Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>
Cc: "Mimi Zohar" <zohar@linux.ibm.com>,
	"James Bottomley" <jejb@linux.ibm.com>,
	"Jarkko Sakkinen" <jarkko@kernel.org>,
	"David Howells" <dhowells@redhat.com>,
	kernel@pengutronix.de, "Sumit Garg" <sumit.garg@linaro.org>,
	"Pankaj Gupta" <pankaj.gupta@nxp.com>,
	"David Gstir" <david@sigma-star.at>,
	"Michael Walle" <michael@walle.cc>,
	"John Ernberg" <john.ernberg@actia.se>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"Horia Geantă" <horia.geanta@nxp.com>,
	"Herbert Xu" <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	"Jan Luebbe" <j.luebbe@pengutronix.de>,
	"Eric Biggers" <ebiggers@kernel.org>,
	"Richard Weinberger" <richard@nod.at>,
	"Franck LENORMAND" <franck.lenormand@nxp.com>,
	"Matthias Schiffer" <matthias.schiffer@ew.tq-group.com>,
	keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	"Theodore Ts'o" <tytso@mit.edu>
Subject: Re: [PATCH v10 2/7] KEYS: trusted: allow use of kernel RNG for key material
Date: Tue, 17 May 2022 19:40:06 +0200	[thread overview]
Message-ID: <YoPd9qbkzT97IuCd@zx2c4.com> (raw)
In-Reply-To: <6da32ccf-1735-c47f-02c3-f7a8c736dbe3@pengutronix.de>

Hi Ahmad,

On Tue, May 17, 2022 at 06:25:08PM +0200, Ahmad Fatoum wrote:
> Hello Mimi,
> 
> [Cc'ing RNG maintainers in case they want to chime in]

Thanks for adding me to this thread.

> On 17.05.22 17:52, Mimi Zohar wrote:
> > On Fri, 2022-05-13 at 16:57 +0200, Ahmad Fatoum wrote:
> >>  static int __init init_trusted(void)
> >>  {
> >> +       int (*get_random)(unsigned char *key, size_t key_len);
> >>         int i, ret = 0;
> >>  
> >>         for (i = 0; i < ARRAY_SIZE(trusted_key_sources); i++) {
> >> @@ -322,6 +333,28 @@ static int __init init_trusted(void)
> >>                             strlen(trusted_key_sources[i].name)))
> >>                         continue;
> >>  
> >> +               /*
> >> +                * We always support trusted.rng="kernel" and "default" as
> >> +                * well as trusted.rng=$trusted.source if the trust source
> >> +                * defines its own get_random callback.
> >> +                */
> >  
> > While TEE trusted keys support was upstreamed, there was a lot of
> > discussion about using kernel RNG.  One of the concerns was lack of or
> > insuffiencent entropy during early boot on embedded devices.  This
> > concern needs to be clearly documented in both Documentation/admin-
> > guide/kernel-parameters.txt and Documentation/security/keys/trusted-
> > encrypted.rst.
> 
> If a user decides to use kernel RNG for trusted keys, wait_for_random_bytes()
> called first thing in the used get_random_bytes_wait() will (quoting
> documentation) "wait for the input pool to be seeded and thus [is] guaranteed
> to supply cryptographically secure random numbers."
> 
> Does this address your concerns about Kernel RNG use?

Indeed if get_random_bytes_wait() or wait_for_random_bytes() is called,
then the RNG will just block until it's accumulated 256 bits of
estimated entropy. The RNG will also make use of whatever hwrng or
cpu rng capabilities are available, and mix those in to augment its own
output.

Jason