1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #if defined(__i386__) || defined(__x86_64__)
10 #include <linux/random.h>
16 #include <sys/ioctl.h>
20 # include <sys/auxv.h>
23 #include "alloc-util.h"
24 #include "errno-util.h"
28 #include "missing_random.h"
29 #include "missing_syscall.h"
30 #include "parse-util.h"
31 #include "random-util.h"
32 #include "siphash24.h"
33 #include "time-util.h"
35 static bool srand_called
= false;
37 int rdrand(unsigned long *ret
) {
39 /* So, you are a "security researcher", and you wonder why we bother with using raw RDRAND here,
40 * instead of sticking to /dev/urandom or getrandom()?
42 * Here's why: early boot. On Linux, during early boot the random pool that backs /dev/urandom and
43 * getrandom() is generally not initialized yet. It is very common that initialization of the random
44 * pool takes a longer time (up to many minutes), in particular on embedded devices that have no
45 * explicit hardware random generator, as well as in virtualized environments such as major cloud
46 * installations that do not provide virtio-rng or a similar mechanism.
48 * In such an environment using getrandom() synchronously means we'd block the entire system boot-up
49 * until the pool is initialized, i.e. *very* long. Using getrandom() asynchronously (GRND_NONBLOCK)
50 * would mean acquiring randomness during early boot would simply fail. Using /dev/urandom would mean
51 * generating many kmsg log messages about our use of it before the random pool is properly
52 * initialized. Neither of these outcomes is desirable.
54 * Thus, for very specific purposes we use RDRAND instead of either of these three options. RDRAND
55 * provides us quickly and relatively reliably with random values, without having to delay boot,
56 * without triggering warning messages in kmsg.
58 * Note that we use RDRAND only under very specific circumstances, when the requirements on the
59 * quality of the returned entropy permit it. Specifically, here are some cases where we *do* use
62 * • UUID generation: UUIDs are supposed to be universally unique but are not cryptographic
63 * key material. The quality and trust level of RDRAND should hence be OK: UUIDs should be
64 * generated in a way that is reliably unique, but they do not require ultimate trust into
65 * the entropy generator. systemd generates a number of UUIDs during early boot, including
66 * 'invocation IDs' for every unit spawned that identify the specific invocation of the
67 * service globally, and a number of others. Other alternatives for generating these UUIDs
68 * have been considered, but don't really work: for example, hashing uuids from a local
69 * system identifier combined with a counter falls flat because during early boot disk
70 * storage is not yet available (think: initrd) and thus a system-specific ID cannot be
71 * stored or retrieved yet.
73 * • Hash table seed generation: systemd uses many hash tables internally. Hash tables are
74 * generally assumed to have O(1) access complexity, but can deteriorate to prohibitive
75 * O(n) access complexity if an attacker manages to trigger a large number of hash
76 * collisions. Thus, systemd (as any software employing hash tables should) uses seeded
77 * hash functions for its hash tables, with a seed generated randomly. The hash tables
78 * systemd employs watch the fill level closely and reseed if necessary. This allows use of
79 * a low quality RNG initially, as long as it improves should a hash table be under attack:
80 * the attacker after all needs to trigger many collisions to exploit it for the purpose
81 * of DoS, but if doing so improves the seed the attack surface is reduced as the attack
84 * Some cases where we do NOT use RDRAND are:
86 * • Generation of cryptographic key material 🔑
88 * • Generation of cryptographic salt values 🧂
90 * This function returns:
92 * -EOPNOTSUPP → RDRAND is not available on this system 😔
93 * -EAGAIN → The operation failed this time, but is likely to work if you try again a few
95 * -EUCLEAN → We got some random value, but it looked strange, so we refused using it.
96 * This failure might or might not be temporary. 😕
99 #if defined(__i386__) || defined(__x86_64__)
100 static int have_rdrand
= -1;
104 if (have_rdrand
< 0) {
105 uint32_t eax
, ebx
, ecx
, edx
;
107 /* Check if RDRAND is supported by the CPU */
108 if (__get_cpuid(1, &eax
, &ebx
, &ecx
, &edx
) == 0) {
113 /* Compat with old gcc where bit_RDRND didn't exist yet */
115 #define bit_RDRND (1U << 30)
118 have_rdrand
= !!(ecx
& bit_RDRND
);
121 if (have_rdrand
== 0)
124 asm volatile("rdrand %0;"
128 msan_unpoison(&success
, sizeof(success
));
132 /* Apparently on some AMD CPUs RDRAND will sometimes (after a suspend/resume cycle?) report success
133 * via the carry flag but nonetheless return the same fixed value -1 in all cases. This appears to be
134 * a bad bug in the CPU or firmware. Let's deal with that and work-around this by explicitly checking
135 * for this special value (and also 0, just to be sure) and filtering it out. This is a work-around
136 * only however and something AMD really should fix properly. The Linux kernel should probably work
137 * around this issue by turning off RDRAND altogether on those CPUs. See:
138 * https://github.com/systemd/systemd/issues/11810 */
139 if (v
== 0 || v
== ULONG_MAX
)
140 return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN
),
141 "RDRAND returned suspicious value %lx, assuming bad hardware RNG, not using value.", v
);
150 int genuine_random_bytes(void *p
, size_t n
, RandomFlags flags
) {
151 static int have_syscall
= -1;
152 _cleanup_close_
int fd
= -1;
153 bool got_some
= false;
156 /* Gathers some high-quality randomness from the kernel (or potentially mid-quality randomness from
157 * the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't block, unless the RANDOM_BLOCK
158 * flag is set. If RANDOM_MAY_FAIL is set, an error is returned if the random pool is not
159 * initialized. Otherwise it will always return some data from the kernel, regardless of whether the
160 * random pool is fully initialized or not. If RANDOM_EXTEND_WITH_PSEUDO is set, and some but not
161 * enough better quality randomness could be acquired, the rest is filled up with low quality
164 * Of course, when creating cryptographic key material you really shouldn't use RANDOM_ALLOW_DRDRAND
165 * or even RANDOM_EXTEND_WITH_PSEUDO.
