Date: Fri, 6 Jan 2023 11:23:18 -0800
From: Kees Cook
To: david.keisarschm@mail.huji.ac.il
Cc: linux-kernel@vger.kernel.org, Dave Hansen, Andy Lutomirski, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86@kernel.org, "H. Peter Anvin", Jason@zx2c4.com, aksecurity@gmail.com, ilay.bahat1@gmail.com
Subject: Re: [PATCH v3 3/3] Replace invocation of weak PRNG in arch/x86/mm/kaslr.c
Message-ID: <202301061118.836BF431F@keescook>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Dec 18, 2022 at 08:19:00PM +0200, david.keisarschm@mail.huji.ac.il wrote:
> From: David Keisar Schmidt
>
> This third series adds some changes to the commit messages,
> and also replaces get_random_u32 with get_random_u32_below,
> in case a modulo operation is done on the result.
>
> The memory randomization of the virtual address space of kernel memory regions
> (physical memory mapping, vmalloc & vmemmap) inside arch/x86/mm/kaslr.c
> is based on the function prandom_bytes_state, which uses the prandom_u32 PRNG.
>
> However, this PRNG turned out to be weak, as noted in commit c51f8f88d705.
> To fix it, we have changed the invocation of prandom_bytes_state to get_random_bytes.
>
> Unlike get_random_bytes, which maintains its own state, prandom_bytes_state needs to be seeded;
> thus we have omitted the call to the seeding function, since it is not needed anymore.

I'd really rather not do this. prandom is being seeded from the "true" RNG, and it allows for the KASLR to be hand-seeded for a repeatable layout for doing debugging and performance analysis (for the coming FG-KASLR).

AIUI, prandom is weak due to its shared state (which KASLR's use doesn't have) and its predictability over time (but KASLR uses it only at boot-time). And being able to recover the outputs would mean KASLR was already broken, so there isn't anything that becomes MORE exposed.

If there is some other weakness, then sure, we can re-evaluate it, but for now I'd rather leave this as-is.

-Kees

-- 
Kees Cook
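The property the reply argues over is that one seed, drawn once at boot, decides the whole region layout, so the same seed reproduces the same layout. The following userspace model of the kernel_randomize_memory() walk in arch/x86/mm/kaslr.c is an added illustration, not Kees Cook's code and not the kernel's: xorshift64* stands in for the prandom generator, the address window and per-region paddings are constructed sample values, and reading /dev/urandom in main() plays the role of the kernel's boot-time seed source (kaslr_get_random_long(), not shown on this page). Passing a seed on the command line gives the hand-seeded, repeatable layout; omitting it gives a fresh layout each run.

```c
/*
 * Userspace model of the kernel_randomize_memory() region walk.
 * Added illustration, not kernel code: xorshift64* stands in for prandom,
 * and the window and paddings below are constructed sample values.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PUD_SHIFT   30
#define PUD_SIZE    ((uint64_t)1 << PUD_SHIFT)
#define PUD_MASK    (~(PUD_SIZE - 1))
#define TB_SHIFT    40
#define NREGIONS    3

/* Window the regions are placed in (constructed, resembles the 4-level x86-64 layout). */
#define VADDR_START 0xffff888000000000ULL
#define VADDR_END   0xfffffe0000000000ULL

struct region {
	const char *name;
	uint64_t    padding_tb;   /* space the region must keep free, in TB */
};

static const struct region kaslr_regions[NREGIONS] = {
	{ "page_offset_base", 8  },   /* physical memory mapping */
	{ "vmalloc_base",     32 },   /* vmalloc                 */
	{ "vmemmap_base",     1  },   /* vmemmap                 */
};

/* Stand-in for struct rnd_state, prandom_seed_state() and prandom_bytes_state(). */
struct rnd_state { uint64_t s; };

static void model_seed_state(struct rnd_state *st, uint64_t seed)
{
	st->s = seed ? seed : 0x9E3779B97F4A7C15ULL;  /* xorshift state must be non-zero */
}

static uint64_t model_random_u64(struct rnd_state *st)
{
	uint64_t x = st->s;
	x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
	st->s = x;
	return x * 0x2545F4914F6CDD1DULL;
}

/* Same loop shape as the kernel: seed once, then one draw per region. */
void randomize_memory_model(uint64_t seed, uint64_t bases[NREGIONS])
{
	struct rnd_state st;
	uint64_t vaddr = VADDR_START;
	uint64_t remain_entropy = VADDR_END - VADDR_START;
	int i;

	for (i = 0; i < NREGIONS; i++)
		remain_entropy -= kaslr_regions[i].padding_tb << TB_SHIFT;

	model_seed_state(&st, seed);

	for (i = 0; i < NREGIONS; i++) {
		uint64_t entropy = remain_entropy / (NREGIONS - i);
		uint64_t r = model_random_u64(&st);

		/* Spend a PUD-aligned share of the remaining slack in front of this region. */
		entropy = (r % (entropy + 1)) & PUD_MASK;
		vaddr += entropy;
		bases[i] = vaddr;

		/* Skip the region's padding, then round_up(vaddr + 1, PUD_SIZE). */
		vaddr += kaslr_regions[i].padding_tb << TB_SHIFT;
		vaddr = (vaddr + PUD_SIZE) & PUD_MASK;
		remain_entropy -= entropy;
	}
}

/* Invariants every layout must satisfy: PUD alignment, regions in order, inside the window. */
int layout_is_valid(const uint64_t bases[NREGIONS])
{
	uint64_t prev_end = VADDR_START;
	int i;

	for (i = 0; i < NREGIONS; i++) {
		if ((bases[i] & (PUD_SIZE - 1)) || bases[i] < prev_end)
			return 0;
		prev_end = bases[i] + (kaslr_regions[i].padding_tb << TB_SHIFT);
	}
	return bases[NREGIONS - 1] < VADDR_END;
}

int main(int argc, char **argv)
{
	uint64_t seed, once[NREGIONS], again[NREGIONS];
	int i, same = 1;

	if (argc > 1) {
		seed = strtoull(argv[1], NULL, 0);   /* hand-seeded: repeatable layout */
	} else {
		FILE *f = fopen("/dev/urandom", "rb");  /* fresh seed, as at a normal boot */
		if (!f || fread(&seed, sizeof(seed), 1, f) != 1) { perror("seed"); return 1; }
		fclose(f);
	}
	randomize_memory_model(seed, once);
	randomize_memory_model(seed, again);
	for (i = 0; i < NREGIONS; i++)
		same &= once[i] == again[i];
	printf("seed 0x%016llx%s\n", (unsigned long long)seed, same ? " (layout repeatable)" : " (MISMATCH)");
	for (i = 0; i < NREGIONS; i++)
		printf("  %-17s 0x%016llx\n", kaslr_regions[i].name, (unsigned long long)once[i]);
	return layout_is_valid(once) ? 0 : 1;
}
```

Replacing the seeded generator with a fresh get_random_bytes() call per draw, as the patch does, removes the single seed the model keys its layout on; whether that knob is worth keeping is the point the two messages disagree about.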