summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTheodore Ts'o <tytso@mit.edu>2018-07-14 23:55:57 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2018-08-03 07:55:26 +0200
commit820f2bcacbdb8e537abce8cdf660ff3b2c67871c (patch)
tree645ef54ffea4c10b2ab00d9f303006ddcf1c7da0
parentf685597b133510047dbbea61c942e5c708654118 (diff)
downloadlinux-stable-820f2bcacbdb8e537abce8cdf660ff3b2c67871c.tar.gz
linux-stable-820f2bcacbdb8e537abce8cdf660ff3b2c67871c.tar.bz2
linux-stable-820f2bcacbdb8e537abce8cdf660ff3b2c67871c.zip
random: mix rdrand with entropy sent in from userspace
commit 81e69df38e2911b642ec121dec319fad2a4782f3 upstream. Fedora has integrated the jitter entropy daemon to work around slow boot problems, especially on VM's that don't support virtio-rng: https://bugzilla.redhat.com/show_bug.cgi?id=1572944 It's understandable why they did this, but the Jitter entropy daemon works fundamentally on the principle: "the CPU microarchitecture is **so** complicated and we can't figure it out, so it *must* be random". Yes, it uses statistical tests to "prove" it is secure, but AES_ENCRYPT(NSA_KEY, COUNTER++) will also pass statistical tests with flying colors. So if RDRAND is available, mix it into entropy submitted from userspace. It can't hurt, and if you believe the NSA has backdoored RDRAND, then they probably have enough details about the Intel microarchitecture that they can reverse engineer how the Jitter entropy daemon affects the microarchitecture, and attack its output stream. And if RDRAND is in fact an honest DRNG, it will immeasurably improve on what the Jitter entropy daemon might produce. This also provides some protection against someone who is able to read or set the entropy seed file. Signed-off-by: Theodore Ts'o <tytso@mit.edu> Cc: stable@vger.kernel.org Cc: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/char/random.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c
index ddeac4eefd0a..81b65d0e7563 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1826,14 +1826,22 @@ static int
write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
{
size_t bytes;
- __u32 buf[16];
+ __u32 t, buf[16];
const char __user *p = buffer;
while (count > 0) {
+ int b, i = 0;
+
bytes = min(count, sizeof(buf));
if (copy_from_user(&buf, p, bytes))
return -EFAULT;
+ for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) {
+ if (!arch_get_random_int(&t))
+ break;
+ buf[i] ^= t;
+ }
+
count -= bytes;
p += bytes;