tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Revert "random: block in /dev/urandom"

This reverts commit 6f98a4bfee72c22f50aedb39fb761567969865fe.

It turns out we still can't do this. Way too many platforms that don't
have any real source of randomness at boot and no jitter entropy because
they don't even have a cycle counter.

As reported by Guenter Roeck:

"This causes a large number of qemu boot test failures for various
architectures (arm, m68k, microblaze, sparc32, xtensa are the ones I
observed).

Common denominator is that boot hangs at 'Saving random seed:'"

This isn't hugely unexpected - we tried it, it failed, so now we'll
revert it.

Link: https://lore.kernel.org/all/20220322155820.GA1745955@roeck-us.net/
Reported-and-bisected-by: Guenter Roeck <linux@roeck-us.net>
Cc: Jason Donenfeld <Jason@zx2c4.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Linus Torvalds 0313bc27 b47d5a4f

+57 -19
+1 -1
drivers/char/mem.c
··· 707 707 [5] = { "zero", 0666, &zero_fops, FMODE_NOWAIT }, 708 708 [7] = { "full", 0666, &full_fops, 0 }, 709 709 [8] = { "random", 0666, &random_fops, 0 }, 710 - [9] = { "urandom", 0666, &random_fops, 0 }, 710 + [9] = { "urandom", 0666, &urandom_fops, 0 }, 711 711 #ifdef CONFIG_PRINTK 712 712 [11] = { "kmsg", 0644, &kmsg_fops, 0 }, 713 713 #endif
+55 -17
drivers/char/random.c
··· 89 89 /* Control how we warn userspace. */ 90 90 static struct ratelimit_state unseeded_warning = 91 91 RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3); 92 + static struct ratelimit_state urandom_warning = 93 + RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3); 92 94 static int ratelimit_disable __read_mostly; 93 95 module_param_named(ratelimit_disable, ratelimit_disable, int, 0644); 94 96 MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression"); 95 97 96 98 /* 97 99 * Returns whether or not the input pool has been seeded and thus guaranteed 98 - * to supply cryptographically secure random numbers. This applies to 99 - * get_random_bytes() and get_random_{u32,u64,int,long}(). 100 + * to supply cryptographically secure random numbers. This applies to: the 101 + * /dev/urandom device, the get_random_bytes function, and the get_random_{u32, 102 + * ,u64,int,long} family of functions. 100 103 * 101 104 * Returns: true if the input pool has been seeded. 102 105 * false if the input pool has not been seeded. ··· 115 112 116 113 /* 117 114 * Wait for the input pool to be seeded and thus guaranteed to supply 118 - * cryptographically secure random numbers. This applies to 119 - * get_random_bytes() and get_random_{u32,u64,int,long}(). Using any 120 - * of these functions without first calling this function means that 121 - * the returned numbers might not be cryptographically secure. 115 + * cryptographically secure random numbers. This applies to: the /dev/urandom 116 + * device, the get_random_bytes function, and the get_random_{u32,u64,int,long} 117 + * family of functions. Using any of these functions without first calling 118 + * this function forfeits the guarantee of security. 122 119 * 123 120 * Returns: 0 if the input pool has been seeded. 124 121 * -ERESTARTSYS if the function was interrupted by a signal. ··· 223 220 * unsigned long get_random_long() 224 221 * 225 222 * These interfaces will return the requested number of random bytes 226 - * into the given buffer or as a return value. The returned numbers are 227 - * the same as those of getrandom(0). The integer family of functions may 228 - * be higher performance for one-off random integers, because they do a 229 - * bit of buffering and do not invoke reseeding. 223 + * into the given buffer or as a return value. This is equivalent to 224 + * a read from /dev/urandom. The integer family of functions may be 225 + * higher performance for one-off random integers, because they do a 226 + * bit of buffering. 