You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
373 lines
18 KiB
373 lines
18 KiB
7 months ago
|
From d424c00790f478790be7388827113853b968023e Mon Sep 17 00:00:00 2001
|
||
|
From: Franck Bui <fbui@suse.com>
|
||
|
Date: Thu, 20 Oct 2022 09:39:12 +0200
|
||
|
Subject: [PATCH] random-seed: split out run()
|
||
|
|
||
|
No functional change.
|
||
|
|
||
|
(cherry picked from commit d3fa881aa1f4bffc097d63ed68d2e2a8ada813d0)
|
||
|
|
||
|
Related: RHEL-16952
|
||
|
---
|
||
|
src/random-seed/random-seed.c | 327 +++++++++++++++++++---------------
|
||
|
1 file changed, 184 insertions(+), 143 deletions(-)
|
||
|
|
||
|
diff --git a/src/random-seed/random-seed.c b/src/random-seed/random-seed.c
|
||
|
index 4b8138ca03..991e4b8ddd 100644
|
||
|
--- a/src/random-seed/random-seed.c
|
||
|
+++ b/src/random-seed/random-seed.c
|
||
|
@@ -131,6 +131,180 @@ static int random_seed_size(int seed_fd, size_t *ret_size) {
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
+static int load_seed_file(
|
||
|
+ int seed_fd,
|
||
|
+ int urandom_fd,
|
||
|
+ size_t seed_size,
|
||
|
+ struct sha256_ctx **ret_hash_state) {
|
||
|
+
|
||
|
+ _cleanup_free_ void *buf = NULL;
|
||
|
+ CreditEntropy lets_credit;
|
||
|
+ sd_id128_t mid;
|
||
|
+ ssize_t k;
|
||
|
+ int r;
|
||
|
+
|
||
|
+ assert(seed_fd >= 0);
|
||
|
+ assert(urandom_fd >= 0);
|
||
|
+
|
||
|
+ /* First, let's write the machine ID into /dev/urandom, not crediting entropy. Why? As an extra
|
||
|
+ * protection against "golden images" that are put together sloppily, i.e. images which are
|
||
|
+ * duplicated on multiple systems but where the random seed file is not properly reset. Frequently
|
||
|
+ * the machine ID is properly reset on those systems however (simply because it's easier to notice,
|
||
|
+ * if it isn't due to address clashes and so on, while random seed equivalence is generally not
|
||
|
+ * noticed easily), hence let's simply write the machined ID into the random pool too. */
|
||
|
+ r = sd_id128_get_machine(&mid);
|
||
|
+ if (r < 0)
|
||
|
+ log_debug_errno(r, "Failed to get machine ID, ignoring: %m");
|
||
|
+ else {
|
||
|
+ r = random_write_entropy(urandom_fd, &mid, sizeof(mid), /* credit= */ false);
|
||
|
+ if (r < 0)
|
||
|
+ log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m");
|
||
|
+ }
|
||
|
+
|
||
|
+ buf = malloc(seed_size);
|
||
|
+ if (!buf)
|
||
|
+ return log_oom();
|
||
|
+
|
||
|
+ k = loop_read(seed_fd, buf, seed_size, false);
|
||
|
+ if (k < 0) {
|
||
|
+ log_error_errno(k, "Failed to read seed from " RANDOM_SEED ": %m");
|
||
|
+ return 0;
|
||
|
+ }
|
||
|
+ if (k == 0) {
|
||
|
+ log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding.");
|
||
|
+ return 0;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* If we're going to later write out a seed file, initialize a hash state with the contents of the
|
||
|
+ * seed file we just read, so that the new one can't regress in entropy. */
|
||
|
+ if (ret_hash_state) {
|
||
|
+ struct sha256_ctx *hash_state;
|
||
|
+
|
||
|
+ hash_state = malloc(sizeof(struct sha256_ctx));
|
||
|
+ if (!hash_state)
|
||
|
+ return log_oom();
|
||
|
+
|
||
|
+ sha256_init_ctx(hash_state);
|
||
|
+ sha256_process_bytes(&k, sizeof(k), hash_state); /* Hash length to distinguish from new seed. */
|
||
|
+ sha256_process_bytes(buf, k, hash_state);
|
||
|
+
|
||
|
+ *ret_hash_state = hash_state;
|
||
|
+ }
|
||
|
+
|
||
|
+ (void) lseek(seed_fd, 0, SEEK_SET);
|
||
|
+
|
||
|
+ lets_credit = may_credit(seed_fd);
|
||
|
+
|
||
|
+ /* Before we credit or use the entropy, let's make sure to securely drop the creditable xattr from
|
||
|
+ * the file, so that we never credit the same random seed again. Note that further down we'll write a
|
||
|
+ * new seed again, and likely mark it as credible again, hence this is just paranoia to close the
|
||
|
+ * short time window between the time we upload the random seed into the kernel and download the new
|
||
|
+ * one from it. */
|
||
|
+
|
||
|
+ if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) {
|
||
|
+ if (!ERRNO_IS_XATTR_ABSENT(errno))
|
||
|
+ log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m");
|
||
|
+
|
||
|
+ /* Otherwise, there was no creditable flag set, which is OK. */
|
||
|
+ } else {
|
||
|
+ r = fsync_full(seed_fd);
|
||
|
+ if (r < 0) {
|
||
|
+ log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m");
|
||
|
+
|
||
|
+ if (lets_credit == CREDIT_ENTROPY_YES_PLEASE)
|
||
|
+ lets_credit = CREDIT_ENTROPY_NO_WAY;
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ r = random_write_entropy(urandom_fd, buf, k,
|
||
|
+ IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED));
|
||
|
+ if (r < 0)
|
||
|
+ log_error_errno(r, "Failed to write seed to /dev/urandom: %m");
|
||
|
+
|
||
|
+ return 0;
|
||
|
+}
|
||
|
+
|
||
|
+static int save_seed_file(
|
||
|
+ int seed_fd,
|
||
|
+ int urandom_fd,
|
||
|
+ size_t seed_size,
|
||
|
+ bool synchronous,
|
||
|
+ struct sha256_ctx *hash_state) {
|
||
|
+
|
||
|
+ _cleanup_free_ void *buf = NULL;
|
||
|
+ bool getrandom_worked = false;
|
||
|
+ ssize_t k, l;
|
||
|
+ int r;
|
||
|
+
|
||
|
+ assert(seed_fd >= 0);
|
||
|
+ assert(urandom_fd >= 0);
|
||
|
+
|
||
|
+ /* This is just a safety measure. Given that we are root and most likely created the file ourselves
|
||
|
+ * the mode and owner should be correct anyway. */
|
||
|
+ r = fchmod_and_chown(seed_fd, 0600, 0, 0);
|
||
|
+ if (r < 0)
|
||
|
+ return log_error_errno(r, "Failed to adjust seed file ownership and access mode: %m");
|
||
|
+
|
||
|
+ buf = malloc(seed_size);
|
||
|
+ if (!buf)
|
||
|
+ return log_oom();
|
||
|
+
|
||
|
+ /* Let's make this whole job asynchronous, i.e. let's make ourselves a barrier for proper
|
||
|
+ * initialization of the random pool. */
|
||
|
+ k = getrandom(buf, seed_size, GRND_NONBLOCK);
|
||
|
+ if (k < 0 && errno == EAGAIN && synchronous) {
|
||
|
+ log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
|
||
|
+ k = getrandom(buf, seed_size, 0); /* retry synchronously */
|
||
|
+ }
|
||
|
+ if (k < 0)
|
||
|
+ log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
|
||
|
+ else if ((size_t) k < seed_size)
|
||
|
+ log_debug("Short read from getrandom(), falling back to /dev/urandom.");
|
||
|
+ else
|
||
|
+ getrandom_worked = true;
|
||
|
+
|
||
|
+ if (!getrandom_worked) {
|
||
|
+ /* Retry with classic /dev/urandom */
|
||
|
+ k = loop_read(urandom_fd, buf, seed_size, false);
|
||
|
+ if (k < 0)
|
||
|
+ return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m");
|
||
|
+ if (k == 0)
|
||
|
+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Got EOF while reading from /dev/urandom.");
|
||
|
+ }
|
||
|
+
|
||
|
+ /* If we previously read in a seed file, then hash the new seed into the old one, and replace the
|
||
|
+ * last 32 bytes of the seed with the hash output, so that the new seed file can't regress in
|
||
|
+ * entropy. */
|
||
|
+ if (hash_state) {
|
||
|
+ uint8_t hash[SHA256_DIGEST_SIZE];
|
||
|
+
|
||
|
+ sha256_process_bytes(&k, sizeof(k), hash_state); /* Hash length to distinguish from old seed. */
|
||
|
+ sha256_process_bytes(buf, k, hash_state);
|
||
|
+ sha256_finish_ctx(hash_state, hash);
|
||
|
+ l = MIN((size_t)k, sizeof(hash));
|
||
|
+ memcpy((uint8_t *)buf + k - l, hash, l);
|
||
|
+ }
|
||
|
+
|
||
|
+ r = loop_write(seed_fd, buf, (size_t) k, false);
|
||
|
+ if (r < 0)
|
||
|
+ return log_error_errno(r, "Failed to write new random seed file: %m");
|
||
|
+
|
||
|
+ if (ftruncate(seed_fd, k) < 0)
|
||
|
+ return log_error_errno(r, "Failed to truncate random seed file: %m");
|
||
|
+
|
||
|
+ r = fsync_full(seed_fd);
|
||
|
+ if (r < 0)
|
||
|
+ return log_error_errno(r, "Failed to synchronize seed file: %m");
|
||
|
+
|
||
|
+ /* If we got this random seed data from getrandom() the data is suitable for crediting entropy later
|
||
|
+ * on. Let's keep that in mind by setting an extended attribute. on the file */
|
||
|
+ if (getrandom_worked)
|
||
|
+ if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)
|
||
|
+ log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
|
||
|
+ "Failed to mark seed file as creditable, ignoring: %m");
|
||
|
+ return 0;
|
||
|
+}
|
||
|
+
|
||
|
static int help(int argc, char *argv[], void *userdata) {
|
||
|
_cleanup_free_ char *link = NULL;
|
||
|
int r;
|
||
|
@@ -204,12 +378,10 @@ static int parse_argv(int argc, char *argv[]) {
|
||
|
}
|
||
|
|
||
|
static int run(int argc, char *argv[]) {
|
||
|
- bool read_seed_file, write_seed_file, synchronous, hashed_old_seed = false;
|
||
|
+ _cleanup_free_ struct sha256_ctx *hash_state = NULL;
|
||
|
_cleanup_close_ int seed_fd = -1, random_fd = -1;
|
||
|
- _cleanup_free_ void* buf = NULL;
|
||
|
- struct sha256_ctx hash_state;
|
||
|
- size_t buf_size;
|
||
|
- ssize_t k, l;
|
||
|
+ bool read_seed_file, write_seed_file, synchronous;
|
||
|
+ size_t seed_size;
|
||
|
int r;
|
||
|
|
||
|
log_setup();
|
||
|
@@ -274,149 +446,18 @@ static int run(int argc, char *argv[]) {
|
||
|
assert_not_reached();
|
||
|
}
|
||
|
|
||
|
- r = random_seed_size(seed_fd, &buf_size);
|
||
|
+ r = random_seed_size(seed_fd, &seed_size);
|
||
|
if (r < 0)
|
||
|
return r;
|
||
|
|
||
|
- buf = malloc(buf_size);
|
||
|
- if (!buf)
|
||
|
- return log_oom();
|
||
|
-
|
||
|
- if (read_seed_file) {
|
||
|
- sd_id128_t mid;
|
||
|
-
|
||
|
- /* First, let's write the machine ID into /dev/urandom, not crediting entropy. Why? As an
|
||
|
- * extra protection against "golden images" that are put together sloppily, i.e. images which
|
||
|
- * are duplicated on multiple systems but where the random seed file is not properly
