From eec11fbbb6eb70cfcae27ac6c055d2c1bd5d20d9 Mon Sep 17 00:00:00 2001 From: Shiji Yang Date: Wed, 2 Apr 2025 23:36:28 +0800 Subject: [PATCH] generic: crypto: fix jitterentropy initialization failed issue Sync jitterentropy source code with linux-6.12 to solve the issue of jitterentropy initialization failed: [ 9.523489] jitterentropy: Initialization failed with host not compliant with requirements: 9 [ 9.661916] kmodloader: 1 module could not be probed [ 9.662377] kmodloader: - jitterentropy_rng - 0 In linux upstream commit cf27d9475f37 ("crypto: jitter - use permanent health test storage"), when FIPS crypto is disabled, the health test results are always explicitly skipped. That means it will never return error code 9 (health test failed) again. Fixes: https://github.com/openwrt/openwrt/issues/16684 Signed-off-by: Shiji Yang Link: https://github.com/openwrt/openwrt/pull/18399 Signed-off-by: Robert Marko --- ...dd-RCTAPT-support-for-different-OSRs.patch | 445 ++++++++++++++++++ ...r-Allow-configuration-of-memory-size.patch | 159 +++++++ ...w-configuration-of-oversampling-rate.patch | 75 +++ ...er-reuse-allocated-entropy-collector.patch | 117 +++++ ...er-use-permanent-health-test-storage.patch | 242 ++++++++++ ...-Hide-esoteric-Kconfig-options-under.patch | 80 ++++ ...e-kvfree_sensitive-to-fix-Coccinelle.patch | 30 ++ ...2-crypto-jitter-set-default-OSR-to-3.patch | 36 ++ 8 files changed, 1184 insertions(+) create mode 100644 target/linux/generic/backport-6.6/906-01-v6.7-crypto-jitter-add-RCTAPT-support-for-different-OSRs.patch create mode 100644 target/linux/generic/backport-6.6/906-02-v6.7-crypto-jitter-Allow-configuration-of-memory-size.patch create mode 100644 target/linux/generic/backport-6.6/906-03-v6.7-crypto-jitter-Allow-configuration-of-oversampling-rate.patch create mode 100644 target/linux/generic/backport-6.6/906-04-v6.7-crypto-jitter-reuse-allocated-entropy-collector.patch create mode 100644 target/linux/generic/backport-6.6/906-05-v6.7-crypto-jitter-use-permanent-health-test-storage.patch create mode 100644 target/linux/generic/backport-6.6/906-06-v6.7-crypto-jitterentropy-Hide-esoteric-Kconfig-options-under.patch create mode 100644 target/linux/generic/backport-6.6/906-07-v6.10-crypto-jitter-Use-kvfree_sensitive-to-fix-Coccinelle.patch create mode 100644 target/linux/generic/backport-6.6/906-08-v6.12-crypto-jitter-set-default-OSR-to-3.patch diff --git a/target/linux/generic/backport-6.6/906-01-v6.7-crypto-jitter-add-RCTAPT-support-for-different-OSRs.patch b/target/linux/generic/backport-6.6/906-01-v6.7-crypto-jitter-add-RCTAPT-support-for-different-OSRs.patch new file mode 100644 index 00000000000..d0ae1258f86 --- /dev/null +++ b/target/linux/generic/backport-6.6/906-01-v6.7-crypto-jitter-add-RCTAPT-support-for-different-OSRs.patch @@ -0,0 +1,445 @@ +From 04597c8dd6c4b55e946fec50dc3b14a5d9d54501 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stephan=20M=C3=BCller?= +Date: Thu, 21 Sep 2023 13:48:11 +0200 +Subject: [PATCH] crypto: jitter - add RCT/APT support for different OSRs + +The oversampling rate (OSR) value specifies the heuristically implied +entropy in the recorded data - H_submitter = 1/osr. A different entropy +estimate implies a different APT/RCT cutoff value. This change adds +support for OSRs 1 through 15. This OSR can be selected by the caller +of the Jitter RNG. + +For this patch, the caller still uses one hard-coded OSR. A subsequent +patch allows this value to be configured. + +In addition, the power-up self test is adjusted as follows: + +* It allows the caller to provide an oversampling rate that should be +tested with - commonly it should be the same as used for the actual +runtime operation. This makes the power-up testing therefore consistent +with the runtime operation. + +* It calls now jent_measure_jitter (i.e. collects the full entropy +that can possibly be harvested by the Jitter RNG) instead of only +jent_condition_data (which only returns the entropy harvested from +the conditioning component). This should now alleviate reports where +the Jitter RNG initialization thinks there is too little entropy. + +* The power-up test now solely relies on the (enhanced) APT and RCT +test that is used as a health test at runtime. + +The code allowing the different OSRs as well as the power-up test +changes are present in the user space version of the Jitter RNG 3.4.1 +and thus was already in production use for some time. + +Reported-by "Ospan, Abylay" +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +--- + crypto/jitterentropy-kcapi.c | 4 +- + crypto/jitterentropy.c | 233 ++++++++++++++++++----------------- + crypto/jitterentropy.h | 3 +- + 3 files changed, 123 insertions(+), 117 deletions(-) + +--- a/crypto/jitterentropy-kcapi.c ++++ b/crypto/jitterentropy-kcapi.c +@@ -245,7 +245,7 @@ static int jent_kcapi_init(struct crypto + crypto_shash_init(sdesc); + rng->sdesc = sdesc; + +- rng->entropy_collector = jent_entropy_collector_alloc(1, 0, sdesc); ++ rng->entropy_collector = jent_entropy_collector_alloc(0, 0, sdesc); + if (!rng->entropy_collector) { + ret = -ENOMEM; + goto err; +@@ -334,7 +334,7 @@ static int __init jent_mod_init(void) + + desc->tfm = tfm; + crypto_shash_init(desc); +- ret = jent_entropy_init(desc); ++ ret = jent_entropy_init(0, 0, desc); + shash_desc_zero(desc); + crypto_free_shash(tfm); + if (ret) { +--- a/crypto/jitterentropy.c ++++ b/crypto/jitterentropy.c +@@ -72,6 +72,8 @@ struct rand_data { + __u64 prev_time; /* SENSITIVE Previous time stamp */ + __u64 last_delta; /* SENSITIVE stuck test */ + __s64 last_delta2; /* SENSITIVE stuck test */ ++ ++ unsigned int flags; /* Flags used to initialize */ + unsigned int osr; /* Oversample rate */ + #define JENT_MEMORY_BLOCKS 64 + #define