From: Herbert Xu on gitlab.com Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2757
Upstream Status: RHEL only
Restore the changes to /dev/random which were reverted after 5.18.
This reverts commit 900f11e054896bae7b0146055698656e3d1e20a6 and 297bcb88233101e8d5062729ff3a5f989bad1c3b.
This also brings the code up-to-date with respect to centos-stream commit 9de3a7339793d3c516b9305a8854267156f90c53 so that changes that were made after the kernel-ark revert have been brought in.
Signed-off-by: Herbert Xu herbert.xu@redhat.com
--- crypto/drbg.c | 18 ++++- crypto/rng.c | 149 +++++++++++++++++++++++++++++++++++++++++++----- drivers/char/random.c | 122 ++++++++++++++++++++++++++++++++++++++++ include/linux/crypto.h | 1 + include/linux/random.h | 10 +++ 5 files changed, 281 insertions(+), 19 deletions(-)
From: Herbert Xu herbert.xu@redhat.com
random: Add hook to override device reads and getrandom(2)
Upstream Status: RHEL only
Restore the changes to /dev/random which were reverted after 5.18.
This reverts commit 900f11e054896bae7b0146055698656e3d1e20a6.
This also brings the code up-to-date with respect to centos-stream commit 9de3a7339793d3c516b9305a8854267156f90c53 so that changes that were made after the kernel-ark revert have been brought in.
Signed-off-by: Herbert Xu herbert.xu@redhat.com
diff --git a/drivers/char/random.c b/drivers/char/random.c index blahblah..blahblah 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -51,6 +51,7 @@ #include <linux/completion.h> #include <linux/uuid.h> #include <linux/uaccess.h> +#include <linux/rcupdate.h> #include <linux/suspend.h> #include <linux/siphash.h> #include <linux/sched/isolation.h> @@ -309,6 +310,11 @@ static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE], memzero_explicit(first_block, sizeof(first_block)); }
+/* + * Hook for external RNG. + */ +static const struct random_extrng __rcu *extrng; + /* * This function returns a ChaCha state that you may use for generating * random data. It also returns up to 32 bytes on its own of random data @@ -739,6 +745,9 @@ static void __cold _credit_init_bits(size_t bits) }
+static const struct file_operations extrng_random_fops; +static const struct file_operations extrng_urandom_fops; + /********************************************************************** * * Entropy collection routines. @@ -956,6 +965,19 @@ void __init add_bootloader_randomness(const void *buf, size_t len) credit_init_bits(len * 8); }
+void random_register_extrng(const struct random_extrng *rng) +{ + rcu_assign_pointer(extrng, rng); +} +EXPORT_SYMBOL_GPL(random_register_extrng); + +void random_unregister_extrng(void) +{ + RCU_INIT_POINTER(extrng, NULL); + synchronize_rcu(); +} +EXPORT_SYMBOL_GPL(random_unregister_extrng); + #if IS_ENABLED(CONFIG_VMGENID) static BLOCKING_NOTIFIER_HEAD(vmfork_chain);
@@ -1366,6 +1388,7 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags struct iov_iter iter; struct iovec iov; int ret; + const struct random_extrng *rng;
if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE)) return -EINVAL; @@ -1377,6 +1400,21 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | GRND_RANDOM)) return -EINVAL;
+ rcu_read_lock(); + rng = rcu_dereference(extrng); + if (rng && !try_module_get(rng->owner)) + rng = NULL; + rcu_read_unlock(); + + if (rng) { + ret = import_single_range(ITER_DEST, ubuf, len, &iov, &iter); + if (unlikely(ret)) + return ret; + ret = rng->extrng_read_iter(&iter, !!(flags & GRND_RANDOM)); + module_put(rng->owner); + return ret; + } + if (!crng_ready() && !(flags & GRND_INSECURE)) { if (flags & GRND_NONBLOCK) return -EAGAIN; @@ -1397,6 +1435,12 @@ static __poll_t random_poll(struct file *file, poll_table *wait) return crng_ready() ? EPOLLIN | EPOLLRDNORM : EPOLLOUT | EPOLLWRNORM; }
