189c927fdea 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -19,6 +19,7 @@ struct random_ready_callback {
 };
 
 extern void add_device_randomness(const void *, unsigned int);
+extern void add_bootloader_randomness(const void *, unsigned int);
 
 #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
 static inline void add_latent_entropy(void)
-- 
2.20.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

[PATCH v9 3/3] arm64: kexec_file: add rng-seed support

[Hsin-Yi Wang]

Adding "rng-seed" to dtb. It's fine to add this property if original
fdt doesn't contain it. Since original seed will be wiped after
read, so use a default size 128 bytes here.

Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
---
No change since v7.
---
 arch/arm64/kernel/machine_kexec_file.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index ba78ee7ca990..7b08bf9499b6 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -27,6 +27,8 @@
 #define FDT_PROP_INITRD_END	"linux,initrd-end"
 #define FDT_PROP_BOOTARGS	"bootargs"
 #define FDT_PROP_KASLR_SEED	"kaslr-seed"
+#define FDT_PROP_RNG_SEED	"rng-seed"
+#define RNG_SEED_SIZE		128
 
 const struct kexec_file_ops * const kexec_file_loaders[] = {
 	&kexec_image_ops,
@@ -102,6 +104,19 @@ static int setup_dtb(struct kimage *image,
 				FDT_PROP_KASLR_SEED);
 	}
 
+	/* add rng-seed */
+	if (rng_is_initialized()) {
+		u8 rng_seed[RNG_SEED_SIZE];
+		get_random_bytes(rng_seed, RNG_SEED_SIZE);
+		ret = fdt_setprop(dtb, off, FDT_PROP_RNG_SEED, rng_seed,
+				RNG_SEED_SIZE);
+		if (ret)
+			goto out;
+	} else {
+		pr_notice("RNG is not initialised: omitting \"%s\" property\n",
+				FDT_PROP_RNG_SEED);
+	}
+
 out:
 	if (ret)
 		return (ret == -FDT_ERR_NOSPACE) ? -ENOMEM : -EINVAL;
@@ -110,7 +125,8 @@ static int setup_dtb(struct kimage *image,
 }
 
 /*
- * More space needed so that we can add initrd, bootargs and kaslr-seed.
+ * More space needed so that we can add initrd, bootargs, kaslr-seed, and
+ * rng-seed.
  */
 #define DTB_EXTRA_SPACE 0x1000
 
-- 
2.20.1

[PATCH v9 3/3] arm64: kexec_file: add rng-seed support

[Hsin-Yi Wang]

Adding "rng-seed" to dtb. It's fine to add this property if original
fdt doesn't contain it. Since original seed will be wiped after
read, so use a default size 128 bytes here.

Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
---
No change since v7.
---
 arch/arm64/kernel/machine_kexec_file.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index ba78ee7ca990..7b08bf9499b6 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -27,6 +27,8 @@
 #define FDT_PROP_INITRD_END	"linux,initrd-end"
 #define FDT_PROP_BOOTARGS	"bootargs"
 #define FDT_PROP_KASLR_SEED	"kaslr-seed"
+#define FDT_PROP_RNG_SEED	"rng-seed"
+#define RNG_SEED_SIZE		128
 
 const struct kexec_file_ops * const kexec_file_loaders[] = {
 	&kexec_image_ops,
@@ -102,6 +104,19 @@ static int setup_dtb(struct kimage *image,
 				FDT_PROP_KASLR_SEED);
 	}
 
+	/* add rng-seed */
+	if (rng_is_initialized()) {
+		u8 rng_seed[RNG_SEED_SIZE];
+		get_random_bytes(rng_seed, RNG_SEED_SIZE);
+		ret = fdt_setprop(dtb, off, FDT_PROP_RNG_SEED, rng_seed,
+				RNG_SEED_SIZE);
+		if (ret)
+			goto out;
+	} else {
+		pr_notice("RNG is not initialised: omitting \"%s\" property\n",
+				FDT_PROP_RNG_SEED);
+	}
+
 out:
 	if (ret)
 		return (ret == -FDT_ERR_NOSPACE) ? -ENOMEM : -EINVAL;
@@ -110,7 +125,8 @@ static int setup_dtb(struct kimage *image,
 }
 
 /*
- * More space needed so that we can add initrd, bootargs and kaslr-seed.
+ * More space needed so that we can add initrd, bootargs, kaslr-seed, and
+ * rng-seed.
  */
 #define DTB_EXTRA_SPACE 0x1000
 
-- 
2.20.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Theodore Y. Ts'o]

On Thu, Aug 22, 2019 at 03:15:22PM +0800, Hsin-Yi Wang wrote:
> Introducing a chosen node, rng-seed, which is an entropy that can be
> passed to kernel called very early to increase initial device
> randomness. Bootloader should provide this entropy and the value is
> read from /chosen/rng-seed in DT.
> 
> Obtain of_fdt_crc32 for CRC check after early_init_dt_scan_nodes(),
> since early_init_dt_scan_chosen() would modify fdt to erase rng-seed.
> 
> Add a new interface add_bootloader_randomness() for rng-seed use case.
> Depends on whether the seed is trustworthy, rng seed would be passed to
> add_hwgenerator_randomness(). Otherwise it would be passed to
> add_device_randomness(). Decision is controlled by kernel config
> RANDOM_TRUST_BOOTLOADER.
> 
> Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
> Reviewed-by: Stephen Boyd <swboyd@chromium.org>
> Reviewed-by: Rob Herring <robh@kernel.org>

For the changes to drivers/char/random.c:

Reviewed-by: Theodore Ts'o <tytso@mit.edu>

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Theodore Y. Ts'o]

On Thu, Aug 22, 2019 at 03:15:22PM +0800, Hsin-Yi Wang wrote:
> Introducing a chosen node, rng-seed, which is an entropy that can be
> passed to kernel called very early to increase initial device
> randomness. Bootloader should provide this entropy and the value is
> read from /chosen/rng-seed in DT.
> 
> Obtain of_fdt_crc32 for CRC check after early_init_dt_scan_nodes(),
> since early_init_dt_scan_chosen() would modify fdt to erase rng-seed.
> 
> Add a new interface add_bootloader_randomness() for rng-seed use case.
> Depends on whether the seed is trustworthy, rng seed would be passed to
> add_hwgenerator_randomness(). Otherwise it would be passed to
> add_device_randomness(). Decision is controlled by kernel config
> RANDOM_TRUST_BOOTLOADER.
> 
> Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
> Reviewed-by: Stephen Boyd <swboyd@chromium.org>
> Reviewed-by: Rob Herring <robh@kernel.org>

For the changes to drivers/char/random.c:

Reviewed-by: Theodore Ts'o <tytso@mit.edu>

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Stephen Boyd]

Quoting Hsin-Yi Wang (2019-08-22 00:15:22)
> Introducing a chosen node, rng-seed, which is an entropy that can be
> passed to kernel called very early to increase initial device
> randomness. Bootloader should provide this entropy and the value is
> read from /chosen/rng-seed in DT.
> 
> Obtain of_fdt_crc32 for CRC check after early_init_dt_scan_nodes(),
> since early_init_dt_scan_chosen() would modify fdt to erase rng-seed.
> 
> Add a new interface add_bootloader_randomness() for rng-seed use case.
> Depends on whether the seed is trustworthy, rng seed would be passed to
> add_hwgenerator_randomness(). Otherwise it would be passed to
> add_device_randomness(). Decision is controlled by kernel config
> RANDOM_TRUST_BOOTLOADER.
> 
> Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
> Reviewed-by: Stephen Boyd <swboyd@chromium.org>
> Reviewed-by: Rob Herring <robh@kernel.org>
> ---
> Change from v8:
> * Add a new interface add_bootloader_randomness
> * Add a new kernel config
> ---
>  drivers/char/Kconfig   | 10 ++++++++++
>  drivers/char/random.c  | 15 +++++++++++++++
>  drivers/of/fdt.c       | 14 ++++++++++++--
>  include/linux/random.h |  1 +
>  4 files changed, 38 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
> index 96156c729a31..5974a5906fd0 100644
> --- a/drivers/char/Kconfig
> +++ b/drivers/char/Kconfig
> @@ -551,3 +551,13 @@ config RANDOM_TRUST_CPU
>         has not installed a hidden back door to compromise the CPU's
>         random number generation facilities. This can also be configured
>         at boot with "random.trust_cpu=on/off".
> +
> +config RANDOM_TRUST_BOOTLOADER
> +       bool "Trust the bootloader to initialize Linux's CRNG"
> +       default n

You can drop the default.

> +       help
> +       Bootloader could provide rng-seed set in /chosen/rng-seed in DT to help
> +       increase initial device randomness. Assume the entropy provided is
> +       trustworthy, it would be regarded as true hardware RNGs and update the
> +       entropy estimate. Otherwise it would be regarded as device input that
> +       could help mix the entropy pool, but won't be added to actual entropy.

Maybe reword this to something like:

	Some bootloaders can provide entropy to increase the kernel's
	initial device randomness. Say Y here to assume the entropy
	provided by the booloader is trustworthy so it will be added to
	the kernel's entropy pool. Otherwise, say N here so it will be
	regarded as device input that only mixes the entropy pool.

> \ No newline at end of file
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index 5d5ea4ce1442..29d3ff3de1e1 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -2445,3 +2445,18 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
>         credit_entropy_bits(poolp, entropy);
>  }
>  EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
> +
> +/* Handle random seed passed by bootloader.
> + * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
> + * it would be regarded as device data.
> + * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
> + */
> +void add_bootloader_randomness(const void *buf, unsigned int size)
> +{
> +#ifdef CONFIG_RANDOM_TRUST_BOOTLOADER
> +       add_hwgenerator_randomness(buf, size, size * 8);
> +#else
> +       add_device_randomness(buf, size);
> +#endif

Maybe use

	if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER))
		add_hwgenerator_randomness(buf, size, size * 8);
	else
		add_device_randomness(buf, size);
	
> +}
> +EXPORT_SYMBOL_GPL(add_bootloader_randomness);
> \ No newline at end of file

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Stephen Boyd]

Quoting Hsin-Yi Wang (2019-08-22 00:15:22)
> Introducing a chosen node, rng-seed, which is an entropy that can be
> passed to kernel called very early to increase initial device
> randomness. Bootloader should provide this entropy and the value is
> read from /chosen/rng-seed in DT.
> 
> Obtain of_fdt_crc32 for CRC check after early_init_dt_scan_nodes(),
> since early_init_dt_scan_chosen() would modify fdt to erase rng-seed.
> 
> Add a new interface add_bootloader_randomness() for rng-seed use case.
> Depends on whether the seed is trustworthy, rng seed would be passed to
> add_hwgenerator_randomness(). Otherwise it would be passed to
> add_device_randomness(). Decision is controlled by kernel config
> RANDOM_TRUST_BOOTLOADER.
> 
> Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
> Reviewed-by: Stephen Boyd <swboyd@chromium.org>
> Reviewed-by: Rob Herring <robh@kernel.org>
> ---
> Change from v8:
> * Add a new interface add_bootloader_randomness
> * Add a new kernel config
> ---
>  drivers/char/Kconfig   | 10 ++++++++++
>  drivers/char/random.c  | 15 +++++++++++++++
>  drivers/of/fdt.c       | 14 ++++++++++++--
>  include/linux/random.h |  1 +
>  4 files changed, 38 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
> index 96156c729a31..5974a5906fd0 100644
> --- a/drivers/char/Kconfig
> +++ b/drivers/char/Kconfig
> @@ -551,3 +551,13 @@ config RANDOM_TRUST_CPU
>         has not installed a hidden back door to compromise the CPU's
>         random number generation facilities. This can also be configured
>         at boot with "random.trust_cpu=on/off".
> +
> +config RANDOM_TRUST_BOOTLOADER
> +       bool "Trust the bootloader to initialize Linux's CRNG"
> +       default n

You can drop the default.

> +       help
> +       Bootloader could provide rng-seed set in /chosen/rng-seed in DT to help
> +       increase initial device randomness. Assume the entropy provided is
> +       trustworthy, it would be regarded as true hardware RNGs and update the
> +       entropy estimate. Otherwise it would be regarded as device input that
> +       could help mix the entropy pool, but won't be added to actual entropy.

Maybe reword this to something like:

	Some bootloaders can provide entropy to increase the kernel's
	initial device randomness. Say Y here to assume the entropy
	provided by the booloader is trustworthy so it will be added to
	the kernel's entropy pool. Otherwise, say N here so it will be
	regarded as device input that only mixes the entropy pool.

> \ No newline at end of file
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index 5d5ea4ce1442..29d3ff3de1e1 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -2445,3 +2445,18 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
>         credit_entropy_bits(poolp, entropy);
>  }
>  EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
> +
> +/* Handle random seed passed by bootloader.
> + * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
> + * it would be regarded as device data.
> + * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
> + */
> +void add_bootloader_randomness(const void *buf, unsigned int size)
> +{
> +#ifdef CONFIG_RANDOM_TRUST_BOOTLOADER
> +       add_hwgenerator_randomness(buf, size, size * 8);
> +#else
> +       add_device_randomness(buf, size);
> +#endif

Maybe use

	if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER))
		add_hwgenerator_randomness(buf, size, size * 8);
	else
		add_device_randomness(buf, size);
	
> +}
> +EXPORT_SYMBOL_GPL(add_bootloader_randomness);
> \ No newline at end of file

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Kees Cook]

