HomeFreeBSD

loader: Expand EFI entropy if < 2048 bytes

Description

loader: Expand EFI entropy if < 2048 bytes

The EFI RNG on some platforms takes a long time if we request 2048
bytes of entropy, so we would like to request less; but our kernel
Fortuna RNG needs to be fed 2048 bytes in order to consider itself
"fully seeded". If we have between 64 bytes (the size of a single
Fortuna pool and enough to guarantee cryptographic security) and
2048 bytes (what Fortuna wants) then the boot process will hang
waiting for more entropy despite in fact having enough to operate
securely.

Since 64 bytes of entropy is plenty to be cryptographically secure
(an attack of cost ~ 2^128 is infeasible, which implies a mere 16
bytes of entropy), use PBKDF2 (aka pkcs5v2_genkey_raw) to spread
the entropy across 2048 bytes. This is secure since PBKDF2 has
the property that every subset of output bytes has within O(1) of
the maximum possible amount of entropy.

Reviewed by: pjd
MFC after: 1 week
Sponsored by: Amazon
Differential Revision: https://reviews.freebsd.org/D46635

(cherry picked from commit c8ebbd28aa91705aea3a67b06018ea6aef5aa6e4)

Details

Provenance
cpercivaAuthored on Sep 18 2024, 11:02 AM
Reviewer
pjd
Differential Revision
D46635: loader: Expand EFI entropy if < 2048 bytes
Parents
rGf216bddf84e6: loader: Make pkcs5v2 unconditionally available
Branches
Unknown
Tags
Unknown