Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp1324314rwb; Sun, 6 Nov 2022 23:41:19 -0800 (PST) X-Google-Smtp-Source: AMsMyM56tAVw+Y+puo9vt8/eJnRN1cpOfILmDy6FlsDfTvcIWwimrnMhczlsXLHcStwIa9zRIvcq X-Received: by 2002:a62:fb0f:0:b0:56d:78af:993 with SMTP id x15-20020a62fb0f000000b0056d78af0993mr40436600pfm.7.1667806879475; Sun, 06 Nov 2022 23:41:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1667806879; cv=none; d=google.com; s=arc-20160816; b=wXb4bE3pu2Hz6Ucro+Q1eGUPEvtQnsUb7iNlUVQkT0Cv07KXQO87E/NqSi8awMNF6u oIyUCSZxZmlK02jkPpAOiVdASDKsA0gAKKzZ4QbEhsYfpBZUDxVWywOfLwsdpCN1JYl2 sQAMHz5NCv5mXrHTa2/Rt2LP+05G+6tHE0bRpP3C13G+79zWJplcitU+LkBxLBssaxV1 flVjm2UUTa3qIWDf9imFHo9RDWgIXlA51vW297TJA2eoTnciWnBhH6I1y/o9fRBEHI02 YF9ZKIuNghqtzIrtTV43UtXKz7CV9vHaqobUVzCHtQtzyLHWbgKL9LW05TZUfJhrlp39 4IHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=wv/nMr4YaaUFfF7POBGDMFnVvljx1oN2x5jrCCuirYM=; b=HQb6+fR5C8brV8czW1hVk8Rh9CanxnXuXQMgYaQE+UqzcsYc/bOGWtQ/GmQHQM1psn 7qmR/StVlrWAtbs5mjuTyvJFEOO/BIoIrlJ6gZ6+0tk4vq9e5ne+WvILxRv2Qf+Xb7Ir wPfG/URHLFX6U6fSHiIiWrYRXqqI4YnJetk7m31X4fOuSK8va7JStpHQHVQw08XC/AaZ R8yIrIonmnnuTsopYfJLkrnDh3N7BxB18gGPr16fTJXvPGT2kN/u5hVZC4GFFY8yfMTC CbWfnFT++9WvJI/0uLq/lyW70Zmy+DhYDuawWjVe6kR809GZruFsP1xr5FoU9Uy1mDrn uooA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g11-20020a170902934b00b00186e8526793si8655137plp.143.2022.11.06.23.40.57; Sun, 06 Nov 2022 23:41:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231201AbiKGHjc (ORCPT + 99 others); Mon, 7 Nov 2022 02:39:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46792 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231152AbiKGHjb (ORCPT ); Mon, 7 Nov 2022 02:39:31 -0500 Received: from isilmar-4.linta.de (isilmar-4.linta.de [136.243.71.142]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C9417CFF for ; Sun, 6 Nov 2022 23:39:30 -0800 (PST) X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES X-isilmar-external: YES Received: from owl.dominikbrodowski.net (owl.brodo.linta [10.2.0.111]) by isilmar-4.linta.de (Postfix) with ESMTPSA id D3B212014B3; Mon, 7 Nov 2022 07:39:28 +0000 (UTC) Received: by owl.dominikbrodowski.net (Postfix, from userid 1000) id 6542D806D2; Mon, 7 Nov 2022 08:35:02 +0100 (CET) Date: Mon, 7 Nov 2022 08:35:02 +0100 From: Dominik Brodowski To: "Jason A. Donenfeld" Cc: herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org, Ard Biesheuvel Subject: Re: [PATCH] hw_random: treat default_quality as a maximum and default to 1024 Message-ID: References: <20221104154230.52836-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Jason, Am Sun, Nov 06, 2022 at 03:40:44PM +0100 schrieb Jason A. Donenfeld: > On Sun, Nov 06, 2022 at 08:05:25AM +0100, Dominik Brodowski wrote: > > Am Fri, Nov 04, 2022 at 04:42:30PM +0100 schrieb Jason A. Donenfeld: > > > Most hw_random devices return entropy which is assumed to be of full > > > quality, but driver authors don't bother setting the quality knob. Some > > > hw_random devices return less than full quality entropy, and then driver > > > authors set the quality knob. Therefore, the entropy crediting should be > > > opt-out rather than opt-in per-driver, to reflect the actual reality on > > > the ground. > > > > > > For example, the two Raspberry Pi RNG drivers produce full entropy > > > randomness, and both EDK2 and U-Boot's drivers for these treat them as > > > such. The result is that EFI then uses these numbers and passes the to > > > Linux, and Linux credits them as boot, thereby initializing the RNG. > > > Yet, in Linux, the quality knob was never set to anything, and so on the > > > chance that Linux is booted without EFI, nothing is ever credited. > > > That's annoying. > > > > > > The same pattern appears to repeat itself throughout various drivers. In > > > fact, very very few drivers have bothered setting quality=1024. > > > > > > So let's invert this logic. A hw_random struct's quality knob now > > > controls the maximum quality a driver can produce, or 0 to specify 1024. > > > Then, the module-wide switch called "default_quality" is changed to > > > represent the maximum quality of any driver. By default it's 1024, and > > > the quality of any particular driver is then given by: > > > > > > min(default_quality, rng->quality ?: 1024); > > > > > > This way, the user can still turn this off for weird reasons, yet we get > > > proper crediting for relevant RNGs. > > > > Hm. Wouldn't we need to verify that 1024 is appropriate for all drivers > > where the quality currently is not set? > > No, certainly not, and I think this sort of thought belies a really > backwards attitude. Hardware RNGs are assumed to produce good > randomness. Some manufacturers provide a caveat, "actually, we're giving > raw entropy with only N bits quality", but for the ones who don't, the > overarching assumption is that the bits are fully entropic. My point is not about the 1024 as an exact value, it's more about "do the driver and the hardware really provide _something_ sensible or not". In the past, the default mode as to feed the output of hw_rng devies to some userspace daemon, which then tried to verify that the device works as expected, and then feeded the data back to the crng core. This userspace indirection is largely removed already (in particular by a patch of mine which starts up the hwrng kernel thread also for devices with quality==0) once the crng is fully initialized, on the rationale that even bad quality data will do no harm. Yet, we may need to be a tad more careful whether or not to trust devices for the initial seeding of the crng. Thanks, Dominik