From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg KH <gregkh@linuxfoundation.org>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, "H. Peter Anvin" <hpa@linux.intel.com>,
Ingo Molnar <mingo@kernel.org>,
DJ Johnston <dj.johnston@intel.com>, Theodore Tso <tytso@mit.edu>
Subject: [ 34/44] random: mix in architectural randomness in extract_buf()
Date: Mon, 13 Aug 2012 15:02:41 -0700 [thread overview]
Message-ID: <20120813220145.158521608@linuxfoundation.org> (raw)
In-Reply-To: <20120813220142.113186818@linuxfoundation.org>
From: Greg KH <gregkh@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: "H. Peter Anvin" <hpa@linux.intel.com>
commit d2e7c96af1e54b507ae2a6a7dd2baf588417a7e5 upstream.
Mix in any architectural randomness in extract_buf() instead of
xfer_secondary_buf(). This allows us to mix in more architectural
randomness, and it also makes xfer_secondary_buf() faster, moving a
tiny bit of additional CPU overhead to process which is extracting the
randomness.
[ Commit description modified by tytso to remove an extended
advertisement for the RDRAND instruction. ]
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Cc: DJ Johnston <dj.johnston@intel.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/random.c | 56 ++++++++++++++++++++++++++++----------------------
1 file changed, 32 insertions(+), 24 deletions(-)
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -277,6 +277,8 @@
#define SEC_XFER_SIZE 512
#define EXTRACT_SIZE 10
+#define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long))
+
/*
* The minimum number of bits of entropy before we wake up a read on
* /dev/random. Should be enough to do a significant reseed.
@@ -813,11 +815,7 @@ static ssize_t extract_entropy(struct en
*/
static void xfer_secondary_pool(struct entropy_store *r, size_t nbytes)
{
- union {
- __u32 tmp[OUTPUT_POOL_WORDS];
- long hwrand[4];
- } u;
- int i;
+ __u32 tmp[OUTPUT_POOL_WORDS];
if (r->pull && r->entropy_count < nbytes * 8 &&
r->entropy_count < r->poolinfo->POOLBITS) {
@@ -828,23 +826,17 @@ static void xfer_secondary_pool(struct e
/* pull at least as many as BYTES as wakeup BITS */
bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
/* but never more than the buffer size */
- bytes = min_t(int, bytes, sizeof(u.tmp));
+ bytes = min_t(int, bytes, sizeof(tmp));
DEBUG_ENT("going to reseed %s with %d bits "
"(%d of %d requested)\n",
r->name, bytes * 8, nbytes * 8, r->entropy_count);
- bytes = extract_entropy(r->pull, u.tmp, bytes,
+ bytes = extract_entropy(r->pull, tmp, bytes,
random_read_wakeup_thresh / 8, rsvd);
- mix_pool_bytes(r, u.tmp, bytes, NULL);
+ mix_pool_bytes(r, tmp, bytes, NULL);
credit_entropy_bits(r, bytes*8);
}
- kmemcheck_mark_initialized(&u.hwrand, sizeof(u.hwrand));
- for (i = 0; i < 4; i++)
- if (arch_get_random_long(&u.hwrand[i]))
- break;
- if (i)
- mix_pool_bytes(r, &u.hwrand, sizeof(u.hwrand), 0);
}
/*
@@ -901,15 +893,19 @@ static size_t account(struct entropy_sto
static void extract_buf(struct entropy_store *r, __u8 *out)
{
int i;
- __u32 hash[5], workspace[SHA_WORKSPACE_WORDS];
+ union {
+ __u32 w[5];
+ unsigned long l[LONGS(EXTRACT_SIZE)];
+ } hash;
+ __u32 workspace[SHA_WORKSPACE_WORDS];
__u8 extract[64];
unsigned long flags;
/* Generate a hash across the pool, 16 words (512 bits) at a time */
- sha_init(hash);
+ sha_init(hash.w);
spin_lock_irqsave(&r->lock, flags);
for (i = 0; i < r->poolinfo->poolwords; i += 16)
- sha_transform(hash, (__u8 *)(r->pool + i), workspace);
+ sha_transform(hash.w, (__u8 *)(r->pool + i), workspace);
/*
* We mix the hash back into the pool to prevent backtracking
@@ -920,14 +916,14 @@ static void extract_buf(struct entropy_s
* brute-forcing the feedback as hard as brute-forcing the
* hash.
