1. 06 Apr, 2023 2 commits
    • Herbert Xu's avatar
      crypto: drbg - Only fail when jent is unavailable in FIPS mode · 686cd976
      Herbert Xu authored
      When jent initialisation fails for any reason other than ENOENT,
      the entire drbg fails to initialise, even when we're not in FIPS
      mode.  This is wrong because we can still use the kernel RNG when
      we're not in FIPS mode.
      
      Change it so that it only fails when we are in FIPS mode.
      
      Fixes: 57225e67 ("crypto: drbg - Use callback API for random readiness")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Reviewed-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      686cd976
    • Stephan Müller's avatar
      crypto: jitter - permanent and intermittent health errors · 3fde2fe9
      Stephan Müller authored
      According to SP800-90B, two health failures are allowed: the intermittend
      and the permanent failure. So far, only the intermittent failure was
      implemented. The permanent failure was achieved by resetting the entire
      entropy source including its health test state and waiting for two or
      more back-to-back health errors.
      
      This approach is appropriate for RCT, but not for APT as APT has a
      non-linear cutoff value. Thus, this patch implements 2 cutoff values
      for both RCT/APT. This implies that the health state is left untouched
      when an intermittent failure occurs. The noise source is reset
      and a new APT powerup-self test is performed. Yet, whith the unchanged
      health test state, the counting of failures continues until a permanent
      failure is reached.
      
      Any non-failing raw entropy value causes the health tests to reset.
      
      The intermittent error has an unchanged significance level of 2^-30.
      The permanent error has a significance level of 2^-60. Considering that
      this level also indicates a false-positive rate (see SP800-90B section 4.2)
      a false-positive must only be incurred with a low probability when
      considering a fleet of Linux kernels as a whole. Hitting the permanent
      error may cause a panic(), the following calculation applies: Assuming
      that a fleet of 10^9 Linux kernels run concurrently with this patch in
      FIPS mode and on each kernel 2 health tests are performed every minute
      for one year, the chances of a false positive is about 1:1000
      based on the binomial distribution.
      
      In addition, any power-up health test errors triggered with
      jent_entropy_init are treated as permanent errors.
      
      A permanent failure causes the entire entropy source to permanently
      return an error. This implies that a caller can only remedy the situation
      by re-allocating a new instance of the Jitter RNG. In a subsequent
      patch, a transparent re-allocation will be provided which also changes
      the implied heuristic entropy assessment.
      
      In addition, when the kernel is booted with fips=1, the Jitter RNG
      is defined to be part of a FIPS module. The permanent error of the
      Jitter RNG is translated as a FIPS module error. In this case, the entire
      FIPS module must cease operation. This is implemented in the kernel by
      invoking panic().
      
      The patch also fixes an off-by-one in the RCT cutoff value which is now
      set to 30 instead of 31. This is because the counting of the values
      starts with 0.
      Reviewed-by: default avatarVladis Dronov <vdronov@redhat.com>
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Reviewed-by: default avatarMarcelo Henrique Cerri <marcelo.cerri@canonical.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      3fde2fe9
  2. 31 Mar, 2023 5 commits
  3. 24 Mar, 2023 13 commits
  4. 17 Mar, 2023 20 commits