Hi all,

this patchset aims at (hopefully) improving the DRBG code related to
reseeding from get_random_bytes() a bit:

- Replace the asynchronous random_ready_callback based DRBG reseeding
  logic with a synchronous solution leveraging rng_is_initialized().
  This move simplifies the code IMO and, as a side-effect, would enable
  DRBG users to rely on wait_for_random_bytes() to sync properly with
  drbg_generate(), if desired. Implemented by patches 1-5/6.

- Make the 'nopr' DRBGs reseed themselves every 5min from
  get_random_bytes(). This achieves at least kind of a partial prediction
  resistance over the time domain at almost no extra cost. Implemented
  by patch 6/6, the preceding patches in this series are a prerequisite
  for this.

Tested with and without fips_enabled in an x86_64 VM, both with
random.trust_cpu=on and off. As confirmed with a couple of debugging
printks() (added for testing only, not included in this series), DRBGs
have been instantiated with and without rng_is_initialized() evaluating
to true each during my tests and the patched DRBG reseeding code worked as
intended in either case.

Applies to current herbert/cryptodev-2.6.git master.

Many thanks for your comments and remarks!

Nicolai

Nicolai Stange (6):
  crypto: DRBG - prepare for more fine-grained tracking of seeding state
  crypto: DRBG - track whether DRBG was seeded with !rng_is_initialized()
  crypto: DRBG - move dynamic ->reseed_threshold adjustments to __drbg_seed()
  crypto: DRBG - make reseeding from get_random_bytes() synchronous
  crypto: DRBG - make drbg_prepare_hrng() handle jent instantiation errors
  crypto: DRBG - reseed 'nopr' drbgs periodically from get_random_bytes()

 crypto/drbg.c         | 145 +++++++++++++++++++++---------------------
 include/crypto/drbg.h |  11 +++-
 2 files changed, 82 insertions(+), 74 deletions(-)

-- 
2.26.2
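
The reseed decision the cover letter above describes, as an added user-space model that is not part of the original posting and not the kernel's code: a 'nopr' DRBG seeded before the RNG was ready is reseeded synchronously at the next generate call once the RNG is ready, and again once 5 minutes have passed since the last seed. All type, field and function names are hypothetical, `rng_ready` stands in for rng_is_initialized(), and tying the periodic reseed to a ready RNG is an assumption of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not kernel code. */
enum seed_state { SEED_UNSEEDED, SEED_PARTIAL, SEED_FULL };

#define RESEED_INTERVAL_SECS (5 * 60) /* "every 5min" from the cover letter */

struct drbg_model {
    enum seed_state seeded;  /* PARTIAL: seeded while the RNG was not ready */
    uint64_t last_seed_secs; /* time of the last (re)seed */
    unsigned reseeds;        /* number of (re)seed operations so far */
};

/* (Re)seed; rng_ready stands in for rng_is_initialized(). */
static void model_seed(struct drbg_model *d, bool rng_ready, uint64_t now)
{
    d->seeded = rng_ready ? SEED_FULL : SEED_PARTIAL;
    d->last_seed_secs = now;
    d->reseeds++;
}

/* Synchronous check at generate time for a 'nopr' DRBG.
 * Returns true when this call reseeded before producing output. */
static bool model_generate(struct drbg_model *d, bool rng_ready, uint64_t now)
{
    bool need = false;
    if (d->seeded == SEED_UNSEEDED)
        need = true;                 /* never seeded: must seed now */
    else if (rng_ready && d->seeded == SEED_PARTIAL)
        need = true;                 /* RNG became ready: upgrade the seed */
    else if (rng_ready && now - d->last_seed_secs >= RESEED_INTERVAL_SECS)
        need = true;                 /* periodic reseed (model assumption) */
    if (need)
        model_seed(d, rng_ready, now);
    return need;
}

int main(void)
{
    struct drbg_model d = { SEED_UNSEEDED, 0, 0 };
    model_seed(&d, false, 0);        /* instantiated before the RNG is ready */
    printf("t=10  reseed=%d\n", model_generate(&d, false, 10));
    printf("t=20  reseed=%d\n", model_generate(&d, true, 20));
    printf("t=100 reseed=%d\n", model_generate(&d, true, 100));
    printf("t=320 reseed=%d\n", model_generate(&d, true, 320));
    return 0;
}
```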