Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2315903imm; Sun, 5 Aug 2018 01:18:09 -0700 (PDT) X-Google-Smtp-Source: AAOMgpeCiY5lfG47VVpd4A9ZAD7ox/sWkbouoJNV4XNoxQCyKdneaalIzKvj0Z3wKtbAIeSBAjbW X-Received: by 2002:a17:902:d710:: with SMTP id w16-v6mr9765086ply.93.1533457089261; Sun, 05 Aug 2018 01:18:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533457089; cv=none; d=google.com; s=arc-20160816; b=Mm4g5ArwhI//KiVbANovpbPuETAPhzH9aOWNlYpRMRN5rT18Yp5y2E3Nd2VVGC68Ii 3Cf/E47x5lng20NhvoQL4qH4tGbrsxyW/nKbEZ6R6JinEzxEpfWSGBVnoNpr2KjCv868 KpvGZKYWN0/GpdV4Xn/Mqv5f24H5m0DGaiwp1LTXVKf0OxXlSYZcq2xv+t6OwZvUyZ01 BqX7lOzHpLT/p1DNh0KNvQc8/+0+tT0b7Jnomuk32Rb3Xj41SQM1IbgJ+VGNkP8gMEIA IBXgihcnWc903v5P6fA8V4x8sA3iE522vAEJKRM20uHrENtwK4LBuBgMNiMi8+HHTD9G W/xg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=mKl5iCULWG/QQNgt2Hom1+IXP+JXntiV600kFrjbwvE=; b=iY2RRHQTrfYoVnEaBLlaeboM8tq+6gtYJlWAK5ziWxCSCA0V4an7yVclqjr9xDZi5W 4B5bSFVS3CwXxW0615LGJKtC5EGaBLPOpu21bI0PiZQ0OTwKpkOxs1fk5Qh1Bmf6YyJD BufhG7YZWZuAWbfbW3imaH4V9zChoNwb2CpUHAqKTOS/SEip6kzFo6tCmxHh/hLbYer5 o7DGZyLDi3//WYxsMnYdimN7nstbjcrIMCPDOs5VjMMmdjhmf064hSV/8zGvP+mwDc9E PwP5dDaN97PgZOp5LomHnIix6VxjaEYDV9U0oFWW7hPT9Re4zucOShD0fpGAx10IlRsq lwsA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=aR5+7Lxt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w126-v6si4055116pfb.232.2018.08.05.01.17.54; Sun, 05 Aug 2018 01:18:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=aR5+7Lxt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726371AbeHEKTt (ORCPT + 99 others); Sun, 5 Aug 2018 06:19:49 -0400 Received: from mail-io0-f196.google.com ([209.85.223.196]:40426 "EHLO mail-io0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726267AbeHEKTs (ORCPT ); Sun, 5 Aug 2018 06:19:48 -0400 Received: by mail-io0-f196.google.com with SMTP id l14-v6so8482689iob.7 for ; Sun, 05 Aug 2018 01:16:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=mKl5iCULWG/QQNgt2Hom1+IXP+JXntiV600kFrjbwvE=; b=aR5+7Lxtn36lHlhNBG7UENHI9kxr6X5eBW9Olrj+PfD9iWylXCjl4tBDGlUYe2LC+6 9h9K6PROHprxLcskVK3V4Ei6FON86cNBRMWLYMxF5whL3X44h9IEpBdun3nLFxq0SqjS rY7qjTOpkmlhGzZ+ma/rIw8h5vQ/1Vg0AYO5o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=mKl5iCULWG/QQNgt2Hom1+IXP+JXntiV600kFrjbwvE=; b=Ujer9Y+4KB6AYl4sHh/HqKjamKXnwzKBOfdlg5GO2FRto/Xe5ACEjIhqAZ8iBOSsON JWzkpqw5i7nYQ4KJjTiLGUEnCA6rx582MqF9+h3R6hdB0HnWVOotX3xt+FNWYHR2IR04 OrriO7Gc2b5o3zp1//YpDKkiEF3/rTPri+NHfb1UNeYbPOxscj2iKZs2Tfc40ySvqUgB 3bVXy6IgTdFr0jwjWLt4aqz14f9qxoQLhdAJNJTtByDHYuOmpE1pLW2EyWDxvOK/Dsjv aRSYjFcq7nyHFyynkidZRiURrMK1uwXhiGreNt9PZ0uT6yBwqwkjnyu/NY8fysaf3azd ZRpg== X-Gm-Message-State: AOUpUlGnIB8MBy3AQYnrWHq9flGVkpNs8MOAY+f0SA+jDFj9/5XbXWVK qJqZrnlFyiKqor55hh7/22lQcFX4B2oc73kWRgksOA== X-Received: by 2002:a6b:5208:: with SMTP id g8-v6mr11997231iob.60.1533456964357; Sun, 05 Aug 2018 01:16:04 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a6b:ac05:0:0:0:0:0 