Hi all,
this patchset aims at (hopefully) improving the DRBG code related to
reseeding from get_random_bytes() a bit:
- Replace the asynchronous random_ready_callback based DRBG reseeding
logic with a synchronous solution leveraging rng_is_initialized(). This
move simplifies the code IMO and, as a side-effect, would enable DRBG
users to rely on wait_for_random_bytes() to sync properly with
drbg_generate(), if desired. Implemented by patches 1-5/6.
- Make the 'nopr' DRBGs to reseed themselves every 5min from
get_random_bytes(). This achieves at least kind of a partial prediction
resistance over the time domain at almost no extra cost. Implemented
by patch 6/6, the preceding patches in this series are a prerequisite
for this.
Tested with and without fips_enabled in a x86_64 VM, both with
random.trust_cpu=on and off. As confirmed with a couple of debugging
printks() (added for testing only, not included in this series), DRBGs
have been instantiated with and without rng_is_initialized() evaluating
to true each during my tests and the patched DRBG reseeding code worked as
intended in either case.
Applies to current herbert/cryptodev-2.6.git master.
Many thanks for your comments and remarks!
Nicolai
Nicolai Stange (6):
crypto: DRBG - prepare for more fine-grained tracking of seeding state
crypto: DRBG - track whether DRBG was seeded with
!rng_is_initialized()
crypto: DRBG - move dynamic ->reseed_threshold adjustments to
__drbg_seed()
crypto: DRBG - make reseeding from get_random_bytes() synchronous
crypto: DRBG - make drbg_prepare_hrng() handle jent instantiation
errors
crypto: DRBG - reseed 'nopr' drbgs periodically from
get_random_bytes()
crypto/drbg.c | 145 +++++++++++++++++++++---------------------
include/crypto/drbg.h | 11 +++-
2 files changed, 82 insertions(+), 74 deletions(-)
--
2.26.2
