blob: c07bf84f7cf82718ec0798be15b2ffbd669c0f89 [file] [log] [blame]
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +02001// SPDX-License-Identifier: GPL-2.0 OR MIT
2/*
3 * Copyright (C) 2022 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4 *
Jason A. Donenfeld31ec4812022-04-20 15:27:29 +02005 * SeedRNG is a simple program made for seeding the Linux kernel random number
6 * generator from seed files. It is is useful in light of the fact that the
7 * Linux kernel RNG cannot be initialized from shell scripts, and new seeds
8 * cannot be safely generated from boot time shell scripts either. It should
9 * be run once at init time and once at shutdown time. It can be run at other
10 * times on a timer as well. Whenever it is run, it writes existing seed files
11 * into the RNG pool, and then creates a new seed file. If the RNG is
12 * initialized at the time of creating a new seed file, then that new seed file
13 * is marked as "creditable", which means it can be used to initialize the RNG.
14 * Otherwise, it is marked as "non-creditable", in which case it is still used
15 * to seed the RNG's pool, but will not initialize the RNG. In order to ensure
16 * that entropy only ever stays the same or increases from one seed file to the
17 * next, old seed values are hashed together with new seed values when writing
18 * new seed files.
19 *
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020020 * This is based on code from <https://git.zx2c4.com/seedrng/about/>.
21 */
22
23//config:config SEEDRNG
Jason A. Donenfeld3cb40f82022-04-20 15:38:46 +020024//config: bool "seedrng (2 kb)"
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020025//config: default y
26//config: help
27//config: Seed the kernel RNG from seed files, meant to be called
28//config: once during startup, once during shutdown, and optionally
29//config: at some periodic interval in between.
30
31//applet:IF_SEEDRNG(APPLET(seedrng, BB_DIR_USR_SBIN, BB_SUID_DROP))
32
33//kbuild:lib-$(CONFIG_SEEDRNG) += seedrng.o
34
35//usage:#define seedrng_trivial_usage
Jason A. Donenfeld398bb382022-04-20 15:34:20 +020036//usage: "[-d SEED_DIRECTORY] [-n]"
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020037//usage:#define seedrng_full_usage "\n\n"
Denys Vlasenko137b2052022-04-27 16:53:44 +020038//usage: "Seed the kernel RNG from seed files"
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020039//usage: "\n"
Denys Vlasenko137b2052022-04-27 16:53:44 +020040//usage: "\n -d DIR Use seed files from DIR (default: /var/lib/seedrng)"
41//usage: "\n -n Skip crediting seeds, even if creditable"
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020042
43#include "libbb.h"
44
45#include <linux/random.h>
46#include <sys/random.h>
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020047#include <sys/file.h>
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020048
49#ifndef GRND_INSECURE
50#define GRND_INSECURE 0x0004 /* Apparently some headers don't ship with this yet. */
51#endif
52
Jason A. Donenfeld45385782022-04-20 15:22:55 +020053#define DEFAULT_SEED_DIR "/var/lib/seedrng"
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020054#define CREDITABLE_SEED_NAME "seed.credit"
55#define NON_CREDITABLE_SEED_NAME "seed.no-credit"
56
Denys Vlasenko40135652022-04-27 17:20:43 +020057enum {
Jason A. Donenfeld45385782022-04-20 15:22:55 +020058 MIN_SEED_LEN = SHA256_OUTSIZE,
59 MAX_SEED_LEN = 512
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020060};
61
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020062static size_t determine_optimal_seed_len(void)
63{
Denys Vlasenko40135652022-04-27 17:20:43 +020064 char poolsize_str[12];
65 unsigned poolsize;
66 int n;
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020067
Denys Vlasenko40135652022-04-27 17:20:43 +020068 n = open_read_close("/proc/sys/kernel/random/poolsize", poolsize_str, sizeof(poolsize_str) - 1);
69 if (n < 0) {
Denys Vlasenkoc82a0cd2022-04-27 17:33:15 +020070 bb_perror_msg("can't determine pool size, assuming %u bits", MIN_SEED_LEN * 8);
Jason A. Donenfeld45385782022-04-20 15:22:55 +020071 return MIN_SEED_LEN;
72 }
Denys Vlasenko40135652022-04-27 17:20:43 +020073 poolsize_str[n] = '\0';
Jason A. Donenfeld31ec4812022-04-20 15:27:29 +020074 poolsize = (bb_strtoul(poolsize_str, NULL, 10) + 7) / 8;
75 return MAX(MIN(poolsize, MAX_SEED_LEN), MIN_SEED_LEN);
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020076}
77
Denys Vlasenko52f3cf72022-04-30 15:33:28 +020078static bool read_new_seed(uint8_t *seed, size_t len)
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020079{
Denys Vlasenko52f3cf72022-04-30 15:33:28 +020080 bool is_creditable;
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020081 ssize_t ret;
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020082
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +020083 ret = getrandom(seed, len, GRND_NONBLOCK);
84 if (ret == (ssize_t)len) {
Denys Vlasenko52f3cf72022-04-30 15:33:28 +020085 return true;
Denys Vlasenko282b61a2022-04-30 15:25:55 +020086 }
87 if (ret < 0 && errno == ENOSYS) {
Denys Vlasenko2cbfd012022-04-30 15:36:54 +020088 int fd = xopen("/dev/random", O_RDONLY);
89 struct pollfd random_fd;
90 random_fd.fd = fd;
91 random_fd.events = POLLIN;
Denys Vlasenko52f3cf72022-04-30 15:33:28 +020092 is_creditable = poll(&random_fd, 1, 0) == 1;
93//This is racy. is_creditable can be set to true here, but other process
94//can consume "good" random data from /dev/urandom before we do it below.
Denys Vlasenko2cbfd012022-04-30 15:36:54 +020095 close(fd);
Denys Vlasenko282b61a2022-04-30 15:25:55 +020096 } else {
Denys Vlasenko282b61a2022-04-30 15:25:55 +020097 if (getrandom(seed, len, GRND_INSECURE) == (ssize_t)len)
Denys Vlasenko52f3cf72022-04-30 15:33:28 +020098 return false;
99 is_creditable = false;
Denys Vlasenko282b61a2022-04-30 15:25:55 +0200100 }
Denys Vlasenko52f3cf72022-04-30 15:33:28 +0200101
102 /* Either getrandom() is not implemented, or
103 * getrandom(GRND_INSECURE) did not give us LEN bytes.
104 * Fallback to reading /dev/urandom.
105 */
Denys Vlasenko282b61a2022-04-30 15:25:55 +0200106 errno = 0;
107 if (open_read_close("/dev/urandom", seed, len) != (ssize_t)len)
108 bb_perror_msg_and_die("can't read '%s'", "/dev/urandom");
Denys Vlasenko52f3cf72022-04-30 15:33:28 +0200109 return is_creditable;
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200110}
111
Denys Vlasenko0fa16fc2022-04-29 18:37:42 +0200112static void seed_rng(uint8_t *seed, size_t len, bool credit)
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200113{
114 struct {
115 int entropy_count;
116 int buf_size;
117 uint8_t buffer[MAX_SEED_LEN];
Denys Vlasenko6da99472022-04-27 17:09:38 +0200118 } req;
Denys Vlasenko0fa16fc2022-04-29 18:37:42 +0200119 int random_fd;
Denys Vlasenko6da99472022-04-27 17:09:38 +0200120
121 req.entropy_count = credit ? len * 8 : 0;
122 req.buf_size = len;
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200123 memcpy(req.buffer, seed, len);
124
Denys Vlasenko0fa16fc2022-04-29 18:37:42 +0200125 random_fd = xopen("/dev/urandom", O_RDONLY);
126 xioctl(random_fd, RNDADDENTROPY, &req);
Jason A. Donenfeld31ec4812022-04-20 15:27:29 +0200127 if (ENABLE_FEATURE_CLEAN_UP)
128 close(random_fd);
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200129}
130
Denys Vlasenko46487542022-04-30 23:17:58 +0200131static void seed_from_file_if_exists(const char *filename, int dfd, bool credit, sha256_ctx_t *hash)
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200132{
133 uint8_t seed[MAX_SEED_LEN];
134 ssize_t seed_len;
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200135
Jason A. Donenfeld45385782022-04-20 15:22:55 +0200136 seed_len = open_read_close(filename, seed, sizeof(seed));
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200137 if (seed_len < 0) {
Denys Vlasenko0fa16fc2022-04-29 18:37:42 +0200138 if (errno != ENOENT)
Denys Vlasenko267178c2022-04-30 15:50:45 +0200139 bb_perror_msg_and_die("can't read '%s'", filename);
Denys Vlasenko0fa16fc2022-04-29 18:37:42 +0200140 return;
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200141 }
Denys Vlasenko0fa16fc2022-04-29 18:37:42 +0200142 xunlink(filename);
143 if (seed_len != 0) {
Denys Vlasenko46487542022-04-30 23:17:58 +0200144 /* We are going to use this data to seed the RNG:
145 * we believe it to genuinely containing entropy.
