Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751182AbdFDFyR (ORCPT ); Sun, 4 Jun 2017 01:54:17 -0400 Received: from mail-oi0-f46.google.com ([209.85.218.46]:35370 "EHLO mail-oi0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750852AbdFDFyN (ORCPT ); Sun, 4 Jun 2017 01:54:13 -0400 MIME-Version: 1.0 Reply-To: noloader@gmail.com In-Reply-To: <2400574.rYAxqaUNNq@positron.chronox.de> References: <2400574.rYAxqaUNNq@positron.chronox.de> From: Jeffrey Walton Date: Sun, 4 Jun 2017 01:54:12 -0400 Message-ID: Subject: Re: get_random_bytes returns bad randomness before seeding is complete To: =?UTF-8?Q?Stephan_M=C3=BCller?= Cc: "Jason A. Donenfeld" , "Theodore Ts'o" , Linux Crypto Mailing List , LKML , kernel-hardening@lists.openwall.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.home.local id v545sL3A008723 Content-Length: 839 Lines: 19 On Sun, Jun 4, 2017 at 1:48 AM, Stephan Müller wrote: > Am Freitag, 2. Juni 2017, 16:59:56 CEST schrieb Jason A. Donenfeld: > >> Alternatively, I'm open to other solutions people might come up with. > > How about stirring in some data from the Jitter RNG that we have in the kernel > already and that is used for the DRBG in case get_random_bytes has > insufficient entropy? Yes, two kernel developers said that this RNG is > useless, where in fact a lot of hardware and even crypto folks say that this > approach has merits. Almost anything has to be better than (1) silent failures, and (2) draining the little entropy available when the generators are starting and trying to become operational. The [negative] use case for (2) is systemd. See, for example, https://github.com/systemd/systemd/issues/4167. Jeff