• Jason A. Donenfeld's avatar
    random: simplify entropy debiting · 9c07f578
    Jason A. Donenfeld authored
    Our pool is 256 bits, and we only ever use all of it or don't use it at
    all, which is decided by whether or not it has at least 128 bits in it.
    So we can drastically simplify the accounting and cmpxchg loop to do
    exactly this.  While we're at it, we move the minimum bit size into a
    constant so it can be shared between the two places where it matters.
    
    The reason we want any of this is for the case in which an attacker has
    compromised the current state, and then bruteforces small amounts of
    entropy added to it. By demanding a particular minimum amount of entropy
    be present before reseeding, we make that bruteforcing difficult.
    
    Note that this rationale no longer includes anything about /dev/random
    blocking at the right moment, since /dev/random no longer blocks (except
    for at ~boot), but rather uses the crng. In a former life, /dev/random
    was different and therefore required a more nuanced account(), but this
    is no longer.
    
    Behaviorally, nothing changes here. This is just a simplification of
    the code.
    
    Cc: Theodore Ts'o <tytso@mit.edu>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Reviewed-by: default avatarEric Biggers <ebiggers@google.com>
    Reviewed-by: default avatarDominik Brodowski <linux@dominikbrodowski.net>
    Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
    9c07f578
random.c 56.3 KB