0bca489b24
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
229 lines
7.1 KiB
C
229 lines
7.1 KiB
C
// SPDX-License-Identifier: GPL-2.0 OR MIT
|
|
/*
|
|
* Copyright (C) 2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
|
|
*
|
|
* SeedRNG is a simple program made for seeding the Linux kernel random number
|
|
* generator from seed files. It is is useful in light of the fact that the
|
|
* Linux kernel RNG cannot be initialized from shell scripts, and new seeds
|
|
* cannot be safely generated from boot time shell scripts either. It should
|
|
* be run once at init time and once at shutdown time. It can be run at other
|
|
* times on a timer as well. Whenever it is run, it writes existing seed files
|
|
* into the RNG pool, and then creates a new seed file. If the RNG is
|
|
* initialized at the time of creating a new seed file, then that new seed file
|
|
* is marked as "creditable", which means it can be used to initialize the RNG.
|
|
* Otherwise, it is marked as "non-creditable", in which case it is still used
|
|
* to seed the RNG's pool, but will not initialize the RNG. In order to ensure
|
|
* that entropy only ever stays the same or increases from one seed file to the
|
|
* next, old seed values are hashed together with new seed values when writing
|
|
* new seed files.
|
|
*
|
|
* This is based on code from <https://git.zx2c4.com/seedrng/about/>.
|
|
*/
|
|
|
|
//config:config SEEDRNG
|
|
//config: bool "seedrng (2 kb)"
|
|
//config: default y
|
|
//config: help
|
|
//config: Seed the kernel RNG from seed files, meant to be called
|
|
//config: once during startup, once during shutdown, and optionally
|
|
//config: at some periodic interval in between.
|
|
|
|
//applet:IF_SEEDRNG(APPLET(seedrng, BB_DIR_USR_SBIN, BB_SUID_DROP))
|
|
|
|
//kbuild:lib-$(CONFIG_SEEDRNG) += seedrng.o
|
|
|
|
//usage:#define seedrng_trivial_usage
|
|
//usage: "[-d SEED_DIRECTORY] [-n]"
|
|
//usage:#define seedrng_full_usage "\n\n"
|
|
//usage: "Seed the kernel RNG from seed files"
|
|
//usage: "\n"
|
|
//usage: "\n -d DIR Use seed files from DIR (default: /var/lib/seedrng)"
|
|
//usage: "\n -n Skip crediting seeds, even if creditable"
|
|
|
|
#include "libbb.h"
|
|
|
|
#include <linux/random.h>
|
|
#include <sys/random.h>
|
|
#include <sys/file.h>
|
|
|
|
#ifndef GRND_INSECURE
|
|
#define GRND_INSECURE 0x0004 /* Apparently some headers don't ship with this yet. */
|
|
#endif
|
|
|
|
#define DEFAULT_SEED_DIR "/var/lib/seedrng"
|
|
#define CREDITABLE_SEED_NAME "seed.credit"
|
|
#define NON_CREDITABLE_SEED_NAME "seed.no-credit"
|
|
|
|
enum {
|
|
MIN_SEED_LEN = SHA256_OUTSIZE,
|
|
MAX_SEED_LEN = 512
|
|
};
|
|
|
|
static size_t determine_optimal_seed_len(void)
|
|
{
|
|
char poolsize_str[12];
|
|
unsigned poolsize;
|
|
int n;
|
|
|
|
n = open_read_close("/proc/sys/kernel/random/poolsize", poolsize_str, sizeof(poolsize_str) - 1);
|
|
if (n < 0) {
|
|
bb_perror_msg("can't determine pool size, assuming %u bits", MIN_SEED_LEN * 8);
|
|
return MIN_SEED_LEN;
|
|
}
|
|
poolsize_str[n] = '\0';
|
|
poolsize = (bb_strtoul(poolsize_str, NULL, 10) + 7) / 8;
|
|
return MAX(MIN(poolsize, MAX_SEED_LEN), MIN_SEED_LEN);
|
|
}
|
|
|
|
static bool read_new_seed(uint8_t *seed, size_t len)
|
|
{
|
|
bool is_creditable;
|
|
ssize_t ret;
|
|
|
|
ret = getrandom(seed, len, GRND_NONBLOCK);
|
|
if (ret == (ssize_t)len) {
|
|
return true;
|
|
}
|
|
if (ret < 0 && errno == ENOSYS) {
|
|
int fd = xopen("/dev/random", O_RDONLY);
|
|
struct pollfd random_fd;
|
|
random_fd.fd = fd;
|
|
random_fd.events = POLLIN;
|
|
is_creditable = poll(&random_fd, 1, 0) == 1;
|
|
//This is racy. is_creditable can be set to true here, but other process
|
|
//can consume "good" random data from /dev/urandom before we do it below.
|
|
close(fd);
|
|
} else {
|
|
if (getrandom(seed, len, GRND_INSECURE) == (ssize_t)len)
|
|
return false;
|
|
is_creditable = false;
|
|
}
|
|
|
|
/* Either getrandom() is not implemented, or
|
|
* getrandom(GRND_INSECURE) did not give us LEN bytes.
|
|
* Fallback to reading /dev/urandom.
