Commit f6238499 authored by Jason A. Donenfeld's avatar Jason A. Donenfeld

random: split initialization into early step and later step

The full RNG initialization relies on some timestamps, made possible
with initialization functions like time_init() and timekeeping_init().
However, these are only available rather late in initialization.
Meanwhile, other things, such as memory allocator functions, make use of
the RNG much earlier.

So split RNG initialization into two phases. We can provide arch
randomness very early on, and then later, after timekeeping and such are
available, initialize the rest.

This ensures that, for example, slabs are properly randomized if RDRAND
is available. Without this, CONFIG_SLAB_FREELIST_RANDOM=y loses a degree
of its security, because its random seed is potentially deterministic,
since it hasn't yet incorporated RDRAND. It also makes it possible to
use a better seed in kfence, which currently relies on only the cycle
counter.

Another positive consequence is that on systems with RDRAND, running
with CONFIG_WARN_ALL_UNSEEDED_RANDOM=y results in no warnings at all.

One subtle side effect of this change is that on systems with no RDRAND,
RDTSC is now only queried by random_init() once, committing the moment
of the function call, instead of multiple times as before. This is
intentional, as the multiple RDTSCs in a loop before weren't
accomplishing very much, with jitter being better provided by
try_to_generate_entropy(). Plus, filling blocks with RDTSC is still
being done in extract_entropy(), which is necessarily called before
random bytes are served anyway.

Cc: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Reviewed-by: default avatarDominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
parent 748bc4dd
...@@ -772,18 +772,13 @@ static int random_pm_notification(struct notifier_block *nb, unsigned long actio ...@@ -772,18 +772,13 @@ static int random_pm_notification(struct notifier_block *nb, unsigned long actio
static struct notifier_block pm_notifier = { .notifier_call = random_pm_notification }; static struct notifier_block pm_notifier = { .notifier_call = random_pm_notification };
/* /*
* The first collection of entropy occurs at system boot while interrupts * This is called extremely early, before time keeping functionality is
* are still turned off. Here we push in latent entropy, RDSEED, a timestamp, * available, but arch randomness is. Interrupts are not yet enabled.
* utsname(), and the command line. Depending on the above configuration knob,
* RDSEED may be considered sufficient for initialization. Note that much
* earlier setup may already have pushed entropy into the input pool by the
* time we get here.
*/ */
int __init random_init(const char *command_line) void __init random_init_early(const char *command_line)
{ {
ktime_t now = ktime_get_real();
size_t i, longs, arch_bits;
unsigned long entropy[BLAKE2S_BLOCK_SIZE / sizeof(long)]; unsigned long entropy[BLAKE2S_BLOCK_SIZE / sizeof(long)];
size_t i, longs, arch_bits;
#if defined(LATENT_ENTROPY_PLUGIN) #if defined(LATENT_ENTROPY_PLUGIN)
static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy; static const u8 compiletime_seed[BLAKE2S_BLOCK_SIZE] __initconst __latent_entropy;
...@@ -803,34 +798,49 @@ int __init random_init(const char *command_line) ...@@ -803,34 +798,49 @@ int __init random_init(const char *command_line)
i += longs; i += longs;
continue; continue;
} }
entropy[0] = random_get_entropy();
_mix_pool_bytes(entropy, sizeof(*entropy));
arch_bits -= sizeof(*entropy) * 8; arch_bits -= sizeof(*entropy) * 8;
++i; ++i;
} }
_mix_pool_bytes(&now, sizeof(now));
_mix_pool_bytes(utsname(), sizeof(*(utsname())));
_mix_pool_bytes(command_line, strlen(command_line)); _mix_pool_bytes(command_line, strlen(command_line));
/* Reseed if already seeded by earlier phases. */
if (crng_ready())
crng_reseed();
else if (trust_cpu)
_credit_init_bits(arch_bits);
}
/*
* This is called a little bit after the prior function, and now there is
* access to timestamps counters. Interrupts are not yet enabled.
*/
void __init random_init(void)
{
unsigned long entropy = random_get_entropy();
ktime_t now = ktime_get_real();
_mix_pool_bytes(utsname(), sizeof(*(utsname())));
_mix_pool_bytes(&now, sizeof(now));
_mix_pool_bytes(&entropy, sizeof(entropy));
add_latent_entropy(); add_latent_entropy();
/* /*
* If we were initialized by the bootloader before jump labels are * If we were initialized by the cpu or bootloader before jump labels
* initialized, then we should enable the static branch here, where * are initialized, then we should enable the static branch here, where
* it's guaranteed that jump labels have been initialized. * it's guaranteed that jump labels have been initialized.
*/ */
if (!static_branch_likely(&crng_is_ready) && crng_init >= CRNG_READY) if (!static_branch_likely(&crng_is_ready) && crng_init >= CRNG_READY)
crng_set_ready(NULL); crng_set_ready(NULL);
/* Reseed if already seeded by earlier phases. */
if (crng_ready()) if (crng_ready())
crng_reseed(); crng_reseed();
else if (trust_cpu)
_credit_init_bits(arch_bits);
WARN_ON(register_pm_notifier(&pm_notifier)); WARN_ON(register_pm_notifier(&pm_notifier));
WARN(!random_get_entropy(), "Missing cycle counter and fallback timer; RNG " WARN(!entropy, "Missing cycle counter and fallback timer; RNG "
"entropy collection will consequently suffer."); "entropy collection will consequently suffer.");
return 0;
} }
/* /*
......
...@@ -72,7 +72,8 @@ static inline unsigned long get_random_canary(void) ...@@ -72,7 +72,8 @@ static inline unsigned long get_random_canary(void)
return get_random_long() & CANARY_MASK; return get_random_long() & CANARY_MASK;
} }
int __init random_init(const char *command_line); void __init random_init_early(const char *command_line);
void __init random_init(void);
bool rng_is_initialized(void); bool rng_is_initialized(void);
int wait_for_random_bytes(void); int wait_for_random_bytes(void);
......
...@@ -976,6 +976,9 @@ asmlinkage __visible void __init __no_sanitize_address start_kernel(void) ...@@ -976,6 +976,9 @@ asmlinkage __visible void __init __no_sanitize_address start_kernel(void)
parse_args("Setting extra init args", extra_init_args, parse_args("Setting extra init args", extra_init_args,
NULL, 0, -1, -1, NULL, set_init_arg); NULL, 0, -1, -1, NULL, set_init_arg);
/* Architectural and non-timekeeping rng init, before allocator init */
random_init_early(command_line);
/* /*
* These use large bootmem allocations and must precede * These use large bootmem allocations and must precede
* kmem_cache_init() * kmem_cache_init()
...@@ -1035,17 +1038,13 @@ asmlinkage __visible void __init __no_sanitize_address start_kernel(void) ...@@ -1035,17 +1038,13 @@ asmlinkage __visible void __init __no_sanitize_address start_kernel(void)
hrtimers_init(); hrtimers_init();
softirq_init(); softirq_init();
timekeeping_init(); timekeeping_init();
kfence_init();
time_init(); time_init();
/* /* This must be after timekeeping is initialized */
* For best initial stack canary entropy, prepare it after: random_init();
* - setup_arch() for any UEFI RNG entropy and boot cmdline access
* - timekeeping_init() for ktime entropy used in random_init() /* These make use of the fully initialized rng */
* - time_init() for making random_get_entropy() work on some platforms kfence_init();
* - random_init() to initialize the RNG from from early entropy sources
*/
random_init(command_line);
boot_init_stack_canary(); boot_init_stack_canary();
perf_event_init(); perf_event_init();
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment