linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Janne Karhunen <janne.karhunen@gmail.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: linux-integrity@vger.kernel.org,
	David Safford <david.safford@ge.com>,
	Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>,
	James Bottomley <James.Bottomley@hansenpartnership.com>,
	Peter Huewe <peterhuewe@gmx.de>, Jason Gunthorpe <jgg@ziepe.ca>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	open list <linux-kernel@vger.kernel.org>,
	Mimi Zohar <zohar@linux.ibm.com>
Subject: Re: [PATCH] tpm: Salt tpm_get_random() result with get_random_bytes()
Date: Wed, 16 Oct 2019 10:02:01 +0300	[thread overview]
Message-ID: <CAE=NcraH_6nDe4Ax9axsbsrMf+EggCQFibY3dpNNgGm7NYTtJQ@mail.gmail.com> (raw)
In-Reply-To: <20191015124702.633-1-jarkko.sakkinen@linux.intel.com>

On Tue, Oct 15, 2019 at 3:50 PM Jarkko Sakkinen
<jarkko.sakkinen@linux.intel.com> wrote:
>
> Salt the result that comes from the TPM RNG with random bytes from the
> kernel RNG. This will allow to use tpm_get_random() as a substitute for
> get_random_bytes().  TPM could have a bug (making results predicatable),
> backdoor or even an inteposer in the bus. Salting gives protections
> against these concerns.

The current issue in the randomness from my point of view is that
encrypted filesystems, ima etc in common deployments require high
quality entropy just few seconds after the system has powered on for
the first time. It is likely that people want to keep their keys
device specific, so the keys need to be generated on the first boot
before any of the filesystems mount.

Issue is wider than the tpm alone. Tpm is not generally present in the
mobile (or even embedded-) systems, but the kernel entropy pool is.
Kernel entropy pool on the other hand normally takes ages to
initialize, and it is initialized from a source (interrupt timestamps)
that does not classify as high-quality entropy. Thus, in the default
configurations the first boot cannot proceed as there is no entropy to
generate keys from and the boot cannot be paused or the entropy
collection ends. I have a hunch that to get past this deadlock many
people end up using very, very low quality entropy present at the krng
at that time. Solving this properly should be in everyone's interests.
This is a bad trap.

I'm personally working around this by using multiple entropy sources
to feed the kernel entropy pool directly from the hwrng driver
initialization function(s) before we enter the userspace. Maybe we
could create a KConfig option that forces people to consciously choose
from the trust sources present in the system which ones are to be used
to feed the krng before we enter the userspace. It would be mandatory
to choose one or more sources rather than us silently running them
into a trap. During the boot some sort of message should be displayed
telling the user how the krng actually got initialized. There is lot
of junk happening on the console early on, but this absolutely vital
piece of information is completely hidden - that you have to read from
the source.


--
Janne

  parent reply	other threads:[~2019-10-16  7:02 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-10-15 12:47 [PATCH] tpm: Salt tpm_get_random() result with get_random_bytes() Jarkko Sakkinen
2019-10-15 17:04 ` Jason Gunthorpe
2019-10-16 10:38   ` Jarkko Sakkinen
2019-10-16 10:43     ` Jarkko Sakkinen
2019-10-16 16:09       ` Jason Gunthorpe
2019-10-17 16:21         ` Jarkko Sakkinen
2019-10-16  7:02 ` Janne Karhunen [this message]
2019-10-16 10:41   ` Jarkko Sakkinen
2019-10-16 11:16     ` Janne Karhunen
2019-10-16 16:23       ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAE=NcraH_6nDe4Ax9axsbsrMf+EggCQFibY3dpNNgGm7NYTtJQ@mail.gmail.com' \
    --to=janne.karhunen@gmail.com \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=arnd@arndb.de \
    --cc=david.safford@ge.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=jgg@ziepe.ca \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=peterhuewe@gmx.de \
    --cc=pvanleeuwen@verimatrix.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).