[PATCH] random: use urandom instead of random for now and speed up crng init

From: Sultan Alsawaf
Date: Tue May 01 2018 - 20:36:17 EST


With the fixes for CVE-2018-1108, /dev/random now requires user-provided
entropy on quite a few machines lacking high levels of boot entropy
in order to complete its initialization. This causes issues on environments
where userspace depends on /dev/random in order to finish booting
completely (i.e., userspace will remain stuck, unable to boot, waiting for
entropy more-or-less indefinitely until the user provides it via something
like keystrokes or mouse movements).

As a temporary workaround, redirect /dev/random to /dev/urandom instead,
and speed up the initialization process by slightly relaxing the
threshold for interrupts to go towards adding one bit of entropy credit
(only until initialization is complete).

Signed-off-by: Sultan Alsawaf <sultanxda@xxxxxxxxx>
---
drivers/char/mem.c | 3 ++-
drivers/char/random.c | 9 ++++++---
2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index ffeb60d3434c..cc9507f01c79 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -870,7 +870,8 @@ static const struct memdev {
#endif
[5] = { "zero", 0666, &zero_fops, 0 },
[7] = { "full", 0666, &full_fops, 0 },
- [8] = { "random", 0666, &random_fops, 0 },
+ /* Redirect /dev/random to /dev/urandom until /dev/random is fixed */
+ [8] = { "random", 0666, &urandom_fops, 0 },
[9] = { "urandom", 0666, &urandom_fops, 0 },
#ifdef CONFIG_PRINTK
[11] = { "kmsg", 0644, &kmsg_fops, 0 },
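Review bot: The swap of &random_fops for &urandom_fops at minor 8 is unconditional, so every reader of /dev/random loses the wait-for-entropy behaviour, including on machines that never hit the boot stall described in the changelog. The comment says "until /dev/random is fixed", but nothing in the hunk ties the redirect to that condition or lets an administrator turn it off. Consider gating it behind a config option or boot parameter that defaults to the existing behaviour, and documenting that software which opens /dev/random specifically to block until initialization completes will no longer get that guarantee.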
diff --git a/drivers/char/random.c b/drivers/char/random.c
index d9e38523b383..bce3b43cdd3b 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1200,9 +1200,12 @@ void add_interrupt_randomness(int irq)
return;
}

- if ((fast_pool->count < 64) &&
- !time_after(now, fast_pool->last + HZ))
- return;
+ if (fast_pool->count < 64) {
+ unsigned long timeout = crng_ready() ? HZ : HZ / 4;
+
+ if (!time_after(now, fast_pool->last + timeout))
+ return;
+ }

r = &input_pool;
if (!spin_trylock(&r->lock))
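Review bot: The HZ / 4 timeout chosen when crng_ready() is false has no comment or stated rationale, and it lowers the bar for flushing fast_pool exactly during the window before initialization completes. With fast_pool->count below 64, the pool can now be mixed in a quarter of a second after fast_pool->last instead of a full second, so the one bit of credit the changelog mentions may be granted on the basis of fewer interrupt samples. Please justify the factor of 4 (for example with measurements of boot time and of the sample counts seen at flush), give it a named constant, and add a comment explaining why the relaxed threshold is acceptable only before crng_ready().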
--
2.14.1