From nobody Sun Jun 28 07:37:46 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 52FFDC433F5 for ; Thu, 10 Feb 2022 16:09:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244031AbiBJQJl (ORCPT ); Thu, 10 Feb 2022 11:09:41 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:32970 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244023AbiBJQJi (ORCPT ); Thu, 10 Feb 2022 11:09:38 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9EC21C30 for ; Thu, 10 Feb 2022 08:09:39 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 5F830B82654 for ; Thu, 10 Feb 2022 16:09:38 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9CA86C004E1; Thu, 10 Feb 2022 16:09:36 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="QgM6gCJh" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1644509375; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zpqY/Mn2vcIljnoiofyjjpZnDgag2vvr8ReZa3aKGBs=; b=QgM6gCJhdBI4WnrrR04b6ZAXLyZZF/pD9pC3R2JSZs2Q2nSTB8avTnq7v+gMVm5XTOag0v GR2ESaof2CzFOh3VH04kZT1UBXmwwzmoqKRnjd6q+i8e/2RF/LjussL7jrggUQExe9riuD z0zkcPN1v5JpAKZYT7vPvqXgnVmJuaU= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 407fb4d0 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Thu, 10 Feb 2022 16:09:34 +0000 (UTC) From: "Jason A. Donenfeld" To: linux@dominikbrodowski.net, linux-kernel@vger.kernel.org Cc: "Jason A. Donenfeld" , Theodore Ts'o Subject: [PATCH 1/2] random: move fast_pool/fast_mix definitions to site of use Date: Thu, 10 Feb 2022 17:09:24 +0100 Message-Id: <20220210160925.156697-2-Jason@zx2c4.com> In-Reply-To: <20220210160925.156697-1-Jason@zx2c4.com> References: <20220210160925.156697-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" No actual code changes, just code position changes. Having to scroll up and down by several hundred lines every time is confusing and hard to follow. Instead cluster these together. Later when we're redocumenting the file, it'll mean a smaller delta. Cc: Theodore Ts'o Cc: Dominik Brodowski Signed-off-by: Jason A. Donenfeld --- drivers/char/random.c | 101 +++++++++++++++++++++--------------------- 1 file changed, 51 insertions(+), 50 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 77131f7b0f06..923a8f861437 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -281,45 +281,6 @@ static void mix_pool_bytes(const void *in, size_t nbyt= es) spin_unlock_irqrestore(&input_pool.lock, flags); } =20 -struct fast_pool { - struct work_struct mix; - unsigned long last; - u32 pool[4]; - unsigned int count; - u16 reg_idx; -}; -#define FAST_POOL_MIX_INFLIGHT (1U << 31) - -/* - * This is a fast mixing routine used by the interrupt randomness - * collector. It's hardcoded for an 128 bit pool and assumes that any - * locks that might be needed are taken by the caller. - */ -static void fast_mix(struct fast_pool *f) -{ - u32 a =3D f->pool[0], b =3D f->pool[1]; - u32 c =3D f->pool[2], d =3D f->pool[3]; - - a +=3D b; c +=3D d; - b =3D rol32(b, 6); d =3D rol32(d, 27); - d ^=3D a; b ^=3D c; - - a +=3D b; c +=3D d; - b =3D rol32(b, 16); d =3D rol32(d, 14); - d ^=3D a; b ^=3D c; - - a +=3D b; c +=3D d; - b =3D rol32(b, 6); d =3D rol32(d, 27); - d ^=3D a; b ^=3D c; - - a +=3D b; c +=3D d; - b =3D rol32(b, 16); d =3D rol32(d, 14); - d ^=3D a; b ^=3D c; - - f->pool[0] =3D a; f->pool[1] =3D b; - f->pool[2] =3D c; f->pool[3] =3D d; -} - static void process_random_ready_list(void) { unsigned long flags; @@ -758,6 +719,57 @@ void add_input_randomness(unsigned int type, unsigned = int code, } EXPORT_SYMBOL_GPL(add_input_randomness); =20 +#ifdef CONFIG_BLOCK +void add_disk_randomness(struct gendisk *disk) +{ + if (!disk || !disk->random) + return; + /* first major is 1, so we get >=3D 0x200 here */ + add_timer_randomness(disk->random, 0x100 + disk_devt(disk)); +} +EXPORT_SYMBOL_GPL(add_disk_randomness); +#endif + +struct fast_pool { + struct work_struct