On Mon, Mar 27, 2023 at 09:03:52AM +0200, Stephan Müller wrote: > According to SP800-90B, two health failures are allowed: the intermittend > and the permanent failure. So far, only the intermittent failure was > implemented. The permanent failure was achieved by resetting the entire > entropy source including its health test state and waiting for two or > more back-to-back health errors. > > This approach is appropriate for RCT, but not for APT as APT has a > non-linear cutoff value. Thus, this patch implements 2 cutoff values > for both RCT/APT. This implies that the health state is left untouched > when an intermittent failure occurs. The noise source is reset > and a new APT powerup-self test is performed. Yet, whith the unchanged > health test state, the counting of failures continues until a permanent > failure is reached. > > Any non-failing raw entropy value causes the health tests to reset. > > The intermittent error has an unchanged significance level of 2^-30. > The permanent error has a significance level of 2^-60. Considering that > this level also indicates a false-positive rate (see SP800-90B section 4.2) > a false-positive must only be incurred with a low probability when > considering a fleet of Linux kernels as a whole. Hitting the permanent > error may cause a panic(), the following calculation applies: Assuming > that a fleet of 10^9 Linux kernels run concurrently with this patch in > FIPS mode and on each kernel 2 health tests are performed every minute > for one year, the chances of a false positive is about 1:1000 > based on the binomial distribution. > > In addition, any power-up health test errors triggered with > jent_entropy_init are treated as permanent errors. > > A permanent failure causes the entire entropy source to permanently > return an error. This implies that a caller can only remedy the situation > by re-allocating a new instance of the Jitter RNG. In a subsequent > patch, a transparent re-allocation will be provided which also changes > the implied heuristic entropy assessment. > > In addition, when the kernel is booted with fips=1, the Jitter RNG > is defined to be part of a FIPS module. The permanent error of the > Jitter RNG is translated as a FIPS module error. In this case, the entire > FIPS module must cease operation. This is implemented in the kernel by > invoking panic(). > > The patch also fixes an off-by-one in the RCT cutoff value which is now > set to 30 instead of 31. This is because the counting of the values > starts with 0. > > Reviewed-by: Vladis Dronov <vdronov@xxxxxxxxxx> > Signed-off-by: Stephan Mueller <smueller@xxxxxxxxxx> > --- > > v4: > - fix comment regarding fips=1 > - update patch subject to match common naming schema > - remove now unused jent_panic function > - added Reviewed-by line > > v3: > - remove an unused goto target > > v2: > - Drop the enforcement of permanent disabling the entropy source > > crypto/jitterentropy-kcapi.c | 51 ++++++------- > crypto/jitterentropy.c | 144 +++++++++++++---------------------- > crypto/jitterentropy.h | 1 - > 3 files changed, 76 insertions(+), 120 deletions(-) Patch applied. Thanks. -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