On Thu, Aug 22, 2019 at 10:39:51AM -0700, Stephen Boyd wrote:
> Quoting Hsin-Yi Wang (2019-08-22 00:15:22)
> > Introducing a chosen node, rng-seed, which is an entropy that can be
> > passed to kernel called very early to increase initial device
> > randomness. Bootloader should provide this entropy and the value is
> > read from /chosen/rng-seed in DT.
> > 
> > Obtain of_fdt_crc32 for CRC check after early_init_dt_scan_nodes(),
> > since early_init_dt_scan_chosen() would modify fdt to erase rng-seed.
> > 
> > Add a new interface add_bootloader_randomness() for rng-seed use case.
> > Depends on whether the seed is trustworthy, rng seed would be passed to
> > add_hwgenerator_randomness(). Otherwise it would be passed to
> > add_device_randomness(). Decision is controlled by kernel config
> > RANDOM_TRUST_BOOTLOADER.
> > 
> > Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
> > Reviewed-by: Stephen Boyd <swboyd@chromium.org>
> > Reviewed-by: Rob Herring <robh@kernel.org>
> > ---
> > Change from v8:
> > * Add a new interface add_bootloader_randomness
> > * Add a new kernel config
> > ---
> >  drivers/char/Kconfig   | 10 ++++++++++
> >  drivers/char/random.c  | 15 +++++++++++++++
> >  drivers/of/fdt.c       | 14 ++++++++++++--
> >  include/linux/random.h |  1 +
> >  4 files changed, 38 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
> > index 96156c729a31..5974a5906fd0 100644
> > --- a/drivers/char/Kconfig
> > +++ b/drivers/char/Kconfig
> > @@ -551,3 +551,13 @@ config RANDOM_TRUST_CPU
> >         has not installed a hidden back door to compromise the CPU's
> >         random number generation facilities. This can also be configured
> >         at boot with "random.trust_cpu=on/off".
> > +
> > +config RANDOM_TRUST_BOOTLOADER
> > +       bool "Trust the bootloader to initialize Linux's CRNG"
> > +       default n
> 
> You can drop the default.
> 
> > +       help
> > +       Bootloader could provide rng-seed set in /chosen/rng-seed in DT to help
> > +       increase initial device randomness. Assume the entropy provided is
> > +       trustworthy, it would be regarded as true hardware RNGs and update the
> > +       entropy estimate. Otherwise it would be regarded as device input that
> > +       could help mix the entropy pool, but won't be added to actual entropy.
> 
> Maybe reword this to something like:
> 
> 	Some bootloaders can provide entropy to increase the kernel's
> 	initial device randomness. Say Y here to assume the entropy
> 	provided by the booloader is trustworthy so it will be added to
> 	the kernel's entropy pool. Otherwise, say N here so it will be
> 	regarded as device input that only mixes the entropy pool.
> 
> > \ No newline at end of file
> > diff --git a/drivers/char/random.c b/drivers/char/random.c
> > index 5d5ea4ce1442..29d3ff3de1e1 100644
> > --- a/drivers/char/random.c
> > +++ b/drivers/char/random.c
> > @@ -2445,3 +2445,18 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
> >         credit_entropy_bits(poolp, entropy);
> >  }
> >  EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
> > +
> > +/* Handle random seed passed by bootloader.
> > + * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
> > + * it would be regarded as device data.
> > + * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
> > + */
> > +void add_bootloader_randomness(const void *buf, unsigned int size)
> > +{
> > +#ifdef CONFIG_RANDOM_TRUST_BOOTLOADER

Can this please be a boot param (with the default controlled by the
CONFIG)? See how CONFIG_RANDOM_TRUST_CPU is wired up...

-Kees

> > +       add_hwgenerator_randomness(buf, size, size * 8);
> > +#else
> > +       add_device_randomness(buf, size);
> > +#endif
> 
> Maybe use
> 
> 	if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER))
> 		add_hwgenerator_randomness(buf, size, size * 8);
> 	else
> 		add_device_randomness(buf, size);
> 	
> > +}
> > +EXPORT_SYMBOL_GPL(add_bootloader_randomness);
> > \ No newline at end of file

-- 
Kees Cook

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Kees Cook]