146 * If this just-unlinked file survives
147 * (e.g. if machine crashes _right now_)
148 * and we reuse it after reboot, this assumption
149 * would be violated. Fsync the directory to
150 * make sure file is gone:
151 */
152 fsync(dfd);
153
Denys Vlasenko0fa16fc2022-04-29 18:37:42 +0200154 sha256_hash(hash, &seed_len, sizeof(seed_len));
155 sha256_hash(hash, seed, seed_len);
Denys Vlasenkod49da382022-04-30 15:45:53 +0200156 printf("Seeding %u bits %s crediting\n",
157 (unsigned)seed_len * 8, credit ? "and" : "without");
Denys Vlasenko0fa16fc2022-04-29 18:37:42 +0200158 seed_rng(seed, seed_len, credit);
Jason A. Donenfeld398bb382022-04-20 15:34:20 +0200159 }
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200160}
161
162int seedrng_main(int argc, char *argv[]) MAIN_EXTERNALLY_VISIBLE;
163int seedrng_main(int argc UNUSED_PARAM, char *argv[])
164{
Denys Vlasenko8456c212022-04-27 17:53:12 +0200165 const char *seed_dir;
Denys Vlasenkod49da382022-04-30 15:45:53 +0200166 int fd, dfd;
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200167 uint8_t new_seed[MAX_SEED_LEN];
168 size_t new_seed_len;
Denys Vlasenko0bca4892022-04-30 23:53:28 +0200169 bool new_seed_creditable, skip_credit;
Denys Vlasenko6da99472022-04-27 17:09:38 +0200170 struct timespec timestamp;
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200171 sha256_ctx_t hash;
172
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200173 enum {
174 OPT_d = (1 << 0),
Jason A. Donenfeld398bb382022-04-20 15:34:20 +0200175 OPT_n = (1 << 1)
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200176 };
177#if ENABLE_LONG_OPTS
178 static const char longopts[] ALIGN1 =
Denys Vlasenko0bca4892022-04-30 23:53:28 +0200179 "seed-dir\0" Required_argument "d"
180 "skip-credit\0" No_argument "n"
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200181 ;
182#endif
183
Denys Vlasenko40135652022-04-27 17:20:43 +0200184 seed_dir = DEFAULT_SEED_DIR;
Jason A. Donenfeldf9ea8ba2022-04-21 12:37:32 +0200185 skip_credit = getopt32long(argv, "d:n", longopts, &seed_dir) & OPT_n;
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200186 umask(0077);
Denys Vlasenko8456c212022-04-27 17:53:12 +0200187 if (getuid() != 0)
Jason A. Donenfeldce9a3452022-04-20 15:36:22 +0200188 bb_simple_error_msg_and_die(bb_msg_you_must_be_root);
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200189
Jason A. Donenfeld45385782022-04-20 15:22:55 +0200190 if (mkdir(seed_dir, 0700) < 0 && errno != EEXIST)
Denys Vlasenko267178c2022-04-30 15:50:45 +0200191 bb_perror_msg_and_die("can't create directory '%s'", seed_dir);
Denys Vlasenkod49da382022-04-30 15:45:53 +0200192 dfd = xopen(seed_dir, O_DIRECTORY | O_RDONLY);
Denys Vlasenko8456c212022-04-27 17:53:12 +0200193 xfchdir(dfd);
Denys Vlasenkod5bd2e52022-05-01 01:50:44 +0200194 /* Concurrent runs of this tool might feed the same data to RNG twice.
