Re: [PATCH v9 2/3] fdt: add support for rng-seed

From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: Hsin-Yi Wang <hsinyi@chromium.org>
Cc: Kate Stewart <kstewart@linuxfoundation.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Mukesh Ojha <mojha@codeaurora.org>,
	Grzegorz Halat <ghalat@redhat.com>,
	"H . Peter Anvin" <hpa@zytor.com>,
	Guenter Roeck <groeck@chromium.org>,
	Will Deacon <will@kernel.org>,
	Marek Szyprowski <m.szyprowski@samsung.com>,
	Rob Herring <robh@kernel.org>,
	Daniel Thompson <daniel.thompson@linaro.org>,
	Anders Roxell <anders.roxell@linaro.org>,
	Yury Norov <ynorov@marvell.com>, Marc Zyngier <maz@kernel.org>,
	Russell King <linux@armlinux.org.uk>,
	Aaro Koskinen <aaro.koskinen@nokia.com>,
	Ingo Molnar <mingo@redhat.com>,
	Viresh Kumar <viresh.kumar@linaro.org>,
	Waiman Long <longman@redhat.com>,
	"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>,
	Wei Li <liwei391@huawei.com>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	Julien Thierry <julien.thierry.kdev@gmail.com>,
	Len Brown <len.brown@intel.com>,
	Kees Cook <keescook@chromium.org>, Arnd Bergmann <arnd@arndb.de>,
	Rik van Riel <riel@surriel.com>,
	Stephen Boyd <swboyd@chromium.org>,
	Shaokun Zhang <zhangshaokun@hisilicon.com>,
	Mike Rapoport <rppt@linux.vnet.ibm.com>,
	Borislav Petkov <bp@alien8.de>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	"moderated list:ARM/FREESCALE IMX / MXC ARM ARCHITECTURE"
	<linux-arm-kernel@lists.infradead.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Marcelo Tosatti <mtosatti@redhat.com>,
	lkml <linux-kernel@vger.kernel.org>,
	Armijn Hemel <armijn@tjaldur.nl>, Jiri Kosina <jkosina@suse.cz>,
	Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Tim Chen <tim.c.chen@linux.intel.com>,
	"David S . Miller" <davem@davemloft.net>
Subject: Re: [PATCH v9 2/3] fdt: add support for rng-seed
Date: Thu, 29 Aug 2019 11:45:05 -0400	[thread overview]
Message-ID: <20190829154505.GB10779@mit.edu> (raw)
In-Reply-To: <CAJMQK-iDoPxbFUH3JUeJ7SehCptZOnjKZiUoFd1PqLjDdGHujA@mail.gmail.com>

On Thu, Aug 29, 2019 at 06:03:57PM +0800, Hsin-Yi Wang wrote:
> On Thu, Aug 29, 2019 at 1:36 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > Can this please be a boot param (with the default controlled by the
> > CONFIG)? See how CONFIG_RANDOM_TRUST_CPU is wired up...
> >
>
> Currently rng-seed read and added in setup_arch() -->
> setup_machine_fdt().. -> early_init_dt_scan_chosen(), which is earlier
> than parse_early_param() that initializes early_param.
> 
> If we want to set it as a boot param, add_bootloader_randomness() can
> only be called after parse_early_param(). The seed can't be directly
> added to pool after it's read in. We need to store into global
> variable and load it later.
> If this seems okay then I'll add a patch for this. Thanks

I thought about asking for this, but we really want to do this as
early as possible, so that it can be used by KASLR and other services
that are run super early.  Also, whether or not we can trust the
bootloader is going to be a system-level thing.  This should probably
be defaulted to off, and only enabled by the system integrator if they
are 100%, positively sure, that the entire system is one where we can
trust the source of randomness which the bootloader is using --- or
for that matter, that the bootloader is trustworthy!

Is it really going to be that useful for a random system administrator
to be able to flip this on or off from the command line?  Hopefully
there will be an easy way to configure the firmware or the bootloader
to simply not supply entropy, if for some reason it's not trustworthy.

   	      	     	      	     - Ted

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel