From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Theodore Tso, Dominik Brodowski, Eric Biggers, "Jason A. Donenfeld"
Subject: [PATCH 5.17 018/111] random: use hash function for crng_slow_load()
Date: Fri, 27 May 2022 10:48:50 +0200
Message-Id: <20220527084821.857162460@linuxfoundation.org>
In-Reply-To: <20220527084819.133490171@linuxfoundation.org>
References: <20220527084819.133490171@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: "Jason A. Donenfeld"

commit 66e4c2b9541503d721e936cc3898c9f25f4591ff upstream.

Since we have a hash function that's really fast, and the goal of
crng_slow_load() is reportedly to "touch all of the crng's state", we
can just hash the old state together with the new state and call it a
day. This way we don't need to reason about another LFSR or worry about
various attacks there. This code is only ever used at early boot and
then never again.

Cc: Theodore Ts'o
Reviewed-by: Dominik Brodowski
Reviewed-by: Eric Biggers
Signed-off-by: Jason A. Donenfeld
Signed-off-by: Greg Kroah-Hartman
---
 drivers/char/random.c | 40 ++++++++++++++--------------------------
 1 file changed, 14 insertions(+), 26 deletions(-)
--- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -477,42 +477,30 @@ static size_t crng_fast_load(const u8 *c * all), and (2) it doesn't have the performance constraints of * crng_fast_load(). * - * So we do something more comprehensive which is guaranteed to touch - * all of the primary_crng's state, and which uses a LFSR with a - * period of 255 as part of the mixing algorithm. Finally, we do - * *not* advance crng_init_cnt since buffer we may get may be something - * like a fixed DMI table (for example), which might very well be - * unique to the machine, but is otherwise unvarying. + * So, we simply hash the contents in with the current key. Finally, + * we do *not* advance crng_init_cnt since buffer we may get may be + * something like a fixed DMI table (for example), which might very + * well be unique to the machine, but is otherwise unvarying. */ -static int crng_slow_load(const u8 *cp, size_t len) +static void crng_slow_load(const u8 *cp, size_t len) { unsigned long flags; - static u8 lfsr = 1; - u8 tmp; - unsigned int i, max = sizeof(base_crng.key); - const u8 *src_buf = cp; - u8 *dest_buf = base_crng.key; + struct blake2s_state hash; + + blake2s_init(&hash, sizeof(base_crng.key)); if (!spin_trylock_irqsave(&base_crng.lock, flags)) - return 0; + return; if (crng_init != 0) { spin_unlock_irqrestore(&base_crng.lock, flags); - return 0; + return; } - if (len > max) - max = len; - for (i = 0; i < max; i++) { - tmp = lfsr; - lfsr >>= 1; - if (tmp & 1) - lfsr ^= 0xE1; - tmp = dest_buf[i % sizeof(base_crng.key)]; - dest_buf[i % sizeof(base_crng.key)] ^= src_buf[i % len] ^ lfsr; - lfsr += (tmp << 3) | (tmp >> 5); - } + blake2s_update(&hash, base_crng.key, sizeof(base_crng.key)); + blake2s_update(&hash, cp, len); + blake2s_final(&hash, base_crng.key); + spin_unlock_irqrestore(&base_crng.lock, flags); - return 1; } static void crng_reseed(void)
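Review bot: the new body passes sizeof(base_crng.key) to blake2s_init() and then has blake2s_final() write that many bytes back into base_crng.key; BLAKE2s can emit at most 32 bytes, so this is only correct while the key stays 32 bytes wide. A BUILD_BUG_ON(sizeof(base_crng.key) > BLAKE2S_HASH_SIZE) next to the blake2s_init() call would turn a future key-size change into a compile-time failure instead of a run-time surprise. Two smaller points: with the return type now void, the spin_trylock_irqsave() failure path drops the input with no signal to the caller; the diffstat lists only this file and this hunk, so no caller was consuming the old 0/1 result, which is consistent. And the reworded comment carries over "since buffer we may get may be"; "since the buffer we get may be" reads better.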
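The mixing step the commit message describes, as an added example that is not part of the patch or of the kernel: a userspace model in C of the new crng_slow_load() body, new key = BLAKE2s(old key || input) with the output sized to the key. The blake2s_* functions here are a compact implementation written for this example from RFC 7693 (checked against the RFC's BLAKE2s-256("abc") vector), not lib/crypto/blake2s.c; crng_slow_load_model(), blake2s_outlen_ok(), the 32-byte CRNG_KEY_SIZE and the DMI-like input string are assumptions constructed for the demonstration. The demo checks what the change relies on: the result depends on every bit of the previous key, feeding the same unvarying buffer a second time still moves the key, and an output length above 32 is rejected by init, which is the hidden coupling between sizeof(base_crng.key) and the hash.

```c
/* Added example (not kernel code): userspace model of the patched crng_slow_load(),
 * key = BLAKE2s(old key || input), with a compact RFC 7693 BLAKE2s underneath. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BLAKE2S_BLOCK_SIZE 64
#define BLAKE2S_HASH_SIZE  32
#define CRNG_KEY_SIZE      32   /* assumption: a 32-byte ChaCha key, as base_crng.key is */
struct blake2s_state { uint32_t h[8], t[2]; uint8_t buf[BLAKE2S_BLOCK_SIZE]; size_t buflen, outlen; };
static const uint32_t iv[8] = { 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                                0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19 };
static const uint8_t sigma[10][16] = {
    { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14,15}, {14,10, 4, 8, 9,15,13, 6, 1,12, 0, 2,11, 7, 5, 3},
    {11, 8,12, 0, 5, 2,15,13,10,14, 3, 6, 7, 1, 9, 4}, { 7, 9, 3, 1,13,12,11,14, 2, 6, 5,10, 4, 0,15, 8},
    { 9, 0, 5, 7, 2, 4,10,15,14, 1,11,12, 6, 8, 3,13}, { 2,12, 6,10, 0,11, 8, 3, 4,13, 7, 5,15,14, 1, 9},
    {12, 5, 1,15,14,13, 4,10, 0, 7, 6, 3, 9, 2, 8,11}, {13,11, 7,14,12, 1, 3, 9, 5, 0,15, 4, 8, 6, 2,10},
    { 6,15,14, 9,11, 3, 0, 8,12, 2,13, 7, 1, 4,10, 5}, {10, 2, 8, 4, 7, 6, 1, 5,15,11, 9,14, 3,12,13, 0},
};
static uint32_t rotr32(uint32_t x, int n) { return (x >> n) | (x << (32 - n)); }
static uint32_t load32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wipe(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }   /* memzero_explicit stand-in */
#define G(a, b, c, d, x, y) do { \
    v[a] += v[b] + (x); v[d] = rotr32(v[d] ^ v[a], 16); v[c] += v[d]; v[b] = rotr32(v[b] ^ v[c], 12); \
    v[a] += v[b] + (y); v[d] = rotr32(v[d] ^ v[a], 8);  v[c] += v[d]; v[b] = rotr32(v[b] ^ v[c], 7); } while (0)

/* Compress one 64-byte block; inc = bytes of real data in it, last = final-block flag. */
static void blake2s_compress(struct blake2s_state *s, const uint8_t *blk, uint32_t inc, int last)
{
    uint32_t m[16], v[16];
    s->t[0] += inc; s->t[1] += (s->t[0] < inc);                 /* 64-bit byte counter */
    for (int i = 0; i < 16; i++) m[i] = load32(blk + 4 * i);
    for (int i = 0; i < 8; i++) { v[i] = s->h[i]; v[i + 8] = iv[i]; }
    v[12] ^= s->t[0]; v[13] ^= s->t[1]; if (last) v[14] = ~v[14];
    for (int r = 0; r < 10; r++) {
        const uint8_t *sg = sigma[r];
        G(0, 4,  8, 12, m[sg[0]],  m[sg[1]]);  G(1, 5,  9, 13, m[sg[2]],  m[sg[3]]);
        G(2, 6, 10, 14, m[sg[4]],  m[sg[5]]);  G(3, 7, 11, 15, m[sg[6]],  m[sg[7]]);
        G(0, 5, 10, 15, m[sg[8]],  m[sg[9]]);  G(1, 6, 11, 12, m[sg[10]], m[sg[11]]);
        G(2, 7,  8, 13, m[sg[12]], m[sg[13]]); G(3, 4,  9, 14, m[sg[14]], m[sg[15]]);
    }
    for (int i = 0; i < 8; i++) s->h[i] ^= v[i] ^ v[i + 8];
}
/* Unkeyed init; outlen > 32 is rejected, which is why passing sizeof(base_crng.key) only works for a 32-byte key. */
static int blake2s_init(struct blake2s_state *s, size_t outlen)
{
    if (outlen == 0 || outlen > BLAKE2S_HASH_SIZE) return -1;
    memset(s, 0, sizeof(*s)); memcpy(s->h, iv, sizeof(iv));
    s->h[0] ^= 0x01010000 ^ (uint32_t)outlen;                    /* parameter block: fanout=depth=1, no key */
    s->outlen = outlen; return 0;
}
static void blake2s_update(struct blake2s_state *s, const uint8_t *in, size_t len)
{
    while (len > 0) {
        if (s->buflen == BLAKE2S_BLOCK_SIZE) {                  /* full and more data follows: not the last block */
            blake2s_compress(s, s->buf, BLAKE2S_BLOCK_SIZE, 0); s->buflen = 0; }
        size_t n = BLAKE2S_BLOCK_SIZE - s->buflen; if (n > len) n = len;
        memcpy(s->buf + s->buflen, in, n);
        s->buflen += n; in += n; len -= n;
    }
}
static void blake2s_final(struct blake2s_state *s, uint8_t *out)
{
    memset(s->buf + s->buflen, 0, BLAKE2S_BLOCK_SIZE - s->buflen);
    blake2s_compress(s, s->buf, (uint32_t)s->buflen, 1);
    for (size_t i = 0; i < s->outlen; i++) out[i] = (uint8_t)(s->h[i / 4] >> (8 * (i % 4)));
    wipe(s, sizeof(*s));                                        /* the kernel's blake2s_final() zeroes its state too */
}

/* Model of the patched mixer: new key = BLAKE2s(old key || cp[0..len)), output sized to the key. */
int crng_slow_load_model(uint8_t key[CRNG_KEY_SIZE], const uint8_t *cp, size_t len)
{
    struct blake2s_state hash;
    if (blake2s_init(&hash, CRNG_KEY_SIZE) != 0) return -1;
    blake2s_update(&hash, key, CRNG_KEY_SIZE);
    blake2s_update(&hash, cp, len);
    blake2s_final(&hash, key);
    return 0;
}
int blake2s_outlen_ok(size_t n) { struct blake2s_state s; return blake2s_init(&s, n) == 0; }
/* RFC 7693 test vector: BLAKE2s-256("abc"). */
int blake2s_selftest(void)
{
    static const uint8_t want[32] = { 0x50,0x8c,0x5e,0x8c,0x32,0x7c,0x14,0xe2,0xe1,0xa7,0x2b,0xa3,0x4e,0xeb,0x45,0x2f,
                                      0x37,0x45,0x8b,0x20,0x9e,0xd6,0x3a,0x29,0x4d,0x99,0x9b,0x4c,0x86,0x67,0x59,0x82 };
    struct blake2s_state s; uint8_t got[32];
    blake2s_init(&s, 32); blake2s_update(&s, (const uint8_t *)"abc", 3); blake2s_final(&s, got);
    return memcmp(got, want, 32) == 0;
}
/* Properties the commit message relies on, exercised with a constructed stand-in for a fixed DMI table. */
int crng_slow_load_demo(void)
{
    static const uint8_t dmi[] = "DMI:Vendor=Example;Product=Board-1;Serial=0000";   /* constructed, unvarying */
    uint8_t k0[CRNG_KEY_SIZE] = {0}, k1[CRNG_KEY_SIZE] = {0}, k2[CRNG_KEY_SIZE] = {1};  /* k2 differs in one bit */
    crng_slow_load_model(k0, dmi, sizeof dmi); crng_slow_load_model(k1, dmi, sizeof dmi); crng_slow_load_model(k2, dmi, sizeof dmi);
    if (memcmp(k0, k1, CRNG_KEY_SIZE) != 0) return 0;           /* same (key, input) -> same key */
    if (memcmp(k0, k2, CRNG_KEY_SIZE) == 0) return 0;           /* every bit of the old key is touched */
    crng_slow_load_model(k1, dmi, sizeof dmi);                  /* the same unvarying buffer fed again ... */
    return memcmp(k0, k1, CRNG_KEY_SIZE) != 0;                  /* ... still moves the key: the old key is hashed in */
}
int main(void)
{
    printf("blake2s self-test: %s\nslow_load model: %s\n", blake2s_selftest() ? "ok" : "FAIL", crng_slow_load_demo() ? "ok" : "FAIL");
    return 0;
}
```

The model keeps the kernel's shape (init with the key length, update over the old key, update over the new bytes, final back into the key) and leaves out the lock and the crng_init check, which are orthogonal to the mixing itself. blake2s_outlen_ok(64) failing is the edge case that matters for the patch: the hunk's blake2s_init(&hash, sizeof(base_crng.key)) is only valid because that key is 32 bytes.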