From: "Jason A. Donenfeld" <Jason@zx2c4.com> To: Theodore Ts'o <tytso@mit.edu>, Linux Crypto Mailing List <linux-crypto@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>, kernel-hardening@lists.openwall.com, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, David Miller <davem@davemloft.net>, Eric Biggers <ebiggers3@gmail.com> Cc: "Jason A. Donenfeld" <Jason@zx2c4.com> Subject: [PATCH v4 13/13] random: warn when kernel uses unseeded randomness Date: Tue, 6 Jun 2017 19:48:04 +0200 [thread overview] Message-ID: <20170606174804.31124-14-Jason@zx2c4.com> (raw) In-Reply-To: <20170606174804.31124-1-Jason@zx2c4.com> This enables an important dmesg notification about when drivers have used the crng without it being seeded first. Prior, these errors would occur silently, and so there hasn't been a great way of diagnosing these types of bugs for obscure setups. By adding this as a config option, we can leave it on by default, so that we learn where these issues happen, in the field, will still allowing some people to turn it off, if they really know what they're doing and do not want the log entries. However, we don't leave it _completely_ by default. An earlier version of this patch simply had `default y`. I'd really love that, but it turns out, this problem with unseeded randomness being used is really quite present and is going to take a long time to fix. Thus, as a compromise between log-messages-for-all and nobody-knows, this is `default y`, except it is also `depends on DEBUG_KERNEL`. This will ensure that the curious see the messages while others don't have to. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> --- drivers/char/random.c | 15 +++++++++++++-- lib/Kconfig.debug | 16 ++++++++++++++++ 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 36cdb2406610..33a9ec86d101 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -288,7 +288,6 @@ #define SEC_XFER_SIZE 512 #define EXTRACT_SIZE 10 -#define DEBUG_RANDOM_BOOT 0 #define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long)) @@ -1477,7 +1476,7 @@ void get_random_bytes(void *buf, int nbytes) { __u8 tmp[CHACHA20_BLOCK_SIZE]; -#if DEBUG_RANDOM_BOOT > 0 +#ifdef CONFIG_WARN_UNSEEDED_RANDOM if (!crng_ready()) printk(KERN_NOTICE "random: %pF get_random_bytes called " "with crng_init = %d\n", (void *) _RET_IP_, crng_init); @@ -2071,6 +2070,12 @@ u64 get_random_u64(void) return ret; #endif +#ifdef CONFIG_WARN_UNSEEDED_RANDOM + if (!crng_ready()) + printk(KERN_NOTICE "random: %pF get_random_u64 called " + "with crng_init = %d\n", (void *) _RET_IP_, crng_init); +#endif + batch = &get_cpu_var(batched_entropy_u64); if (use_lock) read_lock_irqsave(&batched_entropy_reset_lock, flags); @@ -2097,6 +2102,12 @@ u32 get_random_u32(void) if (arch_get_random_int(&ret)) return ret; +#ifdef CONFIG_WARN_UNSEEDED_RANDOM + if (!crng_ready()) + printk(KERN_NOTICE "random: %pF get_random_u32 called " + "with crng_init = %d\n", (void *) _RET_IP_, crng_init); +#endif + batch = &get_cpu_var(batched_entropy_u32); if (use_lock) read_lock_irqsave(&batched_entropy_reset_lock, flags); diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index e4587ebe52c7..c4159605bfbf 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -1209,6 +1209,22 @@ config STACKTRACE It is also used by various kernel debugging features that require stack trace generation. +config WARN_UNSEEDED_RANDOM + bool "Warn when kernel uses unseeded randomness" + default y + depends on DEBUG_KERNEL + help + Some parts of the kernel contain bugs relating to their use of + cryptographically secure random numbers before it's actually possible + to generate those numbers securely. This setting ensures that these + flaws don't go unnoticed, by enabling a message, should this ever + occur. This will allow people with obscure setups to know when things + are going wrong, so that they might contact developers about fixing + it. + + Say Y here, unless you simply do not care about using unseeded + randomness and do not want a potential warning message in your logs. + config DEBUG_KOBJECT bool "kobject debugging" depends on DEBUG_KERNEL -- 2.13.0