*/
- __mix_pool_bytes(r, hash, sizeof(hash), extract);
+ __mix_pool_bytes(r, hash.w, sizeof(hash.w), extract);
spin_unlock_irqrestore(&r->lock, flags);
/*
* To avoid duplicates, we atomically extract a portion of the
* pool while mixing, and hash one final time.
*/
- sha_transform(hash, extract, workspace);
+ sha_transform(hash.w, extract, workspace);
memset(extract, 0, sizeof(extract));
memset(workspace, 0, sizeof(workspace));
@@ -936,11 +932,23 @@ static void extract_buf(struct entropy_s
* pattern, we fold it in half. Thus, we always feed back
* twice as much data as we output.
*/
- hash[0] ^= hash[3];
- hash[1] ^= hash[4];
- hash[2] ^= rol32(hash[2], 16);
- memcpy(out, hash, EXTRACT_SIZE);
- memset(hash, 0, sizeof(hash));
+ hash.w[0] ^= hash.w[3];
+ hash.w[1] ^= hash.w[4];
+ hash.w[2] ^= rol32(hash.w[2], 16);
+
+ /*
+ * If we have a architectural hardware random number
+ * generator, mix that in, too.
+ */
+ for (i = 0; i < LONGS(EXTRACT_SIZE); i++) {
+ unsigned long v;
+ if (!arch_get_random_long(&v))
+ break;
+ hash.l[i] ^= v;
+ }
+
+ memcpy(out, &hash, EXTRACT_SIZE);
+ memset(&hash, 0, sizeof(hash));
}
static ssize_t extract_entropy(struct entropy_store *r, void *buf,
next prev parent reply other threads:[~2012-08-13 22:05 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-13 22:02 [ 00/44] 3.0.41-stable review Greg Kroah-Hartman
2012-08-13 22:02 ` [ 01/44] [IA64] Redefine ATOMIC_INIT and ATOMIC64_INIT to drop the casts Greg Kroah-Hartman
2012-08-13 22:02 ` [ 02/44] SUNRPC: return negative value in case rpcbind client creation error Greg Kroah-Hartman
2012-08-13 22:02 ` [ 03/44] nilfs2: fix deadlock issue between chcp and thaw ioctls Greg Kroah-Hartman
2012-08-13 22:02 ` [ 04/44] pcdp: use early_ioremap/early_iounmap to access pcdp table Greg Kroah-Hartman
2012-08-13 22:02 ` [ 05/44] mm: fix wrong argument of migrate_huge_pages() in soft_offline_huge_page() Greg Kroah-Hartman
2012-08-13 22:02 ` [ 06/44] ARM: 7467/1: mutex: use generic xchg-based implementation for ARMv6+ Greg Kroah-Hartman
2012-08-15 14:02 ` Ben Hutchings
2012-08-13 22:02 ` [ 07/44] ARM: 7477/1: vfp: Always save VFP state in vfp_pm_suspend on UP Greg Kroah-Hartman
2012-08-14 20:01 ` Herton Ronaldo Krzesinski
2012-08-15 14:05 ` Greg Kroah-Hartman
2012-08-15 14:50 ` Herton Ronaldo Krzesinski
2012-08-13 22:02 ` [ 08/44] ARM: 7478/1: errata: extend workaround for erratum #720789 Greg Kroah-Hartman
2012-08-13 22:02 ` [ 09/44] ARM: 7479/1: mm: avoid NULL dereference when flushing gate_vma with VIVT caches Greg Kroah-Hartman
2012-08-13 22:02 ` [ 10/44] ALSA: hda - remove quirk for Dell Vostro 1015 Greg Kroah-Hartman
2012-08-14 5:17 ` David Henningsson
2012-08-14 5:43 ` Takashi Iwai
2012-08-15 14:03 ` Greg Kroah-Hartman
2012-08-13 22:02 ` [ 11/44] mm: mmu_notifier: fix freed page still mapped in secondary MMU Greg Kroah-Hartman
2012-08-13 22:02 ` [ 12/44] mac80211: cancel mesh path timer Greg Kroah-Hartman
2012-08-13 22:02 ` [ 13/44] x86, nops: Missing break resulting in incorrect selection on Intel Greg Kroah-Hartman
2012-08-13 22:02 ` [ 14/44] random: Add support for architectural random hooks Greg Kroah-Hartman
2012-08-13 22:02 ` [ 15/44] fix typo/thinko in get_random_bytes() Greg Kroah-Hartman
2012-08-13 22:02 ` [ 16/44] random: Use arch_get_random_int instead of cycle counter if avail Greg Kroah-Hartman
2012-08-13 22:02 ` [ 17/44] random: Use arch-specific RNG to initialize the entropy store Greg Kroah-Hartman
2012-08-13 22:02 ` [ 18/44] random: Adjust the number of loops when initializing Greg Kroah-Hartman
2012-08-13 22:02 ` [ 19/44] drivers/char/random.c: fix boot id uniqueness race Greg Kroah-Hartman
2012-08-13 22:02 ` [ 20/44] random: make add_interrupt_randomness() do something sane Greg Kroah-Hartman
2012-08-13 22:02 ` [ 21/44] random: use lockless techniques in the interrupt path Greg Kroah-Hartman
2012-08-13 22:02 ` [ 22/44] random: create add_device_randomness() interface Greg Kroah-Hartman
2012-08-13 22:02 ` [ 23/44] usb: feed USB device information to the /dev/random driver Greg Kroah-Hartman
2012-08-13 22:02 ` [ 24/44] net: feed /dev/random with the MAC address when registering a device Greg Kroah-Hartman
2012-08-13 22:02 ` [ 25/44] random: use the arch-specific rng in xfer_secondary_pool Greg Kroah-Hartman
2012-08-13 22:02 ` [ 26/44] random: add new get_random_bytes_arch() function Greg Kroah-Hartman
2012-08-13 22:02 ` [ 27/44] random: add tracepoints for easier debugging and verification Greg Kroah-Hartman
2012-08-13 22:02 ` [ 28/44] MAINTAINERS: Theodore Tso is taking over the random driver Greg Kroah-Hartman
2012-08-13 22:02 ` [ 29/44] rtc: wm831x: Feed the write counter into device_add_randomness() Greg Kroah-Hartman
2012-08-13 22:02 ` [ 30/44] mfd: wm831x: Feed the device UUID " Greg Kroah-Hartman
2012-08-13 22:02 ` [ 31/44] random: remove rand_initialize_irq() Greg Kroah-Hartman
2012-08-13 22:02 ` [ 32/44] random: Add comment to random_initialize() Greg Kroah-Hartman
2012-08-13 22:02 ` [ 33/44] dmi: Feed DMI table to /dev/random driver Greg Kroah-Hartman
2012-08-13 22:02 ` Greg Kroah-Hartman [this message]
2012-08-13 22:02 ` [ 35/44] x86, microcode: microcode_core.c simple_strtoul cleanup Greg Kroah-Hartman
2012-08-13 22:02 ` [ 36/44] x86, microcode: Sanitize per-cpu microcode reloading interface Greg Kroah-Hartman
2012-08-15 0:26 ` Henrique de Moraes Holschuh
2012-08-15 14:06 ` Greg Kroah-Hartman
2012-08-15 16:30 ` Henrique de Moraes Holschuh
2012-08-15 18:26 ` Greg Kroah-Hartman
2012-08-13 22:02 ` [ 37/44] mm: hugetlbfs: close race during teardown of hugetlbfs shared page tables Greg Kroah-Hartman
2012-08-13 22:02 ` [ 38/44] ARM: mxs: Remove MMAP_MIN_ADDR setting from mxs_defconfig Greg Kroah-Hartman
2012-08-13 22:02 ` [ 39/44] ARM: pxa: remove irq_to_gpio from ezx-pcap driver Greg Kroah-Hartman
2012-08-13 22:02 ` [ 40/44] cfg80211: process pending events when unregistering net device Greg Kroah-Hartman
2012-08-13 22:02 ` [ 41/44] cfg80211: fix interface combinations check for ADHOC(IBSS) Greg Kroah-Hartman
2012-08-13 22:02 ` [ 42/44] e1000e: NIC goes up and immediately goes down Greg Kroah-Hartman
2012-08-13 22:02 ` [ 43/44] Input: wacom - Bamboo One 1024 pressure fix Greg Kroah-Hartman
2012-08-13 22:02 ` [ 44/44] rt61pci: fix NULL pointer dereference in config_lna_gain Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120813220145.158521608@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=dj.johnston@intel.com \
--cc=hpa@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).