230 227 * 231 228 *********************************************************************/ 232 229 ··· 302 299 pr_notice("%d get_random_xx warning(s) missed due to ratelimiting\n", 303 300 unseeded_warning.missed); 304 301 unseeded_warning.missed = 0; 302 + } 303 + if (urandom_warning.missed) { 304 + pr_notice("%d urandom warning(s) missed due to ratelimiting\n", 305 + urandom_warning.missed); 306 + urandom_warning.missed = 0; 305 307 } 306 308 } 307 309 } ··· 987 979 pr_notice("crng init done (trusting CPU's manufacturer)\n"); 988 980 } 989 981 990 - if (ratelimit_disable) 982 + if (ratelimit_disable) { 983 + urandom_warning.interval = 0; 991 984 unseeded_warning.interval = 0; 985 + } 992 986 return 0; 993 987 } 994 988 ··· 1430 1420 * getrandom(2) is the primary modern interface into the RNG and should 1431 1421 * be used in preference to anything else. 1432 1422 * 1433 - * Reading from /dev/random and /dev/urandom both have the same effect 1434 - * as calling getrandom(2) with flags=0. (In earlier versions, however, 1435 - * they each had different semantics.) 1423 + * Reading from /dev/random has the same functionality as calling 1424 + * getrandom(2) with flags=0. In earlier versions, however, it had 1425 + * vastly different semantics and should therefore be avoided, to 1426 + * prevent backwards compatibility issues. 1427 + * 1428 + * Reading from /dev/urandom has the same functionality as calling 1429 + * getrandom(2) with flags=GRND_INSECURE. Because it does not block 1430 + * waiting for the RNG to be ready, it should not be used. 1436 1431 * 1437 1432 * Writing to either /dev/random or /dev/urandom adds entropy to 1438 1433 * the input pool but does not credit it. 1439 1434 * 1440 - * Polling on /dev/random or /dev/urandom indicates when the RNG 1441 - * is initialized, on the read side, and when it wants new entropy, 1442 - * on the write side. 1435 + * Polling on /dev/random indicates when the RNG is initialized, on 1436 + * the read side, and when it wants new entropy, on the write side. 1443 1437 * 1444 1438 * Both /dev/random and /dev/urandom have the same set of ioctls for 1445 1439 * adding entropy, getting the entropy count, zeroing the count, and ··· 1528 1514 return (ssize_t)count; 1529 1515 } 1530 1516 1517 + static ssize_t urandom_read(struct file *file, char __user *buf, size_t nbytes, 1518 + loff_t *ppos) 1519 + { 1520 + static int maxwarn = 10; 1521 + 1522 + if (!crng_ready() && maxwarn > 0) { 1523 + maxwarn--; 1524 + if (__ratelimit(&urandom_warning)) 1525 + pr_notice("%s: uninitialized urandom read (%zd bytes read)\n", 1526 + current->comm, nbytes); 1527 + } 1528 + 1529 + return get_random_bytes_user(buf, nbytes); 1530 + } 1531 + 1531 1532 static ssize_t random_read(struct file *file, char __user *buf, size_t nbytes, 1532 1533 loff_t *ppos) 1533 1534 { ··· 1623 1594 .read = random_read, 1624 1595 .write = random_write, 1625 1596 .poll = random_poll, 1597 + .unlocked_ioctl = random_ioctl, 1598 + .compat_ioctl = compat_ptr_ioctl, 1599 + .fasync = random_fasync, 1600 + .llseek = noop_llseek, 1601 + }; 1602 + 1603 + const struct file_operations urandom_fops = { 1604 + .read = urandom_read, 1605 + .write = random_write, 1626 1606 .unlocked_ioctl = random_ioctl, 1627 1607 .compat_ioctl = compat_ptr_ioctl, 1628 1608 .fasync = random_fasync,
+1 -1
include/linux/random.h
··· 48 48 extern size_t __must_check get_random_bytes_arch(void *buf, size_t nbytes); 49 49 50 50 #ifndef MODULE 51 - extern const struct file_operations random_fops; 51 + extern const struct file_operations random_fops, urandom_fops; 52 52 #endif 53 53 54 54 u32 get_random_u32(void);