Re: [PATCH] random: skip fast_init if hwrng provides large chunk of entropy

From: Jason A. Donenfeld
Date: Tue Mar 22 2022 - 13:26:17 EST

Next message: Willy Tarreau: "Re: [RFC PATCH v2 2/8] tools/nolibc: Remove .global _start from the entry point code"
Previous message: Maxim Levitsky: "[PATCH 6/8] kvm: x86: SVM: remove unused defines"
In reply to: Dominik Brodowski: "Re: [PATCH] random: skip fast_init if hwrng provides large chunk of entropy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Dominik,

On Tue, Mar 22, 2022 at 12:45 AM Dominik Brodowski
<linux@xxxxxxxxxxxxxxxxxxxx> wrote:
> Well, so far, we need 64 bytes input to the fast init stage, and then
> further 32 bytes of randomness to proceed to full init, and we used to mix
> the former into the latter, which provided for some sort of extra margin.
> But as we don't seem to do that any more (mixing some of base_crng back into
> the input_pool), that exercise may have become pointless.

"Some extra margin" but you're comparing 512 bits to 768 bits? That
makes no sense. 256 bits alone would be sufficient here. The whole
point of CONFIG_RANDOM_TRUST_BOOTLOADER=y is that the kernel builder
has chosen to trust the seed that comes from the bootloader. If it's
not trusted, then it goes through add_device_randomness(), which
doesn't have anything to do with fast init or the main init.

The purpose of "fast init" being separate from the full thing is so
that you can't brute force inputs bit by bit. Having a massive tranche
of 512 bits of entropy makes that brute forcing impossible; therefore
it doesn't make sense to do the fast init thing in that case.

Jason

Next message: Willy Tarreau: "Re: [RFC PATCH v2 2/8] tools/nolibc: Remove .global _start from the entry point code"
Previous message: Maxim Levitsky: "[PATCH 6/8] kvm: x86: SVM: remove unused defines"
In reply to: Dominik Brodowski: "Re: [PATCH] random: skip fast_init if hwrng provides large chunk of entropy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]