WARNING: multiple messages have this Message-ID (diff)
From: "Jason A. Donenfeld" <Jason@zx2c4.com> To: Theodore Ts'o <tytso@mit.edu>, Linux Crypto Mailing List <linux-crypto@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>, kernel-hardening@lists.openwall.com, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, David Miller <davem@davemloft.net>, Eric Biggers <ebiggers3@gmail.com> Cc: "Jason A. Donenfeld" <Jason@zx2c4.com> Subject: [kernel-hardening] [PATCH v4 13/13] random: warn when kernel uses unseeded randomness Date: Tue, 6 Jun 2017 19:48:04 +0200 [thread overview] Message-ID: <20170606174804.31124-14-Jason@zx2c4.com> (raw) In-Reply-To: <20170606174804.31124-1-Jason@zx2c4.com> This enables an important dmesg notification about when drivers have used the crng without it being seeded first. Prior, these errors would occur silently, and so there hasn't been a great way of diagnosing these types of bugs for obscure setups. By adding this as a config option, we can leave it on by default, so that we learn where these issues happen, in the field, will still allowing some people to turn it off, if they really know what they're doing and do not want the log entries. However, we don't leave it _completely_ by default. An earlier version of this patch simply had `default y`. I'd really love that, but it turns out, this problem with unseeded randomness being used is really quite present and is going to take a long time to fix. Thus, as a compromise between log-messages-for-all and nobody-knows, this is `default y`, except it is also `depends on DEBUG_KERNEL`. This will ensure that the curious see the messages while others don't have to. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> --- drivers/char/random.c | 15 +++++++++++++-- lib/Kconfig.debug | 16 ++++++++++++++++ 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 36cdb2406610..33a9ec86d101 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -288,7 +288,6 @@ #define SEC_XFER_SIZE 512 #define EXTRACT_SIZE 10 -#define DEBUG_RANDOM_BOOT 0 #define LONGS(x) (((x) + sizeof(unsigned long) - 1)/sizeof(unsigned long)) @@ -1477,7 +1476,7 @@ void get_random_bytes(void *buf, int nbytes) { __u8 tmp[CHACHA20_BLOCK_SIZE]; -#if DEBUG_RANDOM_BOOT > 0 +#ifdef CONFIG_WARN_UNSEEDED_RANDOM if (!crng_ready()) printk(KERN_NOTICE "random: %pF get_random_bytes called " "with crng_init = %d\n", (void *) _RET_IP_, crng_init); @@ -2071,6 +2070,12 @@ u64 get_random_u64(void) return ret; #endif +#ifdef CONFIG_WARN_UNSEEDED_RANDOM + if (!crng_ready()) + printk(KERN_NOTICE "random: %pF get_random_u64 called " + "with crng_init = %d\n", (void *) _RET_IP_, crng_init); +#endif + batch = &get_cpu_var(batched_entropy_u64); if (use_lock) read_lock_irqsave(&batched_entropy_reset_lock, flags); @@ -2097,6 +2102,12 @@ u32 get_random_u32(void) if (arch_get_random_int(&ret)) return ret; +#ifdef CONFIG_WARN_UNSEEDED_RANDOM + if (!crng_ready()) + printk(KERN_NOTICE "random: %pF get_random_u32 called " + "with crng_init = %d\n", (void *) _RET_IP_, crng_init); +#endif + batch = &get_cpu_var(batched_entropy_u32); if (use_lock) read_lock_irqsave(&batched_entropy_reset_lock, flags); diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index e4587ebe52c7..c4159605bfbf 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -1209,6 +1209,22 @@ config STACKTRACE It is also used by various kernel