Re: [PATCH v5] x86/coco: Require seeding RNG with RDRAND on CoCo systems

From: Borislav Petkov
Date: Tue Mar 26 2024 - 07:22:15 EST

Next message: Simon Horman: "Re: [PATCH V4 net 2/3] net: hns3: fix kernel crash when devlink reload during pf initialization"
Previous message: Takashi Iwai: "Re: [PATCH v2][next] ALSA: firewire-lib: Avoid -Wflex-array-member-not-at-end warning"
Next in thread: Jason A. Donenfeld: "[PATCH v6] x86/coco: Require seeding RNG with RDRAND on CoCo systems"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Feb 24, 2024 at 02:18:56AM +0100, Jason A. Donenfeld wrote:
> +__init void cc_random_init(void)
> +{
> + /*
> + * The seed is 32 bytes (in units of longs), which is 256 bits, which
> + * is the security level that the RNG is targeting.
> + */
> + unsigned long rng_seed[32 / sizeof(long)];
> + size_t i, longs;
> +
> + if (!cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT))
> + return;
> +
> + /*
> + * Since the CoCo threat model includes the host, the only reliable
> + * source of entropy that can be neither observed nor manipulated is
> + * RDRAND. Usually, RDRAND failure is considered tolerable, but since
> + * CoCo guests have no other unobservable source of entropy, it's
> + * important to at least ensure the RNG gets some initial random seeds.
> + */
> + for (i = 0; i < ARRAY_SIZE(rng_seed); i += longs) {
> + longs = arch_get_random_longs(&rng_seed[i], ARRAY_SIZE(rng_seed) - i);
> +
> + /*
> + * A zero return value means that the guest doesn't have RDRAND
> + * or the CPU is physically broken, and in both cases that
> + * means most crypto inside of the CoCo instance will be
> + * broken, defeating the purpose of CoCo in the first place. So
> + * just panic here because it's absolutely unsafe to continue
> + * executing.
> + */
> + if (longs == 0)
> + panic("RDRAND is defective.");
> + }
> + add_device_randomness(rng_seed, sizeof(rng_seed));
> + memzero_explicit(rng_seed, sizeof(rng_seed));

Please redo your patch ontop of latest tip/master:

arch/x86/coco/core.c: In function ‘cc_random_init’:
arch/x86/coco/core.c:189:9: error: implicit declaration of function ‘memzero_explicit’ [-Werror=implicit-function-declaration]
189 | memzero_explicit(rng_seed, sizeof(rng_seed));
| ^~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
make[4]: *** [scripts/Makefile.build:244: arch/x86/coco/core.o] Error 1
make[3]: *** [scripts/Makefile.build:485: arch/x86/coco] Error 2
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [scripts/Makefile.build:485: arch/x86] Error 2
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [/mnt/kernel/kernel/2nd/linux/Makefile:1919: .] Error 2
make: *** [Makefile:240: __sub-make] Error 2

Thx.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Next message: Simon Horman: "Re: [PATCH V4 net 2/3] net: hns3: fix kernel crash when devlink reload during pf initialization"
Previous message: Takashi Iwai: "Re: [PATCH v2][next] ALSA: firewire-lib: Avoid -Wflex-array-member-not-at-end warning"
Next in thread: Jason A. Donenfeld: "[PATCH v6] x86/coco: Require seeding RNG with RDRAND on CoCo systems"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]