Differential D14541
Make Raspberry Pi RNG compatible with upstream DTBs Authored by sylvain_sylvaingarrigues.com on Feb 28 2018, 9:26 AM. Tags None Referenced Files
Details Upstream DTBs don't provide IRQ lines for the RNG. Even if they did, harvesting bytes as often as the RNG interrupt is triggered seems overkill: it was acknowledged on #bsdmips with security and RNG experts that feeding 16 bytes of randomness every 4 seconds was enough. For these reasons, get rid of the interrupt mode and make callout mode the default, with random bits harvested every 4 seconds. Tested on RPI2 v1.1 (armv7), RPI3 (armv7), RPI3 (arm64) with upstream DTBs from https://github.com/raspberrypi/firmware/tree/master/boot. Tested on RPI-B (armv6) by Michal.
Diff Detail
Event TimelineComment Actions Tested also on RPi-B (armv6) without problem. With above exception, I'm fine with this. Comment Actions Cosmetic change: rename callback argument from "param" to "arg" as per callout_reset documentation. Comment Actions I only briefly reviewed changes, and I don't see any issues. I did not do a security review. Two issues that I do see is that there does not appear to be any man page for this driver. For reference: https://security.stackexchange.com/a/47481 Comment Actions Driver originally introduced in D6888. This driver should indeed have a man page, but that should not gate the change here. Comment Actions I see no security issues here. I agree that a man page would be nice, and a note in it communicating risk would also be nice. The only material change is the rate we feed data to the entropy engine. It would be good to get the SO to say yes or no to that in a timely fashion. I agree that the lower rate is fine. The interrupt rate is ridiculously often. Comment Actions Perhaps we could make the period for the first callout_reset lower, instead of waiting 4s for the first harvest. But I'm happy to see this committed either way. Comment Actions Schedule the initial harvesting as soon as one second after the RNG is started, which should give it plenty of time to generate the first random bytes. Comment Actions delphij: as the approver for secteam of D6888 which introduced the code and logic implemented in this driver, are you comfortable to approve this one patch here, which does not introduce functional changes to the callout mode? For reference, as discussed on #bsdmips, the interrupt rate of the RPI RNG was measured at around 87 interrupts / second on an rpi2, which makes the interrupt mode feed 16*4*87 bytes of entropy/sec: that seems overkill and jmg gave us hint that harvesting 16*4 bytes every 4 seconds was enough, hence this patch. In addition, this patch also allows to use upstream DTBs (instead of FreeBSD custom ones) as they do not specify IRQ numbers for the RNG. |