JENT_MEMORY_BLOCKSIZE 32 +@@ -88,16 +90,9 @@ struct rand_data { + /* Repetition Count Test */ + unsigned int rct_count; /* Number of stuck values */ + +- /* Intermittent health test failure threshold of 2^-30 */ +- /* From an SP800-90B perspective, this RCT cutoff value is equal to 31. */ +- /* However, our RCT implementation starts at 1, so we subtract 1 here. */ +-#define JENT_RCT_CUTOFF (31 - 1) /* Taken from SP800-90B sec 4.4.1 */ +-#define JENT_APT_CUTOFF 325 /* Taken from SP800-90B sec 4.4.2 */ +- /* Permanent health test failure threshold of 2^-60 */ +- /* From an SP800-90B perspective, this RCT cutoff value is equal to 61. */ +- /* However, our RCT implementation starts at 1, so we subtract 1 here. */ +-#define JENT_RCT_CUTOFF_PERMANENT (61 - 1) +-#define JENT_APT_CUTOFF_PERMANENT 355 ++ /* Adaptive Proportion Test cutoff values */ ++ unsigned int apt_cutoff; /* Intermittent health test failure */ ++ unsigned int apt_cutoff_permanent; /* Permanent health test failure */ + #define JENT_APT_WINDOW_SIZE 512 /* Data window size */ + /* LSB of time stamp to process */ + #define JENT_APT_LSB 16 +@@ -122,6 +117,9 @@ struct rand_data { + * zero). */ + #define JENT_ESTUCK 8 /* Too many stuck results during init. */ + #define JENT_EHEALTH 9 /* Health test failed during initialization */ ++#define JENT_ERCT 10 /* RCT failed during initialization */ ++#define JENT_EHASH 11 /* Hash self test failed */ ++#define JENT_EMEM 12 /* Can't allocate memory for initialization */ + + /* + * The output n bits can receive more than n bits of min entropy, of course, +@@ -148,6 +146,48 @@ struct rand_data { + ***************************************************************************/ + + /* ++ * See the SP 800-90B comment #10b for the corrected cutoff for the SP 800-90B ++ * APT. ++ * http://www.untruth.org/~josh/sp80090b/UL%20SP800-90B-final%20comments%20v1.9%2020191212.pdf ++ * In in the syntax of R, this is C = 2 + qbinom(1 − 2^(−30), 511, 2^(-1/osr)). ++ * (The original formula wasn't correct because the first symbol must ++ * necessarily have been observed, so there is no chance of observing 0 of these ++ * symbols.) ++ * ++ * For the alpha < 2^-53, R cannot be used as it uses a float data type without ++ * arbitrary precision. A SageMath script is used to calculate those cutoff ++ * values. ++ * ++ * For any value above 14, this yields the maximal allowable value of 512 ++ * (by FIPS 140-2 IG 7.19 Resolution # 16, we cannot choose a cutoff value that ++ * renders the test unable to fail). ++ */ ++static const unsigned int jent_apt_cutoff_lookup[15] = { ++ 325, 422, 459, 477, 488, 494, 499, 502, ++ 505, 507, 508, 509, 510, 511, 512 }; ++static const unsigned int jent_apt_cutoff_permanent_lookup[15] = { ++ 355, 447, 479, 494, 502, 507, 510, 512, ++ 512, 512, 512, 512, 512, 512, 512 }; ++#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) ++ ++static void jent_apt_init(struct rand_data *ec, unsigned int osr) ++{ ++ /* ++ * Establish the apt_cutoff based on the presumed entropy rate of ++ * 1/osr. ++ */ ++ if (osr >= ARRAY_SIZE(jent_apt_cutoff_lookup)) { ++ ec->apt_cutoff = jent_apt_cutoff_lookup[ ++ ARRAY_SIZE(jent_apt_cutoff_lookup) - 1]; ++ ec->apt_cutoff_permanent = jent_apt_cutoff_permanent_lookup[ ++ ARRAY_SIZE(jent_apt_cutoff_permanent_lookup) - 1]; ++ } else { ++ ec->apt_cutoff = jent_apt_cutoff_lookup[osr - 1]; ++ ec->apt_cutoff_permanent = ++ jent_apt_cutoff_permanent_lookup[osr - 1]; ++ } ++} ++/* + * Reset the APT counter + * + * @ec [in] Reference to entropy collector +@@ -187,12 +227,12 @@ static void jent_apt_insert(struct rand_ + /* APT health test failure detection */ + static int jent_apt_permanent_failure(struct rand_data *ec) + { +- return (ec->apt_count >= JENT_APT_CUTOFF_PERMANENT) ? 1 : 0; ++ return (ec->apt_count >= ec->apt_cutoff_permanent) ? 1 : 0; + } + + static int jent_apt_failure(struct rand_data *ec) + { +- return (ec->apt_count >= JENT_APT_CUTOFF) ? 1 : 0; ++ return (ec->apt_count >= ec->apt_cutoff) ? 1 : 0; + } + + /*************************************************************************** +@@ -275,15 +315,28 @@ static int jent_stuck(struct rand_data * + return 0; + } + +-/* RCT health test failure detection */ ++/* ++ * The cutoff value is based on the following consideration: ++ * alpha = 2^-30 or 2^-60 as recommended in SP800-90B. ++ * In addition, we require an entropy value H of 1/osr as this is the minimum ++ * entropy required to provide full entropy. ++ * Note, we collect (DATA_SIZE_BITS + ENTROPY_SAFETY_FACTOR)*osr deltas for ++ * inserting them into the entropy pool which should then have (close to) ++ * DATA_SIZE_BITS bits of entropy in the conditioned output. ++ * ++ * Note, ec->rct_count (which equals to value B in the pseudo code of SP800-90B ++ * section 4.4.1) starts with zero. Hence we need to subtract one from the ++ * cutoff value as calculated following SP800-90B. Thus ++ * C = ceil(-log_2(alpha)/H) = 30*osr or 60*osr. ++ */ + static int jent_rct_permanent_failure(struct rand_data *ec) + { +- return (ec->rct_count >= JENT_RCT_CUTOFF_PERMANENT) ? 1 : 0; ++ return (ec->rct_count >= (60 * ec->osr)) ? 1 : 0; + } + + static int jent_rct_failure(struct rand_data *ec) + { +- return (ec->rct_count >= JENT_RCT_CUTOFF) ? 1 : 0; ++ return (ec->rct_count >= (30 * ec->osr)) ? 