167 * When generating UUIDs it's fine to use RANDOM_ALLOW_RDRAND but not OK to use
168 * RANDOM_EXTEND_WITH_PSEUDO. In fact RANDOM_EXTEND_WITH_PSEUDO is only really fine when invoked via
169 * an "all bets are off" wrapper, such as random_bytes(), see below. */
174 if (FLAGS_SET(flags
, RANDOM_ALLOW_RDRAND
))
175 /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is
176 * not required, as we don't trust it (who does?). Note that we only do a single iteration of
177 * RDRAND here, even though the Intel docs suggest calling this in a tight loop of 10
178 * invocations or so. That's because we don't really care about the quality here. We
179 * generally prefer using RDRAND if the caller allows us to, since this way we won't upset
180 * the kernel's random subsystem by accessing it before the pool is initialized (after all it
181 * will kmsg log about every attempt to do so)..*/
186 if (rdrand(&u
) < 0) {
187 if (got_some
&& FLAGS_SET(flags
, RANDOM_EXTEND_WITH_PSEUDO
)) {
188 /* Fill in the remaining bytes using pseudo-random values */
189 pseudo_random_bytes(p
, n
);
193 /* OK, this didn't work, let's go to getrandom() + /dev/urandom instead */
197 m
= MIN(sizeof(u
), n
);
200 p
= (uint8_t*) p
+ m
;
204 return 0; /* Yay, success! */
209 /* Use the getrandom() syscall unless we know we don't have it. */
210 if (have_syscall
!= 0 && !HAS_FEATURE_MEMORY_SANITIZER
) {
214 (FLAGS_SET(flags
, RANDOM_BLOCK
) ? 0 : GRND_NONBLOCK
) |
215 (FLAGS_SET(flags
, RANDOM_ALLOW_INSECURE
) ? GRND_INSECURE
: 0));
220 return 0; /* Yay, success! */
222 assert((size_t) r
< n
);
223 p
= (uint8_t*) p
+ r
;
226 if (FLAGS_SET(flags
, RANDOM_EXTEND_WITH_PSEUDO
)) {
227 /* Fill in the remaining bytes using pseudo-random values */
228 pseudo_random_bytes(p
, n
);
234 /* Hmm, we didn't get enough good data but the caller insists on good data? Then try again */
235 if (FLAGS_SET(flags
, RANDOM_BLOCK
))
238 /* Fill in the rest with /dev/urandom */
245 } else if (ERRNO_IS_NOT_SUPPORTED(errno
)) {
246 /* We lack the syscall, continue with reading from /dev/urandom. */
247 have_syscall
= false;
250 } else if (errno
== EAGAIN
) {
251 /* The kernel has no entropy whatsoever. Let's remember to use the syscall
252 * the next time again though.
