    random: invalidate batched entropy after crng init · b169c13d
    Jason A. Donenfeld authored
    It's possible that get_random_{u32,u64} is used before the crng has
    initialized, in which case, its output might not be cryptographically
    secure. For this problem, directly, this patch set is introducing the
    *_wait variety of functions, but even with that, there's a subtle issue:
    what happens to our batched entropy that was generated before
    initialization. Prior to this commit, it'd stick around, supplying bad
    numbers. After this commit, we force the entropy to be re-extracted
    after each phase of the crng has initialized.
    
    In order to avoid a race condition with the position counter, we
    introduce a simple rwlock for this invalidation. Since it's only during
    this awkward transition period, after things are all set up, we stop
    using it, so that it doesn't have an impact on performance.
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org  # v4.11+
random.c 62.1 KB
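
The stale-batch problem the commit message describes, as an added userspace model (not the kernel's code and not part of the original commit): words are extracted in batches, and without invalidation a batch filled before initialization keeps being served afterwards. All names here are hypothetical, each word is tagged with the init level it was extracted at so staleness can be counted, and the model is single-threaded, so the rwlock that guards the position counter in the commit is omitted.

```c
#include <stdint.h>
#include <stdio.h>

#define BATCH_WORDS 8

/* Model state (hypothetical names): 0 = unseeded, 1 and 2 = later init phases. */
static int crng_init_level;
static uint32_t extract_counter;

struct batch {
    uint32_t words[BATCH_WORDS];
    unsigned position;
};

/* Stand-in for extraction: tag each word with the init level it was made at. */
static void extract(struct batch *b)
{
    for (unsigned i = 0; i < BATCH_WORDS; i++)
        b->words[i] = ((uint32_t)crng_init_level << 24) | (extract_counter++ & 0xffffff);
}

static uint32_t get_u32(struct batch *b)
{
    if (b->position % BATCH_WORDS == 0) {  /* batch empty or used up: refill */
        extract(b);
        b->position = 0;
    }
    return b->words[b->position++];
}

/* Phase change; with invalidate set, the leftover batch is discarded. */
static void crng_set_level(struct batch *b, int level, int invalidate)
{
    crng_init_level = level;
    if (invalidate)
        b->position = 0;  /* next get_u32() re-extracts at the new level */
}

/* Count words served after full init that were extracted before it. */
static int stale_words_after_init(int invalidate)
{
    struct batch b = { .position = 0 };
    int stale = 0;

    crng_init_level = 0;
    extract_counter = 0;
    (void)get_u32(&b);                  /* early caller fills the batch */
    crng_set_level(&b, 1, invalidate);
    (void)get_u32(&b);
    crng_set_level(&b, 2, invalidate);
    for (int i = 0; i < BATCH_WORDS; i++)
        stale += (get_u32(&b) >> 24) < 2;
    return stale;
}

int main(void)
{
    printf("stale words without invalidation: %d\n", stale_words_after_init(0));
    printf("stale words with invalidation:    %d\n", stale_words_after_init(1));
    return 0;
}
```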