The output n bits can receive more than n bits of min entropy, of course,
but the fixed output of the conditioning function can only asymptotically
approach the output size bits of min entropy, not attain that bound.
Random maps will tend to have output collisions, which reduces the
creditable output entropy (that is what SP 800-90B Section 3.1.5.1.2
attempts to bound).
The value "64" is justified in Appendix A.4 of the current 90C draft,
and aligns with NIST's in "epsilon" definition in this document, which is
that a string can be considered "full entropy" if you can bound the min
entropy in each bit of output to at least 1-epsilon, where epsilon is
required to be <= 2^(-32).
Note, this patch causes the Jitter RNG to cut its performance in half in
FIPS mode because the conditioning function of the LFSR produces 64 bits
of entropy in one block. The oversampling requires that additionally 64
bits of entropy are sampled from the noise source. If the conditioner is
changed, such as using SHA-256, the impact of the oversampling is only
one fourth, because for the 256 bit block of the conditioner, only 64
additional bits from the noise source must be sampled.
This patch resurrects the function jent_fips_enabled as the oversampling
support is only enabled in FIPS mode.
This patch is derived from the user space jitterentropy-library.
Signed-off-by: Stephan Mueller <[email protected]>
---
crypto/jitterentropy-kcapi.c | 6 ++++++
crypto/jitterentropy.c | 22 ++++++++++++++++++++--
crypto/jitterentropy.h | 1 +
3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
index 2d115bec15ae..b02f93805e83 100644
--- a/crypto/jitterentropy-kcapi.c
+++ b/crypto/jitterentropy-kcapi.c
@@ -37,6 +37,7 @@
* DAMAGE.
*/
+#include <linux/fips.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/slab.h>
@@ -59,6 +60,11 @@ void jent_zfree(void *ptr)
kfree_sensitive(ptr);
}
+int jent_fips_enabled(void)
+{
+ return fips_enabled;
+}
+
void jent_panic(char *s)
{
panic("%s", s);
diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c
index 8f5283f28ed3..9996120ad23c 100644
--- a/crypto/jitterentropy.c
+++ b/crypto/jitterentropy.c
@@ -117,6 +117,21 @@ struct rand_data {
#define JENT_EHEALTH 9 /* Health test failed during initialization */
#define JENT_ERCT 10 /* RCT failed during initialization */
+/*
+ * The output n bits can receive more than n bits of min entropy, of course,
+ * but the fixed output of the conditioning function can only asymptotically
+ * approach the output size bits of min entropy, not attain that bound. Random
+ * maps will tend to have output collisions, which reduces the creditable
+ * output entropy (that is what SP 800-90B Section 3.1.5.1.2 attempts to bound).
+ *
+ * The value "64" is justified in Appendix A.4 of the current 90C draft,
+ * and aligns with NIST's in "epsilon" definition in this document, which is
+ * that a string can be considered "full entropy" if you can bound the min
+ * entropy in each bit of output to at least 1-epsilon, where epsilon is
+ * required to be <= 2^(-32).
+ */
+#define JENT_ENTROPY_SAFETY_FACTOR 64
+
#include "jitterentropy.h"
/***************************************************************************
@@ -542,7 +557,10 @@ static int jent_measure_jitter(struct rand_data *ec)
*/
static void jent_gen_entropy(struct rand_data *ec)
{
- unsigned int k = 0;
+ unsigned int k = 0, safety_factor = JENT_ENTROPY_SAFETY_FACTOR;
+
+ if (!jent_fips_enabled())
+ safety_factor = 0;
/* priming of the ->prev_time value */
jent_measure_jitter(ec);
@@ -556,7 +574,7 @@ static void jent_gen_entropy(struct rand_data *ec)
* We multiply the loop value with ->osr to obtain the
* oversampling rate requested by the caller
*/
- if (++k >= (DATA_SIZE_BITS * ec->osr))
+ if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr))
break;
}
}
diff --git a/crypto/jitterentropy.h b/crypto/jitterentropy.h
index b7397b617ef0..c83fff32d130 100644
--- a/crypto/jitterentropy.h
+++ b/crypto/jitterentropy.h
@@ -2,6 +2,7 @@
extern void *jent_zalloc(unsigned int len);
extern void jent_zfree(void *ptr);
+extern int jent_fips_enabled(void);
extern void jent_panic(char *s);
extern void jent_memcpy(void *dest, const void *src, unsigned int n);
extern void jent_get_nstime(__u64 *out);
--
2.33.1
Stephan,
one comment inline.
