NIST SP800-90C prohibits the use of multiple correlated entropy sources. Obviously, add_disk_randomness(), add_input_randomness() and add_interrupt_randomness() are not independent.

Follow the approach taken by Stephan Müller's LRNG patchset ([1]) and don't award any entropy to the former two if fips_enabled is true. Note that the entropy loss has already been compensated for by a previous patch increasing the IRQ event estimate.

The actual entropy accounting from add_disk_randomness() and add_input_randomness() is implemented in the common add_timer_randomness() called therefrom. Make the latter not dispatch any entropy to the global entropy balance if fips_enabled is on.

[1] https://lkml.kernel.org/r/5695397.lOV4Wx5bFT@xxxxxxxxxxxxxxxxxxx

Suggested-by: Stephan Müller <smueller@xxxxxxxxxx>
Signed-off-by: Nicolai Stange <nstange@xxxxxxx>
--- drivers/char/random.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 8f79e90f2429..680ccc82a436 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c
@@ -1481,12 +1481,24 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num) r = &input_pool; spin_lock_irqsave(&r->lock, flags); - /* - * delta is now minimum absolute delta. - * Round down by 1 bit on general principles, - * and limit entropy estimate to 12 bits. - */ - __queue_entropy(r, &q, min_t(int, fls(delta>>1), 11) << ENTROPY_SHIFT); + if (!fips_enabled) { + unsigned int nfrac; + + /* + * delta is now minimum absolute delta. + * Round down by 1 bit on general principles, + * and limit entropy estimate to 12 bits. + */ + nfrac = min_t(int, fls(delta>>1), 11) << ENTROPY_SHIFT; + __queue_entropy(r, &q, nfrac); + } else { + /* + * Multiple correlated entropy sources are prohibited + * by NIST SP800-90C. Leave it up to + * add_interrupt_randomness() to contribute any + * entropy. + */ + } __mix_pool_bytes(r, &sample, sizeof(sample)); reseed = __dispatch_queued_entropy_fast(r, &q); spin_unlock_irqrestore(&r->lock, flags); -- 2.26.2
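
Review bot: In the fips_enabled branch of add_timer_randomness(), q reaches __dispatch_queued_entropy_fast(r, &q) without a preceding __queue_entropy() call, so the dispatch depends on q having been initialised to an empty state earlier in the function, which this hunk does not show. Please confirm that, or note in the commit message that dispatching an empty queue is a no-op and what the resulting reseed value means in that case. Two smaller points: the comment-only else block would read more plainly if the SP800-90C comment sat above "if (!fips_enabled)" and the else were dropped, and the re-added comment still says "limit entropy estimate to 12 bits" while the code clamps with min_t(int, fls(delta>>1), 11), so the comment could be corrected while these lines are being moved.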