From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: Roland Hieber <rhi@pengutronix.de>
Cc: distrokit@pengutronix.de
Subject: Re: [DistroKit] [PATCH 11/11] v7a: barebox: enable HWRNG drivers and allow fallback to PRNG
Date: Tue, 27 May 2025 22:19:51 +0200 [thread overview]
Message-ID: <b4dafb60-df11-417f-b68f-21910be4470f@pengutronix.de> (raw)
In-Reply-To: <1748336969-924b86987f54e70da098e439@pty>
Hi Roland,
On 27.05.25 11:15, Roland Hieber wrote:
> On Mon, May 26, 2025 at 12:59:33PM +0200, Ahmad Fatoum wrote:
>> Hello Roland,
>>
>> On 5/26/25 12:39, Roland Hieber wrote:
>>> On Mon, May 26, 2025 at 12:20:36PM +0200, Ahmad Fatoum wrote:
>>>> Hi Roland,
>>>>
>>>> On 5/26/25 12:11, Roland Hieber wrote:
>>>>> Without ALLOW_PRNG_FALLBACK, barebox prints an unsightly error message
>>>>> on boot:
>>>>>
>>>>> ERROR: no HWRNG available!
>>>>
>>>> Is this because of the stack protector? Which platforms lack the RNG?
>>>
>>> No, it's directly from get_crypto_bytes() in lib/random.c:
>>>
>>> 137 if (!IS_ENABLED(CONFIG_ALLOW_PRNG_FALLBACK)) {
>>> 138 pr_err("no HWRNG available!\n");
>>> 139 return err;
>>> 140 }
>>>
>>> That's why I enabled CONFIG_ALLOW_PRNG_FALLBACK.
>>
>> Yes, but why is get_crypto_bytes called in your case? Things like
>> MAC address generation don't use a non-secure PRNG anyways.
>
> Ah now I get what you mean. In that case, dmesg seems to suggest it's the stack
> protector. On riotboard I get:
>
> […]
> register_driver: barebox-environment
> probe-> chosen:environment.of
> barebox-environment chosen:environment.of: Setting default environment path to /dev/mmc3.barebox-environment
> initcall-> stackprot_randomize_guard+0x1/0x38
> WARNING: falling back to Pseudo RNG source!
> initcall-> eth_register_of_fixup+0x1/0x10
> initcall-> dhcp_global_init+0x1/0xf8
> […]
Ah, there is a warning in the stack protector code:
WARNING: stackprot: proceeding without randomized stack protector
But it was only printed, when CONFIG_ALLOW_PRNG_FALLBACK was disabled.
I add some extra context to the warning message inside get_crypto_bytes
in [1], so it now looks like this:
WARNING: stackprot_randomize_guard: falling back to Pseudo RNG source!
[1]: https://lore.barebox.org/barebox/20250527201359.889550-9-a.fatoum@pengutronix.de/T/#u
Thanks by the way for enabling the stack protector support!
I have been meaning to do this for some time now. :)
Cheers,
Ahmad
>
>>> In menuconfig there is:
>>>
>>> --- HWRNG Support
>>> [ ] Timer IOMEM HW Random Number Generator support
>>> [*] STM32 Random Number Generator
>>> [*] OP-TEE based Random Number Generator support
>>> [*] Broadcom BCM2835/BCM63xx Random Number Generator support
>>> [ ] Broadcom iProc/STB RNG200 support
>>> [*] OMAP Random Number Generator support
>>
>> There is also the CAAM driver for i.MX, which is found separately in
>> a crypto submenu.
>
> Thanks, that got rid of the PRNG warning on riotboard :-) I'll enable it in v2
> of this series too:
>
> --- a/configs/platform-v7a/barebox.config
> +++ b/configs/platform-v7a/barebox.config
> @@ -1239,7 +1239,9 @@ CONFIG_PHY_STM32_USBPHYC=y
> #
> # Hardware crypto devices
> #
> -# CONFIG_CRYPTO_DEV_FSL_CAAM is not set
> +CONFIG_CRYPTO_DEV_FSL_CAAM=y
> +CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9
> +CONFIG_CRYPTO_DEV_FSL_CAAM_RNG=y
> # end of Hardware crypto devices
>
> - Roland
>
>>> I'm not sure whether we want CONFIG_HW_RANDOM_TIMERIOMEM, its help text sounds
>>> more like a workaround than a solution:
>>>
>>> This driver provides barebox support for a generic Random │
>>> Number Generator used by reading a 'dumb' iomem address that │
>>> is to be read no faster than, for example, once a second.