|
||
|
- * reset. Frequently the machine ID is properly reset on those systems however (simply
|
||
|
- * because it's easier to notice, if it isn't due to address clashes and so on, while random
|
||
|
- * seed equivalence is generally not noticed easily), hence let's simply write the machined
|
||
|
- * ID into the random pool too. */
|
||
|
- r = sd_id128_get_machine(&mid);
|
||
|
- if (r < 0)
|
||
|
- log_debug_errno(r, "Failed to get machine ID, ignoring: %m");
|
||
|
- else {
|
||
|
- r = random_write_entropy(random_fd, &mid, sizeof(mid), /* credit= */ false);
|
||
|
- if (r < 0)
|
||
|
- log_debug_errno(r, "Failed to write machine ID to /dev/urandom, ignoring: %m");
|
||
|
- }
|
||
|
-
|
||
|
- k = loop_read(seed_fd, buf, buf_size, false);
|
||
|
- if (k < 0)
|
||
|
- log_error_errno(k, "Failed to read seed from " RANDOM_SEED ": %m");
|
||
|
- else if (k == 0)
|
||
|
- log_debug("Seed file " RANDOM_SEED " not yet initialized, proceeding.");
|
||
|
- else {
|
||
|
- CreditEntropy lets_credit;
|
||
|
-
|
||
|
- /* If we're going to later write out a seed file, initialize a hash state with
|
||
|
- * the contents of the seed file we just read, so that the new one can't regress
|
||
|
- * in entropy. */
|
||
|
- if (write_seed_file) {
|
||
|
- sha256_init_ctx(&hash_state);
|
||
|
- sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from new seed. */
|
||
|
- sha256_process_bytes(buf, k, &hash_state);
|
||
|
- hashed_old_seed = true;
|
||
|
- }
|
||
|
-
|
||
|
- (void) lseek(seed_fd, 0, SEEK_SET);
|
||
|
-
|
||
|
- lets_credit = may_credit(seed_fd);
|
||
|
-
|
||
|
- /* Before we credit or use the entropy, let's make sure to securely drop the
|
||
|
- * creditable xattr from the file, so that we never credit the same random seed
|
||
|
- * again. Note that further down we'll write a new seed again, and likely mark it as
|
||
|
- * credible again, hence this is just paranoia to close the short time window between
|
||
|
- * the time we upload the random seed into the kernel and download the new one from
|
||
|
- * it. */
|
||
|
-
|
||
|
- if (fremovexattr(seed_fd, "user.random-seed-creditable") < 0) {
|
||
|
- if (!ERRNO_IS_XATTR_ABSENT(errno))
|
||
|
- log_warning_errno(errno, "Failed to remove extended attribute, ignoring: %m");
|
||
|
+ if (read_seed_file)
|
||
|
+ r = load_seed_file(seed_fd, random_fd, seed_size,
|
||
|
+ write_seed_file ? &hash_state : NULL);
|
||
|
|
||
|
- /* Otherwise, there was no creditable flag set, which is OK. */
|
||
|
- } else {
|
||
|
- r = fsync_full(seed_fd);
|
||
|
- if (r < 0) {
|
||
|
- log_warning_errno(r, "Failed to synchronize seed to disk, not crediting entropy: %m");
|
||
|
+ if (r >= 0 && write_seed_file)
|
||
|
+ r = save_seed_file(seed_fd, random_fd, seed_size, synchronous, hash_state);
|
||
|
|
||
|
- if (lets_credit == CREDIT_ENTROPY_YES_PLEASE)
|
||
|
- lets_credit = CREDIT_ENTROPY_NO_WAY;
|
||
|
- }
|
||
|
- }
|
||
|
-
|
||
|
- r = random_write_entropy(random_fd, buf, k,
|
||
|
- IN_SET(lets_credit, CREDIT_ENTROPY_YES_PLEASE, CREDIT_ENTROPY_YES_FORCED));
|
||
|
- if (r < 0)
|
||
|
- log_error_errno(r, "Failed to write seed to /dev/urandom: %m");
|
||
|
