Re: Hashed pointer issues

From: Kees Cook
Date: Mon Apr 30 2018 - 14:39:22 EST


On Mon, Apr 30, 2018 at 10:01 AM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Mon, Apr 30, 2018 at 9:57 AM Linus Torvalds <
> torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> Although in *practice* we'd have tons of entropy on any modern development
>> CPU too, since any new hardware will have the hardware random number
>> generation. Some overly cautious person might not trust it, of course.
>
> In fact, maybe that's the right policy. Avoid a boot-time parameter by just
> saying
>
> "if you have hardware random number generation, we can fill entropy
> immediately"

Something like this? (Untested.)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 30c0cb8cc9bc..2d8615f14dc9 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -1672,9 +1672,8 @@ char *pointer_string(char *buf, char *end, const
void *ptr,
static bool have_filled_random_ptr_key __read_mostly;
static siphash_key_t ptr_key __read_mostly;

-static void fill_random_ptr_key(struct random_ready_callback *unused)
+static void ptr_key_ready(void)
{
- get_random_bytes(&ptr_key, sizeof(ptr_key));
/*
* have_filled_random_ptr_key==true is dependent on get_random_bytes().
* ptr_to_id() needs to see have_filled_random_ptr_key==true
@@ -1684,14 +1683,28 @@ static void fill_random_ptr_key(struct
random_ready_callback *unused)
WRITE_ONCE(have_filled_random_ptr_key, true);
}

+static void fill_random_ptr_key(struct random_ready_callback *unused)
+{
+ get_random_bytes(&ptr_key, sizeof(ptr_key));
+ ptr_key_ready();
+}
+
static struct random_ready_callback random_ready = {
.func = fill_random_ptr_key
};

static int __init initialize_ptr_random(void)
{
- int ret = add_random_ready_callback(&random_ready);
+ int ret;
+
+ /* If we have hw RNG, start hashing immediately. */
+ if (arch_has_random()) {
+ get_random_bytes_arch(&ptr_key, sizeof(ptr_key));
+ ptr_key_ready();
+ return 0;
+ }

+ ret = add_random_ready_callback(&random_ready);
if (!ret) {
return 0;
} else if (ret == -EALREADY) {


>
> No kernel command line needed in practice any more. That's assuming any
> kernel developer will have an IvyBridge or newer.
>
> The "I don't trust my hardware" people can still disable that with
> "nordrand".
>
> Hmm?
>
> Linus



--
Kees Cook
Pixel Security