Re: RNDR/SS vs. SMCCC

From: Ard Biesheuvel <ardb@kernel.org>
To: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Andre Przywara <andre.przywara@arm.com>,
	Mark Brown <broonie@kernel.org>,  Will Deacon <will@kernel.org>,
	"Saidi, Ali" <alisaidi@amazon.com>,
	 Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: RNDR/SS vs. SMCCC
Date: Thu, 3 Jun 2021 09:10:17 +0200	[thread overview]
Message-ID: <CAMj1kXHZCzrELRH=G82AxPC76N=x89qx7OFndkcNvn63OXDX6A@mail.gmail.com> (raw)
In-Reply-To: <03af6cf4f263f9de4b7dbcf16e8a1c4962347191.camel@kernel.crashing.org>

On Thu, 3 Jun 2021 at 03:41, Benjamin Herrenschmidt
<benh@kernel.crashing.org> wrote:
>
> On Thu, 2021-06-03 at 01:19 +0100, Andre Przywara wrote:
> >
> > You mean like this?
> > https://gitlab.arm.com/linux-arm/linux-ap/-/commit/87e3722f437f9c3f09397e0e9812e6509c94786a
>
> Yes. We have a similar one in Amazon Linux which I think Ali submitted
> a while back but never went upstream.
>

I think it is fine to have something like this upstream. At the time,
I asked Andre not to include it, in order to keep the discussion
focused on the SMCCC and arch hook bits. This is all sorted now, so I
think it makes sense to upstream this.

> > This is not reviewed nor widely tested, but I used it for assessing the
> > quality of the SMCCC provided numbers on the Juno board using rngtest.
> > I think one problem was that this opens the SMCCC to userland, so the
> > entropy could be depleted from there (again under the assumption that
> > this is really a problem in practice).
>
> IMHO, userland can always adjust permission to /dev/hwrng if it wishes
> to do so...
>

True. However, the way things are currently set up, the hwrng is used
both either internally (if the entropy estimate is high enough) or via
rngd in user space to read from /dev/hwrng and write it back to
/dev/random. This is kind of pointless in this case, although not
harmful per se

> > I would be interested to hear opinions on this.
>
> The issue is with things like FIPS certification (and other such
> horrors) where I believe /dev/random is much harder to deal with since
> it mixes multiple entropy sources.
>

/dev/random is not an entropy source but a random number generator. I
agree with your characterization of FIPS in the general case, but the
/dev/random kludge we have is not pretty either :-)

Note that NIST SP800-90A/B compliance has similar requirements, i.e.,
if user space wants to seed its own DRBG in user space and comply with
these specs, it needs a compliant entropy source as well. However,
health tests on the entropy source are also mandated, and it is not
clear to me how that would fit into the SMCCC + /dev/hwrng
arrangement.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel