Commit d93aebbd authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'random-5.17-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random

Pull random number generator updates from Jason Donenfeld:
 "These are a bit more numerous than usual for the RNG, due to folks
  resubmitting patches that had been pending prior and generally renewed
  interest.

  There are a few categories of patches in here:

   1) Dominik Brodowski and I traded a series back and forth for a some
      weeks that fixed numerous issues related to seeds being provided
      at extremely early boot by the firmware, before other parts of the
      kernel or of the RNG have been initialized, both fixing some
      crashes and addressing correctness around early boot randomness.
      One of these is marked for stable.

   2) I replaced the RNG's usage of SHA-1 with BLAKE2s in the entropy
      extractor, and made the construction a bit safer and more
      standard. This was sort of a long overdue low hanging fruit, as we
      were supposed to have phased out SHA-1 usage quite some time ago
      (even if all we needed here was non-invertibility). Along the way
      it also made extraction 131% faster. This required a bit of
      Kconfig and symbol plumbing to make things work well with the
      crypto libraries, which is one of the reasons why I'm sending you
      this pull early in the cycle.

   3) I got rid of a truly superfluous call to RDRAND in the hot path,
      which resulted in a whopping 370% increase in performance.

   4) Sebastian Andrzej Siewior sent some patches regarding PREEMPT_RT,
      the full series of which wasn't ready yet, but the first two
      preparatory cleanups were good on their own. One of them touches
      files in kernel/irq/, which is the other reason why I'm sending
      you this pull early in the cycle.

   5) Other assorted correctness fixes from Eric Biggers, Jann Horn,
      Mark Brown, Dominik Brodowski, and myself"

* 'random-5.17-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random:
  random: don't reset crng_init_cnt on urandom_read()
  random: avoid superfluous call to RDRAND in CRNG extraction
  random: early initialization of ChaCha constants
  random: use IS_ENABLED(CONFIG_NUMA) instead of ifdefs
  random: harmonize "crng init done" messages
  random: mix bootloader randomness into pool
  random: do not throw away excess input to crng_fast_load
  random: do not re-init if crng_reseed completes before primary init
  random: fix crash on multiple early calls to add_bootloader_randomness()
  random: do not sign extend bytes for rotation when mixing
  random: use BLAKE2s instead of SHA1 in extraction
  lib/crypto: blake2s: include as built-in
  random: fix data race on crng init time
  random: fix data race on crng_node_pool
  irq: remove unused flags argument from __handle_irq_event_percpu()
  random: remove unused irq_flags argument from add_interrupt_randomness()
  random: document add_hwgenerator_randomness() with other input functions
  MAINTAINERS: add git tree for random.c
parents 9d3a1e0a 6c8e11e0
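--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -15998,6 +15998,7 @@ F: arch/mips/generic/board-ranchu.c
 RANDOM NUMBER DRIVER
 M:	"Theodore Ts'o" <tytso@mit.edu>
 M:	Jason A. Donenfeld <Jason@zx2c4.com>
+T:	git https://git.kernel.org/pub/scm/linux/kernel/git/crng/random.git
 S:	Maintained
 F:	drivers/char/random.c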
+3 −1
@@ -10,6 +10,7 @@ obj-$(CONFIG_CRYPTO_SHA1_ARM_NEON) += sha1-arm-neon.o
obj-$(CONFIG_CRYPTO_SHA256_ARM) += sha256-arm.o
obj-$(CONFIG_CRYPTO_SHA256_ARM) += sha256-arm.o
obj-$(CONFIG_CRYPTO_SHA512_ARM) += sha512-arm.o
obj-$(CONFIG_CRYPTO_SHA512_ARM) += sha512-arm.o
obj-$(CONFIG_CRYPTO_BLAKE2S_ARM) += blake2s-arm.o
obj-$(CONFIG_CRYPTO_BLAKE2S_ARM) += blake2s-arm.o
obj-$(if $(CONFIG_CRYPTO_BLAKE2S_ARM),y) += libblake2s-arm.o
obj-$(CONFIG_CRYPTO_BLAKE2B_NEON) += blake2b-neon.o
obj-$(CONFIG_CRYPTO_BLAKE2B_NEON) += blake2b-neon.o
obj-$(CONFIG_CRYPTO_CHACHA20_NEON) += chacha-neon.o
obj-$(CONFIG_CRYPTO_CHACHA20_NEON) += chacha-neon.o
obj-$(CONFIG_CRYPTO_POLY1305_ARM) += poly1305-arm.o
obj-$(CONFIG_CRYPTO_POLY1305_ARM) += poly1305-arm.o
@@ -31,7 +32,8 @@ sha256-arm-neon-$(CONFIG_KERNEL_MODE_NEON) := sha256_neon_glue.o
sha256-arm-y	:= sha256-core.o sha256_glue.o $(sha256-arm-neon-y)
sha256-arm-y	:= sha256-core.o sha256_glue.o $(sha256-arm-neon-y)
sha512-arm-neon-$(CONFIG_KERNEL_MODE_NEON) := sha512-neon-glue.o
sha512-arm-neon-$(CONFIG_KERNEL_MODE_NEON) := sha512-neon-glue.o
sha512-arm-y	:= sha512-core.o sha512-glue.o $(sha512-arm-neon-y)
sha512-arm-y	:= sha512-core.o sha512-glue.o $(sha512-arm-neon-y)
blake2s-arm-y   := blake2s-core.o blake2s-glue.o
blake2s-arm-y   := blake2s-shash.o
libblake2s-arm-y:= blake2s-core.o blake2s-glue.o
blake2b-neon-y  := blake2b-neon-core.o blake2b-neon-glue.o
blake2b-neon-y  := blake2b-neon-core.o blake2b-neon-glue.o
sha1-arm-ce-y	:= sha1-ce-core.o sha1-ce-glue.o
sha1-arm-ce-y	:= sha1-ce-core.o sha1-ce-glue.o
sha2-arm-ce-y	:= sha2-ce-core.o sha2-ce-glue.o
sha2-arm-ce-y	:= sha2-ce-core.o sha2-ce-glue.o
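Review bot: The new `obj-$(if $(CONFIG_CRYPTO_BLAKE2S_ARM),y) += libblake2s-arm.o` line in the first hunk makes the compress core built-in whenever the option is set at all (y or m), while `blake2s-arm.o`, now reduced to `blake2s-shash.o`, still follows the tristate; that asymmetry is easy to misread as a mistake. A comment on the `libblake2s-arm-y := blake2s-core.o blake2s-glue.o` line in the second hunk would help, e.g. `# built-in even when the shash is modular: lib/crypto callers need blake2s_compress() before module load`, assuming that is the intent. The pull text's "lib/crypto: blake2s: include as built-in" suggests so, but the Kconfig side is not in this section, so confirm the wording against it.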
+4 −4
@@ -167,7 +167,7 @@
.endm
.endm


//
//
// void blake2s_compress_arch(struct blake2s_state *state,
// void blake2s_compress(struct blake2s_state *state,
//			 const u8 *block, size_t nblocks, u32 inc);
//			 const u8 *block, size_t nblocks, u32 inc);
//
//
// Only the first three fields of struct blake2s_state are used:
// Only the first three fields of struct blake2s_state are used:
@@ -176,7 +176,7 @@
//	u32 f[2];	(in)
//	u32 f[2];	(in)
//
//
	.align		5
	.align		5
ENTRY(blake2s_compress_arch)
ENTRY(blake2s_compress)
	push		{r0-r2,r4-r11,lr}	// keep this an even number
	push		{r0-r2,r4-r11,lr}	// keep this an even number


.Lnext_block:
.Lnext_block:
@@ -303,4 +303,4 @@ ENTRY(blake2s_compress_arch)
	str		r3, [r12], #4
	str		r3, [r12], #4
	bne		1b
	bne		1b
	b		.Lcopy_block_done
	b		.Lcopy_block_done
ENDPROC(blake2s_compress_arch)
ENDPROC(blake2s_compress)
+1 −72
// SPDX-License-Identifier: GPL-2.0-or-later
// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * BLAKE2s digest algorithm, ARM scalar implementation
 *
 * Copyright 2020 Google LLC
 */


#include <crypto/internal/blake2s.h>
#include <crypto/internal/blake2s.h>
#include <crypto/internal/hash.h>

#include <linux/module.h>
#include <linux/module.h>


/* defined in blake2s-core.S */
/* defined in blake2s-core.S */
EXPORT_SYMBOL(blake2s_compress_arch);
EXPORT_SYMBOL(blake2s_compress);

static int crypto_blake2s_update_arm(struct shash_desc *desc,
				     const u8 *in, unsigned int inlen)
{
	return crypto_blake2s_update(desc, in, inlen, blake2s_compress_arch);
}

static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
{
	return crypto_blake2s_final(desc, out, blake2s_compress_arch);
}

#define BLAKE2S_ALG(name, driver_name, digest_size)			\
	{								\
		.base.cra_name		= name,				\
		.base.cra_driver_name	= driver_name,			\
		.base.cra_priority	= 200,				\
		.base.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,	\
		.base.cra_blocksize	= BLAKE2S_BLOCK_SIZE,		\
		.base.cra_ctxsize	= sizeof(struct blake2s_tfm_ctx), \
		.base.cra_module	= THIS_MODULE,			\
		.digestsize		= digest_size,			\
		.setkey			= crypto_blake2s_setkey,	\
		.init			= crypto_blake2s_init,		\
		.update			= crypto_blake2s_update_arm,	\
		.final			= crypto_blake2s_final_arm,	\
		.descsize		= sizeof(struct blake2s_state),	\
	}

static struct shash_alg blake2s_arm_algs[] = {
	BLAKE2S_ALG("blake2s-128", "blake2s-128-arm", BLAKE2S_128_HASH_SIZE),
	BLAKE2S_ALG("blake2s-160", "blake2s-160-arm", BLAKE2S_160_HASH_SIZE),
	BLAKE2S_ALG("blake2s-224", "blake2s-224-arm", BLAKE2S_224_HASH_SIZE),
	BLAKE2S_ALG("blake2s-256", "blake2s-256-arm", BLAKE2S_256_HASH_SIZE),
};

static int __init blake2s_arm_mod_init(void)
{
	return IS_REACHABLE(CONFIG_CRYPTO_HASH) ?
		crypto_register_shashes(blake2s_arm_algs,
					ARRAY_SIZE(blake2s_arm_algs)) : 0;
}

static void __exit blake2s_arm_mod_exit(void)
{
	if (IS_REACHABLE(CONFIG_CRYPTO_HASH))
		crypto_unregister_shashes(blake2s_arm_algs,
					  ARRAY_SIZE(blake2s_arm_algs));
}

module_init(blake2s_arm_mod_init);
module_exit(blake2s_arm_mod_exit);

MODULE_DESCRIPTION("BLAKE2s digest algorithm, ARM scalar implementation");
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>");
MODULE_ALIAS_CRYPTO("blake2s-128");
MODULE_ALIAS_CRYPTO("blake2s-128-arm");
MODULE_ALIAS_CRYPTO("blake2s-160");
MODULE_ALIAS_CRYPTO("blake2s-160-arm");
MODULE_ALIAS_CRYPTO("blake2s-224");
MODULE_ALIAS_CRYPTO("blake2s-224-arm");
MODULE_ALIAS_CRYPTO("blake2s-256");
MODULE_ALIAS_CRYPTO("blake2s-256-arm");
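Review bot: The descriptive header and copyright block (`BLAKE2s digest algorithm, ARM scalar implementation` / `Copyright 2020 Google LLC`) appear to be dropped from this file's new side, which keeps only the SPDX line above the includes; the same text moves into the new shash file, but this unit still ships the exported `blake2s_compress` from blake2s-core.S and should keep its own attribution. With every shash function gone, the surviving `#include <linux/module.h>` exists only for `EXPORT_SYMBOL`, so a one-line comment such as `/* Exported for the modular shash glue; the routine itself is in blake2s-core.S */` next to the export would make the file's remaining purpose clear. The old/new sides here are inferred from the +1/−72 counts and the rename in blake2s-core.S rather than from markers, so check the rendered diff before acting.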
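--- /dev/null
+++ b/PATH-NOT-ON-PAGE/blake2s-shash.c
@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * BLAKE2s digest algorithm, ARM scalar implementation
+ *
+ * Copyright 2020 Google LLC
+ */
+
+#include <crypto/internal/blake2s.h>
+#include <crypto/internal/hash.h>
+
+#include <linux/module.h>
+
+static int crypto_blake2s_update_arm(struct shash_desc *desc,
+				     const u8 *in, unsigned int inlen)
+{
+	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+}
+
+static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
+{
+	return crypto_blake2s_final(desc, out, blake2s_compress);
+}
+
+#define BLAKE2S_ALG(name, driver_name, digest_size)			\
+	{								\
+		.base.cra_name		= name,				\
+		.base.cra_driver_name	= driver_name,			\
+		.base.cra_priority	= 200,				\
+		.base.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,	\
+		.base.cra_blocksize	= BLAKE2S_BLOCK_SIZE,		\
+		.base.cra_ctxsize	= sizeof(struct blake2s_tfm_ctx), \
+		.base.cra_module	= THIS_MODULE,			\
+		.digestsize		= digest_size,			\
+		.setkey			= crypto_blake2s_setkey,	\
+		.init			= crypto_blake2s_init,		\
+		.update			= crypto_blake2s_update_arm,	\
+		.final			= crypto_blake2s_final_arm,	\
+		.descsize		= sizeof(struct blake2s_state),	\
+	}
+
+static struct shash_alg blake2s_arm_algs[] = {
+	BLAKE2S_ALG("blake2s-128", "blake2s-128-arm", BLAKE2S_128_HASH_SIZE),
+	BLAKE2S_ALG("blake2s-160", "blake2s-160-arm", BLAKE2S_160_HASH_SIZE),
+	BLAKE2S_ALG("blake2s-224", "blake2s-224-arm", BLAKE2S_224_HASH_SIZE),
+	BLAKE2S_ALG("blake2s-256", "blake2s-256-arm", BLAKE2S_256_HASH_SIZE),
+};
+
+static int __init blake2s_arm_mod_init(void)
+{
+	return IS_REACHABLE(CONFIG_CRYPTO_HASH) ?
+		crypto_register_shashes(blake2s_arm_algs,
+					ARRAY_SIZE(blake2s_arm_algs)) : 0;
+}
+
+static void __exit blake2s_arm_mod_exit(void)
+{
+	if (IS_REACHABLE(CONFIG_CRYPTO_HASH))
+		crypto_unregister_shashes(blake2s_arm_algs,
+					  ARRAY_SIZE(blake2s_arm_algs));
+}
+
+module_init(blake2s_arm_mod_init);
+module_exit(blake2s_arm_mod_exit);
+
+MODULE_DESCRIPTION("BLAKE2s digest algorithm, ARM scalar implementation");
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Eric Biggers <ebiggers@google.com>");
+MODULE_ALIAS_CRYPTO("blake2s-128");
+MODULE_ALIAS_CRYPTO("blake2s-128-arm");
+MODULE_ALIAS_CRYPTO("blake2s-160");
+MODULE_ALIAS_CRYPTO("blake2s-160-arm");
+MODULE_ALIAS_CRYPTO("blake2s-224");
+MODULE_ALIAS_CRYPTO("blake2s-224-arm");
+MODULE_ALIAS_CRYPTO("blake2s-256");
+MODULE_ALIAS_CRYPTO("blake2s-256-arm");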
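Review bot: `crypto_blake2s_update_arm`, `crypto_blake2s_final_arm` and the `BLAKE2S_ALG` table carry no comment on how this new file relates to the routine it wraps: `blake2s_compress` is not defined here, and the header comment still says "ARM scalar implementation" although the implementation lives in blake2s-core.S and this unit only registers the crypto API shash algorithms. A short comment above `crypto_blake2s_update_arm`, such as `/* shash glue over the arch blake2s_compress() from blake2s-core.S; init/setkey/final helpers come from the generic blake2s internals */`, would orient a reader, with the second clause hedged if the helper origin is not what the header provides. The bare `200` in `.base.cra_priority` is a magic number as well; a trailing comment naming what it is meant to rank above (presumably the generic C driver) would document the choice.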