The two existing trusted key sources don't make use of the kernel RNG,
but instead let the hardware doing the sealing/unsealing also
generate the random key material. However, Users may want to place
less trust into the quality of the trust source's random number
generator and instead use the kernel entropy pool, which can be
seeded from multiple entropy sources.
Make this possible by adding a new trusted.kernel_rng parameter,
that will force use of the kernel RNG. In its absence, it's up
to the trust source to decide, which random numbers to use,
maintaining the existing behavior.
Suggested-by: Jarkko Sakkinen <[email protected]>
Acked-by: Sumit Garg <[email protected]>
Reviewed-by: David Gstir <[email protected]>
Tested-By: Tim Harvey <[email protected]>
Signed-off-by: Ahmad Fatoum <[email protected]>
---
To: James Bottomley <[email protected]>
To: Jarkko Sakkinen <[email protected]>
To: Mimi Zohar <[email protected]>
To: David Howells <[email protected]>
Cc: James Morris <[email protected]>
Cc: "Serge E. Hallyn" <[email protected]>
Cc: "Horia Geantă" <[email protected]>
Cc: Aymen Sghaier <[email protected]>
Cc: Herbert Xu <[email protected]>
Cc: "David S. Miller" <[email protected]>
Cc: Udit Agarwal <[email protected]>
Cc: Jan Luebbe <[email protected]>
Cc: Eric Biggers <[email protected]>
Cc: David Gstir <[email protected]>
Cc: Richard Weinberger <[email protected]>
Cc: Franck LENORMAND <[email protected]>
Cc: Sumit Garg <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
---
Documentation/admin-guide/kernel-parameters.txt | 7 ++++++-
Documentation/security/keys/trusted-encrypted.rst | 20 +++++++++-------
security/keys/trusted-keys/trusted_core.c | 17 +++++++++++++-
3 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 43dc35fe5bc0..d5969452f063 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -5772,6 +5772,13 @@
first trust source as a backend which is initialized
successfully during iteration.
+ trusted.kernel_rng = [KEYS]
+ Format: <bool>
+ When set to true (1), the kernel random number pool
+ is used to generate key material for trusted keys.
+ The default is to leave the RNG's choice to each
+ individual trust source.
+
tsc= Disable clocksource stability checks for TSC.
Format: <string>
[x86] reliable: mark tsc clocksource as reliable, this
diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
index 80d5a5af62a1..1d4b4b8f12f0 100644
--- a/Documentation/security/keys/trusted-encrypted.rst
+++ b/Documentation/security/keys/trusted-encrypted.rst
@@ -87,22 +87,26 @@ Key Generation
Trusted Keys
------------
-New keys are created from random numbers generated in the trust source. They
-are encrypted/decrypted using a child key in the storage key hierarchy.
-Encryption and decryption of the child key must be protected by a strong
-access control policy within the trust source.
+New keys are created from random numbers. They are encrypted/decrypted using
+a child key in the storage key hierarchy. Encryption and decryption of the
+child key must be protected by a strong access control policy within the
+trust source. The random number generator in use differs according to the
+selected trust source:
- * TPM (hardware device) based RNG
+ * TPM: hardware device based RNG
- Strength of random numbers may vary from one device manufacturer to
- another.
+ Keys are generated within the TPM. Strength of random numbers may vary
+ from one device manufacturer to another.
- * TEE (OP-TEE based on Arm TrustZone) based RNG
+ * TEE: OP-TEE based on Arm TrustZone based RNG
RNG is customizable as per platform needs. It can either be direct output
from platform specific hardware RNG or a software based Fortuna CSPRNG
which can be seeded via multiple entropy sources.
+Optionally, users may specify ``trusted.kernel_rng=1`` on the kernel
+command-line to override the used RNG with the kernel's random number pool.
+
Encrypted Keys
--------------
diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
index 8cab69e5d0da..569af9af8df0 100644
--- a/security/keys/trusted-keys/trusted_core.c
+++ b/security/keys/trusted-keys/trusted_core.c
@@ -16,12 +16,17 @@
#include <linux/key-type.h>
#include <linux/module.h>
#include <linux/parser.h>
+#include <linux/random.h>
#include <linux/rcupdate.h>
#include <linux/slab.h>
#include <linux/static_call.h>
#include <linux/string.h>
#include <linux/uaccess.h>
+static bool trusted_kernel_rng;
+module_param_named(kernel_rng, trusted_kernel_rng, bool, 0);
+MODULE_PARM_DESC(kernel_rng, "Generate key material from kernel RNG");
+
static char *trusted_key_source;
module_param_named(source, trusted_key_source, charp, 0);
MODULE_PARM_DESC(source, "Select trusted keys source (tpm or tee)");
@@ -312,8 +317,14 @@ struct key_type key_type_trusted = {
};
EXPORT_SYMBOL_GPL(key_type_trusted);
+static int kernel_get_random(unsigned char *key, size_t key_len)
+{
+ return get_random_bytes_wait(key, key_len) ?: key_len;
+}
+
static int __init init_trusted(void)
{
+ int (*get_random)(unsigned char *key, size_t key_len);
int i, ret = 0;
for (i = 0; i < ARRAY_SIZE(trusted_key_sources); i++) {
@@ -322,6 +333,10 @@ static int __init init_trusted(void)
strlen(trusted_key_sources[i].name)))
continue;
+ get_random = trusted_key_sources[i].ops->get_random;
+ if (trusted_kernel_rng)
+ get_random = kernel_get_random;
+
static_call_update(trusted_key_init,
trusted_key_sources[i].ops->init);
static_call_update(trusted_key_seal,
@@ -329,7 +344,7 @@ static int __init init_trusted(void)
static_call_update(trusted_key_unseal,
trusted_key_sources[i].ops->unseal);
static_call_update(trusted_key_get_random,
- trusted_key_sources[i].ops->get_random);
+ get_random);
static_call_update(trusted_key_exit,
trusted_key_sources[i].ops->exit);
migratable = trusted_key_sources[i].ops->migratable;
--
git-series 0.9.1
On Mon, Oct 11, 2021 at 12:02:35PM +0200, Ahmad Fatoum wrote:
> The two existing trusted key sources don't make use of the kernel RNG,
> but instead let the hardware doing the sealing/unsealing also
> generate the random key material. However, Users may want to place
"Users" -> "users"
> less trust into the quality of the trust source's random number
> generator and instead use the kernel entropy pool, which can be
> seeded from multiple entropy sources.
>
> Make this possible by adding a new trusted.kernel_rng parameter,
> that will force use of the kernel RNG. In its absence, it's up
> to the trust source to decide, which random numbers to use,
> maintaining the existing behavior.
>
> Suggested-by: Jarkko Sakkinen <[email protected]>
> Acked-by: Sumit Garg <[email protected]>
> Reviewed-by: David Gstir <[email protected]>
> Tested-By: Tim Harvey <[email protected]>
> Signed-off-by: Ahmad Fatoum <[email protected]>
> ---
> To: James Bottomley <[email protected]>
> To: Jarkko Sakkinen <[email protected]>
> To: Mimi Zohar <[email protected]>
> To: David Howells <[email protected]>
> Cc: James Morris <[email protected]>
> Cc: "Serge E. Hallyn" <[email protected]>
> Cc: "Horia Geantă" <[email protected]>
> Cc: Aymen Sghaier <[email protected]>
> Cc: Herbert Xu <[email protected]>
> Cc: "David S. Miller" <[email protected]>
> Cc: Udit Agarwal <[email protected]>
> Cc: Jan Luebbe <[email protected]>
> Cc: Eric Biggers <[email protected]>
> Cc: David Gstir <[email protected]>
> Cc: Richard Weinberger <[email protected]>
> Cc: Franck LENORMAND <[email protected]>
> Cc: Sumit Garg <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> ---
> Documentation/admin-guide/kernel-parameters.txt | 7 ++++++-
> Documentation/security/keys/trusted-encrypted.rst | 20 +++++++++-------
> security/keys/trusted-keys/trusted_core.c | 17 +++++++++++++-
> 3 files changed, 35 insertions(+), 9 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 43dc35fe5bc0..d5969452f063 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -5772,6 +5772,13 @@
> first trust source as a backend which is initialized
> successfully during iteration.
>
> + trusted.kernel_rng = [KEYS]
> + Format: <bool>
> + When set to true (1), the kernel random number pool
> + is used to generate key material for trusted keys.
> + The default is to leave the RNG's choice to each
> + individual trust source.
> +
> tsc= Disable clocksource stability checks for TSC.
> Format: <string>
> [x86] reliable: mark tsc clocksource as reliable, this
> diff --git a/Documentation/security/keys/trusted-encrypted.rst b/Documentation/security/keys/trusted-encrypted.rst
> index 80d5a5af62a1..1d4b4b8f12f0 100644
> --- a/Documentation/security/keys/trusted-encrypted.rst
> +++ b/Documentation/security/keys/trusted-encrypted.rst
> @@ -87,22 +87,26 @@ Key Generation
> Trusted Keys
> ------------
>
> -New keys are created from random numbers generated in the trust source. They
> -are encrypted/decrypted using a child key in the storage key hierarchy.
> -Encryption and decryption of the child key must be protected by a strong
> -access control policy within the trust source.
> +New keys are created from random numbers. They are encrypted/decrypted using
> +a child key in the storage key hierarchy. Encryption and decryption of the
> +child key must be protected by a strong access control policy within the
> +trust source. The random number generator in use differs according to the
> +selected trust source:
>
> - * TPM (hardware device) based RNG
> + * TPM: hardware device based RNG
>
> - Strength of random numbers may vary from one device manufacturer to
> - another.
> + Keys are generated within the TPM. Strength of random numbers may vary
> + from one device manufacturer to another.
>
> - * TEE (OP-TEE based on Arm TrustZone) based RNG
> + * TEE: OP-TEE based on Arm TrustZone based RNG
>
> RNG is customizable as per platform needs. It can either be direct output
> from platform specific hardware RNG or a software based Fortuna CSPRNG
> which can be seeded via multiple entropy sources.
>
> +Optionally, users may specify ``trusted.kernel_rng=1`` on the kernel
> +command-line to override the used RNG with the kernel's random number pool.
> +
> Encrypted Keys
> --------------
>
> diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-keys/trusted_core.c
> index 8cab69e5d0da..569af9af8df0 100644
> --- a/security/keys/trusted-keys/trusted_core.c
> +++ b/security/keys/trusted-keys/trusted_core.c
> @@ -16,12 +16,17 @@
> #include <linux/key-type.h>
> #include <linux/module.h>
> #include <linux/parser.h>
> +#include <linux/random.h>
> #include <linux/rcupdate.h>
> #include <linux/slab.h>
> #include <linux/static_call.h>
> #include <linux/string.h>
> #include <linux/uaccess.h>
>
> +static bool trusted_kernel_rng;
> +module_param_named(kernel_rng, trusted_kernel_rng, bool, 0);
> +MODULE_PARM_DESC(kernel_rng, "Generate key material from kernel RNG");
It's not then always kernel RNG, i.e. that is a very misleading name.
I'd prefer trusted_rng with string values "kernel", "tee". That makes
it explicit what you are using.
/Jarkko
Hello Jarkko,
On 05.12.21 01:16, Jarkko Sakkinen wrote:
> On Mon, Oct 11, 2021 at 12:02:35PM +0200, Ahmad Fatoum wrote:
>> The two existing trusted key sources don't make use of the kernel RNG,
>> but instead let the hardware doing the sealing/unsealing also
>> generate the random key material. However, Users may want to place
>
> "Users" -> "users"
Will fix for v5.
>> +static bool trusted_kernel_rng;
>> +module_param_named(kernel_rng, trusted_kernel_rng, bool, 0);
>> +MODULE_PARM_DESC(kernel_rng, "Generate key material from kernel RNG");
>
> It's not then always kernel RNG, i.e. that is a very misleading name.
trusted.kernel_rng=1 always forces kernel RNG, trusted.kernel_rng=0 will
choose trust source default.
> I'd prefer trusted_rng with string values "kernel", "tee". That makes
> it explicit what you are using.
This is also a bit misleading for trust sources that don't provide their
own RNG, either because the driver doesn't implement it, or because the
IP doesn't have its own RNG (like DCP on NXP's i.MX6UL SoC).
