Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp4194226ybv; Mon, 10 Feb 2020 14:21:32 -0800 (PST) X-Google-Smtp-Source: APXvYqxr5V+a4+bO+kBe0aialhs7FRvZWu0bLkZ+a48sWO2tDAL6q8tXhbo9fTCWKUHXTX2L27ic X-Received: by 2002:aca:530e:: with SMTP id h14mr861325oib.105.1581373292344; Mon, 10 Feb 2020 14:21:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581373292; cv=none; d=google.com; s=arc-20160816; b=V1i3XPrTz2H+rSxqfJ2SX/cTCDwyLTdS7qQ03dcsLE19N7lcvljpTSAQZCf9ZmELZE N+WWs4Ee5LVdIPUQi2O28o+0LtkeXF612MJ55hF87Sjh5vQaO4RdzLE+P4vV7tbjPFw8 nswmrbSqbMDbWhyCQWAtcwuuvL6QC5vF5X63vEBrx5ZTjxlHYw/UIFHs9V90bhn4hCQK S6LbcNSpCK//Yq+bCMkkwUJpiEAcLm1Pbpj2ut9pbus/b8w4TcyxUnGb2q3XwUkIRmac kySp7r49PFBUTi+V0+Eqlsp/YO8t6YdcNuAVDsqA0UJJAhGZJ6192y7BplC933IsJTmm Uugg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=W4+bXOYA7di4EtSAPlqTcU8yDs9ZmyX+rKNZ6zxUfJM=; b=u415TVmxDL/2y+V5K1imYDS2d0wZgiNIbJWJL3+ezYLVKVjOeZrnnrv6bckqC/4xdB ztScuIypVO6EUgcPW7SDl/ERKF+Nzt4b6ewH2GWJ5sYXc8Ih61VkQMK+1SQTc+fbIIss AWKD4cdWf8UBduS/rsaedLJJTQJSilI8Y+8LsLBcCEY4ZrMoF4BOtDpjKgKMacB2jo20 ZaVy9ZtRsT10vwzt8A8oPZMeSqxwAsi4VIPxSTvjs20D8E/EQJg+IaK6P4YXZ2E4UCUE 9/4desHHR3bqODnhiGlLnugMKkSJ8C2AZ8YfZv5uLv0Q+qIIfw1Fn6w2kOtd2ZkbBHeE wSFA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@android.com header.s=20161025 header.b=bDHwf3XH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=android.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s11si793096oic.57.2020.02.10.14.21.20; Mon, 10 Feb 2020 14:21:32 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@android.com header.s=20161025 header.b=bDHwf3XH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=android.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727452AbgBJWTg (ORCPT + 99 others); Mon, 10 Feb 2020 17:19:36 -0500 Received: from mail-pg1-f194.google.com ([209.85.215.194]:37080 "EHLO mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727254AbgBJWTf (ORCPT ); Mon, 10 Feb 2020 17:19:35 -0500 Received: by mail-pg1-f194.google.com with SMTP id z12so4638682pgl.4 for ; Mon, 10 Feb 2020 14:19:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=android.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=W4+bXOYA7di4EtSAPlqTcU8yDs9ZmyX+rKNZ6zxUfJM=; b=bDHwf3XHXyXL++azeW+mtkWbAkHjfstlK28gQAT8IcD+XRHkVP9wJ57RA131g+giRf 1NXN/7TIJqONaT01x4mlS1N90gZtUfZwBV1zlZ3r7/qXXCeJcs8m2+pdAiWiJwFnqqYO Ilht536LJyDnv/UngbGHjMJVlqplBcpNfdXzPaCWO6k5nJeTdCxFVUqDh7nxknhlyXaT taxFN33U9M19g1wb3/mOk1vn0oqJ9vD2dJtXiGFKDV+7wZAhidfJ4slSM/vENT8Z8S1s yoKcivrtLBfl/CXH2I+FwFNSHsfeU97ipNaQn/Jz7jS3AOq6v7TP8JAQYrcRW9AdI7yP 2iHA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=W4+bXOYA7di4EtSAPlqTcU8yDs9ZmyX+rKNZ6zxUfJM=; b=ZMj8k7UY8UOKrtDxxWRq7BjFXPCP9MMELy7JUSYbTP/tMZ+iNdkZe0rrkFZ0T4qNmw qcHr38eQxFwgxDZ3N6Y6IFRdkWKcBG2NZAuvNkqXj+HXjcFhibKubCgcdViKy8400gd/ yAgFvuNslAj36ZnoFn4JIaA7dXvby42/ydM+f/agU7jPcPKwCY5A/Die3Q36rgiQW38I XZYmrWQ2LXTPGVbYzMcdoqsBuxmk4OpJdIdsP5C3rS25eSoB+aELDpmAG4810xded1Bm 4ArFxkzVCS+YBAxV5hQg8WQR9yk3LRh5ryj5oJuSeHLfodztFGvGstXcJoaRbAIshlfm 3m+g== X-Gm-Message-State: APjAAAW8L9V0TuSdkuHmsqZ+N87vkETJ9fttDqp9DPUMUhh1/uzJYEYN w3IhXfWV70M8v4fudjvEPaN4lkSVKu8= X-Received: by 2002:a63:2f04:: with SMTP id v4mr3702404pgv.33.1581373174335; Mon, 10 Feb 2020 14:19:34 -0800 (PST) Received: from nebulus.mtv.corp.google.com ([2620:15c:211:200:5404:91ba:59dc:9400]) by smtp.gmail.com with ESMTPSA id f81sm1323393pfa.118.2020.02.10.14.19.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 Feb 2020 14:19:33 -0800 (PST) From: Mark Salyzyn To: linux-kernel@vger.kernel.org Cc: kernel-team@android.com, Mark Salyzyn , "Theodore Ts'o" , Arnd Bergmann , Greg Kroah-Hartman , Richard Henderson , Mark Brown , Kees Cook , Hsin-Yi Wang , Vasily Gorbik , Andrew Morton , Masami Hiramatsu , "Steven Rostedt (VMware)" , Mike Rapoport , Arvind Sankar , Dominik Brodowski , Thomas Gleixner , Alexander Potapenko , Jonathan Corbet , Mauro Carvalho Chehab , Josh Poimboeuf , Pawan Gupta , Juergen Gross , Rob Herring , linux-doc@vger.kernel.org Subject: [PATCH 4/4 v3] random: add rng-seed= command line option Date: Mon, 10 Feb 2020 14:19:16 -0800 Message-Id: <20200210221925.43533-1-salyzyn@android.com> X-Mailer: git-send-email 2.25.0.341.g760bfbb309-goog In-Reply-To: <4bd0d1cb-44cb-d02e-6aac-2b2cfce52eba@infradead.org> References: <20200207150809.19329-1-salyzyn@android.com> <202002070850.BD92BDCA@keescook> <20200207155828.GB122530@mit.edu> <20200210144512.180348-5-salyzyn@android.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org A followup to commit 428826f5358c922dc378830a1717b682c0823160 ("fdt: add support for rng-seed") to extend what was started with Open Firmware (OF or Device Tree) parsing, but also add it to the command line. If CONFIG_RANDOM_TRUST_BOOTLOADER is set, then feed the rng-seed command line option length as added trusted entropy. Always erase view of the rng-seed option, except our early command line parsing, to prevent leakage to applications or modules, to eliminate any attack vector. It is preferred to add rng-seed to the Device Tree, but some platforms do not have this option, so this adds the ability to provide some command-line-limited data to the entropy through this alternate mechanism. Expect on average 6 bits of useful entropy per character. Signed-off-by: Mark Salyzyn Cc: linux-kernel@vger.kernel.org Cc: kernel-team@android.com Cc: "Theodore Ts'o" Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Cc: Richard Henderson Cc: Mark Brown Cc: Kees Cook Cc: Hsin-Yi Wang Cc: Vasily Gorbik Cc: Andrew Morton Cc: Masami Hiramatsu Cc: "Steven Rostedt (VMware)" Cc: Mike Rapoport Cc: Arvind Sankar Cc: Dominik Brodowski Cc: Thomas Gleixner Cc: Alexander Potapenko --- v3 - Add Documentation (all other new v2 patches unchanged) v2 - Split into four bite sized patches. - Correct spelling in commit message. - rng-seed is assumed to be utf-8, so correct both to 6 bits/character of collected entropy. - Move entropy collection to a static __always_inline helper function. --- .../admin-guide/kernel-parameters.txt | 11 +++ drivers/char/random.c | 8 ++ include/linux/random.h | 5 ++ init/main.c | 88 +++++++++++++++---- 4 files changed, 95 insertions(+), 17 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index dbc22d6846275..f3c373cc40f9a 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4334,6 +4334,17 @@ [KNL] Disable ring 3 MONITOR/MWAIT feature on supported CPUs. + rng-seed= [KNL] Provide a trusted seed for the kernel's CRNG. + Seed only trusted if CONFIG_RANDOM_TRUST_BOOTLOADER. + After collection, this option is wiped from the command + line views. The seed is given a weight of 6 bits per + character with the assumption that it is a printable + utf8 string. It is expected that the supplier of the + seed, typically a bootloader or virtualization, will + supply a new random seed for each kernel instance. + A fixed serial number is typically not appropriate + for security features like ASLR. + ro [KNL] Mount root device read-only on boot rodata= [KNL] diff --git a/drivers/char/random.c b/drivers/char/random.c index ee21a6a584b15..83c77306e18e7 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -2311,3 +2311,11 @@ void add_bootloader_randomness(const void *buf, unsigned int size) add_device_randomness(buf, size); } EXPORT_SYMBOL_GPL(add_bootloader_randomness); + +#if defined(CONFIG_RANDOM_TRUST_BOOTLOADER) +/* caller called add_device_randomness, but it is from a trusted source */ +void __init credit_trusted_entropy_bits(unsigned int nbits) +{ + credit_entropy_bits(&input_pool, nbits); +} +#endif diff --git a/include/linux/random.h b/include/linux/random.h index d319f9a1e4290..efe8cbe2255ab 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -20,6 +20,11 @@ struct random_ready_callback { extern void add_device_randomness(const void *, unsigned int); extern void add_bootloader_randomness(const void *, unsigned int); +#if defined(CONFIG_RANDOM_TRUST_BOOTLOADER) +extern void __init credit_trusted_entropy_bits(unsigned int nbits); +#else +static inline void credit_trusted_entropy_bits(unsigned int nbits) {} +#endif #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__) static inline void add_latent_entropy(void) diff --git a/init/main.c b/init/main.c index 9f4ce0356057e..ad52f03fb8de4 100644 --- a/init/main.c +++ b/init/main.c @@ -524,6 +524,31 @@ static inline void smp_prepare_cpus(unsigned int maxcpus) { } * parsing is performed in place, and we should allow a component to * store reference of name/value for future reference. */ +static const char rng_seed_str[] __initconst = "rng-seed="; +/* try to clear rng-seed so it won't be found by user applications. */ +static void __init copy_command_line(char *dest, char *src, size_t r) +{ + char *rng_seed = strnstr(src, rng_seed_str, r); + + if (rng_seed) { + size_t l = rng_seed - src; + char *end; + + memcpy(dest, src, l); + dest += l; + src = rng_seed + strlen(rng_seed_str); + r -= l + strlen(rng_seed_str); + end = strnchr(src, r, ' '); + if (end) { + if (l && rng_seed[-1] == ' ') + ++end; + r -= end - src; + src = end; + } + } + strlcpy(dest, src, r); +} + static const char alloc_fail_msg[] __initconst = "%s: Failed to allocate %zu bytes\n"; static void __init setup_command_line(char *command_line) @@ -552,11 +577,15 @@ static void __init setup_command_line(char *command_line) * lines because there could be dashes (separator of init * command line) in the command lines. */ - strcpy(saved_command_line, extra_command_line); - strcpy(static_command_line, extra_command_line); + copy_command_line(saved_command_line, extra_command_line, + xlen + 1); + copy_command_line(static_command_line, extra_command_line, + xlen + 1); } - strlcpy(saved_command_line + xlen, boot_command_line, len - xlen); - strcpy(static_command_line + xlen, command_line); + copy_command_line(saved_command_line + xlen, boot_command_line, + len - xlen); + copy_command_line(static_command_line + xlen, command_line, + len - xlen); if (ilen) { /* @@ -572,7 +601,8 @@ static void __init setup_command_line(char *command_line) } else saved_command_line[len++] = ' '; - strcpy(saved_command_line + len, extra_init_args); + copy_command_line(saved_command_line + len, extra_init_args, + ilen - strlen(argsep_str) + 1); } } @@ -757,6 +787,41 @@ void __init __weak arch_call_rest_init(void) rest_init(); } +static __always_inline void __init collect_entropy(const char *command_line) +{ + /* + * For best initial stack canary entropy, prepare it after: + * - setup_arch() for any UEFI RNG entropy and boot cmdline access + * - timekeeping_init() for ktime entropy used in rand_initialize() + * - rand_initialize() to get any arch-specific entropy like RDRAND + * - add_latent_entropy() to get any latent entropy + * - adding command line entropy + */ + rand_initialize(); + add_latent_entropy(); + add_device_randomness(command_line, strlen(command_line)); + if (IS_BUILTIN(CONFIG_RANDOM_TRUST_BOOTLOADER)) { + /* + * Added command line device randomness above, + * now add entropy credit for just rng-seed= + */ + size_t l = strlen(command_line); + char *rng_seed = strnstr(command_line, rng_seed_str, l); + + if (rng_seed) { + char *end; + + rng_seed += strlen(rng_seed_str); + l -= rng_seed - command_line; + end = strnchr(rng_seed, l, ' '); + if (end) + l = end - rng_seed; + credit_trusted_entropy_bits(l * 6); + } + } + boot_init_stack_canary(); +} + asmlinkage __visible void __init start_kernel(void) { char *command_line; @@ -868,18 +933,7 @@ asmlinkage __visible void __init start_kernel(void) softirq_init(); timekeeping_init(); - /* - * For best initial stack canary entropy, prepare it after: - * - setup_arch() for any UEFI RNG entropy and boot cmdline access - * - timekeeping_init() for ktime entropy used in rand_initialize() - * - rand_initialize() to get any arch-specific entropy like RDRAND - * - add_latent_entropy() to get any latent entropy - * - adding command line entropy - */ - rand_initialize(); - add_latent_entropy(); - add_device_randomness(command_line, strlen(command_line)); - boot_init_stack_canary(); + collect_entropy(command_line); time_init(); printk_safe_init(); -- 2.25.0.341.g760bfbb309-goog