On Thu, Aug 22, 2019 at 10:39:51AM -0700, Stephen Boyd wrote:
> Quoting Hsin-Yi Wang (2019-08-22 00:15:22)
> > Introducing a chosen node, rng-seed, which is an entropy that can be
> > passed to kernel called very early to increase initial device
> > randomness. Bootloader should provide this entropy and the value is
> > read from /chosen/rng-seed in DT.
> > 
> > Obtain of_fdt_crc32 for CRC check after early_init_dt_scan_nodes(),
> > since early_init_dt_scan_chosen() would modify fdt to erase rng-seed.
> > 
> > Add a new interface add_bootloader_randomness() for rng-seed use case.
> > Depends on whether the seed is trustworthy, rng seed would be passed to
> > add_hwgenerator_randomness(). Otherwise it would be passed to
> > add_device_randomness(). Decision is controlled by kernel config
> > RANDOM_TRUST_BOOTLOADER.
> > 
> > Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
> > Reviewed-by: Stephen Boyd <swboyd@chromium.org>
> > Reviewed-by: Rob Herring <robh@kernel.org>
> > ---
> > Change from v8:
> > * Add a new interface add_bootloader_randomness
> > * Add a new kernel config
> > ---
> >  drivers/char/Kconfig   | 10 ++++++++++
> >  drivers/char/random.c  | 15 +++++++++++++++
> >  drivers/of/fdt.c       | 14 ++++++++++++--
> >  include/linux/random.h |  1 +
> >  4 files changed, 38 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
> > index 96156c729a31..5974a5906fd0 100644
> > --- a/drivers/char/Kconfig
> > +++ b/drivers/char/Kconfig
> > @@ -551,3 +551,13 @@ config RANDOM_TRUST_CPU
> >         has not installed a hidden back door to compromise the CPU's
> >         random number generation facilities. This can also be configured
> >         at boot with "random.trust_cpu=on/off".
> > +
> > +config RANDOM_TRUST_BOOTLOADER
> > +       bool "Trust the bootloader to initialize Linux's CRNG"
> > +       default n
> 
> You can drop the default.
> 
> > +       help
> > +       Bootloader could provide rng-seed set in /chosen/rng-seed in DT to help
> > +       increase initial device randomness. Assume the entropy provided is
> > +       trustworthy, it would be regarded as true hardware RNGs and update the
> > +       entropy estimate. Otherwise it would be regarded as device input that
> > +       could help mix the entropy pool, but won't be added to actual entropy.
> 
> Maybe reword this to something like:
> 
> 	Some bootloaders can provide entropy to increase the kernel's
> 	initial device randomness. Say Y here to assume the entropy
> 	provided by the booloader is trustworthy so it will be added to
> 	the kernel's entropy pool. Otherwise, say N here so it will be
> 	regarded as device input that only mixes the entropy pool.
> 
> > \ No newline at end of file
> > diff --git a/drivers/char/random.c b/drivers/char/random.c
> > index 5d5ea4ce1442..29d3ff3de1e1 100644
> > --- a/drivers/char/random.c
> > +++ b/drivers/char/random.c
> > @@ -2445,3 +2445,18 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
> >         credit_entropy_bits(poolp, entropy);
> >  }
> >  EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
> > +
> > +/* Handle random seed passed by bootloader.
> > + * If the seed is trustworthy, it would be regarded as hardware RNGs. Otherwise
> > + * it would be regarded as device data.
> > + * The decision is controlled by CONFIG_RANDOM_TRUST_BOOTLOADER.
> > + */
> > +void add_bootloader_randomness(const void *buf, unsigned int size)
> > +{
> > +#ifdef CONFIG_RANDOM_TRUST_BOOTLOADER

Can this please be a boot param (with the default controlled by the
CONFIG)? See how CONFIG_RANDOM_TRUST_CPU is wired up...

-Kees

> > +       add_hwgenerator_randomness(buf, size, size * 8);
> > +#else
> > +       add_device_randomness(buf, size);
> > +#endif
> 
> Maybe use
> 
> 	if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER))
> 		add_hwgenerator_randomness(buf, size, size * 8);
> 	else
> 		add_device_randomness(buf, size);
> 	
> > +}
> > +EXPORT_SYMBOL_GPL(add_bootloader_randomness);
> > \ No newline at end of file

-- 
Kees Cook

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Hsin-Yi Wang]

On Thu, Aug 29, 2019 at 1:36 AM Kees Cook <keescook@chromium.org> wrote:
>
> Can this please be a boot param (with the default controlled by the
> CONFIG)? See how CONFIG_RANDOM_TRUST_CPU is wired up...
>
> -Kees
>

Currently rng-seed read and added in setup_arch() -->
setup_machine_fdt().. -> early_init_dt_scan_chosen(), which is earlier
than parse_early_param() that initializes early_param.

If we want to set it as a boot param, add_bootloader_randomness() can
only be called after parse_early_param(). The seed can't be directly
added to pool after it's read in. We need to store into global
variable and load it later.
If this seems okay then I'll add a patch for this. Thanks

--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -1096,13 +1096,15 @@ static const char *config_cmdline = CONFIG_CMDLINE;

+const void* rng_seed;
+int rng_seed_len;
+
 int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
                                                            int depth,
void *data)
 {
        int l = 0;
        const char *p = NULL;
        char *cmdline = data;
-       const void *rng_seed;

  pr_debug("search \"chosen\", depth: %d, uname: %s\n", depth, uname);

@@ -1137,10 +1139,8 @@ int __init early_init_dt_scan_chosen(unsigned
long node, const char *uname,

         pr_debug("Command line is: %s\n", (char*)data);

-        rng_seed = of_get_flat_dt_prop(node, "rng-seed", &l);
-        if (rng_seed && l > 0) {
-                add_bootloader_randomness(rng_seed, l);  //
Originally it's added to entropy pool here
-
+       rng_seed = of_get_flat_dt_prop(node, "rng-seed", &rng_seed_len);
+       if (rng_seed && rng_seed_len > 0) {
                /* try to clear seed so it won't be found. */

diff --git a/include/linux/random.h b/include/linux/random.h
index 831a002a1882..946840bba7c1 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -31,6 +31,15 @@ static inline void add_latent_entropy(void)
 static inline void add_latent_entropy(void) {}
 #endif

