Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Date:   Fri, 7 Feb 2020 09:28:27 -0800
From:   Kees Cook <keescook@chromium.org>
To:     Mark Salyzyn <salyzyn@android.com>
Cc:     linux-kernel@vger.kernel.org, kernel-team@android.com,
        Theodore Ts'o <tytso@mit.edu>, Arnd Bergmann <arnd@arndb.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Richard Henderson <richard.henderson@linaro.org>,
        Mark Brown <broonie@kernel.org>,
        Hsin-Yi Wang <hsinyi@chromium.org>,
        Vasily Gorbik <gor@linux.ibm.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Masami Hiramatsu <mhiramat@kernel.org>,
        "Steven Rostedt (VMware)" <rostedt@goodmis.org>,
        Mike Rapoport <rppt@linux.ibm.com>,
        Arvind Sankar <nivedita@alum.mit.edu>,
        Dominik Brodowski <linux@dominikbrodowski.net>,
        Thomas Gleixner <tglx@linutronix.de>,
        Alexander Potapenko <glider@google.com>
Subject: Re: [PATCH] random: add rng-seed= command line option
Message-ID: <202002070850.BD92BDCA@keescook>
References: <20200207150809.19329-1-salyzyn@android.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200207150809.19329-1-salyzyn@android.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Fri, Feb 07, 2020 at 07:07:59AM -0800, Mark Salyzyn wrote:
> +#if defined(CONFIG_RANDOM_TRUST_BOOTLOADER)
> +/* caller called add_device_randomness, but it is from a trusted source */
> +void __init credit_trusted_entropy(unsigned int size)
> +{
> +	credit_entropy_bits(&input_pool, size * 8);
> +}
> +#endif

As Ted already mentioned, I was expecting the string contents to actually
get added somewhere. Is the idea that it's already been added via the
add_device_randomness(command_line) call, and you just want to explicitly
credit those bytes? If so, that deserves a comment, and I think it should
likely not use 8 bits per character, as that's not how many bits are
possible for an alphanumeric string character; I would expect 6 bits (~32
standard letter/number) -- this likely needs fixing in the fdt patch too.

> diff --git a/include/linux/random.h b/include/linux/random.h
> index d319f9a1e4290..1e09eeadc613c 100644
> --- a/include/linux/random.h
> +++ b/include/linux/random.h
> @@ -20,6 +20,11 @@ struct random_ready_callback {
>  
>  extern void add_device_randomness(const void *, unsigned int);
>  extern void add_bootloader_randomness(const void *, unsigned int);
> +#if defined(CONFIG_RANDOM_TRUST_BOOTLOADER)
> +extern void __init credit_trusted_entropy(unsigned int b);
> +#else
> +static inline void credit_trusted_entropy(unsigned int b) {}
> +#endif
>  
>  #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
>  static inline void add_latent_entropy(void)
> diff --git a/init/main.c b/init/main.c
> index cc0ee4873419c..ae976b2dea5dc 100644
> --- a/init/main.c
> +++ b/init/main.c
> @@ -524,24 +524,53 @@ static inline void smp_prepare_cpus(unsigned int maxcpus) { }
>   * parsing is performed in place, and we should allow a component to
>   * store reference of name/value for future reference.
>   */
> +static const char rng_seed_str[] __initconst = "rng-seed=";
> +/* try to clear rng-seed so it won't be found by user applications. */
> +static void __init copy_command_line(char *dest, char *src, size_t r)
> +{
> +	char *rng_seed = strnstr(src, rng_seed_str, r);
> +
> +	if (rng_seed) {
> +		size_t l = rng_seed - src;
> +		char *end;
> +
> +		memcpy(dest, src, l);
> +		dest += l;
> +		src = rng_seed + strlen(rng_seed_str);
> +		r -= l + strlen(rng_seed_str);
> +		end = strnchr(src, r, ' ');
> +		if (end) {
> +			if (l && rng_seed[-1] == ' ')
> +				++end;
> +			r -= end - src;
> +			src = end;
> +		}
> +	}
> +	memcpy(dest, src, r);
> +	dest[r] = '\0';
> +}
> +
>  static void __init setup_command_line(char *command_line)
>  {
>  	size_t len, xlen = 0, ilen = 0;
> +	static const char argsep_str[] __initconst = " -- ";
> +	static const char alloc_fail_msg[] __initconst =
> +		"%s: Failed to allocate %zu bytes\n";

There's some refactoring in this patch unrelated to the seed logic. Can
you split that out? (I think these changes are good.)