+static __poll_t extrng_poll(struct file *file, poll_table * wait) +{ + /* extrng pool is always full, always read, no writes */ + return EPOLLIN | EPOLLRDNORM; +} + static ssize_t write_pool_user(struct iov_iter *iter) { u8 block[BLAKE2S_BLOCK_SIZE]; @@ -1538,7 +1582,58 @@ static int random_fasync(int fd, struct file *filp, int on) return fasync_helper(fd, filp, on, &fasync); }
+static int random_open(struct inode *inode, struct file *filp) +{ + const struct random_extrng *rng; + + rcu_read_lock(); + rng = rcu_dereference(extrng); + if (rng && !try_module_get(rng->owner)) + rng = NULL; + rcu_read_unlock(); + + if (!rng) + return 0; + + filp->f_op = &extrng_random_fops; + filp->private_data = rng->owner; + + return 0; +} + +static int urandom_open(struct inode *inode, struct file *filp) +{ + const struct random_extrng *rng; + + rcu_read_lock(); + rng = rcu_dereference(extrng); + if (rng && !try_module_get(rng->owner)) + rng = NULL; + rcu_read_unlock(); + + if (!rng) + return 0; + + filp->f_op = &extrng_urandom_fops; + filp->private_data = rng->owner; + + return 0; +} + +static int extrng_release(struct inode *inode, struct file *filp) +{ + module_put(filp->private_data); + return 0; +} + +static ssize_t +extrng_read_iter(struct kiocb *kiocb, struct iov_iter *iter) +{ + return rcu_dereference_raw(extrng)->extrng_read_iter(iter, false); +} + const struct file_operations random_fops = { + .open = random_open, .read_iter = random_read_iter, .write_iter = random_write_iter, .poll = random_poll, @@ -1551,6 +1646,7 @@ const struct file_operations random_fops = { };
const struct file_operations urandom_fops = { + .open = urandom_open, .read_iter = urandom_read_iter, .write_iter = random_write_iter, .unlocked_ioctl = random_ioctl, @@ -1561,6 +1657,32 @@ const struct file_operations urandom_fops = { .splice_write = iter_file_splice_write, };
+static const struct file_operations extrng_random_fops = { + .open = random_open, + .read_iter = extrng_read_iter, + .write_iter = random_write_iter, + .poll = extrng_poll, + .unlocked_ioctl = random_ioctl, + .compat_ioctl = compat_ptr_ioctl, + .fasync = random_fasync, + .llseek = noop_llseek, + .release = extrng_release, + .splice_read = copy_splice_read, + .splice_write = iter_file_splice_write, +}; + +static const struct file_operations extrng_urandom_fops = { + .open = urandom_open, + .read_iter = extrng_read_iter, + .write_iter = random_write_iter, + .unlocked_ioctl = random_ioctl, + .compat_ioctl = compat_ptr_ioctl, + .fasync = random_fasync, + .llseek = noop_llseek, + .release = extrng_release, + .splice_read = copy_splice_read, + .splice_write = iter_file_splice_write, +};
/******************************************************************** * diff --git a/include/linux/random.h b/include/linux/random.h index blahblah..blahblah 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -9,6 +9,13 @@
#include <uapi/linux/random.h>
+struct iov_iter; + +struct random_extrng { + ssize_t (*extrng_read_iter)(struct iov_iter *iter, bool reseed); + struct module *owner; +}; + struct notifier_block;
void add_device_randomness(const void *buf, size_t len); @@ -157,6 +164,9 @@ int random_prepare_cpu(unsigned int cpu); int random_online_cpu(unsigned int cpu); #endif
+void random_register_extrng(const struct random_extrng *rng); +void random_unregister_extrng(void); + #ifndef MODULE extern const struct file_operations random_fops, urandom_fops; #endif
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2757
From: Herbert Xu herbert.xu@redhat.com
crypto: rng - Override drivers/char/random in FIPS mode
Upstream Status: RHEL only
Restore the changes to use the crypto RNG in drivers/char/random which were reverted after 5.18.
