On Wed, Feb 21, 2024 at 1:33 PM Jason A. Donenfeld <Jason@xxxxxxxxx> wrote: > > There are few uses of CoCo that don't rely on working cryptography and > hence a working RNG. Unfortunately, the CoCo threat model means that the > VM host cannot be trusted and may actively work against guests to > extract secrets or manipulate computation. Since a malicious host can > modify or observe nearly all inputs to guests, the only remaining source > of entropy for CoCo guests is RDRAND. > > If RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole > is meant to gracefully continue on gathering entropy from other sources, > but since there aren't other sources on CoCo, this is catastrophic. > This is mostly a concern at boot time when initially seeding the RNG, as > after that the consequences of a broken RDRAND are much more > theoretical. > > So, try at boot to seed the RNG using 256 bits of RDRAND output. If this > fails, panic(). This will also trigger if the system is booted without > RDRAND, as RDRAND is essential for a safe CoCo boot. > > This patch is deliberately written to be "just a CoCo x86 driver > feature" and not part of the RNG itself. Many device drivers and > platforms have some desire to contribute something to the RNG, and > add_device_randomness() is specifically meant for this purpose. Any > driver can call this with seed data of any quality, or even garbage > quality, and it can only possibly make the quality of the RNG better or > have no effect, but can never make it worse. Rather than trying to > build something into the core of the RNG, this patch interprets the > particular CoCo issue as just a CoCo issue, and therefore separates this > all out into driver (well, arch/platform) code. > > Cc: Borislav Petkov <bp@xxxxxxxxx> > Cc: Daniel P. Berrangé <berrange@xxxxxxxxxx> > Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx> > Cc: Elena Reshetova <elena.reshetova@xxxxxxxxx> > Cc: H. Peter Anvin <hpa@xxxxxxxxx> > Cc: Ingo Molnar <mingo@xxxxxxxxxx> > Cc: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx> > Cc: Theodore Ts'o <tytso@xxxxxxx> > Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx> > Signed-off-by: Jason A. Donenfeld <Jason@xxxxxxxxx> Also, Cc: stable@xxxxxxxxxxxxxxx At least, I think that's probably what we want, though I don't know what version range is relevant for CoCo.