Subject: Re: [PATCH] x86, random: Fix get_random_bytes() warning in x86 start_kernel
To: Kees Cook
Cc: LKML, Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", X86 ML, Theodore Ts'o, Arnd Bergmann, Greg Kroah-Hartman, Rik van Riel, Andrew Morton, Philippe Ombredanne, "Jason A. Donenfeld", Kate Stewart
References: <20180529123800.19627-1-prarit@redhat.com>
From: Prarit Bhargava
Message-ID: <71b5df93-2e21-f3c3-fa22-4488729daeb5@redhat.com>
Date: Tue, 29 May 2018 11:01:07 -0400
X-Mailing-List: linux-kernel@vger.kernel.org

On 05/29/2018 10:49 AM, Kees Cook wrote:
> On Tue, May 29, 2018 at 5:38 AM, Prarit Bhargava wrote:
>> After 43838a23a05f ("random: fix crng_ready() test") early boot calls
>> to get_random_bytes() will warn on each cpu on x86 because the crng
>> is not initialized. For example,
>>
>> random: get_random_bytes called from start_kernel+0x8e/0x587 with crng_init=0
>>
>> x86 only uses get_random_bytes() for better randomization of the stack
>> canary value so the warning is of no consequence.
>>
>> Export crng_ready() for x86 and test if the crng is initialized before
>> calling get_random_bytes().
>
> NAK. This leaves the stack canary with very little entropy. This needs
> to pull from whatever pool is available, not skip it.
>

Kees, in early boot no pool is available so the stack canary is initialized from
the TSC. Later in boot, the stack canary will use the crng.

The existing comment in the code (cut-off in the patch below) reads

	/*
	 * We both use the random pool and the current TSC as a source
	 * of randomness. The TSC only matters for very early init,
	 * there it already has some randomness on most systems. Later
	 * on during the bootup the random pool has true entropy too.
	 */

ie) in early boot only TSC is okay, and late boot (when crng_ready() is true)
the pool will be used.

P.

> -Kees
>
>>
>> Signed-off-by: Prarit Bhargava
>> Cc: Thomas Gleixner
>> Cc: Ingo Molnar
>> Cc: "H. Peter Anvin"
>> Cc: x86@kernel.org
>> Cc: "Theodore Ts'o"
>> Cc: Arnd Bergmann
>> Cc: Greg Kroah-Hartman
>> Cc: Rik van Riel
>> Cc: Andrew Morton
>> Cc: Philippe Ombredanne
>> Cc: Kees Cook
>> Cc: Prarit Bhargava
>> Cc: "Jason A. Donenfeld"
>> Cc: Kate Stewart
>> --- >> arch/x86/include/asm/stackprotector.h | 3 ++- >> drivers/char/random.c | 5 ++++- >> include/linux/random.h | 1 + >> 3 files changed, 7 insertions(+), 2 deletions(-) >> >> diff --git a/arch/x86/include/asm/stackprotector.h b/arch/x86/include/asm/stackprotector.h >> index 371b3a4af000..4e2223aa34fc 100644 >> --- a/arch/x86/include/asm/stackprotector.h >> +++ b/arch/x86/include/asm/stackprotector.h >> @@ -72,7 +72,8 @@ static __always_inline void boot_init_stack_canary(void) >> * there it already has some randomness on most systems. Later >> * on during the bootup the random pool has true entropy too. >> */ >> - get_random_bytes(&canary, sizeof(canary)); >> + if (crng_ready()) >> + get_random_bytes(&canary, sizeof(canary)); >> tsc = rdtsc(); >> canary += tsc + (tsc << 32UL); >> canary &= CANARY_MASK; >> diff --git a/drivers/char/random.c b/drivers/char/random.c >> index cd888d4ee605..003091d104bf 100644 >> --- a/drivers/char/random.c >> +++ b/drivers/char/random.c 
>> @@ -428,7 +428,10 @@ struct crng_state primary_crng = { >> * its value (from 0->1->2). >> */ >> static int crng_init = 0; >> -#define crng_ready() (likely(crng_init > 1)) >> +int crng_ready(void) >> +{ >> + return likely(crng_init > 1); >> +} >> static int crng_init_cnt = 0; >> static unsigned long crng_global_init_time = 0; >> #define CRNG_INIT_CNT_THRESH (2*CHACHA20_KEY_SIZE) >> diff --git a/include/linux/random.h b/include/linux/random.h >> index 2ddf13b4281e..45616513abd9 100644 >> --- a/include/linux/random.h >> +++ b/include/linux/random.h >> @@ -196,4 +196,5 @@ static inline u32 next_pseudo_random32(u32 seed) >> return seed * 1664525 + 1013904223; >> } >> >> +extern int crng_ready(void); >> #endif /* _LINUX_RANDOM_H */ >> -- >> 2.14.3 >> > > >
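
Review bot: In boot_init_stack_canary() (arch/x86/include/asm/stackprotector.h), once get_random_bytes() sits behind `if (crng_ready())`, the not-ready path reaches `canary += tsc + (tsc << 32UL);` without anything in the hunk having written `canary`. Its declaration is outside the visible context, so either initialize it there or add an explicit `else canary = 0;`, otherwise the early-boot value starts from whatever happened to be in that variable. On that path the canary is derived from rdtsc() alone, which is the entropy concern raised in the NAK, and the comment above the call still describes using both the pool and the TSC, so it should be updated to describe the conditional.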
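
Review bot: In drivers/char/random.c, replacing the `crng_ready()` macro with an out-of-line `int crng_ready(void)` leaves `likely()` inside the function body, where it annotates only the return expression and no longer the branch taken at each caller. Consider returning `bool` with a plain `crng_init > 1` and keeping the `likely()` hint at the call sites in this file, for example by retaining a file-local macro next to the new accessor. A one-line comment saying the function is true only once crng_init has passed 1 would also help callers outside random.c, who do not see the 0->1->2 description above crng_init.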
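
Review bot: In include/linux/random.h, `extern int crng_ready(void);` is added right before `#endif` with no comment, which makes the CRNG init state queryable by every includer of this header. Please document what a false return means for callers, since skipping get_random_bytes() on that basis (as the x86 hunk does) changes how much entropy the caller ends up with. The `extern` keyword is redundant on a function declaration and can be dropped, and no EXPORT_SYMBOL accompanies the definition in the random.c hunk although the commit message says "Export", so state whether built-in use only is intended.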