Hi @all,
First, sorry for the late feedback, I was busy with other topics.
In the meanwhile I had a look at this hwrng entropy feature related to s390
and the zcrypt hardware random generator.
I have a concern about the initial call to the hwrng device while trying to
register the same.
drivers/char/hw_random/core.c
...
int hwrng_register(struct hwrng *rng) {
...
bytes_read = rng_get_data(rng, bytes, sizeof(bytes), 1);
if (bytes_read > 0)
add_device_randomness(bytes, bytes_read);
...
}
At this point in time the zcrypt hw device is not registered completely in
the internal zcrypt device list (ap_device_list). The crypto card itself is
initialized and ready to receive and service requests, but the tasklet that
retrieve the card response is not able to find the device because it's not
yet in the list. Finally the response would not be received and the thread
is still waiting for completion, hence the probing/registering procedure
for all the other crypto devices is blocked. No further devices could be
scanned, initialized and registered.
Therefore I would not recommend to trigger a hw device request before the
device register process has completed.
Anyway, when the kernel thread (hwrng_fillfn) starts, it take care about
the initial call to the zcrypt rng device to be triggered. Therefore I
don't see any reason to manually call rng_get_data() during the
registration or did I missed something?
Mit freundlichen Gr??en / Kind regards
Ingo Tuchscherer
Software Development - Linux on System z
IBM Systems &Technology Group
Phone: +49-7031-16-1986 IBM Deutschland (Embedded
image moved
to file:
pic60502.gif)
E-Mail: [email protected] Schoenaicher Str. 220
71032 Boeblingen
Germany
IBM Deutschland
Research &
Development
GmbH /
Vorsitzender des
Aufsichtsrats:
Martina Koederitz
Gesch?ftsf?hrung:
Dirk Wittkopp
Sitz der
Gesellschaft:
B?blingen /
Registergericht:
Amtsgericht
Stuttgart, HRB
243294
From: "Theodore Ts'o" <[email protected]>
To: Torsten Duwe <[email protected]>,
Cc: Ingo Tuchscherer/Germany/IBM@IBMDE, Hans-Georg
Markgraf/Germany/IBM@IBMDE, [email protected],
[email protected], [email protected], J?rn
Engel <[email protected]>
Date: 16.06.2014 16:28
Subject: Re: [Patch v5.1 03/03]: hwrng: khwrngd derating per device
On Mon, Jun 16, 2014 at 04:14:44PM +0200, Torsten Duwe wrote:
> Also, I added the patch below to our kernel. Who wants to take that
> one-liner upstream?
This will require sucking in the "master" branch of random.git. So
either the s390 tree can merge in the master branch, or I can carry it
in the random.git tree. I'm happy to do that unless their are any
objections.
(Note: if you want to base something on random.git, please use the
master branch. The dev branch is sometimes rewound... I've since
moved master up to the dev branch, which is my guarantee not to rewind
anything up to the master branch.)
> --- linux-3.12-SLE12/drivers/s390/crypto/zcrypt_api.c.orig
2014-06-16 14:23:27.726162185 +0200
> +++ linux-3.12-SLE12/drivers/s390/crypto/zcrypt_api.c
2014-06-16 14:46:31.869103924 +0200
> @@ -1374,6 +1374,7 @@ static int zcrypt_rng_data_read(struct h
> static struct hwrng zcrypt_rng_dev = {
> .name = "zcrypt",
> .data_read = zcrypt_rng_data_read,
> + .quality = 990,
> };
>
> static int zcrypt_rng_device_add(void)
I assume the z-Series RNG is presumed to be high quality, yes?
-
Ted
On Fri, Jul 11, 2014 at 03:43:24PM +0200, Ingo Tuchscherer wrote:
> At this point in time the zcrypt hw device is not registered completely in
> the internal zcrypt device list (ap_device_list). The crypto card itself is
> initialized and ready to receive and service requests, but the tasklet that
> retrieve the card response is not able to find the device because it's not
> yet in the list. Finally the response would not be received and the thread
> is still waiting for completion, hence the probing/registering procedure
> for all the other crypto devices is blocked. No further devices could be
> scanned, initialized and registered.
> Therefore I would not recommend to trigger a hw device request before the
> device register process has completed.
Is there any chance that you could change the zcrypt driver so that it
doesn't call hwrng_register() until and the tasklet that can receive
the request has been fully registered? It sounds like that should
just be a matter of reordering a few lines of code, no?
> Anyway, when the kernel thread (hwrng_fillfn) starts, it take care about
> the initial call to the zcrypt rng device to be triggered. Therefore I
> don't see any reason to manually call rng_get_data() during the
> registration or did I missed something?
The basic idea was described in the commit that added this:
commit d9e79726193346569af7953369a638ee2275ade5
Author: Kees Cook <[email protected]>
Date: Mon Mar 3 15:51:48 2014 -0800
hwrng: add randomness to system from rng sources
When bringing a new RNG source online, it seems like it would make sense
to use some of its bytes to make the system entropy pool more random,
as done with all sorts of other devices that contain per-device or
per-boot differences.
Signed-off-by: Kees Cook <[email protected]>
Reviewed-by: Jason Cooper <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Cheers,
- Ted