Date: Mon, 10 Feb 2020 12:13:25 +0000
From: Mark Brown
To: "Theodore Y. Ts'o"
Cc: Mark Salyzyn, linux-kernel@vger.kernel.org, kernel-team@android.com, Arnd Bergmann, Greg Kroah-Hartman, Richard Henderson, Kees Cook, Hsin-Yi Wang, Vasily Gorbik, Andrew Morton, Masami Hiramatsu, "Steven Rostedt (VMware)", Mike Rapoport, Arvind Sankar, Dominik Brodowski, Thomas Gleixner, Alexander Potapenko, Ard Biesheuvel
Subject: Re: [PATCH] random: add rng-seed= command line option
Message-ID: <20200210121325.GA7685@sirena.org.uk>
References: <20200207150809.19329-1-salyzyn@android.com> <20200207155828.GB122530@mit.edu> <20200208004922.GE122530@mit.edu>
In-Reply-To: <20200208004922.GE122530@mit.edu>

On Fri, Feb 07, 2020 at 07:49:22PM -0500, Theodore Y. Ts'o wrote:

> "add_device_randomness()" and so what this commit is doing is simply
> counting the length of xxx in "rng_seed=xxx" and assuming that those
> bytes are 100% entropy and simply crediting the trusted entropy by
> length of xxx. If xxx happened to be a hex string, or worse, was

That'd been what I'd initially read the commit message as saying :/

> The second is that we're treating rng_seed as being magic, and if
> someone tries to pass in something like rng_seed=0x7932dca76b51
> because they didn't understand how rng_seed was going to work, it
> would be surprising.

We already have a kaslr-seed property on arm64 since we need a seed for KASLR *super* early, we could generalize that I guess but it's not clear to me that it's a good idea. One fun thing here is that the kernel command line is visible to userspace so we go and erase the seed from the command line after reading it.

> My preference would be to pass in the random seed *not* on the
> command-line at all, but as a separate parameter which is passed to
> the bootloader, just as we pass in the device-tree, the initrd and the
> command-line as separate things. The problem is that how we pass in
> extra boot parameters is architecture specific, and how we might do it
> for x86 is different than for arm64. So yeah, it's a bit more
> inconvenient to do things that way; but I think it's also much
> cleaner.

Anything that requires boot protocol updates is going to be rather difficult to deploy for the use it'll likely get - as far as I can see we're basically just talking about the cases where there's some entropy source available to the bootloader that the kernel can't get at directly. With the arm64 kaslr-seed it's not clear that people are feeding actual entropy in there, they could be using something like the device serial number to give different layouts on different devices even if they can't get any useful entropy for boot to boot variation.
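
The two points raised in this message, credit counted by string length and erasing the seed from the userspace-visible command line after reading it, shown as an added userspace illustration; this is not kernel code and not part of the patch under discussion. `find_seed`, `consume_seed` and `struct seed_info` are hypothetical names, the command line is constructed, and overwriting with spaces is an assumption about how the erase could be done.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this illustration; not a kernel structure. */
struct seed_info {
    size_t naive_bits; /* credit if every byte counts as 8 bits of entropy */
    size_t bound_bits; /* upper bound implied by the alphabet actually used */
};

/* Find the value of "rng-seed=" where it starts a space-separated token. */
static char *find_seed(char *cmdline)
{
    static const char key[] = "rng-seed=";
    char *p = cmdline;
    while ((p = strstr(p, key)) != NULL) {
        if (p == cmdline || p[-1] == ' ')
            return p + strlen(key);
        p += strlen(key);
    }
    return NULL;
}

/* Measure the seed, then blank it in place. Returns -1 if there is none. */
int consume_seed(char *cmdline, struct seed_info *out)
{
    char *val = find_seed(cmdline);
    size_t n, i, start;
    if (!val)
        return -1;
    n = strcspn(val, " ");
    /* Skip an optional 0x prefix; a hex digit carries at most 4 bits. */
    start = (n >= 2 && val[0] == '0' && (val[1] == 'x' || val[1] == 'X')) ? 2 : 0;
    for (i = start; i < n && isxdigit((unsigned char)val[i]); i++)
        ;
    out->naive_bits = n * 8;
    out->bound_bits = (i == n && n > start) ? (n - start) * 4 : n * 8;
    memset(val, ' ', n); /* spaces keep the following parameters parseable */
    return 0;
}

int main(void)
{
    char cmdline[] = "console=ttyS0 rng-seed=0x7932dca76b51 quiet"; /* constructed */
    struct seed_info si;
    if (consume_seed(cmdline, &si) == 0)
        printf("naive=%zu bound=%zu [%s]\n", si.naive_bits, si.bound_bits, cmdline);
    return 0;
}
```

For the `0x7932dca76b51` value from the quoted text, length-based credit is more than twice what twelve hex digits can possibly carry, and the bound says nothing about whether the digits were random in the first place.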