mix; + unsigned long last; + u32 pool[4]; + unsigned int count; + u16 reg_idx; +}; +#define FAST_POOL_MIX_INFLIGHT (1U << 31) + +/* + * This is a fast mixing routine used by the interrupt randomness + * collector. It's hardcoded for an 128 bit pool and assumes that any + * locks that might be needed are taken by the caller. + */ +static void fast_mix(struct fast_pool *f) +{ + u32 a =3D f->pool[0], b =3D f->pool[1]; + u32 c =3D f->pool[2], d =3D f->pool[3]; + + a +=3D b; c +=3D d; + b =3D rol32(b, 6); d =3D rol32(d, 27); + d ^=3D a; b ^=3D c; + + a +=3D b; c +=3D d; + b =3D rol32(b, 16); d =3D rol32(d, 14); + d ^=3D a; b ^=3D c; + + a +=3D b; c +=3D d; + b =3D rol32(b, 6); d =3D rol32(d, 27); + d ^=3D a; b ^=3D c; + + a +=3D b; c +=3D d; + b =3D rol32(b, 16); d =3D rol32(d, 14); + d ^=3D a; b ^=3D c; + + f->pool[0] =3D a; f->pool[1] =3D b; + f->pool[2] =3D c; f->pool[3] =3D d; +} + + static DEFINE_PER_CPU(struct fast_pool, irq_randomness); =20 static u32 get_reg(struct fast_pool *f, struct pt_regs *regs) @@ -849,17 +861,6 @@ void add_interrupt_randomness(int irq) } EXPORT_SYMBOL_GPL(add_interrupt_randomness); =20 -#ifdef CONFIG_BLOCK -void add_disk_randomness(struct gendisk *disk) -{ - if (!disk || !disk->random) - return; - /* first major is 1, so we get >=3D 0x200 here */ - add_timer_randomness(disk->random, 0x100 + disk_devt(disk)); -} -EXPORT_SYMBOL_GPL(add_disk_randomness); -#endif - /********************************************************************* * * Entropy extraction routines --=20 2.35.0 From nobody Sun Jun 28 07:37:46 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18D4BC433EF for ; Thu, 10 Feb 2022 16:09:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244042AbiBJQJn (ORCPT ); Thu, 10 Feb 2022 11:09:43 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:32990 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244026AbiBJQJl (ORCPT ); Thu, 10 Feb 2022 11:09:41 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A1C67EB for ; Thu, 10 Feb 2022 08:09:42 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3CEA161D0C for ; Thu, 10 Feb 2022 16:09:42 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4DA9CC004E1; Thu, 10 Feb 2022 16:09:41 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="c/wcIGWb" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1644509380; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=qE60YeWa/s+S2GHC5gb4WBfkI+YE+RQRZu/hdGfvy2s=; b=c/wcIGWb+OoIYMt/QY1g/YqgnpxfJzWTe+Up7z9rk6DTaC7vjk0d+LDDHjAgCwG5tmMQEC ElnDJigftQTzI/tbSHuSZVd7haSqyN4pXD3Vb5ctneXLpoBlGyw+XuB/ff2TYdsN3MImhn FfhSxQjnfbLB5cdO4QB84LKzn7QfaCM= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id f2e38b22 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Thu, 10 Feb 2022 16:09:40 +0000 (UTC) From: "Jason A. Donenfeld" To: linux@dominikbrodowski.net, linux-kernel@vger.kernel.org Cc: "Jason A. Donenfeld" , Theodore Ts'o Subject: [PATCH 2/2] random: deobfuscate irq u32/u64 contributions Date: Thu, 10 Feb 2022 17:09:25 +0100 Message-Id: <20220210160925.156697-3-Jason@zx2c4.com> In-Reply-To: <20220210160925.156697-1-Jason@zx2c4.com> References: <20220210160925.156697-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" In the irq handler, we fill out 16 bytes differently on 32-bit and 64-bit platforms. Whether or not you like that, it is a matter of fact. But it might not be a fact you well realized until now, because the code that loaded the irq info into 4 32-bit words was quite confusing. Instead, this commit makes everything explicit by having separate (compile-time) branches for 32-bit and 64-bit machines. In the process, it exposed a shortcoming in in mix_interrupt_randomness() which we rectify. Cc: Theodore Ts'o Cc: Dominik Brodowski Signed-off-by: Jason A. Donenfeld --- drivers/char/random.c | 54 ++++++++++++++++++++++++------------------- 1 file changed, 30 