From nobody Mon Jun 29 08:55:31 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18D92C433EF for ; Sat, 12 Feb 2022 23:10:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232333AbiBLXKo (ORCPT ); Sat, 12 Feb 2022 18:10:44 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:37874 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232328AbiBLXKl (ORCPT ); Sat, 12 Feb 2022 18:10:41 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A77783CFDC for ; Sat, 12 Feb 2022 15:10:36 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4109D60EB5 for ; Sat, 12 Feb 2022 23:10:36 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4FF5CC340E7; Sat, 12 Feb 2022 23:10:35 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="P7afH2mX" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1644707434; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=DrMcdd3SjoJ+OLazLWVd7fj2S+exV5Lv4BE4VyJBDPQ=; b=P7afH2mXlsd6PF1RsgGFUKcseNZwjpUKzG0hK+MMa4wP8m18UbwH1wwwFJKeZOxIR5Iz0D jR60iBS+pPOOqMgQwWraWmhK4U5sIsrkO93ODz9BAyPcAAF8d2lWP9vpEMmiN/VfZYtCkr 2R82ho36w7FgOIMzUa99vOM/vP1LKDA= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id f9e13a61 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Sat, 12 Feb 2022 23:10:34 +0000 (UTC) From: "Jason A. Donenfeld" To: linux-kernel@vger.kernel.org, linux@dominikbrodowski.net Cc: "Jason A. Donenfeld" , Theodore Ts'o Subject: [PATCH 1/3] random: unify early init crng load accounting Date: Sun, 13 Feb 2022 00:10:20 +0100 Message-Id: <20220212231022.679926-2-Jason@zx2c4.com> In-Reply-To: <20220212231022.679926-1-Jason@zx2c4.com> References: <20220212231022.679926-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" crng_fast_load() and crng_slow_load() have different semantics: - crng_fast_load() xors and accounts with crng_init_cnt. - crng_slow_load() hashes and doesn't account. However add_hwgenerator_randomness() can afford to hash (it's called from a kthread), and it should account. Additionally, ones that can afford to hash don't need to take a trylock but can take a normal lock. So, we combine these into one function, crng_pre_init_inject(), which allows us to control these in a uniform way. This will make it simpler later to simplify this all down when the time comes for that. Cc: Dominik Brodowski Cc: Theodore Ts'o Signed-off-by: Jason A. Donenfeld --- drivers/char/random.c | 107 ++++++++++++++++++++++-------------------- 1 file changed, 55 insertions(+), 52 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 8088348190e6..a128bb947bd4 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -423,72 +423,74 @@ static void crng_make_state(u32 chacha_state[CHACHA_S= TATE_WORDS], } =20 /* - * This function is for crng_init < 2 only. + * This function is for crng_init < 2 only. It loads entropy directly + * into the crng's key, without going through the input pool. It is, + * generally speaking, not very safe, but we use this only at early + * boot time when it's better to have something there rather than + * nothing. * - * crng_fast_load() can be called by code in the interrupt service - * path. So we can't afford to dilly-dally. Returns the number of - * bytes processed from cp. + * There are two paths, a slow one and a fast one. The slow one + * hashes the input along with the current key. The fast one simply + * xors it in, and should only be used from interrupt context. + * + * If account is set, then the crng_init_cnt counter is incremented. + * This shouldn't be set by functions like add_device_randomness(), + * where we can't trust the buffer passed to it is guaranteed to be + * unpredictable (so it might not have any entropy at all). + * + * Returns the number of bytes processed from cp, which is bounded by + * CRNG_INIT_CNT_THRESH if account is true. */ -static size_t crng_fast_load(const void *cp, size_t len) +static size_t crng_pre_init_inject(const void *cp, size_t len, + bool fast, bool account) { static int crng_init_cnt =3D 0; unsigned long flags; - u8 *src =3D (u8 *)cp; - size_t ret =3D 0; + const u8 *src =3D cp; + + if (fast) { + if (!spin_trylock_irqsave(&base_crng.lock, flags)) + return 0; + } else + spin_lock_irqsave(&base_crng.lock, flags); =20 - if (!spin_trylock_irqsave(&base_crng.lock, flags)) - return 0; if (crng_init !