195 * Avoid concurrent runs by taking a blocking lock on the directory.
196 * Not checking for errors. Looking at manpage,
197 * ENOLCK "The kernel ran out of memory for allocating lock records"
198 * seems to be the only one which is likely - and if that happens,
199 * machine is OOMing (much worse problem than inability to lock...).
200 * Also, typically configured Linux machines do not fail GFP_KERNEL
201 * allocations (they trigger memory reclaim instead).
202 */
203 flock(dfd, LOCK_EX); /* would block while another copy runs */
Jason A. Donenfeld3c607112022-04-20 15:31:01 +0200204
Jason A. Donenfeld31ec4812022-04-20 15:27:29 +0200205 sha256_begin(&hash);
Jason A. Donenfeld3cb40f82022-04-20 15:38:46 +0200206 sha256_hash(&hash, "SeedRNG v1 Old+New Prefix", 25);
Jason A. Donenfeld31ec4812022-04-20 15:27:29 +0200207 clock_gettime(CLOCK_REALTIME, &timestamp);
208 sha256_hash(&hash, &timestamp, sizeof(timestamp));
209 clock_gettime(CLOCK_BOOTTIME, &timestamp);
210 sha256_hash(&hash, &timestamp, sizeof(timestamp));
211
Jason A. Donenfeldf9ea8ba2022-04-21 12:37:32 +0200212 for (int i = 1; i < 3; ++i) {
Denys Vlasenko0fa16fc2022-04-29 18:37:42 +0200213 seed_from_file_if_exists(i == 1 ? NON_CREDITABLE_SEED_NAME : CREDITABLE_SEED_NAME,
Denys Vlasenko46487542022-04-30 23:17:58 +0200214 dfd,
Denys Vlasenkod5bd2e52022-05-01 01:50:44 +0200215 /* credit? */ i == 1 ? false : !skip_credit,
Denys Vlasenko0fa16fc2022-04-29 18:37:42 +0200216 &hash);
Jason A. Donenfeldf9ea8ba2022-04-21 12:37:32 +0200217 }
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200218
219 new_seed_len = determine_optimal_seed_len();
Denys Vlasenko52f3cf72022-04-30 15:33:28 +0200220 new_seed_creditable = read_new_seed(new_seed, new_seed_len);
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200221 sha256_hash(&hash, &new_seed_len, sizeof(new_seed_len));
222 sha256_hash(&hash, new_seed, new_seed_len);
223 sha256_end(&hash, new_seed + new_seed_len - SHA256_OUTSIZE);
224
Denys Vlasenko52f3cf72022-04-30 15:33:28 +0200225 printf("Saving %u bits of %screditable seed for next boot\n",
226 (unsigned)new_seed_len * 8, new_seed_creditable ? "" : "non-");
Denys Vlasenkod49da382022-04-30 15:45:53 +0200227 fd = xopen3(NON_CREDITABLE_SEED_NAME, O_WRONLY | O_CREAT | O_TRUNC, 0400);
228 xwrite(fd, new_seed, new_seed_len);
Denys Vlasenkod5bd2e52022-05-01 01:50:44 +0200229 if (new_seed_creditable) {
230 /* More paranoia when we create a file which we believe contains
231 * genuine entropy: make sure disk is not full, quota was't esceeded, etc:
232 */
233 if (fsync(fd) < 0)
234 bb_perror_msg_and_die("can't write '%s'", NON_CREDITABLE_SEED_NAME);
Denys Vlasenkod49da382022-04-30 15:45:53 +0200235 xrename(NON_CREDITABLE_SEED_NAME, CREDITABLE_SEED_NAME);
Denys Vlasenkod5bd2e52022-05-01 01:50:44 +0200236 }
Denys Vlasenkod49da382022-04-30 15:45:53 +0200237 return EXIT_SUCCESS;
Jason A. Donenfeld4b407ba2022-04-04 18:21:51 +0200238}