[PATCH 0/2] Use RNG to get random behaviour

From: Matthias Brugger mbrugger@suse.com
For now bootp and uuid code use a weak seed for generating random data. U-Boot has support for RNG devices now, so we should change the code to use them if they are present. This will help mitigate issues like the one seen in CVE-2019-11690.
Matthias Brugger (2): lib: uuid: use RNG device if present net: Use NDRNG device in srand_mac()
lib/uuid.c | 20 +++++++++++++++++--- net/net_rand.h | 18 +++++++++++++++++- 2 files changed, 34 insertions(+), 4 deletions(-)

From: Matthias Brugger mbrugger@suse.com
When calculating a random UUID we use a weak seed. Use a RNG device if present to increase entropy.
Signed-off-by: Matthias Brugger mbrugger@suse.com ---
lib/uuid.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/lib/uuid.c b/lib/uuid.c
index e62d5ca264..219d4b7767 100644
--- a/lib/uuid.c
+++ b/lib/uuid.c
@@ -15,6 +15,7 @@
 #include <asm/io.h>
 #include <part_efi.h>
 #include <malloc.h>
+#include <rng.h>
 /*
 * UUID - Universally Unique IDentifier - 128 bits unique number.
@@ -249,9 +250,22 @@ void gen_rand_uuid(unsigned char *uuid_bin)
 {
 u32 ptr[4];
 struct uuid *uuid = (struct uuid *)ptr;
- int i;
-
- srand(get_ticks() + rand());
+ int i, ret;
+ struct udevice *devp;
+ u8 randv = 0;
+
+#if defined(CONFIG_DM_RNG)
+ ret = uclass_get_device(UCLASS_RNG, 0, &devp);
+ if (ret) {
+ ret = dm_rng_read(dev, randv, sizeof(randv));
+ if (ret < 0)
+ randv = 0;
+ }
+ if (randv)
+ srand(randv);
+ else
+#endif
+ srand(get_ticks() + rand());
 /* Set all fields randomly */
 for (i = 0; i < 4; i++)
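Review bot: The `if (ret)` guard after `uclass_get_device(UCLASS_RNG, 0, &devp)` looks inverted: that call returns 0 on success, so the RNG is read only when the device lookup failed and a working device is never used; it should be `if (!ret) {`. The same condition appears in the `srand_mac()` hunk of net/net_rand.h. Separately, `u8 randv` leaves only 255 usable seed values (zero is treated as failure), so UUIDs seeded from the RNG could be enumerated more easily than with the tick-based seed being replaced; `u32 randv = 0;`, as in the net patch, would at least fill the `srand()` argument. `ret` and `devp` are declared outside the `#if` and will be unused when CONFIG_DM_RNG is not set. The body of `gen_rand_uuid()` continues past the end of this hunk.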

On Wed, 16 Dec 2020 11:41:16 +0100 matthias.bgg@kernel.org wrote:
@@ -249,9 +250,22 @@ void gen_rand_uuid(unsigned char *uuid_bin) { u32 ptr[4]; struct uuid *uuid = (struct uuid *)ptr;
- int i;
- srand(get_ticks() + rand());
- int i, ret;
- struct udevice *devp;
- u8 randv = 0;
+#if defined(CONFIG_DM_RNG)
- ret = uclass_get_device(UCLASS_RNG, 0, &devp);
- if (ret) {
ret = dm_rng_read(dev, randv, sizeof(randv));
^ ^ same as patch 2/2
if (ret < 0)
randv = 0;
- }
- if (randv)
srand(randv);
- else
+#endif
srand(get_ticks() + rand());
/* Set all fields randomly */ for (i = 0; i < 4; i++)

From: Matthias Brugger mbrugger@suse.com
When calling srand_mac we use a weak seed dependent on the mac address. If present, use a RNG device instead to increase entropy.
Signed-off-by: Matthias Brugger mbrugger@suse.com
---
net/net_rand.h | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/net/net_rand.h b/net/net_rand.h
index 4bf9bd817e..600c3d825e 100644
--- a/net/net_rand.h
+++ b/net/net_rand.h
@@ -10,6 +10,7 @@
 #define __NET_RAND_H__
 #include <common.h>
+#include <rng.h>
 /*
 * Return a seed for the PRNG derived from the eth0 MAC address.
@@ -37,7 +38,22 @@ static inline unsigned int seed_mac(void)
 */
 static inline void srand_mac(void)
 {
- srand(seed_mac());
+#if defined(CONFIG_DM_RNG)
+ int ret;
+ struct udevice *devp;
+ u32 randv = 0;
+
+ ret = uclass_get_device(UCLASS_RNG, 0, &devp);
+ if (ret) {
+ ret = dm_rng_read(dev, randv, sizeof(randv));
+ if (ret < 0)
+ randv = 0;
+ }
+ if (randv)
+ srand(randv);
+ else
+#endif
+ srand(seed_mac());
 }
 #endif /* __NET_RAND_H__ */
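Review bot: The fallback in `srand_mac()` is chosen by testing `randv` instead of the result of the read, and the `else` left dangling before `#endif` works only because the next statement happens to be the fallback call. Tracking the outcome in `ret` and returning early is harder to break in a later edit: once both calls have succeeded, `if (!ret) { srand(randv); return; }` inside the `#if` block, followed by an unconditional `srand(seed_mac());`. A comment such as `/* MAC-derived seed is predictable; used only when no RNG device is available */` above the fallback would record why the two paths differ in strength.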

On Wed, 16 Dec 2020 11:41:17 +0100 matthias.bgg@kernel.org wrote:
From: Matthias Brugger mbrugger@suse.com
When calling srand_mac we use a weak seed dependent on the mac address. If present, use a RNG device instead to incerase entropy.
Signed-off-by: Matthias Brugger mbrugger@suse.com
net/net_rand.h | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/net/net_rand.h b/net/net_rand.h index 4bf9bd817e..600c3d825e 100644 --- a/net/net_rand.h +++ b/net/net_rand.h @@ -10,6 +10,7 @@ #define __NET_RAND_H__
#include <common.h> +#include <rng.h>
/*
- Return a seed for the PRNG derived from the eth0 MAC address.
@@ -37,7 +38,22 @@ static inline unsigned int seed_mac(void) */ static inline void srand_mac(void) {
- srand(seed_mac());
+#if defined(CONFIG_DM_RNG)
- int ret;
- struct udevice *devp;
- u32 randv = 0;
- ret = uclass_get_device(UCLASS_RNG, 0, &devp);
- if (ret) {
ret = dm_rng_read(dev, randv, sizeof(randv));
Haven't tested this (yet), but shouldn't this be ret = dm_rng_read(devp, &randv, sizeof(randv)); ^ ^ ?
if (ret < 0)
randv = 0;
- }
- if (randv)
srand(randv);
- else
+#endif
srand(seed_mac());
}
#endif /* __NET_RAND_H__ */

On 16/12/2020 14:20, Torsten Duwe wrote:
On Wed, 16 Dec 2020 11:41:17 +0100 matthias.bgg@kernel.org wrote:
From: Matthias Brugger mbrugger@suse.com
When calling srand_mac we use a weak seed dependent on the mac address. If present, use a RNG device instead to incerase entropy.
Signed-off-by: Matthias Brugger mbrugger@suse.com
net/net_rand.h | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/net/net_rand.h b/net/net_rand.h index 4bf9bd817e..600c3d825e 100644 --- a/net/net_rand.h +++ b/net/net_rand.h @@ -10,6 +10,7 @@ #define __NET_RAND_H__
#include <common.h> +#include <rng.h>
/*
- Return a seed for the PRNG derived from the eth0 MAC address.
@@ -37,7 +38,22 @@ static inline unsigned int seed_mac(void) */ static inline void srand_mac(void) {
- srand(seed_mac());
+#if defined(CONFIG_DM_RNG)
- int ret;
- struct udevice *devp;
- u32 randv = 0;
- ret = uclass_get_device(UCLASS_RNG, 0, &devp);
- if (ret) {
ret = dm_rng_read(dev, randv, sizeof(randv));
Haven't tested this (yet), but shouldn't this be ret = dm_rng_read(devp, &randv, sizeof(randv)); ^ ^ ?
Ups, yes you are right. I'll send a v2.
Regards, Matthias

On Wed, 16 Dec 2020 11:41:15 +0100 matthias.bgg@kernel.org wrote:
From: Matthias Brugger mbrugger@suse.com
For now bootp and uuid code use a weak seed for generating random data. U-Boot as support for RNG devices now, so we should change to code to use them if they are present. This will help mitigate issues like seen in CVE-2019-11690.
First of all: thanks for bringing this up. These patches are a big improvement over the current state.
But: thinking about this further, it could be possible to give U-Boot a lightweight version of a complete entropy keeper, with /dev/random and /dev/urandom functionality. Linux, for example, will happily randomise the kernel address layout, if it's configured and the boot loader provides enough entropy...
But for now this should be good enough.
Torsten

On Wed, Dec 16, 2020 at 1:17 PM Torsten Duwe duwe@lst.de wrote:
On Wed, 16 Dec 2020 11:41:15 +0100 matthias.bgg@kernel.org wrote:
From: Matthias Brugger mbrugger@suse.com
For now bootp and uuid code use a weak seed for generating random data. U-Boot as support for RNG devices now, so we should change to code to use them if they are present. This will help mitigate issues like seen in CVE-2019-11690.
First of all: thanks for bringing this up. These patches are a big improvement over the current state.
But: thinking about this further, it could be possible to give U-Boot a lightweight version of a complete entropy keeper, with /dev/random and /dev/urandom functionality. Linux, for example, will happily randomise the kernel address layout, if it's configured and the boot loader provides enough entropy...
That functionality is already available with U-Boot via the UEFI random seed functionality if you're booting Linux using U-Boot's UEFI support.