Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752094AbdFHD7F (ORCPT ); Wed, 7 Jun 2017 23:59:05 -0400 Received: from mail-it0-f67.google.com ([209.85.214.67]:36714 "EHLO mail-it0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751433AbdFHD7E (ORCPT ); Wed, 7 Jun 2017 23:59:04 -0400 Message-ID: <1496894341.10825.26.camel@gmail.com> Subject: Re: [kernel-hardening] Re: [PATCH v3 04/13] crypto/rng: ensure that the RNG is ready before using From: Daniel Micay To: Mark Rutland Cc: Henrique de Moraes Holschuh , "Theodore Ts'o" , "Jason A. Donenfeld" , Eric Biggers , Linux Crypto Mailing List , LKML , kernel-hardening@lists.openwall.com, Greg Kroah-Hartman , David Miller , Herbert Xu , Stephan Mueller Date: Wed, 07 Jun 2017 23:59:01 -0400 In-Reply-To: <20170607172627.GB8330@leverpostej> References: <20170606005108.5646-1-Jason@zx2c4.com> <20170606005108.5646-5-Jason@zx2c4.com> <20170606030004.4go6btmobrsmqiwz@thunk.org> <20170606044404.GA3469@zzz> <20170606170319.5eva2yoxxeru5p74@thunk.org> <20170606221910.GB9057@khazad-dum.debian.net> <1496854825.10825.24.camel@gmail.com> <20170607172627.GB8330@leverpostej> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.24.2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1300 Lines: 33 On Wed, 2017-06-07 at 18:26 +0100, Mark Rutland wrote: > On Wed, Jun 07, 2017 at 01:00:25PM -0400, Daniel Micay wrote: > > > On the better bootloaders, an initramfs segment can be loaded > > > independently (and you can have as many as required), which makes > > > an > > > early_initramfs a more palatable vector to inject large amounts of > > > entropy into the next boot than, say, modifying the kernel image > > > directly at every boot/shutdown to stash entropy in there > > > somewhere. > > [...] > > > I didn't really understand the device tree approach and mentioned a > > few times before. Passing via the kernel cmdline is a lot simpler > > than > > modifying the device tree in-memory and persistent modification > > isn't > > an option unless verified boot is missing anyway. > > I might be missing something here, but the command line is inside of > the > device tree, at /chosen/bootargs, so modifying the kernel command line > *is* modifying the device tree in-memory. > > For arm64, we have a /chosen/kaslr-seed property that we hope > FW/bootloaders fill in, and similar could be done for some initial > entropy, provided appropriate HW/FW support. > > Thanks, > Mark. I was assuming it was simpler since bootloaders are already setting it, but it seems I'm wrong about that.