+extern const void* rng_seed;
+extern int rng_seed_len;
+
+static inline void add_bootloader_entropy(void)
+{
+        if (rng_seed && rng_seed_len > 0)
+                add_bootloader_randomness(rng_seed, rng_seed_len);
+}
+
 extern void add_input_randomness(unsigned int type, unsigned int code,
  unsigned int value) __latent_entropy;
 extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy;
diff --git a/init/main.c b/init/main.c
index 71847af32e4e..f74a8c7b34af 100644
--- a/init/main.c
+++ b/init/main.c
@@ -645,6 +645,7 @@ asmlinkage __visible void __init start_kernel(void)
  * - adding command line entropy
  */
  rand_initialize();
+ add_bootloader_entropy();
  add_latent_entropy();
  add_device_randomness(command_line, strlen(command_line));
  boot_init_stack_canary();

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Hsin-Yi Wang]

On Thu, Aug 29, 2019 at 1:36 AM Kees Cook <keescook@chromium.org> wrote:
>
> Can this please be a boot param (with the default controlled by the
> CONFIG)? See how CONFIG_RANDOM_TRUST_CPU is wired up...
>
> -Kees
>

Currently rng-seed read and added in setup_arch() -->
setup_machine_fdt().. -> early_init_dt_scan_chosen(), which is earlier
than parse_early_param() that initializes early_param.

If we want to set it as a boot param, add_bootloader_randomness() can
only be called after parse_early_param(). The seed can't be directly
added to pool after it's read in. We need to store into global
variable and load it later.
If this seems okay then I'll add a patch for this. Thanks

--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -1096,13 +1096,15 @@ static const char *config_cmdline = CONFIG_CMDLINE;

+const void* rng_seed;
+int rng_seed_len;
+
 int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
                                                            int depth,
void *data)
 {
        int l = 0;
        const char *p = NULL;
        char *cmdline = data;
-       const void *rng_seed;

  pr_debug("search \"chosen\", depth: %d, uname: %s\n", depth, uname);

@@ -1137,10 +1139,8 @@ int __init early_init_dt_scan_chosen(unsigned
long node, const char *uname,

         pr_debug("Command line is: %s\n", (char*)data);

-        rng_seed = of_get_flat_dt_prop(node, "rng-seed", &l);
-        if (rng_seed && l > 0) {
-                add_bootloader_randomness(rng_seed, l);  //
Originally it's added to entropy pool here
-
+       rng_seed = of_get_flat_dt_prop(node, "rng-seed", &rng_seed_len);
+       if (rng_seed && rng_seed_len > 0) {
                /* try to clear seed so it won't be found. */

diff --git a/include/linux/random.h b/include/linux/random.h
index 831a002a1882..946840bba7c1 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -31,6 +31,15 @@ static inline void add_latent_entropy(void)
 static inline void add_latent_entropy(void) {}
 #endif

+extern const void* rng_seed;
+extern int rng_seed_len;
+
+static inline void add_bootloader_entropy(void)
+{
+        if (rng_seed && rng_seed_len > 0)
+                add_bootloader_randomness(rng_seed, rng_seed_len);
+}
+
 extern void add_input_randomness(unsigned int type, unsigned int code,
  unsigned int value) __latent_entropy;
 extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy;
diff --git a/init/main.c b/init/main.c
index 71847af32e4e..f74a8c7b34af 100644
--- a/init/main.c
+++ b/init/main.c
@@ -645,6 +645,7 @@ asmlinkage __visible void __init start_kernel(void)
  * - adding command line entropy
  */
  rand_initialize();
+ add_bootloader_entropy();
  add_latent_entropy();
  add_device_randomness(command_line, strlen(command_line));
  boot_init_stack_canary();

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Theodore Y. Ts'o]

On Thu, Aug 29, 2019 at 06:03:57PM +0800, Hsin-Yi Wang wrote:
> On Thu, Aug 29, 2019 at 1:36 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Can this please be a boot param (with the default controlled by the
> > CONFIG)? See how CONFIG_RANDOM_TRUST_CPU is wired up...
> >
>
> Currently rng-seed read and added in setup_arch() -->
> setup_machine_fdt().. -> early_init_dt_scan_chosen(), which is earlier
> than parse_early_param() that initializes early_param.
> 
> If we want to set it as a boot param, add_bootloader_randomness() can
> only be called after parse_early_param(). The seed can't be directly
> added to pool after it's read in. We need to store into global
> variable and load it later.
> If this seems okay then I'll add a patch for this. Thanks

I thought about asking for this, but we really want to do this as
early as possible, so that it can be used by KASLR and other services
that are run super early.  Also, whether or not we can trust the
bootloader is going to be a system-level thing.  This should probably
be defaulted to off, and only enabled by the system integrator if they
are 100%, positively sure, that the entire system is one where we can
trust the source of randomness which the bootloader is using --- or
for that matter, that the bootloader is trustworthy!

Is it really going to be that useful for a random system administrator
to be able to flip this on or off from the command line?  Hopefully
there will be an easy way to configure the firmware or the bootloader
to simply not supply entropy, if for some reason it's not trustworthy.

   	      	     	      	     - Ted

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Theodore Y. Ts'o]

On Thu, Aug 29, 2019 at 06:03:57PM +0800, Hsin-Yi Wang wrote:
> On Thu, Aug 29, 2019 at 1:36 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Can this please be a boot param (with the default controlled by the
> > CONFIG)? See how CONFIG_RANDOM_TRUST_CPU is wired up...
> >
>
> Currently rng-seed read and added in setup_arch() -->
> setup_machine_fdt().. -> early_init_dt_scan_chosen(), which is earlier
> than parse_early_param() that initializes early_param.
> 
> If we want to set it as a boot param, add_bootloader_randomness() can
> only be called after parse_early_param(). The seed can't be directly
> added to pool after it's read in. We need to store into global
> variable and load it later.
> If this seems okay then I'll add a patch for this. Thanks

I thought about asking for this, but we really want to do this as
early as possible, so that it can be used by KASLR and other services
that are run super early.  Also, whether or not we can trust the
bootloader is going to be a system-level thing.  This should probably
be defaulted to off, and only enabled by the system integrator if they
are 100%, positively sure, that the entire system is one where we can
trust the source of randomness which the bootloader is using --- or
for that matter, that the bootloader is trustworthy!

Is it really going to be that useful for a random system administrator
to be able to flip this on or off from the command line?  Hopefully
there will be an easy way to configure the firmware or the bootloader
to simply not supply entropy, if for some reason it's not trustworthy.

   	      	     	      	     - Ted

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Kees Cook]

On Thu, Aug 29, 2019 at 06:03:57PM +0800, Hsin-Yi Wang wrote:
> On Thu, Aug 29, 2019 at 1:36 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Can this please be a boot param (with the default controlled by the
> > CONFIG)? See how CONFIG_RANDOM_TRUST_CPU is wired up...
> >
> > -Kees
> >
> 
> Currently rng-seed read and added in setup_arch() -->
> setup_machine_fdt().. -> early_init_dt_scan_chosen(), which is earlier
> than parse_early_param() that initializes early_param.
> 
> If we want to set it as a boot param, add_bootloader_randomness() can
> only be called after parse_early_param(). The seed can't be directly
> added to pool after it's read in. We need to store into global
> variable and load it later.
> If this seems okay then I'll add a patch for this. Thanks

This seems like a good idea to me.

> 
> --- a/drivers/of/fdt.c
> +++ b/drivers/of/fdt.c
> @@ -1096,13 +1096,15 @@ static const char *config_cmdline = CONFIG_CMDLINE;
> 
> +const void* rng_seed;
> +int rng_seed_len;

These should be __initdata, yes?

> +
>  int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
>                                                             int depth,
> void *data)
>  {
>         int l = 0;
>         const char *p = NULL;
>         char *cmdline = data;
> -       const void *rng_seed;
> 
>   pr_debug("search \"chosen\", depth: %d, uname: %s\n", depth, uname);
> 
> @@ -1137,10 +1139,8 @@ int __init early_init_dt_scan_chosen(unsigned
> long node, const char *uname,
> 
>          pr_debug("Command line is: %s\n", (char*)data);
> 
> -        rng_seed = of_get_flat_dt_prop(node, "rng-seed", &l);
> -        if (rng_seed && l > 0) {
> -                add_bootloader_randomness(rng_seed, l);  //
> Originally it's added to entropy pool here
> -
> +       rng_seed = of_get_flat_dt_prop(node, "rng-seed", &rng_seed_len);
> +       if (rng_seed && rng_seed_len > 0) {
>                 /* try to clear seed so it won't be found. */
> 
> diff --git a/include/linux/random.h b/include/linux/random.h
> index 831a002a1882..946840bba7c1 100644
> --- a/include/linux/random.h
> +++ b/include/linux/random.h
> @@ -31,6 +31,15 @@ static inline void add_latent_entropy(void)
>  static inline void add_latent_entropy(void) {}
>  #endif
> 
> +extern const void* rng_seed;
> +extern int rng_seed_len;
> +
> +static inline void add_bootloader_entropy(void)
> +{
> +        if (rng_seed && rng_seed_len > 0)
> +                add_bootloader_randomness(rng_seed, rng_seed_len);
> +}

And this should be __init

> +
>  extern void add_input_randomness(unsigned int type, unsigned int code,
>   unsigned int value) __latent_entropy;
>  extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy;
> diff --git a/init/main.c b/init/main.c
> index 71847af32e4e..f74a8c7b34af 100644
> --- a/init/main.c
> +++ b/init/main.c
> @@ -645,6 +645,7 @@ asmlinkage __visible void __init start_kernel(void)
>   * - adding command line entropy
>   */
>   rand_initialize();
> + add_bootloader_entropy();
>   add_latent_entropy();
>   add_device_randomness(command_line, strlen(command_line));
>   boot_init_stack_canary();

But yeah, looks reasonable to me.