This reverts commit 297bcb88233101e8d5062729ff3a5f989bad1c3b.
This also brings the code up-to-date with respect to centos-stream commit 9de3a7339793d3c516b9305a8854267156f90c53 so that changes that were made after the kernel-ark revert have been brought in.
Signed-off-by: Herbert Xu herbert.xu@redhat.com
diff --git a/crypto/drbg.c b/crypto/drbg.c index blahblah..blahblah 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1510,13 +1510,14 @@ static int drbg_generate(struct drbg_state *drbg, * Wrapper around drbg_generate which can pull arbitrary long strings * from the DRBG without hitting the maximum request limitation. * - * Parameters: see drbg_generate + * Parameters: see drbg_generate, except @reseed, which triggers reseeding * Return codes: see drbg_generate -- if one drbg_generate request fails, * the entire drbg_generate_long request fails */ static int drbg_generate_long(struct drbg_state *drbg, unsigned char *buf, unsigned int buflen, - struct drbg_string *addtl) + struct drbg_string *addtl, + bool reseed) { unsigned int len = 0; unsigned int slice = 0; @@ -1526,6 +1527,8 @@ static int drbg_generate_long(struct drbg_state *drbg, slice = ((buflen - len) / drbg_max_request_bytes(drbg)); chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len); mutex_lock(&drbg->drbg_mutex); + if (reseed) + drbg->seeded = DRBG_SEED_STATE_UNSEEDED; err = drbg_generate(drbg, buf + len, chunk, addtl); mutex_unlock(&drbg->drbg_mutex); if (0 > err) @@ -1952,6 +1955,7 @@ static int drbg_kcapi_random(struct crypto_rng *tfm, struct drbg_state *drbg = crypto_rng_ctx(tfm); struct drbg_string *addtl = NULL; struct drbg_string string; + int err;
if (slen) { /* linked list variable is now local to allow modification */ @@ -1959,7 +1963,15 @@ static int drbg_kcapi_random(struct crypto_rng *tfm, addtl = &string; }
- return drbg_generate_long(drbg, dst, dlen, addtl); + err = drbg_generate_long(drbg, dst, dlen, addtl, + (crypto_tfm_get_flags(crypto_rng_tfm(tfm)) & + CRYPTO_TFM_REQ_NEED_RESEED) == + CRYPTO_TFM_REQ_NEED_RESEED); + + crypto_tfm_clear_flags(crypto_rng_tfm(tfm), + CRYPTO_TFM_REQ_NEED_RESEED); + + return err; }
/* diff --git a/crypto/rng.c b/crypto/rng.c index blahblah..blahblah 100644 --- a/crypto/rng.c +++ b/crypto/rng.c @@ -12,10 +12,13 @@ #include <linux/atomic.h> #include <linux/cryptouser.h> #include <linux/err.h> +#include <linux/fips.h> #include <linux/kernel.h> #include <linux/module.h> #include <linux/mutex.h> #include <linux/random.h> +#include <linux/sched.h> +#include <linux/sched/signal.h> #include <linux/seq_file.h> #include <linux/slab.h> #include <linux/string.h> @@ -23,7 +26,9 @@
#include "internal.h"
-static DEFINE_MUTEX(crypto_default_rng_lock); +static ____cacheline_aligned_in_smp DEFINE_MUTEX(crypto_reseed_rng_lock); +static struct crypto_rng *crypto_reseed_rng; +static ____cacheline_aligned_in_smp DEFINE_MUTEX(crypto_default_rng_lock); struct crypto_rng *crypto_default_rng; EXPORT_SYMBOL_GPL(crypto_default_rng); static int crypto_default_rng_refcnt; @@ -136,31 +141,37 @@ struct crypto_rng *crypto_alloc_rng(const char *alg_name, u32 type, u32 mask) } EXPORT_SYMBOL_GPL(crypto_alloc_rng);
-int crypto_get_default_rng(void) +static int crypto_get_rng(struct crypto_rng **rngp) { struct crypto_rng *rng; int err;
