jitterentropy vs. simulation
Anton Ivanov
anton.ivanov at kot-begemot.co.uk
Fri Dec 1 10:03:43 PST 2023
On 01/12/2023 10:21, Johannes Berg wrote:
> Hi,
>
> In ARCH=um, we have a mode where we simulate clocks completely, and even
> simulate that the CPU is infinitely fast. Thus, reading the clock will
> return completely predictable values regardless of the work happening.
>
> This is clearly incompatible with jitterentropy, but now jitterentropy
> seems to be mandatory on pretty much every system that needs any crypto,
> so we can't just seem to turn it off (any more?)
>
> Now given that the (simulated) clock doesn't have jitter, its derivatives
> are all constant/zero, and so jent_measure_jitter() - called via
> jent_entropy_collector_alloc() - will always detect a stuck measurement,
> and thus jent_gen_entropy() loops infinitely.
>
> I wonder what you'd think about a patch like this?
>
> --- a/crypto/jitterentropy.c
> +++ b/crypto/jitterentropy.c
> @@ -552,10 +552,13 @@ static int jent_measure_jitter(struct rand_data *ec, __u64 *ret_current_delta)
> * Function fills rand_data->hash_state
> *
> * @ec [in] Reference to entropy collector
> + *
> + * Return: 0 if entropy reading failed (was stuck), 1 otherwise
> */
> -static void jent_gen_entropy(struct rand_data *ec)
> +static int jent_gen_entropy(struct rand_data *ec)
> {
> unsigned int k = 0, safety_factor = 0;
> + unsigned int stuck_counter = 0;
>
> if (fips_enabled)
> safety_factor = JENT_ENTROPY_SAFETY_FACTOR;
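Review bot: The new Return: line in the comment above jent_gen_entropy() defines 0 as failure and 1 as success, which is the reverse of jent_measure_jitter() in the loop below, where a non-zero return means "stuck". Two opposite conventions in adjacent functions of the same file invite an inverted check later; consider returning bool, or 0 on success and a negative value on failure, and state the choice in the Return: line.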
> @@ -565,8 +568,13 @@ static void jent_gen_entropy(struct rand_data *ec)
>
> while (!jent_health_failure(ec)) {
> /* If a stuck measurement is received, repeat measurement */
> - if (jent_measure_jitter(ec, NULL))
> + if (jent_measure_jitter(ec, NULL)) {
> + if (stuck_counter++ > 100)
> + return 0;
> continue;
> + }
> +
> + stuck_counter = 0;
>
> /*
> * We multiply the loop value with ->osr to obtain the
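Review bot: `if (stuck_counter++ > 100)` compares before incrementing, so the function gives up on the 102nd consecutive stuck measurement rather than the 100th, and the limit is a bare literal. A named constant used as `++stuck_counter >= LIMIT` would make the bound exact and give a place to document why that many consecutive retries is acceptable on non-simulated systems, given that the existing comment treats a stuck measurement as something to repeat.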
> @@ -575,6 +583,8 @@ static void jent_gen_entropy(struct rand_data *ec)
> if (++k >= ((DATA_SIZE_BITS + safety_factor) * ec->osr))
> break;
> }
> +
> + return 1;
> }
>
> /*
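Review bot: The `return 1` after the loop is also reached when the `while (!jent_health_failure(ec))` condition ends the loop, so 1 does not mean a full block was gathered, only that the stuck limit was not hit. The Return: comment added in the first hunk should say so, so that a later caller does not drop the jent_health_failure() check that jent_read_entropy() still performs after the call.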
> @@ -611,7 +621,8 @@ int jent_read_entropy(struct rand_data *ec, unsigned char *data,
> while (len > 0) {
> unsigned int tocopy, health_test_result;
>
> - jent_gen_entropy(ec);
> + if (!jent_gen_entropy(ec))
> + return -3;
>
> health_test_result = jent_health_failure(ec);
> if (health_test_result > JENT_PERMANENT_FAILURE_SHIFT) {
>
>
> johannes
Looking at the stuck check, it will be bogus in simulations.
You might as well ifdef that instead.
If a simulation is running, insert the entropy regardless and do not compute the derivatives used in the check.
--
Anton R. Ivanov
https://www.kot-begemot.co.uk/
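
The failure mode discussed in this thread, as an added example that is not part of either message and is not code from crypto/jitterentropy.c: a simplified model of a derivative-based stuck test, run against a fully simulated clock and a jittery one, with a bounded retry. All names (`struct collector`, `measure`, `collect`, `sim_clock`, `jitter_clock`) and the step values are assumptions made for illustration.

```c
#include <stdint.h>

/* Simplified model, not kernel code: all names here are hypothetical. */
struct collector { uint64_t prev_time, last_delta, last_delta2; };
typedef uint64_t (*clock_fn)(uint64_t *state);

static uint64_t absdiff(uint64_t a, uint64_t b) { return a > b ? a - b : b - a; }

/* Constructed clock: fully simulated time, every read advances by 1000. */
uint64_t sim_clock(uint64_t *s) { s[0] += 1000; return s[0]; }

/* Constructed clock: xorshift noise in s[1] stands in for real timing jitter. */
uint64_t jitter_clock(uint64_t *s)
{
	s[1] ^= s[1] << 13; s[1] ^= s[1] >> 7; s[1] ^= s[1] << 17;
	s[0] += 1000 + (s[1] & 0xff);
	return s[0];
}

/* Returns 1 if the measurement is stuck: any of the three derivatives is 0. */
static int measure(struct collector *c, uint64_t now)
{
	uint64_t delta = now - c->prev_time;
	uint64_t delta2 = absdiff(c->last_delta, delta);
	uint64_t delta3 = absdiff(c->last_delta2, delta2);
	c->prev_time = now;
	c->last_delta = delta;
	c->last_delta2 = delta2;
	return !delta || !delta2 || !delta3;
}

/* Returns 0 once `needed` samples are accepted, -1 after `limit` consecutive
 * stuck measurements; without that bound the loop never ends on sim_clock. */
int collect(struct collector *c, clock_fn clk, uint64_t *state,
	    unsigned int needed, unsigned int limit, unsigned int *accepted)
{
	unsigned int stuck = 0;
	for (*accepted = 0; *accepted < needed; ) {
		if (measure(c, clk(state))) {
			if (++stuck >= limit)
				return -1;
			continue;
		}
		stuck = 0;
		(*accepted)++;
	}
	return 0;
}
```

On the simulated clock only the very first read is accepted in this model, because the zero-initialised history makes its derivatives non-zero; every later read has a constant delta and is reported stuck.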