debugging features that require stack trace generation. +config WARN_UNSEEDED_RANDOM + bool "Warn when kernel uses unseeded randomness" + default y + depends on DEBUG_KERNEL + help + Some parts of the kernel contain bugs relating to their use of + cryptographically secure random numbers before it's actually possible + to generate those numbers securely. This setting ensures that these + flaws don't go unnoticed, by enabling a message, should this ever + occur. This will allow people with obscure setups to know when things + are going wrong, so that they might contact developers about fixing + it. + + Say Y here, unless you simply do not care about using unseeded + randomness and do not want a potential warning message in your logs. + config DEBUG_KOBJECT bool "kobject debugging" depends on DEBUG_KERNEL -- 2.13.0
next prev parent reply other threads:[~2017-06-06 17:48 UTC|newest] Thread overview: 109+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-06-06 17:47 [PATCH v4 00/13] Unseeded In-Kernel Randomness Fixes Jason A. Donenfeld 2017-06-06 17:47 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-06 17:47 ` [PATCH v4 01/13] random: invalidate batched entropy after crng init Jason A. Donenfeld 2017-06-06 17:47 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-07 23:58 ` Theodore Ts'o 2017-06-07 23:58 ` [kernel-hardening] " Theodore Ts'o 2017-06-08 0:52 ` Jason A. Donenfeld 2017-06-08 0:52 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-06 17:47 ` [PATCH v4 02/13] random: add synchronous API for the urandom pool Jason A. Donenfeld 2017-06-06 17:47 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 0:00 ` Theodore Ts'o 2017-06-08 0:00 ` [kernel-hardening] " Theodore Ts'o 2017-06-06 17:47 ` [PATCH v4 03/13] random: add get_random_{bytes,u32,u64,int,long,once}_wait family Jason A. Donenfeld 2017-06-06 17:47 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 0:05 ` Theodore Ts'o 2017-06-06 17:47 ` [PATCH v4 04/13] security/keys: ensure RNG is seeded before use Jason A. Donenfeld 2017-06-06 17:47 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 0:31 ` Theodore Ts'o 2017-06-08 0:31 ` [kernel-hardening] " Theodore Ts'o 2017-06-08 0:50 ` Jason A. Donenfeld 2017-06-08 0:50 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 1:03 ` Jason A. Donenfeld 2017-06-08 1:03 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-06 17:47 ` [PATCH v4 05/13] crypto/rng: ensure that the RNG is ready before using Jason A. Donenfeld 2017-06-06 17:47 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 0:41 ` Theodore Ts'o 2017-06-08 0:47 ` Jason A. Donenfeld 2017-06-06 17:47 ` [PATCH v4 06/13] iscsi: ensure RNG is seeded before use Jason A. Donenfeld 2017-06-06 17:47 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 2:43 ` Theodore Ts'o 2017-06-08 2:43 ` [kernel-hardening] " Theodore Ts'o 2017-06-08 12:09 ` Jason A. Donenfeld 2017-06-16 21:58 ` Lee Duncan 2017-06-17 0:41 ` Jason A. Donenfeld 2017-06-17 3:45 ` Lee Duncan 2017-06-17 14:23 ` Jeffrey Walton [not found] ` <CAH8yC8nHX2r9cfQ0gNeJAUrgSfAS8V16dVHv35BRnLn-YprZCg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2017-06-17 18:50 ` [kernel-hardening] " Paul Koning 2017-06-17 18:50 ` Paul Koning 2017-07-05 7:08 ` Antw: Re: [kernel-hardening] " Ulrich Windl 2017-07-05 7:08 ` Ulrich Windl 2017-07-05 7:08 ` Ulrich Windl 2017-07-05 13:16 ` Paul Koning 2017-07-05 13:16 ` Paul Koning 2017-07-05 17:34 ` Antw: " Theodore Ts'o 2017-07-05 17:34 ` Antw: Re: [kernel-hardening] " Theodore Ts'o 2017-07-05 17:34 ` Theodore Ts'o 2017-06-18 8:04 ` Stephan Müller [not found] ` <2639082.PtrrGWOPPL-jJGQKZiSfeo1haGO/jJMPxvVK+yQ3ZXh@public.gmane.org> 2017-06-26 1:23 ` Nicholas A. Bellinger 2017-06-26 1:23 ` Nicholas A. Bellinger [not