diff options
author | Theodore Ts'o <tytso@mit.edu> | 2014-07-17 05:27:30 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2014-08-05 16:41:50 -0400 |
commit | 48d6be955a7167b0d0e025ae6c39e795e3544499 (patch) | |
tree | c6e3ebc786fbb45072fbda6a8c55e91aa17aaf95 /drivers/char | |
parent | c6e9d6f38894798696f23c8084ca7edbf16ee895 (diff) | |
download | linux-48d6be955a7167b0d0e025ae6c39e795e3544499.tar.gz linux-48d6be955a7167b0d0e025ae6c39e795e3544499.tar.bz2 linux-48d6be955a7167b0d0e025ae6c39e795e3544499.zip |
random: limit the contribution of the hw rng to at most half
For people who don't trust a hardware RNG which can not be audited,
the changes to add support for RDSEED can be troubling since 97% or
more of the entropy will be contributed from the in-CPU hardware RNG.
We now have a in-kernel khwrngd, so for those people who do want to
implicitly trust the CPU-based system, we could create an arch-rng
hw_random driver, and allow khwrng refill the entropy pool. This
allows system administrator whether or not they trust the CPU (I
assume the NSA will trust RDRAND/RDSEED implicitly :-), and if so,
what level of entropy derating they want to use.
The reason why this is a really good idea is that if different people
use different levels of entropy derating, it will make it much more
difficult to design a backdoor'ed hwrng that can be generally
exploited in terms of the output of /dev/random when different attack
targets are using differing levels of entropy derating.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Diffstat (limited to 'drivers/char')
-rw-r--r-- | drivers/char/random.c | 43 |
1 files changed, 4 insertions, 39 deletions
diff --git a/drivers/char/random.c b/drivers/char/random.c index 7d1682ea1e86..6e455bc4a39e 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -910,12 +910,13 @@ void add_interrupt_randomness(int irq, int irq_flags) /* * If we have architectural seed generator, produce a seed and - * add it to the pool. For the sake of paranoia count it as - * 50% entropic. + * add it to the pool. For the sake of paranoia don't let the + * architectural seed generator dominate the input from the + * interrupt noise. */ if (arch_get_random_seed_long(&seed)) { __mix_pool_bytes(r, &seed, sizeof(seed)); - credit += sizeof(seed) * 4; + credit = 1; } spin_unlock(&r->lock); @@ -1328,37 +1329,6 @@ void rand_initialize_disk(struct gendisk *disk) } #endif -/* - * Attempt an emergency refill using arch_get_random_seed_long(). - * - * As with add_interrupt_randomness() be paranoid and only - * credit the output as 50% entropic. - */ -static int arch_random_refill(void) -{ - const unsigned int nlongs = 64; /* Arbitrary number */ - unsigned int n = 0; - unsigned int i; - unsigned long buf[nlongs]; - - if (!arch_has_random_seed()) - return 0; - - for (i = 0; i < nlongs; i++) { - if (arch_get_random_seed_long(&buf[n])) - n++; - } - - if (n) { - unsigned int rand_bytes = n * sizeof(unsigned long); - - mix_pool_bytes(&input_pool, buf, rand_bytes); - credit_entropy_bits(&input_pool, rand_bytes*4); - } - - return n; -} - static ssize_t _random_read(int nonblock, char __user *buf, size_t nbytes) { @@ -1379,11 +1349,6 @@ _random_read(int nonblock, char __user *buf, size_t nbytes) return n; /* Pool is (near) empty. Maybe wait and retry. */ - - /* First try an emergency refill */ - if (arch_random_refill()) - continue; - if (nonblock) return -EAGAIN; |