From nobody Sun Sep 22 07:36:46 2024 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XBHxp6pQ2z5XYSJ; Sun, 22 Sep 2024 07:36:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4XBHxp2JD2z44RC; Sun, 22 Sep 2024 07:36:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1726990606; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=17NhGn9Y+1OSXbmSPy4e6pmU6j6TrSlXehwQLp+Eq/A=; b=JgENnH0zWtPfILtQpHuIdpI1oqPIYWi477UX0fIOtcYkkRDoBHA9tP3uigcj5YdxdtQl7Q xZIVdpIlceQBb1B6+4BbGqmQdncex6RvgDYaRb7A4g1Zh8i31OLiwUZ+AAhQYu4JCUudXz /+1SiZKrqxni9J6kkQV1gtpqv49noB42aic5CyCwDp9G19AswRH7OlCj/+pxE65qKQUoQw T/or4AkNOxw3XVD+mJE/X3cDRBXzlafrry1c7yLrEKG+nnN5aqqMESQEk61TVxxDgEqCXf 7qo8kEzYn2+M/94tudHCEQDpaxq//eYvb9SURDwChiOZKRRZ+RZ3SKtJ2MjLDw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1726990606; a=rsa-sha256; cv=none; b=fkpzL4Z0j0Weqv4GQrKPxkd9cucHNoxJyztfUNS3oSwghHaoUimdEa5GXz0BhI7SW9qoAY JKuNQaFRtTltn5MxWcUSR+FtdvaK31amHBJmu6yCXQ3YbMgQHJx3P2KJJzdOmnxTKc9KOG 4IoaKJR6SE+Jrq+E+LyKrwhSBMKzyKQlLmTq398yO+ntADSZ6qvTC5RNLgCBqrmqp+TXl5 d49QUa3qGDNuVPzG6rvU1SSfBnPqt7/ooB82gFh3L1vig5FTvRaHhYL4MuEgc/ZGmw1i5N HDbML4gwOwR0UoF+6k+yZE/VSi2xFkzM32mqwPFl3iPPBXasA8vSOQ4tmlw3nw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1726990606; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=17NhGn9Y+1OSXbmSPy4e6pmU6j6TrSlXehwQLp+Eq/A=; b=mqZXZoQ81ktYat/RXFLw75B3AvQs3oA2IZn3F66c7f4efK4RmHN6xHtmaoNMAZmYOGh2kG eLueeAeB9IKMBfEXlMTzQv/iU/fCSs1rtuly2tYj1PbjY+9GxWISuWgmrrYBf6gB/ywY6t ypjonVcYA2M9QO0Z+5tK78jSCKjb4hb1uU33O5a0baMCr8+t+dUtgdd7IpCfRg6YPFbJ32 qGAzdcXz6HT77YHAacDMjggtNWhUfBlJtxvqosJLB4xvdQctXzPT9ZuthRiqmffuF425Lz cUI6TjedsvmtPKYdveQ3qjtAaLCx8AP+xxeZwS/JUM4gZ2ppfFN0sElVGuNNMg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4XBHxp1m6jz16hd; Sun, 22 Sep 2024 07:36:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 48M7ak0d097272; Sun, 22 Sep 2024 07:36:46 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 48M7akhq097269; Sun, 22 Sep 2024 07:36:46 GMT (envelope-from git) Date: Sun, 22 Sep 2024 07:36:46 GMT Message-Id: <202409220736.48M7akhq097269@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Colin Percival Subject: git: c8ebbd28aa91 - main - loader: Expand EFI entropy if < 2048 bytes List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cperciva X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: c8ebbd28aa91705aea3a67b06018ea6aef5aa6e4 Auto-Submitted: auto-generated The branch main has been updated by cperciva: URL: https://cgit.FreeBSD.org/src/commit/?id=c8ebbd28aa91705aea3a67b06018ea6aef5aa6e4 commit c8ebbd28aa91705aea3a67b06018ea6aef5aa6e4 Author: Colin Percival AuthorDate: 2024-09-18 11:02:12 +0000 Commit: Colin Percival CommitDate: 2024-09-22 07:35:48 +0000 loader: Expand EFI entropy if < 2048 bytes The EFI RNG on some platforms takes a long time if we request 2048 bytes of entropy, so we would like to request less; but our kernel Fortuna RNG needs to be fed 2048 bytes in order to consider itself "fully seeded". If we have between 64 bytes (the size of a single Fortuna pool and enough to guarantee cryptographic security) and 2048 bytes (what Fortuna wants) then the boot process will hang waiting for more entropy despite in fact having enough to operate securely. Since 64 bytes of entropy is plenty to be cryptographically secure (an attack of cost ~ 2^128 is infeasible, which implies a mere 16 bytes of entropy), use PBKDF2 (aka pkcs5v2_genkey_raw) to spread the entropy across 2048 bytes. This is secure since PBKDF2 has the property that every subset of output bytes has within O(1) of the maximum possible amount of entropy. Reviewed by: pjd MFC after: 1 week Sponsored by: Amazon Differential Revision: https://reviews.freebsd.org/D46635 --- stand/efi/loader/main.c | 39 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/stand/efi/loader/main.c b/stand/efi/loader/main.c index 17676cd9deb8..508e7ad2db36 100644 --- a/stand/efi/loader/main.c +++ b/stand/efi/loader/main.c @@ -57,6 +57,9 @@ #include #include +#include +#include + #include "efizfs.h" #include "framebuffer.h" @@ -1250,11 +1253,27 @@ command_seed_entropy(int argc, char *argv[]) { EFI_STATUS status; EFI_RNG_PROTOCOL *rng; - unsigned int size = 2048; + unsigned int size_efi = RANDOM_FORTUNA_DEFPOOLSIZE * RANDOM_FORTUNA_NPOOLS; + unsigned int size = RANDOM_FORTUNA_DEFPOOLSIZE * RANDOM_FORTUNA_NPOOLS; + void *buf_efi; void *buf; if (argc > 1) { - size = strtol(argv[1], NULL, 0); + size_efi = strtol(argv[1], NULL, 0); + + /* Don't *compress* the entropy we get from EFI. */ + if (size_efi > size) + size = size_efi; + + /* + * If the amount of entropy we get from EFI is less than the + * size of a single Fortuna pool -- i.e. not enough to ensure + * that Fortuna is safely seeded -- don't expand it since we + * don't want to trick Fortuna into thinking that it has been + * safely seeded when it has not. + */ + if (size_efi < RANDOM_FORTUNA_DEFPOOLSIZE) + size = size_efi; } status = BS->LocateProtocol(&rng_guid, NULL, (VOID **)&rng); @@ -1268,20 +1287,34 @@ command_seed_entropy(int argc, char *argv[]) return (CMD_ERROR); } + if ((buf_efi = malloc(size_efi)) == NULL) { + free(buf); + command_errmsg = "out of memory"; + return (CMD_ERROR); + } + TSENTER2("rng->GetRNG"); - status = rng->GetRNG(rng, NULL, size, (UINT8 *)buf); + status = rng->GetRNG(rng, NULL, size_efi, (UINT8 *)buf_efi); TSEXIT(); if (status != EFI_SUCCESS) { + free(buf_efi); free(buf); command_errmsg = "GetRNG failed"; return (CMD_ERROR); } + if (size_efi < size) + pkcs5v2_genkey_raw(buf, size, "", 0, buf_efi, size_efi, 1); + else + memcpy(buf, buf_efi, size); if (file_addbuf("efi_rng_seed", "boot_entropy_platform", size, buf) != 0) { + free(buf_efi); free(buf); return (CMD_ERROR); } + explicit_bzero(buf_efi, size_efi); + free(buf_efi); free(buf); return (CMD_OK); }