3 files changed, 16 insertions, 5 deletions
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 0c8f7889efa1..227c5c6fa4c1 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -3390,6 +3390,12 @@
        ramdisk_size=   [RAM] Sizes of RAM disks in kilobytes
                        See Documentation/blockdev/ramdisk.txt.
+        random.trust_cpu={on,off}
+                        [KNL] Enable or disable trusting the use of the
+                        CPU's random number generator (if available) to
+                        fully seed the kernel's CRNG. Default is controlled
+                        by CONFIG_RANDOM_TRUST_CPU.
        ras=option[,option,...] [KNL] RAS-specific options
                cec_disable     [X86]
diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
index ce277ee0a28a..40728491f37b 100644
--- a/drivers/char/Kconfig
+++ b/drivers/char/Kconfig
@@ -566,5 +566,5 @@ config RANDOM_TRUST_CPU
        that CPU manufacturer (perhaps with the insistence or mandate
        of a Nation State's intelligence or law enforcement agencies)
        has not installed a hidden back door to compromise the CPU's
-        random number generation facilities.
+        random number generation facilities. This can also be configured
+        at boot with "random.trust_cpu=on/off".
diff --git a/drivers/char/random.c b/drivers/char/random.c
index bf5f99fc36f1..c75b6cdf0053 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -779,6 +779,13 @@ static struct crng_state **crng_node_pool __read_mostly;
 static void invalidate_batched_entropy(void);
+static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
+static int __init parse_trust_cpu(char *arg)
+{
+        return kstrtobool(arg, &trust_cpu);
+}
+early_param("random.trust_cpu", parse_trust_cpu);
 static void crng_initialize(struct crng_state *crng)
 {
        int             i;
@@ -799,12 +806,10 @@ static void crng_initialize(struct crng_state *crng)
                }
                crng->state[i] ^= rv;
        }
-#ifdef CONFIG_RANDOM_TRUST_CPU
+        if (trust_cpu && arch_init) {
-        if (arch_init) {
                crng_init = 2;
                pr_notice("random: crng done (trusting CPU's manufacturer)\n");
        }
-#endif
        crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
 }

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 0c8f7889efa1..227c5c6fa4c1 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -3390,6 +3390,12 @@
3390	ramdisk_size= [RAM] Sizes of RAM disks in kilobytes	3390	ramdisk_size= [RAM] Sizes of RAM disks in kilobytes
3391	See Documentation/blockdev/ramdisk.txt.	3391	See Documentation/blockdev/ramdisk.txt.
3392		3392
		3393	random.trust_cpu={on,off}
		3394	[KNL] Enable or disable trusting the use of the
		3395	CPU's random number generator (if available) to
		3396	fully seed the kernel's CRNG. Default is controlled
		3397	by CONFIG_RANDOM_TRUST_CPU.
		3398
3393	ras=option[,option,...] [KNL] RAS-specific options	3399	ras=option[,option,...] [KNL] RAS-specific options
3394		3400
3395	cec_disable [X86]	3401	cec_disable [X86]


diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig index ce277ee0a28a..40728491f37b 100644 --- a/drivers/char/Kconfig +++ b/drivers/char/Kconfig
@@ -566,5 +566,5 @@ config RANDOM_TRUST_CPU
566	that CPU manufacturer (perhaps with the insistence or mandate	566	that CPU manufacturer (perhaps with the insistence or mandate
567	of a Nation State's intelligence or law enforcement agencies)	567	of a Nation State's intelligence or law enforcement agencies)
568	has not installed a hidden back door to compromise the CPU's	568	has not installed a hidden back door to compromise the CPU's
569	random number generation facilities.	569	random number generation facilities. This can also be configured
570		570	at boot with "random.trust_cpu=on/off".


diff --git a/drivers/char/random.c b/drivers/char/random.c index bf5f99fc36f1..c75b6cdf0053 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c
@@ -779,6 +779,13 @@ static struct crng_state **crng_node_pool __read_mostly;
779		779
780	static void invalidate_batched_entropy(void);	780	static void invalidate_batched_entropy(void);
781		781
		782	static bool trust_cpu __ro_after_init = IS_ENABLED(CONFIG_RANDOM_TRUST_CPU);
		783	static int __init parse_trust_cpu(char *arg)
		784	{
		785	return kstrtobool(arg, &trust_cpu);
		786	}
		787	early_param("random.trust_cpu", parse_trust_cpu);
		788
782	static void crng_initialize(struct crng_state *crng)	789	static void crng_initialize(struct crng_state *crng)
783	{	790	{
784	int i;	791	int i;
@@ -799,12 +806,10 @@ static void crng_initialize(struct crng_state *crng)
799	}	806	}
800	crng->state[i] ^= rv;	807	crng->state[i] ^= rv;
801	}	808	}
802	#ifdef CONFIG_RANDOM_TRUST_CPU	809	if (trust_cpu && arch_init) {
803	if (arch_init) {
804	crng_init = 2;	810	crng_init = 2;
805	pr_notice("random: crng done (trusting CPU's manufacturer)\n");	811	pr_notice("random: crng done (trusting CPU's manufacturer)\n");
806	}	812	}
807	#endif
808	crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;	813	crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1;
809	}	814	}
810		815