Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v3.14 2013-11-16T18:19:15Z 2013-11-16T18:19:15Z Linus Torvalds torvalds@linux-foundation.org 2013-11-16T18:19:15Z urn:sha1:0891ad829d2a0501053703df66029e843e3b8365 Pull /dev/random changes from Ted Ts'o: "The /dev/random changes for 3.13 including a number of improvements in the following areas: performance, avoiding waste of entropy, better tracking of entropy estimates, support for non-x86 platforms that have a register which can't be used for fine-grained timekeeping, but which might be good enough for the random driver. Also add some printk's so that we can see how quickly /dev/urandom can get initialized, and when programs try to use /dev/urandom before it is fully initialized (since this could be a security issue). This shouldn't be an issue on x86 desktop/laptops --- a test on my Lenovo T430s laptop shows that /dev/urandom is getting fully initialized approximately two seconds before the root file system is mounted read/write --- this may be an issue with ARM and MIPS embedded/mobile systems, though. These printk's will be a useful canary before potentially adding a future change to start blocking processes which try to read from /dev/urandom before it is initialized, which is something FreeBSD does already for security reasons, and which security folks have been agitating for Linux to also adopt" * tag 'random_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random: random: add debugging code to detect early use of get_random_bytes() random: initialize the last_time field in struct timer_rand_state random: don't zap entropy count in rand_initialize() random: printk notifications for urandom pool initialization random: make add_timer_randomness() fill the nonblocking pool first random: convert DEBUG_ENT to tracepoints random: push extra entropy to the output pools random: drop trickle mode random: adjust the generator polynomials in the mixing function slightly random: speed up the fast_mix function by a factor of four random: cap the rate which the /dev/urandom pool gets reseeded random: optimize the entropy_store structure random: optimize spinlock use in add_device_randomness() random: fix the tracepoint for get_random_bytes(_arch) random: account for entropy loss due to overwrites random: allow fractional bits to be tracked random: statically compute poolbitshift, poolbytes, poolbits random: mix in architectural randomness earlier in extract_buf() 2013-11-11T19:32:14Z Hannes Frederic Sowa hannes@stressinduktion.org 2013-11-11T11:20:34Z urn:sha1:4af712e8df998475736f3e2727701bd31e3751a9 The Tausworthe PRNG is initialized at late_initcall time. At that time the entropy pool serving get_random_bytes is not filled sufficiently. This patch adds an additional reseeding step as soon as the nonblocking pool gets marked as initialized. On some machines it might be possible that late_initcall gets called after the pool has been initialized. In this situation we won't reseed again. (A call to prandom_seed_late blocks later invocations of early reseed attempts.) Joint work with Daniel Borkmann. Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Acked-by: "Theodore Ts'o" <tytso@mit.edu> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-11-03T23:24:08Z Theodore Ts'o tytso@mit.edu 2013-11-03T23:24:08Z urn:sha1:392a546dc8368d1745f9891ef3f8f7c380de8650 Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> 2013-11-03T23:20:05Z Theodore Ts'o tytso@mit.edu 2013-11-03T21:40:53Z urn:sha1:644008df899ec252e78db28c1b6d6b86779aada8 Since we initialize jiffies to wrap five minutes before boot (see INITIAL_JIFFIES defined in include/linux/jiffies.h) it's important to make sure the last_time field is initialized to INITIAL_JIFFIES. Otherwise, the entropy estimator will overestimate the amount of entropy resulting from the first call to add_timer_randomness(), generally by about 8 bits. Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> 2013-11-03T23:18:49Z Theodore Ts'o tytso@mit.edu 2013-11-03T12:56:17Z urn:sha1:ae9ecd92ddabc250817baa7eb401df3cfbd4c2da The rand_initialize() function was being run fairly late in the kernel boot sequence. This was unfortunate, since it zero'ed the entropy counters, thus throwing away credit that was accumulated earlier in the boot sequence, and it also meant that initcall functions run before rand_initialize were using a minimally initialized pool. To fix this, fix init_std_data() to no longer zap the entropy counter; it wasn't necessary, and move rand_initialize() to be an early initcall. Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> 2013-11-03T23:18:48Z Theodore Ts'o tytso@mit.edu 2013-11-03T11:54:51Z urn:sha1:301f0595c0e788edacc3521c4caa90b4e56ffee1 Print a notification to the console when the nonblocking pool is initialized. Also printk a warning when a process tries reading from /dev/urandom before it is fully initialized. Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> 2013-11-03T23:18:47Z Theodore Ts'o tytso@mit.edu 2013-11-03T04:15:05Z urn:sha1:40db23e5337d99fda05ee6cd18034b516f8f123d Change add_timer_randomness() so that it directs incoming entropy to the nonblocking pool first if it hasn't been fully initialized yet. This matches the strategy we use in add_interrupt_randomness(), which allows us to push the randomness where we need it the most during when the system is first booting up, so that get_random_bytes() and /dev/urandom become safe to use as soon as possible. Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> 2013-10-10T19:31:43Z Linus Torvalds torvalds@linux-foundation.org 2013-10-10T19:31:43Z urn:sha1:f715729ee4cb666f51749f6cd86d06fff1e6e17b Pull /dev/random changes from Ted Ts'o: "These patches are designed to enable improvements to /dev/random for non-x86 platforms, in particular MIPS and ARM" * tag 'random_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random: random: allow architectures to optionally define random_get_entropy() random: run random_int_secret_init() run after all late_initcalls 2013-10-10T18:32:23Z Theodore Ts'o tytso@mit.edu 2013-10-03T16:02:37Z urn:sha1:f80bbd8b92987f55f26691cd53785c4a54622eb0 Instead of using the random driver's ad-hoc DEBUG_ENT() mechanism, use tracepoints instead. This allows for a much more fine-grained control of which debugging mechanism which a developer might need, and unifies the debugging messages with all of the existing tracepoints. Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> 2013-10-10T18:32:22Z Theodore Ts'o tytso@mit.edu 2013-10-03T05:08:15Z urn:sha1:6265e169cd313d6f3aad3c33d0a5b0d9624f69f5 As the input pool gets filled, start transfering entropy to the output pools until they get filled. This allows us to use the output pools to store more system entropy. Waste not, want not.... Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>