- }
|
||
|
- }
|
||
|
-
|
||
|
- if (write_seed_file) {
|
||
|
- bool getrandom_worked = false;
|
||
|
-
|
||
|
- /* This is just a safety measure. Given that we are root and most likely created the file
|
||
|
- * ourselves the mode and owner should be correct anyway. */
|
||
|
- r = fchmod_and_chown(seed_fd, 0600, 0, 0);
|
||
|
- if (r < 0)
|
||
|
- return log_error_errno(r, "Failed to adjust seed file ownership and access mode: %m");
|
||
|
-
|
||
|
- /* Let's make this whole job asynchronous, i.e. let's make ourselves a barrier for
|
||
|
- * proper initialization of the random pool. */
|
||
|
- k = getrandom(buf, buf_size, GRND_NONBLOCK);
|
||
|
- if (k < 0 && errno == EAGAIN && synchronous) {
|
||
|
- log_notice("Kernel entropy pool is not initialized yet, waiting until it is.");
|
||
|
- k = getrandom(buf, buf_size, 0); /* retry synchronously */
|
||
|
- }
|
||
|
- if (k < 0)
|
||
|
- log_debug_errno(errno, "Failed to read random data with getrandom(), falling back to /dev/urandom: %m");
|
||
|
- else if ((size_t) k < buf_size)
|
||
|
- log_debug("Short read from getrandom(), falling back to /dev/urandom.");
|
||
|
- else
|
||
|
- getrandom_worked = true;
|
||
|
-
|
||
|
- if (!getrandom_worked) {
|
||
|
- /* Retry with classic /dev/urandom */
|
||
|
- k = loop_read(random_fd, buf, buf_size, false);
|
||
|
- if (k < 0)
|
||
|
- return log_error_errno(k, "Failed to read new seed from /dev/urandom: %m");
|
||
|
- if (k == 0)
|
||
|
- return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||
|
- "Got EOF while reading from /dev/urandom.");
|
||
|
- }
|
||
|
-
|
||
|
- /* If we previously read in a seed file, then hash the new seed into the old one,
|
||
|
- * and replace the last 32 bytes of the seed with the hash output, so that the
|
||
|
- * new seed file can't regress in entropy. */
|
||
|
- if (hashed_old_seed) {
|
||
|
- uint8_t hash[SHA256_DIGEST_SIZE];
|
||
|
- sha256_process_bytes(&k, sizeof(k), &hash_state); /* Hash length to distinguish from old seed. */
|
||
|
- sha256_process_bytes(buf, k, &hash_state);
|
||
|
- sha256_finish_ctx(&hash_state, hash);
|
||
|
- l = MIN((size_t)k, sizeof(hash));
|
||
|
- memcpy((uint8_t *)buf + k - l, hash, l);
|
||
|
- }
|
||
|
-
|
||
|
- r = loop_write(seed_fd, buf, (size_t) k, false);
|
||
|
- if (r < 0)
|
||
|
- return log_error_errno(r, "Failed to write new random seed file: %m");
|
||
|
-
|
||
|
- if (ftruncate(seed_fd, k) < 0)
|
||
|
- return log_error_errno(r, "Failed to truncate random seed file: %m");
|
||
|
-
|
||
|
- r = fsync_full(seed_fd);
|
||
|
- if (r < 0)
|
||
|
- return log_error_errno(r, "Failed to synchronize seed file: %m");
|
||
|
-
|
||
|
- /* If we got this random seed data from getrandom() the data is suitable for crediting
|
||
|
- * entropy later on. Let's keep that in mind by setting an extended attribute. on the file */
|
||
|
- if (getrandom_worked)
|
||
|
- if (fsetxattr(seed_fd, "user.random-seed-creditable", "1", 1, 0) < 0)
|
||
|
- log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
|
||
|
- "Failed to mark seed file as creditable, ignoring: %m");
|
||
|
- }
|
||
|
-
|
||
|
- return 0;
|
||
|
+ return r;
|
||
|
}
|
||
|
|
||
|
DEFINE_MAIN_FUNCTION(run);
|