=3D 0) { spin_unlock_irqrestore(&base_crng.lock, flags); return 0; } - while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) { - base_crng.key[crng_init_cnt % sizeof(base_crng.key)] ^=3D *src; - src++; crng_init_cnt++; len--; ret++; - } - if (crng_init_cnt >=3D CRNG_INIT_CNT_THRESH) { - ++base_crng.generation; - crng_init =3D 1; - } - spin_unlock_irqrestore(&base_crng.lock, flags); - if (crng_init =3D=3D 1) - pr_notice("fast init done\n"); - return ret; -} =20 -/* - * This function is for crng_init < 2 only. - * - * crng_slow_load() is called by add_device_randomness, which has two - * attributes. (1) We can't trust the buffer passed to it is - * guaranteed to be unpredictable (so it might not have any entropy at - * all), and (2) it doesn't have the performance constraints of - * crng_fast_load(). - * - * So, we simply hash the contents in with the current key. Finally, - * we do *not* advance crng_init_cnt since buffer we may get may be - * something like a fixed DMI table (for example), which might very - * well be unique to the machine, but is otherwise unvarying. - */ -static void crng_slow_load(const void *cp, size_t len) -{ - unsigned long flags; - struct blake2s_state hash; + if (account) + len =3D min_t(size_t, len, CRNG_INIT_CNT_THRESH - crng_init_cnt); =20 - blake2s_init(&hash, sizeof(base_crng.key)); + if (fast) { + size_t i; =20 - if (!spin_trylock_irqsave(&base_crng.lock, flags)) - return; - if (crng_init !=3D 0) { - spin_unlock_irqrestore(&base_crng.lock, flags); - return; + for (i =3D 0; i < len; ++i) + base_crng.key[(crng_init_cnt + i) % + sizeof(base_crng.key)] ^=3D *src++; + } else { + struct blake2s_state hash; + + blake2s_init(&hash, sizeof(base_crng.key)); + blake2s_update(&hash, base_crng.key, sizeof(base_crng.key)); + blake2s_update(&hash, cp, len); + blake2s_final(&hash, base_crng.key); } =20 - blake2s_update(&hash, base_crng.key, sizeof(base_crng.key)); - blake2s_update(&hash, cp, len); - blake2s_final(&hash, base_crng.key); + if (account) { + crng_init_cnt +=3D len; + if (crng_init_cnt >=3D CRNG_INIT_CNT_THRESH) { + ++base_crng.generation; + crng_init =3D 1; + } + } =20 spin_unlock_irqrestore(&base_crng.lock, flags); + + if (crng_init =3D=3D 1) + pr_notice("fast init done\n"); + + return len; } =20 static void _get_random_bytes(void *buf, size_t nbytes) @@ -1006,7 +1008,7 @@ void add_device_randomness(const void *buf, size_t si= ze) unsigned long flags; =20 if (!crng_ready() && size) - crng_slow_load(buf, size); + crng_pre_init_inject(buf, size, false, false); =20 spin_lock_irqsave(&input_pool.lock, flags); _mix_pool_bytes(buf, size); @@ -1123,7 +1125,7 @@ void add_hwgenerator_randomness(const void *buffer, s= ize_t count, size_t entropy) { if (unlikely(crng_init =3D=3D 0)) { - size_t ret =3D crng_fast_load(buffer, count); + size_t ret =3D crng_pre_init_inject(buffer, count, false, true); mix_pool_bytes(buffer, ret); count -=3D ret; buffer +=3D ret; @@ -1279,7 +1281,8 @@ void add_interrupt_randomness(int irq) =20 if (unlikely(crng_init =3D=3D 0)) { if (new_count >=3D 64 && - crng_fast_load(fast_pool->pool, sizeof(fast_pool->pool)) > 0) { + crng_pre_init_inject(fast_pool->pool, sizeof(fast_pool->pool), + true, true) > 0) { atomic_set(&fast_pool->count, 0); fast_pool->last =3D now; =20 --=20 2.35.0 From nobody Mon Jun 29 08:55:31 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40168C433FE for ; Sat, 12 Feb 2022 23:10:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232361AbiBLXKq (ORCPT ); Sat, 12 Feb 2022 18:10:46 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:37954 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232324AbiBLXKp (ORCPT ); Sat, 12 Feb 2022 18:10:45 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 55F2241995 for ; Sat, 12 Feb 2022 15:10:41 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CD28A60DEB for ; Sat, 12 Feb 2022 23:10:40 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E3C29C340E7; Sat, 12 Feb 2022 23:10:39 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="GvohszMn" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1644707439; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0PYWzf/LonqCWyCOmLD/U3fj8lGO2iLic0hegNQyL0Y=; b=GvohszMnj9+masX2X1hmMdGe1Aa1dvuZtqCms3/b5ea/zA9U/Mqz4U15gIQMMhkB7pKdyh