|
|
*/
|
|
errno = 0;
|
|
if (open_read_close("/dev/urandom", seed, len) != (ssize_t)len)
|
|
bb_perror_msg_and_die("can't read '%s'", "/dev/urandom");
|
|
return is_creditable;
|
|
}
|
|
|
|
static void seed_rng(uint8_t *seed, size_t len, bool credit)
|
|
{
|
|
struct {
|
|
int entropy_count;
|
|
int buf_size;
|
|
uint8_t buffer[MAX_SEED_LEN];
|
|
} req;
|
|
int random_fd;
|
|
|
|
req.entropy_count = credit ? len * 8 : 0;
|
|
req.buf_size = len;
|
|
memcpy(req.buffer, seed, len);
|
|
|
|
random_fd = xopen("/dev/urandom", O_RDONLY);
|
|
xioctl(random_fd, RNDADDENTROPY, &req);
|
|
if (ENABLE_FEATURE_CLEAN_UP)
|
|
close(random_fd);
|
|
}
|
|
|
|
static void seed_from_file_if_exists(const char *filename, int dfd, bool credit, sha256_ctx_t *hash)
|
|
{
|
|
uint8_t seed[MAX_SEED_LEN];
|
|
ssize_t seed_len;
|
|
|
|
seed_len = open_read_close(filename, seed, sizeof(seed));
|
|
if (seed_len < 0) {
|
|
if (errno != ENOENT)
|
|
bb_perror_msg_and_die("can't read '%s'", filename);
|
|
return;
|
|
}
|
|
xunlink(filename);
|
|
if (seed_len != 0) {
|
|
/* We are going to use this data to seed the RNG:
|
|
* we believe it to genuinely containing entropy.
|
|
* If this just-unlinked file survives
|
|
* (e.g. if machine crashes _right now_)
|
|
* and we reuse it after reboot, this assumption
|
|
* would be violated. Fsync the directory to
|
|
* make sure file is gone:
|
|
*/
|
|
fsync(dfd);
|
|
|
|
sha256_hash(hash, &seed_len, sizeof(seed_len));
|
|
sha256_hash(hash, seed, seed_len);
|
|
printf("Seeding %u bits %s crediting\n",
|
|
(unsigned)seed_len * 8, credit ? "and" : "without");
|
|
seed_rng(seed, seed_len, credit);
|
|
}
|
|
}
|
|
|
|
int seedrng_main(int argc, char *argv[]) MAIN_EXTERNALLY_VISIBLE;
|
|
int seedrng_main(int argc UNUSED_PARAM, char *argv[])
|
|
{
|
|
const char *seed_dir;
|
|
int fd, dfd;
|
|
uint8_t new_seed[MAX_SEED_LEN];
|
|
size_t new_seed_len;
|
|
bool new_seed_creditable, skip_credit;
|
|
struct timespec timestamp;
|
|
sha256_ctx_t hash;
|
|
|
|
enum {
|
|
OPT_d = (1 << 0),
|
|
OPT_n = (1 << 1)
|
|
};
|
|
#if ENABLE_LONG_OPTS
|
|
static const char longopts[] ALIGN1 =
|
|
"seed-dir\0" Required_argument "d"
|
|
"skip-credit\0" No_argument "n"
|
|
;
|
|
#endif
|
|
|
|
seed_dir = DEFAULT_SEED_DIR;
|
|
skip_credit = getopt32long(argv, "d:n", longopts, &seed_dir) & OPT_n;
|
|
umask(0077);
|
|
if (getuid() != 0)
|
|
bb_simple_error_msg_and_die(bb_msg_you_must_be_root);
|
|
|
|
if (mkdir(seed_dir, 0700) < 0 && errno != EEXIST)
|
|
bb_perror_msg_and_die("can't create directory '%s'", seed_dir);
|
|
dfd = xopen(seed_dir, O_DIRECTORY | O_RDONLY);
|
|
if (flock(dfd, LOCK_EX) < 0)
|
|
bb_perror_msg_and_die("can't lock seed directory");
|
|
xfchdir(dfd);
|
|
|
|
sha256_begin(&hash);
|
|
sha256_hash(&hash, "SeedRNG v1 Old+New Prefix", 25);
|
|
clock_gettime(CLOCK_REALTIME, ×tamp);
|
|
sha256_hash(&hash, ×tamp, sizeof(timestamp));
|
|
clock_gettime(CLOCK_BOOTTIME, ×tamp);
|
|
sha256_hash(&hash, ×tamp, sizeof(timestamp));
|
|
|
|
for (int i = 1; i < 3; ++i) {
|
|
seed_from_file_if_exists(i == 1 ? NON_CREDITABLE_SEED_NAME : CREDITABLE_SEED_NAME,
|
|
dfd,
|
|
i == 1 ? false : !skip_credit,
|
|
&hash);
|
|
}
|
|
|
|
new_seed_len = determine_optimal_seed_len();
|
|
new_seed_creditable = read_new_seed(new_seed, new_seed_len);
|
|
sha256_hash(&hash, &new_seed_len, sizeof(new_seed_len));
|
|
sha256_hash(&hash, new_seed, new_seed_len);
|
|
sha256_end(&hash, new_seed + new_seed_len - SHA256_OUTSIZE);
|
|
|
|
printf("Saving %u bits of %screditable seed for next boot\n",
|
|
(unsigned)new_seed_len * 8, new_seed_creditable ? "" : "non-");
|
|
fd = xopen3(NON_CREDITABLE_SEED_NAME, O_WRONLY | O_CREAT | O_TRUNC, 0400);
|
|
xwrite(fd, new_seed, new_seed_len);
|
|
if (fsync(fd) < 0) {
|
|
bb_perror_msg("can't%s seed", " write");
|
|
return (1 << 4);
|
|
}
|
|
if (new_seed_creditable)
|
|
xrename(NON_CREDITABLE_SEED_NAME, CREDITABLE_SEED_NAME);
|
|
return EXIT_SUCCESS;
|
|
}
|