aefde918c3
This is a simple backport of the getrandom syscall. It does not include other changes to the random interface like periodic or late re-seeding which might be necessary to get good random numbers.
335 lines
12 KiB
Diff
335 lines
12 KiB
Diff
From 1c1f660bcb0682a80324e5204a08e59ac93b7a88 Mon Sep 17 00:00:00 2001
|
|
From: Theodore Ts'o <tytso@mit.edu>
|
|
Date: Thu, 17 Jul 2014 04:13:05 -0400
|
|
Subject: [PATCH 1/3] BACKPORT: random: introduce getrandom(2) system call
|
|
|
|
Almost clean cherry pick of c6e9d6f38894798696f23c8084ca7edbf16ee895,
|
|
includes change made by merge 0891ad829d2a0501053703df66029e843e3b8365.
|
|
|
|
The getrandom(2) system call was requested by the LibreSSL Portable
|
|
developers. It is analoguous to the getentropy(2) system call in
|
|
OpenBSD.
|
|
|
|
The rationale of this system call is to provide resiliance against
|
|
file descriptor exhaustion attacks, where the attacker consumes all
|
|
available file descriptors, forcing the use of the fallback code where
|
|
/dev/[u]random is not available. Since the fallback code is often not
|
|
well-tested, it is better to eliminate this potential failure mode
|
|
entirely.
|
|
|
|
The other feature provided by this new system call is the ability to
|
|
request randomness from the /dev/urandom entropy pool, but to block
|
|
until at least 128 bits of entropy has been accumulated in the
|
|
/dev/urandom entropy pool. Historically, the emphasis in the
|
|
/dev/urandom development has been to ensure that urandom pool is
|
|
initialized as quickly as possible after system boot, and preferably
|
|
before the init scripts start execution.
|
|
|
|
This is because changing /dev/urandom reads to block represents an
|
|
interface change that could potentially break userspace which is not
|
|
acceptable. In practice, on most x86 desktop and server systems, in
|
|
general the entropy pool can be initialized before it is needed (and
|
|
in modern kernels, we will printk a warning message if not). However,
|
|
on an embedded system, this may not be the case. And so with this new
|
|
interface, we can provide the functionality of blocking until the
|
|
urandom pool has been initialized. Any userspace program which uses
|
|
this new functionality must take care to assure that if it is used
|
|
during the boot process, that it will not cause the init scripts or
|
|
other portions of the system startup to hang indefinitely.
|
|
|
|
SYNOPSIS
|
|
#include <linux/random.h>
|
|
|
|
int getrandom(void *buf, size_t buflen, unsigned int flags);
|
|
|
|
DESCRIPTION
|
|
The system call getrandom() fills the buffer pointed to by buf
|
|
with up to buflen random bytes which can be used to seed user
|
|
space random number generators (i.e., DRBG's) or for other
|
|
cryptographic uses. It should not be used for Monte Carlo
|
|
simulations or other programs/algorithms which are doing
|
|
probabilistic sampling.
|
|
|
|
If the GRND_RANDOM flags bit is set, then draw from the
|
|
/dev/random pool instead of the /dev/urandom pool. The
|
|
/dev/random pool is limited based on the entropy that can be
|
|
obtained from environmental noise, so if there is insufficient
|
|
entropy, the requested number of bytes may not be returned.
|
|
If there is no entropy available at all, getrandom(2) will
|
|
either block, or return an error with errno set to EAGAIN if
|
|
the GRND_NONBLOCK bit is set in flags.
|
|
|
|
If the GRND_RANDOM bit is not set, then the /dev/urandom pool
|
|
will be used. Unlike using read(2) to fetch data from
|
|
/dev/urandom, if the urandom pool has not been sufficiently
|
|
initialized, getrandom(2) will block (or return -1 with the
|
|
errno set to EAGAIN if the GRND_NONBLOCK bit is set in flags).