insertions(+), 24 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 923a8f861437..1eb3c059025b 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -731,9 +731,12 @@ EXPORT_SYMBOL_GPL(add_disk_randomness); #endif =20 struct fast_pool { + union { + u64 pool64[2]; + u32 pool32[4]; + }; struct work_struct mix; unsigned long last; - u32 pool[4]; unsigned int count; u16 reg_idx; }; @@ -744,10 +747,10 @@ struct fast_pool { * collector. It's hardcoded for an 128 bit pool and assumes that any * locks that might be needed are taken by the caller. */ -static void fast_mix(struct fast_pool *f) +static void fast_mix(u32 pool[4]) { - u32 a =3D f->pool[0], b =3D f->pool[1]; - u32 c =3D f->pool[2], d =3D f->pool[3]; + u32 a =3D pool[0], b =3D pool[1]; + u32 c =3D pool[2], d =3D pool[3]; =20 a +=3D b; c +=3D d; b =3D rol32(b, 6); d =3D rol32(d, 27); @@ -765,11 +768,10 @@ static void fast_mix(struct fast_pool *f) b =3D rol32(b, 16); d =3D rol32(d, 14); d ^=3D a; b ^=3D c; =20 - f->pool[0] =3D a; f->pool[1] =3D b; - f->pool[2] =3D c; f->pool[3] =3D d; + pool[0] =3D a; pool[1] =3D b; + pool[2] =3D c; pool[3] =3D d; } =20 - static DEFINE_PER_CPU(struct fast_pool, irq_randomness); =20 static u32 get_reg(struct fast_pool *f, struct pt_regs *regs) @@ -790,15 +792,19 @@ static u32 get_reg(struct fast_pool *f, struct pt_reg= s *regs) static void mix_interrupt_randomness(struct work_struct *work) { struct fast_pool *fast_pool =3D container_of(work, struct fast_pool, mix); - u32 pool[ARRAY_SIZE(fast_pool->pool)]; + u32 pool[ARRAY_SIZE(fast_pool->pool32)]; =20 /* * Since this is the result of a trip through the scheduler, xor in * a cycle counter. It can't hurt, and might help. */ - fast_pool->pool[3] ^=3D random_get_entropy(); + if (sizeof(unsigned long) =3D=3D 8) + fast_pool->pool64[1] ^=3D random_get_entropy(); + else + fast_pool->pool32[3] ^=3D random_get_entropy(); + /* Copy the pool to the stack so that the mixer always has a consistent v= iew. */ - memcpy(pool, fast_pool->pool, sizeof(pool)); + memcpy(pool, fast_pool->pool32, sizeof(pool)); /* We take care to zero out the count only after we're done reading the p= ool. */ WRITE_ONCE(fast_pool->count, 0); fast_pool->last =3D jiffies; @@ -815,26 +821,26 @@ void add_interrupt_randomness(int irq) unsigned long now =3D jiffies; cycles_t cycles =3D random_get_entropy(); unsigned int new_count; - u32 c_high, j_high; - u64 ip; =20 if (cycles =3D=3D 0) cycles =3D get_reg(fast_pool, regs); - c_high =3D (sizeof(cycles) > 4) ? cycles >> 32 : 0; - j_high =3D (sizeof(now) > 4) ? now >> 32 : 0; - fast_pool->pool[0] ^=3D cycles ^ j_high ^ irq; - fast_pool->pool[1] ^=3D now ^ c_high; - ip =3D regs ? instruction_pointer(regs) : _RET_IP_; - fast_pool->pool[2] ^=3D ip; - fast_pool->pool[3] ^=3D - (sizeof(ip) > 4) ? ip >> 32 : get_reg(fast_pool, regs); - - fast_mix(fast_pool); + + if (sizeof(unsigned long) =3D=3D 8) { + fast_pool->pool64[0] ^=3D cycles ^ rol64(now, 32) ^ irq; + fast_pool->pool64[1] ^=3D regs ? instruction_pointer(regs) : _RET_IP_; + } else { + fast_pool->pool32[0] ^=3D cycles ^ irq; + fast_pool->pool32[1] ^=3D now; + fast_pool->pool32[2] ^=3D regs ? instruction_pointer(regs) : _RET_IP_; + fast_pool->pool32[3] ^=3D get_reg(fast_pool, regs); + } + + fast_mix(fast_pool->pool32); new_count =3D ++fast_pool->count; =20 if (unlikely(crng_init =3D=3D 0)) { if (new_count >=3D 64 && - crng_fast_load(fast_pool->pool, sizeof(fast_pool->pool)) > 0) { + crng_fast_load(fast_pool->pool32, sizeof(fast_pool->pool32)) > 0) { fast_pool->count =3D 0; fast_pool->last =3D now; =20 @@ -843,7 +849,7 @@ void add_interrupt_randomness(int irq) * However, this only happens during boot, and then never * again, so we live with it. */ - mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool)); + mix_pool_bytes(&fast_pool->pool32, sizeof(fast_pool->pool32)); } return; } --=20 2.35.0