git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/4.17.12/random-mix-rdrand-with-entropy-sent-in-from-userspace.patch
1 From 81e69df38e2911b642ec121dec319fad2a4782f3 Mon Sep 17 00:00:00 2001
2 From: Theodore Ts'o <tytso@mit.edu>
3 Date: Sat, 14 Jul 2018 23:55:57 -0400
4 Subject: random: mix rdrand with entropy sent in from userspace
5
6 From: Theodore Ts'o <tytso@mit.edu>
7
8 commit 81e69df38e2911b642ec121dec319fad2a4782f3 upstream.
9
10 Fedora has integrated the jitter entropy daemon to work around slow
11 boot problems, especially on VM's that don't support virtio-rng:
12
13 https://bugzilla.redhat.com/show_bug.cgi?id=1572944
14
15 It's understandable why they did this, but the Jitter entropy daemon
16 works fundamentally on the principle: "the CPU microarchitecture is
17 **so** complicated and we can't figure it out, so it *must* be
18 random". Yes, it uses statistical tests to "prove" it is secure, but
19 AES_ENCRYPT(NSA_KEY, COUNTER++) will also pass statistical tests with
20 flying colors.
21
22 So if RDRAND is available, mix it into entropy submitted from
23 userspace. It can't hurt, and if you believe the NSA has backdoored
24 RDRAND, then they probably have enough details about the Intel
25 microarchitecture that they can reverse engineer how the Jitter
26 entropy daemon affects the microarchitecture, and attack its output
27 stream. And if RDRAND is in fact an honest DRNG, it will immeasurably
28 improve on what the Jitter entropy daemon might produce.
29
30 This also provides some protection against someone who is able to read
31 or set the entropy seed file.
32
33 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
34 Cc: stable@vger.kernel.org
35 Cc: Arnd Bergmann <arnd@arndb.de>
36 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
37
38 ---
39 drivers/char/random.c | 10 +++++++++-
40 1 file changed, 9 insertions(+), 1 deletion(-)
41
42 --- a/drivers/char/random.c
43 +++ b/drivers/char/random.c
44 @@ -1895,14 +1895,22 @@ static int
45 write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
46 {
47 size_t bytes;
48 - __u32 buf[16];
49 + __u32 t, buf[16];
50 const char __user *p = buffer;
51
52 while (count > 0) {
53 + int b, i = 0;
54 +
55 bytes = min(count, sizeof(buf));
56 if (copy_from_user(&buf, p, bytes))
57 return -EFAULT;
58
59 + for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++) {
60 + if (!arch_get_random_int(&t))
61 + break;
62 + buf[i] ^= t;
63 + }
64 +
65 count -= bytes;
66 p += bytes;
67
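Review bot: In the added loop, `for (b = bytes ; b > 0 ; b -= sizeof(__u32), i++)` subtracts a `size_t` from the signed `int b`, so when `bytes` is not a multiple of 4 the loop only terminates because the unsigned result wraps and converts back to a negative int. Bounding `i` by `DIV_ROUND_UP(bytes, sizeof(__u32))` would express the same word count without the mixed-sign arithmetic. In that same partial-word case the final `buf[i] ^= t` also reads and writes bytes of `buf` that `copy_from_user()` did not fill on this pass, and `__u32 t, buf[16];` has no initializer, so the first pass can touch uninitialized stack. That does not change how the user-supplied bytes are XORed, but zero-initializing `buf` or adding a short comment would keep it from looking like a bug to later readers and to uninitialized-memory checkers. A one-line comment that the `break` on `arch_get_random_int()` failure deliberately leaves the remaining words exactly as userspace supplied them would also help.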