On Fri, 2021-12-17 at 10:41 +0100, Stephan Müller wrote:
> The output n bits can receive more than n bits of min entropy, of course,
> but the fixed output of the conditioning function can only asymptotically
> approach the output size bits of min entropy, not attain that bound.
> Random maps will tend to have output collisions, which reduces the
> creditable output entropy (that is what SP 800-90B Section 3.1.5.1.2
> attempts to bound).
>
> The value "64" is justified in Appendix A.4 of the current 90C draft,
> and aligns with NIST's in "epsilon" definition in this document, which is
> that a string can be considered "full entropy" if you can bound the min
> entropy in each bit of output to at least 1-epsilon, where epsilon is
> required to be <= 2^(-32).
>
> Note, this patch causes the Jitter RNG to cut its performance in half in
> FIPS mode because the conditioning function of the LFSR produces 64 bits
> of entropy in one block. The oversampling requires that additionally 64
> bits of entropy are sampled from the noise source. If the conditioner is
> changed, such as using SHA-256, the impact of the oversampling is only
> one fourth, because for the 256 bit block of the conditioner, only 64
> additional bits from the noise source must be sampled.
>
> This patch resurrects the function jent_fips_enabled as the oversampling
> support is only enabled in FIPS mode.
>
> This patch is derived from the user space jitterentropy-library.
>
> Signed-off-by: Stephan Mueller <[email protected]>
> ---
> crypto/jitterentropy-kcapi.c | 6 ++++++
> crypto/jitterentropy.c | 22 ++++++++++++++++++++--
> crypto/jitterentropy.h | 1 +
> 3 files changed, 27 insertions(+), 2 deletions(-)
>
> diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
> index 2d115bec15ae..b02f93805e83 100644
> --- a/crypto/jitterentropy-kcapi.c
> +++ b/crypto/jitterentropy-kcapi.c
> @@ -37,6 +37,7 @@
> * DAMAGE.
> */
>
> +#include <linux/fips.h>
> #include <linux/kernel.h>
> #include <linux/module.h>
> #include <linux/slab.h>
> @@ -59,6 +60,11 @@ void jent_zfree(void *ptr)
> kfree_sensitive(ptr);
> }
>
> +int jent_fips_enabled(void)
> +{
> + return fips_enabled;
> +}
> +
> void jent_panic(char *s)
> {
> panic("%s", s);
> diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c
> index 8f5283f28ed3..9996120ad23c 100644
> --- a/crypto/jitterentropy.c
> +++ b/crypto/jitterentropy.c
> @@ -117,6 +117,21 @@ struct rand_data {
> #define JENT_EHEALTH 9 /* Health test failed during initialization */
> #define JENT_ERCT 10 /* RCT failed during initialization */
>
> +/*
> + * The output n bits can receive more than n bits of min entropy, of course,
> + * but the fixed output of the conditioning function can only asymptotically
> + * approach the output size bits of min entropy, not attain that bound. Random
> + * maps will tend to have output collisions, which reduces the creditable
> + * output entropy (that is what SP 800-90B Section 3.1.5.1.2 attempts to bound).
> + *
> + * The value "64" is justified in Appendix A.4 of the current 90C draft,
> + * and aligns with NIST's in "epsilon" definition in this document, which is
> + * that a string can be considered "full entropy" if you can bound the min
> + * entropy in each bit of output to at least 1-epsilon, where epsilon is
> + * required to be <= 2^(-32).
> + */
> +#define JENT_ENTROPY_SAFETY_FACTOR 64
> +
> #include "jitterentropy.h"
>
> /***************************************************************************
> @@ -542,7 +557,10 @@ static int jent_measure_jitter(struct rand_data *ec)
> */
> static void jent_gen_entropy(struct rand_data *ec)
> {
> - unsigned int k = 0;
> + unsigned int k = 0, safety_factor = JENT_ENTROPY_SAFETY_FACTOR;
> +
> + if (!jent_fips_enabled())
> + safety_factor = 0;
I would find this more readable if safety_factor is initialized to 0,
and then in the code:
if (jent_fips_enabled())
safety_factor = JENT_ENTROPY_SAFETY_FACTOR;
However this is just readability for me, either option is perfectly
identicaly IMO, so
Reviewed-by: Simo Sorce <[email protected]>
> /* priming of the ->prev_time value */
> jent_measure_jitter(ec);
> @@ -556,7 +574,7 @@ static void jent_gen_entropy(struct rand_data *ec)
> * We multiply the loop value with ->osr to obtain the
> * oversampling rate requested by the caller
> */
> - if (++k >= (DATA_SIZE_BITS * ec->osr))
> + if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr))
> break;
> }
> }
> diff --git a/crypto/jitterentropy.h b/crypto/jitterentropy.h
> index b7397b617ef0..c83fff32d130 100644
> --- a/crypto/jitterentropy.h
> +++ b/crypto/jitterentropy.h
> @@ -2,6 +2,7 @@
>
> extern void *jent_zalloc(unsigned int len);
> extern void jent_zfree(void *ptr);
> +extern int jent_fips_enabled(void);
> extern void jent_panic(char *s);
> extern void jent_memcpy(void *dest, const void *src, unsigned int n);
> extern void jent_get_nstime(__u64 *out);
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
Am Freitag, 17. Dezember 2021, 13:06:07 CET schrieb Simo Sorce:
Hi Simo,
> > static void jent_gen_entropy(struct rand_data *ec)
> > {
> >
> > - unsigned int k = 0;
> > + unsigned int k = 0, safety_factor = JENT_ENTROPY_SAFETY_FACTOR;
> > +
> > + if (!jent_fips_enabled())
> > + safety_factor = 0;
>
> I would find this more readable if safety_factor is initialized to 0,
> and then in the code:
> if (jent_fips_enabled())
> safety_factor = JENT_ENTROPY_SAFETY_FACTOR;
>
> However this is just readability for me, either option is perfectly
> identicaly IMO, so
Thank you, I will send an updated patch.
Ciao
Stephan
On Fri, Dec 17, 2021 at 10:41:42AM +0100, Stephan M?ller wrote:
>
> diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
> index 2d115bec15ae..b02f93805e83 100644
> --- a/crypto/jitterentropy-kcapi.c
> +++ b/crypto/jitterentropy-kcapi.c
> @@ -59,6 +60,11 @@ void jent_zfree(void *ptr)
> kfree_sensitive(ptr);
> }
>
> +int jent_fips_enabled(void)
> +{
> + return fips_enabled;
> +}
Why do you need this function? And why can't it be inlined?
Normally fips_enabled is entirely optimised away if FIPS is
disabled in Kconfig. This function breaks this.
Thanks,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Am Samstag, 18. Dezember 2021, 04:27:21 CET schrieb Herbert Xu:
Hi Herbert,
> On Fri, Dec 17, 2021 at 10:41:42AM +0100, Stephan M?ller wrote:
> > diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
> > index 2d115bec15ae..b02f93805e83 100644
> > --- a/crypto/jitterentropy-kcapi.c
> > +++ b/crypto/jitterentropy-kcapi.c
> > @@ -59,6 +60,11 @@ void jent_zfree(void *ptr)
> >
> > kfree_sensitive(ptr);
> >
> > }
> >
> > +int jent_fips_enabled(void)
> > +{
> > + return fips_enabled;
> > +}
>
> Why do you need this function? And why can't it be inlined?
>
> Normally fips_enabled is entirely optimised away if FIPS is
> disabled in Kconfig. This function breaks this.
You are right, fips.h can be included into jitterentropy.c and this helper
function can be eliminated.
