From patchwork Fri May 7 08:15:42 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Righi X-Patchwork-Id: 1475385 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fc3Dr1TRdz9t0G; Fri, 7 May 2021 18:16:12 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1leveZ-0000pb-Rk; Fri, 07 May 2021 08:16:07 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1leveY-0000pC-8b for kernel-team@lists.ubuntu.com; Fri, 07 May 2021 08:16:06 +0000 Received: from mail-ej1-f70.google.com ([209.85.218.70]) by youngberry.canonical.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from ) id 1leveY-00048I-1o for kernel-team@lists.ubuntu.com; Fri, 07 May 2021 08:16:06 +0000 Received: by mail-ej1-f70.google.com with SMTP id w23-20020a1709061857b029039ea04b02fdso2691725eje.22 for ; Fri, 07 May 2021 01:16:06 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=VjKSlXHuI0lEWX4pNnVIgq4omuPYeXlNFFfUL4VbxHQ=; b=NiR3l44A8SaodNnKr++UNPBJGCIkq3oYcwa8xg0fVk/KSWLB1Sn1xMGQm2O94KcFNx 1rhqxe8mEWFGXgo0V0j5OQ6mYCv2DM/5KmxPYoGknf/Boww27//BrXaG7e4f3OF0Gh0v iQ8NzWdIne8wVf9h7+xWvTjxaSL8U9o1H+ikQ3zROn/85jiNhHgaoApI5Hm5odqPh+SC Ng3uY088olYiMWv6WaofI4dbJxQEyrTF99G/upsUGcmZkv9OLun7tKhonLBX5khIaliL 3gBbA0u0zReximdkZwLu38EasfVLjNyQoDGK3wOJkKswRwwpFxdzQ5uvUMtLyaHq9auU rbZw== X-Gm-Message-State: AOAM531a10i8s0/sMn9OTkA/fVKPrTT1lWHBugd6p4oREYju3iMbkHMG AsvP3vbkeeQMZAIj3lXrUkGZNmMR8n9vtJp3Gl1YNP7fg+Yg2dlu/DSIFNkKl/K8Yss1GGgefHt XMlQB+DOIorlj51uZIRYNJkR9lNZH5D47jvWHaAeeeg== X-Received: by 2002:aa7:d7cf:: with SMTP id e15mr9641895eds.109.1620375365621; Fri, 07 May 2021 01:16:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw7jh1HPJdSCeuidOpNKKSM3gw0swX96zypnJj5+daFZ2KFhz+Y/yzBW12w6bq8cy//LHi2gQ== X-Received: by 2002:aa7:d7cf:: with SMTP id e15mr9641881eds.109.1620375365430; Fri, 07 May 2021 01:16:05 -0700 (PDT) Received: from xps-13-7390.homenet.telecomitalia.it (host-79-19-135-103.retail.telecomitalia.it. [79.19.135.103]) by smtp.gmail.com with ESMTPSA id q25sm2977290ejd.9.2021.05.07.01.16.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 07 May 2021 01:16:05 -0700 (PDT) From: Andrea Righi To: kernel-team@lists.ubuntu.com Subject: [SRU][F/aws][PATCH 0/5] AWS: fix out of entropy on Graviton 2 instances types (mg6.*) Date: Fri, 7 May 2021 10:15:42 +0200 Message-Id: <20210507081547.6945-1-andrea.righi@canonical.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/1927692 [Impact] AWS Graviton 2 instances do not have enough entropy available at boot, so any task that require entropy (even reading few bytes from /dev/random) will be stuck forever. [Fix] The proper fix for this problem is to correctly refill the entropy pool with some real random data using some hardware-generated randomness. In the meantime a reasonable workaround can be to apply the following upstream commits: 30c08efec888 random: make /dev/random be almost like /dev/urandom 48446f198f9a random: ignore GRND_RANDOM in getentropy(2) 75551dbf112c random: add GRND_INSECURE to return best-effort non-cryptographic bytes c6f1deb15878 random: Add a urandom_read_nowait() for random APIs that don't warn 4c8d062186d9 random: Don't wake crng_init_wait when crng_init == 1 In this way the system will not run out of entropy and will be able to provide best-effort randomness in any case, preventing the out of entropy issue on the AWS Gravion 2 instances. [Test plan] Execute the following command on any m6g instance: dd bs=32 count=1 if=/dev/random of=/dev/null This should return quickly, if not it means that the system does not have enough entropy available. When the problem happens this command hangs forever. [Where problems could occur] This changes affect the read semantics of /dev/random to be the same as /dev/urandom except that reads will block until the CRNG is ready. This should not materially break any API. Any code that worked without these changes should work at least as well as before. However, applications that have strict randomness requirements might be affected by the provided best-effort randomness, so we may need to apply more commits/changes to introduce a proper hardware entropy support on Graviton 2 instances to provide a better quality of randomness. In the meantime these upstream changes consist a reasonable workaround to prevent applications from hanging forever on the mg6.* instances. ---------------------------------------------------------------- Andy Lutomirski (5): random: add GRND_INSECURE to return best-effort non-cryptographic bytes random: Don't wake crng_init_wait when crng_init == 1 random: Add a urandom_read_nowait() for random APIs that don't warn random: ignore GRND_RANDOM in getentropy(2) random: make /dev/random be almost like /dev/urandom drivers/char/random.c | 81 +++++++++++++++++++++++++++++++++------------------------------------------------ include/uapi/linux/random.h | 4 +++- 2 files changed, 36 insertions(+), 49 deletions(-) Acked-by: Guilherme G. Piccoli Acked-by: Tim Gardner