For v5, I'd implement following 'tristate-with-strings' scheme:
trusted.rng=""
=> Use trust source default, fall back to kernel RNG if there's none
(trusted.kernel_rng=0 in current patch)
trusted.rng=kernel
=> Always use kernel RNG
(trusted.kernel_rng=1 in current patch)
trusted.rng=$trusted.source
=> Use trust source default, but error out if trust source
doesn't implement its own RNG to avoid misleading users
about key randomness source
trusted.rng="anything-else"
=> Error out with warning that only valid values are
"kernel,${trust.source}" where trust.source is the currently
active one.
Sounds good?
Cheers,
Ahmad
>
> /Jarkko
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Reviewed-by: Pankaj Gupta <[email protected]>
> -----Original Message-----
> From: Ahmad Fatoum <[email protected]>
> Sent: Monday, October 11, 2021 3:33 PM
> To: James Bottomley <[email protected]>; Jarkko Sakkinen
> <[email protected]>; Mimi Zohar <[email protected]>; David Howells
> <[email protected]>
> Cc: [email protected]; Sumit Garg <[email protected]>; David Gstir
> <[email protected]>; [email protected]; Ahmad Fatoum
> <[email protected]>; James Morris <[email protected]>; Serge E.
> Hallyn <[email protected]>; Horia Geanta <[email protected]>; Aymen
> Sghaier <[email protected]>; Herbert Xu
> <[email protected]>; David S. Miller <[email protected]>; Udit
> Agarwal <[email protected]>; Jan Luebbe <[email protected]>; Eric
> Biggers <[email protected]>; Richard Weinberger <[email protected]>; Franck
> Lenormand <[email protected]>; [email protected]; linux-
> [email protected]; [email protected]; linux-
> [email protected]; [email protected]
> Subject: [EXT] [PATCH v4 2/5] KEYS: trusted: allow users to use kernel RNG for
> key material
>
> Caution: EXT Email
>
> The two existing trusted key sources don't make use of the kernel RNG, but
> instead let the hardware doing the sealing/unsealing also generate the random
> key material. However, Users may want to place less trust into the quality of the
> trust source's random number generator and instead use the kernel entropy pool,
> which can be seeded from multiple entropy sources.
>
> Make this possible by adding a new trusted.kernel_rng parameter, that will force
> use of the kernel RNG. In its absence, it's up to the trust source to decide, which
> random numbers to use, maintaining the existing behavior.
>
> Suggested-by: Jarkko Sakkinen <[email protected]>
> Acked-by: Sumit Garg <[email protected]>
> Reviewed-by: David Gstir <[email protected]>
> Tested-By: Tim Harvey <[email protected]>
> Signed-off-by: Ahmad Fatoum <[email protected]>
> ---
> To: James Bottomley <[email protected]>
> To: Jarkko Sakkinen <[email protected]>
> To: Mimi Zohar <[email protected]>
> To: David Howells <[email protected]>
> Cc: James Morris <[email protected]>
> Cc: "Serge E. Hallyn" <[email protected]>
> Cc: "Horia Geantă" <[email protected]>
> Cc: Aymen Sghaier <[email protected]>
> Cc: Herbert Xu <[email protected]>
> Cc: "David S. Miller" <[email protected]>
> Cc: Udit Agarwal <[email protected]>
> Cc: Jan Luebbe <[email protected]>
> Cc: Eric Biggers <[email protected]>
> Cc: David Gstir <[email protected]>
> Cc: Richard Weinberger <[email protected]>
> Cc: Franck LENORMAND <[email protected]>
> Cc: Sumit Garg <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> ---
> Documentation/admin-guide/kernel-parameters.txt | 7 ++++++-
> Documentation/security/keys/trusted-encrypted.rst | 20 +++++++++-------
> security/keys/trusted-keys/trusted_core.c | 17 +++++++++++++-
> 3 files changed, 35 insertions(+), 9 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt
> b/Documentation/admin-guide/kernel-parameters.txt
> index 43dc35fe5bc0..d5969452f063 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -5772,6 +5772,13 @@
> first trust source as a backend which is initialized
> successfully during iteration.
>
> + trusted.kernel_rng = [KEYS]
> + Format: <bool>
> + When set to true (1), the kernel random number pool
> + is used to generate key material for trusted keys.
> + The default is to leave the RNG's choice to each
> + individual trust source.
> +
> tsc= Disable clocksource stability checks for TSC.