1 : 0; + } + + /* Report of health test failures */ +@@ -448,7 +501,7 @@ static void jent_memaccess(struct rand_d + * + * @return result of stuck test + */ +-static int jent_measure_jitter(struct rand_data *ec) ++static int jent_measure_jitter(struct rand_data *ec, __u64 *ret_current_delta) + { + __u64 time = 0; + __u64 current_delta = 0; +@@ -472,6 +525,10 @@ static int jent_measure_jitter(struct ra + if (jent_condition_data(ec, current_delta, stuck)) + stuck = 1; + ++ /* return the raw entropy value */ ++ if (ret_current_delta) ++ *ret_current_delta = current_delta; ++ + return stuck; + } + +@@ -489,11 +546,11 @@ static void jent_gen_entropy(struct rand + safety_factor = JENT_ENTROPY_SAFETY_FACTOR; + + /* priming of the ->prev_time value */ +- jent_measure_jitter(ec); ++ jent_measure_jitter(ec, NULL); + + while (!jent_health_failure(ec)) { + /* If a stuck measurement is received, repeat measurement */ +- if (jent_measure_jitter(ec)) ++ if (jent_measure_jitter(ec, NULL)) + continue; + + /* +@@ -554,7 +611,8 @@ int jent_read_entropy(struct rand_data * + * Perform startup health tests and return permanent + * error if it fails. + */ +- if (jent_entropy_init(ec->hash_state)) ++ if (jent_entropy_init(ec->osr, ec->flags, ++ ec->hash_state)) + return -3; + + return -2; +@@ -604,11 +662,15 @@ struct rand_data *jent_entropy_collector + + /* verify and set the oversampling rate */ + if (osr == 0) +- osr = 1; /* minimum sampling rate is 1 */ ++ osr = 1; /* H_submitter = 1 / osr */ + entropy_collector->osr = osr; ++ entropy_collector->flags = flags; + + entropy_collector->hash_state = hash_state; + ++ /* Initialize the APT */ ++ jent_apt_init(entropy_collector, osr); ++ + /* fill the data pad with non-zero values */ + jent_gen_entropy(entropy_collector); + +@@ -622,20 +684,14 @@ void jent_entropy_collector_free(struct + jent_zfree(entropy_collector); + } + +-int jent_entropy_init(void *hash_state) ++int jent_entropy_init(unsigned int osr, unsigned int flags, void *hash_state) + { +- int i; +- __u64 delta_sum = 0; +- __u64 old_delta = 0; +- unsigned int nonstuck = 0; +- int time_backwards = 0; +- int count_mod = 0; +- int count_stuck = 0; +- struct rand_data ec = { 0 }; +- +- /* Required for RCT */ +- ec.osr = 1; +- ec.hash_state = hash_state; ++ struct rand_data *ec; ++ int i, time_backwards = 0, ret = 0; ++ ++ ec = jent_entropy_collector_alloc(osr, flags, hash_state); ++ if (!ec) ++ return JENT_EMEM; + + /* We could perform statistical tests here, but the problem is + * that we only have a few loop counts to do testing. These +@@ -664,31 +720,28 @@ int jent_entropy_init(void *hash_state) + #define TESTLOOPCOUNT 1024 + #define CLEARCACHE 100 + for (i = 0; (TESTLOOPCOUNT + CLEARCACHE) > i; i++) { +- __u64 time = 0; +- __u64 time2 = 0; +- __u64 delta = 0; +- unsigned int lowdelta = 0; +- int stuck; ++ __u64 start_time = 0, end_time = 0, delta = 0; + + /* Invoke core entropy collection logic */ +- jent_get_nstime(&time); +- ec.prev_time = time; +- jent_condition_data(&ec, time, 0); +- jent_get_nstime(&time2); ++ jent_measure_jitter(ec, &delta); ++ end_time = ec->prev_time; ++ start_time = ec->prev_time - delta; + + /* test whether timer works */ +- if (!time || !time2) +- return JENT_ENOTIME; +- delta = jent_delta(time, time2); ++ if (!start_time || !end_time) { ++ ret = JENT_ENOTIME; ++ goto out; ++ } ++ + /* + * test whether timer is fine grained enough to provide + * delta even when called shortly after each other -- this + * implies that we also have a high resolution timer + */ +- if (!delta) +- return JENT_ECOARSETIME; +- +- stuck = jent_stuck(&ec, delta); ++ if (!delta || (end_time == start_time)) { ++ ret = JENT_ECOARSETIME; ++ goto out; ++ } + + /* + * up to here we did not modify any variable that will be +@@ -700,49 +753,9 @@ int jent_entropy_init(void *hash_state) + if (i < CLEARCACHE) + continue; + +- if (stuck) +- count_stuck++; +- else { +- nonstuck++; +- +- /* +- * Ensure that the APT succeeded. +- * +- * With the check below that count_stuck must be less +- * than 10% of the overall generated raw entropy values +- * it is guaranteed that the APT is invoked at +- * floor((TESTLOOPCOUNT * 0.9) / 64) == 14 times. +- */ +- if ((nonstuck % JENT_APT_WINDOW_SIZE) == 0) { +- jent_apt_reset(&ec, +- delta & JENT_APT_WORD_MASK); +- } +- } +- +- /* Validate health test result */ +- if (jent_health_failure(&ec)) +- return JENT_EHEALTH; +- + /* test whether we have an increasing timer */ +- if (!(time2 > time)) ++ if (!(end_time > start_time)) + time_backwards++; +- +- /* use 32 bit value to ensure compilation on 32 bit arches */ +- lowdelta = time2 - time; +- if (!(lowdelta % 100)) +- count_mod++; +- +- /* +- * ensure that we have a varying delta timer which is necessary +- * for the calculation of entropy -- perform this check +- * only after the first loop is executed as we need to prime +- * the old_data value +- */ +- if (delta > old_delta) +- delta_sum += (delta - old_delta); +- else +- delta_sum += (old_delta - delta); +- old_delta = delta; + } + + /* +@@ -752,31 +765,23 @@ int jent_entropy_init(void *hash_state) + * should not fail. The value of 3 should cover the NTP case being + * performed during our test run. + */ +- if (time_backwards > 3) +- return JENT_ENOMONOTONIC; +- +- /* +- * Variations of deltas of time must on average be larger +- * than 1 to ensure the entropy estimation +- * implied with 1 is preserved +- */ +- if ((delta_sum) <= 1) +- return JENT_EVARVAR; ++ if (time_backwards > 3) { ++ ret = JENT_ENOMONOTONIC; ++ goto out; ++ } + +- /* +- * Ensure that we have variations in the time stamp below 10 for at +- * least 10% of all checks -- on some platforms, the counter increments +- * in multiples of 100, but not always +- */ +- if ((TESTLOOPCOUNT/10 * 9) < count_mod) +- return JENT_ECOARSETIME; ++ /* Did we encounter a health test failure? */ ++ if (jent_rct_failure(ec)) { ++ ret = JENT_ERCT; ++ goto out; ++ } ++ if (jent_apt_failure(ec)) { ++ ret = JENT_EHEALTH; ++ goto out; ++ } + +- /* +- * If we have more than 90% stuck results, then this Jitter RNG is +- * likely to not work well. +- */ +- if ((TESTLOOPCOUNT/10 * 9) < count_stuck) +- return JENT_ESTUCK; ++out: ++ jent_entropy_collector_free(ec); + +- return 0; ++ return ret; + } +--- a/crypto/jitterentropy.h ++++ b/crypto/jitterentropy.h +@@ -9,7 +9,8 @@ extern int jent_hash_time(void *hash_sta + int jent_read_random_block(void *hash_state, char *dst, unsigned int dst_len); + + struct rand_data; +-extern int jent_entropy_init(void *hash_state); ++extern int jent_entropy_init(unsigned int osr, unsigned int flags, ++ void *hash_state); + extern int jent_read_entropy(struct rand_data *ec, unsigned char *data, + unsigned int len); + diff --git a/target/linux/generic/backport-6.6/906-02-v6.7-crypto-jitter-Allow-configuration-of-memory-size.patch b/target/linux/generic/backport-6.6/906-02-v6.7-crypto-jitter-Allow-configuration-of-memory-size.patch new file mode 100644 index 00000000000..b13fc867012 --- /dev/null +++ b/target/linux/generic/backport-6.6/906-02-v6.7-crypto-jitter-Allow-configuration-of-memory-size.patch @@ -0,0 +1,159 @@ +From 59bcfd788552504606e3eb774ae68052379396b6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stephan=20M=C3=BCller?= +Date: Thu, 21 Sep 2023 13:48:33 +0200 +Subject: [PATCH] crypto: jitter - Allow configuration of memory size + +The memory size consumed by the Jitter RNG is one contributing factor in +the amount of entropy that is gathered. As the amount of entropy +directly correlates with the distance of the memory from the CPU, the +caches that are possibly present on a given system have an impact on the +collected entropy. + +Thus, the kernel compile time should offer a means to configure the +amount of memory used by the Jitter RNG. Although this option could be +turned into a runtime option (e.g. a kernel command line option), it +should remain a compile time option as otherwise adminsitrators who may +not have performed an entropy assessment may select a value that is +inappropriate. + +The default value selected by the configuration is identical to the +current Jitter RNG value. Thus, the patch should not lead to any change +in the Jitter RNG behavior. + +To accommodate larger memory buffers, kvzalloc / kvfree is used. + +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +--- + crypto/Kconfig | 43 ++++++++++++++++++++++++++++++++++++ + crypto/jitterentropy-kcapi.c | 11 +++++++++ + crypto/jitterentropy.c | 16 ++++++++------ + crypto/jitterentropy.h | 2 ++ + 4 files changed, 65 insertions(+), 7 deletions(-) + +--- a/crypto/Kconfig ++++ b/crypto/Kconfig +@@ -1297,6 +1297,49 @@ config CRYPTO_JITTERENTROPY + + See https://www.chronox.de/jent/ + ++choice ++ prompt "CPU Jitter RNG Memory Size" ++ default CRYPTO_JITTERENTROPY_MEMSIZE_2 ++ depends on CRYPTO_JITTERENTROPY ++ help ++ The Jitter RNG measures the execution time of memory accesses. ++ Multiple consecutive memory accesses are performed. If the memory ++ size fits into a cache (e.g. L1), only the memory access timing ++ to that cache is measured. The closer the cache is to the CPU ++ the less variations are measured and thus the less entropy is ++ obtained. Thus, if the memory size fits into the L1 cache, the ++ obtained entropy is less than if the memory size fits within ++ L1 + L2, which in turn is less if the memory fits into ++ L1 + L2 + L3. Thus, by selecting a different memory size, ++ the entropy rate produced by the Jitter RNG can be modified. ++ ++ config CRYPTO_JITTERENTROPY_MEMSIZE_2 ++ bool "2048 Bytes (default)" ++ ++ config CRYPTO_JITTERENTROPY_MEMSIZE_128 ++ bool "128 kBytes" ++ ++ config CRYPTO_JITTERENTROPY_MEMSIZE_1024 ++ bool "1024 kBytes" ++ ++ config CRYPTO_JITTERENTROPY_MEMSIZE_8192 ++ bool "8192 kBytes" ++endchoice ++ ++config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS ++ int ++ default 64 if CRYPTO_JITTERENTROPY_MEMSIZE_2 ++ default 512 if CRYPTO_JITTERENTROPY_MEMSIZE_128 ++ default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024 ++ default 4096 if CRYPTO_JITTERENTROPY_MEMSIZE_8192 ++ ++config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE ++ int ++ default 32 if CRYPTO_JITTERENTROPY_MEMSIZE_2 ++ default 256 if CRYPTO_JITTERENTROPY_MEMSIZE_128 ++ default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024 ++ default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192 ++ + config CRYPTO_JITTERENTROPY_TESTINTERFACE + bool "CPU Jitter RNG Test Interface" + depends on CRYPTO_JITTERENTROPY +--- a/crypto/jitterentropy-kcapi.c ++++ b/crypto/jitterentropy-kcapi.c +@@ -54,6 +54,17 @@ + * Helper function + ***************************************************************************/ + ++void *jent_kvzalloc(unsigned int len) ++{ ++ return kvzalloc(len, GFP_KERNEL); ++} ++ ++void jent_kvzfree(void *ptr, unsigned int len) ++{ ++ memzero_explicit(ptr, len); ++ kvfree(ptr); ++} ++ + void *jent_zalloc(unsigned int len) + { + return kzalloc(len, GFP_KERNEL); +--- a/crypto/jitterentropy.c ++++ b/crypto/jitterentropy.c +@@ -75,10 +75,10 @@ struct rand_data { + + unsigned int flags; /* Flags used to initialize */ + unsigned int osr; /* Oversample rate */ +-#define JENT_MEMORY_BLOCKS 64 +-#define JENT_MEMORY_BLOCKSIZE 32 + #define JENT_MEMORY_ACCESSLOOPS 128 +-#define JENT_MEMORY_SIZE (JENT_MEMORY_BLOCKS*JENT_MEMORY_BLOCKSIZE) ++#define JENT_MEMORY_SIZE \ ++ (CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS * \ ++ CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE) + unsigned char *mem; /* Memory access location with size of + * memblocks * memblocksize */ + unsigned int memlocation; /* Pointer to byte in *mem */ +@@ -650,13 +650,15 @@ struct rand_data *jent_entropy_collector + /* Allocate memory for adding variations based on memory + * access + */ +- entropy_collector->mem = jent_zalloc(JENT_MEMORY_SIZE); ++ entropy_collector->mem = jent_kvzalloc(JENT_MEMORY_SIZE); + if (!entropy_collector->mem) { + jent_zfree(entropy_collector); + return