random: suppress spammy warnings about unseeded randomness

Unfortunately, on some models of some architectures getting a fully
seeded CRNG is extremely difficult, and so this can result in dmesg
getting spammed for a surprisingly long time.  This is really bad from
a security perspective, and so architecture maintainers really need to
do what they can to get the CRNG seeded sooner after the system is
booted.  However, users can't do anything actionble to address this,
and spamming the kernel messages log will only just annoy people.

For developers who want to work on improving this situation,
CONFIG_WARN_UNSEEDED_RANDOM has been renamed to
CONFIG_WARN_ALL_UNSEEDED_RANDOM.  By default the kernel will always
print the first use of unseeded randomness.  This way, hopefully the
security obsessed will be happy that there is _some_ indication when
the kernel boots there may be a potential issue with that architecture
or subarchitecture.  To see all uses of unseeded randomness,
developers can enable CONFIG_WARN_ALL_UNSEEDED_RANDOM.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
This commit is contained in:
Theodore Ts'o 2017-06-08 04:16:59 -04:00
Родитель d06bfd1989
Коммит eecabf5674
2 изменённых файлов: 57 добавлений и 23 удалений

Просмотреть файл

@ -436,6 +436,7 @@ static void _extract_crng(struct crng_state *crng,
static void _crng_backtrack_protect(struct crng_state *crng, static void _crng_backtrack_protect(struct crng_state *crng,
__u8 tmp[CHACHA20_BLOCK_SIZE], int used); __u8 tmp[CHACHA20_BLOCK_SIZE], int used);
static void process_random_ready_list(void); static void process_random_ready_list(void);
static void _get_random_bytes(void *buf, int nbytes);
/********************************************************************** /**********************************************************************
* *
@ -776,7 +777,7 @@ static void crng_initialize(struct crng_state *crng)
_extract_entropy(&input_pool, &crng->state[4], _extract_entropy(&input_pool, &crng->state[4],
sizeof(__u32) * 12, 0); sizeof(__u32) * 12, 0);
else else
get_random_bytes(&crng->state[4], sizeof(__u32) * 12); _get_random_bytes(&crng->state[4], sizeof(__u32) * 12);
for (i = 4; i < 16; i++) { for (i = 4; i < 16; i++) {
if (!arch_get_random_seed_long(&rv) && if (!arch_get_random_seed_long(&rv) &&
!arch_get_random_long(&rv)) !arch_get_random_long(&rv))
@ -1466,6 +1467,30 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
return ret; return ret;
} }
#define warn_unseeded_randomness(previous) \
_warn_unseeded_randomness(__func__, (void *) _RET_IP_, (previous))
static void _warn_unseeded_randomness(const char *func_name, void *caller,
void **previous)
{
#ifdef CONFIG_WARN_ALL_UNSEEDED_RANDOM
const bool print_once = false;
#else
static bool print_once __read_mostly;
#endif
if (print_once ||
crng_ready() ||
(previous && (caller == READ_ONCE(*previous))))
return;
WRITE_ONCE(*previous, caller);
#ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM
print_once = true;
#endif
pr_notice("random: %s called from %pF with crng_init=%d\n",
func_name, caller, crng_init);
}
/* /*
* This function is the exported kernel interface. It returns some * This function is the exported kernel interface. It returns some
* number of good random numbers, suitable for key generation, seeding * number of good random numbers, suitable for key generation, seeding
@ -1476,15 +1501,10 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
* wait_for_random_bytes() should be called and return 0 at least once * wait_for_random_bytes() should be called and return 0 at least once
* at any point prior. * at any point prior.
*/ */
void get_random_bytes(void *buf, int nbytes) static void _get_random_bytes(void *buf, int nbytes)
{ {
__u8 tmp[CHACHA20_BLOCK_SIZE]; __u8 tmp[CHACHA20_BLOCK_SIZE];
#ifdef CONFIG_WARN_UNSEEDED_RANDOM
if (!crng_ready())
printk(KERN_NOTICE "random: %pF get_random_bytes called "
"with crng_init = %d\n", (void *) _RET_IP_, crng_init);
#endif
trace_get_random_bytes(nbytes, _RET_IP_); trace_get_random_bytes(nbytes, _RET_IP_);
while (nbytes >= CHACHA20_BLOCK_SIZE) { while (nbytes >= CHACHA20_BLOCK_SIZE) {
@ -1501,6 +1521,14 @@ void get_random_bytes(void *buf, int nbytes)
crng_backtrack_protect(tmp, CHACHA20_BLOCK_SIZE); crng_backtrack_protect(tmp, CHACHA20_BLOCK_SIZE);
memzero_explicit(tmp, sizeof(tmp)); memzero_explicit(tmp, sizeof(tmp));
} }
void get_random_bytes(void *buf, int nbytes)
{
static void *previous;
warn_unseeded_randomness(&previous);
_get_random_bytes(buf, nbytes);
}
EXPORT_SYMBOL(get_random_bytes); EXPORT_SYMBOL(get_random_bytes);
/* /*
@ -2064,6 +2092,7 @@ u64 get_random_u64(void)
bool use_lock = READ_ONCE(crng_init) < 2; bool use_lock = READ_ONCE(crng_init) < 2;
unsigned long flags = 0; unsigned long flags = 0;
struct batched_entropy *batch; struct batched_entropy *batch;
static void *previous;
#if BITS_PER_LONG == 64 #if BITS_PER_LONG == 64
if (arch_get_random_long((unsigned long *)&ret)) if (arch_get_random_long((unsigned long *)&ret))
@ -2074,11 +2103,7 @@ u64 get_random_u64(void)
return ret; return ret;
#endif #endif
#ifdef CONFIG_WARN_UNSEEDED_RANDOM warn_unseeded_randomness(&previous);
if (!crng_ready())
printk(KERN_NOTICE "random: %pF get_random_u64 called "
"with crng_init = %d\n", (void *) _RET_IP_, crng_init);
#endif
batch = &get_cpu_var(batched_entropy_u64); batch = &get_cpu_var(batched_entropy_u64);
if (use_lock) if (use_lock)
@ -2102,15 +2127,12 @@ u32 get_random_u32(void)
bool use_lock = READ_ONCE(crng_init) < 2; bool use_lock = READ_ONCE(crng_init) < 2;
unsigned long flags = 0; unsigned long flags = 0;
struct batched_entropy *batch; struct batched_entropy *batch;
static void *previous;
if (arch_get_random_int(&ret)) if (arch_get_random_int(&ret))
return ret; return ret;
#ifdef CONFIG_WARN_UNSEEDED_RANDOM warn_unseeded_randomness(&previous);
if (!crng_ready())
printk(KERN_NOTICE "random: %pF get_random_u32 called "
"with crng_init = %d\n", (void *) _RET_IP_, crng_init);
#endif
batch = &get_cpu_var(batched_entropy_u32); batch = &get_cpu_var(batched_entropy_u32);
if (use_lock) if (use_lock)