with HTTP; Sun, 5 Aug 2018 01:16:03 -0700 (PDT) In-Reply-To: <20180805032119.20485-2-jlee@suse.com> References: <20180805032119.20485-1-jlee@suse.com> <20180805032119.20485-2-jlee@suse.com> From: Ard Biesheuvel Date: Sun, 5 Aug 2018 10:16:03 +0200 Message-ID: Subject: Re: [PATCH 1/6] x86/KASLR: make getting random long number function public To: "Lee, Chun-Yi" Cc: Linux Kernel Mailing List , linux-efi , "the arch/x86 maintainers" , keyrings@vger.kernel.org, linux-integrity , "Lee, Chun-Yi" , Kees Cook , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , "Rafael J. Wysocki" , Pavel Machek , Chen Yu , Oliver Neukum , Ryan Chen , David Howells , Mimi Zohar Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 5 August 2018 at 05:21, Lee, Chun-Yi wrote: > Separating the functions for getting random long number from KASLR > to x86 library, then it can be used to generate random long for > EFI root key. > > Cc: Kees Cook > Cc: Thomas Gleixner > Cc: Ingo Molnar > Cc: "H. Peter Anvin" > Cc: "Rafael J. Wysocki" > Cc: Pavel Machek > Cc: Chen Yu > Cc: Oliver Neukum > Cc: Ryan Chen > Cc: Ard Biesheuvel > Cc: David Howells > Cc: Mimi Zohar > Signed-off-by: "Lee, Chun-Yi" Not my call to make perhaps, but i'm nacking it anyway. Playing games with counters and other low entropy inputs may have been acceptable for kaslr on x86 when it was first introduced, but using it to generate symmetric keys is really out of the question. On modern x86, i suppose rdrand is a given, and these days we have EFI_RNG_PROTOCOL as well (and an open source UEFI driver for ChasoKey, btw - perhaps we should try and get MS to sign that?), although I'm not sure whether any x86 support this out of the box now. BTW using low entropy inputs on top of rdrand or EFI_RNG_PROTOCOL is fine, if you're paranoid, but if you have neither of those, you should really fail the call. > --- > arch/x86/boot/compressed/kaslr.c | 21 ------------- > arch/x86/boot/compressed/misc.c | 17 ++++++++++ > arch/x86/boot/compressed/misc.h | 6 ++++ > arch/x86/lib/kaslr.c | 61 ++--------------------------------- > arch/x86/lib/random.c | 68 ++++++++++++++++++++++++++++++++++++++++ > 5 files changed, 93 insertions(+), 80 deletions(-) > create mode 100644 arch/x86/lib/random.c > > diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c > index b87a7582853d..0f40d2178ebc 100644 > --- a/arch/x86/boot/compressed/kaslr.c > +++ b/arch/x86/boot/compressed/kaslr.c > @@ -33,13 +33,11 @@ > #include "error.h" > #include "../string.h" > > -#include > #include > #include > #include > #include > #include > -#include > #include > > /* Macros used by the included decompressor code below. */ > @@ -57,25 +55,6 @@ extern unsigned long get_cmd_line_ptr(void); > /* Used by PAGE_KERN* macros: */ > pteval_t __default_kernel_pte_mask __read_mostly = ~0; > > -/* Simplified build-specific string for starting entropy. */ > -static const char build_str[] = UTS_RELEASE " (" LINUX_COMPILE_BY "@" > - LINUX_COMPILE_HOST ") (" LINUX_COMPILER ") " UTS_VERSION; > - > -static unsigned long rotate_xor(unsigned long hash, const void *area, > - size_t size) > -{ > - size_t i; > - unsigned long *ptr = (unsigned long *)area; > - > - for (i = 0; i < size / sizeof(hash); i++) { > - /* Rotate by odd number of bits and XOR. */ > - hash = (hash << ((sizeof(hash) * 8) - 7)) | (hash >> 7); > - hash ^= ptr[i]; > - } > - > - return hash; > -} > - > /* Attempt to create a simple but unpredictable starting entropy. */ > static unsigned long get_boot_seed(void) > { > diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c > index 8dd1d5ccae58..eb0ab9cad4e4 100644 > --- a/arch/x86/boot/compressed/misc.c > +++ b/arch/x86/boot/compressed/misc.c > @@ -426,3 +426,20 @@ void fortify_panic(const char *name) > { > error("detected buffer overflow"); > } > + > +#if CONFIG_RANDOMIZE_BASE > +unsigned long rotate_xor(unsigned long hash, const void *area, > + size_t size) > +{ > + size_t i; > + unsigned long *ptr = (unsigned long *)area; > + > + for (i = 0; i < size / sizeof(hash); i++) { > + /* Rotate by odd number of bits and XOR. */ > + hash = (hash << ((sizeof(hash) * 8) - 7)) | (hash >> 7); > + hash ^= ptr[i]; > + } > + > + return hash; > +} > +#endif > diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h > index a423bdb42686..957f327ad83c 100644 > --- a/arch/x86/boot/compressed/misc.h > +++ b/arch/x86/boot/compressed/misc.h > @@ -70,6 +70,8 @@ int cmdline_find_option_bool(const char *option); > > > #if CONFIG_RANDOMIZE_BASE > +#include > +#include > /* kaslr.c */ > void choose_random_location(unsigned long input, > unsigned long input_size, > @@ -78,6 +80,10 @@ void choose_random_location(unsigned long input, > unsigned long *virt_addr); > /* cpuflags.c */ > bool has_cpuflag(int flag); > +/* Simplified build-specific string for starting entropy. */ > +static const char build_str[] = UTS_RELEASE " (" LINUX_COMPILE_BY "@" > + LINUX_COMPILE_HOST ") (" LINUX_COMPILER ") " UTS_VERSION; > +unsigned long rotate_xor(unsigned long hash, const void *area, size_t size); > #else > static inline void choose_random_location(unsigned long input, > unsigned long input_size, > diff --git a/arch/x86/lib/kaslr.c b/arch/x86/lib/kaslr.c > index 79778ab200e4..29ed9bfde5a5 100644 > --- a/arch/x86/lib/kaslr.c > +++ b/arch/x86/lib/kaslr.c > @@ -26,67 +26,10 @@ > #define get_boot_seed() kaslr_offset() > #endif > > -#define I8254_PORT_CONTROL 0x43 > -#define I8254_PORT_COUNTER0 0x40 > -#define I8254_CMD_READBACK 0xC0 > -#define I8254_SELECT_COUNTER0 0x02 > -#define I8254_STATUS_NOTREADY 0x40 > -static inline u16 i8254(void) > -{ > - u16 status, timer; > - > - do { > - outb(I8254_PORT_CONTROL, > - I8254_CMD_READBACK | I8254_SELECT_COUNTER0); > - status = inb(I8254_PORT_COUNTER0); > - timer = inb(I8254_PORT_COUNTER0); > - timer |= inb(I8254_PORT_COUNTER0) << 8; > - } while (status & I8254_STATUS_NOTREADY); > - > - return timer; > -} > +#include "random.c" > > unsigned long kaslr_get_random_long(const char *purpose) > { > -#ifdef CONFIG_X86_64 > - const unsigned long mix_const = 0x5d6008cbf3848dd3UL; > -#else > - const unsigned long mix_const = 0x3f39e593UL; > -#endif > - unsigned long raw, random = get_boot_seed(); > - bool use_i8254 = true; > - > - debug_putstr(purpose); > debug_putstr(" KASLR using"); > - > - if (has_cpuflag(X86_FEATURE_RDRAND)) { > - debug_putstr(" RDRAND"); > - if (rdrand_long(&raw)) { > - random ^= raw; > - use_i8254 = false; > - } > - } > - > - if (has_cpuflag(X86_FEATURE_TSC)) { > - debug_putstr(" RDTSC"); > - raw = rdtsc(); > - > - random ^= raw; > - use_i8254 = false; > - } > - > - if (use_i8254) { > - debug_putstr(" i8254"); > - random ^= i8254(); > - } > - > - /* Circular multiply for better bit diffusion */ > - asm(_ASM_MUL "%3" > - : "=a" (random), "=d" (raw) > - : "a" (random), "rm" (mix_const)); > - random += raw; > - > - debug_putstr("...\n"); > - > - return random; > + return get_random_long(purpose); > } > diff --git a/arch/x86/lib/random.c b/arch/x86/lib/random.c > new file mode 100644 > index 000000000000..f2fe6a784c98 > --- /dev/null > +++ b/arch/x86/lib/random.c > @@ -0,0 +1,68 @@ > +// SPDX-License-Identifier: GPL-2.0 > + > +#include > +#include > + > +#define I8254_PORT_CONTROL 0x43 > +#define I8254_PORT_COUNTER0 0x40 > +#define I8254_CMD_READBACK 0xC0 > +#define I8254_SELECT_COUNTER0 0x02 > +#define I8254_STATUS_NOTREADY 0x40 > +static inline u16 i8254(void) > +{ > + u16 status, timer; > + > + do { > + outb(I8254_PORT_CONTROL, > + I8254_CMD_READBACK | I8254_SELECT_COUNTER0); > + status = inb(I8254_PORT_COUNTER0); > + timer = inb(I8254_PORT_COUNTER0); > + timer |= inb(I8254_PORT_COUNTER0) << 8; > + } while (status & I8254_STATUS_NOTREADY); > + > + return timer; > +} > + > +static unsigned long get_random_long(const char *purpose) > +{ > +#ifdef CONFIG_X86_64 > + const unsigned long mix_const = 0x5d6008cbf3848dd3UL; > +#else > + const unsigned long mix_const = 0x3f39e593UL; > +#endif > + unsigned long raw, random = get_boot_seed(); > + bool use_i8254 = true; > + > + debug_putstr(purpose); > + > + if (has_cpuflag(X86_FEATURE_RDRAND)) { > + debug_putstr(" RDRAND"); > + if (rdrand_long(&raw)) { > + random ^= raw; > + use_i8254 = false; > + } > + } > + > + if (has_cpuflag(X86_FEATURE_TSC)) { > + debug_putstr(" RDTSC"); > + raw = rdtsc(); > + > + random ^= raw; > + use_i8254 = false; > + } > + > + if (use_i8254) { > + debug_putstr(" i8254"); > + random ^= i8254(); > + } > + > + /* Circular multiply for better bit diffusion */ > + asm(_ASM_MUL "%3" > + : "=a" (random), "=d" (raw) > + : "a" (random), "rm" (mix_const)); > + random += raw; > + > + debug_putstr("...\n"); > + > + return random; > +} > -- > 2.13.6 >