>>
>> I don't think we have hardware in DistroKit that this is useful on.
>>
>> Cheers,
>> Ahmad
>>
>>>
>>> - Roland
>>>
>>>> Cheers,
>>>> Ahmad
>>>>
>>>>>
>>>>> Since we don't have HWRNG drivers for all available platforms, enable
>>>>> those that we have (RPi and AM33xx). For the other platforms allow
>>>>> fallback to the PRNG, which will at least only print a warning on boot
>>>>> on platforms without HWRNG:
>>>>>
>>>>> WARNING: falling back to Pseudo RNG source!
>>>>>
>>>>> … but in this case, this is expected.
>>>>>
>>>>> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
>>>>> ---
>>>>> configs/platform-v7a/barebox.config | 6 +++---
>>>>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>>>>
>>>>> diff --git a/configs/platform-v7a/barebox.config b/configs/platform-v7a/barebox.config
>>>>> index 4780b6493a7a..86cb40acbf17 100644
>>>>> --- a/configs/platform-v7a/barebox.config
>>>>> +++ b/configs/platform-v7a/barebox.config
>>>>> @@ -1106,9 +1106,9 @@ CONFIG_HWRNG=y
>>>>> # CONFIG_HW_RANDOM_TIMERIOMEM is not set
>>>>> CONFIG_HWRNG_STM32=y
>>>>> CONFIG_HW_RANDOM_OPTEE=y
>>>>> -# CONFIG_HW_RANDOM_BCM2835 is not set
>>>>> +CONFIG_HW_RANDOM_BCM2835=y
>>>>> # CONFIG_HW_RANDOM_IPROC_RNG200 is not set
>>>>> -# CONFIG_HW_RANDOM_OMAP is not set
>>>>> +CONFIG_HW_RANDOM_OMAP=y
>>>>>
>>>>> #
>>>>> # DMA support
>>>>> @@ -1380,7 +1380,7 @@ CONFIG_IMAGE_SPARSE=y
>>>>> CONFIG_STMP_DEVICE=y
>>>>> CONFIG_LIBFDT=y
>>>>> # CONFIG_RATP is not set
>>>>> -# CONFIG_ALLOW_PRNG_FALLBACK is not set
>>>>> +CONFIG_ALLOW_PRNG_FALLBACK=y
>>>>> # CONFIG_CRC_CCITT is not set
>>>>> CONFIG_CRC8=y
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2025-05-27 20:19 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-26 10:11 [DistroKit] [PATCH 01/11] platforms: images: use descriptive partition-type-uuids Roland Hieber
2025-05-26 10:11 ` [DistroKit] [PATCH 02/11] v7a: barebox: version bump 2025.03.0 -> 2025.05.0 Roland Hieber
2025-05-26 10:11 ` [DistroKit] [PATCH 03/11] v7a: barebox: boot from bootsource Roland Hieber
2025-05-26 10:18 ` Ahmad Fatoum
2025-05-26 10:11 ` [DistroKit] [PATCH 04/11] v7a: image-stm32mp*: use new partition-table-type option Roland Hieber
2025-05-26 10:11 ` [DistroKit] [PATCH 05/11] v7a: stm32mp: switch to upstream barebox recipe Roland Hieber
2025-05-26 10:11 ` [DistroKit] [PATCH 06/11] v7a: stm32mp: populate default environment in barebox partition Roland Hieber
2025-05-26 10:11 ` [DistroKit] [PATCH 07/11] v7a: mx6: switch to upstream barebox recipe Roland Hieber
2025-05-26 10:11 ` [DistroKit] [PATCH 08/11] v7a: vexpress: " Roland Hieber
2025-05-26 10:11 ` [DistroKit] [PATCH 09/11] v7a: rpi: " Roland Hieber
2025-05-26 10:11 ` [DistroKit] [PATCH 10/11] v7a: rpi: remove "2" from recipe names Roland Hieber
2025-05-26 10:11 ` [DistroKit] [PATCH 11/11] v7a: barebox: enable HWRNG drivers and allow fallback to PRNG Roland Hieber
2025-05-26 10:20 ` Ahmad Fatoum
2025-05-26 10:39 ` Roland Hieber
2025-05-26 10:59 ` Ahmad Fatoum
2025-05-27 9:15 ` Roland Hieber
2025-05-27 20:19 ` Ahmad Fatoum [this message]
2025-05-28 9:47 ` Roland Hieber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b4dafb60-df11-417f-b68f-21910be4470f@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=distrokit@pengutronix.de \
--cc=rhi@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox