1. 15 Jul, 2012 7 commits
    • Theodore Ts'o's avatar
      random: add new get_random_bytes_arch() function · c2557a30
      Theodore Ts'o authored
      Create a new function, get_random_bytes_arch() which will use the
      architecture-specific hardware random number generator if it is
      present.  Change get_random_bytes() to not use the HW RNG, even if it
      is avaiable.
      
      The reason for this is that the hw random number generator is fast (if
      it is present), but it requires that we trust the hardware
      manufacturer to have not put in a back door.  (For example, an
      increasing counter encrypted by an AES key known to the NSA.)
      
      It's unlikely that Intel (for example) was paid off by the US
      Government to do this, but it's impossible for them to prove otherwise
      --- especially since Bull Mountain is documented to use AES as a
      whitener.  Hence, the output of an evil, trojan-horse version of
      RDRAND is statistically indistinguishable from an RDRAND implemented
      to the specifications claimed by Intel.  Short of using a tunnelling
      electronic microscope to reverse engineer an Ivy Bridge chip and
      disassembling and analyzing the CPU microcode, there's no way for us
      to tell for sure.
      
      Since users of get_random_bytes() in the Linux kernel need to be able
      to support hardware systems where the HW RNG is not present, most
      time-sensitive users of this interface have already created their own
      cryptographic RNG interface which uses get_random_bytes() as a seed.
      So it's much better to use the HW RNG to improve the existing random
      number generator, by mixing in any entropy returned by the HW RNG into
      /dev/random's entropy pool, but to always _use_ /dev/random's entropy
      pool.
      
      This way we get almost of the benefits of the HW RNG without any
      potential liabilities.  The only benefits we forgo is the
      speed/performance enhancements --- and generic kernel code can't
      depend on depend on get_random_bytes() having the speed of a HW RNG
      anyway.
      
      For those places that really want access to the arch-specific HW RNG,
      if it is available, we provide get_random_bytes_arch().
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      c2557a30
    • Theodore Ts'o's avatar
      random: use the arch-specific rng in xfer_secondary_pool · e6d4947b
      Theodore Ts'o authored
      If the CPU supports a hardware random number generator, use it in
      xfer_secondary_pool(), where it will significantly improve things and
      where we can afford it.
      
      Also, remove the use of the arch-specific rng in
      add_timer_randomness(), since the call is significantly slower than
      get_cycles(), and we're much better off using it in
      xfer_secondary_pool() anyway.
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      e6d4947b
    • Theodore Ts'o's avatar
      net: feed /dev/random with the MAC address when registering a device · 7bf23575
      Theodore Ts'o authored
      Cc: David Miller <davem@davemloft.net>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      7bf23575
    • Theodore Ts'o's avatar
      usb: feed USB device information to the /dev/random driver · b04b3156
      Theodore Ts'o authored
      Send the USB device's serial, product, and manufacturer strings to the
      /dev/random driver to help seed its pools.
      
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Acked-by: default avatarGreg KH <greg@kroah.com>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      b04b3156
    • Linus Torvalds's avatar
      random: create add_device_randomness() interface · a2080a67
      Linus Torvalds authored
      Add a new interface, add_device_randomness() for adding data to the
      random pool that is likely to differ between two devices (or possibly
      even per boot).  This would be things like MAC addresses or serial
      numbers, or the read-out of the RTC. This does *not* add any actual
      entropy to the pool, but it initializes the pool to different values
      for devices that might otherwise be identical and have very little
      entropy available to them (particularly common in the embedded world).
      
      [ Modified by tytso to mix in a timestamp, since there may be some
        variability caused by the time needed to detect/configure the hardware
        in question. ]
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      a2080a67
    • Theodore Ts'o's avatar
      random: use lockless techniques in the interrupt path · 902c098a
      Theodore Ts'o authored
      The real-time Linux folks don't like add_interrupt_randomness() taking
      a spinlock since it is called in the low-level interrupt routine.
      This also allows us to reduce the overhead in the fast path, for the
      random driver, which is the interrupt collection path.
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      902c098a
    • Theodore Ts'o's avatar
      random: make 'add_interrupt_randomness()' do something sane · 775f4b29
      Theodore Ts'o authored
      We've been moving away from add_interrupt_randomness() for various
      reasons: it's too expensive to do on every interrupt, and flooding the
      CPU with interrupts could theoretically cause bogus floods of entropy
      from a somewhat externally controllable source.
      
      This solves both problems by limiting the actual randomness addition
      to just once a second or after 64 interrupts, whicever comes first.
      During that time, the interrupt cycle data is buffered up in a per-cpu
      pool.  Also, we make sure the the nonblocking pool used by urandom is
      initialized before we start feeding the normal input pool.  This
      assures that /dev/urandom is returning unpredictable data as soon as
      possible.
      
      (Based on an original patch by Linus, but significantly modified by
      tytso.)
      Tested-by: default avatarEric Wustrow <ewust@umich.edu>
      Reported-by: default avatarEric Wustrow <ewust@umich.edu>
      Reported-by: default avatarNadia Heninger <nadiah@cs.ucsd.edu>
      Reported-by: default avatarZakir Durumeric <zakir@umich.edu>
      Reported-by: J. Alex Halderman <jhalderm@umich.edu>.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      775f4b29
  2. 06 Jul, 2012 1 commit
  3. 30 Jun, 2012 13 commits
  4. 29 Jun, 2012 13 commits
  5. 28 Jun, 2012 6 commits