From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 918B8C433EF for ; Wed, 29 Dec 2021 21:14:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231288AbhL2VOA (ORCPT ); Wed, 29 Dec 2021 16:14:00 -0500 Received: from isilmar-4.linta.de ([136.243.71.142]:33350 "EHLO isilmar-4.linta.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231749AbhL2VNw (ORCPT ); Wed, 29 Dec 2021 16:13:52 -0500 X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES Received: from owl.dominikbrodowski.net (owl.brodo.linta [10.2.0.111]) by isilmar-4.linta.de (Postfix) with ESMTPSA id 90B5E201373; Wed, 29 Dec 2021 21:13:48 +0000 (UTC) Received: by owl.dominikbrodowski.net (Postfix, from userid 1000) id 5E8B980F57; Wed, 29 Dec 2021 22:10:18 +0100 (CET) From: Dominik Brodowski To: "Jason A . Donenfeld" Cc: linux-kernel@vger.kernel.org, Theodore Ts'o , "Ivan T . Ivanov" , Ard Biesheuvel , linux-efi@vger.kernel.org, linux@dominikbrodowski.net Subject: [PATCH v8 4/7] random: mix bootloader randomness into pool Date: Wed, 29 Dec 2021 22:10:06 +0100 Message-Id: <20211229211009.108091-4-linux@dominikbrodowski.net> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20211229211009.108091-1-linux@dominikbrodowski.net> References: <20211228153826.448805-1-Jason@zx2c4.com> <20211229211009.108091-1-linux@dominikbrodowski.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: "Jason A. Donenfeld" If we're trusting bootloader randomness, crng_fast_load() is called by add_hwgenerator_randomness(), which sets us to crng_init==1. However, usually it is only called once for an initial 64-byte push, so bootloader entropy will not mix any bytes into the input pool. So it's conceivable that crng_init==1 when crng_initialize_primary() is called later, but then the input pool is empty. When that happens, the crng state key will be overwritten with extracted output from the empty input pool. That's bad. In contrast, if we're not trusting bootloader randomness, we call crng_slow_load() *and* we call mix_pool_bytes(), so that later crng_initialize_primary() isn't drawing on nothing. In order to prevent crng_initialize_primary() from extracting an empty pool, have the trusted bootloader case mirror that of the untrusted bootloader case, mixing the input into the pool. Signed-off-by: Jason A. Donenfeld [linux@dominikbrodowski.net: rewrite commit message] Signed-off-by: Dominik Brodowski --- drivers/char/random.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/char/random.c b/drivers/char/random.c index 21166188b7e1..9d4e1907e4b1 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -2298,6 +2298,7 @@ void add_hwgenerator_randomness(const char *buffer, size_t count, if (unlikely(crng_init == 0)) { size_t ret = crng_fast_load(buffer, count); + mix_pool_bytes(poolp, buffer, ret); count -= ret; buffer += ret; if (!count || crng_init == 0) -- 2.34.1