|
|
|
|
The getentropy(2) system call in OpenBSD can be emulated using
|
|
the following function:
|
|
|
|
int getentropy(void *buf, size_t buflen)
|
|
{
|
|
int ret;
|
|
|
|
if (buflen > 256)
|
|
goto failure;
|
|
ret = getrandom(buf, buflen, 0);
|
|
if (ret < 0)
|
|
return ret;
|
|
if (ret == buflen)
|
|
return 0;
|
|
failure:
|
|
errno = EIO;
|
|
return -1;
|
|
}
|
|
|
|
RETURN VALUE
|
|
On success, the number of bytes that was filled in the buf is
|
|
returned. This may not be all the bytes requested by the
|
|
caller via buflen if insufficient entropy was present in the
|
|
/dev/random pool, or if the system call was interrupted by a
|
|
signal.
|
|
|
|
On error, -1 is returned, and errno is set appropriately.
|
|
|
|
ERRORS
|
|
EINVAL An invalid flag was passed to getrandom(2)
|
|
|
|
EFAULT buf is outside the accessible address space.
|
|
|
|
EAGAIN The requested entropy was not available, and
|
|
getentropy(2) would have blocked if the
|
|
GRND_NONBLOCK flag was not set.
|
|
|
|
EINTR While blocked waiting for entropy, the call was
|
|
interrupted by a signal handler; see the description
|
|
of how interrupted read(2) calls on "slow" devices
|
|
are handled with and without the SA_RESTART flag
|
|
in the signal(7) man page.
|
|
|
|
NOTES
|
|
For small requests (buflen <= 256) getrandom(2) will not
|
|
return EINTR when reading from the urandom pool once the
|
|
entropy pool has been initialized, and it will return all of
|
|
the bytes that have been requested. This is the recommended
|
|
way to use getrandom(2), and is designed for compatibility
|
|
with OpenBSD's getentropy() system call.
|
|
|
|
However, if you are using GRND_RANDOM, then getrandom(2) may
|
|
block until the entropy accounting determines that sufficient
|
|
environmental noise has been gathered such that getrandom(2)
|
|
will be operating as a NRBG instead of a DRBG for those people
|
|
who are working in the NIST SP 800-90 regime. Since it may
|
|
block for a long time, these guarantees do *not* apply. The
|
|
user may want to interrupt a hanging process using a signal,
|
|
so blocking until all of the requested bytes are returned
|
|
would be unfriendly.
|
|
|
|
For this reason, the user of getrandom(2) MUST always check
|
|
the return value, in case it returns some error, or if fewer
|
|
bytes than requested was returned. In the case of
|
|
!GRND_RANDOM and small request, the latter should never
|
|
happen, but the careful userspace code (and all crypto code
|
|
should be careful) should check for this anyway!
|
|
|
|
Finally, unless you are doing long-term key generation (and
|
|
perhaps not even then), you probably shouldn't be using
|
|
GRND_RANDOM. The cryptographic algorithms used for
|
|
/dev/urandom are quite conservative, and so should be
|
|
sufficient for all purposes. The disadvantage of GRND_RANDOM
|
|
is that it can block, and the increased complexity required to
|
|
deal with partially fulfilled getrandom(2) requests.
