Message ID | 20201216104117.10836-1-matthias.bgg@kernel.org |
---|---|
Headers | show |
Series | Use RNG to get random behaviour | expand |
On Wed, 16 Dec 2020 11:41:15 +0100 matthias.bgg@kernel.org wrote: > From: Matthias Brugger <mbrugger@suse.com> > > > For now bootp and uuid code use a weak seed for generating random > data. U-Boot as support for RNG devices now, so we should change to > code to use them if they are present. This will help mitigate issues > like seen in CVE-2019-11690. First of all: thanks for bringing this up. These patches are a big improvement over the current state. But: thinking about this further, it could be possible to give U-Boot a lightweight version of a complete entropy keeper, with /dev/random and /dev/urandom functionality. Linux, for example, will happily randomise the kernel address layout, if it's configured and the boot loader provides enough entropy... But for now this should be good enough. Torsten
On Wed, Dec 16, 2020 at 1:17 PM Torsten Duwe <duwe@lst.de> wrote: > > On Wed, 16 Dec 2020 11:41:15 +0100 > matthias.bgg@kernel.org wrote: > > > From: Matthias Brugger <mbrugger@suse.com> > > > > > > For now bootp and uuid code use a weak seed for generating random > > data. U-Boot as support for RNG devices now, so we should change to > > code to use them if they are present. This will help mitigate issues > > like seen in CVE-2019-11690. > > First of all: thanks for bringing this up. These patches are a big > improvement over the current state. > > But: thinking about this further, it could be possible to give U-Boot a > lightweight version of a complete entropy keeper, with /dev/random and > /dev/urandom functionality. Linux, for example, will happily randomise > the kernel address layout, if it's configured and the boot loader > provides enough entropy... That functionality is already available with U-Boot via the UEFI random seed functionality if you're booting Linux using U-Boot's UEFI support.
From: Matthias Brugger <mbrugger@suse.com> For now bootp and uuid code use a weak seed for generating random data. U-Boot as support for RNG devices now, so we should change to code to use them if they are present. This will help mitigate issues like seen in CVE-2019-11690. Matthias Brugger (2): lib: uuid: use RNG device if present net: Use NDRNG device in srand_mac() lib/uuid.c | 20 +++++++++++++++++--- net/net_rand.h | 18 +++++++++++++++++- 2 files changed, 34 insertions(+), 4 deletions(-)