Date: Sun, 29 Sep 2024 15:25:18 GMT
Message-Id: <202409291525.48TFPI2c030558@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Colin Percival
Subject: git: f470543a65b1 - stable/14 - loader: Expand EFI entropy if < 2048 bytes
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: cperciva
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: f470543a65b14cbf2fec4e69b924d66068e182f4
Auto-Submitted: auto-generated

The branch stable/14 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=f470543a65b14cbf2fec4e69b924d66068e182f4

commit f470543a65b14cbf2fec4e69b924d66068e182f4
Author:     Colin Percival
AuthorDate: 2024-09-18 11:02:12 +0000
Commit:     Colin Percival
CommitDate: 2024-09-29 15:24:52 +0000

    loader: Expand EFI entropy if < 2048 bytes

    The EFI RNG on some platforms takes a long time if we request 2048
    bytes of entropy, so we would like to request less; but our kernel
    Fortuna RNG needs to be fed 2048 bytes in order to consider itself
    "fully seeded". If we have between 64 bytes (the size of a single
    Fortuna pool and enough to guarantee cryptographic security) and
    2048 bytes (what Fortuna wants) then the boot process will hang
    waiting for more entropy despite in fact having enough to operate
    securely.

    Since 64 bytes of entropy is plenty to be cryptographically secure
    (an attack of cost ~ 2^128 is infeasible, which implies a mere 16
    bytes of entropy), use PBKDF2 (aka pkcs5v2_genkey_raw) to spread
    the entropy across 2048 bytes. This is secure since PBKDF2 has the
    property that every subset of output bytes has within O(1) of the
    maximum possible amount of entropy.
Reviewed by: pjd MFC after: 1 week Sponsored by: Amazon Differential Revision: https://reviews.freebsd.org/D46635 (cherry picked from commit c8ebbd28aa91705aea3a67b06018ea6aef5aa6e4) --- stand/efi/loader/main.c | 39 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/stand/efi/loader/main.c b/stand/efi/loader/main.c index 27fdb3bfefc9..324150f7c8c7 100644 --- a/stand/efi/loader/main.c +++ b/stand/efi/loader/main.c @@ -56,6 +56,9 @@ #include #include +#include +#include + #include "efizfs.h" #include "framebuffer.h" @@ -1249,11 +1252,27 @@ command_seed_entropy(int argc, char *argv[]) { EFI_STATUS status; EFI_RNG_PROTOCOL *rng; - unsigned int size = 2048; + unsigned int size_efi = RANDOM_FORTUNA_DEFPOOLSIZE * RANDOM_FORTUNA_NPOOLS; + unsigned int size = RANDOM_FORTUNA_DEFPOOLSIZE * RANDOM_FORTUNA_NPOOLS; + void *buf_efi; void *buf; if (argc > 1) { - size = strtol(argv[1], NULL, 0); + size_efi = strtol(argv[1], NULL, 0); + + /* Don't *compress* the entropy we get from EFI. */ + if (size_efi > size) + size = size_efi; + + /* + * If the amount of entropy we get from EFI is less than the + * size of a single Fortuna pool -- i.e. not enough to ensure + * that Fortuna is safely seeded -- don't expand it since we + * don't want to trick Fortuna into thinking that it has been + * safely seeded when it has not. + */ + if (size_efi < RANDOM_FORTUNA_DEFPOOLSIZE) + size = size_efi; } status = BS->LocateProtocol(&rng_guid, NULL, (VOID **)&rng); 
@@ -1267,20 +1286,34 @@ command_seed_entropy(int argc, char *argv[]) return (CMD_ERROR); } + if ((buf_efi = malloc(size_efi)) == NULL) { + free(buf); + command_errmsg = "out of memory"; + return (CMD_ERROR); + } + TSENTER2("rng->GetRNG"); - status = rng->GetRNG(rng, NULL, size, (UINT8 *)buf); + status = rng->GetRNG(rng, NULL, size_efi, (UINT8 *)buf_efi); TSEXIT(); if (status != EFI_SUCCESS) { + free(buf_efi); free(buf); command_errmsg = "GetRNG failed"; return (CMD_ERROR); } + if (size_efi < size) + pkcs5v2_genkey_raw(buf, size, "", 0, buf_efi, size_efi, 1); + else + memcpy(buf, buf_efi, size); if (file_addbuf("efi_rng_seed", "boot_entropy_platform", size, buf) != 0) { + free(buf_efi); free(buf); return (CMD_ERROR); } + explicit_bzero(buf_efi, size_efi); + free(buf_efi); free(buf); return (CMD_OK); }
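
Review bot: In the argument-parsing hunk, size_efi = strtol(argv[1], NULL, 0) stores a signed long into an unsigned int with no end-pointer or range check, and that value now sizes malloc(size_efi) and the GetRNG request. A negative argument wraps to a very large count that takes the size_efi > size branch, and a non-numeric argument parses as 0, which takes the size_efi < RANDOM_FORTUNA_DEFPOOLSIZE branch and sets size to 0. Suggest parsing with an end pointer, rejecting zero, negative and unparsable values with a command_errmsg, and capping the upper bound. The argument also changes meaning in this hunk (bytes requested from EFI rather than bytes handed on), and the diffstat shows only main.c touched, so if the argument is documented elsewhere that text needs the same update.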
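
Review bot: In the second hunk, the exit paths after a successful GetRNG treat the secret buffers inconsistently: the success path clears only buf_efi with explicit_bzero, and the file_addbuf failure path frees both buf_efi and buf uncleared. Suggest clearing buf_efi, and buf, which holds the derived seed, on every path once GetRNG has returned data, ideally through a single cleanup label. A short comment at the pkcs5v2_genkey_raw call explaining why the "", 0 and trailing 1 arguments are acceptable for a high-entropy input would save readers a trip back to the commit message.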
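
Added example, not part of the commit or of FreeBSD's code: the sizing policy and the one-iteration PBKDF2 expansion described in the commit message, written in Python. It assumes HMAC-SHA-512 as the PBKDF2 PRF (the page does not name it) and takes the 64- and 2048-byte sizes from the commit message; the function names and the sample input are constructed for illustration.

```python
import hashlib
import hmac
import struct

POOL_SIZE = 64    # one Fortuna pool, per the commit message
FULL_SEED = 2048  # what Fortuna wants before it is "fully seeded"


def output_size(size_efi: int) -> int:
    """Size of the buffer handed to the kernel for a given EFI request size."""
    if size_efi > FULL_SEED:   # never compress what EFI returned
        return size_efi
    if size_efi < POOL_SIZE:   # too little to seed safely: do not expand
        return size_efi
    return FULL_SEED


def pbkdf2_one_iteration(seed: bytes, out_len: int) -> bytes:
    """PBKDF2 with an empty salt and c=1: block i is HMAC(seed, INT_32_BE(i))."""
    digest_size = hashlib.sha512().digest_size
    n_blocks = -(-out_len // digest_size)  # ceiling division
    out = b"".join(
        hmac.new(seed, struct.pack(">I", i), hashlib.sha512).digest()
        for i in range(1, n_blocks + 1)
    )
    return out[:out_len]


def expand_seed(efi_bytes: bytes) -> bytes:
    """Expand only when the input is at least one pool but short of 2048 bytes."""
    size = output_size(len(efi_bytes))
    if len(efi_bytes) < size:
        return pbkdf2_one_iteration(efi_bytes, size)
    return efi_bytes


# Constructed sample standing in for EFI RNG output (not real entropy).
SAMPLE = bytes(range(64))
```

With one iteration and an empty salt, every 64-byte output block is a single HMAC of a block counter keyed by the whole EFI seed, so each block depends on all of the input.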