NULL; + } +- entropy_collector->memblocksize = JENT_MEMORY_BLOCKSIZE; +- entropy_collector->memblocks = JENT_MEMORY_BLOCKS; ++ entropy_collector->memblocksize = ++ CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE; ++ entropy_collector->memblocks = ++ CONFIG_CRYPTO_JITTERENTROPY_MEMORY_BLOCKS; + entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS; + } + +@@ -679,7 +681,7 @@ struct rand_data *jent_entropy_collector + + void jent_entropy_collector_free(struct rand_data *entropy_collector) + { +- jent_zfree(entropy_collector->mem); ++ jent_kvzfree(entropy_collector->mem, JENT_MEMORY_SIZE); + entropy_collector->mem = NULL; + jent_zfree(entropy_collector); + } +--- a/crypto/jitterentropy.h ++++ b/crypto/jitterentropy.h +@@ -1,5 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0-or-later + ++extern void *jent_kvzalloc(unsigned int len); ++extern void jent_kvzfree(void *ptr, unsigned int len); + extern void *jent_zalloc(unsigned int len); + extern void jent_zfree(void *ptr); + extern void jent_get_nstime(__u64 *out); diff --git a/target/linux/generic/backport-6.6/906-03-v6.7-crypto-jitter-Allow-configuration-of-oversampling-rate.patch b/target/linux/generic/backport-6.6/906-03-v6.7-crypto-jitter-Allow-configuration-of-oversampling-rate.patch new file mode 100644 index 00000000000..856400fce95 --- /dev/null +++ b/target/linux/generic/backport-6.6/906-03-v6.7-crypto-jitter-Allow-configuration-of-oversampling-rate.patch @@ -0,0 +1,75 @@ +From 0baa8fab334a4d7017235b72fa8a547433572109 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stephan=20M=C3=BCller?= +Date: Thu, 21 Sep 2023 13:48:59 +0200 +Subject: [PATCH] crypto: jitter - Allow configuration of oversampling rate + +The oversampling rate used by the Jitter RNG allows the configuration of +the heuristically implied entropy in one timing measurement. This +entropy rate is (1 / OSR) bits of entropy per time stamp. + +Considering that the Jitter RNG now support APT/RCT health tests for +different OSRs, allow this value to be configured at compile time to +support systems with limited amount of entropy in their timer. + +The allowed range of OSR values complies with the APT/RCT cutoff health +test values which range from 1 through 15. + +The default value of the OSR selection support is left at 1 which is the +current default. Thus, the addition of the configuration support does +not alter the default Jitter RNG behavior. + +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +--- + crypto/Kconfig | 17 +++++++++++++++++ + crypto/jitterentropy-kcapi.c | 6 ++++-- + 2 files changed, 21 insertions(+), 2 deletions(-) + +--- a/crypto/Kconfig ++++ b/crypto/Kconfig +@@ -1340,6 +1340,23 @@ config CRYPTO_JITTERENTROPY_MEMORY_BLOCK + default 1024 if CRYPTO_JITTERENTROPY_MEMSIZE_1024 + default 2048 if CRYPTO_JITTERENTROPY_MEMSIZE_8192 + ++config CRYPTO_JITTERENTROPY_OSR ++ int "CPU Jitter RNG Oversampling Rate" ++ range 1 15 ++ default 1 ++ depends on CRYPTO_JITTERENTROPY ++ help ++ The Jitter RNG allows the specification of an oversampling rate (OSR). ++ The Jitter RNG operation requires a fixed amount of timing ++ measurements to produce one output block of random numbers. The ++ OSR value is multiplied with the amount of timing measurements to ++ generate one output block. Thus, the timing measurement is oversampled ++ by the OSR factor. The oversampling allows the Jitter RNG to operate ++ on hardware whose timers deliver limited amount of entropy (e.g. ++ the timer is coarse) by setting the OSR to a higher value. The ++ trade-off, however, is that the Jitter RNG now requires more time ++ to generate random numbers. ++ + config CRYPTO_JITTERENTROPY_TESTINTERFACE + bool "CPU Jitter RNG Test Interface" + depends on CRYPTO_JITTERENTROPY +--- a/crypto/jitterentropy-kcapi.c ++++ b/crypto/jitterentropy-kcapi.c +@@ -256,7 +256,9 @@ static int jent_kcapi_init(struct crypto + crypto_shash_init(sdesc); + rng->sdesc = sdesc; + +- rng->entropy_collector = jent_entropy_collector_alloc(0, 0, sdesc); ++ rng->entropy_collector = ++ jent_entropy_collector_alloc(CONFIG_CRYPTO_JITTERENTROPY_OSR, 0, ++ sdesc); + if (!rng->entropy_collector) { + ret = -ENOMEM; + goto err; +@@ -345,7 +347,7 @@ static int __init jent_mod_init(void) + + desc->tfm = tfm; + crypto_shash_init(desc); +- ret = jent_entropy_init(0, 0, desc); ++ ret = jent_entropy_init(CONFIG_CRYPTO_JITTERENTROPY_OSR, 0, desc); + shash_desc_zero(desc); + crypto_free_shash(tfm); + if (ret) { diff --git a/target/linux/generic/backport-6.6/906-04-v6.7-crypto-jitter-reuse-allocated-entropy-collector.patch b/target/linux/generic/backport-6.6/906-04-v6.7-crypto-jitter-reuse-allocated-entropy-collector.patch new file mode 100644 index 00000000000..d56f1f2449b --- /dev/null +++ b/target/linux/generic/backport-6.6/906-04-v6.7-crypto-jitter-reuse-allocated-entropy-collector.patch @@ -0,0 +1,117 @@ +From 8405ec8e3c02df8b3720874c3e2169fef4553868 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stephan=20M=C3=BCller?