[PATCHv5] random: Make /dev/random wait for input_pool initialized
From: Bernd Edlinger
Date: Tue Feb 19 2019 - 12:09:07 EST
Reading from /dev/random may return data while the getrandom
syscall is still blocking.
Those bytes are not yet cryptographically secure.
The first byte from /dev/random can have as little
as 8 bits entropy estimation. Once a read blocks, it will
block until /proc/sys/kernel/random/read_wakeup_threshold
bits are available, which is usually 64 bits, but can be
configured as low as 8 bits. A select will wake up when
at least read_wakeup_threshold bits are available.
Also when constantly reading bytes out of /dev/random
it will prevent the crng init done event forever.
Furthermore previously the input_pool got initialized when
more than 128 bits of raw entropy are accumulated, but that
is only credited 80 bits of pool entroy. Therefore if
random_write_wakeup_bits is configured lower than 80 bits,
the code path that sends entropy to the blocking_pool can
get activated, before the CRNG is initialized and delays
the initialization of the CRNG until the blocking_pool is
filled to 75%.
Fixed by making read and select on /dev/random wait until
the input_pool is initialized which means that more than
128 bits of entropy have been fed into the input_pool.
This is guaranteed to happen after the CRNG is ready.
So after the first byte is readable from /dev/random
also /dev/urandom is guaranteed to be fully initialized.
Another minor tweak this patch makes, is when the primary
CRNG is periodically reseeded, we reserve twice the amount
of read_wakeup_threshold for fairness reasons, to keep
/dev/random readable when it is not accessed by user mode.
And finally, when the system runs for long times the jiffies
may roll over, but crng_global_init_time is not updated
when reseed every 5 minutes happens. This could cause
CRNG reseeding all the time, making the input_pool run
low on entropy which would make /dev/random block
unexpectedly.
Signed-off-by: Bernd Edlinger <bernd.edlinger@xxxxxxxxxx>
---
v4 makes the /dev/random block until the input_pool has
reached 128 bits of entropy at least once. Now make
everything depend on input_pool.initialized.
Additionally fixed a potential issue with jiffies roll
over in the CRNG reseeding logic, which would cause the
cgng_global_init_time to be in the future, causing
reseeding to happen all the time.
Finally added a fairness reserve to keep the /dev/random
in the readable state (select can check non-destructively),
when nothing but CRNG reseeding happens.
v5 adds one "&& crng_ready()" to fix a race condition.
---
drivers/char/random.c | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index bd449ad..652e024 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -645,6 +645,7 @@ static void process_random_ready_list(void)
static void credit_entropy_bits(struct entropy_store *r, int nbits)
{
int entropy_count, orig;
+ int entropy_bits;
const int pool_size = r->poolinfo->poolfracbits;
int nfrac = nbits << ENTROPY_SHIFT;
@@ -702,8 +703,9 @@ static void credit_entropy_bits(struct entropy_store *r, int nbits)
if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
goto retry;
+ entropy_bits = entropy_count >> ENTROPY_SHIFT;
r->entropy_total += nbits;
- if (!r->initialized && r->entropy_total > 128) {
+ if (!r->initialized && entropy_bits >= 128) {
r->initialized = 1;
r->entropy_total = 0;
}
@@ -713,8 +715,6 @@ static void credit_entropy_bits(struct entropy_store *r, int nbits)
r->entropy_total, _RET_IP_);
if (r == &input_pool) {
- int entropy_bits = entropy_count >> ENTROPY_SHIFT;
-
if (crng_init < 2 && entropy_bits >= 128) {
crng_reseed(&primary_crng, r);
entropy_bits = r->entropy_count >> ENTROPY_SHIFT;
@@ -722,10 +722,12 @@ static void credit_entropy_bits(struct entropy_store *r, int nbits)
/* should we wake readers? */
if (entropy_bits >= random_read_wakeup_bits &&
+ r->initialized &&
wq_has_sleeper(&random_read_wait)) {
wake_up_interruptible(&random_read_wait);
kill_fasync(&fasync, SIGIO, POLL_IN);
}
+
/* If the input pool is getting full, send some
* entropy to the blocking pool until it is 75% full.
*/
@@ -917,9 +919,11 @@ static void crng_reseed(struct crng_state *crng, struct entropy_store *r)
} buf;
if (r) {
- num = extract_entropy(r, &buf, 32, 16, 0);
+ num = extract_entropy(r, &buf, 32, 16, crng_ready()
+ ? random_read_wakeup_bits / 4 : 0);
if (num == 0)
return;
+ crng_global_init_time = jiffies;
} else {
_extract_crng(&primary_crng, buf.block);
_crng_backtrack_protect(&primary_crng, buf.block,
@@ -1652,7 +1656,7 @@ EXPORT_SYMBOL(get_random_bytes);
*/
int wait_for_random_bytes(void)
{
- if (likely(crng_ready()))
+ if (crng_ready())
return 0;
return wait_event_interruptible(crng_init_wait, crng_ready());
}
@@ -1826,7 +1830,9 @@ _random_read(int nonblock, char __user *buf, size_t nbytes)
nbytes = min_t(size_t, nbytes, SEC_XFER_SIZE);
while (1) {
- n = extract_entropy_user(&blocking_pool, buf, nbytes);
+ n = input_pool.initialized && crng_ready()
+ ? extract_entropy_user(&blocking_pool, buf, nbytes)
+ : 0;
if (n < 0)
return n;
trace_random_read(n*8, (nbytes-n)*8,
@@ -1840,6 +1846,7 @@ _random_read(int nonblock, char __user *buf, size_t nbytes)
return -EAGAIN;
wait_event_interruptible(random_read_wait,
+ input_pool.initialized &&
ENTROPY_BITS(&input_pool) >=
random_read_wakeup_bits);
if (signal_pending(current))
@@ -1884,7 +1891,8 @@ random_poll(struct file *file, poll_table * wait)
poll_wait(file, &random_read_wait, wait);
poll_wait(file, &random_write_wait, wait);
mask = 0;
- if (ENTROPY_BITS(&input_pool) >= random_read_wakeup_bits)
+ if (input_pool.initialized &&
+ ENTROPY_BITS(&input_pool) >= random_read_wakeup_bits)
mask |= EPOLLIN | EPOLLRDNORM;
if (ENTROPY_BITS(&input_pool) < random_write_wakeup_bits)
mask |= EPOLLOUT | EPOLLWRNORM;
--
2.7.4