From: Roland Hieber <rhi@pengutronix.de>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>
Cc: distrokit@pengutronix.de
Subject: Re: [DistroKit] [PATCH 11/11] v7a: barebox: enable HWRNG drivers and allow fallback to PRNG
Date: Tue, 27 May 2025 11:15:16 +0200
Message-ID: <1748336969-924b86987f54e70da098e439@pty>
In-Reply-To: <e87af203-f912-4e55-afa2-afb53e0adfde@pengutronix.de>

On Mon, May 26, 2025 at 12:59:33PM +0200, Ahmad Fatoum wrote:
> Hello Roland,
>
> On 5/26/25 12:39, Roland Hieber wrote:
> > On Mon, May 26, 2025 at 12:20:36PM +0200, Ahmad Fatoum wrote:
> >> Hi Roland,
> >>
> >> On 5/26/25 12:11, Roland Hieber wrote:
> >>> Without ALLOW_PRNG_FALLBACK, barebox prints an unsightly error message
> >>> on boot:
> >>>
> >>> ERROR: no HWRNG available!
> >>
> >> Is this because of the stack protector? Which platforms lack the RNG?
> >
> > No, it's directly from get_crypto_bytes() in lib/random.c:
> >
> >     if (!IS_ENABLED(CONFIG_ALLOW_PRNG_FALLBACK)) {
> >             pr_err("no HWRNG available!\n");
> >             return err;
> >     }
> >
> > That's why I enabled CONFIG_ALLOW_PRNG_FALLBACK.
>
> Yes, but why is get_crypto_bytes called in your case? Things like
> MAC address generation don't use a non-secure PRNG anyways.

Ah now I get what you mean. In that case, dmesg seems to suggest it's the stack
protector. On riotboard I get:

[…]
register_driver: barebox-environment
probe-> chosen:environment.of
barebox-environment chosen:environment.of: Setting default environment path to /dev/mmc3.barebox-environment
initcall-> stackprot_randomize_guard+0x1/0x38
WARNING: falling back to Pseudo RNG source!
initcall-> eth_register_of_fixup+0x1/0x10
initcall-> dhcp_global_init+0x1/0xf8
[…]

> > In menuconfig there is:
> >
> > --- HWRNG Support
> > [ ] Timer IOMEM HW Random Number Generator support
> > [*] STM32 Random Number Generator
> > [*] OP-TEE based Random Number Generator support
> > [*] Broadcom BCM2835/BCM63xx Random Number Generator support
> > [ ] Broadcom iProc/STB RNG200 support
> > [*] OMAP Random Number Generator support
>
> There is also the CAAM driver for i.MX, which is found separately in
> a crypto submenu.

Thanks, that got rid of the PRNG warning on riotboard :-) I'll enable it in v2
of this series too:
--- a/configs/platform-v7a/barebox.config
+++ b/configs/platform-v7a/barebox.config
@@ -1239,7 +1239,9 @@ CONFIG_PHY_STM32_USBPHYC=y
#
# Hardware crypto devices
#
-# CONFIG_CRYPTO_DEV_FSL_CAAM is not set
+CONFIG_CRYPTO_DEV_FSL_CAAM=y
+CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9
+CONFIG_CRYPTO_DEV_FSL_CAAM_RNG=y
# end of Hardware crypto devices
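Review bot: The three added CAAM lines change what the v2 commit message has to say: the quoted message names only "RPi and AM33xx" as the platforms gaining an HWRNG driver, so i.MX via CAAM should be listed there too, together with the fact that riotboard no longer reaches the PRNG fallback. CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9 also arrives without explanation; if it is simply the value oldconfig filled in, a word saying so would save the next reader from wondering whether it was tuned.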
- Roland

> > I'm not sure whether we want CONFIG_HW_RANDOM_TIMERIOMEM, its help text sounds
> > more like a workaround than a solution:
> >
> > This driver provides barebox support for a generic Random
> > Number Generator used by reading a 'dumb' iomem address that
> > is to be read no faster than, for example, once a second.
>
> I don't think we have hardware in DistroKit that this is useful on.
>
> Cheers,
> Ahmad
>
> >
> > - Roland
> >
> >> Cheers,
> >> Ahmad
> >>
> >>>
> >>> Since we don't have HWRNG drivers for all available platforms, enable
> >>> those that we have (RPi and AM33xx). For the other platforms allow
> >>> fallback to the PRNG, which will at least only print a warning on boot
> >>> on platforms without HWRNG:
> >>>
> >>> WARNING: falling back to Pseudo RNG source!
> >>>
> >>> … but in this case, this is expected.
> >>>
> >>> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> >>> ---
> >>> configs/platform-v7a/barebox.config | 6 +++---
> >>> 1 file changed, 3 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/configs/platform-v7a/barebox.config b/configs/platform-v7a/barebox.config
> >>> index 4780b6493a7a..86cb40acbf17 100644
> >>> --- a/configs/platform-v7a/barebox.config
> >>> +++ b/configs/platform-v7a/barebox.config
> >>> @@ -1106,9 +1106,9 @@ CONFIG_HWRNG=y
> >>> # CONFIG_HW_RANDOM_TIMERIOMEM is not set
> >>> CONFIG_HWRNG_STM32=y
> >>> CONFIG_HW_RANDOM_OPTEE=y
> >>> -# CONFIG_HW_RANDOM_BCM2835 is not set
> >>> +CONFIG_HW_RANDOM_BCM2835=y
> >>> # CONFIG_HW_RANDOM_IPROC_RNG200 is not set
> >>> -# CONFIG_HW_RANDOM_OMAP is not set
> >>> +CONFIG_HW_RANDOM_OMAP=y
> >>>
> >>> #
> >>> # DMA support
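Review bot: After the two enables in this hunk the HWRNG block covers STM32, OP-TEE, BCM2835 and OMAP, but nothing in it serves the i.MX boards, and the riotboard log in this thread shows that gap: stackprot_randomize_guard runs and the PRNG fallback warning follows. The CAAM RNG sits under "Hardware crypto devices" rather than in this block, so it is easy to miss here; enabling it belongs in the same patch, so that the fallback is only reached on boards with no hardware source at all.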
> >>> @@ -1380,7 +1380,7 @@ CONFIG_IMAGE_SPARSE=y
> >>> CONFIG_STMP_DEVICE=y
> >>> CONFIG_LIBFDT=y
> >>> # CONFIG_RATP is not set
> >>> -# CONFIG_ALLOW_PRNG_FALLBACK is not set
> >>> +CONFIG_ALLOW_PRNG_FALLBACK=y
> >>> # CONFIG_CRC_CCITT is not set
> >>> CONFIG_CRC8=y
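Review bot: Setting CONFIG_ALLOW_PRNG_FALLBACK=y for the whole v7a platform turns a missing RNG driver from a hard error in get_crypto_bytes() into a single boot warning, which also hides boards that do have an RNG but no driver enabled, as happened with i.MX in this thread. The commit message should name the boards that are expected to keep printing "falling back to Pseudo RNG source!", so that the same warning on any other board is treated as a config bug, and should state that on those boards the stack protector guard is randomized from the PRNG, as the riotboard log suggests.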
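The attribution done by eye in the riotboard excerpt above (which initcall ran just before the RNG message) can be automated when comparing boot logs across boards. This is an added example, not code from the thread or from barebox; it assumes the log contains the "initcall->" trace lines shown in the message, and the sample log is constructed from that excerpt.

```python
import re

# Constructed sample, modelled on the riotboard excerpt quoted in the message.
SAMPLE_LOG = """\
register_driver: barebox-environment
probe-> chosen:environment.of
initcall-> stackprot_randomize_guard+0x1/0x38
WARNING: falling back to Pseudo RNG source!
initcall-> eth_register_of_fixup+0x1/0x10
initcall-> dhcp_global_init+0x1/0xf8
"""

# "initcall-> symbol+0xoff/0xsize" as it appears in the excerpt.
INITCALL = re.compile(r"^initcall->\s+([\w.]+)\+0x[0-9a-fA-F]+/0x[0-9a-fA-F]+")

# The two messages quoted in the thread, mapped to a short event name.
RNG_MESSAGES = {
    "WARNING: falling back to Pseudo RNG source!": "prng-fallback",
    "ERROR: no HWRNG available!": "no-hwrng",
}


def attribute_rng_events(log):
    """Return (event, initcall, line_no) for every RNG message in the log.

    initcall is the most recent initcall seen before the message, or None
    if the message appears before any initcall trace line.
    """
    current = None
    events = []
    for line_no, raw in enumerate(log.splitlines(), 1):
        line = raw.strip()
        match = INITCALL.match(line)
        if match:
            current = match.group(1)
            continue
        event = RNG_MESSAGES.get(line)
        if event is not None:
            events.append((event, current, line_no))
    return events


if __name__ == "__main__":
    for event, initcall, line_no in attribute_rng_events(SAMPLE_LOG):
        print(f"line {line_no}: {event} during {initcall or 'unknown initcall'}")
```
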