Thanks
>
> Thanks,
Ciao
Stephan
The output n bits can receive more than n bits of min entropy, of course,
but the fixed output of the conditioning function can only asymptotically
approach the output size bits of min entropy, not attain that bound.
Random maps will tend to have output collisions, which reduces the
creditable output entropy (that is what SP 800-90B Section 3.1.5.1.2
attempts to bound).
The value "64" is justified in Appendix A.4 of the current 90C draft,
and aligns with NIST's in "epsilon" definition in this document, which is
that a string can be considered "full entropy" if you can bound the min
entropy in each bit of output to at least 1-epsilon, where epsilon is
required to be <= 2^(-32).
Note, this patch causes the Jitter RNG to cut its performance in half in
FIPS mode because the conditioning function of the LFSR produces 64 bits
of entropy in one block. The oversampling requires that additionally 64
bits of entropy are sampled from the noise source. If the conditioner is
changed, such as using SHA-256, the impact of the oversampling is only
one fourth, because for the 256 bit block of the conditioner, only 64
additional bits from the noise source must be sampled.
This patch is derived from the user space jitterentropy-library.
Signed-off-by: Stephan Mueller <[email protected]>
Reviewed-by: Simo Sorce <[email protected]>
---
crypto/jitterentropy.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c
index 8f5283f28ed3..7d6de0a29ab8 100644
--- a/crypto/jitterentropy.c
+++ b/crypto/jitterentropy.c
@@ -117,6 +117,22 @@ struct rand_data {
#define JENT_EHEALTH 9 /* Health test failed during initialization */
#define JENT_ERCT 10 /* RCT failed during initialization */
+/*
+ * The output n bits can receive more than n bits of min entropy, of course,
+ * but the fixed output of the conditioning function can only asymptotically
+ * approach the output size bits of min entropy, not attain that bound. Random
+ * maps will tend to have output collisions, which reduces the creditable
+ * output entropy (that is what SP 800-90B Section 3.1.5.1.2 attempts to bound).
+ *
+ * The value "64" is justified in Appendix A.4 of the current 90C draft,
+ * and aligns with NIST's in "epsilon" definition in this document, which is
+ * that a string can be considered "full entropy" if you can bound the min
+ * entropy in each bit of output to at least 1-epsilon, where epsilon is
+ * required to be <= 2^(-32).
+ */
+#define JENT_ENTROPY_SAFETY_FACTOR 64
+
+#include "linux/fips.h"
#include "jitterentropy.h"
/***************************************************************************
@@ -542,7 +558,10 @@ static int jent_measure_jitter(struct rand_data *ec)
*/
static void jent_gen_entropy(struct rand_data *ec)
{
- unsigned int k = 0;
+ unsigned int k = 0, safety_factor = 0;
+
+ if (fips_enabled)
+ safety_factor = JENT_ENTROPY_SAFETY_FACTOR;
/* priming of the ->prev_time value */
jent_measure_jitter(ec);
@@ -556,7 +575,7 @@ static void jent_gen_entropy(struct rand_data *ec)
* We multiply the loop value with ->osr to obtain the
* oversampling rate requested by the caller
*/
- if (++k >= (DATA_SIZE_BITS * ec->osr))
+ if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr))
break;
}
}
--
2.33.1
On Sun, Dec 19, 2021 at 05:25:32PM +0100, Stephan M?ller wrote:
>
> +#include "linux/fips.h"
Shouldn't this be <linux/fips.h>?
Thanks,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
The output n bits can receive more than n bits of min entropy, of course,
but the fixed output of the conditioning function can only asymptotically
approach the output size bits of min entropy, not attain that bound.
Random maps will tend to have output collisions, which reduces the
creditable output entropy (that is what SP 800-90B Section 3.1.5.1.2
attempts to bound).
The value "64" is justified in Appendix A.4 of the current 90C draft,
and aligns with NIST's in "epsilon" definition in this document, which is
that a string can be considered "full entropy" if you can bound the min
entropy in each bit of output to at least 1-epsilon, where epsilon is
required to be <= 2^(-32).
