Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp2931527iog;
        Mon, 20 Jun 2022 07:44:43 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1vspQNrjRWwHG+AW/3blHjMQATyo+pPOnwh31iFF/NA5K3UPCmCVGmhbcakI4jRvjBP7xQ0
X-Received: by 2002:a62:8707:0:b0:525:1cdf:265b with SMTP id i7-20020a628707000000b005251cdf265bmr8173105pfe.72.1655736283400;
        Mon, 20 Jun 2022 07:44:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1655736283; cv=none;
        d=google.com; s=arc-20160816;
        b=g7IOC6daJ5W/kZnU0+ktL/DzEEbmadGYAcA5AiNDkscj21TQ616cddds1rl5WoPP1p
         CKir9pwUQB0IKiUdZXtRVbfD6ugWpmuC4b/VAFjl31p/JI4b3JPZONtZ6HhaQbh1bQW5
         eNRLaLN8gJ80sToYQnTDWxLmlCiP4HgTr4GiMn8gGGcnhhdG2d07YX9ljR9ncmpGxWKU
         ynQnvmKfzyKb19wZFEPJgsaZZpT/DZfPG9VVDSVnmxZNTqNNzntieYLkXbkzHi8b+yvy
         B4sse/jX18sxg6zD3s+gv6FUEn66vRiwBOVJgL/DiuUHcOCFX7wQq+Eg/61Dajjw7NyF
         55pg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=XB8O/HSIs9QgT9JleXDop/5bzCqgRBWMzm09o4lhFq8=;
        b=rxoIWE/fsKuVhzHVY+ZPBGFBWKQaLgkLzE2Ozw0KTjpngCK4+SofCuIxW9WqLxPOxo
         nrjXkP9qKeFVofY/+U7rO0eKqg9A5cX+shgKo0a37QPCBK5x426H4x7QRp1flr2jIhsL
         Jx22wm7bbj31SQ1lRif+KeAR8bh68/7A+JYBvazfKtKD3RPFc8LHj11ioKCts3aMV71m
         XSWzNoINgE2y74KV3VQZx35fSbsRkCxBDz6IeJTDDbPsP2xfqyZnWp0s+im8QCBT6aJ3
         8YNFO0dhhUNP773++ke7YlSnmbjiTIEcvtuk1j5gbKsPGXLhkkNgtgjmfltN7HeQyoDF
         /s+Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=URGAAWds;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id c3-20020a170903234300b00163ddc0d430si1265915plh.173.2022.06.20.07.44.29;
        Mon, 20 Jun 2022 07:44:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=URGAAWds;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1346626AbiFTNgN (ORCPT <rfc822;airlied@gmail.com> + 99 others);
        Mon, 20 Jun 2022 09:36:13 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33220 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1345799AbiFTNee (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 20 Jun 2022 09:34:34 -0400
Received: from sin.source.kernel.org (sin.source.kernel.org [IPv6:2604:1380:40e1:4800::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AEC1E27CC4;
        Mon, 20 Jun 2022 06:13:32 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by sin.source.kernel.org (Postfix) with ESMTPS id 6628ACE139A;
        Mon, 20 Jun 2022 13:12:25 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 30F1CC3411C;
        Mon, 20 Jun 2022 13:12:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1655730743;
        bh=YTcOURT67RliY+onoFdF4rJ3Bag8bxdtEdjdRn02ukk=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=URGAAWdsTKak3JcTGTXOQm/t3ZNP3Thv+kP6UHnn6FIIPG9Pb9ErXJYGWvZJh/RtQ
         YNnasu/rG3uOvhndqTRsdXNR8VAVCJd0rhKirpCHtNWKJz1H323cFz9Yl6CyJ2rEmB
         2LcWTsmMVnlvmBk3USNLCRhT81WVb8GeIwke0VnI=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Dominik Brodowski <linux@dominikbrodowski.net>,
        "Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: [PATCH 5.4 042/240] random: mix bootloader randomness into pool
Date:   Mon, 20 Jun 2022 14:49:03 +0200
Message-Id: <20220620124739.210208937@linuxfoundation.org>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20220620124737.799371052@linuxfoundation.org>
References: <20220620124737.799371052@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

commit 57826feeedb63b091f807ba8325d736775d39afd upstream.

If we're trusting bootloader randomness, crng_fast_load() is called by
add_hwgenerator_randomness(), which sets us to crng_init==1. However,
usually it is only called once for an initial 64-byte push, so bootloader
entropy will not mix any bytes into the input pool. So it's conceivable
that crng_init==1 when crng_initialize_primary() is called later, but
then the input pool is empty. When that happens, the crng state key will
be overwritten with extracted output from the empty input pool. That's
bad.

In contrast, if we're not trusting bootloader randomness, we call
crng_slow_load() *and* we call mix_pool_bytes(), so that later
crng_initialize_primary() isn't drawing on nothing.

In order to prevent crng_initialize_primary() from extracting an empty
pool, have the trusted bootloader case mirror that of the untrusted
bootloader case, mixing the input into the pool.

[linux@dominikbrodowski.net: rewrite commit message]
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/random.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -2299,6 +2299,7 @@ void add_hwgenerator_randomness(const ch
 
 	if (unlikely(crng_init == 0)) {
 		size_t ret = crng_fast_load(buffer, count);
+		mix_pool_bytes(poolp, buffer, ret);
 		count -= ret;
 		buffer += ret;
 		if (!count || crng_init == 0)