> Format: <string>
> [x86] reliable: mark tsc clocksource as reliable, this diff --git
> a/Documentation/security/keys/trusted-encrypted.rst
> b/Documentation/security/keys/trusted-encrypted.rst
> index 80d5a5af62a1..1d4b4b8f12f0 100644
> --- a/Documentation/security/keys/trusted-encrypted.rst
> +++ b/Documentation/security/keys/trusted-encrypted.rst
> @@ -87,22 +87,26 @@ Key Generation
> Trusted Keys
> ------------
>
> -New keys are created from random numbers generated in the trust source.
> They -are encrypted/decrypted using a child key in the storage key hierarchy.
> -Encryption and decryption of the child key must be protected by a strong -
> access control policy within the trust source.
> +New keys are created from random numbers. They are encrypted/decrypted
> +using a child key in the storage key hierarchy. Encryption and
> +decryption of the child key must be protected by a strong access
> +control policy within the trust source. The random number generator in
> +use differs according to the selected trust source:
>
> - * TPM (hardware device) based RNG
> + * TPM: hardware device based RNG
>
> - Strength of random numbers may vary from one device manufacturer to
> - another.
> + Keys are generated within the TPM. Strength of random numbers may vary
> + from one device manufacturer to another.
>
> - * TEE (OP-TEE based on Arm TrustZone) based RNG
> + * TEE: OP-TEE based on Arm TrustZone based RNG
>
> RNG is customizable as per platform needs. It can either be direct output
> from platform specific hardware RNG or a software based Fortuna CSPRNG
> which can be seeded via multiple entropy sources.
>
> +Optionally, users may specify ``trusted.kernel_rng=1`` on the kernel
> +command-line to override the used RNG with the kernel's random number pool.
> +
> Encrypted Keys
> --------------
>
> diff --git a/security/keys/trusted-keys/trusted_core.c b/security/keys/trusted-
> keys/trusted_core.c
> index 8cab69e5d0da..569af9af8df0 100644
> --- a/security/keys/trusted-keys/trusted_core.c
> +++ b/security/keys/trusted-keys/trusted_core.c
> @@ -16,12 +16,17 @@
> #include <linux/key-type.h>
> #include <linux/module.h>
> #include <linux/parser.h>
> +#include <linux/random.h>
> #include <linux/rcupdate.h>
> #include <linux/slab.h>
> #include <linux/static_call.h>
> #include <linux/string.h>
> #include <linux/uaccess.h>
>
> +static bool trusted_kernel_rng;
> +module_param_named(kernel_rng, trusted_kernel_rng, bool, 0);
> +MODULE_PARM_DESC(kernel_rng, "Generate key material from kernel RNG");
> +
> static char *trusted_key_source;
> module_param_named(source, trusted_key_source, charp, 0);
> MODULE_PARM_DESC(source, "Select trusted keys source (tpm or tee)"); @@ -
> 312,8 +317,14 @@ struct key_type key_type_trusted = { };
> EXPORT_SYMBOL_GPL(key_type_trusted);
>
> +static int kernel_get_random(unsigned char *key, size_t key_len) {
> + return get_random_bytes_wait(key, key_len) ?: key_len; }
> +
> static int __init init_trusted(void)
> {
> + int (*get_random)(unsigned char *key, size_t key_len);
> int i, ret = 0;
>
> for (i = 0; i < ARRAY_SIZE(trusted_key_sources); i++) { @@ -322,6 +333,10
> @@ static int __init init_trusted(void)
> strlen(trusted_key_sources[i].name)))
> continue;
>
> + get_random = trusted_key_sources[i].ops->get_random;
> + if (trusted_kernel_rng)
> + get_random = kernel_get_random;
> +
> static_call_update(trusted_key_init,
> trusted_key_sources[i].ops->init);
> static_call_update(trusted_key_seal,
> @@ -329,7 +344,7 @@ static int __init init_trusted(void)
> static_call_update(trusted_key_unseal,
> trusted_key_sources[i].ops->unseal);
> static_call_update(trusted_key_get_random,
> - trusted_key_sources[i].ops->get_random);
> + get_random);
> static_call_update(trusted_key_exit,
> trusted_key_sources[i].ops->exit);
> migratable = trusted_key_sources[i].ops->migratable;
> --
> git-series 0.9.1