diff options
Diffstat (limited to '0001-random-make-CPU-trust-a-boot-parameter.patch')
| -rw-r--r-- | 0001-random-make-CPU-trust-a-boot-parameter.patch | 82 |
1 files changed, 0 insertions, 82 deletions
diff --git a/0001-random-make-CPU-trust-a-boot-parameter.patch b/0001-random-make-CPU-trust-a-boot-parameter.patch deleted file mode 100644 index 33695fcb4..000000000 --- a/0001-random-make-CPU-trust-a-boot-parameter.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 9b25436662d5fb4c66eb527ead53cab15f596ee0 Mon Sep 17 00:00:00 2001 -From: Kees Cook <keescook@chromium.org> -Date: Mon, 27 Aug 2018 14:51:54 -0700 -Subject: [PATCH] random: make CPU trust a boot parameter - -Instead of forcing a distro or other system builder to choose -at build time whether the CPU is trusted for CRNG seeding via -CONFIG_RANDOM_TRUST_CPU, provide a boot-time parameter for end users to -control the choice. The CONFIG will set the default state instead. - -Signed-off-by: Kees Cook <keescook@chromium.org> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> ---- - Documentation/admin-guide/kernel-parameters.txt | 6 ++++++ - drivers/char/Kconfig | 4 ++-- - drivers/char/random.c | 11 ++++++++--- - 3 files changed, 16 insertions(+), 5 deletions(-) - -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 0c8f7889efa1..227c5c6fa4c1 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -3390,6 +3390,12 @@ - ramdisk_size= [RAM] Sizes of RAM disks in kilobytes - See Documentation/blockdev/ramdisk.txt. - -+ random.trust_cpu={on,off} -+ [KNL] Enable or disable trusting the use of the -+ CPU's random number generator (if available) to -+ fully seed the kernel's CRNG. Default is controlled -+ by CONFIG_RANDOM_TRUST_CPU. -+ - ras=option[,option,...] [KNL] RAS-specific options - - cec_disable [X86] -diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig -index ce277ee0a28a..40728491f37b 100644 ---- a/drivers/char/Kconfig -+++ b/drivers/char/Kconfig -@@ -566,5 +566,5 @@ config RANDOM_TRUST_CPU - that CPU manufacturer (perhaps with the insistence or mandate - of a Nation State's intelligence or law enforcement agencies) - has not installed a hidden back door to compromise the CPU's -- random number generation facilities. -- -+ random number generation facilities. This can also be configured -+ at boot with "random.trust_cpu=on/off". -diff --git a/drivers/char/random.c b/drivers/char/random.c -index bf5f99fc36f1..c75b6cdf0053 100644 ---- a/drivers/char/random.c -+++ b/drivers/char/random.c -@@ -779,6 +779,13 @@ static struct crng_state **crng_node_pool __read_mostly; - - static void invalidate_batched_entropy(void); - -+static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU); -+static int __init parse_trust_cpu(char *arg) -+{ -+ return kstrtobool(arg, &trust_cpu); -+} -+early_param("random.trust_cpu", parse_trust_cpu); -+ - static void crng_initialize(struct crng_state *crng) - { - int i; -@@ -799,12 +806,10 @@ static void crng_initialize(struct crng_state *crng) - } - crng->state[i] ^= rv; - } --#ifdef CONFIG_RANDOM_TRUST_CPU -- if (arch_init) { -+ if (trust_cpu && arch_init) { - crng_init = 2; - pr_notice("random: crng done (trusting CPU's manufacturer)\n"); - } --#endif - crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; - } - --- -2.17.1 - |