= +Date: Sat, 7 Oct 2023 09:10:43 +0200 +Subject: [PATCH] crypto: jitter - reuse allocated entropy collector + +In case a health test error occurs during runtime, the power-up health +tests are rerun to verify that the noise source is still good and +that the reported health test error was an outlier. For performing this +power-up health test, the already existing entropy collector instance +is used instead of allocating a new one. This change has the following +implications: + +* The noise that is collected as part of the newly run health tests is + inserted into the entropy collector and thus stirs the existing + data present in there further. Thus, the entropy collected during + the health test is not wasted. This is also allowed by SP800-90B. + +* The power-on health test is not affected by the state of the entropy + collector, because it resets the APT / RCT state. The remainder of + the state is unrelated to the health test as it is only applied to + newly obtained time stamps. + +This change also fixes a bug report about an allocation while in an +atomic lock (the lock is taken in jent_kcapi_random, jent_read_entropy +is called and this can call jent_entropy_init). + +Fixes: 04597c8dd6c4 ("jitter - add RCT/APT support for different OSRs") +Reported-by: Dan Carpenter +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +--- + crypto/jitterentropy-kcapi.c | 2 +- + crypto/jitterentropy.c | 36 ++++++++++++++++++++++++++---------- + crypto/jitterentropy.h | 2 +- + 3 files changed, 28 insertions(+), 12 deletions(-) + +--- a/crypto/jitterentropy-kcapi.c ++++ b/crypto/jitterentropy-kcapi.c +@@ -347,7 +347,7 @@ static int __init jent_mod_init(void) + + desc->tfm = tfm; + crypto_shash_init(desc); +- ret = jent_entropy_init(CONFIG_CRYPTO_JITTERENTROPY_OSR, 0, desc); ++ ret = jent_entropy_init(CONFIG_CRYPTO_JITTERENTROPY_OSR, 0, desc, NULL); + shash_desc_zero(desc); + crypto_free_shash(tfm); + if (ret) { +--- a/crypto/jitterentropy.c ++++ b/crypto/jitterentropy.c +@@ -611,8 +611,7 @@ int jent_read_entropy(struct rand_data * + * Perform startup health tests and return permanent + * error if it fails. + */ +- if (jent_entropy_init(ec->osr, ec->flags, +- ec->hash_state)) ++ if (jent_entropy_init(0, 0, NULL, ec)) + return -3; + + return -2; +@@ -686,14 +685,30 @@ void jent_entropy_collector_free(struct + jent_zfree(entropy_collector); + } + +-int jent_entropy_init(unsigned int osr, unsigned int flags, void *hash_state) ++int jent_entropy_init(unsigned int osr, unsigned int flags, void *hash_state, ++ struct rand_data *p_ec) + { +- struct rand_data *ec; +- int i, time_backwards = 0, ret = 0; ++ /* ++ * If caller provides an allocated ec, reuse it which implies that the ++ * health test entropy data is used to further still the available ++ * entropy pool. ++ */ ++ struct rand_data *ec = p_ec; ++ int i, time_backwards = 0, ret = 0, ec_free = 0; + +- ec = jent_entropy_collector_alloc(osr, flags, hash_state); +- if (!ec) +- return JENT_EMEM; ++ if (!ec) { ++ ec = jent_entropy_collector_alloc(osr, flags, hash_state); ++ if (!ec) ++ return JENT_EMEM; ++ ec_free = 1; ++ } else { ++ /* Reset the APT */ ++ jent_apt_reset(ec, 0); ++ /* Ensure that a new APT base is obtained */ ++ ec->apt_base_set = 0; ++ /* Reset the RCT */ ++ ec->rct_count = 0; ++ } + + /* We could perform statistical tests here, but the problem is + * that we only have a few loop counts to do testing. These +@@ -783,7 +798,8 @@ int jent_entropy_init(unsigned int osr, + } + + out: +- jent_entropy_collector_free(ec); ++ if (ec_free) ++ jent_entropy_collector_free(ec); + + return ret; + } +--- a/crypto/jitterentropy.h ++++ b/crypto/jitterentropy.h +@@ -12,7 +12,7 @@ int jent_read_random_block(void *hash_st + + struct rand_data; + extern int jent_entropy_init(unsigned int osr, unsigned int flags, +- void *hash_state); ++ void *hash_state, struct rand_data *p_ec); + extern int jent_read_entropy(struct rand_data *ec, unsigned char *data, + unsigned int len); + diff --git a/target/linux/generic/backport-6.6/906-05-v6.7-crypto-jitter-use-permanent-health-test-storage.patch b/target/linux/generic/backport-6.6/906-05-v6.7-crypto-jitter-use-permanent-health-test-storage.patch new file mode 100644 index 00000000000..7c59169720c --- /dev/null +++ b/target/linux/generic/backport-6.6/906-05-v6.7-crypto-jitter-use-permanent-health-test-storage.patch @@ -0,0 +1,242 @@ +From cf27d9475f37fb69b5bc293e6e6d6c1d03cf7cc6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stephan=20M=C3=BCller?= +Date: Thu, 19 Oct 2023 09:40:42 +0200 +Subject: [PATCH] crypto: jitter - use permanent health test storage + +The health test result in the current code is only given for the currently +processed raw time stamp. This implies to react on the health test error, +the result must be checked after each raw time stamp being processed. To +avoid this constant checking requirement, any health test error is recorded +and stored to be analyzed at a later time, if needed. + +This change ensures that the power-up test catches any health test error. +Without that patch, the power-up health test result is not enforced. + +The introduced changes are already in use with the user space version of +the Jitter RNG. + +Fixes: 04597c8dd6c4 ("jitter - add RCT/APT support for different OSRs") +Reported-by: Joachim Vandersmissen +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +--- + crypto/jitterentropy.c | 125 ++++++++++++++++++++++++----------------- + 1 file changed, 74 insertions(+), 51 deletions(-) + +--- a/crypto/jitterentropy.c ++++ b/crypto/jitterentropy.c +@@ -100,6 +100,8 @@ struct rand_data { + unsigned int apt_observations; /* Number of collected observations */ + unsigned int apt_count; /* APT counter */ + unsigned int apt_base; /* APT base reference */ ++ unsigned int health_failure; /* Record health failure */ ++ + unsigned int apt_base_set:1; /* APT base reference set? */ + }; + +@@ -121,6 +123,13 @@ struct rand_data { + #define JENT_EHASH 11 /* Hash self test failed */ + #define JENT_EMEM 12 /* Can't allocate memory for initialization */ + ++#define JENT_RCT_FAILURE 1 /* Failure in RCT health test. */ ++#define JENT_APT_FAILURE 2 /* Failure in APT health test. */ ++#define JENT_PERMANENT_FAILURE_SHIFT 16 ++#define JENT_PERMANENT_FAILURE(x) (x << JENT_PERMANENT_FAILURE_SHIFT) ++#define JENT_RCT_FAILURE_PERMANENT JENT_PERMANENT_FAILURE(JENT_RCT_FAILURE) ++#define JENT_APT_FAILURE_PERMANENT JENT_PERMANENT_FAILURE(JENT_APT_FAILURE) ++ + /* + * The output n bits can receive more than n bits of min entropy, of course, + * but the fixed output of the conditioning function can only asymptotically +@@ -215,26 +224,22 @@ static void jent_apt_insert(struct rand_ + return; + } + +- if (delta_masked == ec->apt_base) ++ if (delta_masked == ec->apt_base) { + ec->apt_count++; + ++ /* Note, ec->apt_count starts with one. */ ++ if (ec->apt_count >= ec->apt_cutoff_permanent) ++ ec->health_failure |= JENT_APT_FAILURE_PERMANENT; ++ else if (ec->apt_count >= ec->apt_cutoff) ++ ec->health_failure |= JENT_APT_FAILURE; ++ } ++ + ec->apt_observations++; + + if (ec->apt_observations >= JENT_APT_WINDOW_SIZE) + jent_apt_reset(ec, delta_masked); + } + +-/* APT health test failure detection */ +-static int jent_apt_permanent_failure(struct rand_data *ec) +-{ +- return (ec->apt_count >= ec->apt_cutoff_permanent) ? 