Re: [PATCH] random: skip fast_init if hwrng provides large chunk of entropy

From: Dominik Brodowski
Date: Tue Mar 22 2022 - 02:45:04 EST


Am Mon, Mar 21, 2022 at 06:52:56PM -0600 schrieb Jason A. Donenfeld:
> At boot time, EFI calls add_bootloader_randomness(), which in turn calls
> add_hwgenerator_randomness(). Currently add_hwgenerator_randomness()
> feeds the first 64 bytes of randomness to the "fast init"
> non-crypto-grade phase. But if add_hwgenerator_randomness() gets called
> with more than POOL_MIN_BITS of entropy, there's no point in passing it
> off to the "fast init" stage, since that's enough entropy to bootstrap
> the real RNG.

Well, so far, we need 64 bytes input to the fast init stage, and then
further 32 bytes of randomness to proceed to full init, and we used to mix
the former into the latter, which provided for some sort of extra margin.
But as we don't seem to do that any more (mixing some of base_crng back into
the input_pool), that exercise may have become pointless.

However, it's noteworthy that then CONFIG_RANDOM_TRUST_BOOTLOADER really
means trusting it to possibly being the only source for the first generation
of base_crng. In the past, EFI-provided randnomness never was sufficient to
progress crng_init to 2.

Therefore, I am a bit torn about this patch.

Thanks,
Dominik


NB: As POOL_MIN_BITS equals POOL_BITS, there's some room for cleanup. For
example, entropy_count cannot become larger than POOL_MIN_BITS in
credit_entropy_bits(), AFAICS.