Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp273553imm; Tue, 17 Jul 2018 18:53:29 -0700 (PDT) X-Google-Smtp-Source: AAOMgpcWw4wd0osKtGkC2rExOEsob7ild82iSKgzoXBXDeeCHuMX/p49bbOz6+Dk6sYkm+GUV91P X-Received: by 2002:a63:c902:: with SMTP id o2-v6mr3835440pgg.118.1531878809594; Tue, 17 Jul 2018 18:53:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531878809; cv=none; d=google.com; s=arc-20160816; b=qqtUBhSHW1ueAVlkzqM4t2sdPScjwvs6km0Er7ocZRcYxfVILO0JkMuD4+Xovu8zgz BNQBaLdkyLz64IL2FgiSmtbRSWaIlvUamge3WS+clA5hImZy+NEg/n3jlVXFt/y1pZbF 0dyOTSHlImd3GJW05m+ateGGrYBEZPzhTe1HL4kTHDbHtOJexV4K4Bv/2vxBRPNXW2Yn 8KsoYvx8o5Yeg4t54FmvN9ADWKcDyRg0uEnpIjfpu2DyDb6TfbgoqAXQp/p/MBFC8ebj xkwIjGktewrGzaI6qzqpaZ0vwKgYLTNmcB95E+q2ZnVzloq1qZla5QrXUFISOcMwFP/x PH9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature :arc-authentication-results; bh=EOhbypMt3/ftVyBQMvRAGuBahD8qRFCm170B/yz2oRc=; b=x52YSo5oE3A96jRScsjQ/mIp8KLp2AVLs9E/jvKSYkmIEemCgrVz2qGaJo2t7gUQ1I Qn2ybQma5lDdC6nbtRRJYNzeTUuJ0JaPX2UIWoS4hPn/bRPQIuk0kUMaUHGa4hM28dk/ C1mfbiI1Ci3xSKhlqSaa8ncHMgzenCuHXz3qdXl6NioQMJKDIUt6G+gjNFpUQ5GiNoQt /ldg3dONtE/naoVf6XIhAZ4B7jP4f2gG3HhFxxqk7Yvp8p6W5gRTT0kRyvz0axwYUGZR iRet5kjLQRW+KoyFlzzH7yj6uMROH0lq7fjLd8TPUH06yXLYandzQYgrOvlCMOt7au1E M9NA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=xnh0Z6yz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d5-v6si2108022plr.13.2018.07.17.18.53.13; Tue, 17 Jul 2018 18:53:29 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=xnh0Z6yz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731624AbeGRC1V (ORCPT + 99 others); Tue, 17 Jul 2018 22:27:21 -0400 Received: from imap.thunk.org ([74.207.234.97]:54488 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730930AbeGRC1V (ORCPT ); Tue, 17 Jul 2018 22:27:21 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=EOhbypMt3/ftVyBQMvRAGuBahD8qRFCm170B/yz2oRc=; b=xnh0Z6yzRi6QPlZzce6XyeAHHf TiF2MW0apzkBWWD21mFBdgAskXjXRMqAXErWEOZljqMxretKRLultg1Ys9hZ776y/Ih6kasZpfMPS HYpalr2Gsv+RVywIjXNVyecUSpPHN7UaRjRHGMeEG2+hL2Tyt6dZ9DEdF1kagyTDb+QE=; Received: from root (helo=callcc.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.89) (envelope-from ) id 1ffbdE-0000nn-BN; Wed, 18 Jul 2018 01:51:56 +0000 Received: by callcc.thunk.org (Postfix, from userid 15806) id 2ECE67A63F0; Tue, 17 Jul 2018 21:51:54 -0400 (EDT) Date: Tue, 17 Jul 2018 21:51:54 -0400 From: "Theodore Y. Ts'o" To: linux-crypto@vger.kernel.org, Linux Kernel Developers List Cc: labbott@redhat.com Subject: Re: [PATCH] random: add a config option to trust the CPU's hwrng Message-ID: <20180718015154.GE3489@thunk.org> Mail-Followup-To: "Theodore Y. Ts'o" , linux-crypto@vger.kernel.org, Linux Kernel Developers List , labbott@redhat.com References: <20180718014344.1309-1-tytso@mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180718014344.1309-1-tytso@mit.edu> User-Agent: Mutt/1.10.0 (2018-05-17) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 17, 2018 at 09:43:44PM -0400, Theodore Ts'o wrote: > This gives the user building their own kernel (or a Linux > distribution) the option of deciding whether or not to trust the CPU's > hardware random number generator (e.g., RDRAND for x86 CPU's) as being > correctly implemented and not having a back door introduced (perhaps > courtesy of a Nation State's law enforcement or intelligence > agencies). > > This will prevent getrandom(2) from blocking, if there is a > willingness to trust the CPU manufacturer. > > Signed-off-by: Theodore Ts'o Note, I had meant to tag this with an RFC. I'm not sure I really want to push this to Linus