iH+njQWM2lGMaBVFv25KKRKDc3560t8qm5uBFgJCAfjfMKE8PgaysCQinDzXfle0bxsRvp NeRx6tHA70C7WnOVNhHKb1zJ5XVJVak= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 5e48dabc (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Sat, 12 Feb 2022 23:10:38 +0000 (UTC) From: "Jason A. Donenfeld" To: linux-kernel@vger.kernel.org, linux@dominikbrodowski.net Cc: "Jason A. Donenfeld" , Theodore Ts'o Subject: [PATCH 2/3] random: check for crng_init == 0, not crng_ready() in add_device_randomness() Date: Sun, 13 Feb 2022 00:10:21 +0100 Message-Id: <20220212231022.679926-3-Jason@zx2c4.com> In-Reply-To: <20220212231022.679926-1-Jason@zx2c4.com> References: <20220212231022.679926-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" This has no real functional change, as crng_pre_init_inject() (and before that, crng_slow_init()) always checks for =3D=3D 0, not >=3D 2. So correct the outer unlocked change to reflect that. Cc: Dominik Brodowski Cc: Theodore Ts'o Signed-off-by: Jason A. Donenfeld Reviewed-by: Eric Biggers --- drivers/char/random.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index a128bb947bd4..9a8e1bb9845d 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1007,7 +1007,7 @@ void add_device_randomness(const void *buf, size_t si= ze) unsigned long time =3D random_get_entropy() ^ jiffies; unsigned long flags; =20 - if (!crng_ready() && size) + if (crng_init =3D=3D 0 && size) crng_pre_init_inject(buf, size, false, false); =20 spin_lock_irqsave(&input_pool.lock, flags); --=20 2.35.0 From nobody Mon Jun 29 08:55:31 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82633C433F5 for ; Sat, 12 Feb 2022 23:10:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232372AbiBLXKx (ORCPT ); Sat, 12 Feb 2022 18:10:53 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:38120 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232357AbiBLXKv (ORCPT ); Sat, 12 Feb 2022 18:10:51 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6EC033CFDC for ; Sat, 12 Feb 2022 15:10:47 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 1631BB80761 for ; Sat, 12 Feb 2022 23:10:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 83A13C340E7; Sat, 12 Feb 2022 23:10:44 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="W17lDIFh" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1644707443; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=sdvfLAsU9/N/fGr1+dI8JJUEnNk2YhAvefoKc6v2QBA=; b=W17lDIFhH01yOWrK4Dzoflfhyyvd8ODbztfT5/XLSDIc3+VbwO3HCfLFucR9A6g/2hOnbm xuTPD8ycrPhrfjpaWwdT0v9QGA4WxVPcoQedtK1td9SIbeED7cDJkRGgF8T+h0ZyJ4dF65 Ks1hdVsYYVuTt+rWd1rTS7jFK509s8A= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id ffce0cd2 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Sat, 12 Feb 2022 23:10:43 +0000 (UTC) From: "Jason A. Donenfeld" To: linux-kernel@vger.kernel.org, linux@dominikbrodowski.net Cc: "Jason A. Donenfeld" , Theodore Ts'o Subject: [PATCH 3/3] random: use trylock in irq handler rather than spinning Date: Sun, 13 Feb 2022 00:10:22 +0100 Message-Id: <20220212231022.679926-4-Jason@zx2c4.com> In-Reply-To: <20220212231022.679926-1-Jason@zx2c4.com> References: <20220212231022.679926-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" crng_pre_init_inject() (and prior crng_fast_load()) uses a trylock when in fast mode, so that it never contends. We should be doing the same when grabbing a spinlock for mixing into the entropy pool. So switch to doing that before calling the underscored _mix_pool_bytes(). Cc: Dominik Brodowski Cc: Theodore Ts'o Signed-off-by: Jason A. Donenfeld --- drivers/char/random.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 9a8e1bb9845d..ca224c3f2561 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1286,13 +1286,10 @@ void add_interrupt_randomness(int irq) atomic_set(&fast_pool->count, 0); fast_pool->last =3D now; =20 - /* - * Technically this call means that we're using a spinlock_t - * in the IRQ handler, which isn't terrific for PREEMPT_RT. - * However, this only happens during boot, and then never - * again, so we live with it. - */ - mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool)); + if (spin_trylock(&input_pool.lock)) { + _mix_pool_bytes(&fast_pool->pool, sizeof(fast_pool->pool)); + spin_unlock(&input_pool.lock); + } } return; } --=20 2.35.0