[PATCH v2] random: defer crediting bootloader randomness to random_init()

Phil Elwell phil at raspberrypi.com
Tue Jun 7 05:19:41 PDT 2022


Hi Jason,

On 07/06/2022 12:32, Jason A. Donenfeld wrote:
> Stephen reported that a static key warning splat appears during early
> boot on systems that credit randomness from device trees that contain an
> "rng-seed" property, because because setup_machine_fdt() is called
> before jump_label_init() during setup_arch():
> 
>   static_key_enable_cpuslocked(): static key '0xffffffe51c6fcfc0' used before call to jump_label_init()
>   WARNING: CPU: 0 PID: 0 at kernel/jump_label.c:166 static_key_enable_cpuslocked+0xb0/0xb8
>   Modules linked in:
>   CPU: 0 PID: 0 Comm: swapper Not tainted 5.18.0+ #224 44b43e377bfc84bc99bb5ab885ff694984ee09ff
>   pstate: 600001c9 (nZCv dAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>   pc : static_key_enable_cpuslocked+0xb0/0xb8
>   lr : static_key_enable_cpuslocked+0xb0/0xb8
>   sp : ffffffe51c393cf0
>   x29: ffffffe51c393cf0 x28: 000000008185054c x27: 00000000f1042f10
>   x26: 0000000000000000 x25: 00000000f10302b2 x24: 0000002513200000
>   x23: 0000002513200000 x22: ffffffe51c1c9000 x21: fffffffdfdc00000
>   x20: ffffffe51c2f0831 x19: ffffffe51c6fcfc0 x18: 00000000ffff1020
>   x17: 00000000e1e2ac90 x16: 00000000000000e0 x15: ffffffe51b710708
>   x14: 0000000000000066 x13: 0000000000000018 x12: 0000000000000000
>   x11: 0000000000000000 x10: 00000000ffffffff x9 : 0000000000000000
>   x8 : 0000000000000000 x7 : 61632065726f6665 x6 : 6220646573752027
>   x5 : ffffffe51c641d25 x4 : ffffffe51c13142c x3 : ffff0a00ffffff05
>   x2 : 40000000ffffe003 x1 : 00000000000001c0 x0 : 0000000000000065
>   Call trace:
>    static_key_enable_cpuslocked+0xb0/0xb8
>    static_key_enable+0x2c/0x40
>    crng_set_ready+0x24/0x30
>    execute_in_process_context+0x80/0x90
>    _credit_init_bits+0x100/0x154
>    add_bootloader_randomness+0x64/0x78
>    early_init_dt_scan_chosen+0x140/0x184
>    early_init_dt_scan_nodes+0x28/0x4c
>    early_init_dt_scan+0x40/0x44
>    setup_machine_fdt+0x7c/0x120
>    setup_arch+0x74/0x1d8
>    start_kernel+0x84/0x44c
>    __primary_switched+0xc0/0xc8
>   ---[ end trace 0000000000000000 ]---
>   random: crng init done
>   Machine model: Google Lazor (rev1 - 2) with LTE
> 
> A trivial fix went in to address this on arm64, 73e2d827a501 ("arm64:
> Initialize jump labels before setup_machine_fdt()"). But it appears that
> fixing it on other platforms might not be so trivial. And in the past
> there have been problems related to add_bootloader_randomness() being
> called too early in boot for what it needed.
> 
> This patch defers all entropy crediting until random_init(), where we
> can be sure that all facilities we need are up and running. It still
> mixes the actual seed immediately, so that it's maximally useful, but
> the crediting doesn't happen until later.
> 
> This also has the positive effect of allowing rng_has_arch_random() to
> reflect bootloader randomness.
> 
> Fixes: f5bda35fba61 ("random: use static branch for crng_ready()")
> Reported-by: Stephen Boyd <swboyd at chromium.org>
> Cc: Ard Biesheuvel <ardb at kernel.org>
> Cc: Catalin Marinas <catalin.marinas at arm.com>
> Cc: Russell King <linux at armlinux.org.uk>
> Cc: Arnd Bergmann <arnd at arndb.de>
> Cc: Phil Elwell <phil at raspberrypi.com>
> Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
> ---
>   drivers/char/random.c  | 11 ++++++-----
>   include/linux/random.h |  2 +-
>   2 files changed, 7 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/char/random.c b/drivers/char/random.c
> index 4862d4d3ec49..34399e4bad19 100644
> --- a/drivers/char/random.c
> +++ b/drivers/char/random.c
> @@ -725,8 +725,9 @@ static void __cold _credit_init_bits(size_t bits)
>    **********************************************************************/
>   
>   static bool used_arch_random;
> -static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
> -static bool trust_bootloader __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER);
> +static bool trust_cpu __initdata = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
> +static bool trust_bootloader __initdata = IS_ENABLED(CONFIG_RANDOM_TRUST_BOOTLOADER);
> +static size_t bootloader_seed_bytes __initdata;
>   static int __init parse_trust_cpu(char *arg)
>   {
>   	return kstrtobool(arg, &trust_cpu);
> @@ -793,6 +794,7 @@ int __init random_init(const char *command_line)
>   		}
>   		_mix_pool_bytes(&entropy, sizeof(entropy));
>   	}
> +	arch_bytes += bootloader_seed_bytes;
>   	_mix_pool_bytes(&now, sizeof(now));
>   	_mix_pool_bytes(utsname(), sizeof(*(utsname())));
>   	_mix_pool_bytes(command_line, strlen(command_line));
> @@ -865,13 +867,12 @@ EXPORT_SYMBOL_GPL(add_hwgenerator_randomness);
>    * Handle random seed passed by bootloader, and credit it if
>    * CONFIG_RANDOM_TRUST_BOOTLOADER is set.
>    */
> -void __cold add_bootloader_randomness(const void *buf, size_t len)
> +void __init add_bootloader_randomness(const void *buf, size_t len)
>   {
>   	mix_pool_bytes(buf, len);
>   	if (trust_bootloader)
> -		credit_init_bits(len * 8);
> +		bootloader_seed_bytes = len;
>   }
> -EXPORT_SYMBOL_GPL(add_bootloader_randomness);
>   
>   #if IS_ENABLED(CONFIG_VMGENID)
>   static BLOCKING_NOTIFIER_HEAD(vmfork_chain);
> diff --git a/include/linux/random.h b/include/linux/random.h
> index fae0c84027fd..223b4bd584e7 100644
> --- a/include/linux/random.h
> +++ b/include/linux/random.h
> @@ -13,7 +13,7 @@
>   struct notifier_block;
>   
>   void add_device_randomness(const void *buf, size_t len);
> -void add_bootloader_randomness(const void *buf, size_t len);
> +void __init add_bootloader_randomness(const void *buf, size_t len);
>   void add_input_randomness(unsigned int type, unsigned int code,
>   			  unsigned int value) __latent_entropy;
>   void add_interrupt_randomness(int irq) __latent_entropy;

After a trivial merge conflict (into 5.15) was resolved, this patch allows the 
downstream kernel with CONFIG_RANDOM_TRUST_BOOTLOADER=y to boot cleanly. 
However, it does delay the initialisation of crng significantly compared to my
hack.

With v2:
[    1.981493] bcm2835-rng 3f104000.rng: hwrng registered
[   12.549190] random: crng init done

With the hack:
[    0.000000] random: crng init done
[    1.970662] bcm2835-rng 3f104000.rng: hwrng registered

I'll leave it to others to decide whether or not this is acceptable.

Phil



More information about the linux-arm-kernel mailing list