Re: [PATCH] random: add rng-seed= command line option
From: Theodore Y. Ts'o
Date: Tue Feb 11 2020 - 10:08:46 EST
On Mon, Feb 10, 2020 at 12:13:25PM +0000, Mark Brown wrote:
> > The second is that we're treating rng_seed as being magic, and if
> > someone tries to pass in something like rng_seed=0x7932dca76b51
> > because they didn't understand how rng_seed was going to work, it
> > would be surprising.
>
> We already have a kaslr-seed property on arm64 since we need a seed for
> KASLR *super* early, we could generalize that I guess but it's not clear
> to me that it's a good idea. One fun thing here is that the kernel
> command line is visible to userspace so we go and erase the seed from
> the command line after reading it.
This is exactly what this patch is doing, in fact (it is erasing the
seed from the command line).
> > My preference would be to pass in the random seed *not* on the
> > command-line at all, but as a separate parameter which is passed to
> > the bootloader, just as we pass in the device-tree, the initrd and the
> > command-line as separate things. The problem is that how we pass in
> > extra boot parameters is architecture specific, and how we might do it
> > for x86 is different than for arm64. So yeah, it's a bit more
> > inconvenient to do things that way; but I think it's also much
> > cleaner.
>
> Anything that requires boot protocol updates is going to be rather
> difficult to deploy for the use it'll likely get - as far as I can see
> we're basically just talking about the cases where there's some entropy
> source available to the bootloader that the kernel can't get at
> directly. With the arm64 kaslr-seed it's not clear that people are
> feeding actual entropy in there, they could be using something like the
> device serial number to give different layouts on different devices even
> if they can't get any useful entropy for boot to boot variation.
So here's one thing we could do; we could require something like:
rng_seed=<nr_bits>,<base-64 encoded string of 32 bytes>
... where the kernel parses rng_seed, and errors out if nr_bits is
greater than 256, and errors out if the base-64 encoded string is not
valid, and then replaces it with the SHA-256 hash of the rng seed,
base-64 encoded.
That way if there is a crappy handset which is just encoding the
device serial number, it becomes painfully obvious that someone is
cheating.
Is that overkill? Well, from my perspective, we're talking about an
industry that was willing to turn the CPU thermal safety limits when
certain benchmark applications were detected to be running, just to
gain a commercial advantage. So trust doesn't come easily to me, when
it comes to corporate desires of expediency. :-)
- Ted