
Software PRNG fixes #1843

Merged
merged 2 commits into from
Oct 11, 2017

Conversation

jforissier
Contributor

No description provided.

@jbech-linaro
Contributor

You could add to the commit message also that this resolves: OP-TEE-2017-0001.
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

This commit fixes a vulnerability (OP-TEE-2017-0001) that affects
platforms built with CFG_WITH_SOFTWARE_PRNG=y. Note however that
platforms that also set CFG_SECURE_TIME_SOURCE_REE=y are still
vulnerable, unless they provide an implementation of
plat_prng_add_jitter_entropy_norpc().

The LibTomCrypt API is not used properly in the current PRNG
initialization code (tee_ltc_prng_init()). We have:

  prng->start();
  prng->ready();
  plat_prng_add_jitter_entropy_norpc();

...and at this point, the PRNG is assumed to be ready to provide random
data through rng->read().

That is broken, because there is no guarantee that the added entropy
will have an immediate effect on the output of rng->read(). In fact, it
usually will NOT. For instance, the default software PRNG used in
OP-TEE (Fortuna) re-seeds its PRNG generator from the entropy pools
only once every ten reads. So we're effectively using an un-seeded
generator for the first ten calls to prng->read(). Practically it means
that the same byte sequences are generated after each boot and, for the
Fortuna PRNG, until the 11th call to the PRNG read function. At the
Internal Core API level, this affects TEE_GenerateRandom() and
TEE_GenerateKey().

The fix is simple: prng->ready() seeds the generator from the pools, so
by moving plat_prng_add_jitter_entropy_norpc() before prng->ready(), we
can ensure that some amount of entropy is used immediately.

Fixes: OP-TEE#1730
Link: https://op-tee.org/security-advisories
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

This commit fixes a vulnerability (OP-TEE-2017-0001) that affects
platforms built with CFG_WITH_SOFTWARE_PRNG=y. Note however that
platforms that also set CFG_SECURE_TIME_SOURCE_REE=y are still
vulnerable, unless they provide an implementation of
plat_prng_add_jitter_entropy_norpc().

Adds some entropy to the PRNG used to generate the AE key for paged
user TAs.

Link: https://op-tee.org/security-advisories/
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
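The ordering bug described in the first commit message above, as an added, constructed model that is not OP-TEE or LibTomCrypt code: a toy generator with a Fortuna-like schedule that only pulls from its entropy pool on ready() and every tenth read thereafter, so entropy added after ready() has no effect on the first ten outputs. The names toy_prng, toy_ready, nth_read_after_boot and the jitter values are assumptions for the illustration.

```c
/* Constructed model of the tee_ltc_prng_init() ordering bug; not OP-TEE or
 * LibTomCrypt code. Entropy reaches the generator key only on ready() and
 * on every RESEED_INTERVAL-th read, as the commit message describes. */
#include <stdint.h>
#include <stdbool.h>

#define RESEED_INTERVAL 10  /* "re-seeds ... only once every ten reads" */

struct toy_prng {
    uint64_t state;   /* generator key actually used to produce output */
    uint64_t pool;    /* entropy collected but not yet folded into the key */
    unsigned reads;   /* reads since the last reseed */
};

/* splitmix64 step: deterministic expansion of the current key */
static uint64_t mix(uint64_t *s) {
    uint64_t z = (*s += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

static void toy_start(struct toy_prng *p) { p->state = 0; p->pool = 0; p->reads = 0; }
static void toy_add_entropy(struct toy_prng *p, uint64_t e) { p->pool ^= e; }
static void toy_ready(struct toy_prng *p) { p->state ^= p->pool; p->pool = 0; }

static uint64_t toy_read(struct toy_prng *p) {
    /* The 11th, 21st, ... read reseeds from the pool; earlier reads do not. */
    if (p->reads++ == RESEED_INTERVAL) {
        p->state ^= p->pool; p->pool = 0; p->reads = 1;
    }
    return mix(&p->state);
}

/* Simulate one boot with the given init order and return the n-th read.
 * entropy_before_ready == false reproduces the buggy sequence
 * start(); ready(); add_jitter_entropy();  true is the fixed order. */
uint64_t nth_read_after_boot(bool entropy_before_ready, uint64_t jitter, unsigned n) {
    struct toy_prng p;
    toy_start(&p);
    if (entropy_before_ready) toy_add_entropy(&p, jitter);   /* fixed order */
    toy_ready(&p);
    if (!entropy_before_ready) toy_add_entropy(&p, jitter);  /* buggy order */
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++) v = toy_read(&p);
    return v;
}
```

Two boots with different constructed jitter values give identical output for reads 1 through 10 under the buggy order and diverge only at read 11, whereas under the fixed order they already differ at read 1.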
@jforissier jforissier merged commit 93d3c45 into OP-TEE:master Oct 11, 2017
@jforissier jforissier deleted the fortuna-fix branch October 11, 2017 15:26