yet. If you have an opinion, let me know. Thanks! - Ted > --- > > I'm not sure Linux distro's will thank us for this. The problem is > trusting the CPU manfuacturer can be an emotional / political issue. > > For example, assume that China has decided that as a result of the > "death sentence" that the US government threatened to impose on ZTE > after they were caught introducing privacy violating malware on US > comsumers, that they needed to be self-sufficient in their technology > sector, and so they decided the needed to produce their own CPU. > > Even if I were convinced that Intel hadn't backdoored RDRAND (or an > NSA agent backdoored RDRAND for them) such that the NSA had a NOBUS > (nobody but us) capability to crack RDRAND generated numbers, if we > made a change to unconditionally trust RDRAND, then I didn't want the > upstream kernel developers to have to answer the question, "why are > you willing to trust Intel, but you aren't willing to trust a company > owned and controlled by a PLA general?" (Or a company owned and > controlled by one of Putin's Oligarchs, if that makes you feel > better.) > > With this patch, we don't put ourselves in this position --- but we > do put the Linux distro's in this position intead. The upside is it > gives the choice to each person building their own Linux kernel to > decide whether trusting RDRAND is worth it to avoid hangs due to > userspace trying to get cryptographic-grade entropy early in the boot > process. (Note: I trust RDRAND more than I do Jitter Entropy.) > > drivers/char/Kconfig | 14 ++++++++++++++ > drivers/char/random.c | 11 ++++++++++- > 2 files changed, 24 insertions(+), 1 deletion(-) > > diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig > index 212f447938ae..fe2930c4ecf0 100644 > --- a/drivers/char/Kconfig > +++ b/drivers/char/Kconfig > @@ -554,3 +554,17 @@ config ADI > > endmenu > > +config RANDOM_TRUST_CPU > + bool "Trust the CPU manufacturer to initialize Linux's CRNG" > + depends on (X86 || X86_64 || X86_32 || S390 || PPC) > + default n > + help > + Assume that CPU manufacurer (e.g., Intel or AMD for RDSEED or > + RDRAND, IBM for the S390 and Power PC architectures) is trustworthy > + for the purposes of initializing Linux's CRNG. Since this is not > + something that can be indepedently audited, this amounts to trusting > + that CPU manufacturer (perhaps with the insistance or requirement > + of a Nation State's intelligence or law enforcement agencies) > + has not installed a hidden back door to compromise the CPU's > + random number generation facilities. > + > diff --git a/drivers/char/random.c b/drivers/char/random.c > index 34ddfd57419b..f4013b8a711b 100644 > --- a/drivers/char/random.c > +++ b/drivers/char/random.c > @@ -782,6 +782,7 @@ static void invalidate_batched_entropy(void); > static void crng_initialize(struct crng_state *crng) > { > int i; > + int arch_init = 1; > unsigned long rv; > > memcpy(&crng->state[0], "expand 32-byte k", 16); > @@ -792,10 +793,18 @@ static void crng_initialize(struct crng_state *crng) > _get_random_bytes(&crng->state[4], sizeof(__u32) * 12); > for (i = 4; i < 16; i++) { > if (!arch_get_random_seed_long(&rv) && > - !arch_get_random_long(&rv)) > + !arch_get_random_long(&rv)) { > rv = random_get_entropy(); > + arch_init = 0; > + } > crng->state[i] ^= rv; > } > +#ifdef CONFIG_RANDOM_TRUST_CPU > + if (arch_init) { > + crng_init = 2; > + pr_notice("random: crng done (trusting CPU's manufacturer)\n"); > + } > +#endif > crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; > } > > -- > 2.18.0.rc0 >