linux

korg/linux

mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2025-01-24 23:04:17 +08:00

Go to file

Jason A. Donenfeld c570449094 random: use linear min-entropy accumulation crediting `30e37ec516` ("random: account for entropy loss due to overwrites") assumed that adding new entropy to the LFSR pool probabilistically cancelled out old entropy there, so entropy was credited asymptotically, approximating Shannon entropy of independent sources (rather than a stronger min-entropy notion) using 1/8th fractional bits and replacing a constant 2-2/√𝑒 term (~0.786938) with 3/4 (0.75) to slightly underestimate it. This wasn't superb, but it was perhaps better than nothing, so that's what was done. Which entropy specifically was being cancelled out and how much precisely each time is hard to tell, though as I showed with the attack code in my previous commit, a motivated adversary with sufficient information can actually cancel out everything. Since we're no longer using an LFSR for entropy accumulation, this probabilistic cancellation is no longer relevant. Rather, we're now using a computational hash function as the accumulator and we've switched to working in the random oracle model, from which we can now revisit the question of min-entropy accumulation, which is done in detail in <https://eprint.iacr.org/2019/198>. Consider a long input bit string that is built by concatenating various smaller independent input bit strings. Each one of these inputs has a designated min-entropy, which is what we're passing to credit_entropy_bits(h). When we pass the concatenation of these to a random oracle, it means that an adversary trying to receive back the same reply as us would need to become certain about each part of the concatenated bit string we passed in, which means becoming certain about all of those h values. That means we can estimate the accumulation by simply adding up the h values in calls to credit_entropy_bits(h); there's no probabilistic cancellation at play like there was said to be for the LFSR. Incidentally, this is also what other entropy accumulators based on computational hash functions do as well. So this commit replaces credit_entropy_bits(h) with essentially `total = min(POOL_BITS, total + h)`, done with a cmpxchg loop as before. What if we're wrong and the above is nonsense? It's not, but let's assume we don't want the actual _behavior_ of the code to change much. Currently that behavior is not extracting from the input pool until it has 128 bits of entropy in it. With the old algorithm, we'd hit that magic 128 number after roughly 256 calls to credit_entropy_bits(1). So, we can retain more or less the old behavior by waiting to extract from the input pool until it hits 256 bits of entropy using the new code. For people concerned about this change, it means that there's not that much practical behavioral change. And for folks actually trying to model the behavior rigorously, it means that we have an even higher margin against attacks. Cc: Theodore Ts'o <tytso@mit.edu> Cc: Dominik Brodowski <linux@dominikbrodowski.net> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>		2022-02-21 16:48:06 +01:00
arch	- Fix the ptrace regset xfpregs_set() callback to behave according to the ABI	2022-02-20 12:46:21 -08:00
block	block/wbt: fix negative inflight counter when remove scsi device	2022-02-17 07:54:03 -07:00
certs	certs: Fix build error when CONFIG_MODULE_SIG_KEY is empty	2022-01-23 00:08:44 +09:00
crypto	crypto: af_alg - get rid of alg_memory_allocated	2022-02-15 14:29:04 +00:00
Documentation	Power Supply Fixes for 5.17 cycle	2022-02-20 11:07:46 -08:00
drivers	random: use linear min-entropy accumulation crediting	2022-02-21 16:48:06 +01:00
fs	fs.mount_setattr.v5.17-rc4	2022-02-20 11:01:47 -08:00
include	random: simplify entropy debiting	2022-02-21 16:48:06 +01:00
init	lib/stackdepot: allow optional init and stack_table allocation by kvmalloc()	2022-01-22 08:33:37 +02:00
ipc	ipc/sem: do not sleep with a spin lock held	2022-02-04 09:25:05 -08:00
kernel	- Fix a NULL ptr dereference when dumping lockdep chains through /proc/lockdep_chains	2022-02-20 12:50:50 -08:00
lib	lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI	2022-02-04 19:22:32 +01:00
LICENSES	LICENSES/LGPL-2.1: Add LGPL-2.1-or-later as valid identifiers	2021-12-16 14:33:10 +01:00
mm	mm: don't try to NUMA-migrate COW pages that have other uses	2022-02-17 08:57:47 -08:00
net	ipv6: fix data-race in fib6_info_hw_flags_set / fib6_purge_rt	2022-02-17 09:48:24 -08:00
samples	samples/seccomp: Adjust sample to also provide kill option	2022-02-10 19:09:12 -08:00
scripts	kconfig: fix failing to generate auto.conf	2022-02-12 23:24:19 +09:00
security	integrity-v5-17-fix	2022-02-07 09:55:14 -08:00
sound	ASoC: intel: skylake: Set max DMA segment size	2022-02-17 09:39:44 +01:00
tools	fs.mount_setattr.v5.17-rc4	2022-02-20 11:01:47 -08:00
usr	kbuild: remove include/linux/cyclades.h from header file check	2022-01-27 08:51:08 +01:00
virt	Two larger x86 series:	2022-01-28 19:00:26 +02:00
.clang-format	genirq/msi: Make interrupt allocation less convoluted	2021-12-16 22:22:20 +01:00
.cocciconfig
.get_maintainer.ignore	Opt out of scripts/get_maintainer.pl	2019-05-16 10:53:40 -07:00
.gitattributes	.gitattributes: use 'dts' diff driver for dts files	2019-12-04 19:44:11 -08:00
.gitignore	.gitignore: ignore only top-level modules.builtin	2021-05-02 00:43:35 +09:00
.mailmap	mailmap: update Christian Brauner's email address	2022-02-01 11:21:31 -08:00
COPYING	COPYING: state that all contributions really are covered by this file	2020-02-10 13:32:20 -08:00
CREDITS	MAINTAINERS: Removing Ohad from remoteproc/rpmsg maintenance	2021-12-08 10:09:40 -07:00
Kbuild	kbuild: rename hostprogs-y/always to hostprogs/always-y	2020-02-04 01:53:07 +09:00
Kconfig	kbuild: ensure full rebuild when the compiler is updated	2020-05-12 13:28:33 +09:00
MAINTAINERS	Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux	2022-02-20 11:23:48 -08:00
Makefile	Linux 5.17-rc5	2022-02-20 13:07:20 -08:00
README	Drop all 00-INDEX files from Documentation/	2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.