Просмотреть файл

@ -1209,10 +1209,9 @@ config STACKTRACE
It is also used by various kernel debugging features that require It is also used by various kernel debugging features that require
stack trace generation. stack trace generation.
config WARN_UNSEEDED_RANDOM config WARN_ALL_UNSEEDED_RANDOM
bool "Warn when kernel uses unseeded randomness" bool "Warn for all uses of unseeded randomness"
default y default n
depends on DEBUG_KERNEL
help help
Some parts of the kernel contain bugs relating to their use of Some parts of the kernel contain bugs relating to their use of
cryptographically secure random numbers before it's actually possible cryptographically secure random numbers before it's actually possible
@ -1222,8 +1221,21 @@ config WARN_UNSEEDED_RANDOM
are going wrong, so that they might contact developers about fixing are going wrong, so that they might contact developers about fixing
it. it.
Say Y here, unless you simply do not care about using unseeded Unfortunately, on some models of some architectures getting
randomness and do not want a potential warning message in your logs. a fully seeded CRNG is extremely difficult, and so this can
result in dmesg getting spammed for a surprisingly long
time. This is really bad from a security perspective, and
so architecture maintainers really need to do what they can
to get the CRNG seeded sooner after the system is booted.
However, since users can not do anything actionble to
address this, by default the kernel will issue only a single
warning for the first use of unseeded randomness.
Say Y here if you want to receive warnings for all uses of
unseeded randomness. This will be of use primarily for
those developers interersted in improving the security of
Linux kernels running on their architecture (or
subarchitecture).
config DEBUG_KOBJECT config DEBUG_KOBJECT
bool "kobject debugging" bool "kobject debugging"