Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp5088862ybv;
        Tue, 11 Feb 2020 09:00:00 -0800 (PST)
X-Google-Smtp-Source: APXvYqzrvVG9qJ7DGG8yCy9YzfGyhpRpgi1eV8xhufYBUUt1qTg5FUGzlIJ5yY0h1TU45djpvWcb
X-Received: by 2002:aca:1708:: with SMTP id j8mr3490298oii.166.1581440399965;
        Tue, 11 Feb 2020 08:59:59 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1581440399; cv=none;
        d=google.com; s=arc-20160816;
        b=o7gs2oaziJp8F5L1saQLZlZsS+MA2BPPpcXJia2CX164QYgPWSb0X7IJt982DX/OCQ
         8l8ta1BzASrViMdzMc6A2UvNWeG2PCyEKcmGgYGGzyxjDHTdKkY7BvKG8H0m8QPJINyw
         YwE0+Qh66syRlzPsSW2Tdq1gCN5IDO11MV0ytWMGqR36hvHqojRfNhHX1yadRJp8LeD+
         SbnU/RScCRMi7u6ehPQ3j4rzZeLmd2bnHnY9YOCLaMo6DsVRYqvtIAlchdtXZjLYETEZ
         0YSIpziCe7881u3qu5cLOMyVhJf/lXvDaNxJQSusJM+J9LdSV73y9UU7XZFCoQzkut17
         ar1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=frIXWgmaSd65nBOY50bZoIvuSURGFH0pFDgpFw5ZXqs=;
        b=m4WD0uUNPjtqOOmVo2DsqYilE8fqmJmV/u329nIotAjhRWt5eNbdUY5Cadjq8Rodp3
         X9cpVfJbCL9f0dLmqpSKS6GnXUcfWF6f3durICg+plCxnHdg+ZswUfRPB737yITDpRZE
         2k4ydbMrlyoYicWWhdaH5FgDHtb9f0po40kB3Av29mPm0rPTXcnoAAD1cxxX9WCb/AqI
         LghHINwsrsEZ3HXkyQSUlo+XtcVXk5o5GmXc7iR335Ytye7UMDi3XXfbzURgMtfLPAhD
         DP2HZspE6SmmTWAAxtg9nnpikZ410AAl+7CPh+rom0qOxVOHt+tSbnwXgLvaQKN+TS6h
         jNvA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w4si2310953otl.214.2020.02.11.08.59.48;
        Tue, 11 Feb 2020 08:59:59 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730070AbgBKPIp (ORCPT <rfc822;rajatbajpailinux@gmail.com>
        + 99 others); Tue, 11 Feb 2020 10:08:45 -0500
Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:49440 "EHLO
        outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
        with ESMTP id S1727668AbgBKPIo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 11 Feb 2020 10:08:44 -0500
Received: from callcc.thunk.org (guestnat-104-133-0-101.corp.google.com [104.133.0.101] (may be forged))
        (authenticated bits=0)
        (User authenticated as tytso@ATHENA.MIT.EDU)
        by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 01BF7pYW001934
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Tue, 11 Feb 2020 10:07:52 -0500
Received: by callcc.thunk.org (Postfix, from userid 15806)
        id D3E46420324; Tue, 11 Feb 2020 10:07:50 -0500 (EST)
Date:   Tue, 11 Feb 2020 10:07:50 -0500
From:   "Theodore Y. Ts'o" <tytso@mit.edu>
To:     Mark Brown <broonie@kernel.org>
Cc:     Mark Salyzyn <salyzyn@android.com>, linux-kernel@vger.kernel.org,
        kernel-team@android.com, Arnd Bergmann <arnd@arndb.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Richard Henderson <richard.henderson@linaro.org>,
        Kees Cook <keescook@chromium.org>,
        Hsin-Yi Wang <hsinyi@chromium.org>,
        Vasily Gorbik <gor@linux.ibm.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Masami Hiramatsu <mhiramat@kernel.org>,
        "Steven Rostedt (VMware)" <rostedt@goodmis.org>,
        Mike Rapoport <rppt@linux.ibm.com>,
        Arvind Sankar <nivedita@alum.mit.edu>,
        Dominik Brodowski <linux@dominikbrodowski.net>,
        Thomas Gleixner <tglx@linutronix.de>,
        Alexander Potapenko <glider@google.com>,
        Ard Biesheuvel <ardb@kernel.org>
Subject: Re: [PATCH] random: add rng-seed= command line option
Message-ID: <20200211150750.GA3630@mit.edu>
References: <20200207150809.19329-1-salyzyn@android.com>
 <20200207155828.GB122530@mit.edu>
 <d35bacd4-ba3f-335d-85c4-57e87abd8e9a@android.com>
 <20200208004922.GE122530@mit.edu>
 <20200210121325.GA7685@sirena.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200210121325.GA7685@sirena.org.uk>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Feb 10, 2020 at 12:13:25PM +0000, Mark Brown wrote:
> > The second is that we're treating rng_seed as being magic, and if
> > someone tries to pass in something like rng_seed=0x7932dca76b51
> > because they didn't understand how rng_seed was going to work, it
> > would be surprising.
> 
> We already have a kaslr-seed property on arm64 since we need a seed for
> KASLR *super* early, we could generalize that I guess but it's not clear
> to me that it's a good idea.  One fun thing here is that the kernel
> command line is visible to userspace so we go and erase the seed from
> the command line after reading it.

This is exactly what this patch is doing, in fact (it is erasing the
seed from the command line).

> > My preference would be to pass in the random seed *not* on the
> > command-line at all, but as a separate parameter which is passed to
> > the bootloader, just as we pass in the device-tree, the initrd and the
> > command-line as separate things.  The problem is that how we pass in
> > extra boot parameters is architecture specific, and how we might do it
> > for x86 is different than for arm64.  So yeah, it's a bit more
> > inconvenient to do things that way; but I think it's also much
> > cleaner.
> 
> Anything that requires boot protocol updates is going to be rather
> difficult to deploy for the use it'll likely get - as far as I can see
> we're basically just talking about the cases where there's some entropy
> source available to the bootloader that the kernel can't get at
> directly.  With the arm64 kaslr-seed it's not clear that people are
> feeding actual entropy in there, they could be using something like the
> device serial number to give different layouts on different devices even
> if they can't get any useful entropy for boot to boot variation.

So here's one thing we could do; we could require something like:

rng_seed=<nr_bits>,<base-64 encoded string of 32 bytes>

... where the kernel parses rng_seed, and errors out if nr_bits is
greater than 256, and errors out if the base-64 encoded string is not
valid, and then replaces it with the SHA-256 hash of the rng seed,
base-64 encoded.

That way if there is a crappy handset which is just encoding the
device serial number, it becomes painfully obvious that someone is
cheating.

Is that overkill?  Well, from my perspective, we're talking about an
industry that was willing to turn the CPU thermal safety limits when
certain benchmark applications were detected to be running, just to
gain a commercial advantage.  So trust doesn't come easily to me, when
it comes to corporate desires of expediency.  :-)

	       	     	     	  	    - Ted