Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3325710imu; Sun, 11 Nov 2018 12:25:19 -0800 (PST) X-Google-Smtp-Source: AJdET5dzqlcMTZxxZ8o7zGxV0vv1Ca2DCsi+lQ67rXCwyKRPtmunHDay3O5wucbdj42PuUJ5v4kS X-Received: by 2002:a17:902:e28a:: with SMTP id cf10-v6mr12456311plb.81.1541967919779; Sun, 11 Nov 2018 12:25:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541967919; cv=none; d=google.com; s=arc-20160816; b=0s3f/RjJbn0Y30NiMnUrj+HpU8sBRxJcdIaVphN8+U87UT/lrGn9pU/9r0rGr11KwX wpj6YA62rfoXqrBuhiuOTuCsrCOCwxZGolQNJ25pAgyM53m0wvwtSm6/3QA2E3Q2Npx9 ZilP7gdaV7jFNyXCSEvV1twwaReeuSbMM4x/bRu6jIsYnQ0erSyQdi18wrG73cgw0E8U vWF2rgfq7qM+/nsuQsLry4fThgtPg4g17kyzr265Ot5yfxxokvja2Bcl7IKxFTpW0R5L 2RtFPoK38LizDyspqOnOsnB57L0Qc2fipQd87YdeIr2m5G/n4gHTnJ/lWZN1hNZtkpFv +uPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=Mf8iIIX/EhF4BOciUDH5LksUQHr0qyQqooaz9PLHgRE=; b=oUh1wjWNNKj2/TKcaowN1ldueMeqFvMLY6pR6i9rByWQVH97v7F9qaieNpihXBQv9v pjXwLT4OEL1kM6mwKO6oqxEsyxYc9CD1g6SlzaAIr7W0thYjNU4vbGKPVOTDhUqncaY/ Vv6Llyxu92Uhbt8lwY+QHmNRDUHk9d0O6/T4LMfWxs7GzJNcHwbQ7pbWEj3iTUpv7c5g IP473vVaC0zcZiEKK8AgpcdkHVD/+Q2eis8ZpfhFcwnDAGYboa3r6TY7fdin+RL6ZEdw qafyEDhPxaA40JFELjVqEAMFx15ol69fGI5w2SxDdbV+/n3a3eS0/lTzLil3o1QDWgmj WfkQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 1-v6si15833771plj.146.2018.11.11.12.25.04; Sun, 11 Nov 2018 12:25:19 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730650AbeKLGOH (ORCPT + 99 others); Mon, 12 Nov 2018 01:14:07 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:51100 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730696AbeKLFsa (ORCPT ); Mon, 12 Nov 2018 00:48:30 -0500 Received: from [192.168.4.242] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1gLvsq-0000oG-He; Sun, 11 Nov 2018 19:59:00 +0000 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1gLvsX-0001kG-4T; Sun, 11 Nov 2018 19:58:41 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Arnd Bergmann" , "Theodore Ts'o" Date: Sun, 11 Nov 2018 19:49:05 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 266/366] random: mix rdrand with entropy sent in from userspace In-Reply-To: X-SA-Exim-Connect-IP: 192.168.4.242 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.61-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Theodore Ts'o commit 81e69df38e2911b642ec121dec319fad2a4782f3 upstream. Fedora has integrated the jitter entropy daemon to work around slow boot problems, especially on VM's that don't support virtio-rng: https://bugzilla.redhat.com/show_bug.cgi?id=1572944 It's understandable why they did this, but the Jitter entropy daemon works fundamentally on the principle: "the CPU microarchitecture is **so** complicated and we can't figure it out, so it *must* be random". Yes, it uses statistical tests to "prove" it is secure, but AES_ENCRYPT(NSA_KEY, COUNTER++) will also pass statistical tests with flying colors. So if RDRAND is available, mix it into entropy submitted from userspace. It can't hurt, and if you believe the NSA has backdoored RDRAND, then they probably have enough details about the Intel microarchitecture that they can reverse engineer how the Jitter entropy daemon affects the microarchitecture, and attack its output stream. And if RDRAND is in fact an honest DRNG, it will immeasurably improve on what the Jitter entropy daemon might produce. This also provides some protection against someone who is able to read or set the entropy seed file. Signed-off-by: Theodore Ts'o Cc: Arnd Bergmann Signed-off-by: Ben Hutchings --- drivers/char/random.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1418,14 +1418,22 @@ static int write_pool(struct entropy_store *r, const char __user *buffer, size_t count) { size_t bytes; - __u32 buf[16]; + __u32 t, buf[16]; const char __user *p = buffer; while (count > 0) { + int b, i = 0; + bytes = min(count, sizeof(buf)); if (copy_from_user(&buf, p, bytes)) return -EFAULT; + for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) { + if (!arch_get_random_int(&t)) + break; + buf[i] ^= t; + } + count -= bytes; p += bytes;