Merge tag 'random_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random

Pull random updates from Ted Ts'o:
"Change get_random_{int,long} to use the CRNG used by /dev/urandom and
getrandom(2). It's faster and arguably more secure than cut-down MD5
that we had been using.

Also do some code cleanup"

* tag 'random_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random:
random: move random_min_urandom_seed into CONFIG_SYSCTL ifdef block
random: convert get_random_int/long into get_random_u32/u64
random: use chacha20 for get_random_int/long
random: fix comment for unused random_min_urandom_seed
random: remove variable limit
random: remove stale urandom_init_wait
random: remove stale maybe_reseed_primary_crng

+71 -89
+56 -85
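--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -313,13 +313,6 @@
 static int random_write_wakeup_bits = 28 * OUTPUT_POOL_WORDS;
 
 /*
-* The minimum number of seconds between urandom pool reseeding. We
-* do this to limit the amount of entropy that can be drained from the
-* input pool even if there are heavy demands on /dev/urandom.
-*/
-static int random_min_urandom_seed = 60;
-
-/*
 * Originally, we used a primitive polynomial of degree .poolwords
 * over GF(2). The taps for various sizes are defined below. They
 * were chosen to be evenly spaced except for the last tap, which is 1
@@ -402,7 +409,6 @@
 */
 static DECLARE_WAIT_QUEUE_HEAD(random_read_wait);
 static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
-static DECLARE_WAIT_QUEUE_HEAD(urandom_init_wait);
 static struct fasync_struct *fasync;
 
 static DEFINE_SPINLOCK(random_ready_list_lock);
@@ -459,7 +467,6 @@
 int entropy_count;
 int entropy_total;
 unsigned int initialized:1;
-unsigned int limit:1;
 unsigned int last_data_init:1;
 __u8 last_data[EXTRACT_SIZE];
 };
@@ -476,7 +485,6 @@
 static struct entropy_store input_pool = {
 .poolinfo = &poolinfo_table[0],
 .name = "input",
-.limit = 1,
 .lock = __SPIN_LOCK_UNLOCKED(input_pool.lock),
 .pool = input_pool_data
 };
@@ -483,7 +493,6 @@
 static struct entropy_store blocking_pool = {
 .poolinfo = &poolinfo_table[1],
 .name = "blocking",
-.limit = 1,
 .pull = &input_pool,
 .lock = __SPIN_LOCK_UNLOCKED(blocking_pool.lock),
 .pool = blocking_pool_data,
@@ -844,13 +855,6 @@
 spin_unlock_irqrestore(&primary_crng.lock, flags);
 }
 
-static inline void maybe_reseed_primary_crng(void)
-{
-if (crng_init > 2 &&
-time_after(jiffies, primary_crng.init_time + CRNG_RESEED_INTERVAL))
-crng_reseed(&primary_crng, &input_pool);
-}
-
 static inline void crng_wait_ready(void)
 {
 wait_event_interruptible(crng_init_wait, crng_ready());
@@ -1202,15 +1220,6 @@
 r->entropy_count > r->poolinfo->poolfracbits)
 return;
 
-if (r->limit == 0 && random_min_urandom_seed) {
-unsigned long now = jiffies;
-
-if (time_before(now,
-r->last_pulled + random_min_urandom_seed * HZ))
-return;
-r->last_pulled = now;
-}
-
 _xfer_secondary_pool(r, nbytes);
 }
 
@@ -1209,8 +1236,6 @@
 {
 __u32 tmp[OUTPUT_POOL_WORDS];
 
-/* For /dev/random's pool, always leave two wakeups' worth */
-int rsvd_bytes = r->limit ? 0 : random_read_wakeup_bits / 4;
 int bytes = nbytes;
 
 /* pull at least as much as a wakeup */
@@ -1219,7 +1248,7 @@
 trace_xfer_secondary_pool(r->name, bytes * 8, nbytes * 8,
 ENTROPY_BITS(r), ENTROPY_BITS(r->pull));
 bytes = extract_entropy(r->pull, tmp, bytes,
-random_read_wakeup_bits / 8, rsvd_bytes);
+random_read_wakeup_bits / 8, 0);
 mix_pool_bytes(r, tmp, bytes);
 credit_entropy_bits(r, bytes*8);
 }
@@ -1247,7 +1276,7 @@
 static size_t account(struct entropy_store *r, size_t nbytes, int min,
 int reserved)
 {
-int entropy_count, orig;
+int entropy_count, orig, have_bytes;
 size_t ibytes, nfrac;
 
 BUG_ON(r->entropy_count > r->poolinfo->poolfracbits);
@@ -1256,14 +1285,12 @@
 retry:
 entropy_count = orig = ACCESS_ONCE(r->entropy_count);
 ibytes = nbytes;
-/* If limited, never pull more than available */
-if (r->limit) {
-int have_bytes = entropy_count >> (ENTROPY_SHIFT + 3);
+/* never pull more than available */
+have_bytes = entropy_count >> (ENTROPY_SHIFT + 3);
 
-if ((have_bytes -= reserved) < 0)
-have_bytes = 0;
-ibytes = min_t(size_t, ibytes, have_bytes);
-}
+if ((have_bytes -= reserved) < 0)
+have_bytes = 0;
+ibytes = min_t(size_t, ibytes, have_bytes);
 if (ibytes < min)
 ibytes = 0;
 
@@ -1881,6 +1912,7 @@
 static int min_read_thresh = 8, min_write_thresh;
 static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
 static int max_write_thresh = INPUT_POOL_WORDS * 32;
+static int random_min_urandom_seed = 60;
 static char sysctl_bootid[16];
 
 /*
@@ -2012,63 +2042,64 @@
 };
 #endif /* CONFIG_SYSCTL */
 
-static u32 random_int_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
-
-int random_int_secret_init(void)
-{
-get_random_bytes(random_int_secret, sizeof(random_int_secret));
-return 0;
-}
-
-static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash)
-__aligned(sizeof(unsigned long));
+struct batched_entropy {
+union {
+u64 entropy_u64[CHACHA20_BLOCK_SIZE / sizeof(u64)];
+u32 entropy_u32[CHACHA20_BLOCK_SIZE / sizeof(u32)];
+};
+unsigned int position;
+};
 
 /*
-* Get a random word for internal kernel use only. Similar to urandom but
-* with the goal of minimal entropy pool depletion. As a result, the random
-* value is not cryptographically secure but for several uses the cost of
-* depleting entropy is too high
+* Get a random word for internal kernel use only. The quality of the random
+* number is either as good as RDRAND or as good as /dev/urandom, with the
+* goal of being quite fast and not depleting entropy.
 */
-unsigned int get_random_int(void)
+static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u64);
+u64 get_random_u64(void)
 {
-__u32 *hash;
-unsigned int ret;
+u64 ret;
+struct batched_entropy *batch;
+
+#if BITS_PER_LONG == 64
+if (arch_get_random_long((unsigned long *)&ret))
+return ret;
+#else
+if (arch_get_random_long((unsigned long *)&ret) &&
+arch_get_random_long((unsigned long *)&ret + 1))
+return ret;
+#endif
+
+batch = &get_cpu_var(batched_entropy_u64);
+if (batch->position % ARRAY_SIZE(batch->entropy_u64) == 0) {
+extract_crng((u8 *)batch->entropy_u64);
+batch->position = 0;
+}
+ret = batch->entropy_u64[batch->position++];
+put_cpu_var(batched_entropy_u64);
+return ret;
+}
+EXPORT_SYMBOL(get_random_u64);
+
+static DEFINE_PER_CPU(struct batched_entropy, batched_entropy_u32);
+u32 get_random_u32(void)
+{
+u32 ret;
+struct batched_entropy *batch;
 
 if (arch_get_random_int(&ret))
 return ret;
 
-hash = get_cpu_var(get_random_int_hash);
-
-hash[0] += current->pid + jiffies + random_get_entropy();
-md5_transform(hash, random_int_secret);
-ret = hash[0];
-put_cpu_var(get_random_int_hash);
-
+batch = &get_cpu_var(batched_entropy_u32);
+if (batch->position % ARRAY_SIZE(batch->entropy_u32) == 0) {
+extract_crng((u8 *)batch->entropy_u32);
+batch->position = 0;
+}
+ret = batch->entropy_u32[batch->position++];
+put_cpu_var(batched_entropy_u32);
 return ret;
 }
-EXPORT_SYMBOL(get_random_int);
-
-/*
-* Same as get_random_int(), but returns unsigned long.
-*/
-unsigned long get_random_long(void)
-{
-__u32 *hash;
-unsigned long ret;
-
-if (arch_get_random_long(&ret))
-return ret;
-
-hash = get_cpu_var(get_random_int_hash);
-
-hash[0] += current->pid + jiffies + random_get_entropy();
-md5_transform(hash, random_int_secret);
-ret = *(unsigned long *)hash;
-put_cpu_var(get_random_int_hash);
-
-return ret;
-}
-EXPORT_SYMBOL(get_random_long);
+EXPORT_SYMBOL(get_random_u32);
 
 /**
 * randomize_page - Generate a random, page aligned address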
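Review bot: Nothing in the new get_random_u64()/get_random_u32() bodies discards a per-CPU batch once the CRNG is reseeded, so a batch that extract_crng() filled while crng_init was still low keeps serving up to a full block's worth of values after the CRNG becomes properly seeded; the only refill trigger is `batch->position % ARRAY_SIZE(batch->entropy_u64) == 0`. A per-batch generation number compared against a global that crng_reseed() bumps (or a helper that resets every CPU's position on reseed) would close that, and the same applies to the get_random_u32() body further down. Separately, get_cpu_var() only disables preemption, so if either function can be reached from interrupt context the read-modify-write in `ret = batch->entropy_u64[batch->position++];` can interleave with an interrupted caller on the same CPU and the two could receive the same word; wrapping the batch access in `local_irq_save(flags);` … `local_irq_restore(flags);` (or a per-batch spinlock taken with spin_lock_irqsave()) avoids that. crng_reseed() and extract_crng() are outside the hunk, so whether reseeding already touches these batches cannot be confirmed from here.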
+15 -3
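--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -37,14 +37,26 @@
 extern int add_random_ready_callback(struct random_ready_callback *rdy);
 extern void del_random_ready_callback(struct random_ready_callback *rdy);
 extern void get_random_bytes_arch(void *buf, int nbytes);
-extern int random_int_secret_init(void);
 
 #ifndef MODULE
 extern const struct file_operations random_fops, urandom_fops;
 #endif
 
-unsigned int get_random_int(void);
-unsigned long get_random_long(void);
+u32 get_random_u32(void);
+u64 get_random_u64(void);
+static inline unsigned int get_random_int(void)
+{
+return get_random_u32();
+}
+static inline unsigned long get_random_long(void)
+{
+#if BITS_PER_LONG == 64
+return get_random_u64();
+#else
+return get_random_u32();
+#endif
+}
+
 unsigned long randomize_page(unsigned long start, unsigned long range);
 
 u32 prandom_u32(void);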
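Review bot: The new static inline get_random_int()/get_random_long() wrappers carry no comment saying why they still exist beside get_random_u32()/get_random_u64(), so a reader cannot tell whether they are the preferred API or compatibility shims kept for existing callers. A one-line comment above get_random_int(), e.g. `/* Compatibility wrappers for existing callers; new code should use get_random_u32()/get_random_u64(). */`, would settle that, and it could also state that on 32-bit builds get_random_long() is just get_random_u32(), which the BITS_PER_LONG branch otherwise leaves to be discovered by reading the body.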
-1
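--- a/init/main.c
+++ b/init/main.c
@@ -882,7 +882,6 @@
 do_ctors();
 usermodehelper_enable();
 do_initcalls();
-random_int_secret_init();
 }
 
 static void __init do_pre_smp_initcalls(void)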