Note, this patch causes the Jitter RNG to cut its performance in half in
FIPS mode because the conditioning function of the LFSR produces 64 bits
of entropy in one block. The oversampling requires that additionally 64
bits of entropy are sampled from the noise source. If the conditioner is
changed, such as using SHA-256, the impact of the oversampling is only
one fourth, because for the 256 bit block of the conditioner, only 64
additional bits from the noise source must be sampled.
This patch is derived from the user space jitterentropy-library.
Signed-off-by: Stephan Mueller <[email protected]>
Reviewed-by: Simo Sorce <[email protected]>
---
crypto/jitterentropy.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c
index 8f5283f28ed3..93bff3213823 100644
--- a/crypto/jitterentropy.c
+++ b/crypto/jitterentropy.c
@@ -117,6 +117,22 @@ struct rand_data {
#define JENT_EHEALTH 9 /* Health test failed during initialization */
#define JENT_ERCT 10 /* RCT failed during initialization */
+/*
+ * The output n bits can receive more than n bits of min entropy, of course,
+ * but the fixed output of the conditioning function can only asymptotically
+ * approach the output size bits of min entropy, not attain that bound. Random
+ * maps will tend to have output collisions, which reduces the creditable
+ * output entropy (that is what SP 800-90B Section 3.1.5.1.2 attempts to bound).
+ *
+ * The value "64" is justified in Appendix A.4 of the current 90C draft,
+ * and aligns with NIST's in "epsilon" definition in this document, which is
+ * that a string can be considered "full entropy" if you can bound the min
+ * entropy in each bit of output to at least 1-epsilon, where epsilon is
+ * required to be <= 2^(-32).
+ */
+#define JENT_ENTROPY_SAFETY_FACTOR 64
+
+#include <linux/fips.h>
#include "jitterentropy.h"
/***************************************************************************
@@ -542,7 +558,10 @@ static int jent_measure_jitter(struct rand_data *ec)
*/
static void jent_gen_entropy(struct rand_data *ec)
{
- unsigned int k = 0;
+ unsigned int k = 0, safety_factor = 0;
+
+ if (fips_enabled)
+ safety_factor = JENT_ENTROPY_SAFETY_FACTOR;
/* priming of the ->prev_time value */
jent_measure_jitter(ec);
@@ -556,7 +575,7 @@ static void jent_gen_entropy(struct rand_data *ec)
* We multiply the loop value with ->osr to obtain the
* oversampling rate requested by the caller
*/
- if (++k >= (DATA_SIZE_BITS * ec->osr))
+ if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr))
break;
}
}
--
2.33.1
On Mon, Dec 20, 2021 at 07:21:53AM +0100, Stephan M?ller wrote:
> The output n bits can receive more than n bits of min entropy, of course,
> but the fixed output of the conditioning function can only asymptotically
> approach the output size bits of min entropy, not attain that bound.
> Random maps will tend to have output collisions, which reduces the
> creditable output entropy (that is what SP 800-90B Section 3.1.5.1.2
> attempts to bound).
>
> The value "64" is justified in Appendix A.4 of the current 90C draft,
> and aligns with NIST's in "epsilon" definition in this document, which is
> that a string can be considered "full entropy" if you can bound the min
> entropy in each bit of output to at least 1-epsilon, where epsilon is
> required to be <= 2^(-32).
>
> Note, this patch causes the Jitter RNG to cut its performance in half in
> FIPS mode because the conditioning function of the LFSR produces 64 bits
> of entropy in one block. The oversampling requires that additionally 64
> bits of entropy are sampled from the noise source. If the conditioner is
> changed, such as using SHA-256, the impact of the oversampling is only
> one fourth, because for the 256 bit block of the conditioner, only 64
> additional bits from the noise source must be sampled.
>
> This patch is derived from the user space jitterentropy-library.
>
> Signed-off-by: Stephan Mueller <[email protected]>
> Reviewed-by: Simo Sorce <[email protected]>
> ---
> crypto/jitterentropy.c | 23 +++++++++++++++++++++--
> 1 file changed, 21 insertions(+), 2 deletions(-)
Patch applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt