Remove WARN_ALL_UNSEEDED_RANDOM kernel config option

This config option goes way back - it used to be an internal debug
option to random.c (at that point called DEBUG_RANDOM_BOOT), then was
renamed and exposed as a config option as CONFIG_WARN_UNSEEDED_RANDOM,
and then further renamed to the current CONFIG_WARN_ALL_UNSEEDED_RANDOM.

It was all done with the best of intentions: the more limited
rate-limited reports were reporting some cases, but if you wanted to see
all the gory details, you'd enable this "ALL" option.

However, it turns out - perhaps not surprisingly - that when people
don't care about and fix the first rate-limited cases, they most
certainly don't care about any others either, and so warning about all
of them isn't actually helping anything.

And the non-ratelimited reporting causes problems, where well-meaning
people enable debug options, but the excessive flood of messages that
nobody cares about will hide actual real information when things go
wrong.

I just got a kernel bug report (which had nothing to do with randomness)
where two thirds of the the truncated dmesg was just variations of

   random: get_random_u32 called from __get_random_u32_below+0x10/0x70 with crng_init=0

and in the process early boot messages had been lost (in addition to
making the messages that _hadn't_ been lost harder to read).

The proper way to find these things for the hypothetical developer that
cares - if such a person exists - is almost certainly with boot time
tracing.  That gives you the option to get call graphs etc too, which is
likely a requirement for fixing any problems anyway.

See Documentation/trace/boottime-trace.rst for that option.

And if we for some reason do want to re-introduce actual printing of
these things, it will need to have some uniqueness filtering rather than
this "just print it all" model.

Fixes: cc1e127bfa95 ("random: remove ratelimiting for in-kernel unseeded randomness")
Acked-by: Jason Donenfeld <Jason@zx2c4.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/drivers/char/random.c b/drivers/char/random.c
index dcd002e1b890d1d59a37ea36f5ad99d8fe38c262..7ff4d29911fd84ca98cfbbced50e06db12087e69 100644 (file)
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -96,8 +96,7 @@ static ATOMIC_NOTIFIER_HEAD(random_ready_notifier);
 /* Control how we warn userspace. */
 static struct ratelimit_state urandom_warning =
        RATELIMIT_STATE_INIT_FLAGS("urandom_warning", HZ, 3, RATELIMIT_MSG_ON_RELEASE);
-static int ratelimit_disable __read_mostly =
-       IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM);
+static int ratelimit_disable __read_mostly = 0;
 module_param_named(ratelimit_disable, ratelimit_disable, int, 0644);
 MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression");
 
@@ -168,12 +167,6 @@ int __cold execute_with_initialized_rng(struct notifier_block *nb)
        return ret;
 }
 
-#define warn_unseeded_randomness() \
-       if (IS_ENABLED(CONFIG_WARN_ALL_UNSEEDED_RANDOM) && !crng_ready()) \
-               printk_deferred(KERN_NOTICE "random: %s called from %pS with crng_init=%d\n", \
-                               __func__, (void *)_RET_IP_, crng_init)
-
-
 /*********************************************************************
  *
  * Fast key erasure RNG, the "crng".
@@ -434,7 +427,6 @@ static void _get_random_bytes(void *buf, size_t len)
  */
 void get_random_bytes(void *buf, size_t len)
 {
-       warn_unseeded_randomness();
        _get_random_bytes(buf, len);
 }
 EXPORT_SYMBOL(get_random_bytes);
@@ -523,8 +515,6 @@ type get_random_ ##type(void)                                                       \
        struct batch_ ##type *batch;                                            \
        unsigned long next_gen;                                                 \
                                                                                \
-       warn_unseeded_randomness();                                             \
-                                                                               \
        if  (!crng_ready()) {                                                   \
                _get_random_bytes(&ret, sizeof(ret));                           \
                return ret;                                                     \

diff --git a/kernel/configs/debug.config b/kernel/configs/debug.config
index 774702591d26c60514faeda3bfebe933a4b9da38..307c97ac5fa9c338a4a45f647150c6c933726b63 100644 (file)
--- a/kernel/configs/debug.config
+++ b/kernel/configs/debug.config
@@ -29,7 +29,6 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 # CONFIG_UBSAN_ALIGNMENT is not set
 # CONFIG_UBSAN_DIV_ZERO is not set
 # CONFIG_UBSAN_TRAP is not set
-# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set
 CONFIG_DEBUG_FS=y
 CONFIG_DEBUG_FS_ALLOW_ALL=y
 CONFIG_DEBUG_IRQFLAGS=y

diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 4e2dfbbd3d7863029fb38810031a786aa5d6b6d9..318df4c754542f4de5d19d46f3a0e6c8c3d0c925 100644 (file)
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1766,33 +1766,6 @@ config STACKTRACE
          It is also used by various kernel debugging features that require
          stack trace generation.
 
-config WARN_ALL_UNSEEDED_RANDOM
-       bool "Warn for all uses of unseeded randomness"
-       default n
-       help
-         Some parts of the kernel contain bugs relating to their use of
-         cryptographically secure random numbers before it's actually possible
-         to generate those numbers securely. This setting ensures that these
-         flaws don't go unnoticed, by enabling a message, should this ever
-         occur. This will allow people with obscure setups to know when things
-         are going wrong, so that they might contact developers about fixing
-         it.
-
-         Unfortunately, on some models of some architectures getting
-         a fully seeded CRNG is extremely difficult, and so this can
-         result in dmesg getting spammed for a surprisingly long
-         time.  This is really bad from a security perspective, and
-         so architecture maintainers really need to do what they can
-         to get the CRNG seeded sooner after the system is booted.
-         However, since users cannot do anything actionable to
-         address this, by default this option is disabled.
-
-         Say Y here if you want to receive warnings for all uses of
-         unseeded randomness.  This will be of use primarily for
-         those developers interested in improving the security of
-         Linux kernels running on their architecture (or
-         subarchitecture).
-
 config DEBUG_KOBJECT
        bool "kobject debugging"
        depends on DEBUG_KERNEL