review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Jason A. Donenfeld <Jason@zx2c4.com>
	Wed, 29 Dec 2021 21:10:06 +0000 (22:10 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 30 May 2022 07:29:00 +0000 (09:29 +0200)
commit	c4c9081184e9afc59e0a31fb81fd027cbfde4163
tree	4d024485421999f5b732f0ce8be74c97306d654d	tree \| snapshot
parent	1b1258b91757fa294f1f6a6e7302fe3b368e4221	commit \| diff

random: mix bootloader randomness into pool

commit 57826feeedb63b091f807ba8325d736775d39afd upstream.

If we're trusting bootloader randomness, crng_fast_load() is called by
add_hwgenerator_randomness(), which sets us to crng_init==1. However,
usually it is only called once for an initial 64-byte push, so bootloader
entropy will not mix any bytes into the input pool. So it's conceivable
that crng_init==1 when crng_initialize_primary() is called later, but
then the input pool is empty. When that happens, the crng state key will
be overwritten with extracted output from the empty input pool. That's
bad.

In contrast, if we're not trusting bootloader randomness, we call
crng_slow_load() *and* we call mix_pool_bytes(), so that later
crng_initialize_primary() isn't drawing on nothing.

In order to prevent crng_initialize_primary() from extracting an empty
pool, have the trusted bootloader case mirror that of the untrusted
bootloader case, mixing the input into the pool.

[linux@dominikbrodowski.net: rewrite commit message]
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>