[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] x86: re-initialize RNG seed when selecting kernel
|
From: |
Paolo Bonzini |
|
Subject: |
Re: [PATCH] x86: re-initialize RNG seed when selecting kernel |
|
Date: |
Mon, 26 Sep 2022 18:07:43 +0200 |
On Mon, Sep 26, 2022 at 3:45 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> On Thu, Sep 22, 2022 at 5:28 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> > We don't want it to be possible to re-read the RNG seed after ingesting
> > it, because this ruins forward secrecy. Currently, however, the setup
> > data section can just be re-read. Since the kernel is always read after
> > the setup data, use the selection of the kernel as a trigger to
> > re-initialize the RNG seed, just like we do on reboot, to preserve
> > forward secrecy.
> >
> > Cc: Paolo Bonzini <pbonzini@redhat.com>
> > Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> > ---
> > Paolo- this applies on top of the 4 you merged this morning. -Jason
>
> Just bumping this, in hopes that this can go out with the same PULL
> for the other 4 you merged last week.
Thanks, queued but I have a question.
If I understand correctly, this protects against rereading the seed while the
OS is running. If so, does that mean that the device tree-based seed
initialization does not have forward secrecy at all?
Paolo