On 09/05/2019 10.00, Hsin-Yi Wang wrote:
Why do you need to clear it? That wasn't necessary for kaslr-seed.
I think it's for security purposes. If we know the random seed, it's more likely we can predict randomness. Currently on arm64, kaslr-seed will be wiped out (in arch/arm64/kernel/kaslr.c#get_kaslr_seed(), it's set to 0), so we can't read it from sysfs (e.g. /sys/firmware/devicetree/.../kaslr-seed). I'm not sure whether it will be wiped out on other archs.
The difference is if I have the kaslr seed, I can calculate the kernel base address.
In your case, you are feeding an RNG which continually has entropy added to it. I can't see that knowing one piece of the entropy data is a security hole. It looks more like you've just copied what was done for kaslr-seed.
+Kees who can probably explain this better.
This early added entropy is also going to be used for the stack canary. At the time it's created there's not much entropy (before boot_init_stack_canary(), there's only add_latent_entropy() and command_line).
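The point Hsin-Yi makes above, that a seed property is zeroed in place so it cannot be read back from sysfs, is something a defender can verify on a running system. The following is an added example and is not code from the thread or from the kernel: a small POSIX shell function that reads a binary device-tree property exported under sysfs and reports whether every byte is zero. The sysfs path used in the usage call is an assumption based on the path fragment quoted in the thread; the exact node depends on the platform's device tree.

```shell
# Added example (not from the thread). Check whether a device-tree property
# exported under sysfs has been wiped to all-zero bytes by the kernel.
#   return 0 : property exists and every byte is zero (seed was cleared)
#   return 1 : property exists and contains non-zero bytes (seed is readable)
#   return 2 : property file does not exist
seed_is_wiped() {
  prop="$1"
  [ -f "$prop" ] || return 2
  # Dump the raw bytes as hex (od -v prints every byte, no '*' elision),
  # strip whitespace, and look for any hex digit that is not '0'.
  if od -An -tx1 -v "$prop" | tr -d ' \n' | grep -q '[^0]'; then
    return 1
  fi
  return 0
}

# Usage on an arm64 box (path is an assumption; adjust to your platform):
#   seed_is_wiped /sys/firmware/devicetree/base/chosen/kaslr-seed
#   case $? in
#     0) echo "kaslr-seed wiped" ;;
#     1) echo "kaslr-seed still readable from sysfs" ;;
#     2) echo "no kaslr-seed property exported" ;;
#   esac
```

The check deliberately reads the raw bytes rather than relying on the file size, because a cleared property keeps its original length (8 bytes for a 64-bit seed) and only its content changes to zero.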
So, why not just have the bootloader add whatever entropy it has via the commandline, which already gets mixed in? That requires no kernel changes, and works for all architectures.
If anything, perhaps instead of just adding gobbledygook=abc123, make an official command line parameter (there was talk about this at some point), and have the kernel overwrite the value with xxx so it's not visible in /proc/cmdline.
Rasmus