|
|
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Reviewed-by: Zach Brown <zab@zabbo.net>
|
|
|
|
Bug: http://b/29621447
|
|
Change-Id: I189ba74070dd6d918b0fdf83ff30bb74ec0f7556
|
|
(cherry picked from commit 4af712e8df998475736f3e2727701bd31e3751a9)
|
|
[flex1911]: backport to 3.4
|
|
[michitux]: backport to 3.0, remove x86 support
|
|
---
|
|
drivers/char/random.c | 52 +++++++++++++++++++++++++++++++-----
|
|
include/asm-generic/unistd.h | 4 ++-
|
|
include/linux/random.h | 9 +++++++
|
|
include/linux/syscalls.h | 3 +++
|
|
4 files changed, 60 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/drivers/char/random.c b/drivers/char/random.c
|
|
index e7e479c84233..8d09b53c9102 100644
|
|
--- a/drivers/char/random.c
|
|
+++ b/drivers/char/random.c
|
|
@@ -255,6 +255,8 @@
|
|
#include <linux/fips.h>
|
|
#include <linux/ptrace.h>
|
|
#include <linux/kmemcheck.h>
|
|
+#include <linux/syscalls.h>
|
|
+#include <linux/completion.h>
|
|
|
|
#ifdef CONFIG_GENERIC_HARDIRQS
|
|
# include <linux/irq.h>
|
|
@@ -397,6 +399,7 @@ static struct poolinfo {
|
|
*/
|
|
static DECLARE_WAIT_QUEUE_HEAD(random_read_wait);
|
|
static DECLARE_WAIT_QUEUE_HEAD(random_write_wait);
|
|
+static DECLARE_WAIT_QUEUE_HEAD(urandom_init_wait);
|
|
static struct fasync_struct *fasync;
|
|
|
|
#if 0
|
|
@@ -607,10 +610,14 @@ retry:
|
|
if (cmpxchg(&r->entropy_count, orig, entropy_count) != orig)
|
|
goto retry;
|
|
|
|
- if (!r->initialized && nbits > 0) {
|
|
- r->entropy_total += nbits;
|
|
- if (r->entropy_total > 128)
|
|
- r->initialized = 1;
|
|
+ r->entropy_total += nbits;
|
|
+ if (!r->initialized && r->entropy_total > 128) {
|
|
+ r->initialized = 1;
|
|
+ r->entropy_total = 0;
|
|
+ if (r == &nonblocking_pool) {
|
|
+ wake_up_interruptible(&urandom_init_wait);
|
|
+ pr_notice("random: %s pool is initialized\n", r->name);
|
|
+ }
|
|
}
|
|
|
|
trace_credit_entropy_bits(r->name, nbits, entropy_count,
|
|
@@ -957,6 +964,7 @@ static ssize_t extract_entropy(struct entropy_store *r, void *buf,
|
|
ssize_t ret = 0, i;
|
|
__u8 tmp[EXTRACT_SIZE];
|
|
|
|
+
|
|
trace_extract_entropy(r->name, nbytes, r->entropy_count, _RET_IP_);
|
|
xfer_secondary_pool(r, nbytes);
|
|
nbytes = account(r, nbytes, min, reserved);
|
|
@@ -991,13 +999,14 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
|
|
{
|
|
ssize_t ret = 0, i;
|
|
__u8 tmp[EXTRACT_SIZE];
|
|
+ int large_request = (nbytes > 256);
|
|
|
|
trace_extract_entropy_user(r->name, nbytes, r->entropy_count, _RET_IP_);
|
|
xfer_secondary_pool(r, nbytes);
|
|
nbytes = account(r, nbytes, 0, 0);
|
|
|
|
while (nbytes) {
|
|
- if (need_resched()) {
|
|
+ if (large_request && need_resched()) {
|
|
if (signal_pending(current)) {
|
|
if (ret == 0)
|
|
ret = -ERESTARTSYS;
|
|
@@ -1130,7 +1139,7 @@ void rand_initialize_disk(struct gendisk *disk)
|
|
#endif
|
|
|
|
static ssize_t
|
|
-random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
|
|
+_random_read(int nonblock, char __user *buf, size_t nbytes)
|
|
{
|
|
ssize_t n, retval = 0, count = 0;
|
|
|
|
@@ -1150,7 +1159,7 @@ random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
|
|
n*8, (nbytes-n)*8);
|
|
|
|
if (n == 0) {
|
|
- if (file->f_flags & O_NONBLOCK) {
|
|
+ if (nonblock) {
|
|
retval = -EAGAIN;
|
|
break;
|
|
}
|
|
@@ -1185,6 +1194,12 @@ random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
|
|
return (count ? count : retval);
|
|
}
|
|
|
|
+static ssize_t
|
|
+random_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
|
|
+{
|
|
+ return _random_read(file->f_flags & O_NONBLOCK, buf, nbytes);
|
|
+}
|
|
+
|
|
static ssize_t
|
|
urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos)
|
|
{
|
|
@@ -1311,6 +1326,29 @@ const struct file_operations urandom_fops = {
|
|
.llseek = noop_llseek,
|
|
};
|
|
|
|
+SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count,
|
|
+ unsigned int, flags)
|
|
+{
|
|
+ if (flags & ~(GRND_NONBLOCK|GRND_RANDOM))
|
|
+ return -EINVAL;
|
|
+
|
|
+ if (count > INT_MAX)
|
|
+ count = INT_MAX;
|
|
+
|
|
+ if (flags & GRND_RANDOM)
|
|
+ return _random_read(flags & GRND_NONBLOCK, buf, count);
|
|
+
|
|
+ if (unlikely(nonblocking_pool.initialized == 0)) {
|
|
+ if (flags & GRND_NONBLOCK)
|
|
+ return -EAGAIN;
|
|
+ wait_event_interruptible(urandom_init_wait,
|
|
+ nonblocking_pool.initialized);
|
|
+ if (signal_pending(current))
|
|
+ return -ERESTARTSYS;
|
|
+ }
|
|
+ return urandom_read(NULL, buf, count, NULL);
|
|
+}
|
|
+
|
|
/***************************************************************
|
|
* Random UUID interface
|
|
*
|
|
diff --git a/include/asm-generic/unistd.h b/include/asm-generic/unistd.h
|
|
index 5518963e38b0..4eeff0f900ac 100644
|
|
--- a/include/asm-generic/unistd.h
|
|
+++ b/include/asm-generic/unistd.h
|
|
@@ -685,9 +685,11 @@ __SYSCALL(__NR_syncfs, sys_syncfs)
|
|
__SYSCALL(__NR_setns, sys_setns)
|
|
#define __NR_sendmmsg 269
|
|
__SC_COMP(__NR_sendmmsg, sys_sendmmsg, compat_sys_sendmmsg)
|
|
+#define __NR_getrandom 278
|
|
+__SYSCALL(__NR_getrandom, sys_getrandom)
|
|
|
|
#undef __NR_syscalls
|
|
-#define __NR_syscalls 270
|
|
+#define __NR_syscalls 279
|
|
|
|
/*
|
|
* All syscalls below here should go away really,
|
|
diff --git a/include/linux/random.h b/include/linux/random.h
|
|
index 7e58ad27b7ff..788834fb7969 100644
|
|
--- a/include/linux/random.h
|
|
+++ b/include/linux/random.h
|
|
@@ -46,6 +46,15 @@ struct rnd_state {
|
|
|
|
/* Exported functions */
|
|
|
|
+/*
|
|
+ * Flags for getrandom(2)
|
|
+ *
|
|
+ * GRND_NONBLOCK Don't block and return EAGAIN instead
|
|
+ * GRND_RANDOM Use the /dev/random pool instead of /dev/urandom
|
|
+ */
|
|
+#define GRND_NONBLOCK 0x0001
|
|
+#define GRND_RANDOM 0x0002
|
|
+
|
|
#ifdef __KERNEL__
|
|
|
|
extern void add_device_randomness(const void *, unsigned int);
|
|
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
|
|
index 8c03b98df5f9..6935b215e34c 100644
|
|
--- a/include/linux/syscalls.h
|
|
+++ b/include/linux/syscalls.h
|
|
@@ -847,4 +847,7 @@ asmlinkage long sys_open_by_handle_at(int mountdirfd,
|
|
struct file_handle __user *handle,
|
|
int flags);
|
|
asmlinkage long sys_setns(int fd, int nstype);
|
|
+asmlinkage long sys_getrandom(char __user *buf, size_t count,
|
|
+ unsigned int flags);
|
|
+
|
|
#endif
|
|
--
|
|
2.19.0
|
|
|