- mutex_lock(&crypto_default_rng_lock); - if (!crypto_default_rng) { + if (!*rngp) { rng = crypto_alloc_rng("stdrng", 0, 0); err = PTR_ERR(rng); if (IS_ERR(rng)) - goto unlock; + return err;
err = crypto_rng_reset(rng, NULL, crypto_rng_seedsize(rng)); if (err) { crypto_free_rng(rng); - goto unlock; + return err; }
- crypto_default_rng = rng; + *rngp = rng; }
- crypto_default_rng_refcnt++; - err = 0; + return 0; +} + +int crypto_get_default_rng(void) +{ + int err;
-unlock: + mutex_lock(&crypto_default_rng_lock); + err = crypto_get_rng(&crypto_default_rng); + if (!err) + crypto_default_rng_refcnt++; mutex_unlock(&crypto_default_rng_lock);
return err; @@ -176,24 +187,33 @@ void crypto_put_default_rng(void) EXPORT_SYMBOL_GPL(crypto_put_default_rng);
#if defined(CONFIG_CRYPTO_RNG) || defined(CONFIG_CRYPTO_RNG_MODULE) -int crypto_del_default_rng(void) +static int crypto_del_rng(struct crypto_rng **rngp, int *refcntp, + struct mutex *lock) { int err = -EBUSY;
- mutex_lock(&crypto_default_rng_lock); - if (crypto_default_rng_refcnt) + mutex_lock(lock); + if (refcntp && *refcntp) goto out;
- crypto_free_rng(crypto_default_rng); - crypto_default_rng = NULL; + crypto_free_rng(*rngp); + *rngp = NULL;
err = 0;
out: - mutex_unlock(&crypto_default_rng_lock); + mutex_unlock(lock);
return err; } + +int crypto_del_default_rng(void) +{ + return crypto_del_rng(&crypto_default_rng, &crypto_default_rng_refcnt, + &crypto_default_rng_lock) ?: + crypto_del_rng(&crypto_reseed_rng, NULL, + &crypto_reseed_rng_lock); +} EXPORT_SYMBOL_GPL(crypto_del_default_rng); #endif
@@ -251,5 +271,102 @@ void crypto_unregister_rngs(struct rng_alg *algs, int count) } EXPORT_SYMBOL_GPL(crypto_unregister_rngs);
+static ssize_t crypto_devrandom_read_iter(struct iov_iter *iter, bool reseed) +{ + struct crypto_rng *rng; + u8 tmp[256]; + ssize_t ret; + + if (unlikely(!iov_iter_count(iter))) + return 0; + + if (reseed) { + u32 flags = 0; + + /* If reseeding is requested, acquire a lock on + * crypto_reseed_rng so it is not swapped out until + * the initial random bytes are generated. + * + * The algorithm implementation is also protected with + * a separate mutex (drbg->drbg_mutex) around the + * reseed-and-generate operation. + */ + mutex_lock(&crypto_reseed_rng_lock); + + /* If crypto_default_rng is not set, it will be seeded + * at creation in __crypto_get_default_rng and thus no + * reseeding is needed. + */ + if (crypto_reseed_rng) + flags |= CRYPTO_TFM_REQ_NEED_RESEED; + + ret = crypto_get_rng(&crypto_reseed_rng); + if (ret) { + mutex_unlock(&crypto_reseed_rng_lock); + return ret; + } + + rng = crypto_reseed_rng; + crypto_tfm_set_flags(crypto_rng_tfm(rng), flags); + } else { + ret = crypto_get_default_rng(); + if (ret) + return ret; + rng = crypto_default_rng; + } + + for (;;) { + size_t i, copied; + int err; + + i = min_t(size_t, iov_iter_count(iter), sizeof(tmp)); + err = crypto_rng_get_bytes(rng, tmp, i); + if (err) { + ret = err; + break; + } + + copied = copy_to_iter(tmp, i, iter); + ret += copied; + + if (!iov_iter_count(iter)) + break; + + if (need_resched()) { + if (signal_pending(current)) + break; + schedule(); + } + } + + if (reseed) + mutex_unlock(&crypto_reseed_rng_lock); + else + crypto_put_default_rng(); + memzero_explicit(tmp, sizeof(tmp)); + + return ret; +} + +static const struct random_extrng crypto_devrandom_rng = { + .extrng_read_iter = crypto_devrandom_read_iter, + .owner = THIS_MODULE, +}; + +static int __init crypto_rng_init(void) +{ + if (fips_enabled) + random_register_extrng(&crypto_devrandom_rng); + return 0; +} + +static void __exit crypto_rng_exit(void) +{ + random_unregister_extrng(); +} + +late_initcall(crypto_rng_init); +module_exit(crypto_rng_exit); + MODULE_LICENSE("GPL"); MODULE_DESCRIPTION("Random Number Generator"); diff --git a/include/linux/crypto.h b/include/linux/crypto.h index blahblah..blahblah 100644 --- a/include/linux/crypto.h +++ b/include/linux/crypto.h @@ -135,6 +135,7 @@ #define CRYPTO_TFM_REQ_FORBID_WEAK_KEYS 0x00000100 #define CRYPTO_TFM_REQ_MAY_SLEEP 0x00000200 #define CRYPTO_TFM_REQ_MAY_BACKLOG 0x00000400 +#define CRYPTO_TFM_REQ_NEED_RESEED 0x00000800
/* * Miscellaneous stuff.
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2757
From: Don Zickus on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2757#note_1611091...
@herbert.xu2 thanks! Is there a reason why this isn't pushed upstream and needs to be RHEL-only? (We ask on all RHEL-only patches).
From: Herbert Xu on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2757#note_1611555...
Such modifications of /dev/random are unacceptable upstream and remain so. Thanks!
From: Vladis Dronov on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2757#note_1613416...
hi, Herbert, thank you for the patchset. i'm looking at "changes that were made after the kernel-ark revert". especially, at https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_r... uests/1360/diffs?commit_id=66d567ab6293dc284952e8d145820d257f3987b9. i see the first hunk is in your patchset, but the second one is not.
i see `i = min_t(size_t, iov_iter_count(iter), sizeof(tmp)); err = crypto_rng_get_bytes(rng, tmp, i);` statements in your patch, same as in the older C9S `66d567ab` above. but not a `crypto_tfm_set_flags(CRYPTO_TFM_REQ_NEED_RESEED)` call, which is under a comment "The above call to crypto_rng_get_bytes will reset the CRYPTO_TFM_REQ_NEED_RESEED flag". it is not in your patchset, is this intentional? can you please have a look?
From: Vladis Dronov on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2757#note_1613420...
reviewed, lgtm, approving. thanks, Herbert @herbert.xu2!
From: Patrick Talbert on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2757#note_1614803...
@jmflinuxtx for awareness.
From: Sanjib Das on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2757#note_2343405...
With changes from new commits (https://gitlab.com/cki-project/kernel- ark/-/merge_requests/2757/diffs) I dont see "/proc/sys/kernel/random/crng" . Is this expected?
However, above /proc entry was found with commits 77f4d049, 8313ae8c (https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1304/diffs?commit... id=77f4d04971afd67990d04174c971a74bd2bd1fc9)
I patched these changes on 5.10.209 upstream kernel.
Thanking you in advance. Sanjib
kernel@lists.fedoraproject.org
-
Don Zickus (via Email Bridge) -
Herbert Xu (via Email Bridge)
-
Patrick Talbert (via Email Bridge)
-
Sanjib Das (via Email Bridge)
-
Vladis Dronov (via Email Bridge)