>  
>  	if (extra_command_line)
>  		xlen = strlen(extra_command_line);

Unrelated note: whoa this is based on linux-next which has a massive
change to the boot command line handling and appears to be doing some
bad things. I need to go find that thread...

>  	if (extra_init_args)
> -		ilen = strlen(extra_init_args) + 4; /* for " -- " */
> +		ilen = strlen(extra_init_args) + strlen(argsep_str);
>  
> -	len = xlen + strlen(boot_command_line) + 1;
> +	len = xlen + strnlen(boot_command_line, sizeof(boot_command_line)) + 1;
>  
>  	saved_command_line = memblock_alloc(len + ilen, SMP_CACHE_BYTES);
>  	if (!saved_command_line)
> -		panic("%s: Failed to allocate %zu bytes\n", __func__, len + ilen);
> +		panic(alloc_fail_msg, __func__, len + ilen);
>  
>  	static_command_line = memblock_alloc(len, SMP_CACHE_BYTES);
>  	if (!static_command_line)
> -		panic("%s: Failed to allocate %zu bytes\n", __func__, len);
> +		panic(alloc_fail_msg, __func__, len);
>  
>  	if (xlen) {
>  		/*
> @@ -549,11 +578,14 @@ static void __init setup_command_line(char *command_line)
>  		 * lines because there could be dashes (separator of init
>  		 * command line) in the command lines.
>  		 */
> -		strcpy(saved_command_line, extra_command_line);
> -		strcpy(static_command_line, extra_command_line);
> +		copy_command_line(saved_command_line, extra_command_line, xlen);
> +		copy_command_line(static_command_line, extra_command_line,
> +				  xlen);
>  	}
> -	strcpy(saved_command_line + xlen, boot_command_line);
> -	strcpy(static_command_line + xlen, command_line);
> +	copy_command_line(saved_command_line + xlen, boot_command_line,
> +			  len - xlen - 1);
> +	copy_command_line(static_command_line + xlen, command_line,
> +			  len - xlen - 1);
>  
>  	if (ilen) {
>  		/*
> @@ -562,13 +594,15 @@ static void __init setup_command_line(char *command_line)
>  		 * to init.
>  		 */
>  		len = strlen(saved_command_line);
> -		if (!strstr(boot_command_line, " -- ")) {
> -			strcpy(saved_command_line + len, " -- ");
> -			len += 4;
> +		if (!strnstr(boot_command_line, argsep_str,
> +			     sizeof(boot_command_line))) {
> +			strcpy(saved_command_line + len, argsep_str);
> +			len += strlen(argsep_str);
>  		} else
>  			saved_command_line[len++] = ' ';
>  
> -		strcpy(saved_command_line + len, extra_init_args);
> +		copy_command_line(saved_command_line + len, extra_init_args,
> +				  ilen - strlen(argsep_str));
>  	}
>  }
>  
> @@ -875,6 +909,21 @@ asmlinkage __visible void __init start_kernel(void)
>  	rand_initialize();
>  	add_latent_entropy();
>  	add_device_randomness(command_line, strlen(command_line));
> +	if (IS_BUILTIN(CONFIG_RANDOM_TRUST_BOOTLOADER)) {
> +		size_t l = strlen(command_line);
> +		char *rng_seed = strnstr(command_line, rng_seed_str, l);
> +
> +		if (rng_seed) {
> +			char *end;
> +
> +			rng_seed += strlen(rng_seed_str);
> +			l -= rng_seed - command_line;
> +			end = strnchr(rng_seed, l, ' ');
> +			if (end)
> +				l = end - rng_seed;
> +			credit_trusted_entropy(l);
> +		}
> +	}

Can you pull this out of line and write a new static help that does all
of the rng stuff here? Basically from rand_initialize() through
boot_init_stack_canary(), so it's all in one place and not "open coded"
in start_kernel(). (And then, actually, you don't need a separate
credit_trusted_entropy() function at all -- just call
credit_entropy_bits() directly there (and add a comment about the
command line already getting added).

>  	boot_init_stack_canary();
>  
>  	time_init();
> -- 
> 2.25.0.341.g760bfbb309-goog
> 

-- 
Kees Cook