Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp338152rwb; Sun, 6 Nov 2022 06:46:35 -0800 (PST) X-Google-Smtp-Source: AA0mqf6SIpDp4GGDLPs3hH3ENA8gqqXqv+lYWKae8xRPw1DhSDhPvegoMObxomSVcGXK5ugw4S9S X-Received: by 2002:a17:907:162b:b0:7ae:4ed4:1503 with SMTP id hb43-20020a170907162b00b007ae4ed41503mr6666820ejc.485.1667745995522; Sun, 06 Nov 2022 06:46:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1667745995; cv=none; d=google.com; s=arc-20160816; b=MG3KW3DH38PC/gtbWRE1p9wvIaWQeyGwfEfYIsmomtN4TEXhqt+IaxkDrztohsgbpe 2230CQbbbgHoyBfpH5RKXiIFoZUYYUUMvpBqpXP8mle/IeMREWiRKWusDDgKCiciiCJG /soL/p2T23NplQXciaQjEefC2woO4MCRmXnzTnqDVtv7b0E1OBcUGHgVu0j7L8GOszcG Eyz6nYneTYkwBnCjstr5bM6FIyfZFMuaYItPkfgmV8HE4O9cndMQQz/XmuakGIcz7Ah5 4lsBRYSJnI49dqhsg6cYxISLv/5zL4ec+ir9ouL00+OE5+oYLFIZXBOvA1+SUF59DZHv KPSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=uWi00VPzm/KSCY92/QWftOK8dxKg3xaPTW7cQ4Tl+kU=; b=AfuNg6pW2IxqsqNBLichLBd9iICSI+1xlG5V5A3xXDULfKHcMiENeYJy3uhD7ObUv7 8K/WD0uS97bM0OB2eT/N9TtQxKaNqfvyrIGjm6jyrx1M3tMT9AxTLdu+O3YanPBS+aTe /sdQEDZySFQDugNB8qHXgdgMMai447Gjc5PuIEQLrmOpUoFtf/IlZ2Tv+ankiKY0+qOQ oZ2vCxY2CUVI3V+dvHt6MgfJrNmDvsh16pEuxCzUxIsFpNmQJU2PeLfB9wHkZ1mtHbk/ rOMenOxiAR7VEFo9heO0WiPMdlveY9URrzUEaf3opw2b1mn0IhVfbfpQO5ULXmHiuKq2 hyaA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=pF57fNjb; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=zx2c4.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dn10-20020a17090794ca00b007acf3aed493si7031109ejc.910.2022.11.06.06.46.11; Sun, 06 Nov 2022 06:46:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=pF57fNjb; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=zx2c4.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229887AbiKFOky (ORCPT + 99 others); Sun, 6 Nov 2022 09:40:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57484 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229862AbiKFOkx (ORCPT ); Sun, 6 Nov 2022 09:40:53 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5321DDEFC for ; Sun, 6 Nov 2022 06:40:52 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E3D1660BFF for ; Sun, 6 Nov 2022 14:40:51 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C0948C433C1; Sun, 6 Nov 2022 14:40:50 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="pF57fNjb" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1667745648; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=uWi00VPzm/KSCY92/QWftOK8dxKg3xaPTW7cQ4Tl+kU=; b=pF57fNjbiYfBS+0yb5h7S6trb5F/WGCU1waHKdPnrxmM4+AeT7LNecLSYNxgurJ9Vj8DAB lOYrfsMBngpiA7YcYr0O/PAJos2AqqB39UdOWzaj3A2f4psBt4EUUOYelQk4l79nJEkxhw bXEPit+YyqSa7sc4YYTP2qEbWxysfrI= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 94f9f24a (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Sun, 6 Nov 2022 14:40:47 +0000 (UTC) Date: Sun, 6 Nov 2022 15:40:44 +0100 From: "Jason A. Donenfeld" To: Dominik Brodowski Cc: herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org, Ard Biesheuvel Subject: Re: [PATCH] hw_random: treat default_quality as a maximum and default to 1024 Message-ID: References: <20221104154230.52836-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Dominik, On Sun, Nov 06, 2022 at 08:05:25AM +0100, Dominik Brodowski wrote: > Am Fri, Nov 04, 2022 at 04:42:30PM +0100 schrieb Jason A. Donenfeld: > > Most hw_random devices return entropy which is assumed to be of full > > quality, but driver authors don't bother setting the quality knob. Some > > hw_random devices return less than full quality entropy, and then driver > > authors set the quality knob. Therefore, the entropy crediting should be > > opt-out rather than opt-in per-driver, to reflect the actual reality on > > the ground. > > > > For example, the two Raspberry Pi RNG drivers produce full entropy > > randomness, and both EDK2 and U-Boot's drivers for these treat them as > > such. The result is that EFI then uses these numbers and passes the to > > Linux, and Linux credits them as boot, thereby initializing the RNG. > > Yet, in Linux, the quality knob was never set to anything, and so on the > > chance that Linux is booted without EFI, nothing is ever credited. > > That's annoying. > > > > The same pattern appears to repeat itself throughout various drivers. In > > fact, very very few drivers have bothered setting quality=1024. > > > > So let's invert this logic. A hw_random struct's quality knob now > > controls the maximum quality a driver can produce, or 0 to specify 1024. > > Then, the module-wide switch called "default_quality" is changed to > > represent the maximum quality of any driver. By default it's 1024, and > > the quality of any particular driver is then given by: > > > > min(default_quality, rng->quality ?: 1024); > > > > This way, the user can still turn this off for weird reasons, yet we get > > proper crediting for relevant RNGs. > > Hm. Wouldn't we need to verify that 1024 is appropriate for all drivers > where the quality currently is not set? No, certainly not, and I think this sort of thought belies a really backwards attitude. Hardware RNGs are assumed to produce good randomness. Some manufacturers provide a caveat, "actually, we're giving raw entropy with only N bits quality", but for the ones who don't, the overarching assumption is that the bits are fully entropic. This is what's done every place else in the field, across operating systems, boot environments, firmwares, and otherwise. It's so much so, that both EDK2's EFI and U-Boot's DTB and U-Boot's EFI will use RNGs for which the Linux driver has an empty quality setting and provide output from these as fully entropic seeds to Linux. And why shouldn't they? It seems entirely reasonable to do, given very okay assumptions. But more generally, this fetishization of entropy estimation has got to come to a close at some point. It wasn't a very good idea in the first place to bake that into the heart of all the Linux RNG APIs, but here we are. Just consider how meaningless the count is: random.c will do some completely bogus hocus pocus with interrupt counting, with disk seeks, with input events, to draw a number out of hat. Or it will twiddle around with `struct timer_list` functions and count some entropy there, which is complete nonsense, but whatever, it's by and large "good enough". However, what we're talking about here are RNG hardware devices that say on the tin "hey I'm an RNG device", which is an infinitely better guarantee that we should count entropy from them (unless, of course, the tin also says, "only count half the bits", or whatever). I mention "good enough", because really, the more important thing here from the security angle is that we're getting bits into the RNG quite fast at boot, and we largely accomplish that now. The next important thing is getting the RNG initialized quickly so that userspace doesn't block. Adding hw_random to the equation makes perfect sense here. And, like RDRAND, there's still a switch to turn this off for lunatics who simply don't trust anything. So, no, the way hw_random is oriented now, the whole thing is backwards, in a way that's not reflected across the rest of the hardware RNG and OS ecosystem, and just results in a total waste. I think it's important that we don't hold up progress here. Jason