-- 
Kees Cook

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Kees Cook]

On Thu, Aug 29, 2019 at 06:03:57PM +0800, Hsin-Yi Wang wrote:
> On Thu, Aug 29, 2019 at 1:36 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Can this please be a boot param (with the default controlled by the
> > CONFIG)? See how CONFIG_RANDOM_TRUST_CPU is wired up...
> >
> > -Kees
> >
> 
> Currently rng-seed read and added in setup_arch() -->
> setup_machine_fdt().. -> early_init_dt_scan_chosen(), which is earlier
> than parse_early_param() that initializes early_param.
> 
> If we want to set it as a boot param, add_bootloader_randomness() can
> only be called after parse_early_param(). The seed can't be directly
> added to pool after it's read in. We need to store into global
> variable and load it later.
> If this seems okay then I'll add a patch for this. Thanks

This seems like a good idea to me.

> 
> --- a/drivers/of/fdt.c
> +++ b/drivers/of/fdt.c
> @@ -1096,13 +1096,15 @@ static const char *config_cmdline = CONFIG_CMDLINE;
> 
> +const void* rng_seed;
> +int rng_seed_len;

These should be __initdata, yes?

> +
>  int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
>                                                             int depth,
> void *data)
>  {
>         int l = 0;
>         const char *p = NULL;
>         char *cmdline = data;
> -       const void *rng_seed;
> 
>   pr_debug("search \"chosen\", depth: %d, uname: %s\n", depth, uname);
> 
> @@ -1137,10 +1139,8 @@ int __init early_init_dt_scan_chosen(unsigned
> long node, const char *uname,
> 
>          pr_debug("Command line is: %s\n", (char*)data);
> 
> -        rng_seed = of_get_flat_dt_prop(node, "rng-seed", &l);
> -        if (rng_seed && l > 0) {
> -                add_bootloader_randomness(rng_seed, l);  //
> Originally it's added to entropy pool here
> -
> +       rng_seed = of_get_flat_dt_prop(node, "rng-seed", &rng_seed_len);
> +       if (rng_seed && rng_seed_len > 0) {
>                 /* try to clear seed so it won't be found. */
> 
> diff --git a/include/linux/random.h b/include/linux/random.h
> index 831a002a1882..946840bba7c1 100644
> --- a/include/linux/random.h
> +++ b/include/linux/random.h
> @@ -31,6 +31,15 @@ static inline void add_latent_entropy(void)
>  static inline void add_latent_entropy(void) {}
>  #endif
> 
> +extern const void* rng_seed;
> +extern int rng_seed_len;
> +
> +static inline void add_bootloader_entropy(void)
> +{
> +        if (rng_seed && rng_seed_len > 0)
> +                add_bootloader_randomness(rng_seed, rng_seed_len);
> +}

And this should be __init

> +
>  extern void add_input_randomness(unsigned int type, unsigned int code,
>   unsigned int value) __latent_entropy;
>  extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy;
> diff --git a/init/main.c b/init/main.c
> index 71847af32e4e..f74a8c7b34af 100644
> --- a/init/main.c
> +++ b/init/main.c
> @@ -645,6 +645,7 @@ asmlinkage __visible void __init start_kernel(void)
>   * - adding command line entropy
>   */
>   rand_initialize();
> + add_bootloader_entropy();
>   add_latent_entropy();
>   add_device_randomness(command_line, strlen(command_line));
>   boot_init_stack_canary();

But yeah, looks reasonable to me.

-- 
Kees Cook

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v9 2/3] fdt: add support for rng-seed

[Kees Cook]

On Thu, Aug 29, 2019 at 11:45:05AM -0400, Theodore Y. Ts'o wrote:
> I thought about asking for this, but we really want to do this as
> early as possible, so that it can be used by KASLR and other services

KASLR entropy is sent via a separate DT entry, since it's needed before
the kernel is even running.

> that are run super early.  Also, whether or not we can trust the

Are there things using the kernel RNG before the stack canary is set up?
I tried to move all of that code as early as possible already.

> bootloader is going to be a system-level thing.  This should probably
> be defaulted to off, and only enabled by the system integrator if they
> are 100%, positively sure, that the entire system is one where we can
> trust the source of randomness which the bootloader is using --- or
> for that matter, that the bootloader is trustworthy!
> 
> Is it really going to be that useful for a random system administrator
> to be able to flip this on or off from the command line?  Hopefully
> there will be an easy way to configure the firmware or the bootloader
> to simply not supply entropy, if for some reason it's not trustworthy.

You have a point about bootloader vs system design. I'm cautiously
convinced we don't need a boot param, but if we CAN put all the entropy
collection in a single place, that'd be nice.

-- 
Kees Cook

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel