random: Restrict extrng registration to init time

It is technically a risk to permit extrng registration by modules after
kernel init completes. Since there is only one user of the extrng interface
and it is imperative that it is the _only_ registered extrng for FIPS
compliance, restrict the extrng registration interface to only permit
registration during kernel init and only from built-in drivers.

This also eliminates the risks associated with the extrng interface itself
being designed to solely accommodate a single registration, which would
therefore permit the registered extrng to be overridden or even removed by
an unrelated module.

Signed-off-by: Sultan Alsawaf <sultan@ciq.com>
Signed-off-by: Jonathan Maple <jmaple@ciq.com>

Author: kerneltoast

crypto/rng.c

@@ -322,8 +322,7 @@ static ssize_t crypto_devrandom_read_iter(struct iov_iter *iter, bool reseed)
 }
 
 static const struct random_extrng crypto_devrandom_rng = {
-	.extrng_read_iter = crypto_devrandom_read_iter,
-	.owner = THIS_MODULE,
+	.extrng_read_iter = crypto_devrandom_read_iter
 };
 
 static int __init crypto_rng_init(void)
@@ -333,13 +332,7 @@ static int __init crypto_rng_init(void)
 	return 0;
 }
 
-static void __exit crypto_rng_exit(void)
-{
-	random_unregister_extrng();
-}
-
 late_initcall(crypto_rng_init);
-module_exit(crypto_rng_exit);
 
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("Random Number Generator");

drivers/char/random.c

@@ -51,7 +51,6 @@
 #include <linux/completion.h>
 #include <linux/uuid.h>
 #include <linux/uaccess.h>
-#include <linux/rcupdate.h>
 #include <linux/suspend.h>
 #include <linux/siphash.h>
 #include <linux/sched/isolation.h>
@@ -314,7 +313,7 @@ static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE],
 /*
  * Hook for external RNG.
  */
-static const struct random_extrng __rcu *extrng;
+static const struct random_extrng *extrng __ro_after_init;
 
 /*
  * This function returns a ChaCha state that you may use for generating
@@ -966,18 +965,12 @@ void __init add_bootloader_randomness(const void *buf, size_t len)
 		credit_init_bits(len * 8);
 }
 
-void random_register_extrng(const struct random_extrng *rng)
+void __init random_register_extrng(const struct random_extrng *rng)
 {
-	rcu_assign_pointer(extrng, rng);
+	/* Don't allow the registered extrng to be overridden */
+	BUG_ON(extrng);
+	extrng = rng;
 }
-EXPORT_SYMBOL_GPL(random_register_extrng);
-
-void random_unregister_extrng(void)
-{
-	RCU_INIT_POINTER(extrng, NULL);
-	synchronize_rcu();
-}
-EXPORT_SYMBOL_GPL(random_unregister_extrng);
 
 #if IS_ENABLED(CONFIG_VMGENID)
 static BLOCKING_NOTIFIER_HEAD(vmfork_chain);
@@ -1386,7 +1379,6 @@ static void __cold try_to_generate_entropy(void)
 
 SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags)
 {
-	const struct random_extrng *rng;
 	struct iov_iter iter;
 	struct iovec iov;
 	int ret;
@@ -1404,19 +1396,11 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags
 	if (len > INT_MAX)
 		len = INT_MAX;
 
-	rcu_read_lock();
-	rng = rcu_dereference(extrng);
-	if (rng && !try_module_get(rng->owner))
-		rng = NULL;
-	rcu_read_unlock();
-
-	if (rng) {
+	if (extrng) {
 		ret = import_single_range(READ, ubuf, len, &iov, &iter);
 		if (unlikely(ret))
 			return ret;
-		ret = rng->extrng_read_iter(&iter, !!(flags & GRND_RANDOM));
-		module_put(rng->owner);
-		return ret;
+		return extrng->extrng_read_iter(&iter, !!(flags & GRND_RANDOM));
 	}
 
 	if (!crng_ready() && !(flags & GRND_INSECURE)) {
@@ -1589,52 +1573,24 @@ static int random_fasync(int fd, struct file *filp, int on)
 
 static int random_open(struct inode *inode, struct file *filp)
 {
-	const struct random_extrng *rng;
-
-	rcu_read_lock();
-	rng = rcu_dereference(extrng);
-	if (rng && !try_module_get(rng->owner))
-		rng = NULL;
-	rcu_read_unlock();
-
-	if (!rng)
-		return 0;
-
-	filp->f_op = &extrng_random_fops;
-	filp->private_data = rng->owner;
+	if (extrng)
+		filp->f_op = &extrng_random_fops;
 
 	return 0;
 }
 
 static int urandom_open(struct inode *inode, struct file *filp)
 {
-	const struct random_extrng *rng;
+	if (extrng)
+		filp->f_op = &extrng_urandom_fops;
 
-	rcu_read_lock();
-	rng = rcu_dereference(extrng);
-	if (rng && !try_module_get(rng->owner))
-		rng = NULL;
-	rcu_read_unlock();
-
-	if (!rng)
-		return 0;
-
-	filp->f_op = &extrng_urandom_fops;
-	filp->private_data = rng->owner;
-
-	return 0;
-}
-
-static int extrng_release(struct inode *inode, struct file *filp)
-{
-	module_put(filp->private_data);
 	return 0;
 }
 
 static ssize_t
 extrng_read_iter(struct kiocb *kiocb, struct iov_iter *iter)
 {
-	return rcu_dereference_raw(extrng)->extrng_read_iter(iter, false);
+	return extrng->extrng_read_iter(iter, false);
 }
 
 const struct file_operations random_fops = {
@@ -1670,7 +1626,6 @@ static const struct file_operations extrng_random_fops = {
 	.unlocked_ioctl = random_ioctl,
 	.fasync = random_fasync,
 	.llseek = noop_llseek,
-	.release = extrng_release,
 	.splice_read = generic_file_splice_read,
 	.splice_write = iter_file_splice_write,
 };
@@ -1682,7 +1637,6 @@ static const struct file_operations extrng_urandom_fops = {
 	.unlocked_ioctl = random_ioctl,
 	.fasync = random_fasync,
 	.llseek = noop_llseek,
-	.release = extrng_release,
 	.splice_read = generic_file_splice_read,
 	.splice_write = iter_file_splice_write,
 };

include/linux/random.h

@@ -9,12 +9,6 @@
 
 #include <uapi/linux/random.h>
 
-struct iov_iter;
-struct random_extrng {
-	ssize_t (*extrng_read_iter)(struct iov_iter *, bool reseed);
-	struct module *owner;
-};
-
 struct notifier_block;
 
 void add_device_randomness(const void *buf, size_t len);
@@ -42,9 +36,6 @@ static inline int register_random_vmfork_notifier(struct notifier_block *nb) { r
 static inline int unregister_random_vmfork_notifier(struct notifier_block *nb) { return 0; }
 #endif
 
-void random_register_extrng(const struct random_extrng *rng);
-void random_unregister_extrng(void);
-
 void get_random_bytes(void *buf, size_t len);
 u8 get_random_u8(void);
 u16 get_random_u16(void);
@@ -173,6 +164,13 @@ int random_online_cpu(unsigned int cpu);
 
 #ifndef MODULE
 extern const struct file_operations random_fops, urandom_fops;
+
+struct iov_iter;
+struct random_extrng {
+	ssize_t (*extrng_read_iter)(struct iov_iter *iter, bool reseed);
+};
+
+void __init random_register_extrng(const struct random_extrng *rng);
 #endif
 
 #endif /* _LINUX_RANDOM_H */