1 : 0; +-} +- +-static int jent_apt_failure(struct rand_data *ec) +-{ +- return (ec->apt_count >= ec->apt_cutoff) ? 1 : 0; +-} +- + /*************************************************************************** + * Stuck Test and its use as Repetition Count Test + * +@@ -261,6 +266,30 @@ static void jent_rct_insert(struct rand_ + { + if (stuck) { + ec->rct_count++; ++ ++ /* ++ * The cutoff value is based on the following consideration: ++ * alpha = 2^-30 or 2^-60 as recommended in SP800-90B. ++ * In addition, we require an entropy value H of 1/osr as this ++ * is the minimum entropy required to provide full entropy. ++ * Note, we collect (DATA_SIZE_BITS + ENTROPY_SAFETY_FACTOR)*osr ++ * deltas for inserting them into the entropy pool which should ++ * then have (close to) DATA_SIZE_BITS bits of entropy in the ++ * conditioned output. ++ * ++ * Note, ec->rct_count (which equals to value B in the pseudo ++ * code of SP800-90B section 4.4.1) starts with zero. Hence ++ * we need to subtract one from the cutoff value as calculated ++ * following SP800-90B. Thus C = ceil(-log_2(alpha)/H) = 30*osr ++ * or 60*osr. ++ */ ++ if ((unsigned int)ec->rct_count >= (60 * ec->osr)) { ++ ec->rct_count = -1; ++ ec->health_failure |= JENT_RCT_FAILURE_PERMANENT; ++ } else if ((unsigned int)ec->rct_count >= (30 * ec->osr)) { ++ ec->rct_count = -1; ++ ec->health_failure |= JENT_RCT_FAILURE; ++ } + } else { + /* Reset RCT */ + ec->rct_count = 0; +@@ -316,38 +345,24 @@ static int jent_stuck(struct rand_data * + } + + /* +- * The cutoff value is based on the following consideration: +- * alpha = 2^-30 or 2^-60 as recommended in SP800-90B. +- * In addition, we require an entropy value H of 1/osr as this is the minimum +- * entropy required to provide full entropy. +- * Note, we collect (DATA_SIZE_BITS + ENTROPY_SAFETY_FACTOR)*osr deltas for +- * inserting them into the entropy pool which should then have (close to) +- * DATA_SIZE_BITS bits of entropy in the conditioned output. ++ * Report any health test failures + * +- * Note, ec->rct_count (which equals to value B in the pseudo code of SP800-90B +- * section 4.4.1) starts with zero. Hence we need to subtract one from the +- * cutoff value as calculated following SP800-90B. Thus +- * C = ceil(-log_2(alpha)/H) = 30*osr or 60*osr. +- */ +-static int jent_rct_permanent_failure(struct rand_data *ec) +-{ +- return (ec->rct_count >= (60 * ec->osr)) ? 1 : 0; +-} +- +-static int jent_rct_failure(struct rand_data *ec) +-{ +- return (ec->rct_count >= (30 * ec->osr)) ? 1 : 0; +-} +- +-/* Report of health test failures */ +-static int jent_health_failure(struct rand_data *ec) +-{ +- return jent_rct_failure(ec) | jent_apt_failure(ec); +-} ++ * @ec [in] Reference to entropy collector ++ * ++ * @return a bitmask indicating which tests failed ++ * 0 No health test failure ++ * 1 RCT failure ++ * 2 APT failure ++ * 1<health_failure; + } + + /*************************************************************************** +@@ -594,11 +609,12 @@ int jent_read_entropy(struct rand_data * + return -1; + + while (len > 0) { +- unsigned int tocopy; ++ unsigned int tocopy, health_test_result; + + jent_gen_entropy(ec); + +- if (jent_permanent_health_failure(ec)) { ++ health_test_result = jent_health_failure(ec); ++ if (health_test_result > JENT_PERMANENT_FAILURE_SHIFT) { + /* + * At this point, the Jitter RNG instance is considered + * as a failed instance. There is no rerun of the +@@ -606,13 +622,18 @@ int jent_read_entropy(struct rand_data * + * is assumed to not further use this instance. + */ + return -3; +- } else if (jent_health_failure(ec)) { ++ } else if (health_test_result) { + /* + * Perform startup health tests and return permanent + * error if it fails. + */ +- if (jent_entropy_init(0, 0, NULL, ec)) ++ if (jent_entropy_init(0, 0, NULL, ec)) { ++ /* Mark the permanent error */ ++ ec->health_failure &= ++ JENT_RCT_FAILURE_PERMANENT | ++ JENT_APT_FAILURE_PERMANENT; + return -3; ++ } + + return -2; + } +@@ -695,6 +716,7 @@ int jent_entropy_init(unsigned int osr, + */ + struct rand_data *ec = p_ec; + int i, time_backwards = 0, ret = 0, ec_free = 0; ++ unsigned int health_test_result; + + if (!ec) { + ec = jent_entropy_collector_alloc(osr, flags, hash_state); +@@ -708,6 +730,9 @@ int jent_entropy_init(unsigned int osr, + ec->apt_base_set = 0; + /* Reset the RCT */ + ec->rct_count = 0; ++ /* Reset intermittent, leave permanent health test result */ ++ ec->health_failure &= (~JENT_RCT_FAILURE); ++ ec->health_failure &= (~JENT_APT_FAILURE); + } + + /* We could perform statistical tests here, but the problem is +@@ -788,12 +813,10 @@ int jent_entropy_init(unsigned int osr, + } + + /* Did we encounter a health test failure? */ +- if (jent_rct_failure(ec)) { +- ret = JENT_ERCT; +- goto out; +- } +- if (jent_apt_failure(ec)) { +- ret = JENT_EHEALTH; ++ health_test_result = jent_health_failure(ec); ++ if (health_test_result) { ++ ret = (health_test_result & JENT_RCT_FAILURE) ? JENT_ERCT : ++ JENT_EHEALTH; + goto out; + } + diff --git a/target/linux/generic/backport-6.6/906-06-v6.7-crypto-jitterentropy-Hide-esoteric-Kconfig-options-under.patch b/target/linux/generic/backport-6.6/906-06-v6.7-crypto-jitterentropy-Hide-esoteric-Kconfig-options-under.patch new file mode 100644 index 00000000000..2dc2a011698 --- /dev/null +++ b/target/linux/generic/backport-6.6/906-06-v6.7-crypto-jitterentropy-Hide-esoteric-Kconfig-options-under.patch @@ -0,0 +1,80 @@ +From e7ed6473c2c8c4e45dd861bfa06e96189b11d8db Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Mon, 6 Nov 2023 18:00:08 +0800 +Subject: [PATCH] crypto: jitterentropy - Hide esoteric Kconfig options under + FIPS and EXPERT + +As JITTERENTROPY is selected by default if you enable the CRYPTO +API, any Kconfig options added there will show up for every single +user. Hide the esoteric options under EXPERT as well as FIPS so +that only distro makers will see them. + +Reported-by: Linus Torvalds +Signed-off-by: Herbert Xu +Reviewed-by: Stephan Mueller +Signed-off-by: Herbert Xu +--- + crypto/Kconfig | 28 +++++++++++++++++++++++++--- + 1 file changed, 25 insertions(+), 3 deletions(-) + +--- a/crypto/Kconfig ++++ b/crypto/Kconfig +@@ -1297,10 +1297,12 @@ config CRYPTO_JITTERENTROPY + + See https://www.chronox.de/jent/ + ++if CRYPTO_JITTERENTROPY ++if CRYPTO_FIPS && EXPERT ++ + choice + prompt "CPU Jitter RNG Memory Size" + default CRYPTO_JITTERENTROPY_MEMSIZE_2 +- depends on CRYPTO_JITTERENTROPY + help + The Jitter RNG measures the execution time of memory accesses. + Multiple consecutive memory accesses are performed. If the memory +@@ -1344,7 +1346,6 @@ config CRYPTO_JITTERENTROPY_OSR + int "CPU Jitter RNG Oversampling Rate" + range 1 15 + default 1 +- depends on CRYPTO_JITTERENTROPY + help + The Jitter RNG allows the specification of an oversampling rate (OSR). + The Jitter RNG operation requires a fixed amount of timing +@@ -1359,7 +1360,6 @@ config CRYPTO_JITTERENTROPY_OSR + + config CRYPTO_JITTERENTROPY_TESTINTERFACE + bool "CPU Jitter RNG Test Interface" +- depends on CRYPTO_JITTERENTROPY + help + The test interface allows a privileged process to capture + the raw unconditioned high resolution time stamp noise that +@@ -1377,6 +1377,28 @@ config CRYPTO_JITTERENTROPY_TESTINTERFAC + + If unsure, select N. + ++endif # if CRYPTO_FIPS && EXPERT ++ ++if !(CRYPTO_FIPS && EXPERT) ++ ++config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS ++ int ++ default 64 ++ ++config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE ++ int ++ default 32 ++ ++config CRYPTO_JITTERENTROPY_OSR ++ int ++ default 1 ++ ++config CRYPTO_JITTERENTROPY_TESTINTERFACE ++ bool ++ ++endif # if !(CRYPTO_FIPS && EXPERT) ++endif # if CRYPTO_JITTERENTROPY ++ + config CRYPTO_KDF800108_CTR + tristate + select CRYPTO_HMAC diff --git a/target/linux/generic/backport-6.6/906-07-v6.10-crypto-jitter-Use-kvfree_sensitive-to-fix-Coccinelle.patch b/target/linux/generic/backport-6.6/906-07-v6.10-crypto-jitter-Use-kvfree_sensitive-to-fix-Coccinelle.patch new file mode 100644 index 00000000000..88a0bd15c06 --- /dev/null +++ b/target/linux/generic/backport-6.6/906-07-v6.10-crypto-jitter-Use-kvfree_sensitive-to-fix-Coccinelle.patch @@ -0,0 +1,30 @@ +From 6e61ee1ca551292d8714c35c92a019c41db79e4e Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Wed, 27 Mar 2024 23:25:09 +0100 +Subject: [PATCH] crypto: jitter - Use kvfree_sensitive() to fix Coccinelle + warning + +Replace memzero_explicit() and kvfree() with kvfree_sensitive() to fix +the following Coccinelle/coccicheck warning reported by +kfree_sensitive.cocci: + + WARNING opportunity for kfree_sensitive/kvfree_sensitive + +Signed-off-by: Thorsten Blum +Signed-off-by: Herbert Xu +--- + crypto/jitterentropy-kcapi.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/crypto/jitterentropy-kcapi.c ++++ b/crypto/jitterentropy-kcapi.c +@@ -61,8 +61,7 @@ void *jent_kvzalloc(unsigned int len) + + void jent_kvzfree(void *ptr, unsigned int len) + { +- memzero_explicit(ptr, len); +- kvfree(ptr); ++ kvfree_sensitive(ptr, len); + } + + void *jent_zalloc(unsigned int len) diff --git a/target/linux/generic/backport-6.6/906-08-v6.12-crypto-jitter-set-default-OSR-to-3.patch b/target/linux/generic/backport-6.6/906-08-v6.12-crypto-jitter-set-default-OSR-to-3.patch new file mode 100644 index 00000000000..ade8f1005bd --- /dev/null +++ b/target/linux/generic/backport-6.6/906-08-v6.12-crypto-jitter-set-default-OSR-to-3.patch @@ -0,0 +1,36 @@ +From 95a798d20060d2b648dd604321e347c85edfd783 Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Mon, 12 Aug 2024 08:25:42 +0200 +Subject: [PATCH] crypto: jitter - set default OSR to 3 + +The user space Jitter RNG library uses the oversampling rate of 3 which +implies that each time stamp is credited with 1/3 bit of entropy. To +obtain 256 bits of entropy, 768 time stamps need to be sampled. The +increase in OSR is applied based on a report where the Jitter RNG is +used on a system exhibiting a challenging environment to collect +entropy. + +This OSR default value is now applied to the Linux kernel version of +the Jitter RNG as well. + +The increase in the OSR from 1 to 3 also implies that the Jitter RNG is +now slower by default. + +Reported-by: Jeff Barnes +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +--- + crypto/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/Kconfig ++++ b/crypto/Kconfig +@@ -1345,7 +1345,7 @@ config CRYPTO_JITTERENTROPY_MEMORY_BLOCK + config CRYPTO_JITTERENTROPY_OSR + int "CPU Jitter RNG Oversampling Rate" + range 1 15 +- default 1 ++ default 3 + help + The Jitter RNG allows the specification of an oversampling rate (OSR). + The Jitter RNG operation requires a fixed amount of timing