found] ` <1498440189.26123.85.camel-XoQW25Eq2zviZyQQd+hFbcojREIfoBdhmpATvIKMPHk@public.gmane.org> 2017-06-26 17:38 ` Stephan Müller 2017-06-26 17:38 ` Stephan Müller 2017-06-30 6:02 ` Nicholas A. Bellinger [not found] ` <1678474.GnYBdSlWgs-b2PLbiJbNv8ftSvlWXw0+g@public.gmane.org> 2017-07-05 7:03 ` Antw: " Ulrich Windl 2017-07-05 7:03 ` Ulrich Windl 2017-07-05 7:03 ` Ulrich Windl 2017-07-05 12:35 ` Theodore Ts'o 2017-07-05 12:35 ` Theodore Ts'o 2017-06-06 17:47 ` [PATCH v4 07/13] ceph: ensure RNG is seeded before using Jason A. Donenfeld 2017-06-06 17:47 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 2:45 ` Theodore Ts'o 2017-06-06 17:47 ` [PATCH v4 08/13] cifs: use get_random_u32 for 32-bit lock random Jason A. Donenfeld 2017-06-06 17:47 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 0:25 ` Theodore Ts'o 2017-06-08 0:25 ` [kernel-hardening] " Theodore Ts'o 2017-06-08 0:31 ` Jason A. Donenfeld 2017-06-08 0:34 ` Jason A. Donenfeld 2017-06-06 17:48 ` [PATCH v4 09/13] rhashtable: use get_random_u32 for hash_rnd Jason A. Donenfeld 2017-06-06 17:48 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 2:47 ` Theodore Ts'o 2017-06-08 2:47 ` [kernel-hardening] " Theodore Ts'o 2017-06-06 17:48 ` [PATCH v4 10/13] net/neighbor: use get_random_u32 for 32-bit hash random Jason A. Donenfeld 2017-06-06 17:48 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 3:00 ` Theodore Ts'o 2017-06-08 3:00 ` [kernel-hardening] " Theodore Ts'o 2017-06-06 17:48 ` [PATCH v4 11/13] net/route: use get_random_int for random counter Jason A. Donenfeld 2017-06-06 17:48 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 3:01 ` Theodore Ts'o 2017-06-08 3:01 ` [kernel-hardening] " Theodore Ts'o 2017-06-06 17:48 ` [PATCH v4 12/13] bluetooth/smp: ensure RNG is properly seeded before ECDH use Jason A. Donenfeld 2017-06-06 17:48 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 3:06 ` Theodore Ts'o 2017-06-08 3:06 ` [kernel-hardening] " Theodore Ts'o 2017-06-08 5:04 ` Marcel Holtmann 2017-06-08 5:04 ` [kernel-hardening] " Marcel Holtmann 2017-06-08 12:03 ` Jason A. Donenfeld 2017-06-08 12:03 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 12:05 ` Jason A. Donenfeld 2017-06-08 12:05 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-08 17:05 ` Marcel Holtmann 2017-06-08 17:05 ` [kernel-hardening] " Marcel Holtmann 2017-06-08 17:34 ` Jason A. Donenfeld 2017-06-08 17:34 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-09 1:16 ` [PATCH] bluetooth: ensure RNG is properly seeded before powerup Jason A. Donenfeld 2017-06-06 17:48 ` Jason A. Donenfeld [this message] 2017-06-06 17:48 ` [kernel-hardening] [PATCH v4 13/13] random: warn when kernel uses unseeded randomness Jason A. Donenfeld 2017-06-08 8:19 ` Theodore Ts'o 2017-06-08 8:19 ` [kernel-hardening] " Theodore Ts'o 2017-06-08 12:01 ` Jason A. Donenfeld 2017-06-08 12:01 ` [kernel-hardening] " Jason A. Donenfeld 2017-06-15 11:03 ` Michael Ellerman 2017-06-15 11:59 ` Stephan Müller 2017-06-18 15:46 ` Theodore Ts'o 2017-06-18 17:55 ` Stephan Müller 2017-06-18 19:12 ` Jason A. Donenfeld 2017-06-18 19:11 ` Jason A. Donenfeld 2017-06-08 8:43 ` Jeffrey Walton 2017-06-08 8:43 ` [kernel-hardening] " Jeffrey Walton 2017-06-07 12:33 ` [PATCH v4 00/13] Unseeded In-Kernel Randomness Fixes Jason A. Donenfeld 2017-06-07 12:33 ` [kernel-hardening] " Jason A. Donenfeld
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20170606174804.31124-14-Jason@zx2c4.com \ --to=jason@zx2c4.com \ --cc=davem@davemloft.net \ --cc=ebiggers3@gmail.com \ --cc=gregkh@linuxfoundation.org \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-crypto@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=tytso@mit.edu \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.