254 * If RANDOM_MAY_FAIL is set, return an error so that random_bytes() can
255 * produce some pseudo-random bytes instead. Otherwise, fall back to
256 * /dev/urandom, which we know is empty, but the kernel will produce some
257 * bytes for us on a best-effort basis. */
260 if (got_some
&& FLAGS_SET(flags
, RANDOM_EXTEND_WITH_PSEUDO
)) {
261 /* Fill in the remaining bytes using pseudorandom values */
262 pseudo_random_bytes(p
, n
);
266 if (FLAGS_SET(flags
, RANDOM_MAY_FAIL
))
269 /* Use /dev/urandom instead */
272 } else if (errno
== EINVAL
) {
274 /* Most likely: unknown flag. We know that GRND_INSECURE might cause this,
275 * hence try without. */
277 if (FLAGS_SET(flags
, RANDOM_ALLOW_INSECURE
)) {
278 flags
= flags
&~ RANDOM_ALLOW_INSECURE
;
288 fd
= open("/dev/urandom", O_RDONLY
|O_CLOEXEC
|O_NOCTTY
);
290 return errno
== ENOENT
? -ENOSYS
: -errno
;
292 return loop_read_exact(fd
, p
, n
, true);
295 static void clear_srand_initialization(void) {
296 srand_called
= false;
299 void initialize_srand(void) {
300 static bool pthread_atfork_registered
= false;
311 /* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed
312 * the pseudo-random generator. It's better than nothing... But let's first hash it to make it harder
313 * to recover the original value by watching any pseudo-random bits we generate. After all the
314 * AT_RANDOM data might be used by other stuff too (in particular: ASLR), and we probably shouldn't
315 * leak the seed for that. */
317 auxv
= ULONG_TO_PTR(getauxval(AT_RANDOM
));
319 static const uint8_t auxval_hash_key
[16] = {
320 0x92, 0x6e, 0xfe, 0x1b, 0xcf, 0x00, 0x52, 0x9c, 0xcc, 0x42, 0xcf, 0xdc, 0x94, 0x1f, 0x81, 0x0f
323 x
= (unsigned) siphash24(auxv
, 16, auxval_hash_key
);
328 x
^= (unsigned) now(CLOCK_REALTIME
);
329 x
^= (unsigned) gettid();
337 if (!pthread_atfork_registered
) {
338 (void) pthread_atfork(NULL
, NULL
, clear_srand_initialization
);
339 pthread_atfork_registered
= true;
343 /* INT_MAX gives us only 31 bits, so use 24 out of that. */
344 #if RAND_MAX >= INT_MAX
345 assert_cc(RAND_MAX
>= 16777215);
348 /* SHORT_INT_MAX or lower gives at most 15 bits, we just use 8 out of that. */
349 assert_cc(RAND_MAX
>= 255);
353 void pseudo_random_bytes(void *p
, size_t n
) {
356 /* This returns pseudo-random data using libc's rand() function. You probably never want to call this
357 * directly, because why would you use this if you can get better stuff cheaply? Use random_bytes()
358 * instead, see below: it will fall back to this function if there's nothing better to get, but only
363 for (q
= p
; q
< (uint8_t*) p
+ n
; q
+= RAND_STEP
) {
366 rr
= (unsigned) rand();
369 if ((size_t) (q
- (uint8_t*) p
+ 2) < n
)
373 if ((size_t) (q
- (uint8_t*) p
+ 1) < n
)
380 void random_bytes(void *p
, size_t n
) {
382 /* This returns high quality randomness if we can get it cheaply. If we can't because for some reason
383 * it is not available we'll try some crappy fallbacks.
385 * What this function will do:
387 * • This function will preferably use the CPU's RDRAND operation, if it is available, in
388 * order to return "mid-quality" random values cheaply.
390 * • Use getrandom() with GRND_NONBLOCK, to return high-quality random values if they are
393 * • This function will return pseudo-random data, generated via libc rand() if nothing
394 * better is available.
396 * • This function will work fine in early boot
398 * • This function will always succeed
400 * What this function won't do:
402 * • This function will never fail: it will give you randomness no matter what. It might not
403 * be high quality, but it will return some, possibly generated via libc's rand() call.
405 * • This function will never block: if the only way to get good randomness is a blocking,
406 * synchronous getrandom() we'll instead provide you with pseudo-random data.
408 * This function is hence great for things like seeding hash tables, generating random numeric UNIX
409 * user IDs (that are checked for collisions before use) and such.
411 * This function is hence not useful for generating UUIDs or cryptographic key material.
414 if (genuine_random_bytes(p
, n
, RANDOM_EXTEND_WITH_PSEUDO
|RANDOM_MAY_FAIL
|RANDOM_ALLOW_RDRAND
|RANDOM_ALLOW_INSECURE
) >= 0)
417 /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */
418 pseudo_random_bytes(p
, n
);
421 size_t random_pool_size(void) {
422 _cleanup_free_
char *s
= NULL
;
425 /* Read pool size, if possible */
426 r
= read_one_line_file("/proc/sys/kernel/random/poolsize", &s
);
428 log_debug_errno(r
, "Failed to read pool size from kernel: %m");
432 r
= safe_atou(s
, &sz
);
434 log_debug_errno(r
, "Failed to parse pool size: %s", s
);
436 /* poolsize is in bits on 2.6, but we want bytes */
437 return CLAMP(sz
/ 8, RANDOM_POOL_SIZE_MIN
, RANDOM_POOL_SIZE_MAX
);
440 /* Use the minimum as default, if we can't retrieve the correct value */
441 return RANDOM_POOL_SIZE_MIN
;
444 int random_write_entropy(int fd
, const void *seed
, size_t size
, bool credit
) {
448 assert(seed
&& size
> 0);
451 _cleanup_free_
struct rand_pool_info
*info
= NULL
;
453 /* The kernel API only accepts "int" as entropy count (which is in bits), let's avoid any
454 * chance for confusion here. */
455 if (size
> INT_MAX
/ 8)
458 info
= malloc(offsetof(struct rand_pool_info
, buf
) + size
);
462 info
->entropy_count
= size
* 8;
463 info
->buf_size
= size
;
464 memcpy(info
->buf
, seed
, size
);
466 if (ioctl(fd
, RNDADDENTROPY
, info
) < 0)
469 r
= loop_write(fd
, seed
, size
, false);