From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Theodore Tso, Arnd Bergmann
Subject: [PATCH 4.14 218/246] random: mix rdrand with entropy sent in from userspace
Date: Wed, 1 Aug 2018 18:52:08 +0200
Message-Id: <20180801165022.140213822@linuxfoundation.org>
In-Reply-To: <20180801165011.700991984@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o

commit 81e69df38e2911b642ec121dec319fad2a4782f3 upstream.

Fedora has integrated the jitter entropy daemon to work around slow boot problems, especially on VM's that don't support virtio-rng:

https://bugzilla.redhat.com/show_bug.cgi?id=1572944

It's understandable why they did this, but the Jitter entropy daemon works fundamentally on the principle: "the CPU microarchitecture is **so** complicated and we can't figure it out, so it *must* be random". Yes, it uses statistical tests to "prove" it is secure, but AES_ENCRYPT(NSA_KEY, COUNTER++) will also pass statistical tests with flying colors.

So if RDRAND is available, mix it into entropy submitted from userspace. It can't hurt, and if you believe the NSA has backdoored RDRAND, then they probably have enough details about the Intel microarchitecture that they can reverse engineer how the Jitter entropy daemon affects the microarchitecture, and attack its output stream. And if RDRAND is in fact an honest DRNG, it will immeasurably improve on what the Jitter entropy daemon might produce.

This also provides some protection against someone who is able to read or set the entropy seed file.

Signed-off-by: Theodore Ts'o
Cc: stable@vger.kernel.org
Cc: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman
---
drivers/char/random.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1897,14 +1897,22 @@ static int write_pool(struct entropy_store *r, const char __user *buffer, size_t count) { size_t bytes; - __u32 buf[16]; + __u32 t, buf[16]; const char __user *p = buffer; while (count > 0) { + int b, i = 0; + bytes = min(count, sizeof(buf)); if (copy_from_user(&buf, p, bytes)) return -EFAULT; + for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) { + if (!arch_get_random_int(&t)) + break; + buf[i] ^= t; + } + count -= bytes; p += bytes;
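
Review bot: in the added for loop of write_pool(), when `bytes` is not a multiple of sizeof(__u32) the final `buf[i] ^= t` reads and writes a full word of which copy_from_user() filled only part. Since `buf` is declared without an initializer, the rest of that word is stale stack data or data left over from the previous pass of the while loop. The access stays inside buf[16] because `bytes` is capped at sizeof(buf), so this is not an overflow, but zero-initializing `buf` or adding a comment that the tail bytes are don't-care would make that explicit and keep uninitialized-memory checkers quiet. Two smaller points on the same loop: `b` is a signed int decremented by a size_t and termination relies on it going negative, which would read more clearly as a word count such as DIV_ROUND_UP(bytes, sizeof(__u32)); and the silent `break` when arch_get_random_int() fails leaves the remaining words unmixed, which matches the "if RDRAND is available" intent of the commit message but deserves a one-line comment in the code.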