
Commit 2c946656 authored by Jason A. Donenfeld, committed by Greg Kroah-Hartman

random: treat bootloader trust toggle the same way as cpu trust toggle



commit d97c68d178fbf8aaaf21b69b446f2dfb13909316 upstream.

If CONFIG_RANDOM_TRUST_CPU is set, the RNG initializes using RDRAND.
But, the user can disable (or enable) this behavior by setting
`random.trust_cpu=0/1` on the kernel command line. This allows system
builders to do reasonable things while avoiding howls from tinfoil
hatters. (Or vice versa.)

CONFIG_RANDOM_TRUST_BOOTLOADER is basically the same thing, but regards
the seed passed via EFI or device tree, which might come from RDRAND or
a TPM or somewhere else. In order to allow distros to more easily enable
this while avoiding those same howls (or vice versa), this commit adds
the corresponding `random.trust_bootloader=0/1` toggle.

Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Graham Christensen <graham@grahamc.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Dominik Brodowski <linux@dominikbrodowski.net>
Link: https://github.com/NixOS/nixpkgs/pull/165355

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 3696671a
+6 −0
@@ -3697,6 +3697,12 @@
			fully seed the kernel's CRNG. Default is controlled
			by CONFIG_RANDOM_TRUST_CPU.

	random.trust_bootloader={on,off}
			[KNL] Enable or disable trusting the use of a
			seed passed by the bootloader (if available) to
			fully seed the kernel's CRNG. Default is controlled
			by CONFIG_RANDOM_TRUST_BOOTLOADER.

	ras=option[,option,...]	[KNL] RAS-specific options

		cec_disable	[X86]
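Review bot: the documented syntax `random.trust_bootloader={on,off}` does not match the `random.trust_bootloader=0/1` form used in the commit message. Because the parser added in random.c goes through kstrtobool(), which accepts 0/1 and y/n as well as on/off, both spellings work, but this entry should say so (or the commit message should use the documented form) so administrators are not left guessing which values are valid. Mirroring the existing `random.trust_cpu` entry word for word is the right consistency to keep.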
+2 −1
@@ -576,4 +576,5 @@ config RANDOM_TRUST_BOOTLOADER
	device randomness. Say Y here to assume the entropy provided by the
	booloader is trustworthy so it will be added to the kernel's entropy
	pool. Otherwise, say N here so it will be regarded as device input that
	only mixes the entropy pool.
 No newline at end of file
	only mixes the entropy pool. This can also be configured at boot with
	"random.trust_bootloader=on/off".
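Review bot: the unchanged context line above carries the pre-existing typo `booloader` ("the entropy provided by the booloader"); since this paragraph is already being edited, it is worth fixing in the same change. The added sentence correctly points at the new boot parameter using the `on/off` spelling from kernel-parameters.txt.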
+7 −1
@@ -940,11 +940,17 @@ static bool drain_entropy(void *buf, size_t nbytes)
 **********************************************************************/

static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
static bool trust_bootloader __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER);
static int __init parse_trust_cpu(char *arg)
{
	return kstrtobool(arg, &trust_cpu);
}
static int __init parse_trust_bootloader(char *arg)
{
	return kstrtobool(arg, &trust_bootloader);
}
early_param("random.trust_cpu", parse_trust_cpu);
early_param("random.trust_bootloader", parse_trust_bootloader);

/*
 * The first collection of entropy occurs at system boot while interrupts
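Review bot: `trust_bootloader` mirrors `trust_cpu` exactly (same `__ro_after_init` storage, same `IS_ENABLED()` default, same kstrtobool() parser), which is good, but neither variable carries a comment. A one-line comment stating that both flags are decided once from the command line and are read-only afterwards would document the property the `__ro_after_init` annotation is relying on, and a blank line between the two declarations and the parser functions would match the surrounding style.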
@@ -1152,7 +1158,7 @@ EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
 */
void add_bootloader_randomness(const void *buf, size_t size)
{
	if (IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER))
	if (trust_bootloader)
		add_hwgenerator_randomness(buf, size, size * 8);
	else
		add_device_randomness(buf, size);
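Review bot: replacing the compile-time `IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER)` check with the runtime `trust_bootloader` flag makes the outcome depend on when add_bootloader_randomness() runs relative to early parameter parsing. If a device-tree or EFI seed is handed over before `random.trust_bootloader` has been parsed, the function silently falls back to the compiled-in default, so please confirm the ordering on each architecture that reaches this path, or document the limitation in the comment block above the function. The else branch keeps the conservative behaviour of mixing the seed without crediting entropy, which is the right fallback.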